Have I been hacked?

Cacique

Archived from groups: microsoft.public.win2000.security

I have a Win2K box behind a router, networked with an iMac and a Linux box.
I have 4 shared folders on the Win2K box that I access from the iMac and the
Linux box.

The other day I checked the contents of my shared folders and saw that in
the root directory of each shared folder there were a bunch of executable
files. I didn't put them there. The files were:

casvc.exe, ggtb32.exe, hqisvc32.exe, macdwXM.exe, prcview.exe, regsvc32.exe,
testfile, wmp9.exe, mssqlXP16.exe, srtsr32.exe, crss.exe, svchost.exe,
sdvhost.exe, stisvc32.exe, znksvc32.exe

Has someone broken into my system and placed these files in my shared
directories? If so, for what purpose? I thought the router would keep the
hackers out, but what should I do now if people can get into my system?

Thanks.
 
Steven L Umbach

Well, someone placed those files there. If you do not need users [legitimate
or otherwise] to write to that folder then be sure to lock down permissions
so that the folder cannot be written to. Otherwise you may find it helpful
to enable auditing of logon events on that computer and possibly object
access so that you can audit write access to that folder, though digging
through object access events is not exactly user friendly. The fact that
svchost.exe and a file called sdvhost.exe are present is a bit troubling.
Svchost is a legitimate file, though some malware will try and use a copy
that is not to infect the computer. Sdvhost.exe is not any legitimate file
that I know of or could see from a quick Google search.

I would be sure to run a full malware scan ASAP, making sure that you have
the latest virus definitions loaded. In addition be sure that you are using
strong passwords, particularly for any accounts in the local administrators
group, that your virus scan also scans all emails, that you keep current
with critical security updates and Windows Updates, and run the Microsoft
Baseline Security Analyzer to check for basic security vulnerabilities. A
properly configured firewall device will protect from direct hack attempts
from the internet but it will not stop malware such as Trojans or infected
email attachments. You could possibly have a backdoor on your computer or
one of your other computers may also be compromised. SysInternals has free
tools such as Process Explorer, TCPView, and Autoruns that can help you in
tracking down rogue processes. The links below may help to get you
started. -- Steve


http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://www.microsoft.com/technet/security/prodtech/windows2000/secmod144.mspx
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
 
Karl Levinson, mvp

It could "just" be a computer on your network infected with a virus that has
the ability to spread via Windows NetBIOS file shares. Such viruses
commonly put malware executables on the root of a Windows server file share,
and the file names you listed can be common. To know for sure, scan them with an
up-to-date antivirus scanner and then look up how that virus spreads in the
virus encyclopedia on your antivirus vendor's web site. The easiest way is
to go to www.virustotal.com and submit the files there; you get an answer
back immediately using a dozen different scanners.
http://housecall.antivirus.com should also be able to identify those files
using TrendMicro AV.
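Steve's point that svchost.exe belongs in the system directory and that sdvhost.exe is a lookalike, together with Karl's advice to get the dropped files scanned, can be turned into a small triage script. This is an added example, not code from the thread: it lists the root of a share, flags executables found there, marks names that copy or imitate Windows system binaries, and hashes each flagged file so the digest can be checked against a multi-engine scanner. The sample share contents, the SYSTEM_BINARIES set and the edit-distance threshold of 2 are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: legitimate Windows binaries that share-spreading worms copy or
# imitate; such a name, or a near-miss of it, outside the Windows system
# directory deserves a closer look.
SYSTEM_BINARIES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
    "regsvc.exe", "regsvr32.exe", "stisvc.exe",
}
EXEC_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}


def edit_distance(a, b):
    """Levenshtein distance; catches lookalikes such as crss.exe for csrss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name):
    """Return why a file name in a share root is suspicious, or None if it is not."""
    lower = name.lower()
    if Path(lower).suffix not in EXEC_SUFFIXES:
        return None
    if lower in SYSTEM_BINARIES:
        return "system binary name outside the system directory"
    nearest = min(SYSTEM_BINARIES, key=lambda s: edit_distance(lower, s))
    if edit_distance(lower, nearest) <= 2:  # assumed threshold
        return f"lookalike of {nearest}"
    return "executable in share root"


def scan_share_root(share):
    """Classify files directly in the share root (subfolders are not descended)
    and hash each flagged one so the digest can be checked against a scanner."""
    findings = []
    for entry in sorted(share.iterdir()):
        reason = classify(entry.name) if entry.is_file() else None
        if reason is not None:
            digest = hashlib.sha256(entry.read_bytes()).hexdigest()
            findings.append({"name": entry.name, "reason": reason, "sha256": digest})
    return findings


def build_sample_share():
    """Constructed sample: names from the original post with dummy contents."""
    share = Path(tempfile.mkdtemp(prefix="share_"))
    for n in ["casvc.exe", "crss.exe", "regsvc32.exe", "sdvhost.exe",
              "svchost.exe", "testfile", "wmp9.exe", "report.txt"]:
        (share / n).write_bytes(f"dummy contents of {n}".encode())
    return share


if __name__ == "__main__":
    for f in scan_share_root(build_sample_share()):
        print(f"{f['name']:<14} {f['reason']:<48} {f['sha256'][:16]}...")
```

Files without an executable suffix (such as the "testfile" from the post) are not flagged by this heuristic, so a hash of everything unexpected in the share root is still worth keeping for the scanner.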
 

Cacique

Thanks, guys, for the help. I downloaded Ad-Aware and Search and Destroy and
they found all kinds of junk on the system. I have cleaned up most of the
spyware using those two programs.

I have also visited symantec.com and did an online scan; it detected the
W32.HLLW.Gaobot worm in many different files. I had already deleted the
executables in question, but I think it's likely, based on the description
of this virus, that it had placed them there. I am currently searching for
the best antivirus tool to use to get rid of it. Symantec has a removal
tool for some of the Gaobot variants, but unfortunately, it doesn't clean
off the one on my system. Maybe McAfee or Trend has something. I'll keep
searching. At any rate, I guess I'll bite the bullet and buy an AV program
to keep these things under control, and run the adware programs regularly.

Thanks again.
 
Karl Levinson, mvp

www.grisoft.com is free antivirus, at least for personal use.
www.bitdefender.com may also have free AV you can use.
 
Steven L Umbach

As Karl mentioned, there are quality free-for-personal-use antivirus
programs. Newegg.com has a deal right now where you can download Trend
Micro PC-cillin for $9.99 after rebates and I think you can download it to
try free for 30 days from TM.

http://www.newegg.com/Product/Product.asp?Item=0-N82E1681297339SF

TM also offers a free tool called Sysclean that can detect AND remove many
common malware. You just download it and the pattern file, unzip the
pattern file, and run from a common folder. The links below explain
more. --- Steve

http://www.trendmicro.com/download/dcs.asp
http://www.trendmicro.com/download/pattern.asp

Microsoft has an excellent free downloadable guide called Anti Virus in
Depth if you want to learn more about malware, how to protect yourself from
it, and what to do if you get it that is geared toward system admins and
power users. --- Steve

http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
 

Galen

In news:Ox4dRhWWFHA.1796@TK2MSFTNGP15.phx.gbl,
Steven L Umbach <n9rou@nospam-comcast.net> had this to say:

My reply is at the bottom of your sent message:

> Microsoft has an excellent free downloadable guide called Anti Virus
> in Depth if you want to learn more about malware, how to protect
> yourself from it, and what to do if you get it that is geared toward
> system admins and power users. --- Steve
>
> http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx

I snipped out the good stuff but wanted to say thank you. I'd never come
across that. It looks to be an interesting read actually. Much obliged.

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes
 
Steven L Umbach

Hi Galen

Wow. I can't believe an inquisitive guy like you had not seen that guide
before. I think it is well worth reading as it goes beyond the usual detect
and clean type guides. --- Steve
 

Galen

In news:OEpFVFpWFHA.2128@TK2MSFTNGP15.phx.gbl,
Steven L Umbach <n9rou@nospam-comcast.net> had this to say:

My reply is at the bottom of your sent message:

> Hi Galen
>
> Wow. I can't believe an inquisitive guy like you had not seen that
> guide before. I think it is well worth reading as it goes beyond the
> usual detect and clean type guides. --- Steve

Well, there's an awful lot of content on the internet. I've tried my best to
read it all (which is why I have no life) but that one seems to have escaped
me. I expected it to be a watered down base security guide aimed
specifically at malware threats. It turns out that it's fairly accurate, and
has even been updated within the past year.

I've checked its online version (downloading it requires registering, which
I happily did but received no confirmation link) and found chapter three to
be quite interesting. They gave the reasons to avoid multiple AV scanners
running at the same time. I think that the article would make a decent
PowerPoint presentation and am amazed that someone had the idea to include
physical security steps as well.

Good stuff. I'll probably have to try the registration process again just to
be able to download it. I have the MSDN subscription content from that time
but I don't have TechNet I'm afraid. Maybe I'll order that one of these
days.

Galen
--

"And that recommendation, with the exaggerated estimate of my ability
with which he prefaced it, was, if you will believe me, Watson, the
very first thing which ever made me feel that a profession might be
made out of what had up to that time been the merest hobby."

Sherlock Holmes