Have I been hacked?

Archived from groups: microsoft.public.win2000.security

I have a Win2K box behind a router, networked with an iMac and a Linux box.
I have 4 shared folders on the Win2K box that I access from the iMac and the
Linux box.

The other day I checked the contents of my shared folders and saw that in
the root directory of each shared folder there were a bunch of executable
files. I didn't put them there. The files were:

casvc.exe, ggtb32.exe, hqisvc32.exe, macdwXM.exe, prcview.exe, regsvc32.exe,
testfile, wmp9.exe, mssqlXP16.exe, srtsr32.exe, crss.exe, svchost.exe,
sdvhost.exe, stisvc32.exe, znksvc32.exe

Has someone broken into my system and placed these files in my shared
directories? If so, for what purpose? I thought the router would keep the
hackers out, but what should I do now if people can get into my system?

Thanks.
  1.

    Well, someone placed those files there. If you do not need users [legitimate
    or otherwise] to write to that folder, then be sure to lock down permissions
    so that the folder cannot be written to. Otherwise you may find it helpful
    to enable auditing of logon events on that computer and possibly object
    access so that you can audit write access to that folder, though digging
    through object access events is not exactly user friendly. The fact that
    svchost.exe and a file called sdvhost.exe are present is a bit troubling.
    Svchost is a legitimate file, though some malware will try and use a copy
    that is not to infect the computer. Sdvhost.exe is not any legitimate file
    that I know of or could see from a quick Google search.

    I would be sure to run a full malware scan ASAP, making sure that you have
    the latest virus definitions loaded. In addition, be sure that you are using
    strong passwords, particularly for any accounts in the local administrators
    group, that your virus scan also scans all emails, that you keep current
    with critical security updates and Windows Updates, and run the Microsoft
    Baseline Security Analyzer to check for basic security vulnerabilities. A
    properly configured firewall device will protect from direct hack attempts
    from the internet, but it will not stop malware such as Trojans or infected
    email attachments. You could possibly have a backdoor on your computer, or
    one of your other computers may also be compromised. SysInternals has free
    tools such as Process Explorer, TCPView, and Autoruns that can help you in
    tracking down rogue processes. The links below may help to get you
    started. -- Steve


    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
    http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260
    http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
    http://www.microsoft.com/technet/security/prodtech/windows2000/secmod144.mspx
    http://www.microsoft.com/technet/security/tools/mbsahome.mspx

    "Cacique" <cacique83@hotmail.com> wrote in message
    news:d64jsu$1q1$1@inews.gazeta.pl...
    >I have a Win2K box behind a router, networked with an iMac and a Linux box.
    > I have 4 shared folders on the Win2K box that I access from the iMac and
    > the
    > Linux box.
    >
    > The other day I checked the contents of my shared folders and saw that in
    > the root directory of each shared folder there were a bunch of executable
    > files. I didn't put them there. The files were:
    >
    > casvc.exe, ggtb32.exe, hqisvc32.exe, macdwXM.exe, prcview.exe,
    > regsvc32.exe,
    > testfile, wmp9.exe, mssqlXP16.exe, srtsr32.exe, crss.exe, svchost.exe,
    > sdvhost.exe, stisvc32.exe, znksvc32.exe
    >
    > Has someone broken into my system and placed these files in my shared
    > directories? If so for what purpose? I thought the router would keep the
    > hackers out, but what I should I do now if people can get into my system?
    >
    > Thanks.
    >
    >
  2.

    It could "just" be a computer on your network infected with a virus that has
    the ability to spread via Windows NetBIOS file shares. Such viruses
    commonly put malware executables on the root of a Windows server file share,
    and the file names below can be common. To know for sure, scan them with an
    up-to-date antivirus scanner and then look up how that virus spreads in the
    virus encyclopedia on your antivirus vendor's web site. The easiest way is
    to go to www.virustotal.com and submit the files there; you get an answer
    back immediately using a dozen different scanners.
    http://housecall.antivirus.com should also be able to identify those files
    using TrendMicro AV.


    "Cacique" <cacique83@hotmail.com> wrote in message
    news:d64jsu$1q1$1@inews.gazeta.pl...
    > I have a Win2K box behind a router, networked with an iMac and a Linux box.
    > I have 4 shared folders on the Win2K box that I access from the iMac and
    > the Linux box.
    >
    > The other day I checked the contents of my shared folders and saw that in
    > the root directory of each shared folder there were a bunch of executable
    > files. I didn't put them there. The files were:
    >
    > casvc.exe, ggtb32.exe, hqisvc32.exe, macdwXM.exe, prcview.exe, regsvc32.exe,
    > testfile, wmp9.exe, mssqlXP16.exe, srtsr32.exe, crss.exe, svchost.exe,
    > sdvhost.exe, stisvc32.exe, znksvc32.exe
    >
    > Has someone broken into my system and placed these files in my shared
    > directories? If so for what purpose? I thought the router would keep the
    > hackers out, but what I should I do now if people can get into my system?
    >
    > Thanks.
    >
    >
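The two replies above both come down to the same triage: treat anything dropped at the root of a share as untrusted, notice when a file borrows or nearly borrows the name of a Windows system binary (Steve's point about svchost.exe and sdvhost.exe), and hash the files so they can be looked up at a multi-engine scanner such as VirusTotal instead of being run. The script below is an added example written for this thread, not code from any of the posters or from the tools they mention. It builds a temporary folder holding harmless placeholder files named after the ones in the question (constructed sample data), inventories that folder, flags exact and lookalike matches against a small assumed list of System32 binary names using edit distance, and prints a SHA-256 for each file. The list of system binary names and the two-edit lookalike threshold are the example's own choices.

```python
"""Triage executables found at the root of a Windows file share.

Added example for this thread (not any poster's code): inventory the files
sitting directly in a share root, flag names that copy or imitate Windows
system binaries, and hash each file so it can be looked up at a multi-engine
scanner rather than executed locally.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed list: legitimate copies of these live under %SystemRoot%\System32,
# never at the root of a file share, so a file carrying (or nearly carrying)
# one of these names in a share root deserves a look.
SYSTEM_BINARIES = (
    "svchost.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "regsvr32.exe", "spoolsv.exe",
)

# The file names reported in the question. They are used here only to name
# constructed placeholder files; the real files must never be run.
REPORTED_NAMES = (
    "casvc.exe", "ggtb32.exe", "hqisvc32.exe", "macdwXM.exe", "prcview.exe",
    "regsvc32.exe", "testfile", "wmp9.exe", "mssqlXP16.exe", "srtsr32.exe",
    "crss.exe", "svchost.exe", "sdvhost.exe", "stisvc32.exe", "znksvc32.exe",
)

LOOKALIKE_MAX_EDITS = 2  # assumed threshold for "imitates a system binary"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_name(name: str):
    """Return (verdict, system_name) for a file name found in a share root.

    'exact'     -> identical to a system binary name (svchost.exe outside
                   System32 is what the first reply calls troubling)
    'lookalike' -> within LOOKALIKE_MAX_EDITS of one (e.g. sdvhost.exe)
    'unknown'   -> no resemblance; still worth scanning, just not a masquerade
    """
    lowered = name.lower()
    if lowered in SYSTEM_BINARIES:
        return "exact", lowered
    closest = min(SYSTEM_BINARIES, key=lambda s: (edit_distance(lowered, s), s))
    if edit_distance(lowered, closest) <= LOOKALIKE_MAX_EDITS:
        return "lookalike", closest
    return "unknown", None


def sha256_file(path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_share_root(root) -> list:
    """Describe every regular file sitting directly in `root` (subfolders are
    skipped); sorted by name so the report is stable across runs."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_file():
            continue
        verdict, mimics = classify_name(entry.name)
        findings.append({"name": entry.name, "verdict": verdict, "mimics": mimics,
                         "sha256": sha256_file(entry), "size": entry.stat().st_size})
    return findings


def build_sample_share() -> str:
    """Create a temporary folder of constructed placeholder files named after
    the ones in the question. Their contents are plain text, not malware."""
    root = tempfile.mkdtemp(prefix="share_root_")
    for name in REPORTED_NAMES:
        (Path(root) / name).write_bytes(b"constructed placeholder for " + name.encode())
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in inventory_share_root(share):
        tag = f["verdict"] if f["mimics"] is None else f"{f['verdict']} ({f['mimics']})"
        print(f"{f['name']:<16} {tag:<24} {f['sha256']}")
```

Run against a real share, `inventory_share_root` would be pointed at the share's local path on the server rather than at the sample folder; the hashes it prints are what you submit to a multi-engine scanner, and the "exact" and "lookalike" verdicts are the files to prioritise. Name resemblance is only a heuristic: a file with an unremarkable name still needs scanning, and a lookalike verdict says "investigate", not "confirmed malicious".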
  3.

    Thanks, guys, for the help. I downloaded Ad-Aware and Search and Destroy, and
    they found all kinds of junk on the system. I have cleaned up most of the
    spyware using those two programs.

    I have also visited symantec.com and did an online scan; it detected the
    W32.HLLW.Gaobot worm in many different files. I had already deleted the
    executables in question, but I think it's likely, based on the description
    of this virus, that it had placed them there. I am currently searching for
    the best antivirus tool to use to get rid of it. Symantec has a removal
    tool for some of the Gaobot variants, but unfortunately, it doesn't clean
    off the one on my system. Maybe McAfee or Trend has something. I'll keep
    searching. At any rate, I guess I'll bite the bullet and buy an AV program
    to keep these things under control, and run the adware programs regularly.

    Thanks again.


    "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
    news:OS7oFsMWFHA.2472@TK2MSFTNGP10.phx.gbl...
    > It could "just" be a computer on your network infected with a virus that
    > has the ability to spread via Windows NetBIOS file shares. Such viruses
    > commonly put malware executables on the root of a Windows server file
    > share, and the file names below can be common. To know for sure, scan them
    > with an up to date antivirus scanner and then look up how that virus
    > spreads in the virus encyclopedia on your antivirus vendor's web site. The
    > easiest way is to go to www.virustotal.com and submit the files there, you
    > get an answer back immediately using a dozen different scanners.
    > http://housecall.antivirus.com should also be able to identify those files
    > using TrendMicro AV.
    >
    >
    > "Cacique" <cacique83@hotmail.com> wrote in message
    > news:d64jsu$1q1$1@inews.gazeta.pl...
    > > I have a Win2K box behind a router, networked with an iMac and a Linux
    > > box. I have 4 shared folders on the Win2K box that I access from the iMac
    > > and the Linux box.
    > >
    > > The other day I checked the contents of my shared folders and saw that
    > > in the root directory of each shared folder there were a bunch of
    > > executable files. I didn't put them there. The files were:
    > >
    > > casvc.exe, ggtb32.exe, hqisvc32.exe, macdwXM.exe, prcview.exe,
    > > regsvc32.exe, testfile, wmp9.exe, mssqlXP16.exe, srtsr32.exe, crss.exe,
    > > svchost.exe, sdvhost.exe, stisvc32.exe, znksvc32.exe
    > >
    > > Has someone broken into my system and placed these files in my shared
    > > directories? If so for what purpose? I thought the router would keep
    > > the hackers out, but what I should I do now if people can get into my
    > > system?
    > >
    > > Thanks.
    > >
    > >
    >
    >
  4.

    www.grisoft.com is free antivirus, at least for personal use.
    www.bitdefender.com may also have free AV you can use.


    "Cacique" <cacique83@hotmail.com> wrote in message
    news:d67g53$h8j$1@inews.gazeta.pl...
    > Thanks, guys, for the help. I download Ad-Aware and Search and Destroy
    > and they found all kinds of junk on the system. I have cleaned up most of
    > the spyware using those two programs.
    >
    > I have also visited symantec.com and did an online scan it detected the
    > W32.HLLW.Gaobot worm in many different files. I had already deleted the
    > executables in question, but I think it's likely, based on the description
    > of this virus, that it had placed them there. I am currently searching
    > for the best antivirus tool to use to get rid of it. Symantec has a
    > removal tool for some of the Gaobot variants, but unfortunately, it
    > doesn't clean off the one on my system. Maybe McAfee or Trend has
    > something. I'll keep searching. At any rate, I guess I'll bite the bullet
    > and buy an AV program to keep these things under control, and run the
    > adware programs regularly.
    >
    > Thanks again.
    >
    >
    >
    > "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
    > news:OS7oFsMWFHA.2472@TK2MSFTNGP10.phx.gbl...
    > > It could "just" be a computer on your network infected with a virus that
    > > has the ability to spread via Windows NetBIOS file shares. Such viruses
    > > commonly put malware executables on the root of a Windows server file
    > > share, and the file names below can be common. To know for sure, scan
    > > them with an up to date antivirus scanner and then look up how that
    > > virus spreads in the virus encyclopedia on your antivirus vendor's web
    > > site. The easiest way is to go to www.virustotal.com and submit the
    > > files there, you get an answer back immediately using a dozen different
    > > scanners.
    > > http://housecall.antivirus.com should also be able to identify those
    > > files using TrendMicro AV.
    > >
    > >
    > > "Cacique" <cacique83@hotmail.com> wrote in message
    > > news:d64jsu$1q1$1@inews.gazeta.pl...
    > > > I have a Win2K box behind a router, networked with an iMac and a Linux
    > > > box. I have 4 shared folders on the Win2K box that I access from the
    > > > iMac and the Linux box.
    > > >
    > > > The other day I checked the contents of my shared folders and saw that
    > > > in the root directory of each shared folder there were a bunch of
    > > > executable files. I didn't put them there. The files were:
    > > >
    > > > casvc.exe, ggtb32.exe, hqisvc32.exe, macdwXM.exe, prcview.exe,
    > > > regsvc32.exe, testfile, wmp9.exe, mssqlXP16.exe, srtsr32.exe,
    > > > crss.exe, svchost.exe, sdvhost.exe, stisvc32.exe, znksvc32.exe
    > > >
    > > > Has someone broken into my system and placed these files in my shared
    > > > directories? If so for what purpose? I thought the router would keep
    > > > the hackers out, but what I should I do now if people can get into my
    > > > system?
    > > >
    > > > Thanks.
    > > >
    > > >
    > >
    > >
    >
    >
  5.

    As Karl mentioned, there are quality free-for-personal-use antivirus
    programs. Newegg.com has a deal right now where you can download Trend
    Micro PC-cillin for $9.99 after rebates, and I think you can download it to
    try free for 30 days from TM.

    http://www.newegg.com/Product/Product.asp?Item=0-N82E1681297339SF

    TM also offers a free tool that can detect AND remove many common malware
    called Sysclean. You just download it and the pattern file, unzip the
    pattern file, and run from a common folder. The links below explain
    more. --- Steve

    http://www.trendmicro.com/download/dcs.asp
    http://www.trendmicro.com/download/pattern.asp

    Microsoft has an excellent free downloadable guide called Anti Virus in
    Depth if you want to learn more about malware, how to protect yourself from
    it, and what to do if you get it that is geared toward system admins and
    power users. --- Steve

    http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx


    "Cacique" <cacique83@hotmail.com> wrote in message
    news:d67g53$h8j$1@inews.gazeta.pl...
    > Thanks, guys, for the help. I download Ad-Aware and Search and Destroy
    > and they found all kinds of junk on the system. I have cleaned up most of
    > the spyware using those two programs.
    >
    > I have also visited symantec.com and did an online scan it detected the
    > W32.HLLW.Gaobot worm in many different files. I had already deleted the
    > executables in question, but I think it's likely, based on the description
    > of this virus, that it had placed them there. I am currently searching
    > for the best antivirus tool to use to get rid of it. Symantec has a
    > removal tool for some of the Gaobot variants, but unfortunately, it
    > doesn't clean off the one on my system. Maybe McAfee or Trend has
    > something. I'll keep searching. At any rate, I guess I'll bite the bullet
    > and buy an AV program to keep these things under control, and run the
    > adware programs regularly.
    >
    > Thanks again.
    >
    >
    >
    > "Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
    > news:OS7oFsMWFHA.2472@TK2MSFTNGP10.phx.gbl...
    >> It could "just" be a computer on your network infected with a virus that
    >> has the ability to spread via Windows NetBIOS file shares. Such viruses
    >> commonly put malware executables on the root of a Windows server file
    >> share, and the file names below can be common. To know for sure, scan
    >> them with an up to date antivirus scanner and then look up how that
    >> virus spreads in the virus encyclopedia on your antivirus vendor's web
    >> site. The easiest way is to go to www.virustotal.com and submit the
    >> files there, you get an answer back immediately using a dozen different
    >> scanners.
    >> http://housecall.antivirus.com should also be able to identify those
    >> files using TrendMicro AV.
    >>
    >>
    >> "Cacique" <cacique83@hotmail.com> wrote in message
    >> news:d64jsu$1q1$1@inews.gazeta.pl...
    >> > I have a Win2K box behind a router, networked with an iMac and a Linux
    >> > box. I have 4 shared folders on the Win2K box that I access from the
    >> > iMac and the Linux box.
    >> >
    >> > The other day I checked the contents of my shared folders and saw that
    >> > in the root directory of each shared folder there were a bunch of
    >> > executable files. I didn't put them there. The files were:
    >> >
    >> > casvc.exe, ggtb32.exe, hqisvc32.exe, macdwXM.exe, prcview.exe,
    >> > regsvc32.exe, testfile, wmp9.exe, mssqlXP16.exe, srtsr32.exe,
    >> > crss.exe, svchost.exe, sdvhost.exe, stisvc32.exe, znksvc32.exe
    >> >
    >> > Has someone broken into my system and placed these files in my shared
    >> > directories? If so for what purpose? I thought the router would keep
    >> > the hackers out, but what I should I do now if people can get into my
    >> > system?
    >> >
    >> > Thanks.
    >> >
    >> >
    >>
    >>
    >
    >
  6.

    In news:Ox4dRhWWFHA.1796@TK2MSFTNGP15.phx.gbl,
    Steven L Umbach <n9rou@nospam-comcast.net> had this to say:

    My reply is at the bottom of your sent message:

    > Microsoft has an excellent free downloadable guide called Anti Virus
    > in Depth if you want to learn more about malware, how to protect
    > yourself from it, and what to do if you get it that is geared toward
    > system admins and power users. --- Steve
    >
    > http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx

    I snipped out the good stuff but wanted to say thank you. I'd never come
    across that. It looks to be an interesting read actually. Much obliged.

    Galen
    --

    "And that recommendation, with the exaggerated estimate of my ability
    with which he prefaced it, was, if you will believe me, Watson, the
    very first thing which ever made me feel that a profession might be
    made out of what had up to that time been the merest hobby."

    Sherlock Holmes
  7.

    Hi Galen

    Wow. I can't believe an inquisitive guy like you had not seen that guide
    before. I think it is well worth reading as it goes beyond the usual detect
    and clean type guides. --- Steve


    "Galen" <galennews@gmail.com> wrote in message
    news:O1IsvWmWFHA.2540@tk2msftngp13.phx.gbl...
    > In news:Ox4dRhWWFHA.1796@TK2MSFTNGP15.phx.gbl,
    > Steven L Umbach <n9rou@nospam-comcast.net> had this to say:
    >
    > My reply is at the bottom of your sent message:
    >
    >> Microsoft has an excellent free downloadable guide called Anti Virus
    >> in Depth if you want to learn more about malware, how to protect
    >> yourself from it, and what to do if you get it that is geared toward
    >> system admins and power users. --- Steve
    >>
    >> http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
    >
    > I snipped out the good stuff but wanted to say thank you. I'd never come
    > across that. It looks to be an interesting read actually. Much obliged.
    >
    > Galen
    > --
    >
    > "And that recommendation, with the exaggerated estimate of my ability
    > with which he prefaced it, was, if you will believe me, Watson, the
    > very first thing which ever made me feel that a profession might be
    > made out of what had up to that time been the merest hobby."
    >
    > Sherlock Holmes
    >
  8.

    In news:OEpFVFpWFHA.2128@TK2MSFTNGP15.phx.gbl,
    Steven L Umbach <n9rou@nospam-comcast.net> had this to say:

    My reply is at the bottom of your sent message:

    > Hi Galen
    >
    > Wow. I can't believe an inquisitive guy like you had not seen that
    > guide before. I think it is well worth reading as it goes beyond the
    > usual detect and clean type guides. --- Steve

    Well, there's an awful lot of content on the internet. I've tried my best to
    read it all (which is why I have no life) but that one seems to have escaped
    me. I expected it to be a watered down base security guide aimed
    specifically at malware threats. It turns out that it's fairly accurate, and
    has even been updated within the past year.

    I've checked its online version (downloading it requires registering, which
    I happily did but received no confirmation link) and found chapter three to
    be quite interesting. They gave the reasons to avoid multiple AV scanners
    running at the same time. I think that the article would make a decent
    PowerPoint presentation and am amazed that someone had the idea to include
    physical security steps as well.

    Good stuff. I'll probably have to try the registration process again just to
    be able to download it. I have the MSDN subscription content from that time
    but I don't have TechNet I'm afraid. Maybe I'll order that one of these
    days.

    Galen
    --

    "And that recommendation, with the exaggerated estimate of my ability
    with which he prefaced it, was, if you will believe me, Watson, the
    very first thing which ever made me feel that a profession might be
    made out of what had up to that time been the merest hobby."

    Sherlock Holmes