I'm Italian. I'm asking for help, thanks. The operating system is Windows 98. I did a scan on my client's PC with Norton and found 19 viruses. Three are very dangerous: Backdoor.Zinx, Backdoor.IRC.Flood, Hacktool.PWcrack. I enclose the full scan. My question is how can I prove that this computer has been the victim of a hacker who used these viruses? Thanks.
Statistiche scansione
Durata scansione 687 secondi
Opzioni scansione
Destinazioni scansione E\
Totali
Totale elementi sottoposti a scansione 44.350
- File e directory 44.350
- Voci del Registro di sistema 0
- Processi ed elementi di avvio 0
- Elementi di rete e browser 0
- Altro 0
- File attendibili 0
- File ignorati 60
Totale rischi per la sicurezza rilevati 19
Totale elementi risolti 16
Totale elementi che richiedono attenzione 3
Minacce risolte
Dialer.Generic
Tipo Anomalia
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Dialer
Stato Risolto completamente
———–
1 voce di registro
HKEY_USERS\S-1-5-21-1432768033-1017503496-2163245070-1000\Software\Netscape\Netscape Navigator\Viewers\->TYPE33audio/mid - Riparato
File 2
e\windows\system\ieacce~1.dll - Eliminato
e\windows\temp\icd1.tmp\lsdialer.exe - Eliminato
1 cache del browser
Suspicious.AD
Tipo Anomalia
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Virus euristico
Stato Risolto completamente
———–
File di 1
e\windows\livexxx.exe - Eliminato
1 cache del browser
Dialer.Generic
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Dialer
Stato Risolto completamente
———–
File di 1
[blacksat.exe] in [blacksat.zip] in [e\tarocco\piccard files\nicolaraglia_moscas208.zip] - Eliminato
Dialer.Generic
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Dialer
Stato Risolto completamente
———–
File di 1
[blacksat.exe] in [blacksat.zip] in [e\tarocco\fun 3in1\fun5in1v38satkoos30042002.zip] - Eliminato
Dialer.Generic
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Dialer
Stato Risolto completamente
———–
File di 1
[blacksat.exe] in [e\tarocco\fun 3in1\blacksat.zip] - Eliminato
Dialer.Generic
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Dialer
Stato Risolto completamente
———–
File di 1
[blacksat.exe] in [blacksat.zip] in [e\tarocco\fun 3in1\fun file dbox2 !!linux!! mit sd,cd und erotik, kabel, sat.zip] - Eliminato
Dialer.Generic
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Dialer
Stato Risolto completamente
———–
File di 1
[blacksat.exe] in [blacksat.zip] in [e\tarocco\firmware goald box\nicolaraglia_moscas208.zip] - Eliminato
Backdoor.Zinx
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Virus
Stato Risolto completamente
———–
File di 1
[multicamedit.exe] in [e\tarocco\nokia 9701s firmware e doc\multicam edit 2.4a.zip] - Eliminato
Hacktool.PWcrack
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Virus
Stato Risolto completamente
———–
File di 1
[wwwhack.exe] in [e\crak\wwwhack.zip] - Eliminato
Hacktool.PWcrack
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Virus
Stato Risolto completamente
———–
File di 1
[wwwhack.exe] in [e\crak\istruzioni webcrack40\wwwhack.zip] - Eliminato
Backdoor.IRC.Flood
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Virus
Stato Risolto completamente
———–
File di 1
[more_names.txt] in [e\crak\istruzioni webcrack40\wwwhack.zip] - Eliminato
Hacktool
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Virus
Stato Risolto completamente
———–
File di 1
[patch.exe] in [e\crak\istruzioni webcrack40\wwwhack.zip] - Eliminato
Trojan Horse
Tipo Compresso
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Virus
Stato Risolto completamente
———–
File di 1
[webcrack.exe] in [e\crak\paok.zip] - Eliminato
Hacktool.PWcrack
Tipo Anomalia
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Virus
Stato Risolto completamente
———–
File di 1
e\crak\wwhack\wwwhack.exe - Eliminato
1 cache del browser
Backdoor.IRC.Flood
Tipo Anomalia
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Virus
Stato Risolto completamente
———–
File di 1
e\crak\wwhack\more_names.txt - Eliminato
1 cache del browser
Hacktool
Tipo Anomalia
Rischio Alta (Alta Stealth, Alta Rimozione, Alta Prestazioni, Alta Privacy)
Categorie Virus
Stato Risolto completamente
———–
File di 1
e\crak\wwhack\patch.exe - Eliminato
1 cache del browser
Minacce non risolte
Adware.Cydoor
Tipo Anomalia
Rischio Medio (Basso Stealth, Basso Rimozione, Medio Prestazioni, Medio Privacy)
Categorie Adware
Stato Non eseguito
———–
File di 1
e\windows\system\cd_clint.dll - Nessuna azione intrapresa
1 cache del browser
Adware.NDotNet
Tipo Anomalia
Rischio Basso (Alta Stealth, Basso Rimozione, Basso Prestazioni, Medio Privacy)
Categorie Adware
Stato Non eseguito
———–
File di 1
e\windows\temp\newnet\kazaa-298.exe - Nessuna azione intrapresa
1 processo
C\Program Files (x86)\Internet Explorer\iexplore.exe - Nessuna azione intrapresa
1 cache del browser
Adware.NDotNet
Tipo Anomalia
Rischio Basso (Alta Stealth, Basso Rimozione, Basso Prestazioni, Medio Privacy)
Categorie Adware
Stato Non eseguito
———–
File 3
e\windows\ndnuninstall4_88.exe - Nessuna azione intrapresa
e\programmi\newdotnet\uninstall4_88.exe - Nessuna azione intrapresa
e\programmi\newdotnet\newdotnet4_88.dll - Nessuna azione intrapresa
1 processo
C\Program Files (x86)\Internet Explorer\iexplore.exe - Nessuna azione intrapresa
1 cache del browser
Three are very dangerous: Backdoor.Zinx, Backdoor.IRC.Flood, Hacktool.PWcrack.
Hmm, I've seen worse things.
My question is how can I prove that this computer has been the victim of a hacker who used these viruses? Thanks.
You need to provide far more details than what you provided.
Anyone using Windows 98 in 2010 is either a very expert geek or a complete computer non-expert that never updated his/her PC.
It is very likely that by removing the infections you also deleted any and all possible evidence.
HOW was the scan performed?
If the idea was to clean the system, Norton is not the *best* tool around and the fact that
Totale elementi sottoposti a scansione 44.350
- File e directory 44.350
- Voci del Registro di sistema 0
- Processi ed elementi di avvio 0
- Elementi di rete e browser 0
- Altro 0
- File attendibili 0
- File ignorati 60
Registry items, Autostart, etc. were not analyzed is not a very good sign.
Can you expand on the user of the system, your role, what the need is to "prove" the user was hacked into, to whom it needs to be "proved", etc.?
Do you have a forensically sound image of the disk from BEFORE the scan?
From the names of the few files you posted I can anyway give you a profile of the user (basic social engineering):
- Male
- 20-40 years old
- geekish
- interested in Satellite TV (and watching it without paying fees)
- not very fluent in English
- smart, but not particularly expert with PC's, their security and filesystems
As you can see, a description that may apply to a large number of people, and that makes him a not-so-likely target for a real hacker.
jaclaz
Thanks for your reply. Yes, I have an image of the hard disk. It is necessary to show that the system was breached by a hacker.
Thanks for your reply. Yes, I have an image of the hard disk. It is necessary to show that the system was breached by a hacker.
Best of luck with that, backdoors don't tend to log activity.
Thanks for your reply. Yes, I have an image of the hard disk. It is necessary to show that the system was breached by a hacker.
From the look of it, it is VERY unlikely.
I mean, the amount of things you report leads me - mind you, with NO evidence whatsoever - to think that it is an "average" system used by an "average" user with an "average" number of visits to *aheem* arguable sites, with a consequent "average" number of malware on it.
You have to understand that any malware an antivirus finds inside a .zip may have NEVER run on that system (and this may also apply to some of the .exe's).
This leaves, out of the 19 items you posted, very little.
But AGAIN, you did only a partial scan (BTW with just one antivirus, and one of the IMHO worst you can find around) and there are a great number of factors that you are not mentioning, and that may make the difference, like dates/times of the actual files and chronologies inside the Registry, "environment" and actual hardware (to give you another example, a "dialer" malware makes mostly NO sense if the PC was not connected to a modem and to a telephone line, and even if it was, it may not have been compatible with the Italian dialing system, and anyway better evidence would come from the telephone company).
Some of the files are related to hacking/modifying Satellite receivers; at least one is (seemingly) an actual hacking tool:
http//
Now, a (wannabe) hacker actually hacked?
Highly IMprobable, IMHO.
jaclaz
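To make jaclaz's point about archived items checkable, here is an added Python parser (not code from the thread or from Norton) run over a constructed excerpt in the same layout as the report pasted above. It separates hits that only ever existed inside a .zip from files that sat on the filesystem, and counts which ones the scan itself deleted, i.e. which now survive only on the pre-scan disk image.

```python
import re
from collections import Counter
# Constructed excerpt laid out like the Norton report above (labels/colon-less drives as posted).
SAMPLE_REPORT = r"""Minacce risolte
Backdoor.Zinx
Stato Risolto completamente
File di 1
[multicamedit.exe] in [e\tarocco\nokia 9701s firmware e doc\multicam edit 2.4a.zip] - Eliminato
Hacktool.PWcrack
Stato Risolto completamente
File di 1
e\crak\wwhack\wwwhack.exe - Eliminato
1 cache del browser
Minacce non risolte
Adware.Cydoor
Stato Non eseguito
File di 1
e\windows\system\cd_clint.dll - Nessuna azione intrapresa
"""

# "[member] in [archive] - action" means the hit only ever existed inside an archive;
# "drive\path - action" is a file that sat directly on the filesystem.
ARCHIVED = re.compile(r"^\[(?P<member>[^\]]+)\] in \[(?P<rest>.+)\] - (?P<action>.+)$")
ON_DISK = re.compile(r"^(?P<path>[A-Za-z]\\.+?) - (?P<action>.+)$")
# Report structure lines; any other line starting with a letter names the next threat.
HEADERS = ("Minacce ", "Tipo ", "Rischio ", "Categorie ", "Stato ", "File ", "HKEY_")

def parse_report(text):
    """One dict per file hit: threat, archived?, on-disk path (outermost archive), action."""
    hits, threat = [], None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if m := ARCHIVED.match(line):
            hits.append({"threat": threat, "archived": True, "member": m["member"],
                         "path": m["rest"].split("] in [")[-1], "action": m["action"]})
        elif m := ON_DISK.match(line):
            hits.append({"threat": threat, "archived": False, "member": None,
                         "path": m["path"], "action": m["action"]})
        elif line[0].isalpha() and not line.startswith(HEADERS):
            threat = line
    return hits

def summarize(hits):
    """Archived hits need never have run; 'Eliminato' files survive only on a pre-scan image."""
    tally = Counter()
    for h in hits:
        tally["archived" if h["archived"] else "on_disk"] += 1
        if h["action"] == "Eliminato":
            tally["deleted_by_scan"] += 1
    return tally
```

Feed the full pasted report to parse_report to see how few hits are stand-alone executables rather than archive members.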