Thread: Was i hacked?

    thedillinger

    Last night i was using my PC and all seemed fine.
    But today i turned it on and when i logged into windows, opened internet explorer and after the internet explorer became visible on screen i was asked to supply the zonealarm password.
    This has never happened to me before, as i have technically done nothing that would require me to need to enter it.
    I received no pop up by zonealarm in the bottom right of the screen telling me that a program was doing anything strange.
    I did not enter the zonealarm password because i felt that it should not have asked me to do so... Is something trying to change the settings of zonealarm?
    anyway i restarted my pc and i can't remember exactly when but in windows or just before i logged in i got a blue screen in the background with various text that automatically restarted my computer.
    When i logged in now i opened zonealarm and checked the logs... well i noticed that the number of alerts, for both standard and high alerts under blocked intrusions in the overview tab was up by quite a lot but this is normal for that to happen... but in the log (firewall) it was completely empty... i have never gone into the logs (that defaults to firewall) and found them completely empty before.
    Slowly but surely the firewall logs start to increase again as i watch.
    Now i take a look in OS Firewall logs which has only 1 alert in it from today, i don't check these logs regularly so i can't say if there should be more.
    This one OS Firewall log says: High, gives a recent time of within the last 20 minutes so must have happened on one of my log ins to the pc today. Type: Process, Subtype: Spawn process, Data: C:\WINDOWS\system32\rundll32.exe, Program: C:\WINDOWS\explorer.exe, Action taken: is blank, Count: 1.
    When i hover over the description it says "Windows Explorer was trying to launch C:\WINDOWS\system32\rundll32.exe, or use another program to gain access to privileged resources"
    I take a look in the program logs and there is just one alert in there for zlclient.exe which is connecting to an ip address and the destination dns is something like my internet service provider.
    I took a look in windows event viewer, i have set all logs to 5mb... There are no security or internet explorer logs, tbh i don't know if thats normal.
    There are application and system logs i can't see anything meaningful in them...
    some application logs to say
    "Windows saved user PC-1\x registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

    This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. For more information, see Help and Support Center at"
    though i have quite a number of those alerts.
    So do you think i was hacked?

    thedillinger

    I checked netstat from the cmd prompt and whilst no internet explorer windows or anything else were open i only found a connection to my ISP.
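    The one OS Firewall entry quoted above (Type: Process, Subtype: Spawn process, Data: rundll32.exe, Program: explorer.exe) is the kind of record worth triaging against a baseline of parent/child pairs rather than reading by eye. The script below is an added example and is not part of this thread or of ZoneAlarm; the comma-separated layout of the sample lines is an assumed layout that only mirrors the field names listed in the post, not ZoneAlarm's real log format, and the sample entries and the baseline set are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample entries in an ASSUMED layout mirroring the fields the post
# lists (Rating, Time, Type, Subtype, Data, Program, Action taken, Count).
# This is not ZoneAlarm's real log format; the paths are the example's own.
SAMPLE_LOG = """\
High,2005-12-10 09:41:12,Process,Spawn process,C:\\WINDOWS\\system32\\rundll32.exe,C:\\WINDOWS\\explorer.exe,,1
High,2005-12-10 09:42:03,Process,Spawn process,C:\\WINDOWS\\system32\\cmd.exe,C:\\Program Files\\Internet Explorer\\iexplore.exe,Blocked,1
Medium,2005-12-10 09:43:55,Process,Spawn process,C:\\WINDOWS\\system32\\notepad.exe,C:\\WINDOWS\\explorer.exe,,1
"""

# Parent -> child pairs treated as expected. explorer.exe -> rundll32.exe is the
# pair the thread calls normal; the notepad entry is an assumed baseline addition.
KNOWN_BENIGN = {
    ("explorer.exe", "rundll32.exe"),
    ("explorer.exe", "notepad.exe"),
}


@dataclass
class SpawnEvent:
    rating: str
    when: str
    child: str    # the program that was launched ("Data" field)
    parent: str   # the program that launched it ("Program" field)
    action: str   # "none" when the "Action taken" field is blank
    count: int


def basename(path):
    """Reduce a Windows path to its lower-cased file name for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text):
    """Parse the assumed comma-separated layout, keeping only Spawn process events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != 8:
            continue  # skip malformed lines instead of guessing at field positions
        rating, when, etype, subtype, data, program, action, count = fields
        if etype != "Process" or subtype != "Spawn process":
            continue
        events.append(SpawnEvent(rating, when, basename(data), basename(program),
                                 action or "none", int(count)))
    return events


def triage(events):
    """Split events into (benign, review): baseline pairs versus everything else."""
    benign, review = [], []
    for ev in events:
        (benign if (ev.parent, ev.child) in KNOWN_BENIGN else review).append(ev)
    return benign, review


if __name__ == "__main__":
    benign, review = triage(parse_log(SAMPLE_LOG))
    for ev in benign:
        print(f"normal : {ev.parent} -> {ev.child} ({ev.rating}, action={ev.action})")
    for ev in review:
        print(f"REVIEW : {ev.parent} -> {ev.child} ({ev.rating}, action={ev.action}) at {ev.when}")
```

    Run as-is it reports the explorer.exe -> rundll32.exe entry as normal and leaves only the browser-launches-a-shell entry for review; pointing `parse_log` at a real export would need the field order adjusted to whatever the firewall actually writes.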

    Dec 2005

    NO HACK!
    Feel better?
    Seriously, you were not hacked or invaded.

    But you do have windows or hardware issue. This caused the BSOD - and you should always write down the codes and the message. Check the windows directory for a dump file and have a look at it.

    Windows and rundll32 interactions are normal events, nothing unusual.

    Maybe the ZA tried to connect to the provider's dns server?
    You would have to give more details and the exact Flags involved and the destination port and the exact protocol involved. Plus list the other events around before and after that exact connection.

    Windows crashed - either on startup or had experienced a hard shutdown! Maybe both.
    Because if the ZA lost the logs (no logs) and the ZA setting got corrupted (asked for an unused password), then what it was using the hard memory of the computer for in your previous computer session was affected by windows or by some other application that gave windows the issues.
    Plus the windows's event viewer indicated a bad shutdown when it is saving the registry (think of the registry as one big .ini file for the entire operating system) and the memory was not freed (possible buffer overflow or just maybe a bad RAM memory card).

    Okay, next time write down all the codes and information of your BSOD (blue screen).
    Check windows directory for the dump logs (mini dump logs) for some indication of what happened.
    Check the WINDOWS\Internet Logs folder and see if there are any zips or a lspconfict file or some files to the effect of tvdump. I suspect there a few zip folders of good sizes to be found.
    You may have a hardware issue or a hardware driver issue.
    Or a corrupted windows or even a corrupted file system.

    First off:
    Do a system file check, then a disk check and a defrag and disk cleanup. This will help, if it is a windows issue. But it will not help any hardware issues. Then make sure windows is completely updated and fully patched.
    Then update your drivers or check the drivers- it is possible a driver is corrupted or needs to be updated.
    After all of that, then reset the ZA settings:
    - Boot your computer into the Safe Mode
    - Navigate to the c:\windows\internet logs folder
    - Delete the backup.rdb, iamdb.rdb, *.ldb and the tvDebug files in the folder
    - Clean the Recycle Bin
    - Reboot into the normal mode
    - ZA will be just like new with no previous settings or data

    Best regards.

    Dec 2005

    See above.
    You are not hacked but have your own troubles instead of somebody else's.
    Best regards.

    thedillinger

    Thanks for the advice, though i am still concerned as to what caused the loss of the logs in zonealarm but if you say i was not hacked then i guess i wasn't.
    The blue screen of death that i got was not like the bright blue screens i have got on previous operating systems that stay on the screen until you do something about it... the blue screen i got was a duller blue and flashed up and disappeared in less than a second, there was no way i could have noted down the information on it.

    Dec 2005

    All software firewalls work intensively with the memory and with their own files.
    Some files are for previous events and some are for active or ongoing and some of the files are for strictly references or conditions (rules, allowed/blocked events/processes/connections, etc) for the firewall to use when it starts up.
    But the active and previously active connections and the running processes as seen and controlled by a firewall are always held in the memory. Or in other words, what happened just a while ago and what is happening at that moment concerning the networking/internet is held in the memory - not in the files. It will write to file eventually, but not at that exact moment. Ever wonder why having a lot of connections and active processes or running a firewall with windows non stop (several weeks) makes almost every software firewall use more and more memory? Well now you know why.
    As far as I can tell, the ZA keeps things such as the previous/active connections in memory longer than any other firewall I have ever seen so far. This is good in some sense because previous events/connections are better tracked or traced and quite possibly better handled. On the other hand, if windows or some other program experiences issues (like a buffer overflow from a program/windows itself or some memory corruption from bad sectors in the memory cards), and the memory gets affected, then the ZA is directly affected and what it was doing gets corrupted. Hence your loss of the logs with your windows issue. There is no security risk as the firewall driver itself is hard coded to work within certain parameters/rules and not allow unauthorized connections - so the networking/firewalling is still safe from any unwanted trojan or malware connection attempts.
    If the ZA sees too many incoming connection attempts it will see this as a DoS and immediately "lock up" and block any incoming and outgoing connections. Seldom happens but it does - in this case a reset of the ZA database will stop the ZA from locking up and return it to normal.
    If the ZA gets attacked, the driver will either lock up and stop any connections or continue with the default rules and prevent any unauthorized incoming/outgoing connections (again stopping malware connection attempts). Again very secure and safe.
    You were safe and well protected by the ZA, but you do have some hardware/windows issues to look after and get fixed.

    If the screen flicked blue and you lost the desktop for a moment, then explorer.exe is involved and possibly quite a few other processes and some Windows dlls.
    If there was a game running at the time, just keep in mind many software games are poorly written and do have issues with windows. The better game vendors have better written games and these have fewer issues/glitches. Plus not all PCs are equipped properly for games or meet the games' specifications (directx10, shader 4, minimum memory or graphics processor, cpu speed, etc).

    Best regards.

