A uninvited guest

I thought I had got rid of this person but he has been logging on again and changeing settings.

Ok to begin with I use XP Home SP2 on this machine,Sygate Pro firewall;AVG;A2;Ewido;Process Guard;Spybot S&D;SpywareBlaster and Spyware Guard. All up to date and run regularly. Ccleaner and CWshredder and Hijack this.As well as several management and TCP tools.

This computer is a stand alone outside my Lan, no ICS enabled, no net bios, no network shares, no file and print shareing,no other networking enabled other than whats needed for a direct connect to a RR cable modem. Now I do have a bad habit of leaveing it on all the time. So I check my event and security logs daily.

I am seeing successfull logons and privelages being established at times when no one is on the computer. Apparently I have a RAT well hidden.
Now I follow Black Vipers and the NSA's disable list of processes. Primary is DCom;RPC;RemoteDesktop and assistance all disabled along with File and print shareing etc. All unnecessary services are disabled or manual. Only my AV and Firewall and windows updates are automatic.

Now what I am wondering if I used Truecrypt or something and encryped the entire drive would he be able to still access his back door.
I really don't want to have to nuke this thing, it came with no CD's I have done 2 system restores and 1 system recovery but he still gets in.

I would apreciate any ideas or comments.

 

Have you tried any 'outside' scans from an Online vendor.

Kaspersky
Symantec
TrendMicro's Housecall..

That would be my first stop for sure, as an outside scan may indicate something your own apps are not seeing.

http://housecall.trendmicro.com/
http://security2.norton.com/sscv6/default.asp?langid=ie&venid=sym
http://www.kaspersky.com/virusscanner
.....to name a few.

Definitely do this first, otherwise a HijackThis log posted at a forum which does them [NOT here, no longer do HJTs] https://www.wilderssecurity.com/showthread.php?t=42148

Cheers, TAS

 

There's also the rootkit detectors - IceSword, Blacklight, RootKit Revealer, and Unhackme <I think>. Not sure if there are any more out there.

 

Along with some of the above recommendations I would try downloading and running the free trial of Security Task Manager http://www.neuber.com/taskmanager/index.html and look for anything suspicious. It can find all kinds of hidden malware.

Then I would run some of those rootkit checkers mentioned by Vikorr. They all are free or have fully functional free trials. I would recommend running at least RootkitRevealer, Blacklight beta and Unhackme.

I would also considering running a good anti-keylogger as well. Spycop is a good one. But it's not free. STM and some of the rootkit detectors, in combination, will find a lot of keyloggers too, so you could just run them instead of Spycop. But I what I would be looking for are rootkits and keyloggers, because it sounds like you could have one.

It does seem strange that a keylogger could get past ProcessGuard, but I suppose it's possible. If it was just a regular Rat trojan I would think your AV or Ewido should have caught it, so it sounds like it could be something more sinister, maybe a rootkit. I would consider getting a better AV than AVG anyway. I don't think it's too strong at Rat trojan detection.

Hth.

 

something to find out. what processes/modules [dlls] do you have running on your system....

Download this ProcX [standalone, no install] and it will give a complete list of what's running and if anything you don't know about, try a search via right click option.... no matter what the proggie, if it's 'running' it has to show up somewhere.

http://www.ghostsecurity.com/index.php?page=procx

It's a brilliant little proggy from Ghost Security, authored by gkweb a member here for GS.

TAS

 

I have to put in my two cents, everything of course is true what Tassie Devils and the others say, however let me share a couple other things. I know I am not expert in a sense but I know this: Sygate used to be the schiznic, I used it for like a year and everything seemed perfect, but something happened and people can say I'm paranoid but now I am friends with a real-deal blackhat and he confirmed my suspicions. Hopefully everyone agrees that Symantec is one of the most if not the most targeted security companies by hackers, of course if you don't believe me think about it, if you crack open an application which is your means of uninvited remote entry then do you want an application that 500,000 people use or something like Norton that say (I really don't know how many) 50million people use. I hope you understand. Symantec acquired Sygate firewall technlogies for use with norton, correct? Now I was racking my brain trying to figure out why when I had my computers locked down tight like you Dannyboy 950 why I am seeing bytes coming and going when I pulled up this connection properties box for a usually untampered look at your traffic, at least an indication of it occuring but not an actual look at the packets. Anyhoo, I just like many others are hurt to have to let go of certain technologies that you go to trust but It happens and you must move on to technologies which are at least good for right now like eset nod32 or antivirus personal edition (the one with the red umbrella or blue if you want premium) instead of AVG as this is not reliable like I used to think either, trust me on this man. Then you must really decide yourself which firewall, I personally use zone-alarm's triple defense without the antispyware and antivirus sometimes with.(the trial version is only two weeks for the zone-alarm security suite, but I wipe my hard drive every two weeks anyway) Your choice of firewall is very important as my friend has told me about all kinds of hacks for firewalls like funky combinations of flags on packets and FTP and tricking the connection tracking component the firewall uses to monitor connections and connection attempts. Dannyboy I hope you read all this, you are so on time with the black viper suggested services running, you just need to change your firewall and anti-virus. If I were you I would go get clean installs of process guard, wormguard, oh yeah and use opera, if you must use IE put Spywall from majorgeeks.com on there, and try zone alarm security suite for two weeks if you don't want to buy then just reformat every couple weeks It's not that bad considering you're saving your identity from getting stolen from some dude in malaysia or indonesia. One last thing this could be the most important, is your IP address static or dynamic, you know that there is broadband I know for sure where they get a new Ip address every day, but usually with anythin other than dial-up you have a permanent IP address, get this changed after you wipe your hard drive as once the cracker has it you are through pretty much no matter what security you have if he's hard enough.

 

Hi,
A question: Did you install all these before or after you got hit?
How do you know you got hit? Have you by chance removed lots of spyware recently? Having a RAT only and nothing else is not typical. Mind posting your HJT in an appropriate forum?
Emir: I did not follow what you said about Sygate. Something happened? When and where?
Mrk

 

Thanks for the interest.

Now I have been running my security apps since they first came out. Beta tested most of them. I also run online scans regularly both AV and AT.

I saw that rootkitrevealer had a new version so I uninstalled my old one and installed it. Saved the file but it wanted to put it in the system32 folder.??
I put it in documents instead but now I can't find it LOL

Here are a few events I will post more as I have time to sort thru and filter only the relevent, will take a lil while I run biggggg logs.

Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 849
Date: 1/8/2006
Time: 4:07:44 PM
User: NT AUTHORITY\SYSTEM
Computer: LINDA
Description:
An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Remote Assistance
Path: %windir%\system32\sessmgr.exe
State: Enabled
Scope: All subnets

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This is supposed to be disabled. If I ain't turning it on, who is.

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 1/8/2006
Time: 4:07:43 PM
User: NT AUTHORITY\SYSTEM
Computer: LINDA
Description:
The Remote Access Connection Manager service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Was not me

Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6006
Date: 1/8/2006
Time: 4:05:59 PM
User: N/A
Computer: LINDA
Description:
The Event log service was stopped.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ff 00 00 00 ÿ...

Thanks for the help. I will continue digging.

 

Unless I missed it. What settings have been changed by this supposed RAT? Just reading briefly, I suspect nothing is wrong.

 

From what's been posted, there is nothing wrong. Just normal SYSTEM account activity.

Blue

 

Hi,
Like I said - having a RAT only and nothing else is not typical. These things come bundled or arhorseback as payload with some dropper or such. Having a beautiful undetectable RAT on and nothing else can most likely only come from direct physical access.
Mrk