
Internal privacy breach [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by Fitz, 2005/12/21.

  1. 2005/12/21
    Fitz

    Fitz Inactive Thread Starter

    Joined:
    2002/03/05
    Messages:
    128
    Likes Received:
    0
    This is a rather odd problem which has just appeared. I can suddenly see into the folders of the three other users of my PC where I haven't been able to do so before. Although I am the principal user and "Owner" of the PC, I am not comfortable with this, and neither are they.
    We still continue to log in using our passwords, but I can see their folders.

    Is there any explanation for this, and can we revert to the situation as it was before?
    I run XP Home Edition NTFS system with Private settings checked.
    As a temporary stopgap measure I've changed the other accounts to "Limited" and left my own as Administrator so I can still see the other accounts but they cannot see mine. However, I am still not comfortable with the situation and still have no idea how this has happened. How and why could any virus do this?

    Here is my HJT log:-
    Logfile of HijackThis v1.99.1
    Scan saved at 08:19:28, on 21/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis(2).zip\HijackThis.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Shaitan1678] powerdll.exe
    O4 - HKLM\..\Run: [prcmon] systemdll.exe
    O4 - HKLM\..\Run: [dmxed.exe] C:\WINDOWS\system32\dmxed.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
     
    Fitz,
    #1
  2. 2005/12/21
    Fitz

    Fitz Inactive Thread Starter

    I should add that there is one anomaly which may give a clue as to what might have happened:-
    I ran my AVG Virus test and got this odd line which hadn't appeared before:-
    C:\Windows\system32\dmysv.exe Reading error error
    I looked up dmysv.exe on Google and on the MS Knowledge database and there were no entries. Nobody seems to have heard of it or have any idea what it does.
    I have never seen a "Reading error" fault either. Maybe this is what might have gone wrong.
     
    Fitz,
    #2


  4. 2005/12/21
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
  5. 2005/12/21
    Fitz

    Fitz Inactive Thread Starter

    Thanks for that.
    I'm very nervous about altering registry but will follow the guidelines.
    This has been very helpful.
    Whether it works or not is hard to say because, apart from enabling me to see other users' folders, there has been no sign of any other problem or anomaly.
     
    Fitz,
    #4
  6. 2005/12/21
    TonyT

    TonyT SuperGeek Staff

    well, it could just be that there was nothing on the comp that interested the intruder!
     
  7. 2005/12/22
    Fitz

    Fitz Inactive Thread Starter

    Tony,
    That's more than likely!
    Do intruders like this sit and actively hunt through individuals' PCs, or do they send out "crawler" programmes to infiltrate a large number of PCs and await results?

    I took a look at the article about the Registry and found that my own Registry did not contain a "RunServices" folder, nor did it contain any modified version of Rundll32.exe.
     
    Last edited: 2005/12/22
    Fitz,
    #6
  8. 2005/12/22
    TonyT

    TonyT SuperGeek Staff

    The RunServices registry changes it makes are made on win98 & ME systems, not nt systems like win2k or xp. However, other registry changes ARE made on nt systems, such as O4 - HKLM\..\Run: [Shaitan1678] powerdll.exe. Fixing w/ HijackThis removes those registry values. (hjt also makes a backup just in case one screws up.)

    Hackers will usually wait for the trojan to notify them that it is up & running, or in some cases, they will scan a range of ip address looking for the open port that the trojan utilizes for its connections. The hacker may find a thousand infected computers all at once and one by one explore them. The scan is done using a general port scanner.
     
  9. 2005/12/22
    Fitz

    Fitz Inactive Thread Starter

    Hacking sounds like a sordid business and is probably impossible to eliminate; it generally reflects a viler uglier side of human nature, but nothing new there.
    Have run HJT again and eliminated those exe files as you suggested.

    I suppose my main aim and concern is to ensure that my PC is now no longer open to the hacker's marauding activity. I seem to have read that having a wireless router is a stronger means of security than a modem, but obviously only once the trojans have been eliminated... this all sounds very military!

    Many thanks
     
    Fitz,
    #8
  10. 2005/12/22
    Fitz

    Fitz Inactive Thread Starter

    There is one remaining item which is still not right.
    Each time I run HJT I get a different and strange exe file in the 04 section
    This time it's:-
    O4 - HKLM\..\Run: [dmrci.exe] C:\WINDOWS\system32\dmrci.exe
    I'll eliminate this as I have done several times with similar files with HJT each time, and another odd one replaces it next time I reboot and then run HJT, which indicates some residual strange activity.
    When I then run a virus check, using AVG, the same file will then show up in C:\Windows\system32 as a "reading error".

    Logfile of HijackThis v1.99.1
    Scan saved at 15:26:25, on 22/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe "
    O4 - HKLM\..\Run: [dmrci.exe] C:\WINDOWS\system32\dmrci.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
     
    Last edited: 2005/12/22
    Fitz,
    #9
  11. 2005/12/22
    Fitz

    Fitz Inactive Thread Starter

    OK. Just to round this off and in the spirit of spreading knowledge, information, and solutions, I have now slimmed down all the startup programmes and, in so doing, have eliminated the original problems which were:-
    1. I could see other users' folders; now I can't, which is what I want
    2. There are no more curious exe files popping up as "04" entries in C:\Windows\system32

    This is the latest HJT log and you can see what I've eliminated between this and the last one. One or more of the files that I "fixed" via HJT was responsible for the original problems but I don't know which one it was. Perhaps a more expert eye could discern which of the 016 entries was the culprit.

    Logfile of HijackThis v1.99.1
    Scan saved at 18:04:46, on 22/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [adiras] adiras.exe
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
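    To make the "what did I eliminate between this log and the last one" comparison mechanical, and to show why TonyT singled out lines like [Shaitan1678] powerdll.exe, here is an added example of my own (it is not part of this thread and not part of HijackThis). It parses the HKLM/HKCU Run lines from two of the logs posted above, reports which entries disappeared between scans, and marks entries for manual review using two heuristics I chose from the pattern visible in these logs: a bare file name with no directory (resolved through PATH at logon, whereas installers normally write a full path) and a value name that is just the file name (the shape of the rotating dm*.exe entries). The allowlist seeded with ctfmon.exe, a legitimate Windows component of that shape, is my assumption and would need extending for another machine.

```python
"""Triage and diff the registry Run (O4) entries of two HijackThis logs.

Added example; not part of the forum thread nor of HijackThis itself.
The log excerpts are quoted from the first (21/12/2005 08:19) and last
(22/12/2005 18:04) logs posted in the thread.  The review heuristics and
the KNOWN_GOOD allowlist are the example author's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Only registry Run lines are parsed; the "O4 - Startup:" shortcut lines have a
# different shape and are skipped.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# Analyst-maintained allowlist (assumption): value names that legitimately
# equal their file name.  ctfmon.exe is a Windows component of that shape.
KNOWN_GOOD = {"ctfmon.exe"}


@dataclass(frozen=True)
class RunEntry:
    hive: str      # HKLM or HKCU
    name: str      # registry value name, shown by HJT in [brackets]
    command: str   # value data, i.e. the command line run at logon

    @property
    def image(self) -> str:
        """Executable path: the quoted token if present, else the first token."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return (cmd[1:end] if end > 0 else cmd[1:]).strip()
        return cmd.split(" ", 1)[0]

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_o4(log: str) -> list[RunEntry]:
    """Extract every HKLM/HKCU Run entry from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["cmd"]))
    return entries


def triage(entry: RunEntry) -> list[str]:
    """Reasons an entry deserves manual review; empty list means nothing odd."""
    reasons = []
    if "\\" not in entry.image:
        reasons.append("bare file name resolved via PATH; verify which file actually runs")
    if entry.name.lower() == entry.basename and entry.basename not in KNOWN_GOOD:
        reasons.append("value name equals file name; matches the rotating dm*.exe pattern")
    return reasons


def diff_o4(old_log: str, new_log: str) -> tuple[list[RunEntry], list[RunEntry]]:
    """(removed, added) Run entries between two logs from the same machine."""
    old, new = set(parse_o4(old_log)), set(parse_o4(new_log))

    def sort_key(e: RunEntry):
        return (e.hive, e.name)

    return sorted(old - new, key=sort_key), sorted(new - old, key=sort_key)


# Excerpts quoted from the thread's logs (not constructed).
LOG_2005_12_21 = r"""Logfile of HijackThis v1.99.1
Scan saved at 08:19:28, on 21/12/2005
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Shaitan1678] powerdll.exe
O4 - HKLM\..\Run: [prcmon] systemdll.exe
O4 - HKLM\..\Run: [dmxed.exe] C:\WINDOWS\system32\dmxed.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

LOG_2005_12_22 = r"""Logfile of HijackThis v1.99.1
Scan saved at 18:04:46, on 22/12/2005
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for e in parse_o4(LOG_2005_12_21):
        print(f"{e.hive} [{e.name}] {e.image}: {'; '.join(triage(e)) or 'ok'}")
    removed, added = diff_o4(LOG_2005_12_21, LOG_2005_12_22)
    print("removed:", [e.name for e in removed])
    print("added:", [e.name for e in added])
```

    Run against the two excerpts, the diff lists MimBoot, QuickTime Task, Shaitan1678, prcmon and dmxed.exe as removed and MMTray as added, which matches what was fixed between the scans; the triage flags adiras, Shaitan1678 and prcmon for the bare-name rule and dmxed.exe for the name-equals-file rule, while the allowlisted ctfmon.exe and the full-path entries pass. A "review" flag is a prompt to look at the file on disk (publisher, signature, timestamp), not a verdict; adiras.exe, for instance, was left alone in the thread.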
     
  12. 2005/12/22
    TonyT

    TonyT SuperGeek Staff

    Not sure what it was, but you should also:
    0. config folder options to show hidden & protected os files
    delete:
    1. all folders & files in c\docs & settings\username\local settings\temp
    2. c\windows\temp
    3. all folders & files in c\docs & settings\username\local settings\temp internet files
    turn off system restore, reboot and turn it back on. (deletes restore points that could contain malware)
    4. do a scan with an online av service or an anti trojan scanner such as The Cleaner from www.moosoft.com. (free 30 day trial)
    5. post a new log after above is done if have any problem still.
     
  13. 2005/12/23
    Fitz

    Fitz Inactive Thread Starter

    Thanks for that Tony.
    I've found out a little more about PC security from this little episode. I won't bother displaying the latest HJT log as it's looking lean and problem-free now, and there don't appear to be any more recurring strange exe-files in Windows\System32.
    One thing that really annoys me is these free-scan spyware programmes that allegedly find shedloads of malware on your PC... they really should be banned.
     
