An Uninvited Guest


#1 dannyboy 950


Posted 09 January 2006 - 07:12 PM

I thought I had got rid of this person but he has been logging on again and changing settings.

Ok, to begin with I use XP Home SP2 on this machine, Sygate Pro firewall, AVG, A2, Ewido, Process Guard, Spybot S&D, SpywareBlaster and Spyware Guard. All up to date and run regularly. CCleaner, CWShredder and HijackThis, as well as several management and TCP tools.

This computer is a stand-alone outside my LAN: no ICS enabled, no NetBIOS, no network shares, no file and print sharing, no other networking enabled other than what's needed for a direct connect to a RR cable modem. Now I do have a bad habit of leaving it on all the time, so I check my event and security logs daily.

I am seeing successful logons and privileges being established at times when no one is on the computer. Apparently I have a RAT well hidden.
Now I follow Black Viper's and the NSA's disable list of processes. Primarily DCOM, RPC, Remote Desktop and Remote Assistance are all disabled, along with File and Print Sharing etc. All unnecessary services are disabled or manual. Only my AV and firewall and Windows Updates are automatic.

Now what I am wondering is, if I used TrueCrypt or something and encrypted the entire drive, would he still be able to access his back door?
I really don't want to have to nuke this thing; it came with no CDs. I have done 2 system restores and 1 system recovery but he still gets in.

I would appreciate any ideas or comments.

#2 someguy3211111

Posted 09 January 2006 - 09:02 PM

The best thing in any scenario is to be prepared beforehand; a reinstallation would be your best bet. Put all your security software back on and update everything. Then you could do a complete backup of your computer and burn it to a DVD-R. That way, should you run into this issue, you can always bounce back quickly. If you are wanting another shot at looking for hidden malware on your computer you could try this product: http://www.sysinternals.com/Utilities/RootkitRevealer.html. Those would be my suggestions/opinion...

#3 phawgg

Posted 09 January 2006 - 10:16 PM

Malware varies in how it affects the operating system.
The complete package of security-related apps you run,
and the level of comprehension you as a user demonstrate,
leads me to suggest focusing in on searching for
information published that matches the keywords of your
problem... unauthorized (unidentified, illegal, random, spontaneous) logons
not executed at the physical location of the PC.

It will take some time googling for clues, but nonetheless that
is what I'd encourage. I have no other easy answer to what
would be an unnerving reality.

A used PC with no CDs can sometimes be too much of a challenge to warrant
putting more time (and the money that kinda implies) into it ...
comparing the total cost of replacement with a modest,
non-cutting-edge PC which, by its role in your overall picture, need not be
fancy, just not irreversibly infected with something that escapes your Sygate features
of blocking both in & out of PC online connections to select software (or services) and
also eludes detection by a multiple-layer defense software suite, updated ...
patiently patrolling, plenty of persistent pests n' problems ...

#4 dannyboy 950

Posted 10 January 2006 - 06:14 PM

Thanks for the replies. This has just been the latest in a long-running battle.
I have run RootkitRevealer several times and numerous online scans, AV and AT.

Here are some log excerpts and a little more info.

Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 849
Date: 1/8/2006
Time: 4:07:44 PM
User: NT AUTHORITY\SYSTEM
Computer: LINDA
Description:
An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Remote Assistance
Path: %windir%\system32\sessmgr.exe
State: Enabled
Scope: All subnets

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This is supposed to be disabled. If I ain't turning it on, who is?

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 1/8/2006
Time: 4:07:43 PM
User: NT AUTHORITY\SYSTEM
Computer: LINDA
Description:
The Remote Access Connection Manager service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Was not me

Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6006
Date: 1/8/2006
Time: 4:05:59 PM
User: N/A
Computer: LINDA
Description:
The Event log service was stopped.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ff 00 00 00 ...
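The three excerpts above form a recognisable sequence: the Event Log service stops (6006), then a service is started (7035) and a firewall exception is enabled (849) within two minutes, with nobody at the keyboard. The following is an added example, not code from this thread or from any tool mentioned in it: it parses Event Viewer text exports in the layout quoted above and reports every 6006 that is followed by a 7035 or 849 inside a short window. The sample text, the reduced field set and the five-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the XP Event Viewer text-export layout, cut down to the
# fields the parser reads; values mirror the three events quoted in the post above.
SAMPLE = """\
Event ID: 849
Date: 1/8/2006
Time: 4:07:44 PM
Description:
An application was listed as an exception when the Windows Firewall started.

Event ID: 7035
Date: 1/8/2006
Time: 4:07:43 PM
Description:
The Remote Access Connection Manager service was successfully sent a start control.

Event ID: 6006
Date: 1/8/2006
Time: 4:05:59 PM
Description:
The Event log service was stopped.
"""

def parse_events(text):
    """Return (timestamp, event_id, description) records, oldest first."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(Event ID|Date|Time): (.+)$", block, re.M))
        desc = block.split("Description:\n", 1)[1].splitlines()[0].strip()
        ts = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append((ts, int(fields["Event ID"]), desc))
    return sorted(events)

# The sequence the post shows: logging stopped (6006), then a service started (7035)
# and a firewall exception enabled (849) while nobody was at the keyboard.
LOG_STOPPED, SERVICE_START, FW_EXCEPTION = 6006, 7035, 849

def find_suspicious_chains(events, window=timedelta(minutes=5)):
    """For each 6006, collect 7035/849 events that follow it within `window`."""
    chains = []
    for i, (ts, eid, _) in enumerate(events):
        if eid != LOG_STOPPED:
            continue
        followers = [e for t, e, _ in events[i + 1:]
                     if t - ts <= window and e in (SERVICE_START, FW_EXCEPTION)]
        if followers:
            chains.append((ts, followers))
    return chains
```

Running `find_suspicious_chains(parse_events(SAMPLE))` on the sample returns one chain, the 4:05:59 PM log stop followed by 7035 and 849; on a real export the same check can be pointed at any gap in logging rather than only at these three IDs.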