Help ... Help ... Help ... Help ... Need Some Help Interpreting RootAlyzer Results !!



LawrenceGH
2008-05-09, 02:42
Please reply.:)

Thanks in advance!:bigthumb:

I am running Windows XP, SP 2 on a Pentium D Machine.


I have run two different versions of RootAlyzer and would appreciate your help in determining what it is that I've got here. Neither of the two versions showed anything in the quick scan. Both showed several results in the deep scan. I question some of the results from the 0.1.4 version which were apparently white listed in the 0.2 version, as some of them appear to be related to files which appear in the log results of the newer version.

Anyhow - here are the results from the 0.1.4 version:

:: RootAlyzer Results
File:"Unknown ADS","C:\RECYCLER\S-1-5-21-996095204-604344382-1343081832-1008\Dc85.pf:SummaryInformation:$DATA"
File:"Unknown ADS","C:\RECYCLER\S-1-5-21-2394979407-4146380186-3720718581-1008\Dc333.exe:SummaryInformation:$DATA"
File:"Unknown ADS","C:\RECYCLER\S-1-5-21-2394979407-4146380186-3720718581-1008\Dc336.exe:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2394979407-4146380186-3720718581-1008$201c62cfe381d56.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
Directory:"No admin in ACL","C:\System Volume Information"
Directory:"No admin in ACL","C:\USERDATA"
Directory:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2:$DATA"

Here are the results from the 0.2 version:

:: RootAlyzer Results
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2394979407-4146380186-3720718581-1008$201c62cfe381d56.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
Directory:"No admin in ACL","C:\USERDATA"
Directory:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2:$DATA"

A couple of the files appear to possibly be related to fax and phone.
I'm not so sure.

I'm also not so sure what the "C:\USERDATA" file is about, or the "All Users\Application Data\TEMP:DFC5A2B2:$DATA" file.

Do you know what the numeric sequence "1-5-21-996095204-604344382-1343081832" relates to?

I ask because I found some entries in my User Rights Assignments which have this same numeric sequence - except with a -1003 and -1004 at the end.
Do you have anyone who is adept at analyzing files of this type?
PepiMK?



Any and all help is greatly appreciated!

Thanks again,

LawrenceGH
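To see which of the 0.1.4 findings the 0.2 build no longer reports, the two pasted reports can be parsed and compared mechanically. The following is an added example, not RootAlyzer's own code or anything from the forum: the line format it assumes (`Kind:"reason","path"`) is inferred from the lines above, the ADS split relies on the NTFS `path:stream:$DATA` naming shown in them, and the SID pattern assumes the usual `S-1-5-21-...` account form.

```python
import re
from dataclasses import dataclass

# The two deep-scan reports exactly as pasted in the first post (nothing constructed).
REPORT_0_1_4 = r'''
:: RootAlyzer Results
File:"Unknown ADS","C:\RECYCLER\S-1-5-21-996095204-604344382-1343081832-1008\Dc85.pf:SummaryInformation:$DATA"
File:"Unknown ADS","C:\RECYCLER\S-1-5-21-2394979407-4146380186-3720718581-1008\Dc333.exe:SummaryInformation:$DATA"
File:"Unknown ADS","C:\RECYCLER\S-1-5-21-2394979407-4146380186-3720718581-1008\Dc336.exe:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2394979407-4146380186-3720718581-1008$201c62cfe381d56.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
Directory:"No admin in ACL","C:\System Volume Information"
Directory:"No admin in ACL","C:\USERDATA"
Directory:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2:$DATA"
'''

REPORT_0_2 = r'''
:: RootAlyzer Results
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2394979407-4146380186-3720718581-1008$201c62cfe381d56.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
Directory:"No admin in ACL","C:\USERDATA"
Directory:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2:$DATA"
'''

# One result line: Kind:"reason","path"  (format inferred from the lines above).
LINE_RE = re.compile(r'^(File|Directory):"([^"]*)","(.*)"$')
# An account SID embedded in a path, e.g. the per-user RECYCLER subfolders (assumed form).
SID_IN_PATH = re.compile(r"S-1-5-21(?:-\d+){4}")


@dataclass(frozen=True)
class Finding:
    kind: str    # "File" or "Directory"
    reason: str  # "Unknown ADS", "No admin in ACL", ...
    path: str    # path as printed; for ADS findings it ends in ":<stream>:$DATA"

    def ads(self):
        """Split an NTFS alternate-data-stream path into (host path, stream name)."""
        if not self.path.endswith(":$DATA"):
            return None
        host, stream = self.path[:-len(":$DATA")].rsplit(":", 1)
        return host, stream


def parse_report(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(*m.groups()))
    return findings


def dropped_between(old_text: str, new_text: str) -> list:
    """Findings reported by the older build but not by the newer one."""
    new = set(parse_report(new_text))
    return [f for f in parse_report(old_text) if f not in new]


def sids_in_paths(findings) -> list:
    """Distinct account SIDs that occur inside the reported paths."""
    return sorted({m.group(0) for f in findings for m in SID_IN_PATH.finditer(f.path)})


if __name__ == "__main__":
    for f in dropped_between(REPORT_0_1_4, REPORT_0_2):
        print("no longer reported by 0.2:", f.kind, f.reason, f.path)
    for f in parse_report(REPORT_0_1_4):
        if f.ads():
            host, stream = f.ads()
            print("ADS", repr(stream), "on", host)
    print("SIDs seen in paths:", sids_in_paths(parse_report(REPORT_0_1_4)))
```

Run as a script it lists the four entries (the three RECYCLER streams and System Volume Information) that 0.2 dropped, shows each stream name separately from its host file, and prints the two distinct account SIDs that occur in the RECYCLER paths, which share the trailing -1008 but differ in the three numbers before it.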

LawrenceGH
2008-05-11, 22:23
PepiMK:

I would deeply appreciate your comments and suggestions!

PepiMK
2008-05-13, 13:45
Let's see... only the 0.2 issues are of interest :)

The RAS (Remote Access Service) entry will be whitelisted in 0.2.x (the one after 0.2.0). I guess MS has removed std admin access to the file because malware might use it to steal accounts.

The TEMP:..... thing seems, according to what I found out so far, to be related to Microsoft Office, reappearing whenever you run an Office application even if you delete it. I have no idea why Microsoft thinks they need to hide this, but they do. This, I am going to whitelist (or at least document in this feature (http://forums.spybot.info/project.php?issueid=238)) as well.

As for the USERDATA folder, that does not show up on my test Vista; is your user account an admin account or a power user one?

LawrenceGH
2008-05-13, 18:00
I do know that the USERDATA folder is storing tracking cookies.

There are some entries in my User Rights Assignments which I do not recognize, such as:

Impersonate a client after authentication
1-5-21-996095204-604344382-1343081832-1003
1-5-21-996095204-604344382-1343081832-1004

Log on as a batch job
1-5-21-996095204-604344382-1343081832-1003
1-5-21-996095204-604344382-1343081832-1004
SUPPORT_3888945a0
SUPPORT_fddfa904

A number of my User Rights Assignments were set to allow for Users, Power Users, Guest and Everyone, which I changed to Authenticated Users.

I also specified:
SUPPORT_3888945a0
SUPPORT_fddfa904
In "Deny access to this computer" and
"Deny log on locally"

and specified
1-5-21-996095204-604344382-1343081832-1003
1-5-21-996095204-604344382-1343081832-1004
In "Deny log on through terminal service"

I know that my computer had been hacked about a year ago and I also had several bad pieces of spyware and viruses which were downloaded onto my system, including winfixer 2006.

I am still attacked at regular intervals by hackers.

I would appreciate any and all help in locating the software which is connected to that USERDATA folder.

Thank you for your comments,

LawrenceGH

PS - I may be an idiot - but I am a quick learner.;)
PPS - I am running Win XP SP2, not Vista - and not SP3 until some of the bugs are worked out!

LawrenceGH
2008-05-13, 20:51
When RootAlyzer locates this folder I get a pop-up box which says:

C:\USERDATA
(A;;FA;;;SY)
(A;OICIIO;GA;;;SY)
(A;;FA;;;S-1-5-21-2394979407-4146380186-3720718581-1008)
(A;OICIIO;GA;;;S-1-5-21-2394979407-4146380186-3720718581-1008)

I also get a pop-up box on the Remote Access Service which contains only one line, which I did not copy.

I hope that this helps to clarify things for you, as it does not mean much to me.

As a side note, I have turned off all other user accounts with the exception of the System Administrator account and I am the only one who has permission to log on to this system via password.

Thanks.:bighug:


Hope this helps,

LawrenceGH

PepiMK
2008-05-13, 20:58
Ah, sorry for the Vista assumption, I mixed that up with the C:\Users\ folder which is new on Vista! I had to google a bit about C:\UserData, and information is sparse, but it looks like this is a folder where information from C:\Documents and Settings\.... is moved after repairing Windows. If you have been using the repair mode, or did install Windows over a previous Windows installation, that might also explain the next issue.
(oh, and that folder might contain tracking cookies, since cookies are stored in there usually, but also tons of other user related information - maybe the ones from -1003 and -1004, again, see below:)


These long rows of numbers are an internal representation of users. The first user you create during installing your computer usually ends in -1001, so -1003 and -1004 are very likely the third and fourth user account created on your computer. Usually, Windows should be able to convert them into the real user names, but in case you have deleted those user accounts, Windows would only know those old IDs. There might be other cases, I've sometimes noticed Windows takes some time to change the display from the long number ID part to real names; or it's old orphaned user accounts from a Windows installation before you upgraded or did a repair installation maybe.

The user accounts starting with SUPPORT_ are those created by Windows' Remote Help System to allow a remote helper to log onto your machine. That's probably why they're flagged as "Deny log on locally" - which means they're strictly reserved for remote help.

On the other hand, you have this "Deny log on through terminal service", which means that these accounts are protected from logging in remotely, which usually makes sense as well, since the remote help accounts should be the only ones to be allowed remote connections (well, actually I wouldn't even allow them remote access until the point when I would need it).

Usually, Windows has standard user right assignments that are fine for most situations. What RootAlyzer looks for is just files that are not even shown to ANY "human user", since this is a method malware can easily use to hide itself from users searching for them.
Windows Vista started to use this itself for a few important files, but for the good purpose of hiding it from malware running "impersonated" as the user.
So, as with nearly all rootkit methods: they can be used for good as well as for bad purposes!

All in all, the question where this leads to would be whether your installation was a "clean one" (fresh/formatted harddisk), or a repair/update installation over an older Windows version?

Finally, re: PS: Idiots wouldn't ask questions ;)
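The SDDL lines in the C:\USERDATA pop-up and the long numeric IDs explained above can both be decoded mechanically. This is an added example, not RootAlyzer's code or the forum's: it parses SIDs (with or without the `S-` prefix, since the user-rights list omits it), pulls out the RID and the installation identifier, and parses each `(type;flags;rights;;;trustee)` ACE. The `admin_in_dacl` check is my approximation of what a "No admin in ACL" finding means (no allow ACE naming BUILTIN\Administrators), not RootAlyzer's actual rule, and the alias tables cover only the SDDL codes that appear in this thread plus a few neighbours.

```python
import re
from dataclasses import dataclass

# The DACL RootAlyzer showed for C:\USERDATA (copied from the post above),
# and the two account SIDs that appear in the first post's RECYCLER paths.
USERDATA_DACL = [
    "(A;;FA;;;SY)",
    "(A;OICIIO;GA;;;SY)",
    "(A;;FA;;;S-1-5-21-2394979407-4146380186-3720718581-1008)",
    "(A;OICIIO;GA;;;S-1-5-21-2394979407-4146380186-3720718581-1008)",
]
RECYCLER_SIDS = [
    "S-1-5-21-996095204-604344382-1343081832-1008",
    "S-1-5-21-2394979407-4146380186-3720718581-1008",
]

# Partial SDDL tables: only the codes that occur in this thread plus a few
# neighbours (assumption: a real tool carries the full Microsoft table).
TRUSTEE_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "WD": "S-1-1-0"}
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only"}
RIGHTS = {"FA": "file all access", "GA": "generic all", "FR": "file read", "GR": "generic read"}
RESERVED_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# Accept both "S-1-5-21-..." and the bare "1-5-21-..." form the user-rights list shows.
SID_RE = re.compile(r"^(?:S-)?(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]

    @property
    def is_account_sid(self) -> bool:
        # S-1-5-21-<a>-<b>-<c>-<RID>: an account or group created on a
        # particular machine or domain, as opposed to a well-known SID.
        return self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21

    @property
    def machine_id(self) -> tuple:
        # The three values between 21 and the RID identify the installation
        # (or domain) that issued the SID.
        return self.subauthorities[1:4] if self.is_account_sid else ()


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def describe_sid(text: str) -> str:
    sid = parse_sid(text)
    if not sid.is_account_sid:
        return "well-known SID"
    if sid.rid in RESERVED_RIDS:
        return RESERVED_RIDS[sid.rid]
    if sid.rid >= 1000:
        return f"account or group created on this installation (RID {sid.rid})"
    return f"other reserved RID {sid.rid}"


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: tuple
    rights: tuple
    trustee_sid: str


def _codes(s: str) -> tuple:
    # SDDL flag and right codes are two characters each, written back to back.
    return tuple(s[i:i + 2] for i in range(0, len(s), 2))


def parse_ace(text: str) -> Ace:
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"not an ACE: {text!r}")
    parts = text[1:-1].split(";")
    if len(parts) != 6:
        raise ValueError(f"expected 6 ';'-separated fields: {text!r}")
    ace_type, flags, rights, _object_guid, _inherit_guid, trustee = parts
    return Ace(ace_type, _codes(flags), _codes(rights), TRUSTEE_ALIASES.get(trustee, trustee))


def admin_in_dacl(aces) -> bool:
    # Approximation of RootAlyzer's "No admin in ACL" finding (assumption: the
    # real check may differ): does any allow ACE name BUILTIN\Administrators?
    return any(a.ace_type == "A" and a.trustee_sid == TRUSTEE_ALIASES["BA"]
               for a in map(parse_ace, aces))


def explain_ace(text: str) -> str:
    a = parse_ace(text)
    who = {v: k for k, v in TRUSTEE_ALIASES.items()}.get(a.trustee_sid, describe_sid(a.trustee_sid))
    flags = ", ".join(ACE_FLAGS.get(f, f) for f in a.flags) or "this object only"
    rights = ", ".join(RIGHTS.get(r, r) for r in a.rights)
    return f"{ACE_TYPES.get(a.ace_type, a.ace_type)} {rights} to {who} ({flags})"


if __name__ == "__main__":
    for line in USERDATA_DACL:
        print(explain_ace(line))
    print("administrators present:", admin_in_dacl(USERDATA_DACL))
    for s in RECYCLER_SIDS:
        print(s, "->", describe_sid(s), "machine id", parse_sid(s).machine_id)
```

For the C:\USERDATA DACL this reports SYSTEM and one locally created account (RID 1008) with full access and no entry for Administrators at all, which is exactly the condition the "No admin in ACL" label describes. The two RECYCLER SIDs parse to the same RID but different installation identifiers, i.e. they were issued by two different Windows installations, which fits the repair/reinstall question raised above.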

LawrenceGH
2008-05-14, 03:12
I did do a system Recovery after last year's virus attack.

(That winfixer aluria 2006 was especially a bee-och at the time!)

I could not manage to remove all of the components of the spyware which was downloaded on my system to my satisfaction and also had some corrupted system files, so decided to run Recovery.

I should be the only user that has ever been allocated on this system.

I was under the impression that some of the other user allocations were set up on my machine by hackers, as my system was hacked severely about 1 year ago.

I have a gut feeling that I do still have active spyware of some kind on my system due to some of the strange things that my computer does.

I know that I am still regularly attacked by hackers and have trojans and attempted browser hijacks about once or twice a month, which are normally blocked and/or removed promptly.

My browser seems to be blocking me from the deletion of temporary files and add-on files, however (strange as it may sound) if I start multiple virus scans the browser will suddenly let me delete those files while scanning.

I just have to believe that there is something sophisticated and well hidden or extremely stealthy that is still hiding on my system.

I just wish that I knew how to ferret it out.

Whatever it is, it is undetectable to Spyware Doctor, Ad-Aware, AVG, SpyBot and about 4 or so other virus and spyware detection programs...

But it is like ... I know that it is there lurking in the shadows ...

I can feel it in the rhythms of my machine ...

Any other suggestions are, as always, appreciated!:alien:

Thanks again,

LawrenceGH

PepiMK
2008-05-15, 13:35
As for the browser's temporary files, it's common that applications keep their files blocked while they're running. While Firefox or Opera are standard applications and you can access the files once they're closed, Internet Explorer for example is tied so deep into the system that just closing the browser window does not always help immediately.
About user accounts:


Right-click on the My Computer symbol.
Choose Manage.
In System Tools, open Local Users and Groups, and there Users.
Typical users would be

one called Administrator (a generic administration account),
a system account named ASPNET,
maybe a Guest account,
an account with your name, and
one SUPPORT_(number) account.
The Guest and SUPPORT accounts should show a small red sign on their icons to show that they're disabled. You can double-click any user account and set the checkbox next to Account is disabled to disable accounts. Personally, next to your user account and the Administrator account (and maybe the ASPNET account if one exists), you can disable all others.
Changing passwords regularly, both of your user account and the Administrator account, might be a good idea.

LawrenceGH
2008-05-18, 08:17
:angel:

I do appreciate your suggestions.

All other user accounts are turned off...

But...

I am still regularly hacked ...

And often experience strange occurrences ...

Like just a few days ago, when I was having some problems with my Gmail box and it seemed that I was being blocked...

A message popped up in my Gmail box which stated...

"Your mailbox is being blocked by your Network Administrator" !!!

It seems that my actions and access is often being slowed or blocked.

I had one occurrence several weeks ago with a different mailbox when I tried to log out...

I got a pop-up message that I could not log out because my mail was being copied !!!

How's that for raising the hair on the back of your neck?

Not that I cared about anyone seeing my mail...

But it is obviously the whole point that matters a great deal.

What kind of hacker can impersonate a Network Administrator?

A Network Administrator?

Poindexter?

Thanks,

LawrenceGH