Help ... Help ... Help ... Help ... Need Some Help Interpreting RootAlyzer Results !!
Please reply.:)
Thanks in advance!:bigthumb:
I am running Windows XP, SP 2 on a Pentium D Machine.
I have run two different versions of RootAlyzer and would appreciate your help in determining what it is that I've got here. Neither of the two versions showed anything in the quick scan. Both showed several results in the deep scan. I question some of the results from the 0.1.4 version which were apparently whitelisted in the 0.2 version, as some of them appear to be related to files which appear in the log results of the newer version.
Anyhow - here are the results from the 0.1.4 version:
:: RootAlyzer Results
File:"Unknown ADS","C:\RECYCLER\S-1-5-21-996095204-604344382-1343081832-1008\Dc85.pf:SummaryInformation:$DATA"
File:"Unknown ADS","C:\RECYCLER\S-1-5-21-2394979407-4146380186-3720718581-1008\Dc333.exe:SummaryInformation:$DATA"
File:"Unknown ADS","C:\RECYCLER\S-1-5-21-2394979407-4146380186-3720718581-1008\Dc336.exe:SummaryInformation:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2394979407-4146380186-3720718581-1008$201c62cfe381d56.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
Directory:"No admin in ACL","C:\System Volume Information"
Directory:"No admin in ACL","C:\USERDATA"
Directory:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2:$DATA"
Here are the results from the 0.2 version:
:: RootAlyzer Results
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-2394979407-4146380186-3720718581-1008$201c62cfe381d56.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk"
Directory:"No admin in ACL","C:\USERDATA"
Directory:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2:$DATA"
A couple of the files appear to possibly be related to fax and phone.
I'm not so sure.
I'm also not so sure what the "C:\USERDATA" file is about, or the "All Users\Application Data\TEMP:DFC5A2B2:$DATA" file.
Do you know what the numeric sequence "1-5-21-996095204-604344382-1343081832" relates to?
I ask because I found some entries in my User Rights Assignments which have this same numeric sequence - except with a -1003 and -1004 at the end.
Do you have anyone who is adept at analyzing files of this type?
PepiMK?
Any and all help is greatly appreciated!
Thanks again,
LawrenceGH
I would appreciate your comments.
PepiMK:
I would deeply appreciate your comments and suggestions!
I am the system administrator.
I do know that the USERDATA folder is storing tracking cookies.
There are some entries in my User Rights Assignments which I do not recognize, such as:
Impersonate a client after authentication
1-5-21-996095204-604344382-1343081832-1003
1-5-21-996095204-604344382-1343081832-1004
Log on as a batch job
1-5-21-996095204-604344382-1343081832-1003
1-5-21-996095204-604344382-1343081832-1004
SUPPORT_3888945a0
SUPPORT_fddfa904
A number of my User Rights Assignments were set to allow for Users, Power Users, Guest and Everyone, which I changed to Authenticated Users.
I also specified:
SUPPORT_3888945a0
SUPPORT_fddfa904
in "Deny access to this computer" and "Deny log on locally", and specified
1-5-21-996095204-604344382-1343081832-1003
1-5-21-996095204-604344382-1343081832-1004
in "Deny log on through terminal service".
I know that my computer had been hacked about a year ago and I also had several bad pieces of spyware and viruses which were downloaded onto my system, including WinFixer 2006.
I am still attacked at regular intervals by hackers.
I would appreciate any and all help in locating the software which is connected to that USERDATA folder.
Thank you for your comments,
LawrenceGH
PS - I may be an idiot - but I am a quick learner.;)
PPS - I am running Win XP SP2, not Vista - and not SP3 until some of the bugs are worked out!
One other thing regarding that USERDATA folder...
When RootAlyzer locates this folder I get a pop-up box which says:
C:\USERDATA
(A;;FA;;;SY)
(A;OICIIO;GA;;;SY)
(A;;FA;;;S-1-5-21-2394979407-4146380186-3720718581-1008)
(A;OICIIO;GA;;;S-1-5-21-2394979407-4146380186-3720718581-1008)
I also get a pop-up box on the Remote Access Service which contains only one line, which I did not copy.
I hope that this helps to clarify things for you, as it does not mean much to me.
As a side note, I have turned off all other user accounts with the exception of the System Administrator account and I am the only one who has permission to log on to this system via password.
Thanks.:bighug:
Hope this helps,
LawrenceGH
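The pop-up quoted above is a list of SDDL access control entries, and "No admin in ACL" simply means that no entry names the local Administrators group (S-1-5-32-544, abbreviated BA in SDDL). The following decoder is an added example, not code from the thread or from RootAlyzer; it expands the abbreviations used in that pop-up, checks for an Administrators entry, and splits a SID such as those in the User Rights Assignments into the issuing machine's prefix and the per-account RID (the two different S-1-5-21 prefixes in the thread belong to two different Windows installs, which fits the System Recovery mentioned later).

```python
# Added example (not from the thread or from RootAlyzer): decode the SDDL ACE
# strings RootAlyzer showed for C:\USERDATA and explain "No admin in ACL".
import re

# Subset of the SDDL abbreviation tables, enough for the strings in the pop-up.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
             "IO": "INHERIT_ONLY", "NP": "NO_PROPAGATE_INHERIT", "ID": "INHERITED"}
RIGHTS = {"FA": "FILE_ALL_ACCESS", "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
TRUSTEES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
            "WD": "S-1-1-0", "AU": "S-1-5-11"}
ADMINISTRATORS_SID = "S-1-5-32-544"

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee).
# The two GUID fields are empty for file-system ACEs, hence the ";;;".
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[0-9A-Za-z]*);;;(?P<trustee>[^)]+)\)")

def _pairs(s):
    """Split a run of two-letter SDDL codes such as 'OICIIO' into ['OI','CI','IO']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_ace(text):
    """Expand one ACE string like '(A;OICIIO;GA;;;SY)' into readable fields."""
    m = ACE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not an SDDL ACE: {text!r}")
    rights = m.group("rights")
    # Rights may be a hex mask instead of letter codes; keep a mask as-is.
    right_codes = [rights] if rights.startswith("0x") else _pairs(rights)
    trustee = m.group("trustee")
    return {
        "type": ACE_TYPES.get(m.group("type"), m.group("type")),
        "flags": [ACE_FLAGS.get(f, f) for f in _pairs(m.group("flags"))],
        "rights": [RIGHTS.get(r, r) for r in right_codes],
        "trustee": TRUSTEES.get(trustee, trustee),  # resolve aliases to SIDs
    }

def admin_has_entry(aces):
    """True when some allow-ACE is granted to the local Administrators group."""
    return any(a["type"] == "ACCESS_ALLOWED" and a["trustee"] == ADMINISTRATORS_SID
               for a in aces)

def split_sid(sid):
    """Return (machine-or-domain prefix, RID); RIDs >= 1000 are created accounts."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)

# ACE strings copied from the C:\USERDATA pop-up quoted in the thread.
USERDATA_ACES = ["(A;;FA;;;SY)", "(A;OICIIO;GA;;;SY)",
                 "(A;;FA;;;S-1-5-21-2394979407-4146380186-3720718581-1008)",
                 "(A;OICIIO;GA;;;S-1-5-21-2394979407-4146380186-3720718581-1008)"]
```

Running `admin_has_entry([parse_ace(a) for a in USERDATA_ACES])` returns False for the quoted entries: only SYSTEM and the RID-1008 account are listed, which is exactly what RootAlyzer reports as "No admin in ACL".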
Thanks for all of the good information Pepi
I did do a System Recovery after last year's virus attack.
(That WinFixer Aluria 2006 was especially a bee-och at the time!)
I could not manage to remove all of the components of the spyware which was downloaded on my system to my satisfaction and also had some corrupted system files, so decided to run Recovery.
I should be the only user that has ever been allocated on this system.
I was under the impression that some of the other user allocations were set up on my machine by hackers, as my system was hacked severely about 1 year ago.
I have a gut feeling that I do still have active spyware of some kind on my system due to some of the strange things that my computer does.
I know that I am still regularly attacked by hackers and have trojans and attempted browser hijacks about once or twice a month, which are normally blocked and/or removed promptly.
My browser seems to be blocking me from the deletion of temporary files and add-on files, however (strange as it may sound) if I start multiple virus scans the browser will suddenly let me delete those files while scanning.
I just have to believe that there is something sophisticated and well hidden or extremely stealthy that is still hiding on my system.
I just wish that I knew how to ferret it out.
Whatever it is, it is undetectable to Spyware Doctor, Ad-Aware, AVG, SpyBot and about 4 or so other virus and spyware detection programs...
But it is like ... I know that it is there lurking in the shadows ...
I can feel it in the rhythms of my machine ...
Any other suggestions are, as always, appreciated!:alien:
Thanks again,
LawrenceGH
Thanks for all of the good suggestions, Pepi
:angel:
I do appreciate your suggestions.
All other user accounts are turned off...
But...
I am still regularly hacked ...
And often experience strange occurrences ...
Like just a few days ago, when I was having some problems with my Gmail box and it seemed that I was being blocked...
A message popped up in my Gmail box which stated...
"Your mailbox is being blocked by your Network Administrator" !!!
It seems that my actions and access are often being slowed or blocked.
I had one occurrence several weeks ago with a different mailbox when I tried to log out...
I got a pop-up message that I could not log out because my mail was being copied !!!
How's that for raising the hair on the back of your neck?
Not that I cared about anyone seeing my mail...
But it is obviously the whole point that matters a great deal.
What kind of hacker can impersonate a Network Administrator?
A Network Administrator?
Poindexter?
Thanks,
LawrenceGH