I think I was infiltrated - Here is what happened

**DiGiT** · 12th November 2007

I will be bried, and I will post more in a bit but I need some basic insight.

I went to start, run, and as I was gonna type in a command, I noticed all these other ones that were keyed in.. sometime. I have seen these before, but this time I got susspicious when I say a http site.
Here are the commands in order.. but not sure if I wrote them from last to first or first to last

services.msc
chkdsk
chkdsk d: /r
HTTP website - BEWARE - I DONT KNOW WHAT IT IS - but I went to the root domain, and I say just "Hi" on the top left
command
services
regedit
joy.cpl
cmd
control userpasswords2
msconfig
winver
explorer
command.com
netstat

OK so... is there a way I can see the time these were executed.. and also... for any skilled legit-hacker out here, do these commands look like they are in a special sequence or order, and what does anyone think that could have been done. I was using a VPN Proxy hooked up to sweden when I think this happened, and I have since taken the precautions that I think will make sure I have to remote access, I reset my firewall, turned off all exceptions, and a few other things. I havent set up any live.com emails during this, but I dont want to set up anymore just incase, even though people are changing the password, I still want to be fully secure. Anyone with some info would be great, as to some commands I do on my windows or dos to find out when these were executed.. especially the http. I notice it says usbkey in the link.. So this could even be simply a dumb marketing demographic thing that gets some info, and sends the stats to a file somewher.. I have no clue.,. I have no extra users, and I have changed my windows pw. Anyone with skills enough to get close to this site that was executed and tell me what maybe happened, or happens or anything relating to any of this would be good.

This is either nothing.. or something serious

**Fusen** · 12th November 2007

joy.cpl and winver and a few others aren't going to do shit, I dont see why they'd be run...

I'd check what programs have been set at startup though

beware this;

http://www.google.com/search?hl=en&s...hp&btnG=Search

**DiGiT** · 12th November 2007

Originally Posted by Fusen

joy.cpl and winver and a few others aren't going to do shit, I dont see why they'd be run...

I'd check what programs have been set at startup though

beware this;

http://www.google.com/search?hl=en&s...hp&btnG=Search

Well it will show my windows version asto possibly help knowing about certain things/exploits/anything that may work on one version as oppsed to another.

what does joy.cpl do, or show

and nothing in startup under program files

and nothing special in the startup in msconfig

I ran Hijackthis.. and I have it saved as a different filename, as to trick some apps into hiding from hijackthis.

Here is what is in it
Note winpcap is fomr my messenger plus ipget script. and hijack is this program that gave me this
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:05 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Esetnew\nod32kui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Esetnew\nod32krn.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HJT\myhigakk.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=209.50.74.6:3128;http=209.50.74.6:3128;https=209.50.74.6:3128;socks=200.126.202.86:14237
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [catsrv] C:\Documents and Settings\Administrator\Policies\catsrv.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Esetnew\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\Administrator\Policies\catsrv.exe -AutoStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsoft...?1182663478203
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1188553036980
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1188553025484
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Esetnew\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5787 bytes

but what is joy.cpl.. and any way to see when the http was executed other than searching my firefox browser which I dont think will show anything... I know the day this may have been done.. but any log or history of http executed from command shell..

**Fusen** · 12th November 2007

joy.cpl is the control panel for game pads and joysticks

only thing I'd check is

C:\Documents and Settings\Administrator\Policies\catsrv.exe

it could be the windows security center, but it also could be something faking it

**DiGiT** · 12th November 2007

Originally Posted by Fusen

joy.cpl is the control panel for game pads and joysticks

only thing I'd check is

C:\Documents and Settings\Administrator\Policies\catsrv.exe

it could be the windows security center, but it also could be something faking it

ok.. joy was me weeks back.. and I figured out how to see when a file was last accessed (easy )

as for catsvr.. what do you mean check it, what should I check, and from reading up on the link you provided, atleast it seems that this is simply spyware or something of this sort. I am not so much concerned if it is, I dont care about that type of security breach. I was very worried because there was a kid on another forum that I frequent who just signed up, and being 13 so he says, I was chatting with him to help out a bit, and he posted a link to a jokes site and though it seems like a legit site.. I just wasnt sure if this kid was a guy that I recently got into a spat with on my canadian security forum that got mad at me for nothing. So I simply need to make sure that I am not being targeted. If this is simply dumb spyware marketing.. UIm not to worried.

I was told to check these things hijackthis too here are my installed programs.
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 8.1.1
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Alleycode HTML Editor 2.2.1
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ieSpell
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.9)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
neroxml
NOD32 antivirus system
PowerISO
QuickTime
RealPlayer
Registry Mechanic 6.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB936509)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB936514)
Security Update for Publisher 2007 (KB936646)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
SlingPlayer
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB934393)
Update for Outlook 2007 (KB937608)
Update for Outlook 2007 Junk Email Filter (kb942575)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Word 2007 (KB934173)
Windows Communication Foundation
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
WinPcap 4.0
WinRAR archiver
XChat 2 (remove only)
Xvid 1.1.3 final uninstall

and winPcap is me!

this seems safe...

so can you concur that this is not me being targeted, but simply standard spyware! If so we are all good!

**Fusen** · 12th November 2007

yeah just run a few anti spyware progs like adaware and spybot S&D

**DiGiT** · 12th November 2007

i did.. I got nothing.. ehh... as long as it aint a hacker

**DiGiT** · 19th December 2007

ok well I have a new problem which I cant figure out for some reason and I dont really want to reinstall windows. I think this is 100% why I was disconnecting from windows live. My windows messenger worked fine. So I logged into my messenger live with my live account and went into the setting of messenger live, and checked how I was connected, it showed direct connection, and when I used my realname hotmail id, it showed an error with the host files, which it said it could repair, though it did not. So I decided to go into my windows xp account settings and realized an extra passport account in my .net settings. I erased them all, and I rebooted, now I tried to change my password, and it wont let me. Any clue whats going on. The guest account is off, and I am the only account on the system (I hope) at least that is all that is showing.

Can anyone please help me figure out why this is happening to isolate the issue, and how I can fix it. I know there is a way in registry to see all users, but I forget where, and can I alter the password or my permission in there.

Also in task manager under process under the username column it used to say admin - which is the account I use and always have used. A few weeks back before I realized my issues it started showing no name whatsoever in there except for showing username system for system idle proccess

**DiGiT** · 19th December 2007

ok... figured it out. I know I never set it so that user cannot change password, but for anyone wondering what to do, here are the steps I took

If you are running Windows XP Professional, reset the password in the Local Users and Groups snap-in in Microsoft
Management Console (MMC):

1. Click Start, and then click Run.
2. In the Open box, type "mmc" (without the quotation marks), and then click OK to start MMC.
3. Start the Local Users and Groups snap-in.
4. Under Console Root, expand "Local Users and Groups", and then click Users.
5. In the right pane, right-click Administrator, and then click Set Password.
6. Click Proceed in the message box that appears.
7. Type and confirm the new password in the appropriate boxes, and then click OK.

dont forget to save the changes before exiting the window

alternately, you can type control userpasswords2 in the run filed under the start menu
and then click advanced.
you can change passwords, delete accounts, and disable accounts. but be sure you know what you are doing before you do anything you arent sure of.

mods: you may close or delete this thread if you want to!