Am I being watched? - Tilted Forum Project Discussion Community

TheProf · 07-14-2007, 09:20 PM

Hello,

I hope everyone is well.

Question: Am I being watched? It has been hinted that I may be working on a computer that has some sort of key logger or monitoring program on it. Norton AV with all options checked and Ewido both report a clean machine, but I wanted the opinion of the experts here. I have included the hijack this log run on that computer below.

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:01 PM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\VirtuaWin\VirtuaWin.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\VirtuaWin\modules\VWAssigner.exe
C:\Program Files\VirtuaWin\modules\WinList.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Applications\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Applications\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Removed by The Prof
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.nch.com.au/cgi-bin/register.exe?software=vrs&source=software
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: VirtuaWin.lnk = C:\Program Files\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://domino.pkfhill.com/dwa7W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Removed by The Prof
O17 - HKLM\Software\..\Telephony: DomainName = Removed by The Prof
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Removed by The Prof
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Removed by The Prof
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6135 bytes

Anything look out of the ordinary?

Thank you.

Dragonlich · 07-14-2007, 11:49 PM

I'd suggest you check out all running processes. You could try sites like
<a href="http://www.neuber.com/taskmanager/process/index.html">http://www.neuber.com/taskmanager/process/index.html</a>
or
<a href= "http://www.liutilities.com/products/wintaskspro/processlibrary/">http://www.liutilities.com/products/wintaskspro/processlibrary/</a>

Cynthetiq · 07-15-2007, 06:01 AM

first glance doesn't look like anything, but the question to me is what makes you "think" you are being watched?

A good watcher could easily spoof the name and path of one of the normal expected applications.

JStrider · 07-16-2007, 03:26 PM

download a linux livecd... problem solved, or there are ways to put linux or windows onto a thumb drive.

TheProf · 07-19-2007, 06:12 AM

Hello,

Unfortunately a Linux Live CD would raise more flags -- why is he using this OS instead of the standard? He must be hiding something, etc.

In regards to Cynthetiq's question -- the concern arose because a member of IT was able to pinpoint a text file deep within My Documents that had some information in it that I forgot about. So I'm wondering, if they were able to scan there, what else is going on?

Cynthetiq · 07-19-2007, 06:28 AM

Quote:

Originally Posted by TheProf

Hello,

Unfortunately a Linux Live CD would raise more flags -- why is he using this OS instead of the standard? He must be hiding something, etc.

In regards to Cynthetiq's question -- the concern arose because a member of IT was able to pinpoint a text file deep within My Documents that had some information in it that I forgot about. So I'm wondering, if they were able to scan there, what else is going on?

I see, so you are in a network environment, either school or business but somewhere the computer is not actually owned and operated by you.

then hell yes you are being monitored...

Many places have monitoring equipment to monitor inbound and outbound traffic. Your PC/Mac is probably remotely managed in some capacity wherein drivers, OS updates, configuration scans, and other "Big Brother" type things are being done.

Is it nefarious? Maybe, but more than likely not.

kurty[B] · 07-19-2007, 06:36 AM

Is this a PC at work, or school that does not belong to you? Is it joined to a domain?

Someone with Domain Admin rights will have the ability to look at any and all files on any PC joined to his domain. They might have a program setup to scan. It might also just be a bored network admin perusing the files on various computers on the network (I used to constantly have to tell a VP of a company I worked for that keeping certain information in a Word document was not safe and secure.

If it is not a domain joined PC, then you need a better firewall application installed. If it's a work PC you are using, then you just need to be more careful what you have on that PC since it's not your property and the company has every right to do what they want with that PC.

TheProf · 07-25-2007, 05:20 PM

There are two machines in question.

One is a work-owned domain-joined PC. The other is my personal laptop that I sometimes connect to the network to get online.

I don't have a problem with them scanning the entire work pc of course -- it is not mine and it is being used only for work. It makes me a little uncomfortable about the laptop on the network, since there is info about my finances, etc on it. But the alternative of transferring many files back and forth is tedious.

Usually I connect to things like gmail using their secure interface which uses encryption. I assume that I am protected from peeking eyes that way. I am not sure what to do about something like the laptop's C$ admin share, since you cannot really disable it.

Am I just being paranoid?

Pragma · 07-26-2007, 04:10 PM

Here's my thoughts (seeing as how I run network security at my workplace):

* If it's my hardware, I own it - no matter what. SSL, encryption software, whatever - doesn't matter. If I want to monitor your activities on it, I will find a way.
* If it's on my network, I own it - no matter what. Man-in-the-middle to break SSL sites, regular packet captures to watch for suspicious activity, thorough logging of our web proxy, etc.

If there's anything that you don't want your workplace to see, don't do it on their hardware and don't do it on their network. That's my view of the situation - compromising on that at all and you're (worst case) giving them all of your information.

(Yes, I realize this sounds very harsh and authoritative, but as Scott McNealy said so well "You have no privacy anyway. Get over it."

Baraka_Guru · 07-26-2007, 04:22 PM

Quote:

Originally Posted by Pragma

(Yes, I realize this sounds very harsh and authoritative, but as Scott McNealy said so well "You have no privacy anyway. Get over it."

Yeah, the Internet is becoming a standard as the new public sphere. If you truly want privacy, you need to remove yourself from "public" (i.e. the Internet). Unplug it.

Redlemon · 07-27-2007, 05:22 AM

Quote:

Originally Posted by TheProf

There are two machines in question.

And there are two choices. One, you can try to defeat any of their abilities to scan, and if they notice, they will be highly concerned and probably investigate you further. Two, you can go to IT directly, and tell them your concerns of personal files being accessed from your personal computer when connected to their network, and perhaps they'll be reasonable. Unless you actually do have something to hide...

Necrosis · 07-27-2007, 09:19 PM

Quote:

Originally Posted by Pragma

Here's my thoughts (seeing as how I run network security at my workplace):

* If it's on my network, I own it - no matter what. Man-in-the-middle to break SSL sites, regular packet captures to watch for suspicious activity, thorough logging of our web proxy, etc.

It didn't seem to be very riskiy to log on to various financial sites via wireless connection at an internet cafe. After all, the little lock indicating a secure transmission was in the corner of my browser.

Then I read about a guy who was using Ettercap or Airpwn. He wasn't being mailcious, but he was picking up e-mail addresses and passwords like mad.

Do the gurus here agree that you are at great risk by logging onto, for example, your bank, even with your own laptop, at a wireless internet cafe?

(Sorry for the borderline threadjack.)

Cynthetiq · 07-27-2007, 09:37 PM

Quote:

Originally Posted by Necrosis

It didn't seem to be very riskiy to log on to various financial sites via wireless connection at an internet cafe. After all, the little lock indicating a secure transmission was in the corner of my browser.

Then I read about a guy who was using Ettercap or Airpwn. He wasn't being mailcious, but he was picking up e-mail addresses and passwords like mad.

Do the gurus here agree that you are at great risk by logging onto, for example, your bank, even with your own laptop, at a wireless internet cafe?

(Sorry for the borderline threadjack.)

where is that fark obvious tag?????

Necrosis · 07-28-2007, 06:45 AM

Quote:

Originally Posted by Cynthetiq

where is that fark obvious tag?????

Uhhh, what?

Cynthetiq · 07-28-2007, 06:54 AM

Quote:

Originally Posted by Necrosis

Uhhh, what?

Quote:

Originally Posted by Necrosis

Do the gurus here agree that you are at great risk by logging onto, for example, your bank, even with your own laptop, at a wireless internet cafe?

Rhetorical question.

Obvious answer.

Necrosis · 07-28-2007, 07:39 AM

Quote:

Originally Posted by Cynthetiq

Rhetorical question.

Obvious answer.

Hmmm. I asked this question in December, http://www.tfproject.org/tfp/showthr...16#post2162316,

and there was not a uniform consensus.

Quote:

Originally Posted by Silvy

The encryption used by most on-line banking sites assumes that you're communicating over an insecure network.

This means that the security measures assume that the communication is picked up by others. (If you use a fixed internet connection your ISP, it's employees, or other computers on the route may also eavesdrop on the connection).
The encryption scheme used (SSL) should ensure that listening in will not reveal any of the data that is transferred.

In theory you should be just as safe using a fixed internet connection as you were using a WiFi connection.

But (there is always a 'but', isn't there?) security schemes may be broken. If that happens, no internet connection is safe, but a WiFi connection is even less safe because it's easier to listen into anonymously*.

Also, using a WiFi connection allows other computers to connect to yours. That connection would normally be refused, but that is also a measure that might be broken. Potentially your PC could be hacked into allowing others to copy your screen without needing to listen in on the connection**

Hope this makes it a little clearer....

* This is not likely, but a decent post about security should mention this
** This is not very likely, but possible. This is akin to someone looking over your shoulder. You might not notice someone across the street using binoculars to read your screen. (Not likely, but not impossible either).

Quote:

Originally Posted by Dilbert1234567

There are a few attack vectors, but they are extremely difficult, the one I am most familiar with is a variation on the man in the middle attack.

First, poison the arp table and control all the traffic. Then pretend to be all parties required for the transaction, including every party that handles the encryption certificates. (The hard part). Record all traffic and take what you want. You don’t actually need access to the internals of the network, just a client. arp poisoning is easy, but the certificates is hard, and well out of reach for nearly everyone.

You are relatively safe, but not completely. I’ve mentioned this before, but I’ll say it again, if you are on a wired connection, with a part of the network is unencrypted wireless, you are not secure, and anyone can view all of your internal traffic, wired and wireless.

In another forum, there was a guy posting live as he hacked people's e-mail, Myspace, and Facebook accounts by doing something resembling the poisoning the arp table and man-in-the-middle. I don't understand any of that, so I thought I'd ask if new hacking techniques or programs pose a "great danger" in regard to secure banking websites.

Which apparently makes me an idiot.

Cynthetiq · 07-28-2007, 08:05 AM

Quote:

Originally Posted by Necrosis

Hmmm. I asked this question in December, http://www.tfproject.org/tfp/showthr...16#post2162316,

and there was not a uniform consensus.

In another forum, there was a guy posting live as he hacked people's e-mail, Myspace, and Facebook accounts by doing something resembling the poisoning the arp table and man-in-the-middle. I don't understand any of that, so I thought I'd ask if new hacking techniques or programs pose a "great danger" in regard to secure banking websites.

Which apparently makes me an idiot.

Doesn't make you an idiot.

The question is if you are "great risk" people manage risk in various ways in many different situations. What is acceptable risk for me, is not necessarily acceptable risk for you. That thread easily illustrates that because there are people who are explaining how they are willing to manage the acceptability of the risk.

I will not use my personal machine in a public wifi spot for private banking because the risk to me is unacceptable. There is no need to expose myself to the risk since I can generally wait until another time. If I really must do some "emergency" banking via internet, well there are other ways to manage my risk.

People can tell you all ways to worry about and fear things in life. It's up to you to dispell it in whatever fashion you choose, either by simple acceptance like shrugging your shoulders, or vigorous protections like installing multiple encryptions and firewalls.

Pragma · 07-28-2007, 10:58 AM

I agree with Cythentiq on this - acceptable risk is a very personal issue. For me, acceptable risk means that I won't risk doing my banking transactions on someone else's machine or on someone else's internet connection. I know perfectly well that my home connection is just as vulnerable to someone upstream deciding to watch my traffic, but I'm trying to limit the risk I have to deal with. If it's something hugely sensitive, I'll just go to a physical location (and then deal with the risk of a possibly malicious bank teller, etc.)

For someone else, they may be willing to accept more risk and so they'd use internet cafe wireless networks and do all of their finances from that point.

Quote:

In another forum, there was a guy posting live as he hacked people's e-mail, Myspace, and Facebook accounts by doing something resembling the poisoning the arp table and man-in-the-middle. I don't understand any of that, so I thought I'd ask if new hacking techniques or programs pose a "great danger" in regard to secure banking websites.

And to be perfectly honest, poisoning arp-tables for wired networks and SSL MitM attacks aren't really new hacking techniques - they've been around for years and get brushed up from time to time as technology changes. The most secure internet connection is none at all

07-15-2007, 06:01 AM	#3 (permalink)
Cynthetiq Tilted Cat Head Administrator Location: Manhattan, NY	first glance doesn't look like anything, but the question to me is what makes you "think" you are being watched? A good watcher could easily spoof the name and path of one of the normal expected applications. __________________ I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not. What's the best nation in the world? DO-NATION!

07-16-2007, 03:26 PM	#4 (permalink)
JStrider Poo-tee-weet? Location: The Woodlands, TX	download a linux livecd... problem solved, or there are ways to put linux or windows onto a thumb drive. __________________ -=JStrider=- ~Clatto Verata Nicto

07-26-2007, 04:10 PM	#9 (permalink)
Pragma I am Winter Born Location: Alexandria, VA	Here's my thoughts (seeing as how I run network security at my workplace): * If it's my hardware, I own it - no matter what. SSL, encryption software, whatever - doesn't matter. If I want to monitor your activities on it, I will find a way. * If it's on my network, I own it - no matter what. Man-in-the-middle to break SSL sites, regular packet captures to watch for suspicious activity, thorough logging of our web proxy, etc. If there's anything that you don't want your workplace to see, don't do it on their hardware and don't do it on their network. That's my view of the situation - compromising on that at all and you're (worst case) giving them all of your information. (Yes, I realize this sounds very harsh and authoritative, but as Scott McNealy said so well "You have no privacy anyway. Get over it." __________________ Eat antimatter, Posleen-boy!

07-14-2007, 11:49 PM	#2 (permalink)
Dragonlich 42, baby! Location: The Netherlands	I'd suggest you check out all running processes. You could try sites like <a href="http://www.neuber.com/taskmanager/process/index.html">http://www.neuber.com/taskmanager/process/index.html</a> or <a href= "http://www.liutilities.com/products/wintaskspro/processlibrary/">http://www.liutilities.com/products/wintaskspro/processlibrary/</a>

07-19-2007, 06:12 AM	#5 (permalink)
TheProf Crazy	Hello, Unfortunately a Linux Live CD would raise more flags -- why is he using this OS instead of the standard? He must be hiding something, etc. In regards to Cynthetiq's question -- the concern arose because a member of IT was able to pinpoint a text file deep within My Documents that had some information in it that I forgot about. So I'm wondering, if they were able to scan there, what else is going on?

07-19-2007, 06:36 AM	#7 (permalink)
kurty[B] Sauce Puppet	Is this a PC at work, or school that does not belong to you? Is it joined to a domain? Someone with Domain Admin rights will have the ability to look at any and all files on any PC joined to his domain. They might have a program setup to scan. It might also just be a bored network admin perusing the files on various computers on the network (I used to constantly have to tell a VP of a company I worked for that keeping certain information in a Word document was not safe and secure. If it is not a domain joined PC, then you need a better firewall application installed. If it's a work PC you are using, then you just need to be more careful what you have on that PC since it's not your property and the company has every right to do what they want with that PC.

07-25-2007, 05:20 PM	#8 (permalink)
TheProf Crazy	There are two machines in question. One is a work-owned domain-joined PC. The other is my personal laptop that I sometimes connect to the network to get online. I don't have a problem with them scanning the entire work pc of course -- it is not mine and it is being used only for work. It makes me a little uncomfortable about the laptop on the network, since there is info about my finances, etc on it. But the alternative of transferring many files back and forth is tedious. Usually I connect to things like gmail using their secure interface which uses encryption. I assume that I am protected from peeking eyes that way. I am not sure what to do about something like the laptop's C$ admin share, since you cannot really disable it. Am I just being paranoid?