SoftwareTipsandTricks Forum

How can I upstep security on my computer?


  #1  
Old 10-17-2004, 12:16 PM
Emma18 Offline
Junior Member
 
Join Date: Sep 2004
Location: UK
Posts: 23
How can I upstep security on my computer?

I have got a brother who thinks he is smarter than me and he is always fiddling with my computer and messing about with it.

I have just found out today that when I was out he has been removing programs that I can't recover.

I am on Windows XP Home and I have set up an account for myself with a password and he is bypassing it by logging on as admin.

I am also worried that he has installed some kind of ghost key logger on the computer...How can I find out if he has?

How can I STOP him doing this....cos he is really damaging my computer now.

Any help will be most appreciated.

  #2  
Old 10-17-2004, 01:36 PM
Zxian Offline
Canadian to the max!
 
Join Date: Aug 2004
Location: In order to ease calculations, we will approximate this horse as a sphere
Posts: 314
One of the first things that you can do is to check to see if your computer supports a BIOS password.

Reboot the computer and when you see the BIOS screen, hit whatever key it tells you to enter BIOS/setup. It's usually an F-number or Del. Once you're in the BIOS, dig around in the menus to see if there is an option for a boot-time password. If you set this with something that he doesn't know, he'll never even be able to start your computer.

As for when you're in Windows already, I'm guessing that your admin account doesn't have a password on it. Go to Start->Run and type in

control userpasswords2

Make sure there is a check box beside "Users must enter a user name and password to use this computer". Then click on the "Reset Password" under the "Password for Administrator". Select a password for the Admin account.

As for the keylogger, you can go and check the easiest place... Add/Remove Programs. Click on Start->Control Panel->Add/Remove Programs. Scroll down the list and see if anything strange is installed.

Go and download HijackThis. Have it run a scan of your computer and then post the log file here. We'll be able to see if you have any suspicious programs running. Like HijackThis says... Do not remove anything from the list until you have replied back here. I have seen many systems ruined worse than they were by people who remove random entries from HijackThis.

Let us know how things go.
__________________
You can't poke someone with an infinite rod.

  #3  
Old 10-17-2004, 02:30 PM
Emma18 Offline
Junior Member
 
Join Date: Sep 2004
Location: UK
Posts: 23
Hi, and thanks for the quick post. I will check out the BIOS password in a minute.

I have downloaded HijackThis and it has done a scan of my computer. (thanks for the site)

Below is the log file from it.

---------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 20:19:59, on 17/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\windows\temp\adware\fsg_4104a.exe
C:\program files\180solutions\sa\saap.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Emma Goodwin\My Documents\Updates & Applications\Limewire File Downloading\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eBay\Turbo Lister\Tl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Emma Goodwin\My Documents\Updates & Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4104a.exe"
O4 - HKLM\..\Run: [saap] c:\program files\180solutions\sa\saap.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm41447GB
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab30149.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/fu...tup1.0.0.8.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...027.2421990741
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D919FE04-B4BF-403E-A075-3B4E6AEC58D5}: NameServer = 195.93.49.134

--------------------------------------------------------------------------------

Let me know if there is anything dodgy there.

And thanks for the help!!!!

  #4  
Old 10-17-2004, 02:35 PM
Emma18 Offline
Junior Member
 
Join Date: Sep 2004
Location: UK
Posts: 23
Oh as well, I did go to Control Panel to see if there were any dodgy programs and I couldn't see anything.

The last time my brother installed a key logger program I did manage to crack it, but I do remember how ominous it was.

It would only show up by pressing ctrl and another key and it wouldn't show up in task manager or nothing.

  #5  
Old 10-17-2004, 05:16 PM
Zxian Offline
Canadian to the max!
 
Join Date: Aug 2004
Location: In order to ease calculations, we will approximate this horse as a sphere
Posts: 314
It looks like you have some low-level spyware on your system... It might not be directly related to your brother, but it's worth it to clean up your system in general.

Go and download Ad-Aware and Spybot Search and Destroy. Both are available from Download.com. Install the programs and then update the definition files. Scan your computer with each program. If you're lucky, one of them might even pick up your brother's keylogger, since this is considered a type of spyware.

Hope this helps.
__________________
You can't poke someone with an infinite rod.
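
A first-pass triage of a HijackThis log like the one posted above, as an added example (not written by any poster in this thread and not part of HijackThis). It applies two assumed heuristics, programs or autoruns located under a temp directory and BHOs whose file is missing; the sample lines are copied from the log in post #3, and `triage` is a hypothetical helper name.

```python
import re

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\windows\temp\adware\fsg_4104a.exe
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4104a.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed heuristic: executables under a temp directory rarely belong in autoruns.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# HijackThis prefixes each scanned item with a section code such as O2 or O4.
ENTRY = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# O4 registry autoruns look like: HKLM\..\Run: [ValueName] command line
RUN_KEY = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def triage(log_text):
    """Return (section, reason, detail) tuples that deserve a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = ENTRY.match(line)
        if entry is None:
            # Lines without a section code are running-process paths.
            if re.match(r"^[A-Za-z]:\\", line) and TEMP_DIR.search(line):
                findings.append(("process", "runs from temp directory", line))
            continue
        section, body = entry.groups()
        if section == "O4":
            run = RUN_KEY.match(body)
            if run and TEMP_DIR.search(run.group(4)):
                findings.append(("O4", "autorun from temp directory", run.group(3)))
        elif section == "O2" and body.endswith("(no file)"):
            guid = GUID.search(body)
            findings.append(("O2", "BHO registered but file missing",
                             guid.group(0) if guid else body))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

The output is a shortlist for a human to review, in line with the advice above not to remove entries until someone has looked at them.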

  #6  
Old 10-17-2004, 06:08 PM
Jazz Offline
Registered User
 
Join Date: May 2004
Location: London, England
Posts: 1,655
Also amazing to see the shite AOHell actually installs on your system just via the log as well.

I would dread to see what tripe it writes to the registry!!!!! Once installed, nearly impossible to totally eradicate.

A friend once tried to manually uninstall AOHell, to see exactly what was installed.

------------------------------------------------------------------------------------

Dozens of COM objects that represent various parts of the GUI.

A Desktop and My Computer namespace handler that does who knows what...

CDDB information retrieval objects.

Three folders in Program Files, and three for each user in App Data.

A protocol handler for aim: and aol:

Typical file associations and http: handling

The list went on and on and on.......................

------------------------------------------------------------------------------------

No wonder they are constantly being sued, allegedly. LOL
__________________
An ounce of prevention is worth more than a pound of cure

Proud Member of the Alliance of Security Analysis Professionals (ASAP) 2006

Last edited by Jazz : 10-17-2004 at 06:11 PM.

  #7  
Old 10-18-2004, 06:49 AM
Emma18 Offline
Junior Member
 
Join Date: Sep 2004
Location: UK
Posts: 23
Yes I have to admit that I have had quite a few problems with AOL but since it has got a bit better when they brought this AOL 9.0 out.

Anyway I tried that thing with the BIOS password and it's worked!!!!

I tried to logon as admin myself and it just prompts for the password I set.

Thanks ever so much.....hopefully this means that he will never get access to my computer again.

I will try adware thing now to remove anything he has put on.

AGAIN THANK YOU!

Emma!
All times are GMT -5.