Log File Look OK [Solved]


  • This topic is locked
91 replies to this topic

#31 Lewg

Lewg

    Silver Member

  • Authentic Member
  • PipPipPip
  • 393 posts

Posted 21 March 2014 - 11:14 AM

By Joe I believe you have done it......I didn't get any pop up window when I opened WTT.  One thing I don't see is the SAS program....Where do you see that located on my PC?



#32 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 21 March 2014 - 12:06 PM

C:\Documents and Settings\Lew\My Documents\SASCORE.EXE
c:\documents and settings\lew\my documents\sasdifsv.sys
c:\documents and settings\lew\my documents\SASKUTIL.SYS

and then in your event logs:
3/1/2014 10:17:03 AM, error: Service Control Manager [7031]  - The SAS Core Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
2/26/2014 5:57:09 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  SASDIFSV SASKUTIL
(these entries appear many times)
 

 

I don't see it in your install list so perhaps it was only partly installed?

 

Let's treat it like remnants and rip it out.

 

COMBOFIX-Script
 

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\Documents and Settings\Lew\My Documents\SASCORE.EXE
    c:\documents and settings\lew\my documents\sasdifsv.sys
    c:\documents and settings\lew\my documents\SASKUTIL.SYS

    Driver::
    !SASCORE
    SASDIFSV
    SASKUTIL

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScriptB-4.gif]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
 

 


Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
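Tomk's reasoning above (repeated Service Control Manager 7031/7026 errors for a service whose binaries sit under My Documents, and a product that is absent from the install list) can be turned into a small triage script. The following Python is an added example, not code from the thread or from ComboFix: it parses event-log lines in the quoted format, counts failures per component, and judges each by where its binary lives. The event lines beyond the two quoted ones, the "Example Updater Service" entry and its path are constructed for contrast; `parse_scm_events`, `location_class` and `triage_remnants` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample input. The first two lines are the Service Control Manager entries quoted in
# the thread; the others are hypothetical repeats plus one unrelated service, added for contrast.
SAMPLE_EVENTS = [
    "3/1/2014 10:17:03 AM, error: Service Control Manager [7031]  - The SAS Core Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.",
    "2/26/2014 5:57:09 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  SASDIFSV SASKUTIL",
    "2/25/2014 8:03:11 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  SASDIFSV SASKUTIL",
    "2/25/2014 8:04:02 AM, error: Service Control Manager [7031]  - The SAS Core Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.",
    "2/24/2014 7:15:00 PM, error: Service Control Manager [7031]  - The Example Updater Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.",
]

# Where each failing component's binary lives. The three SAS paths are the ones listed in the
# thread; "Example Updater Service" is a hypothetical product in a normal Program Files location.
SAMPLE_BINARIES = {
    "SAS Core Service": r"C:\Documents and Settings\Lew\My Documents\SASCORE.EXE",
    "SASDIFSV": r"c:\documents and settings\lew\my documents\sasdifsv.sys",
    "SASKUTIL": r"c:\documents and settings\lew\my documents\SASKUTIL.SYS",
    "Example Updater Service": r"c:\program files\Example\ExampleUpd.exe",
}

EVENT_RE = re.compile(
    r"^(?P<when>\S+ \S+ [AP]M), (?P<level>\w+): Service Control Manager "
    r"\[(?P<id>\d+)\]\s+-\s+(?P<msg>.*)$"
)
TERMINATED_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
FAILED_LOAD_RE = re.compile(r"failed to load:\s+(?P<drivers>.+?)\s*$")


def parse_scm_events(lines):
    """Parse SCM log lines into dicts; 'names' holds the component(s) each event is about."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a Service Control Manager line; ignore it
        event_id, msg, names = int(m.group("id")), m.group("msg"), []
        if event_id == 7031:                      # a service terminated unexpectedly
            t = TERMINATED_RE.match(msg)
            if t:
                names = [t.group("svc")]
        elif event_id == 7026:                    # boot/system-start driver(s) failed to load
            f = FAILED_LOAD_RE.search(msg)
            if f:
                names = f.group("drivers").split()
        events.append({"when": m.group("when"), "event_id": event_id, "names": names})
    return events


def location_class(path):
    """Coarse classification of where a service or driver binary lives."""
    p = path.lower()
    if p.startswith((r"c:\windows", r"c:\program files")):
        return "system"
    if p.startswith((r"c:\documents and settings", r"c:\users")):
        return "user-profile"
    return "other"


def triage_remnants(event_lines, binaries):
    """Count failures per component and judge each one by where its binary lives."""
    failures = Counter()
    for ev in parse_scm_events(event_lines):
        failures.update(ev["names"])
    report = {}
    for name, count in failures.items():
        path = binaries.get(name)
        loc = location_class(path) if path else "missing"
        if loc == "system":
            verdict = "review: failing, but installed in a standard location"
        elif loc == "missing":
            verdict = "remnant candidate: registered but binary is gone"
        else:
            verdict = "remnant candidate: binary outside Windows/Program Files"
        report[name] = {"failures": count, "path": path, "location": loc, "verdict": verdict}
    return report


if __name__ == "__main__":
    for name, info in triage_remnants(SAMPLE_EVENTS, SAMPLE_BINARIES).items():
        print(f"{name}: {info['failures']}x, {info['location']} -> {info['verdict']}")
```

The location test is deliberately coarse: a driver registered from a user-writable folder is the signal worth acting on, whether it is a half-installed product (as here) or something less benign; a failing service under Program Files is only a hint to look at the product itself.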
 

#33 Lewg

Lewg

    Silver Member

  • Authentic Member
  • PipPipPip
  • 393 posts

Posted 21 March 2014 - 01:57 PM

I cannot paste the text in the screenshot. I also cannot drag the CFscript.txt into ComboFix.


Edited by Lewg, 21 March 2014 - 02:04 PM.


#34 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 21 March 2014 - 05:00 PM

OK then... please download the attached file to your desktop.  (it must be on your desktop).

 

Hold the Windows key (it's between the Ctrl and the Alt key) and press R to bring up a run box.

 

Copy and paste the following into the run box and then hit enter or click OK.

ComboFix "%userprofile%\Desktop\CFscript.txt"

If you cannot copy/paste it into the runbox... type it in carefully.


Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#35 Lewg

Lewg

    Silver Member

  • Authentic Member
  • PipPipPip
  • 393 posts

Posted 22 March 2014 - 07:39 AM

As I mentioned earlier, when trying to copy and drag the CFscript.txt into ComboFix, for some reason my machine at that time would not allow me to complete your instructions....Don't know why this happened....Anyway, not a problem getting you the new ComboFix log this time using your last instructions with the run box.   Thanks!

.

 

ComboFix 14-03-19.01 - Lew 03/22/2014   9:17.6.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.958.570 [GMT -4:00]
Running from: c:\documents and settings\Lew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lew\Desktop\CFscript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\documents and settings\Lew\My Documents\SASCORE.EXE"
"c:\documents and settings\lew\my documents\sasdifsv.sys"
"c:\documents and settings\lew\my documents\SASKUTIL.SYS"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Lew\My Documents\SASCORE.EXE
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_!SASCORE
-------\Legacy_SASDIFSV
-------\Legacy_SASKUTIL
-------\Service_!SASCORE
-------\Service_SASDIFSV
-------\Service_SASKUTIL
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-22 to 2014-03-22  )))))))))))))))))))))))))))))))
.
.
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-11 18:27 . 2012-09-12 18:50 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 18:27 . 2012-09-12 18:50 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-24 11:46 . 2006-02-28 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2014-02-24 11:45 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2014-02-24 11:45 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2014-02-24 11:45 . 2006-02-28 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2014-02-24 10:54 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2014-02-07 21:36 . 2013-07-10 14:57 67824 ----a-w- c:\windows\system32\drivers\aswmonflt.sys
2014-02-07 21:35 . 2013-07-10 14:57 410784 ----a-w- c:\windows\system32\drivers\aswSP.sys
2014-02-07 21:35 . 2013-07-10 14:57 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-02-07 21:35 . 2013-07-10 14:57 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-02-07 21:35 . 2013-07-10 14:57 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2014-02-07 21:35 . 2013-07-10 14:57 270240 ----a-w- c:\windows\system32\aswBoot.exe
2014-02-07 21:35 . 2013-07-10 14:56 43152 ----a-w- c:\windows\avastSS.scr
2014-02-07 02:01 . 2006-02-28 12:00 1879040 ----a-w- c:\windows\system32\win32k.sys
2014-02-05 08:55 . 2006-02-28 12:00 562688 ----a-w- c:\windows\system32\qedit.dll
2014-01-07 11:40 . 2013-07-10 14:57 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-01-07 11:40 . 2013-07-10 14:57 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-01-04 15:50 . 2014-01-04 15:50 231048 ----a-w- c:\windows\system32\SigCheck.exe
2014-01-04 03:13 . 2006-02-28 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-02-07 21:35 259464 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-02-07 3767096]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2013-05-01 421888]
.
c:\documents and settings\Lew\Start Menu\Programs\Startup\
WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2013-7-7 46432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-09 19:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-09 19:50 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 07:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
2013-11-07 23:39 4752384 ----a-w- c:\documents and settings\Lew\Application Data\Spotify\spotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2013-11-07 23:39 1140736 ----a-w- c:\documents and settings\Lew\Application Data\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spybot-S&D Cleaning]
2012-11-13 19:07 3713032 ----a-w- c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 13:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-09-07 17:55 295512 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PCShowServer"="c:\documents and settings\Lew\Local Settings\Application Data\DIRECTV Player\PCShowServerPMWrapper.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe"  -osboot
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe"
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Lew\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [7/10/2013 10:57 AM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [7/10/2013 10:57 AM 180248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/10/2013 10:57 AM 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/10/2013 10:57 AM 410784]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [7/10/2013 10:57 AM 67824]
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.3.124.0\BBSvc.EXE [12/16/2013 8:34 PM 193696]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/24/2012 3:32 PM 1103392]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [11/24/2012 3:32 PM 168384]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.3.124.0\SeaPort.EXE [12/16/2013 8:34 PM 247968]
S3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [11/24/2012 3:32 PM 1369624]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/29/2012 12:50 PM 11520]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [8/14/2013 3:19 PM 39056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-15 15:04 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-12 18:27]
.
2014-03-21 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2014-03-22 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2014-03-21 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2014-03-21 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2014-03-22 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-07-10 21:35]
.
2014-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-10 14:57]
.
2014-03-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-10 14:57]
.
2014-03-22 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2052111302-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 21:13]
.
2014-03-22 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2052111302-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 21:13]
.
2014-03-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2052111302-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 21:13]
.
2014-03-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2052111302-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 21:13]
.
2014-03-19 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-11-24 19:07]
.
2014-03-17 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-11-24 19:07]
.
2014-03-22 c:\windows\Tasks\User_Feed_Synchronization-{90A41A15-AAF1-4707-8558-2318913D9F39}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-22 09:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2052111302-861567501-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3952)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2014-03-22  09:29:22 - machine was rebooted
ComboFix-quarantined-files.txt  2014-03-22 13:29
ComboFix2.txt  2014-03-05 18:23
.
Pre-Run: 484,191,256,576 bytes free
Post-Run: 484,144,275,456 bytes free
.
- - End Of File - - 5397F666C48D08E01F61D65671F3324F
8F558EB6672622401DA993E1E865C861
 



#36 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 22 March 2014 - 09:28 AM

That looks good.

 

Are you still having any issues?

 

If things are good, we can do a little housekeeping and let you go.


Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#37 Lewg

Lewg

    Silver Member

  • Authentic Member
  • PipPipPip
  • 393 posts

Posted 22 March 2014 - 01:02 PM

Much better now, No more pop up windows.  I think we are good to tidy up now.....thanks!



#38 Lewg

Lewg

    Silver Member

  • Authentic Member
  • PipPipPip
  • 393 posts

Posted 22 March 2014 - 01:04 PM

Question: is there a way to tell if someone is controlling my PC when online?



#39 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 22 March 2014 - 01:39 PM

Well... maybe.

 

The only way for someone to control your computer is through software.  If there is a backdoor program, then someone with the "other half" of the program could access your computer and, depending on the software, could possibly control your system.  This is assuming that it is being done without your permission.  There are programs that are not hidden that can be used for remote access to your system.  There is a program that comes with Windows that is called Remote Access that does exactly that.  A person would have to have your access credentials (that you set yourself) to use it.  TeamViewer and GoToMyPc are other remote access programs.  All require credentials.  A VPN can be set up - with appropriate credentials.

 

Every legitimate program I've listed leaves a signature (we didn't find any sign of any of them).  A backdoor will usually leave footprints (which we didn't find) but there is no guarantee of that.  Theoretically, a backdoor could exist that is not generally known about and it would be possible to set it up in such a way so that it wouldn't be detected because no scanner would know what footprints to look for.  This is one of the main reasons that we strongly recommend that people not use P2P software (torrent sites) because it opens a port in your system that makes it infinitely easier to install an undetected backdoor.

 

So I guess the best answer I can give you is that it is extremely unlikely that someone else is controlling your system when you are online.  The only way to be 100% certain that you are clean is to reformat your drives and reinstall your operating system from genuine original disks from Microsoft. At that point you are clean with certainty.  From the instant you connect to the internet and install anything else... that certainty goes down.

 

Time for some housekeeping

  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
  • [screenshot: Combofix_uninstall_image.jpg]

The above procedure will:

  • Implement some cleanup procedures.
  • Reset System Restore.

 

 

We need to remove the tools we've used during cleaning your machine
 

  • Download Delfix from here
  • Ensure Remove disinfection tools is ticked
    Also tick:
    • Create registry backup
    • Purge system restore
    [screenshot: delfix.jpg]
  • Click Run

The program will run for a few moments and then notepad will open with a log. It is not important that I see the log so you don't need to post it.

Please re-enable any security that was disabled.

 

 

The following is my standard advice for the future.  Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing.  Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware" 
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions.  Otherwise, this thread will be closed Resolved.  :thumbup:
 


Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
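Post #39 argues that legitimate remote-access tools leave a signature in the autostart and service lists, and that the real worry is software running from places a scanner would not expect. The following Python is an added example, not part of the thread or of any tool used in it: it parses an excerpt in ComboFix's report format (the Run key, the Startup folder, the firewall AuthorizedApplications list and the R*/S* service lines) into an inventory, then flags entries that run from the user profile, bare file names resolved via PATH, and the remote-access products the post names. The "TeamViewer 9" and "Update Helper" service lines and their paths are constructed; `parse_autostarts`, `location_class` and `review` are names chosen here.

```python
import re

# Constructed excerpt in ComboFix's report format. Most lines are copied from the thread's own
# log; the "TeamViewer 9" and "Update Helper" service lines are hypothetical additions (one
# legitimate remote-access tool, one service running from the user profile) added for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-02-07 3767096]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2013-05-01 421888]
"RTHDCPL"=RTHDCPL.EXE
.
c:\documents and settings\Lew\Start Menu\Programs\Startup\
WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2013-7-7 46432]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Lew\\Application Data\\Spotify\\spotify.exe"=
.
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [7/10/2013 10:57 AM 67824]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/24/2012 3:32 PM 1103392]
R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [1/1/2014 12:00 PM 1]
S3 UpdHelper;Update Helper;c:\documents and settings\Lew\Application Data\UpdHelper\updhelper.exe [1/1/2014 12:00 PM 1]
"""

# Remote-access products the post names as legitimate but signature-leaving.
REMOTE_ACCESS_TOOLS = ("teamviewer", "gotomypc")

FIREWALL_RE = re.compile(r'^"(?P<path>[^"]+)"=$')                       # "path"=  (allowed app)
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[")
STARTUP_RE = re.compile(r"^(?P<name>\S+\.lnk) - (?P<path>.+?)\s+\[", re.IGNORECASE)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


def location_class(path):
    """Coarse classification of where an autostart binary lives."""
    p = path.lower().replace("\\\\", "\\")
    if p.startswith((r"c:\windows", r"c:\program files", "%windir%", "%programfiles%")):
        return "system"
    if p.startswith((r"c:\documents and settings", r"c:\users")):
        return "user-profile"
    if "\\" not in p:
        return "unqualified"   # bare file name, located via the PATH at run time
    return "other"


def _classify_line(line):
    """Return (kind, name, path) for a line in a format we understand, else None."""
    m = FIREWALL_RE.match(line)
    if m:
        path = m.group("path").replace("\\\\", "\\")   # the firewall list doubles backslashes
        return "firewall-allow", path.rsplit("\\", 1)[-1], path
    m = SERVICE_RE.match(line)
    if m:
        return "service", f"{m.group('svc')} ({m.group('display')})", m.group("path")
    m = STARTUP_RE.match(line)
    if m:
        return "startup-folder", m.group("name"), m.group("path")
    m = RUN_RE.match(line)
    if m:
        return "run-key", m.group("name"), m.group("quoted") or m.group("bare")
    return None


def parse_autostarts(text):
    """Build an inventory of autostart, service and firewall entries from a ComboFix-style report."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "." or line.startswith("["):
            continue  # blank line, section separator, or registry key header
        hit = _classify_line(line)
        if hit:
            kind, name, path = hit
            entries.append({"kind": kind, "name": name, "path": path,
                            "location": location_class(path)})
    return entries


def review(entries, remote_tools=REMOTE_ACCESS_TOOLS):
    """Flag what a helper looks at first: odd locations and known remote-access software."""
    findings = []
    for e in entries:
        hay = f"{e['name']} {e['path']}".lower()
        if e["location"] == "user-profile":
            findings.append((e["kind"], e["name"], "runs from a user-writable profile path"))
        elif e["location"] == "unqualified":
            findings.append((e["kind"], e["name"], "bare file name, resolved via PATH at run time"))
        for tool in remote_tools:
            if tool in hay:
                findings.append((e["kind"], e["name"], f"remote-access software present: {tool}"))
    return findings


if __name__ == "__main__":
    for kind, name, why in review(parse_autostarts(SAMPLE_LOG)):
        print(f"[{kind}] {name}: {why}")
```

A hit here is a starting point, not a verdict: Spotify in Application Data is normal, and a named remote-access service is exactly the "signature" the post says a legitimate tool leaves. What the list gives you is the short set of entries to verify by hand instead of reading the whole report.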
 

#40 Lewg

Lewg

    Silver Member

  • Authentic Member
  • PipPipPip
  • 393 posts

Posted 23 March 2014 - 08:19 AM

I hope this did not cause a problem, but ComboFix ran when I typed in COMBOFIX /UNISTALL, which was misspelling UNINSTALL and leaving out an N.....Sorry!  I have not uninstalled ComboFix.....The recent ComboFix.txt log is located in my root directory (C:\) which I can post if you like.



#41 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 23 March 2014 - 08:57 AM

Shouldn't have made a problem... but go ahead and post the log and I'll give it a quick look.


Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#42 Lewg

Lewg

    Silver Member

  • Authentic Member
  • PipPipPip
  • 393 posts

Posted 23 March 2014 - 09:06 AM

ComboFix 14-03-19.01 - Lew 03/23/2014  10:04:17.7.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.958.545 [GMT -4:00]
Running from: c:\documents and settings\Lew\Desktop\ComboFix.exe
Command switches used :: /unistall
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-23 to 2014-03-23  )))))))))))))))))))))))))))))))
.
.
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-11 18:27 . 2012-09-12 18:50 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 18:27 . 2012-09-12 18:50 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-24 11:46 . 2006-02-28 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2014-02-24 11:45 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2014-02-24 11:45 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2014-02-24 11:45 . 2006-02-28 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2014-02-24 10:54 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2014-02-07 21:36 . 2013-07-10 14:57 67824 ----a-w- c:\windows\system32\drivers\aswmonflt.sys
2014-02-07 21:35 . 2013-07-10 14:57 410784 ----a-w- c:\windows\system32\drivers\aswSP.sys
2014-02-07 21:35 . 2013-07-10 14:57 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-02-07 21:35 . 2013-07-10 14:57 775952 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-02-07 21:35 . 2013-07-10 14:57 54832 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2014-02-07 21:35 . 2013-07-10 14:57 270240 ----a-w- c:\windows\system32\aswBoot.exe
2014-02-07 21:35 . 2013-07-10 14:56 43152 ----a-w- c:\windows\avastSS.scr
2014-02-07 02:01 . 2006-02-28 12:00 1879040 ----a-w- c:\windows\system32\win32k.sys
2014-02-05 08:55 . 2006-02-28 12:00 562688 ----a-w- c:\windows\system32\qedit.dll
2014-01-07 11:40 . 2013-07-10 14:57 180248 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-01-07 11:40 . 2013-07-10 14:57 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-01-04 15:50 . 2014-01-04 15:50 231048 ----a-w- c:\windows\system32\SigCheck.exe
2014-01-04 03:13 . 2006-02-28 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-02-07 21:35 259464 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-02-07 3767096]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2013-05-01 421888]
.
c:\documents and settings\Lew\Start Menu\Programs\Startup\
WKCALREM.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2013-7-7 46432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-09 19:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-09 19:50 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 07:59 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify]
2013-11-07 23:39 4752384 ----a-w- c:\documents and settings\Lew\Application Data\Spotify\spotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
2013-11-07 23:39 1140736 ----a-w- c:\documents and settings\Lew\Application Data\Spotify\Data\SpotifyWebHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spybot-S&D Cleaning]
2012-11-13 19:07 3713032 ----a-w- c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 13:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-09-07 17:55 295512 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PCShowServer"="c:\documents and settings\Lew\Local Settings\Application Data\DIRECTV Player\PCShowServerPMWrapper.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe"  -osboot
"RTHDCPL"=RTHDCPL.EXE
"nwiz"=nwiz.exe /install
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe"
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Lew\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [7/10/2013 10:57 AM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [7/10/2013 10:57 AM 180248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/10/2013 10:57 AM 775952]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/10/2013 10:57 AM 410784]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [7/10/2013 10:57 AM 67824]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [11/24/2012 3:32 PM 1103392]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.3.124.0\SeaPort.EXE [12/16/2013 8:34 PM 247968]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.3.124.0\BBSvc.EXE [12/16/2013 8:34 PM 193696]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [11/24/2012 3:32 PM 168384]
S3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [11/24/2012 3:32 PM 1369624]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/29/2012 12:50 PM 11520]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [8/14/2013 3:19 PM 39056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-15 15:04 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-12 18:27]
.
2014-03-22 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2014-03-23 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2014-03-22 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2014-03-22 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 3050 J610 series\Bin\HPCustPartic.exe [2010-11-17 02:12]
.
2014-03-23 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-07-10 21:35]
.
2014-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-10 14:57]
.
2014-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-10 14:57]
.
2014-03-23 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2052111302-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 21:13]
.
2014-03-23 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2052111302-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 21:13]
.
2014-03-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2052111302-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 21:13]
.
2014-03-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2052111302-861567501-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-08-14 21:13]
.
2014-03-19 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-11-24 19:07]
.
2014-03-17 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-11-24 19:07]
.
2014-03-23 c:\windows\Tasks\User_Feed_Synchronization-{90A41A15-AAF1-4707-8558-2318913D9F39}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-03-23 10:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2052111302-861567501-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2014-03-23  10:10:35
ComboFix-quarantined-files.txt  2014-03-23 14:10
ComboFix2.txt  2014-03-22 13:29
ComboFix3.txt  2014-03-05 18:23
.
Pre-Run: 484,007,874,560 bytes free
Post-Run: 484,043,132,928 bytes free
.
- - End Of File - - 291939C0D31C9DE8A0FEB384E5F42CAB
8F558EB6672622401DA993E1E865C861
 



#43 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 23 March 2014 - 10:04 AM

That still looks good to me.

 

Carry on. :thumbup:


Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#44 Lewg

Lewg

    Silver Member

  • Authentic Member
  • PipPipPip
  • 393 posts

Posted 23 March 2014 - 10:23 PM

Something has happened to my multifunction keys on my keyboard. They don't work anymore, and on my Windows sign-in screen where I type my password I don't have a blinking cursor.  I have to restart the PC each time to get a cursor so I can log in....That's not right.....Any idea what has happened.....



#45 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 24 March 2014 - 11:00 AM

I'm guessing you are talking about programmable keys.  Seeing as how you have Enhanced Multimedia Keyboard Solution installed, I'm thinking you have an HP computer?  Everyone's programmable keyboard works a little differently, but they are similar.  Basically, you need the driver installed for it to work.  We did not remove any drivers so I cannot see why anything should have changed.

 

You can try reinstalling the drivers by going to HP and inputting your computer information to get the correct drivers and install them.

 

I am unclear as to the issue with the sign in screen.  You say you have to restart to sign in... but, it seems to me, you would only have to sign in when you restart.  Please clarify.


Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 
