Help with Hacker

Discussion in 'adware, spyware & hijack cleaning' started by KarenS, Jun 10, 2004.

Thread Status:
Not open for further replies.
  1. KarenS

    KarenS Registered Member

    Joined:
    Jun 10, 2004
    Posts:
    5
    I'm new here and not sure if this is the correct forum.

    I keep getting a program called Remote Anything, or maybe it's Remote Anywhere, on my computer. I clean it off, and the next day, or sometimes within hours, it's back.

    I googled it and it's a program to allow someone access to your PC. Does anyone have any information on this? What is it actually capable of? Is there any way to block it?

    Sorry if I sound uninformed about these kinds of things. I am. :) I have AdAware, Spybot, Spyblaster and Spykiller installed. No firewall. I'm open to suggestions for one. Spykiller is the program that picks it up.

    KarenS
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  3. KarenS

    Okay, I did as instructed and here is the log. The Remote Anything is not on my system right now. I removed it earlier.

    Thanks in advance.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:52:15 PM, on 6/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec\Web Tools\CKA.exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
    C:\Program Files\Messenger\msmsgs.exe
    F:\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SymKeepAlive] C:\Program Files\Symantec\Web Tools\CKA.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.2870601852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{527621FB-B706-4C0B-B8DD-311ABB39A8A4}: NameServer = 12.26.124.2 12.26.124.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{527621FB-B706-4C0B-B8DD-311ABB39A8A4}: NameServer = 12.26.124.2 12.26.124.3
     
  4. Pieter_Arntz

    Hi KarenS,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: PowerReg Scheduler V3.exe

    Then reboot. If it comes back could you make a HijackThis log before you remove it?

    Regards,

    Pieter
     
  5. KarenS

    Ok, I removed the entries you said to. It disappeared for a couple days but is back. Here is the logfile with it still on the system.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:06:53 PM, on 6/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec\Web Tools\CKA.exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\SpyKiller\SpyKiller.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
    F:\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SymKeepAlive] C:\Program Files\Symantec\Web Tools\CKA.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.2870601852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{527621FB-B706-4C0B-B8DD-311ABB39A8A4}: NameServer = 12.26.124.2 12.26.124.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{527621FB-B706-4C0B-B8DD-311ABB39A8A4}: NameServer = 12.26.124.2 12.26.124.3

    Thanks,

    Karen
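    Pieter's approach in post 4 (fix the "(no file)" registrations, then get a fresh log with the program present so the two can be compared) is the kind of triage that can be scripted. The following is an added example, not code from the thread or from HijackThis itself; the two logs are constructed excerpts modelled on Karen's 6/10 and 6/15 logs above, and the function names are mine.

```python
import re
# Constructed excerpts modelled on the 6/10 and 6/15 HijackThis v1.97.7 logs
# posted in this thread; only the lines that differ or matter are included.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sygate\SPF\smc.exe

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: PowerReg Scheduler V3.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{527621FB-B706-4C0B-B8DD-311ABB39A8A4}: NameServer = 12.26.124.2 12.26.124.3
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\SpyKiller\SpyKiller.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{527621FB-B706-4C0B-B8DD-311ABB39A8A4}: NameServer = 12.26.124.2 12.26.124.3
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - .+$")   # "R0 - ...", "O2 - ...", "O17 - ..."

def parse_log(text):
    """Split a HijackThis log into its running-process list and its R/O item lines."""
    processes, entries, in_procs = set(), set(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False              # a blank line ends the process list
        elif in_procs:
            processes.add(line.lower())   # Windows paths are case-insensitive
        elif ENTRY_RE.match(line):
            entries.add(line)
    return {"processes": processes, "entries": entries}

def orphaned_entries(text):
    """Registry items whose file is gone (HijackThis prints '(no file)'): dead registrations, safe to fix."""
    return sorted(e for e in parse_log(text)["entries"] if e.endswith("(no file)"))

def diff_logs(before, after):
    """What disappeared and what is new between two logs of the same machine."""
    a, b = parse_log(before), parse_log(after)
    return {k: {"removed": sorted(a[k] - b[k]), "added": sorted(b[k] - a[k])}
            for k in ("processes", "entries")}

def dns_servers(text):
    """Name servers from O17 lines; a silent change here between two logs deserves a look."""
    servers = set()
    for e in parse_log(text)["entries"]:
        if e.startswith("O17") and "NameServer = " in e:
            servers.update(e.split("NameServer = ", 1)[1].split())
    return sorted(servers)
```

    Run against the full logs, the diff shows the four fixed items gone and SpyKiller itself as the only new process, while the O17 name servers are unchanged.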
     
  6. Pieter_Arntz

    Hi Karen,

    Does Spykiller produce some sort of log you can post?
    I have a feeling it is a bigger problem itself than the stuff it finds.
    Maybe you should get a second opinion from AdAware and/or Spybot.

    Regards,

    Pieter
     
  7. KarenS

    Hi Pieter,

    Thanks for responding.

    Someone, and I even think I know who it is, is messing with my computer. It is someone who may have had access to it, so I'm not even sure a firewall (which I don't have... I know, I know... money's tight) would help.

    Here is a link to what it can do.

    http://www.webattack.com/get/ra.html

    I know something is happening because I'll be typing something like this message and it will disappear. Or it's like someone is hitting the backspace key. Or it's like someone is hitting the ba

    I did that for an example. :)

    Then I'll run Spykiller and it will show up.

    I'm not very computer savvy as I mentioned. But I don't want someone reading every word I type.

    I've done a search for "remote anything" using the text search not the file name. It comes up with log files from Spykiller.

    Speaking of Spykiller, are you saying it's a completely useless program that I spent money on that could have gone to a good firewall? Let me shoot myself now. :) And that it's causing the problem? Should I uninstall it?

    Anyway, you asked for it so here it is. A file log from Spykiller. :)

    Incidentally, it's always associated with Camedia, which is a program for an Olympus digital camera. Could the solution be as simple as not downloading from the camera while online?

    I'm actually very interested in knowing what is going on here, if you can explain it in layman's terms. Even if the answer is "You're being totally and completely paranoid." :) Hey, just because you're paranoid... you know the rest.

    Scan initialized on 6/10/2004 10:44:26 AM
    ========================================

    Started memory scan
    ====================
    Running processes:
    1: \SystemRoot\System32\smss.exe
    2: \??\C:\WINDOWS\system32\winlogon.exe
    3: C:\WINDOWS\system32\services.exe
    4: C:\WINDOWS\system32\lsass.exe
    5: C:\WINDOWS\system32\svchost.exe
    6: C:\WINDOWS\System32\svchost.exe
    7: C:\Program Files\Sygate\SPF\smc.exe
    8: C:\WINDOWS\Explorer.EXE
    9: C:\WINDOWS\System32\hkcmd.exe
    10: C:\WINDOWS\BCMSMMSG.exe
    11: C:\WINDOWS\system32\dla\tfswctrl.exe
    12: C:\Program Files\Dell\Media Experience\PCMService.exe
    13: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    14: C:\Program Files\Common Files\Dell\EUSW\Support.exe
    15: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    16: C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    17: C:\Program Files\Symantec\Web Tools\CKA.exe
    18: C:\Program Files\Microsoft Money\System\mnyexpr.exe
    19: C:\Program Files\SpyKiller\spykiller.exe
    20: C:\Program Files\CallWave\IAM.exe
    21: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    22: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    23: C:\WINDOWS\system32\spoolsv.exe
    24: C:\WINDOWS\system32\cisvc.exe
    25: C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    26: C:\Program Files\Messenger\msmsgs.exe
    27: C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    28: C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    29: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    30: C:\WINDOWS\system32\rundll32.exe
    31: C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

    Memory scan result:
    Total modules found:31
    Suspicious modules found: 0

    Started registry scan
    ====================
    Remote Anything HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache--CAMEDIA Master--C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CAMEDIA Master.exe
    SEVERE - TWD Industries
    Registry scan result:
    Suspicious keys found: 1

    Started folder scan
    ====================

    Folder scan result:
    Folder processed: 0
    Suspicious folders found: 0

    Started file scan
    ====================

    File scan result:
    Suspicious files found: 0

    Scanning finished
    ====================
    Suspicious modules found: 0
    Suspicious keys found: 1
    Suspicious folders found: 0
    Suspicious files found: 0
    ====================

    Components ignored:0
    Total components found:1


    Karen
     
  8. Pieter_Arntz

    Shooting yourself would be a bigger waste, but maybe I can prevent that by telling you there are some very nice free firewalls available:
    Kerio, Sygate and ZoneAlarm all offer free versions.
    http://www.wilders.org/firewalls.htm

    SpyKiller is mentioned here http://www.netrn.net/spywareblog/
    under Updated List of Rogue/Suspect Anti-Spyware Programs

    I would advise switching to AdAware or Spybot S&D.
    Click the link in my signature to learn more about these (also free) programs.

    Regards,

    Pieter
     
  9. KarenS

    Thanks Pieter.

    I just hope I can uninstall it with no problems. It'll probably leave registry entries behind since it's a rogue program.

    I'm downloading Zone Alarm right now.

    I already have Spybot and Adaware.

    Karen
     
  10. Pieter_Arntz

    I hope so too. I have never heard any complaints about their uninstaller, if that is any consolation.

    Regards,

    Pieter
     