Help with Hacker

I'm new here and not sure if this is the correct forum.

keep getting a program called Remote Anything, or maybe it's Remote Anywhere, on my computer. I clean it off and the next day or sometime within hours, it's back.

I googled it and it's a program to allow someone access to your PC. Does anyone have any information on this? What it is actually capable of? Is there anyway to block it?

Sorry, if I sound uninformed about these kind of things. I am. I have AdAware, Spybot, Spyblaster and Spykiller installed. No firewall. I'm open to suggestions for one. Spykiller is the program that picks it up.

KarenS

 

Hi Karen,

Please follow the instructions posted here:
https://www.wilderssecurity.com/showthread.php?t=15913

Regards,

Pieter

 

Okay, I did as instructed and here is the log. The Remote Anything is not on my system right now. I removed it earlier.

Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 12:52:15 PM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Web Tools\CKA.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
C:\Program Files\Messenger\msmsgs.exe
F:\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SymKeepAlive] C:\Program Files\Symantec\Web Tools\CKA.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.2870601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{527621FB-B706-4C0B-B8DD-311ABB39A8A4}: NameServer = 12.26.124.2 12.26.124.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{527621FB-B706-4C0B-B8DD-311ABB39A8A4}: NameServer = 12.26.124.2 12.26.124.3

 

Hi KarenS,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: PowerReg Scheduler V3.exe

Then reboot. If it comes back could you make a HijackThis log before you remove it?

Regards,

Pieter

 

Ok, I removed the entries you said to. It disappeared for a couple days but is back. Here is the logfile with it still on the system.

Logfile of HijackThis v1.97.7
Scan saved at 6:06:53 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Web Tools\CKA.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\SpyKiller\SpyKiller.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
F:\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SymKeepAlive] C:\Program Files\Symantec\Web Tools\CKA.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.2870601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{527621FB-B706-4C0B-B8DD-311ABB39A8A4}: NameServer = 12.26.124.2 12.26.124.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{527621FB-B706-4C0B-B8DD-311ABB39A8A4}: NameServer = 12.26.124.2 12.26.124.3

Thanks,

Karen

 

Hi Karen,

Does Spykiller produce some sort of log you can post?
I have a feeling it is a bigger problem itself then the stuff it finds.
Maybe you should get a second opinion from AdAware and/or Spybot.

Regards,

Pieter

 

Hi Pieter,

Thanks for responding.

Someone, and I even think I know who it is, is messing with my computer. It is someone who may have had access to it so I'm not even sure a firewall (which I don't have..I know, I know..money's tight) would help.

Here is a link to what it can do.

http://www.webattack.com/get/ra.html

I know something is happening because I'll be typing something like this message and it will disappear. Or it's like someone is hitting the backspace key. Or it's like someone is hitting the ba

I did that for an example.

Then I'll run Spykiller and it will show up.

I'm not very computer savvy as I mentioned. But I don't want someone reading every word I type.

I've done a search for "remote anything" using the text search not the file name. It comes up with log files from Spykiller.

Speaking of Spykiller. Are you saying it's a completely useless program that I spent money on that could have gone to a good firewall? Let me shoot myself now. And that it's causing the problem? Should I uninstall it?

Anyway, you asked for it so here it is. A file log from Spykiller.

Incidentally, it's always associated with Camedia which is a program for an Olympus digital camera. Could the solution be as simple as to simply not download from the camera while online?

I'm actually very interested in knowing what is going on here. If you can explain it in laymans terms. Even if the answer is "You're being totally and completely paranoid." Hey, just because you're paranoid...you know the rest.

Scan initialized on 6/10/2004 10:44:26 AM
========================================

Started memory scan
====================
Running processes:
1: \SystemRoot\System32\smss.exe
2: \??\C:\WINDOWS\system32\winlogon.exe
3: C:\WINDOWS\system32\services.exe
4: C:\WINDOWS\system32\lsass.exe
5: C:\WINDOWS\system32\svchost.exe
6: C:\WINDOWS\System32\svchost.exe
7: C:\Program Files\Sygate\SPF\smc.exe
8: C:\WINDOWS\Explorer.EXE
9: C:\WINDOWS\System32\hkcmd.exe
10: C:\WINDOWS\BCMSMMSG.exe
11: C:\WINDOWS\system32\dla\tfswctrl.exe
12: C:\Program Files\Dell\Media Experience\PCMService.exe
13: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
14: C:\Program Files\Common Files\Dell\EUSW\Support.exe
15: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
16: C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
17: C:\Program Files\Symantec\Web Tools\CKA.exe
18: C:\Program Files\Microsoft Money\System\mnyexpr.exe
19: C:\Program Files\SpyKiller\spykiller.exe
20: C:\Program Files\CallWave\IAM.exe
21: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
22: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
23: C:\WINDOWS\system32\spoolsv.exe
24: C:\WINDOWS\system32\cisvc.exe
25: C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
26: C:\Program Files\Messenger\msmsgs.exe
27: C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
28: C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
29: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
30: C:\WINDOWS\system32\rundll32.exe
31: C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

Memory scan result:
Total modules found:31
Suspicious modules found: 0

Started registry scan
====================
Remote Anything HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache--CAMEDIA Master--C:\Program Files\OLYMPUS\CAMEDIA Master 4.0\CAMEDIA Master.exe
SEVERE - TWD Industries
Registry scan result:
Suspicious keys found: 1

Started folder scan
====================

Folder scan result:
Folder processed: 0
Suspicious folders found: 0

Started file scan
====================

File scan result:
Suspicious files found: 0

Scanning finished
====================
Suspicious modules found: 0
Suspicious keys found: 1
Suspicious folders found: 0
Suspicious files found: 0
====================

Components ignored:0
Total components found:1


Karen

 

Shooting yourself would be a bigger waste, but maybe I can prevent that by telling your there are some very nice free firewalls available:
Kerio, Sygate and ZoneAlarm all offer free versions.
http://www.wilders.org/firewalls.htm

SpyKiller is mentioned here http://www.netrn.net/spywareblog/
under Updated List of Rogue/Suspect Anti-Spyware Programs

I would advise to switch to AdAware or Spybot S&D
Click the link in my signature to learn more about these (also free) programs.

Regards,

Pieter

 

Thanks Pieter.

I just hope I can uninstall it with no problems. It'll probably leave registry entries behind since it's a rogue program.

I'm downloading Zone Alarm right now.

I already have Spybot and Adaware.

Karen

 

I hope so too. I never heard any complaints about their uninstaller, if that is any consolation.

Regards,

Pieter