Who Is?


3 replies to this topic

#1 MistriCo.

MistriCo.

  • Members
  • 2 posts

Posted 16 February 2008 - 09:49 PM

Hello there, I'm new to all this and know very little about comps. I work in a small company (11 people) and the problem is I suspect a work colleague has put some sort of program onto my machine, his machine or the server (8 WPs are networked) that lets him (and maybe others) view my WP screen, in that he can see what I'm typing, looking at etc., MS Outlook, desktop etc. It might seem that I'm paranoid but I think he may have somehow obtained the administrator password. I've told one of the administrators but she can find nothing on the system, so I have asked her to keep a check on my workstation and logon details to see who's doing what. I don't know if she even knows how to do this.

Things that make me suspect are that strange things happen on my screen; it goes blurry, when I click on "Start" the menu shimmers in and out of focus, e-mails have been opened, my personal Hotmail address appears on another computer, my personal settings change, and so on, and so on, and so on. The computer that has my Hotmail details is used by a lot of the staff. I've only used the workstation assigned to me when checking my Hotmail. I've spoken to other colleagues but they do not have the same problems and they've told me to download programs to clean out my comp/history etc. One time when I did this I noticed some strange entries that were to be deleted when I restarted. I printed one of these out (several pages of computer language that I don't understand):

Key Name: HKEY_USERS\S-1-5-2.........\Software\Yahoo\Companion

Class Name: <NO CLASS>
Last Write Time: 02/11/2008 - 17:02
Value 0
Name: LastPoll
Type: REG_DWORD
Data: 0x30c

Value 1
Name: ft
Type: REG_DWORD
Data: 0x0

Value 2
Name: dc
Type: REG_SZ
Data: v7_shkwav

Value 3
Blah
Blah
Blah

Value 11
Name: Guest
Type: ReG_SZ
......

Value 12
Name: attempt
Type: REG_SZ
Data: (this is blank, nothing typed here)

Various Name: like: mess, or mess_off, or resfeed, or asdname, or layout, or sm, or slock, or lastact, or srch_hlt or, catb_dontask, or myweb, or srch_ebox, or V2DataMigrated, or BlockedTotal, or

Name: LastTimeChecked
Type: REG_DWORD
Data: 0x405aff1b
or
Name: LastVersionChecked
Type: REG_SZ
Data: 5,0,2,7

.......disabled)

Various: Key Name: HKEY_USERS\S-1-5-2......... followed by:
\Software\Yahoo\Companion
\Software\Yahoo\Companion\Opt
\Software\Yahoo\Companion\Profiles
\Software\Yahoo\Companion\Profiles\!guest
\Software\Yahoo\Companion\Profiles\!guest\bookmarks
\Software\Yahoo\Companion\Profiles\!guest\ButtonHistory
\Software\Yahoo\Companion\PUB
\Software\Yahoo\Companion\pubmod
\Software\Yahoo\Companion\SearchHistory
\Software\Yahoo\Companion\YCheck

PLEASE NOTE THAT I NEVER USE YAHOO

AND

DOES THIS MEAN ANYTHING TO ANYONE?:


<document WMSNameSpaceVersion="2.0">

<node name="Control Protocol" opcode="create" >
<node name="Object Store" opcode="create" >
<node name="RTSP" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{308786f0-8b15-11d2-b25f-006097d2e41e}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Protocol" opcode="create" type="string" value="RTSP,RTSPA,RTSPT,RTSPU,RTSPM" />
</node> <!-- Properties -->

</node> <!-- RTSP -->

<node name="Sessionless Multicast" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{f9377800-f38d-11d2-b26c-006097d2e41e}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Protocol" opcode="create" type="string" value="MCAST,RTP" />
</node> <!-- Properties -->

</node> <!-- Sessionless Multicast -->

</node> <!-- Object Store -->

<node name="Shared Properties" opcode="create" />
</node> <!-- Control Protocol -->

<node name="Data Protocol" opcode="create" >
<node name="Object Store" opcode="create" >
<node name="RTP" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{cbfb2e20-ab7b-11d2-b261-006097d2e41e}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Format" opcode="create" type="string" value="x-asf-pf" />
<node name="Protocol" opcode="create" type="string" value="RTP/AVP" />
</node> <!-- Properties -->

</node> <!-- RTP -->

<node name="RTP/ASF" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{149a44be-dc14-4e94-9cb0-c0268e77df9e}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Format" opcode="create" type="string" value="x-asfv2-pf,x-asfv2-grp-pf,x-asfv2-frag-pf" />
<node name="Protocol" opcode="create" type="string" value="RTP/AVP" />
</node> <!-- Properties -->

</node> <!-- RTP/ASF -->

<node name="RTP/AVP" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{d7335e2e-62eb-4ad0-96cd-b31c9d0f9f85}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Format" opcode="create" type="string" value="PCMU,L8,L16,MPA,G726-24,G726-40" />
<node name="Protocol" opcode="create" type="string" value="RTP/AVP" />
</node> <!-- Properties -->

</node> <!-- RTP/AVP -->

<node name="RTP/FEC" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{02DEFE42-F8FC-11d2-8670-00C04F6890ED}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Format" opcode="create" type="string" value="parityfec" />
<node name="Protocol" opcode="create" type="string" value="RTP/AVP" />
</node> <!-- Properties -->

</node> <!-- RTP/FEC -->

<node name="RTP/WMS-FEC" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{EDAB8E6B-746C-40db-A885-9E4A9EEF27A2}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Format" opcode="create" type="string" value="wms-fec" />
<node name="Protocol" opcode="create" type="string" value="RTP/AVP" />
</node> <!-- Properties -->

</node> <!-- RTP/WMS-FEC -->

</node> <!-- Object Store -->

<node name="Shared Properties" opcode="create" />
</node> <!-- Data Protocol -->

<node name="Feedback Protocol" opcode="create" >
<node name="Object Store" opcode="create" >
<node name="RTCP" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{ecfddc81-184e-11d3-ae84-00a0c95ec3f0}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Format" opcode="create" type="string" value="x-wms-rtx" />
<node name="Protocol" opcode="create" type="string" value="RTP/AVP" />
</node> <!-- Properties -->

</node> <!-- RTCP -->

</node> <!-- Object Store -->

<node name="Shared Properties" opcode="create" />
</node> <!-- Feedback Protocol -->

<node name="Network Source" opcode="create" >
<node name="Object Store" opcode="create" >
<node name="WMS Http Network Source" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{566A2EFF-5651-4020-AC1A-EB48E4571EA3}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Source Type" opcode="create" type="string" value="HTTP" />
<node name="DefaultHttpServerPort" opcode="create" type="int32" value="0x50" />
<node name="DefaultHttpServerSSLPort" opcode="create" type="int32" value="0x1bb" />
<node name="PacketBuffers" opcode="create" type="int32" value="0x8" />
<node name="EnableHTTP1_1" opcode="create" type="int32" value="0x1" />
<node name="OpenTimeout" opcode="create" type="int32" value="0x1e" />
<node name="SecondSegmentTimeout" opcode="create" type="int32" value="0x64" />
<node name="ControlAdapter" opcode="create" type="string" value="" />
<node name="PercentBWUsageForAccelStreaming" opcode="create" type="int32" value="0x55" />
<node name="Proxy Setting" opcode="create" type="int32" value="0x3" />
<node name="ProxyHostName" opcode="create" type="string" value="" />
<node name="ProxyPort" opcode="create" type="int32" value="0x50" />
<node name="ProxyBypassForLocal" opcode="create" type="int32" value="0x0" />
</node> <!-- Properties -->

</node> <!-- WMS Http Network Source -->

<node name="WMS Mms Network Source" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{DCF6C8B2-F6C0-461b-82DA-35945EADF54A}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Source Type" opcode="create" type="string" value="MMS,MMST,MMSU" />
<node name="DefaultServerPort" opcode="create" type="int32" value="0x6db" />
<node name="MaxReadHeaderRetries" opcode="create" type="int32" value="0x4" />
<node name="PacketBuffers" opcode="create" type="int32" value="0x8" />
<node name="DropProb" opcode="create" type="int32" value="0x0" />
<node name="DropGracePeriod" opcode="create" type="int32" value="0x0" />
<node name="FirstDropGracePeriod" opcode="create" type="int32" value="0x0" />
<node name="DropBurstDuration" opcode="create" type="int32" value="0x0" />
<node name="PacketPairDropProb" opcode="create" type="int32" value="0x0" />
<node name="NackAlgorithm" opcode="create" type="int32" value="0x2" />
<node name="NackRateMultiplier" opcode="create" type="int32" value="0x1" />
<node name="NackBurst" opcode="create" type="int32" value="0x5dc" />
<node name="NackTraceInterval" opcode="create" type="int32" value="0x3e8" />
<node name="NackRetry" opcode="create" type="int32" value="0x1" />
<node name="IgnoreServerVersion" opcode="create" type="int32" value="0x0" />
<node name="EnableMmsDistribution" opcode="create" type="int32" value="0x0" />
<node name="AssertStrangeErrors" opcode="create" type="int32" value="0x0" />
<node name="InactivityTimeout" opcode="create" type="int32" value="0x5a" />
<node name="OpenTimeout" opcode="create" type="int32" value="0x20" />
<node name="PercentBWUsageForAccelStreaming" opcode="create" type="int32" value="0x55" />
<node name="FunnelAdapter" opcode="create" type="string" value="" />
<node name="ControlAdapter" opcode="create" type="string" value="" />
<node name="Proxy Setting" opcode="create" type="int32" value="0x0" />
<node name="ProxyHostName" opcode="create" type="string" value="" />
<node name="ProxyPort" opcode="create" type="int32" value="0x6db" />
<node name="ProxyBypassForLocal" opcode="create" type="int32" value="0x0" />
</node> <!-- Properties -->

</node> <!-- WMS Mms Network Source -->

<node name="WMS Msbd Network Source" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{FB74F625-7D25-4455-B840-7B870B5B9322}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Source Type" opcode="create" type="string" value="ASFM" />
<node name="PacketBuffers" opcode="create" type="int32" value="0x8" />
<node name="DropProb" opcode="create" type="int32" value="0x0" />
<node name="DropGracePeriod" opcode="create" type="int32" value="0x0" />
<node name="FirstDropGracePeriod" opcode="create" type="int32" value="0x0" />
<node name="DropBurstDuration" opcode="create" type="int32" value="0x0" />
<node name="McastTimeout" opcode="create" type="int32" value="0x3a98" />
<node name="EnableIGMPv3" opcode="create" type="int32" value="0x1" />
</node> <!-- Properties -->

</node> <!-- WMS Msbd Network Source -->

<node name="WMS Network Source" opcode="create" >
<node name="CLSID" opcode="create" type="string" value="{ad763fa6-3b90-41ab-bd44-4f832beee55f}" />
<node name="Enabled" opcode="create" type="int32" value="0x1" />
<node name="Properties" opcode="create" >
<node name="Source Type" opcode="create" type="string" value="RTSP,XSDP,RTP,RTSPA,RTSPT,RTSPU,RTSPM" />
<node name="EnableATM" opcode="create" type="int32" value="0x1" />
<node name="MaximumMTU" opcode="create" type="int32" value="0x0" />
<node name="FirewallTimeout" opcode="create" type="int32" value="0x14" />
<node name="OpenTimeout" opcode="create" type="int32" value="0x1e" />
<node name="RtxDropProb" opcode="create" type="int32" value="0x0" />
<node name="DropProb" opcode="create" type="int32" value="0x0" />
<node name="DropGracePeriod" opcode="create" type="int32" value="0x0" />
<node name="FirstDropGracePeriod" opcode="create" type="int32" value="0x0" />
<node name="DropBurstDuration" opcode="create" type="int32" value="0x0" />
<node name="PacketPairDropProb" opcode="create" type="int32" value="0x0" />
<node name="NackAlgorithm" opcode="create" type="int32" value="0x2" />
<node name="NackRateMultiplier" opcode="create" type="int32" value="0x1" />
<node name="NackBurst" opcode="create" type="int32" value="0x5dc" />
<node name="NackTraceInterval" opcode="create" type="int32" value="0x3e8" />
<node name="NackRetry" opcode="create" type="int32" value="0x1" />
<node name="BurstProtection" opcode="create" type="int32" value="0x0" />
<node name="EmulateNetworkDisconnect" opcode="create" type="int32" value="0x0" />
<node name="AssertStrangeErrors" opcode="create" type="int32" value="0x0" />
<node name="PercentBWUsageForAccelStreaming" opcode="create" type="int32" value="0x55" />
<node name="Proxy Setting" opcode="create" type="int32" value="0x0" />
<node name="ProxyHostName" opcode="create" type="string" value="" />
<node name="ProxyPort" opcode="create" type="int32" value="0x22a" />
<node name="ProxyBypassForLocal" opcode="create" type="int32" value="0x0" />
<node name="PktGracePeriodAtEOSForBPP" opcode="create" type="int32" value="0x3e8" />
<node name="PktGracePeriodAtEOSForODP" opcode="create" type="int32" value="0x9c4" />
</node> <!-- Properties -->

</node> <!-- WMS Network Source -->

</node> <!-- Object Store -->

<node name="Shared Properties" opcode="create" >
<node name="Local" opcode="create" />
</node> <!-- Shared Properties -->

</node> <!-- Network Source -->

</document>


__________________________________________________________________

Also,
I would very much like any sort of comment or even a solution from anyone. This has been bugging me for so long now. But if anyone was to reply to this, then please remember I know nothing about comps, only what people have told me to do.



Edited by boopme, 16 February 2008 - 11:28 PM.
{moved to more appropriate forum~boopme}



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,046 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 22 February 2008 - 02:46 PM

Hello MistriCo. and welcome to BC :flowers:

Sorry about the delay in response. We are all volunteers here and sometimes things slip past us.

What is your operating system: Windows XP, Vista etc.?

Do you have any security programs on your computer? If so, what are they?

Does your co-worker have a limited account or one with administrative permissions?

Have you checked to see if the programs in question are shared or private? With your e-mails showing up on another work-station, I suspect that file-sharing is enabled.

Is the administrator account on your machine password protected?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


#3 MistriCo.

MistriCo.
  • Topic Starter

  • Members
  • 2 posts

Posted 31 March 2008 - 05:41 PM

Hiya Orange Blossom,

Thanks for taking the time to get back to me and I must apologise for not replying sooner.

The operating system is Windows XP.

The security programs on the computer are run by an off-site IT company who installed the comps/network server etc., I think Trend Micro (or something like that) and Norton are used.

Co-worker has a limited account with no administrative permissions. I must say that over the last few weeks, I've found things like UltraVNC, TightVNC, Trojan Adclicker when scanning for virus/malware using free downloads. But because it's free the scans do not remove the VNCs. I have no clue what they are or how they work or how to get rid of them. I've checked on the net and found out they allow outsiders to help with problems etc. (and spying, obviously).

I happened to walk past this colleague's desk and before the screen was switched to the desktop I saw a smaller screen with what looked like my screensaver, although I can't be 100% sure.

I no longer use MSN at work and only use Outlook for work stuff (telephone and texting my friends now).

I have no idea if the administrator account on my machine is password protected. As far as I can tell, the whole network is limited in what employees can do. Put it this way: we're not supposed to even download freeware (i.e. CleanUp!, CCleaner, Spybot etc.), free games (I took a chance in downloading the mentioned programs, by the way) nor visit sites like MySpace or whatever it's called, TV sites, YouTube, the list goes on. (Memos are sent round like nobody's business when administrators find out.) So, 10, 09, 08, 07...

Apparently a virus somehow got into the server and nearly ruined the system, so they've come down on us hard.

Do you know how to get rid of the VNC programs?

MistriCo.
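The post above asks what the VNC programs found by the scanners are and how to deal with them. As an added example that is not part of the thread, the following triage helper shows how an administrator can correlate the output of `netstat -ano` and `tasklist /svc` on a Windows XP machine to find a process that is listening on the usual VNC ports (5900 for RFB, 5800 for the Java viewer) or whose image or service name mentions VNC, and to see whether anyone is connected to it right now. The command output embedded in the script is constructed sample data; the process name `winvnc.exe` and service name `uvnc_service` are assumed, not values taken from the thread.

```python
# Added triage helper (not from the thread): correlate `netstat -ano` with `tasklist /svc`
# to spot remote-control servers such as UltraVNC/TightVNC on a Windows XP box.
# Samples below are constructed; port and name heuristics are assumptions.
import re

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       1788
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1788
  TCP    192.168.1.23:5900      192.168.1.40:3421      ESTABLISHED     1788
  UDP    0.0.0.0:500            *:*                                    720
"""
TASKLIST_SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
lsass.exe                    720 PolicyAgent,ProtectedStorage,SamSs
winvnc.exe                  1788 uvnc_service
"""
VNC_PORTS = {5800, 5900}  # RFB (5900) and the VNC Java-viewer HTTP port (5800)

def parse_netstat(text):
    """Return (proto, local_port, foreign, state, pid) for each TCP/UDP row."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 4 or p[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        state, pid = (p[3], p[4]) if p[0] == "TCP" else ("", p[3])  # UDP has no State
        port = int(p[1].rsplit(":", 1)[1])
        rows.append((p[0], port, p[2], state, int(pid)))
    return rows

def parse_tasklist(text):
    """Map PID -> (image name, list of hosted service names)."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:  # header and '====' separator rows carry no PID and are skipped
            svcs = [] if m.group(3) == "N/A" else m.group(3).split(",")
            procs[int(m.group(2))] = (m.group(1), svcs)
    return procs

def find_remote_control_servers(netstat_text, tasklist_text):
    """Return sorted (pid, image, reasons, connected_peers) for suspicious processes."""
    procs = parse_tasklist(tasklist_text)
    ports, peers = {}, {}
    for _proto, port, foreign, state, pid in parse_netstat(netstat_text):
        if port in VNC_PORTS and state == "LISTENING":
            ports.setdefault(pid, set()).add(port)
        elif port in VNC_PORTS and state == "ESTABLISHED":
            peers.setdefault(pid, set()).add(foreign)  # a viewer is connected right now
    findings = []
    for pid, (image, svcs) in procs.items():
        reasons = []
        if pid in ports:
            reasons.append("listening on VNC port(s) %s" % sorted(ports[pid]))
        if any("vnc" in n.lower() for n in [image] + svcs):  # name heuristic
            reasons.append("VNC in image/service name: " + ", ".join([image] + svcs))
        if reasons:
            findings.append((pid, image, reasons, sorted(peers.get(pid, ()))))
    return sorted(findings)

if __name__ == "__main__":
    for pid, image, reasons, peers in find_remote_control_servers(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("PID %d %s: %s; connected viewers: %s" % (pid, image, "; ".join(reasons), peers or "none"))
```

The PID and service name it reports are what the administrator needs to check who installed the service and to stop and uninstall it; a connected peer address shows which machine on the network is viewing the screen at that moment.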

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 31 March 2008 - 10:15 PM

Let's start here and see if we can make heads or tails here.

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.) Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NEXT:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.