
REMOTE ACCESS HACKING


This topic is locked
4 replies to this topic

#1 onlyuser


  • Members
  • 7 posts

Posted 30 July 2009 - 04:54 PM

Hi,

First, I know that my computer is being accessed remotely via "Owner/Administrator" acct.


HERE IS MY BELARC ADVISOR ANALYSIS: **My User name is "Extra". "Owner" is a profile that I have not been able to delete because it keeps on coming back.

-----------------------------------------------------------------------

System Security Status
CIS Benchmark Score: Available only for Windows 2000, XP Pro, and 2003
Virus Protection: Up-to-date
Microsoft Security Updates: Up-to-date

--------------------------------------------------------------------------------

Computer Profile Summary
Computer Name: Pc
Profile Date: Thursday, July 30, 2009 11:32:49 AM
Advisor Version: 8.1b
Windows Logon: Extra



Operating System
Windows XP Home Edition Service Pack 3 (build 2600)
Install Language: English (United States)
System Locale: English (United States)

System Model
System Serial Number:
Enclosure Type: Notebook

Processor a
1.67 gigahertz Intel Core Duo
64 kilobyte primary memory cache
2048 kilobyte secondary memory cache
Multi-core (2 total)
Not hyper-threaded

Main Circuit Board b
Board: LENOVO
Serial Number: Removed
Bus Clock: 533 megahertz
BIOS: LENOVO Removed (1.00 ) 05/03/2006

Drives
75.44 Gigabytes Usable Hard Drive Capacity
61.41 Gigabytes Hard Drive Free Space
HL-DT-ST DVDRAM GMA-4082N [CD-ROM drive]
TOSHIBA MK8032GSX [Hard drive] (80.02 GB) -- drive 0, SMART Status: Healthy

Memory Modules c,d
2040 Megabytes Usable Installed Memory
Slot 'M1' has 1024 MB
Slot 'M2' has 1024 MB

Local Drive Volumes
c: (NTFS on drive 0) 75.44 GB 61.41 GB free

Network Drives
None detected

Users
local user accounts (last logon)
Extra 7/30/2009 11:09:35 AM (admin)
local system accounts (last logon)
ASPNET never
Guest never
Owner 7/29/2009 5:18:34 PM (admin)
SUPPORT_388945a0 never

Printers
None detected

Controllers
Base System Device [Controller]
Intel® 82801G (ICH7 Family) Ultra ATA Storage Controllers - 27DF
Intel® 82801GBM SATA AHCI Controller
Primary IDE Channel [Controller]
Ricoh Memory Stick Host Controller
Ricoh MMC Host Controller

Display
Mobile Intel® 945 Express Chipset Family [Display adapter] (2x)

Bus Adapters
Intel® 82801G (ICH7 Family) USB Universal Host Controller - 27C8
Intel® 82801G (ICH7 Family) USB Universal Host Controller - 27C9
Intel® 82801G (ICH7 Family) USB Universal Host Controller - 27CA
Intel® 82801G (ICH7 Family) USB Universal Host Controller - 27CB
Intel® 82801G (ICH7 Family) USB2 Enhanced Host Controller - 27CC

Multimedia
Realtek High Definition Audio

Virus Protection
AntiVir Desktop Version 9.0.1.30
Virus Definitions Version Up To Date
Realtime File Scanning On
avast! antivirus 4.8.1335 [VPS 090730-0] Version 4.8.1335
Virus Definitions Version Up To Date
Realtime File Scanning On

Group Policies
None discovered

Communications
D-Link Wireless N USB Adapter DWA-130 #2
primary Auto IP Address: 192.168.1.41 / 24
Gateway: 192.168.1.1
Dhcp Server: 192.168.1.1
Physical Address: 00:1B:11:F3:4A:6B
Intel® PRO/Wireless 3945ABG Network Connection
Realtek RTL8139/810x Family Fast Ethernet NIC

Networking
Dns Server: 192.168.1.1

Other Devices
OHCI Compliant IEEE 1394 Host Controller
Microsoft AC Adapter
Microsoft ACPI-Compliant Control Method Battery
AuthenTec AES1610
HID-compliant device
USB Human Interface Device (2x)
Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
HID-compliant mouse
Synaptics PS/2 Port TouchPad [Mouse]
SDA Standard Compliant SD Host Controller
USB Composite Device
USB Root Hub (5x)


Network Map
IP Device Type Device Details Device Roles
Router dslrouter DHCP Server, Gateway, Domain Name Server, Web Server
pc.myhome.westell.com



Missing Microsoft Security Hotfixes

All required security hotfixes (using the 07/28/2009 Microsoft Security Bulletin Summary) have been installed.




Software Licenses

Belarc - Advisor 2cb1f893
Microsoft - Interactive Training (Key: Removed)
Microsoft - Internet Explorer Removed
Microsoft - WebFldrs XP Removed
Microsoft - Windows XP Home Edition


Software Versions & Usage
Adobe Acrobat Version 9.1.0.2009022700
Adobe Reader Version 9.1.0.2009022700
ALWIL Software - avast! Antivirus Version 4, 8, 0, 0
Avira GmbH - AntiVir Desktop Version 9.00.01.30
Belarc, Inc. - Advisor Version 8.1b
Canon IJ Driver Uninstaller Version 1.2
CANON INC. - CNSLMAIN.EXE Version 1, 4, 0, 0
Canon My Printer Version 2, 0, 0, 0
COMODO Internet Security Version 3, 10, 102353, 531
COMODO SafeSurf Version 1, 0, 0, 5
Eusing Free Registry Cleaner
Gamevance
Google Updater Version 2.4.1441.4352.beta
GoogleToolbarNotifier Version 4, 1, 509, 1944
Intel® Common User Interface Version 6.14.10.4926
Lavasoft - Ad-Aware Application Version 8, 0, 0, 0
Lavasoft - Ad-Aware Installation Package
Lavasoft - Ad-Aware Service Application Version 8, 0, 0, 0
Lavasoft - Ad-Aware Tray Application Version 8, 0, 0, 0
Lavasoft - ThreatWork Application Version 8, 0, 0, 3
Lavasoft AB - Ad-Aware Version 2.0
Lavasoft Startup Manager Version 1, 0, 0, 236
LENOVO - Help Center Version 1, 0, 0, 0
Logitech SetPoint Version 4.72.40
Microsoft® Windows Script Host Version 5.7.0.18066
Microsoft Baseline Security Analyzer Version 2.1
Microsoft Corporation - Internet Explorer Version 7.00.6000.16876
Microsoft Corporation - Messenger Version 4.7.3001
Microsoft Corporation - Windows Installer - Unicode Version 3.1.4001.5512
Microsoft Corporation - Windows Movie Maker Version 2.1.4026.0
Microsoft Corporation - Windows® NetMeeting® Version 3.01
Microsoft Data Access Components Version 3.525.1132.0
Microsoft Interactive Training Version 3, 5, 0, 118
Microsoft® Windows Media Player Version 9.00.00.3250
Microsoft® .NET Framework Version 2.0.50727.3053
Microsoft® .NET Framework Version 3.0.6920.1427
Mozilla Corporation - Firefox Version 3.5.1
Neuber GmbH - Security Task Manager Version 1.7.7.0
Neuber Software GmbH - www.neuber.com - Spy Protector Version 1.5.2.0
Piriform Ltd - CCleaner Version 2, 18, 0, 878
Softex Inc. - OmniPass Version 3.0
Softex Inc. - OmniPass Version 4.0
Softex OmniPass Version 1, 0, 0, 1
SuperAdBlocker.com - BootSafe Application Version 2, 0, 0, 1000
SUPERAntiSpyware Alternate Start
SUPERAntiSpyware Version 4, 26, 0, 1006
Synaptics Pointing Device Driver Version 8.2.26 21Apr06
View all running processes on your system and stop any known malicious processes
Wireless Application Version 1, 1, 74, 0
Wizards to adjust .NET Framework security, assign trust to assemblies, and fix broken .NET applications. Version 1.0.5000.0
Zemana AntiLogger Version 1.9.2.0
Zemana Ltd. - AntiLogger Installation





--------------------------------------------------------------------------------


a. Processor clock speed is measured at computer start-up, and on laptops may be impacted by power option settings.
b. Data may be transferred on the bus at one, two, or four times the Bus Clock rate.
c. Memory slot contents may not add up to Installed Memory if some memory is not recognized by Windows.
d. Memory slot contents is reported by the motherboard BIOS. Contact system vendor if slot contents are wrong.
e. This is the manufacturer's factory installed product key rather than yours. You can change it to your product key here http://go.microsoft.com/fwlink/?LinkId=45668 for Windows, or here http://support.microsoft.com/?kbid=895456 for Office.

--------------------------------------------------------------------------------

CAN ANYONE HELP ME??? I did a complete system recovery and it stayed clean for a day. Then this happened again! My changes are not saved due to "Owner" overrides.

thanks!!

Edited by Orange Blossom, 30 July 2009 - 05:55 PM.
Removed sensitive information. ~ OB




#2 genius12


  • Members
  • 92 posts
  • Gender:Male
  • Location:toronto, ON, Canada

Posted 30 July 2009 - 05:23 PM

I don't think this is the right forum for you. You should be posting in one of the virus/malware forums.

Anyways, you could try this.

Type 'services.msc' in Start menu / Run.

Then, find remote registry, remote access auto manager, remote access auto connection manager, remote desktop help session manager and routing and remote access services in the list.

Right-click each one of them and click Properties.

For each one of them set the start-up type to disabled and stop each one of them.

Genius12
" Determination is the cause of Intervention."-Muhammad Shariq

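As an added example, not part of genius12's reply or anything else in this thread: a PowerShell script that audits the services named above (reporting each one's state and startup type, and stopping and disabling them only when run with -Disable), then lists the local accounts and the Administrators group so the result can be compared with the "Users" section of the Belarc report. The service display names, the -Disable switch and the script itself are my assumptions for XP-era Windows with PowerShell 2.0 or later installed.

```powershell
# Added example (not from the thread). Audit the remote-access services
# genius12 names, then list local accounts. Run from an elevated prompt.
# Assumptions: XP-era service display names; PowerShell 2.0 or later.
param([switch]$Disable)   # without -Disable the script only reports

$displayNames = @(
    'Remote Registry',
    'Remote Access Auto Connection Manager',
    'Remote Access Connection Manager',
    'Remote Desktop Help Session Manager',
    'Routing and Remote Access'
)

foreach ($name in $displayNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output ("{0,-40} not present on this machine" -f $name)
        continue
    }
    # Startup type (Auto/Manual/Disabled) comes from WMI, not Get-Service
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
    Write-Output ("{0,-40} {1,-8} startup={2}" -f $name, $svc.Status, $wmi.StartMode)

    if ($Disable) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output ("{0,-40} stopped and set to Disabled" -f $name)
    }
}

# Local accounts: compare against the Belarc "Users" section. An account the
# owner does not recognise, or one that reappears after being deleted, is
# what to report to the malware-removal helpers rather than fix by hand.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, Lockout, PasswordRequired, SID |
    Format-Table -AutoSize

# Who currently holds local administrator rights
net localgroup Administrators
```

Run it once without -Disable first: the report alone shows whether any of these services is even running, which is the question the thread never answers.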
#3 hamluis


    Moderator


  • Moderator
  • 56,295 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 30 July 2009 - 05:53 PM

Uuuhh.."owner" is the default Admin account when XP is installed.

If you installed XP, you are the "owner" account.

If you are not the owner/Admin...then you need to talk to whomever is.

<<Then this happened again! My changes are not saved due to "Owner" overides.>>

I guess my myopia is getting the best of me...what happened? What changes are you referring to?

FWIW: All that Belarc data...doesn't reveal anything useful to me. Lots of data, though.

Louis

#4 Queen-Evie


    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here

Posted 30 July 2009 - 05:57 PM

onlyuser, you have an open HJT log posted HERE

Did you format before or after you posted your HJT log? If you formatted then posted the log:

Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Good luck with your log.

#5 Orange Blossom


    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 30 July 2009 - 05:59 PM

Hello

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/244422/can-someone-please-interpret-my-hijack-this-log/

We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult.

I know how frustrating it is when your computer isn't working properly. Let me assure you that your topic isn't lost, forgotten, or ignored. We work with hundreds of logs every day, so we have devised a means of seeing only those topics that don't have responses yet. At the moment, we have nearly 500 unanswered topics, the oldest dated Mon July 20, 2009 11:25 am Eastern Daylight Savings time in the U.S.A. Your HiJack This topic is dated July 25 2009, 6:31 PM using the same time zone.

Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take a few more days to get a response but your log will be reviewed and answered as soon as possible. I'd suggest checking your topic for a response once a day.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



