
unknown and unwanted user


68 replies to this topic

#1 lktknow (Members, 43 posts)

Posted 06 August 2009 - 04:20 PM

I know we are supposed to just present the problem, and be done with it, and not add a lot of rhetoric. But with my limited knowledge of computers and their problems, I feel compelled to give you the problem the only way I know how to do it, and then you can tell me what it is you need, to have you help me.
I read the "this topic" before posting a log thread, and I read the rules for posting such a thread, and what to do before you post the hijack this log.
It seems as if that is for viruses or malware, or that sort of problem; of course, as I said, with the amount of know-how on computers, this may very well be that sort of problem. I will tell you what it is.
I'm fairly sure I know who the culprit is in this, however I am not positive.
It would sound like a B-rated soap opera if I gave all the details, so suffice it to say that whoever has done this had the opportunity to physically do something to my computer, such as add software, or even hardware, such as a keylogger type thing.
What it seems they have done is take control of my computer as an administrator, or something of the sort. And I believe they have done a very good job of it, as far as getting all the certificates involved, and just doing it as a programmer would have, I have no idea what all is involved.
But if I post the hijack this log, without telling you this, I was thinking you would think the files were normal, because they are done right as far as how to install them and all. I hope this is making sense.
So, now I am going to stop and let you tell me exactly what it is you want me to do, and/or post, in order to help me remove them from my computer.
Thank you for any and all help you may be able to give me.
I must say, it seems as if they are trying to remove what ever it is they have installed remotely, but they seem to be having difficulty.



#2 lktknow (Topic Starter, Members, 43 posts)

Posted 08 August 2009 - 10:30 PM

Title was: Remote control of Computer ~ OB

I read the "before you post about a problem" and the "am I infected" threads, and I still do not know how to go about telling you the problem.
Oh I know what the problem is, but it seems unless a person has extensive knowledge of computers, you guys won't even talk to someone.
And my knowledge is limited.
I sincerely feel I need to tell you the problem in my own words, and then have you tell me how to give you the needed information to help me solve it.
I apologize beforehand.
The problem is not a virus, or any sort of thing like that; the problem is a person (I know who it is) who has taken control of my computer remotely. How they did it is beyond my scope of intelligence, and they are having my files and different things on my computer sent to them, my emails and everything.
Today, when I turned my computer on there was a new icon on my desktop that said "read me txt", and it was a read-me file from a company named Boost. I investigated a little about the company, and evidently the person was not getting the files fast enough, so now they have installed this thing.
Please let me know what you need in order to help me with this matter.
Thank you for any help; it is much appreciated.

Edited by Orange Blossom, 08 August 2009 - 11:56 PM.
Merged topics. ~ OB


#3 Orange Blossom (OBleepin Investigator, Moderator, 36,807 posts, Bloomington, IN)

Posted 09 August 2009 - 12:02 AM

Hello lktknow,

I have merged your two topics into one to avoid confusion.

but it seems unless a person has extensive knowledge of computers, you guys won't even talk to someone.


I'm sorry you should feel this way because one of the primary purposes of Bleeping Computer is to help the computer novice and to provide information in as clear and straightforward a manner as possible.

We do not intentionally overlook topics, but we are incredibly busy and things do slip past us at times.

That said, I do not know how to resolve your computer issues. But one thing you can and should do immediately is to physically disconnect your computer from the internet.

I'd also go to a known clean computer and change all your passwords.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 lktknow (Topic Starter, Members, 43 posts)

Posted 09 August 2009 - 12:48 AM

Thank You Orange Blossom for answering my post, and also for the advice of going to a clean computer and changing my passwords and all.
I understand to a degree why you gave me that advice, and I understand the concept behind doing such a thing. However, I do not think it will do any good as far as my problem, because I am not sure, but I think it may be some sort of keystroke logger installed on my computer (they had physical contact with my computer when I had to vacate the premises during a fumigation for termites) or something of the sort; I am not sure if it is hardware or software they installed, although I have looked for any suspicious hardware.
So changing my passwords would have no effect after I logged back on to this computer, would it?
And I understood what you said about giving information to computer novices in a clear manner, and I did not mean to imply you overlooked anything I had posted; it's just that it seems as if there are no straight answers, like no one will come right out and say that they agree with me about the Boost thing or anything I mention. I realize my information is limited as to what else to tell you, but you said you could not help me with my problem anyway.
I do appreciate your reply.

#5 Orange Blossom (OBleepin Investigator, Moderator, 36,807 posts, Bloomington, IN)

Posted 09 August 2009 - 12:58 AM

You're right that if you went back to the computer, connected to the internet and started using it, changing the passwords would do no good if you typed them in the affected computer.

That is why I said that the first thing you should do is to completely disconnect the affected computer from the internet. Physically disconnect the cable or line that makes the internet connection. When you do that, your computer cannot send out any more information nor receive any. Change your passwords on a known clean computer, but DO NOT then go back to the affected computer and reconnect it to the internet. Keep it disconnected. I know it's awkward to use computers elsewhere, but I did so for over 10 years, and for 2 of those years, the closest computer I had access to was 12 miles away.

As for the rest of the issues, while I cannot assist you, that does not mean that another here cannot.

Please be patient for another to assist you.


#6 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 09 August 2009 - 09:17 PM

I think we have two questions to ask.

First, do you have any proof whatsoever that someone did something to your computer? How sure are you? If you have proof that someone is "listening" to your internet traffic, or capturing information on a private computer without your consent, you need to be speaking to a law enforcement agency that has a cybercrimes unit.

If you do not have this proof, and would like to have the computer scanned, we can do that. Is that the path you wish to take? This will possibly remove any evidence on the computer.

Let us know what you wish to do...

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#7 lktknow (Topic Starter, Members, 43 posts)

Posted 09 August 2009 - 11:54 PM

Hi Rigel,
Thank you for the answer, and to answer the first question, of whether or not I have "proof" that they are doing this, the answer is no, not "tangible" proof. The reason is that I do not have the know-how to obtain the proof.
I have gone cross-eyed trying to figure the event logs out, as far as the days I was away from my house during the fumigation, and as far as I can tell, something was installed on those days, but I do not know what I am looking for. I know one of the events says a "logon was attempted using explicit credentials" on one of the days I was gone, which I know doesn't necessarily mean it was a PERSON logging on, but there was a lot of activity on those days. I do know that my computer has been compromised by someone; how, I do not know.
I discussed this with my lawyer, and he also advised me to go to law enforcement.
That is actually what I want to do: have them criminally held accountable for this horrible thing they have done.
How can you possibly put a price on invasion of privacy?
I watched with interest the HP people who went beyond legal in something they did within the company, and it seems as if the judge just slapped them on the wrist and sent them on their way. So how can I expect anything different in the outcome of my case?

So, having said all of that, I will answer number two, and that is I just want it over and done with, and if that means erasing evidence, then so be it; they already know whatever they wanted to know, so the hell with them. I guess I should tell you it has to do with me being a beneficiary of a trust and them giving me a substantial check monthly; I truly do not know what they were looking for.
But yes Rigel, I am ready to move forward and do whatever you tell me to, in order to get them off this computer.
Thank you

#8 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 10 August 2009 - 09:33 AM

Good, so we have a path. The scans we are going to run look for specific infections and certain behaviors from software. We will also be looking at your event logs.

Let's start with GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


#9 lktknow (Topic Starter, Members, 43 posts)

Posted 10 August 2009 - 01:41 PM

I hope I did this right




---- System - GMER 1.0.15 ----

SSDT 87A9C8C0 ZwAlertResumeThread
SSDT 87AB5498 ZwAlertThread
SSDT 87A9B528 ZwAllocateVirtualMemory
SSDT 87A08AF8 ZwConnectPort
SSDT 87243708 ZwCreateMutant
SSDT 87AB5248 ZwCreateThread
SSDT 87AC1C80 ZwFreeVirtualMemory
SSDT 87A9C740 ZwImpersonateAnonymousToken
SSDT 87A9C800 ZwImpersonateThread
SSDT 87243E00 ZwMapViewOfSection
SSDT 87243648 ZwOpenEvent
SSDT 87A9B5F8 ZwOpenProcessToken
SSDT 87243820 ZwOpenThreadToken
SSDT 872433C8 ZwResumeThread
SSDT 86840DE8 ZwSetContextThread
SSDT 87243C70 ZwSetInformationProcess
SSDT 87ABA430 ZwSetInformationThread
SSDT 87243588 ZwSuspendProcess
SSDT 87AB5558 ZwSuspendThread
SSDT 87AB5E20 ZwTerminateProcess
SSDT 87A97170 ZwTerminateThread
SSDT 87243D40 ZwUnmapViewOfSection
SSDT 87AC1D58 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 81EEB914 8 Bytes [C0, C8, A9, 87, 98, 54, AB, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 364 81EEB928 4 Bytes [28, B5, A9, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 81EEB9B8 4 Bytes [F8, 8A, A0, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 428 81EEB9EC 4 Bytes [08, 37, 24, 87] {OR [EDI], DH; AND AL, 0x87}
.text ntkrnlpa.exe!KeSetTimerEx + 454 81EEBA18 4 Bytes [48, 52, AB, 87]
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74427BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [744698C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7442D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7441F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74427599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7441E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7445B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7442D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7442012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74420095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744171F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [744AD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [744475E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7441DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7441668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744166BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74421E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
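The log above is what rigel is about to review. As an added example (not code from the thread, from BleepingComputer or from GMER's authors), the Python helper below parses the GMER 1.0.15 text layout shown in that post: it decodes the little-endian dwords in the "Kernel code sections" lines and checks them against the SSDT entries, and groups the "User IAT/EAT" lines by the module that owns each hook. The embedded sample is an excerpt of the posted log; the section names and line layout are assumed to be exactly as GMER printed them there.

```python
"""Triage helper for a GMER 1.0.15 text log (added example, not from the thread
or from GMER): split the log into sections, decode the little-endian dwords in
"Kernel code sections" lines and check them against the SSDT entries, and group
"User IAT/EAT" lines by the module that owns each hook."""
import re
from collections import Counter, defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)")
PATCH_RE = re.compile(
    r"^\.text\s+(\S+) \+ ([0-9A-Fa-f]+) ([0-9A-Fa-f]{8}) (\d+) Bytes \[([^\]]*)\]")
IAT_RE = re.compile(
    r"^IAT (.+?)\[(\d+)\] @ (.+?) \[([^\]]+)\] \[([0-9A-Fa-f]+)\] (.+?) \(([^()]*)\)$")

# Excerpt of the log posted in this thread: only the lines the checks need.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 87A9C8C0 ZwAlertResumeThread
SSDT 87A9B528 ZwAllocateVirtualMemory
SSDT 87A08AF8 ZwConnectPort
SSDT 87243708 ZwCreateMutant

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 81EEB914 8 Bytes [C0, C8, A9, 87, 98, 54, AB, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 364 81EEB928 4 Bytes [28, B5, A9, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 81EEB9B8 4 Bytes [F8, 8A, A0, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 428 81EEB9EC 4 Bytes [08, 37, 24, 87] {OR [EDI], DH; AND AL, 0x87}
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74427BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[2300] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1229199863\ee\aolsoftware.exe[2948] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- EOF - GMER 1.0.15 ----
"""


def parse_gmer(text):
    """Map each '---- name - GMER x ----' section to its non-empty lines."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def le_dwords(byte_list):
    """'C0, C8, A9, 87, 98, 54, AB, ...' -> ['87A9C8C0']: x86 dwords are
    little-endian, and GMER truncates long patches with '...', so an
    incomplete trailing dword is dropped rather than guessed."""
    hexes = []
    for tok in (t.strip() for t in byte_list.split(",")):
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            break
        hexes.append(tok.upper())
    return ["".join(reversed(hexes[i:i + 4])) for i in range(0, len(hexes) - 3, 4)]


def ssdt_hooks(sections):
    """{hook address: Zw* name} for every hooked SSDT slot GMER listed."""
    return {m.group(1).upper(): m.group(2)
            for m in map(SSDT_RE.match, sections.get("System", [])) if m}


def classify_patches(sections, hooks):
    """Per '.text ... N Bytes [...]' line: are the patched dwords the SSDT hook
    pointers themselves (GMER showing the modified table slots through the
    nearest kernel export) or an inline code patch that needs a manual look?"""
    out = []
    for line in sections.get("Kernel code sections", []):
        m = PATCH_RE.match(line)
        if not m:
            continue  # e.g. the '.text ...' continuation marker
        symbol, offset, addr, _n, blob = m.groups()
        dwords = le_dwords(blob)
        names = [hooks[d] for d in dwords if d in hooks]
        kind = "ssdt-slot" if dwords and len(names) == len(dwords) else "inline-patch"
        out.append({"where": f"{symbol}+{offset}", "addr": addr.upper(),
                    "dwords": dwords, "ssdt": names, "kind": kind})
    return out


def iat_owners(sections):
    """Group IAT hooks by owning module -> {'hooks', 'vendor', 'processes'}."""
    hooks, vendor, procs = Counter(), {}, defaultdict(set)
    for m in map(IAT_RE.match, sections.get("User IAT/EAT", [])):
        if not m:
            continue
        proc, _pid, _mod, _imp, _target, owner, info = m.groups()
        hooks[owner] += 1
        vendor[owner] = info
        procs[owner].add(proc)
    return {o: {"hooks": n, "vendor": vendor[o], "processes": sorted(procs[o])}
            for o, n in hooks.items()}
```

On the posted log every ".text" patch decodes to an address that is itself a hooked SSDT entry, so those lines are the modified table slots seen through the nearest export (KeSetTimerEx), not separate inline code patches; which driver owns the 0x87xxxxxx hook targets is not something this log states. All 56 IAT lines collapse to two owners, the WinSxS gdiplus.dll in Explorer and AOL's tbdiag.dll in the two AOL processes.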

#10 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 10 August 2009 - 01:47 PM

I am going to review your log... this may take a bit. Also please run Sophos and post its log as well. Thanks!

Download Sophos Anti-rootkit & save it to your desktop.
Be sure to read the Sophos Anti-Rootkit User Manual. A copy of this manual, sarman.pdf, can also be found inside the program folder after installation.
  • Double-click sarsfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click "Start scan".
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will be done when you restart your computer. Click "Restart Now".
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Note: If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted, including temporary files being deleted automatically.


#11 lktknow (Topic Starter, Members, 43 posts)

Posted 10 August 2009 - 03:54 PM

rigel,
I was reading the user manual for the Sophos thing, and it does not have Windows Vista listed as one of the OSes it supports?
So do you still want me to do that? Sorry if I am a pest.

#12 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 10 August 2009 - 05:29 PM

It shows it for me:

System requirements
Sophos Anti-Rootkit will support the following operating systems:

Windows 2000
Windows XP
Windows Vista
Windows 7
Windows Server 2003
Windows Server 2008
64-bit platforms
Sophos Anti-Rootkit requires a minimum of 128 Mb RAM


yes, please run it. This is the antirootkit product.


#13 lktknow (Topic Starter, Members, 43 posts)

Posted 10 August 2009 - 06:21 PM

OK, but this is what it showed me:

Sophos Anti-Rootkit will support the following operating systems:
Windows NT 4.0 (SP 6a with IE 4.0)
Windows 2000 (Professional or Server)
Windows XP (Home or Professional)
Windows Server 2003 standard edition
Windows Small Business Server 2003.
On Windows NT 4.0 Sophos Anti-Rootkit will only detect hidden files
and registry entries.
Sophos Anti-Rootkit requires:
Minimum 128 Mb RAM.
A rootkit scan may take several minutes on a desktop computer or
significantly longer on a server. We suggest you run this process at a
time when it will cause least inconvenience. You can stop a scan at any
time, but the results given will be incomplete.
It is strongly recommended that you close down all non-essential
applications, and allow Windows Update to complete before running
Sophos Anti-Rootkit.

#14 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 10 August 2009 - 06:24 PM

Hmmmm... let's try an alternative...

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.


#15 rigel (FD-BC, BC Advisor, 12,944 posts, South Carolina - USA)

Posted 10 August 2009 - 06:27 PM

One other thing... You mentioned earlier that your lawyer advised you to go to law enforcement to deal with this. Are you sure this isn't what you want to do? Don't compare this to the HP case. Local or state cases are handled differently.
