
Fear for a RAT on my computer


#1 LennartNL

Posted 18 October 2013 - 06:29 AM

Hi guys,

 

Lately I feel like someone has remote access to my computer.

Folders I never opened appeared in my recent places/locations folder and my virus scanner and computer in general have been acting strange.

 

I have also made a topic on the Microsoft community website (link: http://answers.microsoft.com/en-us/windows/forum/windows_7-security/microsoft-security-essentials-can-not-be-started/4a8dd460-6bc8-45c3-b7ec-95d7c1fa3327), but I think the feedback on this website will be more effective for my problem.

 

 

I will now copy my original post from the link above to explain the whole situation in as much detail as I can:

 

"Today I noticed that Microsoft Security Essentials was not defending my computer. It was still running yesterday and I even did a scan; I didn't turn it off, so I obviously got suspicious. As I was telling someone on Skype that I feel like it might be a virus, I got a pop-up saying that my computer would restart in 1 minute. This happened for no clear reason, so this made me even more suspicious; after the restart I disconnected my internet cable because I didn't trust it. After this had happened I tried to go into MSE to start it back up; every time I press the big button saying ''Start now'' it either loads for ages, after which I get a time-out (error 0x800705b4), or it loads for ages, turns it on, and whenever I do a scan it gives me the error from the title. Normally it instantly turns on or off whenever I press it. I have restarted the computer multiple times.

 
I just restarted the computer again and it installed 2 updates. When I loaded my account it asked for my password to update a program called sc.exe located in the Windows32 folder (correct me if I'm wrong). It stated that it was a program by Microsoft Corp., so I entered my password and pressed enter; after this a command prompt popped up for a split second. This made me even more suspicious, as I don't think an official Windows program would do that unless it's some dodgy program... So, I googled it a little and got to a page with the words ''execute commands on a remote computer'' and even to a page for a remote desktop tool using this function. Now, MSE is up and running, but I feel like those updates installed some undetected backdoor in MSE so the Remote Administration Tool can keep doing what it's doing. You might think I'm over-the-top suspicious, but today's events have caused me to be so.
 
It might be nothing at all, but I just want to make sure it's not or if something really is wrong. Also, whenever I clear my recent locations/places folder and I wait a while, some folders show up which I haven't been to AT ALL, or it shows a folder called ''CustomDestinations''.
 
Now, these events might just be bad luck, but I really fear that someone has remote access to my computer.
 
I hope you can give me some support/advice about this situation and how I can check for a R.A.T. on my computer and how I can prevent this in the future. I am currently doing a full virus scan with my internet unplugged."
 
 
I got a reply from a support engineer, to which I replied with the following:
 
"I have run multiple fast scans with MSE, and 1 full scan with MSE, and it found zero threats every time.
I have downloaded the Microsoft Safety/Security Scanner and did a fast scan, and again, zero threats. I tried booting into safe mode, but for some reason when I try to open an account I get an error saying something like (rough translation): "A connection with the service Sens could not be made. Please contact the administrator." My system is Dutch; the original error said: "Er kan geen verbinding met de service Sens worden gemaakt. Neem contact op met de systeembeheerder.".
 
Exactly what process in the task manager do you want me to look out for? I don't really know what you mean, unless you want me to look out for anything suspicious. I don't really find any process suspicious, as I have no clue what most of the processes are and do (or you could say I find them all suspicious).
 
I tried to open the event viewer logs but did not succeed, every time I try to open them I get an error saying: "Can not open the service eventlog on the computer ."
Here is a screenshot of the error:
(check original page)
 
I tried to manually look for updates but got an error when I pressed the "Search updates" button.
Under the button is a bit of text saying "More information about free software from (null). Suspicious how it says "(null)".
Screenshot:
(check original page)
 
Again, very suspicious... I hope I can fix these problems because they make me more suspicious every time.
 
I am now doing a full scan (not in safe mode, as that doesn't work) with Microsoft Safety Scanner."
 
 
From that point on I have tried to stay offline as much as possible (I would only plug in my internet cable when loading a new internet page).
 
Also, I typed "netstat -ano" in the command prompt to check for established connections (I read that this is a way to check for RATs), and found an established connection to a program called "LMS.exe". I googled this program and found a lot of results with infections of this program. My virus scanner, however, never picked it up; it might not be infected, but I thought I'd say it.
 
As you can see, it is a pretty suspicious situation. I hope I (we) can figure out whether I really have a RAT/infection or whether it was all just bad luck and nothing is wrong with my system.
 
Sorry for the long post and the copy/pasting from my original posts, I just wanted to give as much information as I possibly can.
 
I am using Windows 7 Home Premium, Service Pack 1 (64-bit).
 
Thank you for your time, I am looking forward to support.
-Lennart

Edited by LennartNL, 18 October 2013 - 06:32 AM.
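The `netstat -ano` check described in the post only shows a PID for each connection; on its own it does not say which program owns it. The usual next step on Windows is to correlate those PIDs with `tasklist` output. The Python below is an added example, not code from this thread or from BleepingComputer: it parses constructed `netstat -ano` and `tasklist /FO CSV` text (the sample rows, the process names other than LMS.exe, and the addresses are made up for the demonstration, using RFC 5737 documentation ranges as stand-ins for remote hosts) and lists ESTABLISHED connections whose remote end is outside loopback and private ranges, together with the owning image name.

```python
"""Correlate `netstat -ano` rows with `tasklist` image names for triage.

Added example, not from the forum thread. It assumes you have already
captured the output of `netstat -ano` and `tasklist /FO CSV` on the
Windows host; the sample text below is constructed, not real data.
"""
import csv
import io
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state pid")

# Constructed sample of `netstat -ano` output (not captured from any real machine).
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1234
  TCP    192.168.1.20:49821     203.0.113.45:443       ESTABLISHED     2468
  TCP    192.168.1.20:50011     198.51.100.7:8443      ESTABLISHED     3172
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1020
"""

# Constructed sample of `tasklist /FO CSV` output (process names are illustrative).
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","704","Services","0","8,000 K"
"svchost.exe","1020","Services","0","5,100 K"
"LMS.exe","1234","Services","0","3,200 K"
"chrome.exe","2468","Console","1","150,000 K"
"updater.exe","3172","Console","1","2,900 K"
"""

# Ranges that never identify a remote host on the Internet. Listed explicitly
# (rather than via ipaddress.is_private) so that the RFC 5737 documentation
# addresses used in the sample count as external, as a real remote host would.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, unspecified
    "::1/128", "fe80::/10", "fc00::/7", "::/128",        # IPv6 equivalents
)]


def _split_endpoint(endpoint):
    """'192.168.1.20:49821' -> ('192.168.1.20', '49821'); '[::]:445' -> ('::', '445')."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def parse_netstat(text):
    """Turn `netstat -ano` text into Conn records, skipping banner and header lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP" and len(parts) >= 5:
            state, pid = parts[3], parts[4]
        else:                      # UDP rows carry no State column
            state, pid = "", parts[3]
        laddr, lport = _split_endpoint(local)
        raddr, rport = _split_endpoint(remote)
        conns.append(Conn(proto, laddr, lport, raddr, rport, state, int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def is_external(addr):
    """True when addr is a routable address, i.e. not loopback, private or unspecified."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:             # "*" or a hostname we cannot classify
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def established(conns):
    return [c for c in conns if c.state == "ESTABLISHED"]


def established_external(netstat_text, tasklist_text):
    """ESTABLISHED connections to external hosts, each with the owning image name."""
    images = parse_tasklist(tasklist_text)
    hits = []
    for c in established(parse_netstat(netstat_text)):
        if is_external(c.remote_addr):
            hits.append({"pid": c.pid,
                         "image": images.get(c.pid, "<unknown>"),
                         "remote": f"{c.remote_addr}:{c.remote_port}"})
    return hits


if __name__ == "__main__":
    for hit in established_external(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {hit['pid']:>5}  {hit['image']:<12} -> {hit['remote']}")
```

On a real host you would feed the script the saved output of `netstat -ano` and `tasklist /FO CSV` (and `tasklist /SVC` to see which services live inside each svchost.exe). Note that in the constructed sample the LMS.exe connection is loopback-to-loopback, so it is not reported as external: a process name on its own is not evidence either way, and the image path, its digital signature and the parent process are what decide whether a given entry deserves a closer look.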



#2 Broni

Posted 18 October 2013 - 07:13 PM

Welcome aboard

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Download Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt


Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run, then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.

