Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I know there is spyware on my computer. I need help getting it off.


  • Please log in to reply
4 replies to this topic

#1 notparanoidafterall

notparanoidafterall

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 01 April 2015 - 07:00 AM

so i had been assuming for a while that someone had spyware on my computer. well, went to open my webcam and it was already being used by another program. the other day i found a hidden file in my documents for a remote access program (default.rdp). i removed it, it was tricky. then i removed the rest of the program. i guess whoever put this bleep on my computer (i know who it is -- one of two people i know irl) wasn't alright with that. now in \appdata\local there is a folder named "akamai". it was put there 3/29/2015. i didn't download anything that day. i certainly didn't download a cloud sharing program. 

 

in the task manager i notice several things

lsass.exe - this was put in system32 3/11/2015 (modified 3/5/2015 idk if this means anything)

MpCmdRun.exe - this wasn't there before and it has to do with malware protection apparently

netsession_win.exe - this is listed twice, this is where i found that akamai folder.

wmpnetwk.exe - this also wasn't there before (i open task manager maybe a couple times a week)

 

 

this is hard to write and i'm kind of panicked, i feel really violated and scared right now. please help me. i'm a teenage girl and this isn't okay.

 

i don't know what's using my webcam either.



BC AdBot (Login to Remove)

 


#2 notparanoidafterall

notparanoidafterall
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 01 April 2015 - 07:32 AM

what is TrustedInstaller? it won't let me change permissions on files so i can delete them.

 

edit -

 

found this in system32. these files are hidden.

7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

 

there are actually many recently modified files in system32 and i don't think i trust any. some files are for proxies and things? idk


Edited by notparanoidafterall, 01 April 2015 - 07:37 AM.


#3 buddy215

buddy215

  • Moderator
  • 13,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:26 AM

Posted 01 April 2015 - 08:15 AM

Welcome to BC !

 

First, let's see what adware or malware the programs below can find and cleanup the computer using CCleaner and for later use.

 

Download Malwarebytes' Anti-Malware from Here
Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).

Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.

  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

POST THE LOG FOR REVIEW.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the

Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
  •  
  •  
  • download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

Edited by buddy215, 01 April 2015 - 08:17 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#4 notparanoidafterall

notparanoidafterall
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:26 AM

Posted 01 April 2015 - 09:39 AM

 

 

 

 

I know that I didn't do what you said but work with me here. In the registry keys (CurrentControlSet) I found some folders and keys that need to be removed.

 

Here are the folders and SOME of the contents, but all these folders just need to be fully deleted it seems.

 

\RdpVideoMiniport

There is a file in here that straight up says Remote Desktop Video Miniport Driver. I found the .sys file for this in \system32\drivers but I can't delete it. Access is denied when I try to change the permissions, and TrustedInstaller has full control. This user only appears on seemingly malicious files, the intruder changed it so that I can't edit permissions after I deleted the defaul.rdp file.

 

\RDPWD

 

\RemoteAccess

 

\RemoteRegistry

 

\RpcEptMapper

 

\RpcLocator

 

\RpcSs

 

\SamSs

 

\SCardSvr

 

\seclogon

 

\SensrSvc

 

\SessionEnv

 

\SharedAccess

 

\ShellHWDetection

 

\Spooler

 

\sppsvc

 

Okay, that isn't every single folder that has bad things in it, but that should be enough to help you help me delete all of them?

 

Also I was looking through the services list and disabling different ones. The services I pinpointed to the remote access I cannot remove, it says Access Denied or something similar. When I was attempting to change permissions I saw a different user, Account Unknown (S-1-5-32-556), along with TrustedInstaller listed there.

 

Please help me remove these things. Malwarebytes didn't detect anything malicious. I need to dig this out myself I guess :(

 

I'm worried about the things they will change after I go to sleep but I haven't been able to sleep for a long time at this point.



#5 buddy215

buddy215

  • Moderator
  • 13,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:26 AM

Posted 01 April 2015 - 11:24 AM

Nothing there screams spyware or malware. But if you are determined to delete a file protected by TrustedInstaller then you can. I don't recommend it

as it may not have malicious intent.

 

What Is TrustedInstaller & Why Does it Keep Me From Renaming Files?

 

Windows 7 - How to Delete Files Protected by TrustedInstaller


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users