
Author Topic: Problems with someone infecting me via pcAnywhere  (Read 5161 times)


cheetah

    Topic Starter


    Greenhorn

    • Experience: Beginner
    • OS: Windows 7
    Problems with someone infecting me via pcAnywhere
    « on: May 11, 2013, 07:01:06 PM »
    Well here's my dilemma; I have a virus somewhere on my computer that my antivirus isn't finding. I accessed my router and saw that there were a lot of programs that seemed to be running that I didn't have, most of them games, and in the list found a program called PCAnywhere. I looked into this program and it apparently lets you manage computers from other locations. I think he is using it to hijack my internet connection to play games, but I think he still may be able to use it to access the info I have on the computer. As I obviously don't want this to happen I was wondering if anyone may be able to help me deal with this issue? Thanks to anyone in advance for taking a minute out of your day to help.

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Experience: Expert
    • OS: Windows 10
    Re: Problems with someone infecting me via pcAnywhere
    « Reply #1 on: May 12, 2013, 10:02:56 AM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Does your router have a secure password?

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
    *********************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    *************************************************
    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    Windows 8 and Windows 10 dual boot with two SSD's

    cheetah

      Topic Starter


      Greenhorn

      • Experience: Beginner
      • OS: Windows 7
      Re: Problems with someone infecting me via pcAnywhere
      « Reply #2 on: May 12, 2013, 11:41:45 PM »
      Hey Dave, thanks for helping me out with this. I did change my router password, but I didn't find out how to do that till after the computer was infected. As for the logs, here you go (in the order requested). Malwarebytes didn't come back with anything for me to delete.

      *********************************************************************************************

      # AdwCleaner v2.300 - Logfile created 05/12/2013 at 23:55:17
      # Updated 28/04/2013 by Xplode
      # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
      # User : Devon - PC
      # Boot Mode : Normal
      # Running from : C:\Users\Devon\Downloads\adwcleaner.exe
      # Option [Search]


      ***** [Services] *****


      ***** [Files / Folders] *****

      File Found : C:\Users\Devon\AppData\Local\Temp\Uninstall.exe
      File Found : C:\Users\Devon\AppData\Roaming\Mozilla\Firefox\Profiles\w5qvy1x9.default\searchplugins\Conduit.xml
      Folder Found : C:\Program Files (x86)\Conduit
      Folder Found : C:\Users\Devon\AppData\Local\Conduit
      Folder Found : C:\Users\Devon\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
      Folder Found : C:\Users\Devon\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
      Folder Found : C:\Users\Devon\AppData\Local\Temp\avg@toolbar
      Folder Found : C:\Users\Devon\AppData\Local\Temp\CT3220468
      Folder Found : C:\Users\Devon\AppData\LocalLow\Conduit
      Folder Found : C:\Users\Devon\AppData\LocalLow\PriceGong
      Folder Found : C:\Users\Devon\AppData\Roaming\Mozilla\Firefox\Profiles\w5qvy1x9.default\CT3220468
      Folder Found : C:\Users\Devon\AppData\Roaming\Mozilla\Firefox\Profiles\w5qvy1x9.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
      Folder Found : C:\Users\Devon\AppData\Roaming\Mozilla\Firefox\Profiles\w5qvy1x9.default\Smartbar

      ***** [Registry] *****

      Key Found : HKCU\Software\AppDataLow\Software\Conduit
      Key Found : HKCU\Software\AppDataLow\Software\PriceGong
      Key Found : HKCU\Software\AppDataLow\Software\SmartBar
      Key Found : HKCU\Software\Conduit
      Key Found : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
      Key Found : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
      Key Found : HKCU\Software\IGearSettings
      Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
      Key Found : HKCU\Software\StartSearch
      Key Found : HKLM\Software\AVG Secure Search
      Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3212689
      Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
      Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
      Key Found : HKLM\Software\Conduit
      Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
      Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
      Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
      Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
      Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
      Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
      Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
      Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
      Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

      ***** [Internet Browsers] *****

      -\\ Internet Explorer v10.0.9200.16537

      [OK] Registry is clean.

      -\\ Mozilla Firefox v20.0.1 (en-US)

      File : C:\Users\Devon\AppData\Roaming\Mozilla\Firefox\Profiles\w5qvy1x9.default\prefs.js

      Found : user_pref("CT3220468.BT_Stats", "{\"last_log\":1354350798,\"uuid\":764901417834466,\"seq_id\":5,\"ss[...]
      Found : user_pref("CT3220468.CBOpenMAMSettings", "0");
      Found : user_pref("CT3220468.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
      Found : user_pref("CT3220468.ENABLE_RETURN_WEB_SEARCH_ON_T HE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
      Found : user_pref("CT3220468.FirstTime", "true");
      Found : user_pref("CT3220468.FirstTimeFF3", "true");
      Found : user_pref("CT3220468.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT322[...]
      Found : user_pref("CT3220468.UserID", "UN13083084702715324");
      Found : user_pref("CT3220468.addressBarTakeOverEnabledInHi dden", "true");
      Found : user_pref("CT3220468.autoDisableScopes", -1);
      Found : user_pref("CT3220468.browser.search.defaultthis.en gineName", true);
      Found : user_pref("CT3220468.cb_experience_000", "2");
      Found : user_pref("CT3220468.cbcountry_001", "CA");
      Found : user_pref("CT3220468.cbfirsttime", "Mon Oct 29 2012 21:56:19 GMT-0600 (Canada Central Standard Time)[...]
      Found : user_pref("CT3220468.embeddedsData", "[{\"appId\":\"129813684258939747\",\"apiPermissions\":{\"cross[...]
      Found : user_pref("CT3220468.enableAlerts", "always");
      Found : user_pref("CT3220468.enableSearchFromAddressBar", "true");
      Found : user_pref("CT3220468.firstTimeDialogOpened", "true");
      Found : user_pref("CT3220468.fixPageNotFoundError", "true");
      Found : user_pref("CT3220468.fixPageNotFoundErrorInHidden", "true");
      Found : user_pref("CT3220468.fixUrls", true);
      Found : user_pref("CT3220468.homepageuserchanged", true);
      Found : user_pref("CT3220468.installId", "fft89B4.tmp.exe");
      Found : user_pref("CT3220468.installType", "XPE");
      Found : user_pref("CT3220468.isCheckedStartAsHidden", true);
      Found : user_pref("CT3220468.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
      Found : user_pref("CT3220468.isNewTabEnabled", true);
      Found : user_pref("CT3220468.isPerformedSmartBarTransition", "true");
      Found : user_pref("CT3220468.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
      Found : user_pref("CT3220468.isWelcomPage", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
      Found : user_pref("CT3220468.keyword", true);
      Found : user_pref("CT3220468.lastVersion", "10.15.0.562");
      Found : user_pref("CT3220468.migrateAppsAndComponents", true);
      Found : user_pref("CT3220468.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\" \",\"EB_MAIN_FRAME_URL\":\"hxxp[...]
      Found : user_pref("CT3220468.openThankYouPage", "true");
      Found : user_pref("CT3220468.openUninstallPage", "FALSE");
      Found : user_pref("CT3220468.search.searchAppId", "129813684258939747");
      Found : user_pref("CT3220468.search.searchCount", "0");
      Found : user_pref("CT3220468.searchInNewTabEnabledInHidden", "true");
      Found : user_pref("CT3220468.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
      Found : user_pref("CT3220468.serviceLayer_service_login_is FirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
      Found : user_pref("CT3220468.serviceLayer_service_login_lo ginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
      Found : user_pref("CT3220468.serviceLayer_service_toolbarG rouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
      Found : user_pref("CT3220468.serviceLayer_service_toolbarG rouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
      Found : user_pref("CT3220468.serviceLayer_service_toolbarG rouping_activeToolbarName", "{\"dataType\":\"strin[...]
      Found : user_pref("CT3220468.serviceLayer_service_toolbarG rouping_invoked", "{\"dataType\":\"string\",\"data[...]
      Found : user_pref("CT3220468.serviceLayer_service_usage_to olbarUsageCount", "{\"dataType\":\"number\",\"data[...]
      Found : user_pref("CT3220468.serviceLayer_services_appTrac kingFirstTime_lastUpdate", "1353991674672");
      Found : user_pref("CT3220468.serviceLayer_services_appsMet adata_lastUpdate", "1354350917321");
      Found : user_pref("CT3220468.serviceLayer_services_gottenA ppsContextMenu_lastUpdate", "1353991674930");
      Found : user_pref("CT3220468.serviceLayer_services_login_1 0.10.27.6_lastUpdate", "1354354022349");
      Found : user_pref("CT3220468.serviceLayer_services_otherAp psContextMenu_lastUpdate", "1353991675013");
      Found : user_pref("CT3220468.serviceLayer_services_searchA PI_lastUpdate", "1354350917414");
      Found : user_pref("CT3220468.serviceLayer_services_service Map_lastUpdate", "1354350917214");
      Found : user_pref("CT3220468.serviceLayer_services_toolbar ContextMenu_lastUpdate", "1353991674975");
      Found : user_pref("CT3220468.serviceLayer_services_toolbar Settings_lastUpdate", "1354354022289");
      Found : user_pref("CT3220468.serviceLayer_services_transla tion_lastUpdate", "1354350917729");
      Found : user_pref("CT3220468.settingsINI", true);
      Found : user_pref("CT3220468.shouldFirstTimeDialog", "false");
      Found : user_pref("CT3220468.smartbar.CTID", "CT3220468");
      Found : user_pref("CT3220468.smartbar.Uninstall", "0");
      Found : user_pref("CT3220468.smartbar.homepage", true);
      Found : user_pref("CT3220468.smartbar.isHidden", true);
      Found : user_pref("CT3220468.smartbar.toolbarName", "uTorrentControl_v2 ");
      Found : user_pref("CT3220468.startPage", "userChanged");
      Found : user_pref("CT3220468.toolbarBornServerTime", "30-10-2012");
      Found : user_pref("CT3220468.toolbarCurrentServerTime", "1-12-2012");
      Found : user_pref("CT3220468.upgradeFromClearSBVersion", true);
      Found : user_pref("CT3220468.url_history0001", "hxxp://www.abovetopsecret.com/live.php:::clickhandler:::1354[...]
      Found : user_pref("CT3220468_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
      Found : user_pref("Smartbar.ConduitHomepagesList", "");
      Found : user_pref("Smartbar.ConduitSearchEngineList", "");
      Found : user_pref("Smartbar.ConduitSearchUrlList", "");
      Found : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxps://isearch.avg.com/search?cid=%7B5e4ba8b8-3[...]
      Found : user_pref("Smartbar.keywordURLSelectedCTID", "CT3220468");

      -\\ Google Chrome v26.0.1410.64

      File : C:\Users\Devon\AppData\Local\Google\Chrome\User Data\Default\Preferences

      [OK] File is clean.

      *************************

      AdwCleaner[R1].txt - [9743 octets] - [12/05/2013 20:33:08]
      AdwCleaner[R2].txt - [9610 octets] - [12/05/2013 23:55:17]

      ########## EOF - C:\AdwCleaner[R2].txt - [9670 octets] ##########

      ************************************************************************************************

      Malwarebytes Anti-Malware 1.75.0.1300
      www.malwarebytes.org

      Database version: v2013.05.13.01

      Windows 7 Service Pack 1 x64 NTFS
      Internet Explorer 10.0.9200.16540
      Devon :: PC [administrator]

      12/05/2013 8:37:09 PM
      mbam-log-2013-05-12 (20-37-09).txt

      Scan type: Full scan (C:\|D:\|E:\|Q:\|)
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 361654
      Time elapsed: 55 minute(s), 17 second(s)

      Memory Processes Detected: 0
      (No malicious items detected)

      Memory Modules Detected: 0
      (No malicious items detected)

      Registry Keys Detected: 0
      (No malicious items detected)

      Registry Values Detected: 0
      (No malicious items detected)

      Registry Data Items Detected: 0
      (No malicious items detected)

      Folders Detected: 0
      (No malicious items detected)

      Files Detected: 0
      (No malicious items detected)

      (end)

      **************************************************************************************

       Results of screen317's Security Check version 0.99.63
       Windows 7 Service Pack 1 x64 (UAC is enabled)
       Internet Explorer 9
      ``````````````Antivirus/Firewall Check:``````````````
       Windows Firewall Enabled!
      ESET Smart Security 6.0
       Antivirus up to date!
      `````````Anti-malware/Other Utilities Check:`````````
       Malwarebytes Anti-Malware version 1.75.0.1300
       Adobe Flash Player 11.6.602.180
       Adobe Reader 10.1.0 Adobe Reader out of Date!
       Mozilla Firefox (20.0.1)
       Google Chrome 26.0.1410.43
       Google Chrome 26.0.1410.64
      ````````Process Check: objlist.exe by Laurent````````
       ESET NOD32 Antivirus egui.exe
       ESET NOD32 Antivirus ekrn.exe
       Malwarebytes Anti-Malware mbam.exe
       Symantec Norton Online Backup NOBuAgent.exe
      `````````````````System Health check`````````````````
       Total Fragmentation on Drive C: 0%
      ````````````````````End of Log``````````````````````

      Let me know if you need anything else.
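      As an added illustration (not part of this thread, and not code from AdwCleaner's author), here is a small Python parser for the AdwCleaner "[Search]" log layout posted above. It splits the log into its sections, tags each finding with an adware family using substring markers I chose for the names that appear in the log (Conduit, PriceGong, Smartbar, AVG Secure Search), and pulls out the prefs.js entries that steer searches. The sample log is a constructed, shortened excerpt of the one above.

```python
import re
from collections import Counter

# Constructed excerpt in the AdwCleaner v2.x "[Search]" log layout; a
# shortened stand-in for the log posted in the thread, not the full log.
SAMPLE_LOG = r"""# AdwCleaner v2.300 - Logfile created 05/12/2013 at 23:55:17
# Option [Search]

***** [Files / Folders] *****

File Found : C:\Users\Devon\AppData\Roaming\Mozilla\Firefox\Profiles\w5qvy1x9.default\searchplugins\Conduit.xml
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Users\Devon\AppData\LocalLow\PriceGong
Folder Found : C:\Users\Devon\AppData\Roaming\Mozilla\Firefox\Profiles\w5qvy1x9.default\Smartbar

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKLM\Software\AVG Secure Search
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Devon\AppData\Roaming\Mozilla\Firefox\Profiles\w5qvy1x9.default\prefs.js

Found : user_pref("CT3220468.smartbar.toolbarName", "uTorrentControl_v2 ");
Found : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "hxxps://isearch.avg.com/search?cid=[...]
"""

SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")        # ***** [Registry] *****
FINDING_RE = re.compile(r"^(?:(File|Folder|Key|Value) )?Found : (.+)$")
BROWSER_RE = re.compile(r"^-\\\\ (.+)$")                    # -\\ Mozilla Firefox v20.0.1

# Ordered: the first family whose marker appears wins, so CTID-prefixed prefs
# ("CT3220468.smartbar...") count as Conduit. Markers are my own choice.
FAMILIES = (
    ("Conduit", ("conduit", "ct32")),
    ("PriceGong", ("pricegong",)),
    ("Smartbar", ("smartbar",)),
    ("AVG Secure Search", ("avg secure search", "avg@toolbar", "isearch.avg")),
)

def classify(item):
    """Map one finding to an adware family by case-insensitive substring match."""
    lowered = item.lower()
    for family, markers in FAMILIES:
        if any(marker in lowered for marker in markers):
            return family
    return "unclassified"

def parse_adwcleaner(text):
    """Return (section, browser, kind, item) for every 'Found' line in the log."""
    findings, section, browser = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                      # the forum post is indented
        if m := SECTION_RE.match(line):
            section, browser = m.group(1), None
        elif m := BROWSER_RE.match(line):
            browser = m.group(1)
        elif (m := FINDING_RE.match(line)) and section:
            findings.append((section, browser, m.group(1) or "Pref", m.group(2)))
    return findings

def summarize(findings):
    """Count findings per family and section; list prefs that redirect search/homepage."""
    by_family = Counter(classify(item) for _, _, _, item in findings)
    by_section = Counter(section for section, _, _, _ in findings)
    redirect_prefs = [item for _, _, kind, item in findings
                      if kind == "Pref" and re.search(r"search|homepage", item, re.I)]
    return {"total": len(findings), "by_family": dict(by_family),
            "by_section": dict(by_section), "redirect_prefs": redirect_prefs}

if __name__ == "__main__":
    for key, value in summarize(parse_adwcleaner(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```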

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Experience: Expert
      • OS: Windows 10
      Re: Problems with someone infecting me via pcAnywhere
      « Reply #3 on: May 13, 2013, 04:00:36 PM »
      Remove the Adware:
      • Please close all open programs and internet browsers.
      • Double click on adwcleaner.exe to run the tool.
      • Click on Delete.
      • Confirm each time with OK
      • Your computer will be rebooted automatically. A text file will open after the restart.
      • Please post the content of that logfile in your reply.
      • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
      *******************************************
      Please download Junkware Removal Tool to your desktop.

      Warning! Once the scan is complete JRT will shut down your browser with NO warning.

      Shut down your protection software now to avoid potential conflicts.

      • Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.

      • The tool will open and start scanning your system.

      • Please be patient as this can take a while to complete depending on your system's specifications.

      • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

      • Copy and Paste the JRT.txt log into your next message.
      ***********************************************
      Download Combofix from any of the links below, and save it to your DESKTOP
      If your version of Windows defaults to your download folder you will need to copy it to your desktop.

      Link 1
      Link 2
      Link 3

      To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
      • Close any open windows and double click ComboFix.exe to run it.

        You will see the following image:


      Click I Agree to start the program.

      ComboFix will then extract the necessary files and you will see this:



      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

      It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

      If you did not have it installed, you will see the prompt below. Choose YES.



      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



      Click on Yes, to continue scanning for malware.

      When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

      Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

      Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.