
remote access

Discussion in 'Virus & Other Malware Removal' started by gaftop1, Feb 14, 2007.

  1. gaftop1

    gaftop1 Thread Starter

    Joined:
    Jul 20, 2003
    Messages:
    823
    We have an ex-employee who was very computer literate and angry. Our business computer occasionally comes up with a missing file or starts acting weird. Is there any way the ex could access the computer remotely and sabotage stuff, even after we changed the password?
     
  2. gaftop1

    gaftop1 Thread Starter

    Joined:
    Jul 20, 2003
    Messages:
    823
    Logfile of HijackThis v1.99.1
    Scan saved at 2:03:37 PM, on 2/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Documents and Settings\tony\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{407683BF-2862-4F23-8701-6F988F20DBE7}: NameServer = 64.235.52.51,64.235.52.52
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FD460D2-55E4-4AE7-8852-B6F4E7F8C96F}: NameServer = 208.54.220.20 209.142.136.85
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
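Triage logic for a HijackThis log like the one posted above, added here as an example and not part of the thread: it parses the O4, O17 and O23 entry formats and flags what a responder would check first (autostart entries outside the usual program directories, the DNS servers set on each interface, and services whose binary is missing or whose path carries a stray quote, as two of the avast! entries above do). The sample log is constructed (four lines modelled on the posted log plus one made-up O4 line), and the TRUSTED_DIRS list is an assumption for a Windows XP box.

```python
import re

# Constructed sample in HijackThis v1.99 log format: the first four entries are
# modelled on the posted log, the last O4 line is made up to show an autostart
# entry living outside the usual program directories.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{6FD460D2-55E4-4AE7-8852-B6F4E7F8C96F}: NameServer = 208.54.220.20 209.142.136.85
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
"""

# Assumed: where legitimate autostart binaries normally live on Windows XP.
TRUSTED_DIRS = (r"c:\program files", r"c:\progra~1", r"c:\windows")

def parse_line(line):
    """Split 'O4 - body' into (section code, body); None for non-entry lines."""
    m = re.match(r"^([RFNO]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage(log_text):
    """Return (section, reason, detail) tuples that merit a closer look."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        code, body = parsed
        if code == "O4":
            # hive\..\Run: [name] command; strip quotes so paths compare uniformly
            m = re.match(r"(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)", body)
            if m and not m.group(4).strip().strip('"').lower().startswith(TRUSTED_DIRS):
                findings.append((code, "autostart outside program dirs", m.group(3)))
        elif code == "O17":
            # per-interface DNS servers: confirm they belong to the ISP
            m = re.search(r"NameServer = (.*)$", body)
            if m:
                findings.append((code, "verify DNS servers", re.split(r"[,\s]+", m.group(1).strip())))
        elif code == "O23":
            # service whose binary is missing or whose path carries a stray quote
            if "(file missing)" in body or body.count('"') % 2:
                name = body.split(" - ")[0].replace("Service: ", "")
                findings.append((code, "service binary missing or malformed path", name))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```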
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Problems?
     
  4. gaftop1

    gaftop1 Thread Starter

    Joined:
    Jul 20, 2003
    Messages:
    823
    I picked up the %systemdriver% trojan and was just wondering if I can get rid of it through HijackThis.
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    What is the file name and location?
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Hard to say definitely, but he would have a tough time, depending on the strength of the password.

    You would have to rule out others that have access.

    He could have left some keylogger or something on the system, have you scanned for trojans, keyloggers, spyware in general?

    Do you need the Remote Access enabled, for other employees?

    There are quite a few of these around...and some give complete control of the computer to someone else.

    If you are running security software, what ones do you use?
     
  7. gaftop1

    gaftop1 Thread Starter

    Joined:
    Jul 20, 2003
    Messages:
    823
    He can't come on the property, so I don't think a keylogger would do him any good unless he has backdoor access, which is what I'm trying to find out if it's possible.
    His cousin was hired as webmaster before the firing and was bragging how he could get into the computer with no problems from Arizona. I thought that both parties had to agree to remote access. No security other than A/V, anti-spyware stuff and passwords.
    I do have the %systemdriver% trojan and am waiting for a reply on how to get rid of it. Other than that, spyware, malware and the like are scanned for and removed daily.
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, There are programs that allow unattended access, so no one has to be there, to accept a password or invite the remote user.

    Here is an excerpt from one of those, (a feature from list):

    "Individual permissions for each account let you specify what each user can and what they cannot do on your computer. The following permissions can be granted: view screen, control mouse and keyboard, access file system, download files, upload files, delete files, restrict file access to a specific folder, allow access only when accepted by live person or allow unattended access, set optional inactivity timeout..."

    http://www.access-remote-pc.com/help/intro-features.shtm

    If you read through that info, you will see that the features are configurable, to allow ONLY acceptance of remote session by live person...or not.

    If he or the cousin installed such a program, they can set it up to allow unattended sessions...which can be barely visible (only an icon in the system tray).

    These programs would be obvious, but can be hidden.
    A keylogger can also have features that send data, so no one needs physical access. Keyloggers are included with some trojan attacks; however, they can also be rootkits, and might not be noticed by you.
    Only some of the better antispyware tools will show them, and even fewer can remove them.

    So, much depends on how careful those at your end are, whether Internet is available, and how well you watch over things. If you are a domain with static IP addresses, routers, many computers and users, other remote users...things are less apt to be noticed. Determined attackers could do anything.
     
  9. gaftop1

    gaftop1 Thread Starter

    Joined:
    Jul 20, 2003
    Messages:
    823
    %systemdriver%: desktop, my documents, documents and settings; when you get into it, it goes to cybertech and another folder. Then it has 2 folders with identical registry entries.
    I'm not at that computer now, so I can't give exact info.
     
  10. gaftop1

    gaftop1 Thread Starter

    Joined:
    Jul 20, 2003
    Messages:
    823
    Will a program like Belarc Advisor show any keyloggers or the like?
     
  11. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, No, Belarc Advisor will show legitimately installed Microsoft programs, Windows Updates and other software, but it does not find spyware as such, like an antispyware program would.

    It's not a removal tool, either, just system information on hardware, software, etc..
     
  12. gaftop1

    gaftop1 Thread Starter

    Joined:
    Jul 20, 2003
    Messages:
    823
    Will Belarc show if there are any keyloggers or hidden programs?
     
  13. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, No, it will not. It does display the user accounts with some information. Did someone tell you it does?

    Belarc Advisor is not designed to detect hidden programs...
     
  14. gaftop1

    gaftop1 Thread Starter

    Joined:
    Jul 20, 2003
    Messages:
    823
    No, nobody said it would; I just thought it showed everything on the computer.
     
  15. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, As I posted, it does show all the installed software...but it will not show anything that is not in Add/Remove Programs, except for a few things like your IP address from the ISP and some other nice details....
    If the keylogger is installed and in that list, Belarc will show it, but so would Add/Remove Programs.

    Most keyloggers, at least the spyware type, are installed without the knowledge of users through trojan or worm infections, ad and spyware types.... They just as easily can be installed by a parent, an employer, a jealous spouse...are we headed in any of those directions?

    The key word you are using, hidden: no, Belarc to my knowledge does not show hidden keyloggers. But there is software that does.

    Try it for yourself http://www.belarc.com/products.html

    To find spyware, keyloggers included, you need to use antispyware tools....

    Are you interested in finding out if your computer is infected with anything?
     
Short URL to this thread: https://techguy.org/543994
