Stopping Remote Access - Help Would Be Appreciated

Hello,

Using Windows XP on a fairly new Toshiba notebook, which appeared to have someone accessing the computer remotely, through it's built-in (factory installed) wireless card.

In addition, we have found odd instances such as IE web page history listing web pages we haven't been to, have had notepad documents popping up on the desktop which we have not composed, and printers being added and printer icons being duplicated on our status bar. There have also been suspicious entries and reports found in Quickbooks.

I have since disabled the card (as it's not needed) and have done all the things required (ran all the requested cleaners, utilities and anti-virus programs) before sending our HijackThis log, which is attached.

Now for the final step and fine tuning, I would appreciate if someone could please check out the HijackThis log and guide me on how to best remove any other traces of potentially harmful items, as we feel there may still be traces of things that would allow someone (unauthorized) to communicate with this computer through our cable (ISP) connection. I am also attaching our PandaScan report.

Thanks very much for any help that you could offer!

S.D.



computer

 

Hello,

Yes, my bitdeffender run had come back clean (no problems were detected) , I'll do the things you suggested.

Again, thanks very much and I'll and post a new HT log soon.

 

Hi,

I did everything requested, less the notes (and comments) below.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [LanzarT2006] "C:\DOCUME~1\NOONEE~1\LOCALS~1\Temp\{D31D3A67-2618-4AFC-90A0-CF14105F1B90}\{98032D6F-3EE6-4646-B68C-40BF012AC89B}\..\..\T2006tmp\Install.exe" /SETUP:"/l0x0009"
(the listing mentioned above was no longer there, so I / HJT couldn't remove it)

O4 - HKLM\..\Run: [LanzarP2006] "C:\DOCUME~1\NOONEE~1\LOCALS~1\Temp\{B00EBE9A-563F-4FED-A879-609E66027A4D}\{EEBA9416-3207-47E0-9022-116440599DBC}\..\..\P2006tmp\Install.exe" /SETUP:"/l0x0009"
(this one was there, so HJT successfully removed it)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Documents and Settings\NOONEE~1\Local Settings\Temp <--- delete all files in this Temp folder
"SQL" (in there) gave me a hard time removing, then it also came back (even though it was not read only)

Make sure you tell me how things are working now.
All in all seems better, but the fact that that SQL is there (I don't know why) and wouldn't let me keep it deleted, has me a bit concerned.

New HJT log attached and your help is stilll greatly appreciated! ;-)

 

Very sorry. We wanted to get rid of Symantec because we really hated it and also felt it had let us down. CA\eTrust was available from our ISP (cable) and we thought the change would be good. The new anti-virus program had actually attempted to uninstall Norton first, so I guess it didn't do it rightI let (please forgive ;-)

Also, the computer seemed to be running a little slow while online (maybe it was partially because that Symantec service was still running?)

I have since attempted to remove all traces and mentions of Symantec.

A new HJT log is attached, and thanks again for ALL your help!

 

HJT wouldn't remove it, now was I able to remove it through deleting all instances or mentions of it in the registry. What method do you suggest I try, and any idea why that SQL log file is still showing up under that Local/temp area? (I don't know why it... "SQL" exists at all in there, or what it may have been / or is associated to?)

Thanks again and I FYI, got your e-mail/file, and will follow up on it ;-

Oh yeah... latest HJT log attached.

 

I removed that NT service (and exited HJT and ;left the computer running, haven't let it reboot, as you instructed)

Do you use any SQL applications? If so, they are just using that folder as a Temp folder like many other applications do. What is the file name?

I don't think I use any SQL apps. (I do use Quickbooks, but I don't "think" is uses SQL)

File name (in Local\Temp) is simply "SQL" (and is a 0 byte text file)
.[/QUOTE]

What's next boss? ;-)

 

023 entry is now gone, and file is actually SQL.log (computer was set to hide extentions for known file types, which I since unchecked).

Aside from that, how are we looking (so far) and what else is recommended (I still haven't rebooted either).

I'm not sure, but I get the impression that someone was in this system via a wireless connection (which I since disbled), and want to be sure we keep the bad guys out, as I am helping out a friend with this ;-)