Remote

Senior Advisor


Ever since I have been using a computer, it seems that someone is remotely controlling my computer.

Can anyone here decipher this?

 

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B2381205-833B-4FAE-9065-C15F1B61F561}\Connection@Name  isatap.{B3BB47BA-6B58-49E4-A4DD-24E50B40F316}
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind     \Device\{D07A2C17-23CF-4DC0-8F51-76978AF99903}?\Device\{E91629C4-0B7C-41F0-B63F-3A885826E2CC}?\Device\{607B1863-8721-40B5-8998-EEF77A91A393}?\Device\{B2381205-833B-4FAE-9065-C15F1B61F561}?\Device\{34097E1F-0DBD-4B2F-84F9-9F3F97ED81C9}?\Device\{9D053EF8-675D-4338-9F38-5D82F867A9B7}?\Device\{746FCE53-E7A5-4679-AC2E-966D21C91D1B}?\Device\{3FC08348-043B-4AB2-8EB5-2B99120F146E}?\Device\{30AC64B1-D1B2-4BD1-9AF7-FFE51A0796FB}?\Device\{A5B0DF03-A04C-4FA9-AF9D-04085628CB00}?\Device\{F4409829-C39D-4C75-872A-4A588859EF39}?\Device\{74B85993-6E8E-4FB1-8DA6-6E70C0C696C1}?\Device\{1EA43591-F27E-41FE-B204-ACD5A3457824}?\Device\{DE22AD90-7011-4F52-BC7C-E9490919A352}?\Device\{7EC96DE7-595C-4C2A-971B-77EFD9C36A63}?\Device\{B8662798-8808-4D59-9638-F2D77D9E3307}?\Device\{9B6D0C84-5FCE-4B16-8112-1B9DDD821DCC}?\Device\{3949181C-89FE-4AC4-BE75-DE720FB7A149}?\Device\{2926408A-5324-4983-AA8B-C4768DC70079}?\Device\{BADF0FDD-24B7-490D-9475-957837F9A21B}?\Device\{D83DF1C8-485D-4A2D-B43A-8D014E96A985}?\Device\{E71452D0-EE71-4287-9BB4-EC4
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export   \Device\TCPIP6TUNNEL_{D07A2C17-23CF-4DC0-8F51-76978AF99903}?\Device\TCPIP6TUNNEL_{E91629C4-0B7C-41F0-B63F-3A885826E2CC}?\Device\TCPIP6TUNNEL_{607B1863-8721-40B5-8998-EEF77A91A393}?\Device\TCPIP6TUNNEL_{B2381205-833B-4FAE-9065-C15F1B61F561}?\Device\TCPIP6TUNNEL_{34097E1F-0DBD-4B2F-84F9-9F3F97ED81C9}?\Device\TCPIP6TUNNEL_{9D053EF8-675D-4338-9F38-5D82F867A9B7}?\Device\TCPIP6TUNNEL_{746FCE53-E7A5-4679-AC2E-966D21C91D1B}?\Device\TCPIP6TUNNEL_{3FC08348-043B-4AB2-8EB5-2B99120F146E}?\Device\TCPIP6TUNNEL_{30AC64B1-D1B2-4BD1-9AF7-FFE51A0796FB}?\Device\TCPIP6TUNNEL_{A5B0DF03-A04C-4FA9-AF9D-04085628CB00}?\Device\TCPIP6TUNNEL_{F4409829-C39D-4C75-872A-4A588859EF39}?\Device\TCPIP6TUNNEL_{74B85993-6E8E-4FB1-8DA6-6E70C0C696C1}?\Device\TCPIP6TUNNEL_{1EA43591-F27E-41FE-B204-ACD5A3457824}?\Device\TCPIP6TUNNEL_{DE22AD90-7011-4F52-BC7C-E9490919A352}?\Device\TCPIP6TUNNEL_{7EC96DE7-595C-4C2A-971B-77EFD9C36A63}?\Device\TCPIP6TUNNEL_{B8662798-8808-4D59-9638-F2D77D9E3307}?\Device\TCPIP6TUNNEL_{9B6D0C84-5FCE-4B16-8112-1B9DDD821DCC}?\De
Reg             HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route    "{D07A2C17-23CF-4DC0-8F51-76978AF99903}"?"{E91629C4-0B7C-41F0-B63F-3A885826E2CC}"?"{607B1863-8721-40B5-8998-EEF77A91A393}"?"{B2381205-833B-4FAE-9065-C15F1B61F561}"?"{34097E1F-0DBD-4B2F-84F9-9F3F97ED81C9}"?"{9D053EF8-675D-4338-9F38-5D82F867A9B7}"?"{746FCE53-E7A5-4679-AC2E-966D21C91D1B}"?"{3FC08348-043B-4AB2-8EB5-2B99120F146E}"?"{30AC64B1-D1B2-4BD1-9AF7-FFE51A0796FB}"?"{A5B0DF03-A04C-4FA9-AF9D-04085628CB00}"?"{F4409829-C39D-4C75-872A-4A588859EF39}"?"{74B85993-6E8E-4FB1-8DA6-6E70C0C696C1}"?"{1EA43591-F27E-41FE-B204-ACD5A3457824}"?"{DE22AD90-7011-4F52-BC7C-E9490919A352}"?"{7EC96DE7-595C-4C2A-971B-77EFD9C36A63}"?"{B8662798-8808-4D59-9638-F2D77D9E3307}"?"{9B6D0C84-5FCE-4B16-8112-1B9DDD821DCC}"?"{3949181C-89FE-4AC4-BE75-DE720FB7A149}"?"{2926408A-5324-4983-AA8B-C4768DC70079}"?"{BADF0FDD-24B7-490D-9475-957837F9A21B}"?"{D83DF1C8-485D-4A2D-B43A-8D014E96A985}"?"{E71452D0-EE71-4287-9BB4-EC4F7E5B2D45}"?"{E5698A85-C83F-43AF-A5EC-C40FF5026246}"?"{2057E613-0DDA-415C-9ABD-298147292F70}"?"{8586DEB1-212B-4572-99BD-389562E9F8CF}
Reg             HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{B2381205-833B-4FAE-9065-C15F1B61F561}@InterfaceName                       isatap.{B3BB47BA-6B58-49E4-A4DD-24E50B40F316}
Reg             HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{B2381205-833B-4FAE-9065-C15F1B61F561}@ReusableType                        0
Reg             HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch                                                                              1898

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                                                       82AB2F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           ntkrnlpa.exe!NtTraceEvent                                                                                                                    82A7DE34 5 Bytes  JMP 934EDC00
.text           ntkrnlpa.exe!RtlSidHashLookup + 224                                                                                                          82ABA724 8 Bytes  [90, CB, C7, 85, 70, CC, C7, ...]
.text           ntkrnlpa.exe!RtlSidHashLookup + 23C                                                                                                          82ABA73C 4 Bytes  [60, B9, BE, 85]
.text           ntkrnlpa.exe!RtlSidHashLookup + 248                                                                                                          82ABA748 4 Bytes  [30, 14, B9, 85]
.text           ntkrnlpa.exe!RtlSidHashLookup + 29C                                                                                                          82ABA79C 4 Bytes  [98, C2, C7, 85] {CWDE ; RET 0x85c7}
.text           ntkrnlpa.exe!RtlSidHashLookup + 318                                                                                                          82ABA818 4 Bytes  [E0, C8, C7, 85]
.text           ntkrnlpa.exe!ZwSaveKeyEx + 13AD                                                                                                              82A8E579 1 Byte  [06]
.text           win32k.sys!CLIPOBJ_cEnumStart + 6CE0                                                                                                         95CF55A5 5 Bytes  JMP 934EDAC0
.text           win32k.sys!CLIPOBJ_cEnumStart + 71E8                                                                                                         95CF5AAD 5 Bytes  JMP 934EDB60
.text           win32k.sys!EngAllocMem + 7E47                                                                                                                95C15142 5 Bytes  JMP 934ED700
.text           win32k.sys!EngCTGetCurrentGamma + 1C7A                                                                                                       95CE9C9C 5 Bytes  JMP 934ED7A0
.text           win32k.sys!EngLpkInstalled + 6119                                                                                                            95C67842 5 Bytes  JMP 934EDA20
.text           win32k.sys!PATHOBJ_bEnum + 7A2F                                                                                                              95C2782E 5 Bytes  JMP 934ED660
.text           win32k.sys!PATHOBJ_vGetBounds + EB7                                                                                                          95CE5C81 5 Bytes  JMP 934ED840
.text           win32k.sys!XFORMOBJ_iGetXform + 331A                                                                                                         95C04C57 5 Bytes  JMP 934ED5C0

---- EOF - GMER 1.0.15 ----

Because my computer has been the target of SMB and ICMP attacks. Someone is trying to copy files on my computer.

Do let me know.

2 REPLIES
F-Secure Employee

Re: Remote

Hello Rusli,

I would suggest you open a support request to us in order for us to be able to investigate the problem a bit further:

http://www.f-secure.com/en_UK/support/home-office/contact-support/

Once you open the support request you can send me the SR ID via a private message.

F-Secure

Re: Remote

If you suspect that someone controls your computer remotely, then you should consider scanning it with the F-Secure Rescue CD tool, which would be able to detect any rootkits or trojans hooked into Windows that are not otherwise detected because they hide from or bypass the antivirus. You can find more info about the F-Secure Rescue CD and links to downloads here: http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/rescue-cd/.