Solved Help! Someone Keeps Hacking Into My Computer!

Thanks Ried ...... and welcome.

IDLERACER, Ried is a trained analyst and you can safely follow any instructions given you.

 

Alright! Now I think we're getting somewhere. I clicked on the "JustUnZIPit" thing, and this time there's a box inside the new folder that opened up. Now where is this thing called the "Retoolkit" located?

 

Thanks, noahdfear. : )

Double click GMER.exe. If asked to allow gmer.sys driver to load, say Yes.

In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and make sure the Show all box is unchecked.

Then click the Scan button & wait for it to finish.

Once done click on the [Save..] button. You'll find the report in the gmer folder.

 

Almost Done...

 

O.K, I clicked "Save" and it's asking me to give the file a name. What shall I call it, and shall I store it in "Windows" like it's prompting me to, or somewhere else?

 

Call it gmer.txt

Save it to your desktop so you can find it easily. Post the results in your next reply please.

 

Alright, here 'tis:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-11 22:37:36
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEDF74576]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEDF74432]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEDF74910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEDF7400A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEDF7450C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEDF73F4A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEDF73FAE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEDF7462C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEDF745EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEDF7476C]
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwTerminateProcess [0xF7C17604]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3500] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[696] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
IAT C:\WINDOWS\system32\services.exe[696] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.14 ----

 

Please proceed with disabling the wireless connections to the modem as shown here.

Once you have that done, I'd like for you to run an online scan.

Please do an online scan with Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Post the Kaspersky log here.

 

Have you used the GoToAssist software recently? Is it something you require? This problem begin after installing it?

 

That indeed brought me to a page that has something to do with my modem, but no matter what drop-down menu I click on it keeps asking me to change my password. What am I doing wrong?

 

I don't even know what that is. I'll gladly get rid of it if necessary.

 

Then change your password. Make sure it is something you will remember, but one that is also secure. Write it down if needed.

 

GoToAssist is a remote assistance application.
http://www.citrixonline.com/
Do you not know how it got installed on your computer?

 

I just did a search of my computer and discovered that that GoToMyAssist was installed around the 17th. I believe that is around the time this stuff began happening. Shall I dispose of it? Note that since that time, I have had a typing session with a tech support woman in India, who was able to look at my screen and help me fix something. If I eleminate this, will Verizon tech support still be able to help me in this manner?

 

Ah, I was finally able to disable it! Halleluja!

 

Incidentally, The Kaspersky thing is currently downloading.

 

That is where it came from. Next time they need to help you they'll have you download it again.

 

Alright, then I'll remove it after the scan has finished, but I have a feeling the disabling of the wireless part of my modem is going to be the key element in all this.

 

Just letting you know that it's at 75%. Apparently there's alot of stuff to scan!

 

Whoa...It looks like this is going to take a few hours. I'm going to catch some ZZZs and re-connect with you guys in the morning. Thank you so much for all your help this evening. I'm going to fall asleep listening to music on my computer with a bit more peace of mind, knowing that the wireless element has been disabled.