RAT on my PC?

alakazam (thread author):
Someone on Skype told me that they put a RAT on my PC. I want to know how I can check if this is true. Tell me what programs to use to scan and delete it if it's true.

TwinHeadedEagle:
Hello,


Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select Update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.

alakazam (thread author):
Scan Date: 10/22/2014
Scan Time: 1:24:16 AM
Logfile: sc11.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.21.11
Rootkit Database: v2014.10.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Lucian

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 363035
Time Elapsed: 6 min, 35 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 8
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{9BB812EA-6A11-4F94-AE32-DB3FD45EC496}, Quarantined, [bca3e92e7705a88e22dd0fcf5ba746ba],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{BDB0F124-48E8-43A5-A263-45A7093CF058}, Quarantined, [ef700d0a3547bd79ad54c41b16ecc43c],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{5C6B193D-C4D0-4A0C-8509-8EA566380A7C}, Quarantined, [ef700d0a3547bd79ad54c41b16ecc43c],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{5C6B193D-C4D0-4A0C-8509-8EA566380A7C}, Quarantined, [ef700d0a3547bd79ad54c41b16ecc43c],
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{BDB0F124-48E8-43A5-A263-45A7093CF058}, Quarantined, [ef700d0a3547bd79ad54c41b16ecc43c],
PUP.Optional.Neurowise.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\neurowise, Quarantined, [4718a37429537abc37a584a522e1dd23],
PUP.Optional.Neurowise.A, HKLM\SOFTWARE\WOW6432NODE\neurowise, Quarantined, [6af5e235641895a16677fd2c04ff4cb4],
PUP.Optional.Neurowise.A, HKU\S-1-5-21-2928522216-2145512440-1471720642-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\neurowise, Quarantined, [a9b66cabf4881422b82695941be844bc],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 4
PUP.Optional.Neurowise.A, C:\Program Files (x86)\neurowise, Quarantined, [4718a37429537abc37a584a522e1dd23],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],

Files: 44
PUP.Optional.Neurowise.A, C:\Program Files (x86)\neurowise\neurowise.ico, Quarantined, [4718a37429537abc37a584a522e1dd23],
PUP.Optional.Neurowise.A, C:\Program Files (x86)\neurowise\neurowiseUninstall.exe, Quarantined, [4718a37429537abc37a584a522e1dd23],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\chrome.manifest, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\install.rdf, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF.xpt, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF10.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF11.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF12.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF13.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF14.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF15.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF16.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF17.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF18.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF19.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF2.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF20.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF21.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF22.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF23.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF24.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF25.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF26.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF27.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF28.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF29.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF30.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF4.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF5.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF6.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF7.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF8.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\components\SystemKHlpFF9.dll, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\DnsBHO.js, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\Error404BHO.js, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\MainBHO.js, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\NativeHelper.js, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\NewTabBHO.js, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\overlay.js, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\overlay.xul, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\RelatedSearch.js, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\RequestPreserver.js, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\SearchBHO.js, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk\content\SettingManager.js, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],

Physical Sectors: 0
(No malicious items detected)


(end)

TwinHeadedEagle:
Very good. Let's make a few more checks:


Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.
  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Wait until the database is updated.
  • Accept the Terms of use and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner




Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

alakazam (thread author):
AdwCleaner results

# AdwCleaner v4.001 - Report created 22/10/2014 at 11:48:02
# DB v2014-10-21.1
# Updated 20/10/2014 by Xplode
# Operating System : Windows 8.1 Pro (64 bits)
# Username : Lucian
# Running from : C:\Users\Lucian\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Lucian\AppData\Local\Temp\apn
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightspark 0.5.3-git
Folder Deleted : C:\Program Files (x86)\Lightspark 0.5.3-git
Folder Deleted : C:\Users\Lucian\AppData\Roaming\Settings Manager
Folder Deleted : C:\ProgramData\PC Drivers HeadQuarters
Folder Deleted : C:\Program Files (x86)\PC Drivers HeadQuarters
Folder Deleted : C:\Users\Lucian\AppData\Roaming\PC Drivers HeadQuarters
File Deleted : C:\Users\Lucian\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage
File Deleted : C:\Users\Lucian\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage-journal
File Deleted : C:\Users\Lucian\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage

***** [ Scheduled Tasks ] *****

Task Deleted : LaunchSignup
Task Deleted : RunAsStdUser Task

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A1CCCE0D-AE21-42A2-BE58-8E6109410995}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Flash-Enhancer
Key Deleted : HKLM\SOFTWARE\Lightspark Team
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lightspark
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4F564F32-2D53-5000-76A7-A758B70C1200}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\30C16B15B255BD349A1157B8A83E2AF9
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED1CAE30F47D14B41B5FC8FA53658044
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344


-\\ Mozilla Firefox v33.0 (x86 en-US)


-\\ Google Chrome v38.0.2125.104


*************************

AdwCleaner[R0].txt - [6626 octets] - [02/04/2014 01:21:41]
AdwCleaner[R1].txt - [4513 octets] - [22/10/2014 11:44:24]
AdwCleaner[S0].txt - [6469 octets] - [02/04/2014 03:24:11]
AdwCleaner[S1].txt - [4319 octets] - [22/10/2014 11:48:02]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [4379 octets] ##########

Farbar Recovery Scan Tool results - in attachments

Attachments: FRST.txt (45.9 KB), Addition.txt (50.4 KB)
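The two logs above are the evidence the thread's verdict rests on: every Malwarebytes hit is a PUP.Optional.* family (Amonetize, Neurowise, SystemK) and everything AdwCleaner removed is adware residue (a BHO, a Chrome extension key, COM registrations, two scheduled tasks), with no Backdoor or Trojan class anywhere. As an added example, not code from the thread, from Malwarebytes or from AdwCleaner, the Python below parses both log formats, groups detections by class, family and persistence location, and lists anything in a remote-access class for manual review. The class sets and the location labels are this example's own assumptions; the sample lines are excerpted from the logs posted above, except the one line explicitly marked as constructed.

```python
import re
from collections import Counter

# Malwarebytes Anti-Malware 2.x detection line, as in the scan log above:
#   PUP.Optional.Neurowise.A, C:\Program Files (x86)\neurowise, Quarantined, [4718a3...],
MBAM_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.\-]*), (?P<obj>.+?), (?P<action>[A-Za-z ]+), "
    r"\[(?P<id>[0-9a-f]+)\],\s*$")
# AdwCleaner 4.x action line, as in the clean report above:
#   Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{...}   /   Task Deleted : LaunchSignup
ADW_LINE = re.compile(
    r"^(?P<kind>Key|Value|Folder|File|Task|Shortcut|Service) Deleted : (?:\[x64\] )?(?P<obj>.+?)\s*$")

# Assumption (this example's policy, not Malwarebytes' taxonomy): these class prefixes
# can mean remote access or data theft and get a manual review; PUP/PUM are nuisance-ware.
REVIEW_CLASSES = {"Backdoor", "Trojan", "Spyware", "Rootkit", "Worm", "Ransom", "Exploit"}
NUISANCE_CLASSES = {"PUP", "PUM", "Adware"}


def persistence_type(obj):
    """Coarse label for where an object lives; a RAT must survive a reboot, so these are
    the locations worth re-checking by hand after the tools report a clean."""
    o = obj.lower()
    if "browser helper objects" in o:
        return "bho"
    if re.search(r"\\currentversion\\run(once)?(\\|$)", o):
        return "run-key"
    if "\\chrome\\extensions\\" in o:
        return "browser-extension"
    if any(k in o for k in ("\\classes\\clsid\\", "\\classes\\typelib\\", "\\classes\\interface\\")):
        return "com-registration"
    if "\\currentversion\\uninstall\\" in o:
        return "uninstall-entry"
    if "\\appdata\\" in o:
        return "user-profile-file"
    if re.match(r"^[a-z]:\\", o):
        return "file-system"
    return "other"


def parse_mbam(text):
    """One dict per Malwarebytes detection line; section headers and counters are skipped."""
    hits = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if not m:
            continue
        parts = m.group("name").split(".")
        cls = parts[0]
        # PUP.Optional.<Family>.<Variant> keeps the family in the third component,
        # other classes (Trojan.<Family>.<Variant>) in the second.
        idx = 2 if cls in ("PUP", "PUM") else 1
        hits.append({"source": "mbam", "name": m.group("name"), "cls": cls,
                     "family": parts[idx] if len(parts) > idx else cls,
                     "obj": m.group("obj"), "location": persistence_type(m.group("obj"))})
    return hits


def parse_adwcleaner(text):
    """One dict per AdwCleaner 'X Deleted : ...' line. AdwCleaner names no class and only
    targets adware/PUPs, so every hit is filed under Adware (assumption)."""
    hits = []
    for line in text.splitlines():
        m = ADW_LINE.match(line.strip())
        if not m:
            continue
        kind, obj = m.group("kind"), m.group("obj")
        location = {"Task": "scheduled-task", "Service": "service"}.get(kind) or persistence_type(obj)
        hits.append({"source": "adwcleaner", "name": kind + " Deleted", "cls": "Adware",
                     "family": None, "obj": obj, "location": location})
    return hits


def triage(hits):
    """Group detections and decide whether anything beyond nuisance-ware was found."""
    needs_review = [h for h in hits if h["cls"] in REVIEW_CLASSES]
    if needs_review:
        verdict = "remote-access class present: review manually"
    elif hits:
        verdict = "no remote-access class detected; only nuisance software"
    else:
        verdict = "no detections"
    return {"total": len(hits),
            "by_class": Counter(h["cls"] for h in hits),
            "by_family": Counter(h["family"] for h in hits if h["family"]),
            "by_location": Counter(h["location"] for h in hits),
            "needs_review": needs_review, "verdict": verdict}


# Sample input: lines excerpted from the two logs posted above (headers left in to show they are ignored).
MBAM_EXCERPT = r"""Registry Keys: 8
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{9BB812EA-6A11-4F94-AE32-DB3FD45EC496}, Quarantined, [bca3e92e7705a88e22dd0fcf5ba746ba],
PUP.Optional.Neurowise.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\neurowise, Quarantined, [4718a37429537abc37a584a522e1dd23],
PUP.Optional.Neurowise.A, C:\Program Files (x86)\neurowise, Quarantined, [4718a37429537abc37a584a522e1dd23],
PUP.Optional.SystemK.A, C:\Users\Lucian\AppData\Roaming\Settings Manager\systemk, Quarantined, [ee71ab6cfc802f0719e4a75ca2616a96],
"""
ADW_EXCERPT = r"""***** [ Scheduled Tasks ] *****
Task Deleted : LaunchSignup
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Folder Deleted : C:\Users\Lucian\AppData\Roaming\Settings Manager
"""
# Constructed line, NOT from the thread: exercises the review path for a Backdoor.* class.
CONSTRUCTED_BACKDOOR_LINE = (r"Backdoor.Agent.Example, C:\Users\Example\AppData\Roaming\example.exe, "
                             r"Quarantined, [00000000000000000000000000000000],")

if __name__ == "__main__":
    report = triage(parse_mbam(MBAM_EXCERPT) + parse_adwcleaner(ADW_EXCERPT))
    print(report["verdict"])
    for key in ("by_class", "by_family", "by_location"):
        print(key, dict(report[key]))
```

Run against the excerpts it reports only PUP and Adware classes with an empty review list, which is the same conclusion the helper draws from the full logs; feed it the constructed Backdoor line and the verdict flips. The location counter is the useful part for the original question: BHOs, Run keys, scheduled tasks and browser extensions are exactly the places a RAT would also need, so they are the ones to re-inspect by hand (or in the FRST log) even after both tools come back clean.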

alakazam (thread author):
I don't know. The only symptoms I could notice in the past few days were my PC monitor modifying its brightness settings by itself and turning itself off once in a while. Could that be because of a R.A.T.?