MajorGeeks Support Forums > Malware Removal

PCTools Firewall OK?

#1  05-20-12, 19:10  bbpathd1 (Senior Member)

On May 15 I noticed I could not get into a Verizon website of any kind—jokingly thought AT&T must be blocking their competitor which I was searching for. Then the HP Product Assistant kept coming up although the printer was not turned on. Then PCTools Firewall alerted me that Prism Service Module wanted internet access (message had never appeared before), so I unchecked remember and said no to allowing it. I had Firefox 12 already opened, and when I tried to look at tabs already there, for several I got a page that said because of Prism access was denied.

When I could not find Prism in PCTools list of apps, I exited the limited user account and decided to do a System Restore and went back to the most recent restore point and successfully got rid of the access denial by Prism. I got a message stating that PCTools Firewall had been tampered with by an external source and two .ini files were being restored.

I updated and ran SUPERAntispyware I already had installed. Had not set the preferences as you now suggest so I got 103 tracking cookies. Then I updated MalwareBytes I already had installed and found 2 registry keys, Trojan agent.

I thought that might be all I needed to do, but today I decided, better safe than sorry and ran the rest of the Read & Run Me First. I was uncertain whether I had any browser redirection (just could not connect where I wanted to go), but I figured it wouldn’t hurt to flush all the caches and do those steps. I ran FixTDSS and MBRCheck just for completeness, expecting them to show nothing.

All seems to be back to normal, but I still get “The connection was reset” on some pages, like it is timing out. I’d just like a quick confirmation from you that all is OK.

This is my rescued Dell Optiplex 210L from Hard Drive Failing? http://forums.majorgeeks.com/showthread.php?t=252181. It has been working fine ever since I replaced the hard drive and reinstalled Win XP Home and all the Dell drivers.
Attached Images
File Type: png Prism PCTools.png (23.8 KB, 0 views)
File Type: png PCTools FW p SR.png (82.7 KB, 0 views)
Attached Files
File Type: log SUPERAntiSpyware Scan Log - 05-15-2012 - 20-55-36.log (12.3 KB, 1 views)
File Type: txt mbam-log-2012-05-15 (22-40-18).txt (2.4 KB, 1 views)

#2  05-20-12, 19:12  bbpathd1

When I ran MGTools, Avira did not squawk, so I guess they finally fixed that bug. Avira did give me a pop-up regarding the hosts file; seems Avira in its latest version has become very protective of it. I recall Avira would not let Spybot proceed with immunization of hosts when I installed it after Avira.

I could not upload using Firefox, so I had to go to IE. I kept getting “Connection was Reset” with Firefox.
Attached Files
File Type: txt GooredFix051712.txt (1.5 KB, 0 views)
File Type: txt MBRCheck_05.17.12_13.38.00.txt (8.7 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 05-17-2012 - 16-37-15.log (574 Bytes, 1 views)
File Type: txt mbam-log-2012-05-17 (18-23-31).txt (1.8 KB, 1 views)

#3  05-20-12, 19:15  bbpathd1

Should I keep PCTools Firewall? I know Comodo and Private Firewall rate higher, but Comodo was too demanding of me to figure it out when I tried to use it three years ago.


If it makes any difference, I have an Ooma attached to my DSL modem, then Ooma to wireless router and then Linksys hub with this computer one of three computers. Have you heard of any malware affecting Ooma? I hope not, because I want to get rid of my AT&T landline and just use the Ooma. I was trying to find an alternative DSL provider but that’s been difficult because the smaller ones all get bad customer service reviews, most foreign-based.
Attached Files
File Type: txt RRlog051712.txt (874 Bytes, 0 views)
File Type: txt ComboFix.txt (9.8 KB, 1 views)
File Type: zip MGlogs.zip (143.5 KB, 2 views)

#4  05-20-12, 19:26  chaslang (MajorGeeks Admin - Master Malware Expert)

Quote (bbpathd1): "Then I updated MalwareBytes I already had installed and found 2 registry keys, Trojan agent."
Just a false detection of orphaned registry keys from Adobe.

Your logs are clean.

Yes the PC Tools Firewall is okay to keep.


If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested):
    • Click START then RUN, enter the below into the run box and then click OK. Note the quotes are required:
    • "%userprofile%\Desktop\combofix" /uninstall
      • Note: the space between combofix" and /uninstall must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to Add/Remove Programs and uninstall HijackThis.
  8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  9. After doing the above, you should work thru the below link:

#5  05-20-12, 19:35  bbpathd1

Thanks so much, Chaslang!

#6  05-21-12, 20:58  chaslang (MajorGeeks Admin - Master Malware Expert)

You're welcome. Surf safely!

#7  06-15-12, 16:54  bbpathd1

In the limited account I was still having problems connecting to certain websites, like Verizon, Dell (to look for drivers) and tigerdirect.com looking for Trendnet switch. In the Dell site, for example, the page would look like more of a text page, like the HTML was not being rendered correctly; at the bottom left it said it had errors. When I’d input the service tag, it would not go to the page I needed—just sat there.

I could get to these sites from the Admin acct. I figured it must be some annoying software problem, but I was unsure how I was going to explain it in the Software Forum to get someone to help me figure out what to do about it.

So today I thought I would create a new limited user account and see if I had the same problems with it. When I went to User Accounts to create the new account, I was surprised to see an account that I had never created and that did not show up on the opening screen of users where I would log in:

ASP.NET Machine A (the A has three dots after it, don’t know if leaving them would get me subject to moderation, so I removed them)
Limited acct
Password protected

No one else uses this computer except me, and no one could have ever been physically at the computer to create this account.

I had uninstalled Combofix, but I had not deleted the MGTools folder, so I went back to the files that were from 052012. I was looking for the file that had user information, and I found in Userinfo:

Output from "net user HelpAssistant"
==============================================================================
User name HelpAssistant
Full Name Remote Desktop Help Assistant Account
Comment Account for Providing Remote Assistance
User's comment
Country code 000 (System Default)
Account active No
Account expires Never

Password last set 5/15/2012 8:06 PM
Password expires Never
Password changeable 5/15/2012 8:06 PM
Password required Yes
User may change password No

Workstations allowed All
Logon script
User profile
Home directory
Last logon Never

Logon hours allowed All

Local Group Memberships
Global Group memberships *None
The command completed successfully.


==============================================================================
Output from "net user Administrator"
==============================================================================
User name Administrator
Full Name
Comment Built-in account for administering the computer/domain
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 5/15/2012 8:06 PM
Password expires Never
Password changeable 5/15/2012 8:06 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon Never

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *None
The command completed successfully.


HMMMH, isn’t that a surprise. When I set up this computer, I unchecked Remote Assistance, because I did not want to let anyone have remote access unless I specifically granted it to them. And, there on 051512, same day I began having problems, somehow new users Help Assistant and the computer Administrator set up accounts and password-protected them to boot!

What should I do now?

#8  06-15-12, 18:52  chaslang (MajorGeeks Admin - Master Malware Expert)

All part of Windows. We could see all of these in your previous logs including the UserInfo.txt log you mentioned.
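As an added example (written here by the editor; it is not code from the thread or from the MGtools package), the Python below parses the `net user` blocks that UserInfo.txt captures and applies the check chaslang is making above: is the account one Windows itself creates, is a built-in that ships disabled now enabled, and who besides the built-in Administrator sits in the local Administrators group. The HelpAssistant and Administrator blocks in the sample are taken from the post (abridged to the fields the code reads, with `net user`'s column spacing restored); `svc_backup` is a constructed account that does not exist on the poster's machine, included only so that one flagged result appears. The list of built-in account names is an assumption and should be extended for the machine being examined.

```python
"""Triage the per-account blocks that `net user <name>` prints (the format MGtools captures in
UserInfo.txt): flag accounts that are not known Windows built-ins, built-ins that ship disabled
but are enabled, and extra members of Administrators. Added example, not code from the thread."""
import re

# Accounts Windows or Microsoft installers create on their own (assumed list; extend for your environment).
BUILTIN_ACCOUNTS = {
    "administrator", "guest",
    "helpassistant",     # Remote Assistance account on XP, ships disabled
    "support_388945a0",  # Help and Support account on XP, ships disabled
    "aspnet",            # "ASP.NET Machine Account", created by the .NET Framework 1.x installer
}
SHIPS_DISABLED = {"helpassistant", "support_388945a0", "guest"}
# Field labels exactly as `net user` prints them, longest first so prefix matching is unambiguous.
FIELDS = sorted(["User name", "Full Name", "Comment", "User's comment", "Country code", "Account active",
                 "Account expires", "Password last set", "Password expires", "Password changeable",
                 "Password required", "User may change password", "Workstations allowed", "Logon script",
                 "User profile", "Home directory", "Last logon", "Logon hours allowed",
                 "Local Group Memberships", "Global Group memberships"], key=len, reverse=True)
GROUP_FIELDS = {"Local Group Memberships", "Global Group memberships"}
SECTION_RE = re.compile(r'^Output from "net user (?P<name>[^"]+)"', re.M)


def _groups(value):
    """'*Administrators      *Remote Desktop Users' -> ['Administrators', 'Remote Desktop Users']."""
    return [g.strip() for g in value.split("*") if g.strip() and g.strip() != "None"]


def parse_net_user(text):
    """Return {account: {field: value}}; group fields become lists of group names.
    A line starting with '*' continues the previous group field, which is how `net user` wraps long lists."""
    accounts, headers = {}, list(SECTION_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields, last_group = {}, None
        for raw in text[m.end():end].splitlines():
            line = raw.strip()
            if not line or line.startswith("=") or line.startswith("The command"):
                continue
            if line.startswith("*") and last_group:
                fields[last_group] += _groups(line)
                continue
            for label in FIELDS:
                if line.startswith(label):
                    value = line[len(label):].strip()
                    if label in GROUP_FIELDS:
                        fields[label], last_group = _groups(value), label
                    else:
                        fields[label], last_group = value, None
                    break
        accounts[m.group("name")] = fields
    return accounts


def triage(name, fields):
    """Findings for one account; an empty list means name, state and groups match what Windows itself creates."""
    findings, key = [], name.lower()
    groups = [g.lower() for g in fields.get("Local Group Memberships", [])]
    if key not in BUILTIN_ACCOUNTS:
        findings.append("not a well-known built-in account; confirm who created it")
        if fields.get("Last logon", "Never") != "Never":
            findings.append("has logged on: " + fields["Last logon"])
    if key in SHIPS_DISABLED and fields.get("Account active", "").lower() == "yes":
        findings.append("ships disabled but is enabled")
    if "administrators" in groups and key != "administrator":
        findings.append("member of local Administrators")
    return findings


def password_set_on(accounts, day):
    """Names whose 'Password last set' falls on `day` as printed (e.g. '5/15/2012'), for timeline correlation."""
    return [n for n, f in accounts.items() if f.get("Password last set", "").startswith(day + " ")]


# HelpAssistant and Administrator are copied from the post above, abridged to the fields used here;
# svc_backup is a constructed account that does not exist on the poster's machine.
SAMPLE = """
Output from "net user HelpAssistant"
User name                    HelpAssistant
Account active               No
Password last set            5/15/2012 8:06 PM
Last logon                   Never
Local Group Memberships
Global Group memberships     *None
The command completed successfully.
Output from "net user Administrator"
User name                    Administrator
Account active               Yes
Password last set            5/15/2012 8:06 PM
Last logon                   Never
Local Group Memberships      *Administrators
The command completed successfully.
Output from "net user svc_backup"
User name                    svc_backup
Account active               Yes
Password last set            5/15/2012 8:11 PM
Last logon                   5/15/2012 8:11 PM
Local Group Memberships      *Administrators      *Users
The command completed successfully.
"""

if __name__ == "__main__":
    parsed = parse_net_user(SAMPLE)
    for name, fields in parsed.items():
        print(f"{name}: {'; '.join(triage(name, fields)) or 'nothing stood out'}")
    print("password set on 5/15/2012:", password_set_on(parsed, "5/15/2012"))
```

Feed the whole UserInfo.txt to `parse_net_user` and run `triage` over each entry. An empty finding list says only that the account's name, state and group membership look like something Windows created; `password_set_on` lists every account whose password-set timestamp falls on a given day so that figure can be compared with the rest of the timeline rather than read on its own.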