Hackers from China? Remote Access on My Computer Enabled

Discussion in 'Malware Help (A Specialist Will Reply)' started by Madam, Dec 20, 2010.

  1. Madam

    Madam Private E-2

    Had Avira until a week or so back. It apparently was NOT blocking IPs from China.
    Example:
    21:33:42 Administrator IP-BLOCK 221.192.199.49 (incoming) China Unicom Hebei province network
    22:20:12 Administrator IP-BLOCK 222.186.25.33 (incoming) CHINANET Jiangsu province network
    23:08:09 Administrator IP-BLOCK 221.192.199.49 (incoming) China Unicom Hebei province network
    23:23:30 Administrator IP-BLOCK 58.218.199.147 (incoming) CHINANET Jiangsu province network

    00:48:36 Administrator IP-BLOCK 94.102.60.168 (Type: outgoing)
    00:48:38 Administrator IP-BLOCK 94.102.60.168 (Type: outgoing)
    00:48:44 Administrator IP-BLOCK 94.102.60.168 (Type: outgoing)
    01:15:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    01:15:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    01:15:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    02:44:02 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
    02:44:02 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
    10:32:36 (null) MESSAGE Protection started successfully
    10:34:36 Administrator MESSAGE IP Protection started successfully
    11:13:21 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
    11:35:28 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    11:44:47 (null) MESSAGE Protection started successfully
    11:46:30 Administrator MESSAGE IP Protection started successfully
    12:51:20 Administrator IP-BLOCK 125.46.39.23 (Type: incoming)
    14:01:49 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
    14:26:29 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    14:26:30 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    14:26:30 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    16:50:03 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
    17:18:45 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)

    THAT is just a few of the IPs trying to access my computer 24/7.

    Changed to Norton 360 and started real-time (paid premium) Malwarebytes. Both come on at start-up. Malwarebytes seems to be clocking incoming and outgoing communication. However, this is a single PC on a cable modem. I believe the modem is used when I’m off the PC, as today when I logged onto the PC Firefox was running, and I close all programs and run CCleaner every night before I log off. I now disconnect the modem when I’m NOT on the computer. I’ve disabled all the connections they set up for remote access too. At least I hope I did all of that correctly. I am admittedly a noob.

    I do operate as Administrator and I realize that isn’t “safe” and now I know why. It seems that someone opened a port to communicate remotely and changed some settings allowing them to use my PC.

    Malwarebytes and Norton scans come up “clean”: zero detections.
    Malwarebytes' Anti-Malware 1.50
    Database version: 5340
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    12/17/2010 11:17:58 PM
    mbam-log-2010-12-17 (23-17-58).txt
    Scan type: Quick scan
    Objects scanned: 44219
    Time elapsed: 51 minute(s), 58 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0


    CCleaner used every day.

    Just downloaded HijackThis and was hoping someone could look at the scans.

    Note: I no longer have Earthlink as an ISP; can I delete those files?
     
    Last edited by a moderator: Dec 20, 2010
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!

    Firstly you need to take a look at this:

    HOW TO: Attach Items To Your Post

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. Madam

    Madam Private E-2

    See the notes on Normal MSConfig... I was unable to make that change.
    I'm working on the "cleaning procedures", but I am concerned about my admin user being restricted from making changes.

    Currently running Norton 360 (AV)
    Malwarebytes (premium paid account)

    Norton controls the firewall, not Windows.

    Viewpoint
    Add and Remove Programs doesn’t have anything called Viewpoint. *** But, while roaming around the files in “Start menu”, I see Viewpoint in “Application Data”:
    Viewpoint
    AxMetaStream_Win
    Viewpoint Experience Technology (with 4 or so “resource” files under them).
    But these files are NOT in Add & Remove Programs...

    • Since I can’t delete this with Add & Remove Programs, as it doesn’t appear there, how would you like me to remove this?

    Empty ALL Quarantine type folders for antivirus and antispyware applications.

    2 weeks ago I changed from Avira to Norton. At that time I deleted Avira and went through my system and deleted any Avira files, or old AVG, Trend Micro, and Kaspersky files that weren’t removed by Add & Remove programs. The current AV and Malware programs have NOTHING in quarantine as they claim I have no Viruses or Malware.

    Sun Java
    Does NOT appear in Add & Remove Programs. But old files remain in Applications. Possibly files left behind after removing the program?

    CCleaner
    Use it every day. System and registry come up “clean”.

    Determine whether you have a 32-bit or 64-bit version of Windows
    I used both methods offered and neither provided me the information. Perhaps because my XP is “Media Edition” and not professional or home?

    Microsoft Windows XP
    Media Edition
    Version 2002
    Service Pack 3

    Enable viewing of hidden files, system files and file extensions DONE

    MSConfig – Could NOT perform this action.
    Error message: An Access Denied error was returned while attempting to change a service. You may need to log on using an administrator account to make the specified change.

    ** I am Logged on as Administrator as there are NO other users on my account. However, I believe whoever was able to log in when I had Avira has made changes to my user accounts and possibly even password protected files and changed my admin user actions.

    Uninstall Malware via Add/Remove Programs: NONE of the programs on your list are in my Add & Remove listing.

    Defogger downloaded. Clicked “Finished” and it didn’t tell me to reboot. So I assume I had no files to remove or disable?

    Before I go further I would like to discuss the MSConfig issues and the fact that this isn't the first time I've been told I can't access something as the administrator.

    Any insight would be much appreciated.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Perhaps malware is blocking it. Do continue on and start running the scans as requested. When you attach logs I will review them.
     
  5. Madam

    Madam Private E-2

    It says download all those programs and DO NOT run them.

    Questions: I see WildTangent and Viewpoint in Programs & Applications, but not in Add and Remove. Can I simply delete the files?

    Like I said, I'm NOT tech savvy at all. This is above my head. Since I already had Malwarebytes on my system (the paid version), how do I change the program to mb.exe?

    Defogger ran but told me to do NOTHING?

    Okay, I will continue downloading ALL the programs. Then I will run them and attach the logs...

    Edit: # RootRepeal - do not download or run on 64 bit systems. See: How to check for 32 bit or 64 bit Windows
    In my notes to you I advised you I was unable to determine if the OS was 32 or 64. Can you view my previous post to advise me??
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That was just getting you to download everything before running them. We are at the stage now where they need to be run. :)
    You could delete their folders yes, but it's not of vital importance at the moment, when you eventually attach logs, I can seek out any remnants and delete them.

    Don't worry! You'll be just fine.

    Don't bother, simply run it as per the instructions.
    Normal.
    Yes please.
    Then read it carefully, and follow instructions for your operating system. http://support.microsoft.com/kb/827218
     
  7. Madam

    Madam Private E-2

    Okay, I've run ALL the programs you requested.

    Defogger didn't do much that I could see.

    SUPERAntiSpyware ran and detected nothing.

    Malwarebytes Anti-Malware (paid program) didn't find anything in the scan. BUT, while I was working with another application it found a trojan, and I quarantined and deleted it.

    RootRepeal - I couldn't see where this did anything. Report attached for your review in a zip file with several other reports as a Word doc.

    MGtools - I'm not sure if the report on this will be complete. The command module stayed open FOREVER and never closed on its own, until I started to run another application. The zip files it produced are attached.

    Combofix.exe - This was the only program that detected anything and deleted anything. Although, it made me turn off my AV and stay on the net, which I didn't want to do because I am getting pinged (and accessed when I had Avira) by IPs from China 24/7. It did eliminate a few items, but Windows errors appeared a few times. So I wonder if it didn't do everything it should have done.

    Remember: My main concern is that I am the Administrator. This is a single PC on a cable connection. I don't belong to any network. I don't work remotely. I wouldn't use my modem to dial in and work anywhere else. I never set up elaborate custom things like my MSConfig is set up, as I'm not that computer savvy. I don't parent-lock or password-protect files on my computer, because I am the only user of this PC and wouldn't have a reason to do so.

    I would like to eliminate the "locked" files on my computer. I would like to stop the China IPs from accessing my computer. I would like to disable their set-up, as I can see they indeed have one established on my PC: there was a Network connection set up for them (one I know I don't use), and when I went to click into Network Connections it said I didn't have access to the network, as I wasn't the administrator, which of course I am.

    So someone else is working as "Administrator" and password-protecting their files. I want to find those and eliminate them, cleaning and resetting my computer.

    Can you help me find and rid the computer of them? As I don't think a malware scan will find this information.

    I can use Malwarebytes' FileASSASSIN to delete the locked files if you think it will help me and not damage my computer.

    Scans attached. THANKING YOU in Advance for your time, talent and help with these issues.
     

    Attached Files:

  8. Madam

    Madam Private E-2

    Just an update on my system:
    I re-ran ComboFix to see if it would find anything else, since it had some issues last night. It ran but didn't seem to do anything else. I have a new scan available if you'd like to see it.

    Malwarebytes is still blocking the China IPs from logging into my computer. See log below. I unplug my modem now whenever I'm not using my computer. I don't know of any other way to stop the pinging; I'm afraid they may eventually gain entry again.

    Malwarebytes Protection Log from 12/21/10:
    01:17:13 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
    02:01:48 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    02:53:42 Administrator DETECTION C:\Uninstall.exe Trojan.Agent DENY
    02:53:42 Administrator DETECTION C:\Uninstall.exe Trojan.Agent QUARANTINE ( I deleted this I hope that was okay)
    04:06:41 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
    04:39:06 Administrator MESSAGE Protection started successfully
    04:39:31 Administrator MESSAGE IP Protection started successfully
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    05:06:36 Administrator MESSAGE IP Protection stopped
    05:07:42 Administrator MESSAGE Database updated successfully
    05:07:49 Administrator MESSAGE IP Protection started successfully
    10:44:21 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    12:36:47 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
    13:37:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    13:37:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    13:37:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    13:37:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    13:37:50 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
    17:41:18 Administrator MESSAGE IP Protection stopped
    17:42:44 Administrator MESSAGE Database updated successfully
    17:42:52 Administrator MESSAGE IP Protection started successfully
    17:51:38 Administrator MESSAGE Protection started successfully
    17:51:49 Administrator MESSAGE IP Protection started successfully
    18:14:52 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
    22:21:49 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)

    MSConfig: after running ComboFix it is now in "Normal" mode. However, when I tried to edit something at 5:56 p.m. this evening I got that same error message I mentioned to you before:

    An Access Denied error was returned while attempting to change a service. You may need to log on using an administrator account to make the specified change.


    Of course, I AM the administrator. So I believe someone else has administrator rights as well and has a password on their admin login.

    The system is still extremely SLOW to boot up. And it is booting up with programs I haven't used in eons: Yahoo IM, Windows IM and a host of others, since using ComboFix. I guess because they are in the start-up menu. You mentioned not using MSConfig's start-up menu anymore. So where are the instructions on how to stop using MSConfig? I can set some programs NOT to appear at start-up, but not all of them. HELP! :)

    Norton 360 also offered a listing of files it felt could be "dangerous", although it didn't tell me to delete them; they just aren't "Norton approved". Would you like me to provide their listing? Perhaps comparing it with the scans of the other programs would be helpful.

    Please advise.
    :)
    M
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    MGTools did not run to completion.

    Please rename it to 123.com and try running it again. Attach the C:\MGlogs.zip if successful. If it fails again then do this:

    Download OTL to your desktop.

    • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator.)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.

    Are you running any p2p software such as Limewire for example?
     
  10. Madam

    Madam Private E-2

    Hi
    Sorry for the delay in my response. I've been out all day for "Christmas" stuff. :(
    Don't want to sound like a complete idiot. But how would I "rename" MGtools once it's downloaded to my C drive? Simply right-click and rename the program? Or what? Clueless here. And it may not have run completely because, as I stated, I waited for what I thought was forever and then decided it was hung up and went on to run another program. When I did that the command module vanished. Can I simply try to re-run it again as is? And can I delete the two files it produced before doing so?
    Please advise.
     
  11. Madam

    Madam Private E-2

    Okay, I changed the existing zip file and regular file produced by MGtools to something else, so when I tried to re-run the program it wouldn't tell me a file already exists.

    But the command sat for over an hour doing nothing... The last phrase being:
    Ignore any error message blah blah. Just wait for the program to finish running.
    The command module is STILL there doing NOTHING... over an hour 20 minutes later.

    Downloaded OTL to my desktop. Clicked Run and got a "Windows needs to close" error message asking me if I wanted to send the report to Microsoft. That same error happened 3 times when I tried to run OTL.

    So does that mean OTL won't run and MGtools is being blocked from performing? I turned Malwarebytes and Norton off. That didn't help. Not to mention it puts me at risk from the IPs that keep pinging my modem regularly.

    Question: When I sign into Firefox and access the internet, it looks like I am sharing a network with the IPs below... So how would I remove THEM?

    Norton's Recent History says this:

    Connected to a shared network (192.168.100.0/255.255.255.0) Status (Shared)
    Note: IP Search says it is NameServer: BLACKHOLE-1.IANA.ORG

    Protecting your connection to a newly detected network on adapter Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport (IP address 192.168.100.10)
    (Status: Detected)
    Note: Ip Search says it is: NameServer: BLACKHOLE-1.IANA.ORG

    Connected to a protected network (x.x.216.0/255.255.248.0)
    IP Search says this is OrgName: Road Runner HoldCo LLC * This would be the only connection I WANT...

    Connected to a shared network (00 OT 21 DE Ad 02)
    IP Search says: "00 ot 21 de ad 02" could not be resolved. Make sure that you enter a valid IP address, host or domain name.

    So it looks like every time I sign on I am linked to a strange network. Therefore, I would really like to start working on getting rid of these people. Can we move forward without the MGtools and OTL reports? I'm really getting scared to even be on my computer doing my daily work. :(
     
    Last edited by a moderator: Dec 23, 2010
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First let me make a couple of comments based on reading your messages, and I don't want you to take this the wrong way. So read it with a lighthearted mind. You need to calm down and stop misinterpreting things, and you should likely stop investigating things on your own because it seems to be leading to some paranoia. ;)

    Any incoming IP addresses that are being blocked via your Norton Security program's firewall or by Malwarebytes are not problems. This is why you install programs like this to begin with: to block the external hacks. It is quite normal for hackers all over the world to be just hunting for valid IP addresses to see if they can get past any security (or to look for a lack of security).

    You mentioned a modem in your messages. Do you have a router too? If not, is your router part of your modem (DSL or cable?)? Routers and modem/router combos normally also have built-in hardware firewalls, and you need to make sure it is turned on to add another layer of protection before anything even gets to your PC.

    You should also connect to your router and make sure that you have disabled responding to ICMP pings.

    Again, as stated above, I believe you may be misinterpreting what you are seeing. This is likely your own local network (the one on your PC's side of your modem/router). It is normal to have things set by default to something in the 192.168.x.x area.

    This is part of the external network that your ISP has assigned to you, and I will be editing it for your security, since you should not post it in an open forum. It is not really a major issue, but it is just more secure not to post it. The end IP address you use to connect to the internet is part of this network created by your ISP.

    Now let's see if we can make some headway with MGtools! Make sure that ALL protection software is shut down before doing the below to avoid possible interference. You can disconnect your cable to the internet while doing this if it makes you uncomfortable to do the scans while connected with protection disabled.


    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    nwktst <-- this will try to run just one scan from MGtools. Tell me what error messages, if any, you see.
    analyse <-- this will try to run Trend Micro HijackThis. Click twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run just one scan from MGtools. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run just one scan from MGtools. Tell me what error messages, if any, you see.


    Try each of the above commands and, after trying all of them, locate the C:\MGlogs.zip file and attach it to your next message.
     
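    As an added illustration of the two points made in the post above (incoming blocks are the protection doing its job, and 192.168.x.x entries are local address space), here is a small Python triage script. It is not code from this thread, from Malwarebytes or from Norton. It parses protection-log lines in the format posted in this thread, counts incoming blocks per address, lists outgoing blocks and file detections separately (those are the only entries that point at activity on the host itself), and classifies address strings of the kind Norton's connection history shows as private, public, a MAC address, or unparseable. The sample log lines and the MAC address are constructed for the example; the redacted entry is kept redacted to show how it is handled.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the Malwarebytes 1.50 protection log
# quoted in this thread; it is not the poster's actual attachment.
SAMPLE_LOG = """\
00:48:36 Administrator IP-BLOCK 94.102.60.168 (Type: outgoing)
01:17:13 Administrator IP-BLOCK 221.192.199.49 (Type: incoming)
02:01:48 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
02:53:42 Administrator DETECTION C:\\Uninstall.exe Trojan.Agent DENY
02:53:42 Administrator DETECTION C:\\Uninstall.exe Trojan.Agent QUARANTINE
04:39:06 Administrator MESSAGE Protection started successfully
04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
04:57:05 Administrator IP-BLOCK 58.218.199.147 (Type: incoming)
"""

IP_BLOCK_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<user>\S+) IP-BLOCK (?P<ip>\S+) "
    r"\(Type: (?P<direction>incoming|outgoing)\)"
)
# The path may contain spaces, so it is matched greedily and the threat name
# and action are anchored at the end of the line.
DETECTION_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<user>\S+) DETECTION (?P<path>.+) "
    r"(?P<threat>\S+) (?P<action>DENY|QUARANTINE)$"
)


def parse_protection_log(text):
    """Split a protection log into IP blocks and file detections.

    MESSAGE lines ('Protection started successfully' and the like) are
    ignored. Returns (blocks, detections): blocks is a list of
    (time, ip, direction), detections a list of (time, path, threat, action).
    """
    blocks, detections = [], []
    for line in text.splitlines():
        line = line.strip()
        m = IP_BLOCK_RE.match(line)
        if m:
            blocks.append((m["time"], m["ip"], m["direction"]))
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append((m["time"], m["path"], m["threat"], m["action"]))
    return blocks, detections


def triage(text):
    """Summarise the log the way a responder reads it.

    An incoming block is an unsolicited connection attempt the host refused;
    a count per source address is all it is worth. An outgoing block means a
    process on this machine tried to reach a flagged address, so every such
    destination is listed for follow-up, as is every file detection.
    """
    blocks, detections = parse_protection_log(text)
    incoming = Counter(ip for _, ip, d in blocks if d == "incoming")
    outgoing = Counter(ip for _, ip, d in blocks if d == "outgoing")
    return {
        "incoming": dict(incoming),
        "outgoing": dict(outgoing),
        "detections": detections,
        # Only outgoing blocks and detections point at activity on the host.
        "needs_followup": bool(outgoing) or bool(detections),
    }


MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[ :-]){5}[0-9A-Fa-f]{2}$")


def classify_network_entry(entry):
    """Classify an address string as it appears in a firewall's history.

    Accepts 'a.b.c.d', 'a.b.c.d/mask' (dotted mask or prefix length) or a
    MAC address. Returns 'private' for RFC 1918 and other non-routable space
    (a LAN, or the cable modem's own side of the link), 'public' for routable
    space, 'mac' for a hardware address (not an IP, so an IP lookup on it can
    never resolve), or 'unparseable' for anything else, including entries
    that were redacted before posting such as 'x.x.216.0/255.255.248.0'.
    """
    if MAC_RE.match(entry):
        return "mac"
    try:
        if "/" in entry:
            addr = ipaddress.ip_network(entry, strict=False).network_address
        else:
            addr = ipaddress.ip_address(entry)
    except ValueError:
        return "unparseable"
    return "private" if addr.is_private else "public"


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("incoming blocks per source:", summary["incoming"])
    print("outgoing blocks per destination:", summary["outgoing"])
    print("detections:", summary["detections"])
    print("needs follow-up:", summary["needs_followup"])
    for e in ("192.168.100.0/255.255.255.0", "192.168.100.10",
              "58.218.199.147", "00 1A 2B 3C 4D 5E", "x.x.216.0/255.255.248.0"):
        print(e, "->", classify_network_entry(e))
```

    Run against the constructed sample, the two China-registered sources show up only as incoming counts, while the single outgoing block to 94.102.60.168 and the C:\Uninstall.exe detection are the items flagged for follow-up, which matches the reading given in the post above. The 192.168.100.x entries classify as private, and the MAC-address entry is reported as a hardware address rather than something an IP lookup could ever resolve.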
  13. Madam

    Madam Private E-2

    you should likely stop investigating things on your own because it seems to be leading to some paranoia
    lol :) I didn't take offense to your comment. I AM Paranoid. :( I don't want anyone using my connection or changing my settings and from what I can see on my computer they have been changed. Oh and THANK YOU for editing my posts to delete anything you feel would leave me open to more hacking or general drama. I just wanted to let you know what I was seeing... Thought it would be helpful.

    Let me see if I can answer your questions.
    Of the ISP mentioned in Norton that I was supposedly "connected to" only 1 was my ISP. Or so I think. :)

    Do you have a router too? No router.
    If not, is your router part of your modem (DSL or cable?)? Umm, ::waves:: Tech noob here. I have the standard-issue WebSTAR modem given to me by the cable company.
    You should also connect to your router and make sure that you have disabled responding to ICMP pings. ?? Clueless. I have NO idea how to do that or if I even can.

    Why I think someone actually gained entrance remotely to my computer is because in Network Connections, even though I am the Admin and ONLY user, I was locked out of the network workgroups. AND there are 2 LAN connections. I've only ever used 1, and I noticed the other was enabled and in use. I disabled it.

    Now let's see if we can make some headway with MGtools! Yeah, because it is still "hanging", and it has been since 10:30 (3 1/2 hours), not moving from the message I posted earlier.

    I will try to run it again. I printed your instructions. I will unplug my modem, as Malwarebytes is blocking those China IPs like a MoFo every few minutes. :) THANK YOU for helping me. You're right. This whole ordeal is stressing me out. 0_o
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What model #?

    Again you may just be misreading what you are seeing. Most PCs will show several things in the Network Connections area by default. Some will be for wired connections, some for wireless, some for USB, some for firewire...etc. Show me a snapshot ( must be legible ) of what you are looking at. However when I get logs from MGtools, it may also give some info.

    Just terminate the previous one first if you have not already done so.

    You're welcome. Don't panic. If MBAM and your firewall are blocking them, you have nothing to worry about. That's why you install protection. ;)
     
  15. Madam

    Madam Private E-2

    Modem: Scientific Atlanta Inc. DPC 2100 Series P/N 4007925

    I am in the command window. At the prompt

    Documents and Settings\Administrator> (I type) cd\MGtools and it says:
    The system cannot find the path specified. Am I doing something wrong?

    Edit: I tried to start the program the standard way. This time, instead of "hanging up" and doing NOTHING, it gave me about 20 "Access is denied" messages and then grep: c:\MGtools\temp\Xlmint2.txt Permission denied

    Now I'm more confused than ever. lol
     
    Last edited by a moderator: Dec 23, 2010
  16. Madam

    Madam Private E-2

    Okay, even after the "No Access" messages and other errors I kept trying and trying.
    Finally it seems to have worked, as I was able to enter each command at the prompt.

    cd\MGtools said Checking: (and listed a host of items it was checking)
    analyse did bring up HJT and I saved the report. Attached for your reference.
    ShowNew: Finding Copies Of: (and provided a list of files, no errors)
    GetRunKey: That brought up the standard message (Running Scan, Ignore any error)

    It never does anything after that... a cursor just blinks under that message and nothing ever appears again. Not even a message to exit. ::shrugs:: The command module is still up and the cursor is doing nothing.

    I have attached the files I got from this so you can check them out.

    Again, THANKS!!
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the below file to your next message:

    C:\MGtools\temp\rkeysxxx.txt

    Make sure that you attach the above file BEFORE doing the below.

    Now download and save the below to the C:\MGtools folder

    G257.bat

    Then go back to the command prompt and get back into the C:\MGtools folder ( like previously requested ) but this time run G257.bat. Now tell me what happens. I'm trying to locate where the GetRunKey one has been hanging on you.


    By the way, I edited out your MAC address for your modem that you posted in message #15. I only wanted the model number. Posting your MAC address is not a good idea since it is the physical address of your modem.
     
    Last edited: Dec 23, 2010
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on the below documentation

    https://cprop.fibertel.com.ar/faqs/remoto/downloads/WebStar-DPC2100.pdf

    for your cable modem, it looks like it does not even have a firewall. At least there is no mention of it that I saw in this documentation. It would be in your best interest to insert a router with a firewall in between your PC and the cable modem. See the figure on page 11 where it shows an Ethernet hub (which, by the way, is a stupid idea of theirs); you should replace this Ethernet hub with a router. Modern routers are all switches and also have hardware firewalls built into them, which gives you an added layer of security. In addition, the router gives you the ability to configure/change parameters for security (example: enabling/disabling answering of pings, blocking various ports, etc.).
     
  19. Madam

    Madam Private E-2

    I will most definitely look into installing a router. As paranoid as I am about malware, keyloggers and viruses I probably should have had one already. The cable company doesn't tell you anything. They just provide cable and give everyone the same modem. Had I known about the firewall on a router I would have bought one years ago.

    And THANK YOU for always looking after me. Seems I really am doing a disservice to myself in this forum by providing too much information in this thread. Thankfully, you keep deleting my stupidity looking out for my internet safety. With what I've been doing here no wonder I have system issues. :(
     
  20. Madam

    Madam Private E-2

    Attached is the file you requested. I am off to perform the other tasks now.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes, the additional layer of security is good, and also if you need or want to add wireless support, you can do this by adding a router that has wireless capability (most do).

    No problem. That's why we are here ;) As well as trying to remove malware, we strive to help teach you to protect yourself properly.:)
     
  22. Madam

    Madam Private E-2

    When I try to click on the link to G257.bat
    I get ISP CP Omega
    Error 404
    /Chaslangsfile/G257.bat file not found.

    So I am at a loss as to what to do next.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on this log, my suspicions were correct and the new scan should work. You were hanging at the below point
    And the new G257.bat file skips this scan.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I just fixed that. Try it now.
     
  25. Madam

    Madam Private E-2

    Got it downloaded and slapped it in the MGtools folder. Off to try the cmd work now. THANKS for fixing the issue.
     
  26. Madam

    Madam Private E-2

    It says:
    Running scan with GetRunKeys
    Then the standard message(Ignore Any Errors)
    then it says: Adding RunKeys.txt
    then back to MGtools prompt ( and nothing further)
     
  27. Madam

    Madam Private E-2

    I just wanted to mention that a day or two ago, after running ComboFix, it eliminated the existing “Custom Start Up” from MSconfig. I was at "Normal Startup". That stayed in Normal Start up that day and yesterday.

    I just looked at MSConfig again because the start up today took FOREVER and it started over 40 programs.

    It is back to Custom Start Up again.

    Now, I don’t normally do “custom” anything. So how would it have switched from Normal to Custom in the last 2 days?

    When I tried to edit (alter ) the MSconfig start up to eliminate some of the 40 programs from the start up menu, it says:

    An Access Denied Error was returned while attempting to change a service. You may need to log on using an administrator account to make the specified change.

    Now, I AM the administrator. So why can’t I make these changes.

    AND

    How did my system go from Normal Startup (after combofix ran) to a custom start up when I have made no changes in MSConfig since talking with MajorGeeks??
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That means it finished running. Attach the C:\MGlogs.zip file which will now include this log.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The most likely reason is due to the protection of Norton 360 and Malwarebytes blocking the real change to Normal Startup and putting you back to a previously locked state which was a Selective Startup mode.

    Norton 360 and Malwarebytes are also likely large contributors ( Norton the largest ) to your startup time, but I will comment further after getting your new log. Also it looks like Norton was just installed on 12/12/2010.

    Either way, thus far, it does not look like you are having malware problems.... at least not based on what I have seen thus far.
     
  30. Madam

    Madam Private E-2

    Here is the new MGtools zip
     

    Attached Files:

  31. Madam

    Madam Private E-2

    So they would allow Normal start up for 48 hours and then decide to change it back to some odd custom start up with over 40 processes that I never created? It took over 15 minutes to start up and even longer to gain access to firefox today.

    I used Norton in 2003 & 2004 (ditched because it was SLOW & didn't catch all viruses)
    Got Trend Micro & used it for 2005 & 2006.
    Switched to AVG for 2006,& 2007. (downloaded from here)

    Downloaded Ccleaner (from here) and started using it daily.

    Majorly screwed up my system in 2008. Best Buy Geek Squad came to help restore it. Suggested Kaspersky. I used it in 2008 ditched because it slowed my system and wasn't all that "user friendly".

    Got premium Avira in 2009. (downloaded from here) Avira kept showing me so many locked files it couldn't scan and its scans always produced some "issue" I started to question how well they were protecting my system. In fact, I noticed Combofix eliminated a lot of the crap Avira talked about in scans but did nothing about. At least I THINK Combo Fix got rid of them. Maybe you can explain that to me.

    Anyway, I purchased Malwarebytes (downloaded from here) & saw Avira had missed some Malware AND wasn't blocking the China IP's from accessing my account.

    My point? lol :-D Yes, yes I know... I talk too much. :-o My system was SLOW to startup with most of these AV programs. That was part of the reason for me dumping Kaspersky for Avira. But currently with 40 processes at start up it is ridiculously SLOW..

    I read good reviews about Norton 360 and was told it wasn't as "bloated" as it was way back when. So I went back to it as Avira was expiring and they had pissed me off by not catching items Malwarebytes was catching and "blocking".

    So why the passwords on the Admin user?
    Passworded files I didn't create?
    The fact that I can't make changes in MSconfig because I don't have access?
    And the fact that a network connection my computer never used before was "enabled" and I couldn't alter changes to "network connections" even as "admin".

    Could someone else sign in as Admin remotely and use my connection? Passwording MY Admin user so I can't change their set up? ::scratches head:: :confused

    I want to clean up the crap on my system I don't need. (if you can help me here that would be AWESOME!)

    I want to get rid of the 40 processes now loading at start up.

    I would like my system "simple", clean and fast again.. I reformatted my computer in 2008. That was the fastest it had been in ages. But you're right, when I loaded an AV (Kaspersky) it SLOWED way down. :(

    Any help you can provide cleaning up dead weight would be most appreciated. Any help with the inability to make changes because as Admin I'm locked out would be helpful too. As I'm still confused about the IPs hitting my system (they just did it again while I was typing this). I will go out tomorrow in search of a router for my system for added security. THANK YOU for suggesting that to me. :D
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it would not normally occur 48 hrs later but could have if you had not rebooted in that time frame. It may have only changed them back after a reboot.

    You are incorrect about the 40 processes "that you never created". They were always there based on what Windows needs to run and what you have installed and run. Below I will list in associated groups of what I see which is currently 41 processes but some are due to MGtools being run to obtain the log. So there are 38 total processes running due to Windows and your PC/you. ;)

    Group 1 - Processes for Windows or other software from Microsoft ( like Office...etc) (22 processes )
    Code:
    alg.exe              - Required process for Windows
    csrss.exe            - Required process for Windows
    ctfmon.exe           - Related to MS Office
    ehmsas.exe           - Part of Microsoft Windows Media Center
    ehSched.exe          - Microsoft Media Center which adds additional multimedia functions to your PC
    ehtray.exe           - Part of Microsoft Windows Media Center   - loads system tray icon that allows you to control various aspects of Media Center
    explorer.exe         - Required process for Windows
    lsass.exe            - Required process for Windows
    MDM.EXE              - Machine Debug Manager or Office Source Engine, belongs to Microsoft Visual Studio .NET or Microsoft Development Env
    MsPMSPSv.exe         - From Windows Media player. Allows for Secure Digital Music Initiative protocol
    services.exe         - Required process for Windows
    smss.exe             - Required process for Windows
    spoolsv.exe          - Required process for Windows
    svchost.exe          - Required process for Windows - you will always see a bunch of these
    svchost.exe          - Required process for Windows
    svchost.exe          - Required process for Windows
    svchost.exe          - Required process for Windows
    svchost.exe          - Required process for Windows
    svchost.exe          - Required process for Windows
    svchost.exe          - Required process for Windows
    winlogon.exe         - Required process for Windows
    wmiprvse.exe         - Required process for Windows
    Group 2 - Processes from Software you installed or came with your PC ( 16 processes )
    Code:
    ccsvchst.exe         - For Norton
    ccsvchst.exe         - For Norton
    nvsvc32.exe          - For Norton
    mbamgui.exe          - Malwarebytes process - you installed
    mbamservice.exe      - Malwarebytes service - you installed
    CTsvcCDA.EXE         - Installed with your Creative Labs sound card
    firefox.exe          - Firefox   - opened because you opened it
    plugin-container.exe - Firefox plugin container   - running because you ran Firefox
    E_FATIAJA.EXE        - Process associated with EPSON Status Monitor
    hpgs2wnd.exe         - HP's Share-to-Web software makes it easy to share content with others online
    hpgs2wnf.exe         - HP's Share-to-Web software makes it easy to share content with others online
    hpsysdrv.exe         - Part of your HP software. If not running, it can prevent the running of the Application Recovery CDs, the use of the multimedia keys, and the HP Instant Support.
    Shwicon.exe          - USB Card Reader tray icon. Shows when the device is plugged in
    taskmgr.exe          - Windows Task Manager for Windows. Probably open because you opened it.
    WINWORD.EXE          - Windows Word   - opened because you opened it or something you ran opened it to view a document
    YahooAUService.exe   - Running because you installed Yahoo Toolbar and Messenger. This is their autoupdater.
    Group 3 - Processes running because MGtools was running but they are all part of Windows ( 3 processes )
    Code:
    cmd.exe              - Windows command prompt program, running because MGtools scan is running
    ntvdm.exe            - Windows 16-bit Virtual Machine , running because MGtools scan is running
    tasklist.exe         - Windows task lister program, running because MGtools scan is running
    And note that you have the below 5 services trapped in MSconfig as disabled services. These would be running too at startup if not trapped in MSconfig, and they are all from software you installed:
    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    "Apple Mobile Device"=dword:00000002
    "Bonjour Service"=dword:00000002
    "JavaQuickStarterService"=dword:00000002
    "IntuitUpdateService"=dword:00000002
    "iPod Service"=dword:00000003

    Uninstall Norton 360 and see how long it takes as a test. At least you will be able to answer whether it changes anything or not. But since Norton almost never uninstalls properly, you will need to run the below after uninstalling to cleanup more.

    Norton Removal Tool (SymNRT)

    You can always reinstall afterwards if you do not see any change.

    Not sure if Norton 360 really made enough progress. It may only be the more recent programs from this year.

    NORMAL!!!! There are many system files that Windows locks and will not allow a scanner to run.

    Nothing that ComboFix removed was really a problem.

    Passwords on which files exactly?

    Potentially, especially if you had remote desktop sharing allowed, and it is also easier if your real Administrator account has no password on it. If it is not password protected, anyone getting on to your PC as the Administrator account has full control of everything. However, I see no signs of this. Vista has constantly been problematic with causing permissions issues. There are hundreds if not thousands of posts on the internet about permissions problems with Vista.

    I will give you some steps below to cleanup what I consider unnecessary, but anything else is up to you. It is impossible for me to really know what you need versus what I would need. Complete the instructions in the order given.

    First uninstall SUPERAntiSpyware now since you improperly installed the program to your root folder instead of to its own folder within the C:\Program Files folder. Do not reinstall it at this time. Just leave it uninstalled.



    Now we need to use ComboFix to remove some non-malware items to improve startup and to remove some left over junk
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
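    The five "trapped" entries listed above are exactly what the following script looks for. It is an added example, not chaslang's or MGtools' code; it assumes an elevated PowerShell session on the affected Windows PC, reads the same MSConfig registry key quoted above, and reports for each disabled service whether it is still registered and whether its executable is still on disk, so the leftovers of programs uninstalled while disabled stand out.

```powershell
# Added example (not from the thread): audit services that MSConfig has
# "trapped" as disabled. MSConfig records each service it disables under this
# key, storing the service's ORIGINAL start type as the value (2 = Automatic,
# 3 = Manual) so that "Normal Startup" can restore it. If the program is
# uninstalled while it sits here, the entry is left behind.
# Assumes an elevated PowerShell session on Windows.
function Get-MsconfigTrappedServices {
    $msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\services'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    if (-not (Test-Path $msconfigKey)) { return }   # nothing disabled via MSConfig

    $entries = Get-ItemProperty -Path $msconfigKey
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }     # provider metadata, not a service
        $name       = $prop.Name
        $svcKey     = Join-Path $servicesKey $name
        $registered = Test-Path $svcKey
        $imagePath  = $null
        $fileExists = $null

        if ($registered) {
            $imagePath = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
            if ($imagePath) {
                # Take the first quoted or unquoted .exe/.sys token of the ImagePath
                $m = [regex]::Match($imagePath, '^"?([^"]+?\.(?:exe|sys))', 'IgnoreCase')
                if ($m.Success) {
                    $exe = [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value)
                    # Normalise the NT-style prefixes drivers commonly use
                    $exe = $exe -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
                    if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
                    $fileExists = Test-Path -LiteralPath $exe
                }
            }
        }

        $status = if (-not $registered) { 'ORPHANED: service key gone (program uninstalled while disabled here)' }
                  elseif ($fileExists -eq $false) { 'BROKEN: service registered but its executable is missing' }
                  else { 'OK: still installed, only disabled by MSConfig' }

        $startLabel = switch ([int]$prop.Value) {
            2       { 'Automatic' }
            3       { 'Manual' }
            4       { 'Disabled' }
            default { "Unknown($($prop.Value))" }
        }

        [pscustomobject]@{
            Service       = $name
            OriginalStart = $startLabel
            Registered    = $registered
            ImagePath     = $imagePath
            Status        = $status
        }
    }
}

Get-MsconfigTrappedServices | Format-Table -AutoSize -Wrap
```

    Entries reported as ORPHANED have no service to re-enable; the MSConfig value itself is the leftover.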
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just realized that I had said Vista while you are using XP. So this does not completely apply as much but there are problems within Windows XP too that cause permissions issues.
     
  34. Madam

    Madam Private E-2

    I shut my system down every day. So I did reboot. It's just odd because so many of the programs running (in the 40+ processes) I haven't seen in the task manager in YEARS. And I review my task manager every day as I watch what is running. Especially when my system slows.

    Some of what is there I don't use and as I mentioned haven't seen running in years. They didn't reappear until after the combofix and other programs we ran did their thing. ::shrugs::

    The programs or processes above are ones I haven't seen in the task manager for eons. I seldom (very rarely) use the media center so maybe I disabled it from starting at system start up years ago. And I don't know how Microsoft Visual Studio got installed (I don't use it but maybe my system does) but I see an assload of updates in Add/Remove programs for that thing.

    And THANK YOU for the information about Svchost.exe I've always wondered WHY so many of those run in the Windows Task Manager. Some using a considerable amount of memory.

    Again, the above processes I haven't seen in the Windows Task Manager for years if ever at all.

    CTsvcCDA.EXE That one is totally "new" to me. It may have come with the PC but it hasn't run at Start Up or in the task manager for years if ever. WHY now?

    hpgs2wnd.exe I don't share remotely. I've never used these programs. I've always heard that the HP programs are memory hogs and that HP tends to be nosy. Sending their site information from my system. So I may have disabled these processes years and years ago. As I haven't seen them in the Window Task Manager since maybe 2004?

    hpsysdrv.exe This one DOES come up at Start Up and runs in the task panel all the time. I never stopped it because I wasn't sure what it did and the "drv" part made me nervous. So I left it alone. ;)

    YahooAUService.exe Even though I do use yahoo that updater hasn't been seen in my task manager for a LONG time. I must really be behind in my yahoo updates lol:-D

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    "Apple Mobile Device"
    "Bonjour Service"
    "JavaQuickStarterService"
    "IntuitUpdateService"
    "iPod Service"

    Apple Mobile Device isn't in Add/Remove programs as I deleted it after downloading I-tunes a year or more ago. The same goes for Bonjour Service & Ipod service.

    IntuitUpdateService was part of a program I deleted last year. So I wonder why this part got hung up and didn't uninstall.

    Actually, My I-Tunes isn't working right now and hasn't in awhile. I'm not an I-tunes fan and seldom use the program. I was going to uninstall I-tunes and redownload it because it won't open currently. But I KNOW Bonjour the Mobile device & Ipod service were removed from Add/Remove programs but files still exist in applications.

    Do I have to do that now? Can it wait until we do all these other things?

    Well that will SUCK because I just bought it and installed it and it wasn't cheap so I'm "in" for a year. :-o

    I will try to screen cap come of these to show you what I see and upload them later.

    I was ALWAYS careful NOT to allow remote access to my computer. And the only port open was the real tek until I popped over to Network Connection last week and saw the other network connection was now "on" and I couldn't get into "network connection work groups" because I (the admin) didn't have permission. I've never set a password for ANYTHING on my system. So as Admin I should be able to access ANYTHING. Thus why I think the China IPs being blocked by Norton and Malwarebytes were able to get on my PC when I had Avira. Oh and when I go to Users the Admin does have a password, at least the box is checked. But damn if I know what it is or how that box got checked.

    I don't know if this is allowed or not. But THIS is Exactly WHAT I was/am experiencing and all these people had Avira free version at some point. Please delete this if its not appropriate to share here.

    Take a look at THIS site. Same problem as I am having with the China Ip’s pinging me for access and interestingly enough they were running Avira free AV
    Malwarebyetes forums
    http://forums.malwarebytes.org/index.php?showtopic=70747

    'famous' registry key no one at Avira wants to talk about?
    http://www.wilderssecurity.com/showthread.php?t=268242&page=17
    The Avira connection to the China Ip's

    Read This as it is what was happening to me before I uninstalled Avira and went with Norton. Although, the China IPs are still relentless.
    http://forum.avira.com/wbb/index.php?page=Thread&postID=939438#post939438

    I am running Windows XP Media Edition Service Pack 3 NOT Vista.

    Cool :cool I sincerely appreciate the help. I know by now I'm a pain in your ***. :-o But I have learned a lot from your advice and would love to eliminate all the crap from this old computer.

    Since this doesn't appear in add & remove programs. And there is no uninstall module for it in my C drive. How would I do this properly. I know I probably should know this. And You're probably rolling your eyes and sighing heavily at my stupidity but I don't want to mess anything up here and I can't find an uninstall. :(

    I will start all your other requested tasks after advice on the un-installing of SuperAntiSpyware.
     
  35. Madam

    Madam Private E-2

    Yeah, I caught that and commented on it. ;)
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps because you had been using MSconfig or another program to stop some of them from loading. They were always there but maybe some disabled.

    It has nothing to do with ComboFix or the other scans as they do not change whether these programs startup or not. As I said above, it has to do with MSconfig or a similar program being used. Even some antivirus/protection type programs sometimes include the abilities to control startup processes. It really does not matter at this point since they are all normal processes. Some necessary and some not. And I already gave you a possible fix for the ones that are not, and also the fix addresses a bunch of other non-malware issues.

    You left lsass.exe in this list. There is zero chance that this was not running. Windows would not run for more than 60 seconds without this process running. So it was always there.

    It is used by many programs. Some Microsoft and also many others. So you may not have directly installed it yourself.

    Quite normal. Many other programs/processes being run on your PC are responsible for some of these svchost.exe processes running. They use svchost.exe to run.

    As stated above, MSconfig is no longer being used to stop it or others.

    All of these became issues because you used MSconfig to control startups and then uninstalled various programs while disabled. This made a full uninstall impossible and left all of these residuals around and also trapped these stuck keys in MSconfig since the programs no longer exist. This was all explained in the READ & RUN ME where we said not to use MSconfig and explained some of the reasons why.

    You can wait to see the effect of my proposed fix to see what happens before doing anything with uninstalling Norton.

    ?????? If this is true then it is potentially the source of many problems. Every user account ( this includes your account and also the special Administrator account ) should have been password protected. Not doing so would allow any program, any hacker that gets on to your PC, any person using your PC,....etc to do anything they want..... even changing passwords or adding passwords to lock you out.

    Still not completely true, as Windows is still in control of some things. Also, being logged into a user account that has admin privileges ( i.e., a member of the administrative group ) does not mean you have the same privileges as the Administrator user account, which is a special system level account.

    First let me clear up something you are likely misrepresenting. Avira does not include a firewall and would not look at incoming and outgoing packets on your internet connection like Norton does since Norton 360 includes a firewall.

    Now to the IPs you are seeing. Just because IPs are showing up, it does not mean they are getting into your PC and doing anything. I could also send pings and other packets to your PC and they would show up in your list too. Many packets flying around on the internet are looking for PCs that have no protection or improper protection and that will answer a ping or an arp. ( The reason I said to look into a router and disabling ping ). Could they have been doing something more than pinging or hunting for an open PC? Yes of course, but thus far we are not really finding any evidence of it on your PC and the protection you have in place is blocking them now. You still should install a router with a firewall ASAP.

    Then you should edit the password and put in one you know and also do the same for ALL other user accounts and you should do this immediately.

    Yes and it states the same thing I said to you.... "this is why you need a router, firewalls, and other protection" to block the junk. And at the end of the thread it was closed saying
    I have Avira on one of my PCs still and have no such problems. But based on all this info, it just adds more reasons why you need to have a router with a hardware firewall as I keep stating.

    Just run my fix where I'm trying to manually remove it as a redundant backup anyway.
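    As an added example (not code from the thread, from Malwarebytes or from MajorGeeks), the following PowerShell applies chaslang's point about the blocked IPs above: it reads IP-BLOCK lines in the layout of the Malwarebytes protection log quoted in this thread, counts repeat inbound blocks (background scanning noise that a router's firewall would absorb) and singles out OUTBOUND blocks, which mean a program on the PC itself tried to reach a blocked address and deserve follow-up. The log lines are constructed sample data using documentation address ranges, not real hosts.

```powershell
# Added example (not from the thread): triage Malwarebytes "IP-BLOCK" lines.
# Inbound blocks = someone on the internet knocked and was refused.
# Outbound blocks = something on THIS PC tried to reach a blocked address.
function Get-IpBlockSummary {
    param([Parameter(Mandatory)][string]$LogText)

    # Tolerates both "(incoming)" and "(Type: incoming)" as seen in the thread's log
    $pattern = '^(?<time>\d{2}:\d{2}:\d{2})\s+\S+\s+IP-BLOCK\s+' +
               '(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(?\s*(?:Type:\s*)?(?<dir>incoming|outgoing)\)'

    $events = foreach ($line in $LogText -split "`r?`n") {
        if ($line -match $pattern) {
            [pscustomobject]@{ Time = $Matches.time; IP = $Matches.ip; Direction = $Matches.dir }
        }
    }

    $events | Group-Object IP, Direction | ForEach-Object {
        $first = $_.Group[0]
        $times = $_.Group | Sort-Object Time
        [pscustomobject]@{
            IP        = $first.IP
            Direction = $first.Direction
            Count     = $_.Count
            FirstSeen = $times[0].Time
            LastSeen  = $times[-1].Time
        }
    } | Sort-Object Direction, Count -Descending
}

# Constructed sample log (documentation address ranges, not real attackers)
$sampleLog = @'
21:33:42 Administrator IP-BLOCK 203.0.113.10 (incoming)
21:33:43 Administrator IP-BLOCK 203.0.113.10 (Type: incoming)
22:20:12 Administrator IP-BLOCK 198.51.100.7 ( incoming)
00:48:36 Administrator IP-BLOCK 192.0.2.55 (Type: outgoing)
00:48:38 Administrator IP-BLOCK 192.0.2.55 (Type: outgoing)
10:32:36 (null) MESSAGE Protection started successfully
11:13:21 Administrator IP-BLOCK 203.0.113.10 (Type: incoming)
'@

$summary = Get-IpBlockSummary -LogText $sampleLog
$summary | Format-Table -AutoSize | Out-String | Write-Output

$outbound = @($summary | Where-Object { $_.Direction -eq 'outgoing' })
if ($outbound.Count -gt 0) {
    Write-Output "FOLLOW UP: $($outbound.Count) address(es) were contacted FROM this PC and blocked."
    Write-Output "Identify which process made those connections (e.g. a live netstat -b at the time, or the scan logs)."
} else {
    Write-Output "Only inbound blocks: scanning noise, which a router firewall should absorb."
}
```

    Repeated inbound hits from the same few addresses, as in the thread, are consistent with automated scanning and are not by themselves evidence that anything got in.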
     
  37. Madam

    Madam Private E-2

    Oops! My bad! You're so right. THAT one is Always there. And you can terminate it. That I know. :-o

    Makes total sense now. Thanks

    I read that in the Read and Run me and was looking to make the changes you suggested. And you can believe I WILL take ALL of your advice. I will buy the router ASAP. I just created a new Admin password. I may create a user account as the Admin account is currently the only user on this computer.

    Cool. I will do that. But I would hate to ditch the new Norton as I just bought it and installed it :cry

    Yes, I know that now. Hence my extreme paranoia about the pings, and Avira allowing the access. And the fact that as Admin I've been locked out of making changes to my own system had me highly suspicious too.

    So you can have more than one user with Admin privileges? Would I be able to see the other user? Currently when I go to User Accounts there is an Administrator Account and then the Guest Account is turned off. So there shouldn't be another user right?

    Thanks for that tidbit of information. I had NO idea it had no firewall. But that would explain why the Windows Firewall was on and when Avira did an update that got hung up (that happened 4 or 5 times recently) the firewall would notify me it was turned off. I would have to go to Avira and turn Avira back on which made the firewall come on as well. :confused

    Well, again I am so very thankful you've taken YOUR valuable time to help me look at all of this. And I sincerely appreciate all the advice you've provided. I've learned a lot here and I can assure you I will heed your advice and make the router purchase as well as make the MSconfig and other changes you've suggested.

    I will also link back to this thread AND the programs you've suggested so that my friends can download these products from MajorGeeks and make purchases from your site as well. I hope that is some compensation for your generosity, time, and talent. You've gone beyond the call here. :)

    Done

    Where the hell is the Uninstall on that program? Or did I F*** it up by installing it incorrectly? Will your "fix" remove it for me?

    Just so I'm clear here. You want me to proceed with your "fix" and NOT uninstall the SuperAntiVirus program?

    And proceed to:
    1: ComboFix to remove some non-malware items to improve startup and to remove some left over junk
    2: And then your "fix": * Open Notepad and copy/paste the text in the below quote box into it: Quote: KILLALL::SecCenter::
    3: MGtools again
    4: Attach the below log:
    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  38. Madam

    Madam Private E-2

    Ugh I had a b*tch of a time with Combo Fix this time around. Mainly because Norton kept blocking your changes. And I don't know WHY because I turned off the firewall and virus protection before I ran the program. I uninstalled Norton to get Combofix to run. You're right about Norton 360 it IS a Pain In The A$$!! :)

    So if I ditch Norton what is your recommendation? In addition to the router?

    Combo Fix
    I ran it 3 times. Twice I got a report. The last time it gave me an error message stating I didn't have the correct operating system. That I had to have XP. Which of course I do have... Although, I have Windows XP Media Edition which I guess isn't all that popular.

    Anyway, I've attached the reports from ComboFix and MGtool plus a screen cap of the error message.

    It's Christmas! If you celebrate it, I hope this message finds you enjoying time with your friends and family. I wish you Happy Holidays and a Healthy, Happy & Prosperous New Year!

    I'll await your response on the scan results. Thanking you in advance.
    M
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you notice a change in system performance with it gone? I'm expecting maybe a little change but maybe not significant, and I will explain why down further.

    We'll get to the AV and firewall later. Try a Linksys router. Check for sales. ;)

    You have only run it once. But you needed to run it properly. Based on the two logs attached, you ran it by double clicking on it, and thus the fix did not work at all. You made the CFscript.txt file. I can see it in your log, but you did not drag it on top of the ComboFix.exe file. Either that or Norton or MBAM caused a problem in doing this. So basically you did not get anything fixed since it did not run the fix. You will need to do the fix again.

    However now I notice that a lot more was added to MSconfig. Did you run MSconfig and add things to it? Shutdown MBAM and any other protection that may be running, and then run MSconfig and select Normal Startup. Then exit MSconfig but do not reboot if/when it tells you it needs to. Just go back and run my last fix from the point of ComboFix all the way thru to the end. And then attach the two new logs.

    By the way, MGtools worked completely this time, and now that I have a full log I can see that you do have only the user account named Administrator, which means that you never created another admin type account when setting up your PC, which really would have been a better idea. If you do that now, the new account will not have all of your settings and tweaks for everything you installed, so you probably don't want to do this now. Also if you did create a new admin type account, the Administrator account would hide itself in normal boot mode and only show in safe mode ( that is unless a special tweak was made to make it show in normal mode).

    Also now that I have a full set of MGtools logs I can see the below
    Code:
    Total Physical Memory 512.00 MB 
    Available Physical Memory 235.55 MB
    This is one of the main reasons for your PC, especially startup being slow. 512 MB is no longer adequate to properly run current versions of Windows and the software you are using. The minimum we recommend is twice this ( or 1 GB ) but it is highly recommended to have 2 GB or 4 times what you have installed.

    Merry Christmas!
     
  40. Madam

    Madam Private E-2

    Not too much on start up. But maybe a little accessing web sites.

    That will be my first after Christmas sale I hit. :)

    I ran it 3 times. The last time it told me I had an incorrect operating system.

    The first time I may have double clicked it. But every time I created the note and dragged it over the .exe file where it was eventually sucked up. Except the last time when it said incorrect operating system the CFScript was never absorbed by the exe file. And that was the time I ran it as Admin So go figure. ::shrugs::

    After hours of waiting. I clicked into Norton. Even though I had turned off the AV and the fire wall, it was still blocking everything Combo Fix was trying to do. I could see it in the Norton Logs. Hence Why I uninstalled the dang thing the 3rd time. But Again, the 3rd pass wouldn't work.

    Nope. I've not added or edited MSconfig. I noticed Combofix changed it to "Normal". But remember we talked about it getting switched back to "custom" all on its own within 48 hours of running Combo Fix. I don't know WHY that is happening. But it is NOT me doing it. :confused Normal starts with 43 processes. The Custom starts with 30 or so processes.

    Without MBAM I really have zero protection. And MBAM just blocked another ping to my computer. And stupidly I just set MSconfig back to normal and rebooted BEFORE I read ALL of your note. ::face palm::

    Yeah. I think I probably F**ked myself over here. But in 2003 I was clueless about all that. Still am, which is really sadder. I did put a password on which I didn't have before.

    So is that easily increased? Or should I ditch this system and start over? It is old.. Just slow.

    I will try the combofix again. But I don't think it will work. Remember the error message in the screen cap? That was the last thing that ran.


    M
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can unplug your cable to the internet while running the fixes. Then collect all follow up logs and just before coming back here, reenable MBAM and then connect your cable to the internet so that you can surf.

    Yes it is pretty easy. You can even get your PC checked on line for what can be added and what type to buy with the below link:

    http://www.crucial.com/systemscanner/


    After the reboot and with MBAM shut down, it might work.
     
  42. Madam

    Madam Private E-2

    Okay, here are 2 zips and a screen cap that now states Combo Fix is corrupt.

    FYI when I try to drag the CFscript over to the exe file it starts to run immediately thus I'm not able to choose to run as Admin. If the reports aren't complete AGAIN. I can redownload ComboFix and try again.

    Thanks for the link to the site that will scan my computer to advise me on what hardware it needs.

    When can we clean off some of the malware programs you had me install? And change back the hidden file deal??

    And stupid question: If the program doesn't appear in Add/Remove programs because I downloaded it to my desk top or the C Drive can I simply delete all the components myself and then run Ccleaner?
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete your copy of ComboFix and download a fresh copy from here >> combofix.exe

    You are not supposed to be trying to run it as admin, especially since you are already admin. You just need to left click the CFscript.txt file and simply drag and drop it on top of ComboFix.exe.

    When we finish everything we need to do in this forum, we will give you final instructions telling you everything you need to do.

    It will not remove everything. The problem was not that you downloaded it to your Desktop or Drive C. The problem is that you installed it in the root folder of drive C.
     
  44. Madam

    Madam Private E-2

    Deleted Old ComboFix
    Downloaded new one to Desk top.
    You want me to place the CFscript into ComboFix exe file and rerun it again correct?
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • You need to create the CFscript.txt file on your Desktop.
    • And then make sure you exit notepad that you used to create the txt file.
    • Then close all browsers and shutdown protection.
    • Then you need to left click on the CFscript.txt file and then, while still holding in the left mouse button, drag the CFscript.txt file on top of ComboFix.exe.
    • Then let go of the mouse button
     
  46. Madam

    Madam Private E-2

    I followed these directions exactly. Not once but twice.
    The first time I did it and left to clean my kitchen. I was gone 45 minutes or so. Although in the task manager it said "combofix" was "running", it seemed to be stalled. I knew I hadn't hit any keys, the AV and MBAM were off so there shouldn't be a reason for it to stall.

    So I rebooted the computer. Made sure I was in "normal" mode in MSconfig. Deleted ComboFix and downloaded it again. Re-created the CFscript in Notepad and started all over again.

    I followed your instructions exactly again and went off to watch a movie. Came back two hours later and NOTHING.

    I screen capped what it looks like when it stalls. AND what the task manager says...

    Could there be something in your Kill Script that ComboFix doesn't like? What is the reason it never goes on to produce a log?

    See caps attached

    ComboFix module is still up now. Cursor flashes but NOTHING is happening... and it's been hours.

    Advice?
     

    Attached Files:

    Last edited: Dec 26, 2010
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let me repeat something I said earlier. Do not run any fixes more than once. ;) If it does not work properly the first time or you run into any kind of problem, just stop and come back and give me the details.

    No! It is actually something with your Windows configuration that is causing problems ( not malware... just Windows ). Remember earlier problems where MGtools ( actually GetRunKey ) would hang until I made a modification? Well it is possibly a similar issue that is causing ComboFix to hang. Let's clean this up a different way and I also want you to run another procedure to attempt to fix possible permissions issues.


    Let's work the permissions issue first. Run the below ( only once !!!! ).

    Resetting Registry and File Permissions




    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now after the reboot from Avenger, copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
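    The fixme.reg step above fails silently in a few predictable ways: Notepad saving the file as fixme.reg.txt because "Save as type" was left at "Text Documents", a mistyped header line, or a key or value line regedit cannot parse. The following checker is an added example written for this thread, not a tool chaslang or MajorGeeks provides; the sample .reg contents in it are constructed for the demonstration and are not the bold text from the post (which is not reproduced here). It reports the problems a person can fix before merging, so the "success" or "cannot import" message from regedit is not the first sign something was wrong.

```python
"""Sanity-check a hand-typed .reg file before merging it with regedit.

Added example for this thread; not code from the thread or from any tool it uses.
The sample registry text below is constructed for the demonstration only.
"""
import re
from typing import List

# Headers regedit accepts on line 1 (REGEDIT4 is the older ANSI form).
VALID_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# [HKEY_...\path] or [-HKEY_...\path] (the leading '-' deletes the key).
KEY_RE = re.compile(r"^\[-?(HKEY_[A-Z_]+)(\\[^\]]+)?\]$")

# "name"=data or @=data, where data is a quoted string, dword:XXXXXXXX,
# hex(...):bytes, or '-' to delete the value.
VALUE_RE = re.compile(
    r'^(@|"(?:[^"\\]|\\.)+")='
    r'(-|".*"|dword:[0-9a-fA-F]{8}|hex(?:\([0-9a-fA-F]+\))?:.*)$'
)

# Continuation of a hex: value that ended the previous line with a backslash.
HEX_CONT_RE = re.compile(r"^\s*[0-9a-fA-F]{2}(,[0-9a-fA-F]{2})*,?\\?$")


def check_reg_text(text: str, filename: str = "fixme.reg") -> List[str]:
    """Return a list of human-readable problems; an empty list means it looks mergeable."""
    problems: List[str] = []

    # Notepad's default 'Save as type' of 'Text Documents' appends .txt.
    if not filename.lower().endswith(".reg"):
        problems.append(f"{filename}: extension is not .reg, regedit will not merge it")

    lines = text.splitlines()
    if not lines or lines[0].strip() not in VALID_HEADERS:
        problems.append("line 1: header must be exactly one of " + " / ".join(VALID_HEADERS))

    seen_key = False      # a value line is only meaningful under a [key] line
    continuation = False  # previous line was a hex: value ending in '\'
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.rstrip()
        if continuation:
            if not HEX_CONT_RE.match(line):
                problems.append(f"line {n}: malformed hex continuation {line!r}")
            continuation = line.endswith("\\")
            continue
        if not line or line.startswith(";"):
            continue  # blank lines and comments are fine
        if line.startswith("["):
            if not KEY_RE.match(line):
                problems.append(f"line {n}: malformed key line {line!r}")
            seen_key = True
            continue
        if not seen_key:
            problems.append(f"line {n}: value appears before any [key] line")
        elif not VALUE_RE.match(line):
            problems.append(f"line {n}: malformed value line {line!r}")
        continuation = line.endswith("\\")

    # regedit can drop the final entry when the file lacks a trailing newline.
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline; the last value may be ignored")
    return problems


# Constructed sample: re-enables showing hidden and system files in Explorer
# (real key and value names; the thread's own fixme.reg contents are not shown here).
SAMPLE_OK = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"""

# Constructed sample with the mistakes the post warns about.
SAMPLE_BAD = """Windows Registry Editor 5.00
[HKEY_CURRENT_USER\\Software\\Example]
Hidden=dword:1"""

if __name__ == "__main__":
    for name, body in (("fixme.reg", SAMPLE_OK), ("fixme.reg.txt", SAMPLE_BAD)):
        found = check_reg_text(body, name)
        print(name, "OK" if not found else "\n  " + "\n  ".join(found))
```

    Run it on the saved file with `check_reg_text(open(path).read(), path)`; a non-empty list means regedit's "cannot import" message is expected and the file should be fixed and re-saved rather than merged again.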
  48. Madam

    Madam Private E-2

    I backed up my registry
    I ran the Resetting Registry and File Permissions
    Rebooted
    Downloaded and Ran The Avenger (avenger txt attached)
    BUT, I received an error message: (Attached a screen cap for your reference)
    Error in Processing c0000013 parameters 75b6bf7c 75b6bf7c
    It asks me if I want to Cancel, Try Again or Continue.

    I'm not sure how to proceed here.
    HELP

    Edited to add: If you click Try Again you just get the loud Windows error noise and the error message.
    If you click continue you get the same thing. So I guess you have to click "cancel" to get out of this thing? Should I proceed to Regedit4 or do something else with Avenger?
     

    Attached Files:

    Last edited: Dec 27, 2010
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just continue on but only after a reboot. So if Avenger did not reboot your PC, reboot it yourself and then continue.
     
  50. Madam

    Madam Private E-2

    Okey Dokey.. Doing it now. ::izscared:: :-o
     
