
Should TCP Viewer show my system BLOWING UP? Malware, Spyware & Hijacked, OH MY!


JohnVanDaal:
Hello,

I'm not quite sure what to do here, I've been hit with so many things that my head is kind of spinning. This is all very new to me though I'm trying to learn how to deal with it as fast as I can. I've already gotten rid of a few malware/virus problems, which may or may not be completely gone, and may or may not be returned to me anyway due to what looks like a whole lot of hijacking of my equipment and resources (flurries of TCP traffic coming and going, 100% CPU at times, changes to & destruction of OS settings and files, etc). I'm pretty new to the Networking scene and only know some of the basics of Windows, but that is changing - too slowly unfortunately, for the moment at least.


I'm running Windows 8.1 on an HP 15 laptop and can supply any info and logs that you might need to help, which would be very appreciated since I'm kind of overwhelmed here, and I did read the little sticky, that you run your own shop and have a family, and volunteer your time is commendable indeed, and I appreciate that your time is limited.

Having said that, I'm not sure what type of log would be best to post initially, I may have missed it, but if I come across information related to that before receiving a reply I will do whatever and then post it up.

Thanks in advance.

jraju:
Hi,
It seems the problem is of the recent download. Ok. If this is the problem you face only now, the best way to have your sleep is to do the System Restore.
Go to Start Menu, All programs, Accessories and in the System tools menu click System Restore and then choose a previous restore point, when you did not have this problem. Ok. It will not do any harm to the files you saved otherwise. But the problem will be solved. This is the simple method.
If you cannot do the system restore or if there are no restore points available, then it is sure that some third party programs have made this and you have to go to other alternatives. First try this simple trick, if this is of recent origin.

JohnVanDaal:
Hi jraju, thanks for replying.

Actually, most of my original restores were deleted somehow :teeth: though I was able to get a system "Refresh" off a few days ago back to the earliest point which I thought was OK, which has definitely helped quite a bit, but there are only Restores for the past 3 days available to me.

The truth is I really don't download very much but when I do it's just videos from youtube and the occasional PDF about WW2 or something else I'm researching or simply interested in. I don't use any other Social Sites (if Youtube really even qualifies as one) and I don't visit anything even close to porn sites or use any kind of gaming software. On top of that, beginner though I be, I use URL Scanners, check my files before opening them, keep virus/security software running at all times, use smartscreen, med-high level web settings, etc.

The problem I'm seeing is someone simply seems to know how to get into the network and at the very least put something on my system, and that what's being done is being done to perpetuate the use of my things while giving off very little reason for detection as everything it does appears to work on the sly, little by little, you know, and only when I begin trying to gain back control over my computer's settings and functions, and then to get rid of the stuff, does it really begin to get aggressive. There seems to be a bit of intelligence behind what is going on. So my other concern is based on the fact that even though I may at some point become "clear" as far as what's on the system goes, I will still be vulnerable to people gaining access.

In any case I've downloaded numerous tools from websites I've come to trust for the most part over the last few weeks, and that have been mentioned here in a positive light so I have some logs, perhaps they will help to figure this out.

In the meantime I'm looking for a good beginner's but comprehensive tutorial or manual on shoring up one's PC for use on public network, where I live there are about 150 units, maybe 500 people altogether who use the same Access Point to connect up, not the best for staying secure but for now it's all I've got, but the problem may be just that - that it's public and up for grabs by those in the know about computers & networking, and have no scruples.

I know for a fact my stuff has been used for nefarious purposes by someone other than myself due to being told that my IP was blocked for being a "known spammer", that just isn't me at all. I have the feeling other people in my complex may be dealing with similar problems possibly stemming from the same origins, but I am not sure, but after finding out that I have been getting into fixing my PC and beginning to study things related to what's been happening, several of my neighbors here in the complex who are even more "Beginner" than I am have approached me asking for help and advice about problems they're having with their own PCs as well (luckily I was actually able to help the first one because it wasn't very complicated and I'll be trying to help another one tonight, the other one's is too complex - similar to problems I'm having so I have to pass at this point in time) and they seem to be similar in nature but I can't say for sure yet, it just wouldn't surprise me that criminals would take advantage of circumstances such as those we have with a public access point.



Now, as far as logs and reports go I'm not sure what's best to post so here are a few choice reports (almost all the tools have been downloaded AFTER the problems returned, and yes I've been a bit scan-happy, maybe jraju is right so I am going to get a little sleep for now  :sleep: ) that may be good to work with, at least for starters.

Thanks guys.

Boggin:
Do you still have the problems when you boot up into Safe Mode with Networking http://www.7tutorials.com/5-ways-boot-safe-mode-windows-8-windows-81 or in a clean boot http://support.microsoft.com/kb/929135 ?

It's quite possible that one or more of the security programs you have installed is causing a conflict to produce the side by side error, although that post dates your problems.

There are quite a number of programs listed in those logs which I'm not familiar with but Process Explorer will show if any are a threat.

http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

Once you have Process Explorer running click on Options and ensure Verify Signature is checked and then hover over VirusTotal.com and check its box.

When it refreshes look for any programs/processes listed with a red highish value/~50.

Let us know if you have any of those as some can be legit.

Given the scanners you have used, it's doubtful there is any infection left on your system but give AdwCleaner a run (although I didn't spot any malicious Toolbars and the like).

http://www.bleepingcomputer.com/download/adwcleaner/

Click on Scan and when that has completed it may list some items in the lower window that you can uncheck to keep.

Click on Report and it will show you what it has found which it will delete - if there are items in there you also wish to keep alongside what look like undesirables, then close the Report and you can either click on Clean, in which case you would need to reinstall the items you would prefer to keep - or you can click on Uninstall and leave whatever it has found on your computer.

It will produce another report after the reboot if you click on Clean.

I'd also like you to reset the Hosts File should any of what the scanners have removed have corrupted that file. http://support.microsoft.com/kb/972034#LetMeFixItMyselfAlways

Also to check that none of your system files are corrupt, open a Command Prompt as an administrator http://www.howtogeek.com/194041/how-to-open-the-command-prompt-as-administrator-in-windows-8.1/ and enter sfc /scannow and let us know what it reports.

The ipconfig /all from MiniToolBox is showing different Subnet Masks for your Wireless adapter and the Tap-Windows Adapter v9 - is the latter the AP?
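The Process Explorer step above (Verify Signature plus the VirusTotal column) can also be done from a script, which is handy when you want to keep a record to compare after the next reboot. The following is an added example for this thread, not something Boggin or Sysinternals supplied: it walks the running processes, checks the Authenticode signature on each image, and records a SHA-256 that can be typed into VirusTotal's search box without uploading anything. It assumes an elevated PowerShell prompt on Windows 8.1 (PowerShell 4.0, where Get-FileHash first appeared) and writes its CSV to the Desktop; both are assumptions, not part of the original advice.

```powershell
# Added example (not from the thread): list running processes whose on-disk
# image is unsigned or carries a broken signature, together with a SHA-256
# you can look up on VirusTotal instead of uploading the file.
# Assumes an elevated PowerShell prompt on Windows 8.1 (PowerShell 4.0+).

$results = foreach ($p in Get-Process) {
    $path = $p.Path
    # Protected/system processes expose no Path from a normal admin shell; skip them
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Name      = $p.ProcessName
        PID       = $p.Id
        Path      = $path
        Signature = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = $hash
    }
}

# Anything other than a Valid signature is worth a look. A valid Microsoft
# signature on procexp.exe is exactly why a lone 1/55 heuristic hit there is noise,
# whereas an unsigned binary with a high detection count is not.
$suspects = $results |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Name -Unique

$suspects | Format-Table Name, PID, Signature, SHA256 -AutoSize

# Keep the full list so the next run (or the next reboot) can be diffed against it.
$csv = Join-Path $env:USERPROFILE 'Desktop\running-processes.csv'   # assumed output path
$results | Export-Csv -LiteralPath $csv -NoTypeInformation
"Wrote $($results.Count) entries to $csv; $($suspects.Count) without a valid signature."
```

Compare-Object on two of the saved CSVs (one from a known-good boot, one from a bad one) shows which executables are new, which is the same question Boggin is asking about the unfamiliar programs in the logs.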

JohnVanDaal:
I don't know whether to laugh or cry, I had to prove I wasn't a Robot spamming the site before I could post this reply..

Hmm.


Yes, that's possible. I was actually pondering switching over to Trend Micro's AV/AM & Security software when I was doing the latest scans but just decided to leave whatever was running the way that it was out of plain old exasperation, originally I was only running McAfee LiveSafe and its accoutrements, and during this last fiasco when the computer shut down and the settings began changing again (when I rebooted and signed back in the firewall was turned off and stayed off for quite some time, neither Windows Defender nor McAfee would take up the job, the smartscreen was on the fritz, etc) all I had for a Browser was iexplorer, which has since disappeared from Start and Taskbar and kept switching me to Proxy when I don't use a Proxy (the AP has HTTPS sign-in with password as Proxy) but now I'm wondering if iexplorer.exe being reported as having 'Image Hijack' by the Autoruns Viewer actually stemmed from it being linked to both the classic view and the Win 8.1 view; therefore its deletion was in fact the deletion of its image connected up to more than one region in the OS?? (I apologize for not knowing all the proper terminology yet, but I'm sure you know what I'm getting at) so your thoughts about that are in the ballpark with at least some of what's been going on likely being due to conflicts of one kind or another from the beginning.


*As for running Process Explorer, I didn't start up every program that I have while it was on but I did power up a bunch of non Microsoft progs/apps, ironically after connecting up with VirusTotal the first one to catch my attention was Process Explorer itself with 1/55, and the Screen-Cast-O-Matic 1/55 as well.


VirusTotal has "procexp.exe" listed as 1/55 - Antiy-AVL = Trojan[:HEUR]/Win32.AGeneric

And screencast-o-matic.exe listed as 1/55 - Bkav = W32.Clod98d.Trojan.5ae1



Which are probably the two programs that are the least of my worries. I haven't researched what these companies have said for their reasons yet since I'm trying to get this info back to you as quickly as I can but I'm guessing these classifications are due to their particular rating standards / PUPs?

I've only switched SoM on recently just to test it but if I remember correctly it basically hijacks the Java app when it's in use and combined can cause freezing, so that's a possible complaint factor, but I've never had any problems with it other than occasional short term freezing that I know of.


* Ok after running AdWCleaner at the end here I find it listed by VirusTotal as 2/55 - Jiangmin = TrojanDropper.FrauDrop.uic 

&  TrendMicroHouseCall = Suspicious_GEN.F47V1124,

(VirusTotal's "Relationships" tab mentions the AdWCleaner file being sent to them in a bundle itself, so that may be why, not sure yet)



*Created the HOSTS file, everything seemed to work out ok.


*Adwcleaner only shows two folders associated with the Browser Guard, I'll just leave them be for now though I may get rid of the whole thing later depending on which AV/AM/Security brand I end up going with, I actually do want to have a singular and harmonious interaction of all the apps, just that I've been in Emergency mode and a bit of trial & error mode lately  :thinking:  :wink:



*Ran sfc /scannow, it created CBS.log file which I'm attaching, it said there are some problems.


Also when I open the Windows\Logs\CBS folder to get to it every other file in that folder is called "CbsPersist_...***..." with date numbers/etc numbers after the _ the only difference being variations of the date numbers/etc #'s.

There are 5 of these "CbsPersist" files, only the recently accessed/modified one is in Blue in the directory, and so is the CBS.log file just accessed by running the command to scan.



That most recently accessed/modified "CbsPersist" file in Blue is listed as



CbsPersist_20141130120102

Text Document (.log)

Location   C:\Windows\Logs\CBS

Size   88.2 MB (92,504,506 bytes)

Size on Disk   22.2 MB (23,367,680 bytes)

Created   Wednesday, April 2, 2014, 2:49:52 AM   (at least it's not dated from 1869 like the WSCMD.dll "Wondershare" linked/hijacked file had been before the Refresh, and Wondershare had come straight from their professional site!)

Modified   Today, November 30, 2014, 10 hours ago



The other 4 "CbsPersist_...###..." files are between 2.24 & 3.6 M/bs.




The Subnet Mask for the TAP=WA-9 is the VPN.
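CBS.log is the shared servicing log, which is why it is 88 MB and why the older CbsPersist_* files exist alongside it (they are archived copies of earlier sessions, not needed for today's scan). sfc /scannow tags its own lines with "[SR]", so the usual way to answer "what did it report" is to pull out just those lines. The following is an added example, not something from this thread or from Microsoft; it does in PowerShell what the Microsoft KB on sfc describes with findstr, and the repair phrases it filters on are the common ones sfc writes, assumed here rather than taken from the attached log. The output path on the Desktop is also an assumption.

```powershell
# Added example (not from the thread): reduce CBS.log to the System File Checker
# lines and show the ones that report corruption. sfc /scannow prefixes its
# entries with "[SR]"; the rest of the file is other servicing activity.
# CbsPersist_*.log files are older archived copies and can be ignored for this.

$cbsLog  = Join-Path $env:windir 'Logs\CBS\CBS.log'
$outFile = Join-Path $env:USERPROFILE 'Desktop\sfcdetails.txt'   # assumed output path

if (-not (Test-Path -LiteralPath $cbsLog)) { throw "CBS.log not found at $cbsLog" }

# Select-String streams the file line by line, so an 88 MB log is not read into memory at once
$srLines = Select-String -LiteralPath $cbsLog -Pattern '\[SR\]' | ForEach-Object { $_.Line }

# Phrases sfc uses when a protected file fails verification or is replaced
# (assumed common wording; adjust if your log phrases it differently).
$corruptionPatterns = @(
    'Cannot repair member file',
    'Repairing corrupted file',
    'Could not reproject corrupted file',
    'Hashes for file member'
)
$regex = ($corruptionPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

$problems = $srLines | Where-Object { $_ -match $regex }

"{0} [SR] lines in CBS.log; {1} of them report a corrupt or repaired file" -f $srLines.Count, $problems.Count

# Most recent session is at the end of the file, so show the tail of the problem list
$problems | Select-Object -Last 40

# Full [SR] extract for posting: far smaller than the whole log, and it is all the scan wrote
$srLines | Set-Content -LiteralPath $outFile -Encoding UTF8
"Full [SR] extract written to $outFile"
```

If the count of problem lines is zero but sfc still said it found problems, widen the search by dropping the filter and reading the [SR] lines from the last "Beginning Verify and Repair transaction" entry onward; that block is the session sfc just ran.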
