Should TCP Viewer show my system BLOWING UP? Malware, Spyware & Hijacked, OH MY!
JohnVanDaal:
--- Quote from: Boggin on December 01, 2014, 01:39:33 am ---Sorry for the typo.
Did you run the DISM /Online /Cleanup-Image /CheckHealth command to see what that reported - while I don't have Win 8.1 to see exactly how that cmd reports, I assume it would be similar to running chkdsk in Win 7 etc. without any parameters and when it finds something amiss, it would recommend either the /f or the /r switch.
Depending upon what /CheckHealth reports, using the /RestoreHealth switch can fix the Component Store and then redo the sfc /scannow cmd to see if it still reports corruption.
--- End quote ---
Please, no worries about the typo, stuff happens :smiley:
Yes, I ran the scan:
C:\WINDOWS\system32>Dism /Online /Cleanup-Image /ScanHealth
Deployment Image Servicing and Management tool
Version: 6.3.9600.17031
Image Version: 6.3.9600.17031
[==========================100.0%==========================]
The component store is repairable.
The operation completed successfully.
I'm not sure what to do now, so I wanted to check. I'm reading through the site you linked me to right now.
Also had a question, are all of the files showing up as corrupt in this report Video/Display related??
There has been an AMD Video related download that the HP Helper/Assistant has had problems with, but the alert for it has disappeared, and when I run the Video/Display Troubleshooter it doesn't go past the first screen where it asks which option to troubleshoot, so I'm not sure what's going on with it. I'm trying to figure that out right now too.
I went to the HP site several times before trying to get whatever download was being suggested straightened out, but kept being sent to the same pages that didn't do anything to help; it just got the Assistant running again and I encountered the same problem.
Besides it looking like it can be fixed anyway, is this possibly related: older files that need to be switched out by an HP download?
*(Just an FYI, due to my particular circumstances my hours are a bit different than most. 3 pm to me is like most people's 7 or 8 am, that's about the time I get up, my "morning" if you will. So when 16 hours goes by and 7 or 8 am rolls around, usually it's "nighty night" time for me. I realized my response time frame might seem strange without knowing about that, so that's why I bring it up.)
EDIT: This is the last Rogue Killer scan I've done, today in the wee morning hours, my yesterday, I haven't done any since. The first 4 I believe are just from setting the HijackThis to monitor on Startup, but the rest appear problematic.
After I hit Delete, one deleted, one said error (2), and the others said "replaced ()"
Below is what Emsisoft keeps snagging.
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
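The values Emsisoft keeps snagging above are the classic "lockout" set: NoFolderOptions and NoRun under Policies\Explorer, DisableTaskMgr and DisableRegistryTools under Policies\System. Here is an added example (my own script, not code from the thread, from Emsisoft or from RogueKiller) that audits exactly those values across HKLM, HKU\.DEFAULT, HKU\S-1-5-18 and every loaded user hive, and can delete them. It assumes the standard Policies\Explorer and Policies\System paths shown in the detections; the extra NoControlPanel check is my addition and is not in the log above. Run it from an elevated PowerShell prompt, since the HKLM and S-1-5-18 entries are not writable otherwise.

```powershell
# Added example, not code from the thread or from any tool it mentions.
# Audits the lockout policy values Emsisoft flagged (NoFolderOptions, NoRun,
# DisableTaskMgr, DisableRegistryTools) in HKLM, HKU\.DEFAULT, HKU\S-1-5-18
# and every loaded S-1-5-21-* user hive. -Remove deletes whatever it finds.
[CmdletBinding()]
param([switch]$Remove)

$Base = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'

# The four values from the detection log, plus NoControlPanel (my addition).
$Checks = @(
    @{ Sub = 'Explorer'; Name = 'NoFolderOptions'      }
    @{ Sub = 'Explorer'; Name = 'NoRun'                }
    @{ Sub = 'Explorer'; Name = 'NoControlPanel'       }
    @{ Sub = 'System';   Name = 'DisableTaskMgr'       }
    @{ Sub = 'System';   Name = 'DisableRegistryTools' }
)

# Hive roots to inspect. HKU\.DEFAULT and HKU\S-1-5-18 are both the LocalSystem
# profile, which is why every detection above shows up under both names.
$Roots = @(
    'Registry::HKEY_LOCAL_MACHINE',
    'Registry::HKEY_USERS\.DEFAULT',
    'Registry::HKEY_USERS\S-1-5-18'
)
# Add every real user hive that is currently loaded (logged-on users).
$Roots += @(Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })

$Findings = foreach ($Root in $Roots) {
    foreach ($c in $Checks) {
        $Key = "$Root\$Base\$($c.Sub)"
        if (-not (Test-Path $Key)) { continue }
        $Item = Get-ItemProperty -Path $Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $Item) { continue }
        [pscustomobject]@{
            Key   = $Key -replace '^Registry::', ''
            Name  = $c.Name
            Value = $Item.($c.Name)
            # Any non-zero value enforces the restriction; 0 is a leftover but harmless.
            Locks = ($Item.($c.Name) -ne 0)
        }
    }
}

if (-not $Findings) { 'No lockout policy values found.'; return }
$Findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $Findings) {
        Remove-ItemProperty -Path "Registry::$($f.Key)" -Name $f.Name -ErrorAction Stop
        "Removed $($f.Name) from $($f.Key)"
    }
    'Values removed. If they come back after a reboot, something persistent is re-creating them.'
}
```

Run it once without -Remove to see what is set and where, then with -Remove. The useful signal is not the first run but the second one after a reboot: a clean system stays clean, while a value that reappears means a persistence mechanism (a Run key, a scheduled task, a service) is still putting it back and needs to be found before the lockout values are worth cleaning again.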
JohnVanDaal:
--- Quote from: Shane on December 01, 2014, 01:29:09 pm ---Sorry for the late post, holiday weekend and I just got back in my office :-)
How are the amount of network connections and cpu doing now after those scans?
My new toolbox has a netstat viewer in it that can show all the connections on the system and what processes is making them, if you still have a lot fo them I can grab the beta I am getting ready and have you use it to copy the netstat list so I can see what is making all the connections.
Shane
--- End quote ---
Completely understandable, but thanks! I'm just grateful for help being available like this. My apologies for getting back so late in the day but as I mentioned in my last post I have different hours than normal these days, we're in my "early morning" at the moment :tongue:
Network connections appear OK and I've been monitoring the ports now and then and I think (emphasis on "think") pretty much everything can be accounted for at this point, at least it seems that way while I am monitoring.
Though it really does look like someone or something is changing settings for Iexplorer and other functions, and setting registry files to disable key functions. I see some "NORUNS" and "DISABLE" this or that keep popping up. I still have a few things to catch up on from what Boggin has brought to my attention, so I'll know a little more in a short while, but not being sure about those commands the Emsisoft software and Roguekiller keep snagging makes me hesitant to do a Windows Restart, even though it might deal with other issues that may have been fixed now, since that is when the worst problems have arisen in the past: I have to restart for whatever reason, then suddenly I have no access to this and that, usually the network and most or all security functions.
As for your Toolkit, sure, I'll try just about anything you've got. I've been looking at your main website too, top notch my friend, the Simple Internet Meter kicks you know what!!
One thing I'd like to know, if possible: are there certain settings I'm able to check before doing a restart to be basically sure I won't be screwed upon Windows re-opening? Task Scheduler and Autoruns come to mind, but are there certain special or hidden things to look out for?
Good for you that you had a nice Holiday weekend, and thanks for the reply.
Boggin:
Stop HJT from running at start and do a scan with the free version of MBAM to see if that finds anything.
Uncheck the box to decline the offer to run a trial of the Premium version if offered. https://www.malwarebytes.org/downloads/
Norton has its own generic names for when it finds something with similar heuristics to other infections, so a Google helps but it can also be a false positive.
The DISM /CheckHealth and /ScanHealth commands don't repair anything and are basically read-only.
Run Dism /Online /Cleanup-Image /RestoreHealth followed by another sfc /scannow to see if that still reports it is unable to repair some files.
If it still reports that it is unable to repair some files, then you're probably looking at the Refresh recovery option. http://windows.microsoft.com/en-GB/windows-8/restore-refresh-reset-pc
This will remove any 3rd party programs you have installed so you will need to decide which of those security programs you want to reinstall.
JohnVanDaal:
--- Quote from: Boggin on December 02, 2014, 02:07:42 am ---Stop HJT from running at start and do a scan with the free version of MBAM to see if that finds anything.
Uncheck the box to decline the offer to run a trial of the Premium version if offered. https://www.malwarebytes.org/downloads/
Norton has its own generic names for when it finds something with similar heuristics to other infections, so a Google helps but it can also be a false positive.
--- End quote ---
Hello Boggin.
I'll switch over to the MBAM asap.
I made use of Shane's Toolbox for a couple things, "Reset Policies Created By Infections", "Unhide Non-system Files", and did the system Restart to see if any of the bad juju had been flushed out by all that's been done and to refresh some things. Interestingly some aspects seem to be working that weren't doing so great, while others still are not working, and some fresh puzzles have popped up.
Should I have two instances of explorer.exe running?
One of them running from Path = C:\Windows\explorer.exe
Command Line = explorer.exe
Current Directory = C:\Windows\System32\
Parent = winlogon.exe(768)
The other instance is listed as "Suspended" in the Auto Viewer running from Path = C:\Windows\explorer.exe
Command Line C:\WINDOWS\Explorer.EXE
Current Directory = C:\Windows\System32\
Parent = <Non-existent Process>(3008)
Autostart Location for both is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.
Funny thing is the C:\Windows\explorer.exe file is there where it says it is, but there's no file showing up in System32 as "Explorer.exe", so I'm guessing it's just hidden, but I haven't investigated that part yet. It says the C:\Windows\Explorer.exe instance was created 12/1/2014, so I'm thinking it's from Shane's Toolbox giving me access to some of my real files?
What's going on here?
:shocked:
On top of that, and you may find this interesting considering your affinity for all things McAfee :tongue:
After Restarting Windows, numerous regular processes were being questioned by McAfee regarding the Firewall regulations. That in itself is a mystery to me: they were coming up listed as having been Allowed before but said that they had "Changed" and therefore wanted my permission. This included explorer.exe. This could be good or bad, I don't know, but again it seems to be from using the Toolbox, because NUMEROUS files were showing up as having been brought out of hiding before the computer restarted. I'm just not sure where a list would be yet; I thought a report/log would pop up after the restart but didn't see one yet, I'll have to dig around.
Since it was new to me I popped open the Snipping Tool to get a little screen shot for good measure, but when I X'ed out of the .PNG the McAfee Alert was already gone, so I can't be sure what McAfee chose to do. I don't know its default action for that; I can't seem to learn fast enough to catch up with everything, though I am definitely trying.
Is it possible McAfee froze Explorer.exe but, being essential, a "temporary" somehow came up in its place?? Or did McAfee "accidentally" halt
--- Quote from: Boggin on December 02, 2014, 02:07:42 am --- The DISM /CheckHealth and /ScanHealth commands don't repair anything and are basically read-only.
Run Dism /Online /Cleanup-Image /RestoreHealth followed by another sfc /scannow to see if that still reports it is unable to repair some files.
If it still reports that it is unable to repair some files, then you're probably looking at the Refresh recovery option. http://windows.microsoft.com/en-GB/windows-8/restore-refresh-reset-pc
This will remove any 3rd party programs you have installed so you will need to decide which of those security programs you want to reinstall.
--- End quote ---
Gotcha, Dism /Online /Cleanup-Image /RestoreHealth is running right now, I'll run the second command as soon as it's finished.
Let's just hope it doesn't come to needing a Refresh.
Thanks again.
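The two explorer.exe instances above, and the earlier question about what to check before a restart, both come down to the same three things: what the Winlogon Shell and Userinit values actually say, what is running as explorer.exe and who started it, and whether the binary on disk is the genuine one. Here is an added example (my own script, not code from the thread or from Shane's toolbox) that checks all three. It assumes the standard Winlogon key shown in the Autostart Location above and the standard values for a stock Windows install (Shell = explorer.exe, Userinit = system32\userinit.exe with a trailing comma). One caveat for the signature step: many Windows system binaries are signed through a catalog rather than with an embedded signature, so a "NotSigned" status for C:\Windows\explorer.exe is not proof of tampering on its own; a file at any other path, or a signer other than Microsoft, is the real red flag.

```powershell
# Added example, not code from the thread or from Shane's toolbox.
# 1. Winlogon Shell / Userinit must be the stock values; anything else is a hijack.
$WinlogonKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Winlogon    = Get-ItemProperty "HKLM:\$WinlogonKey"
$Expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is normal
}
foreach ($Name in $Expected.Keys) {
    $Actual = $Winlogon.$Name
    $Ok = $Actual -and ($Actual.Trim() -ieq $Expected[$Name])
    '{0,-9} {1,-6} {2}' -f $Name, $(if ($Ok) { 'OK' } else { 'CHECK' }), $Actual
}
# A per-user Shell value overrides the machine one and should not normally exist.
$UserShell = (Get-ItemProperty "HKCU:\$WinlogonKey" -ErrorAction SilentlyContinue).Shell
if ($UserShell) { "HKCU Shell override present: $UserShell  (not expected on a stock install)" }

# 2. Every explorer.exe: pid, parent pid, whether the parent still exists, path, command line.
#    Normal: exactly one instance whose parent is winlogon.exe or an already-exited
#    userinit.exe. A second instance, or one parented by something odd, needs explaining.
$Procs = @(Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'")
$Procs | ForEach-Object {
    $Parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID        = $_.ProcessId
        ParentPID  = $_.ParentProcessId
        ParentName = if ($Parent) { $Parent.ProcessName } else { '<exited>' }
        Path       = $_.ExecutablePath
        CmdLine    = $_.CommandLine
        Started    = $_.CreationDate
    }
} | Format-Table -AutoSize

# 3. Is the binary each instance runs from the real one? Stock location is
#    $env:SystemRoot\explorer.exe (and SysWOW64\explorer.exe on 64-bit Windows);
#    System32 does not normally hold one, so its absence there is expected.
$Paths = $Procs.ExecutablePath | Where-Object { $_ } | Sort-Object -Unique
foreach ($Path in $Paths) {
    $InStockDir = (Split-Path $Path -Parent) -in @($env:SystemRoot, "$env:SystemRoot\SysWOW64")
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    '{0}  stockDir={1}  signature={2}  signer={3}' -f $Path, $InStockDir, $Sig.Status,
        $(if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '<none>' })
}
```

A "Suspended" explorer.exe whose parent no longer exists is what a leftover or crashed shell looks like; the one to worry about is a second instance with a non-stock path, a non-winlogon parent that is still alive, or a Shell value that points anywhere other than explorer.exe. Running this, plus a look through Task Scheduler and Autoruns, is a reasonable pre-reboot check because all three are things that run before you get a desktop back.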
Boggin:
You'll need to wait for Shane to get back to you on any side effects after running WR as it seems to run okay on some systems but produces side effects on others.
If you have any Network problems after a reboot or otherwise, open the admin command prompt and enter -
netsh winsock reset
netsh int ip reset
ipconfig /release
ipconfig /renew
exit
Then reboot, but let us know if any of the commands fail - the release and renew commands will report that neither can be done for the Ethernet if you aren't wired to the router.
Edit - I find it's better to save a snip with a .jpg extender as they expand better when posted in a forum.
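Since the request is to report back if any of those commands fail, here is an added example (my own wrapper, not from the thread) that runs the same sequence from an elevated prompt, records each command's exit code and output in a transcript, and says at the end which steps failed. It assumes nothing beyond the commands listed above; the log path under $env:TEMP is my choice.

```powershell
# Added example, not code from the thread. Runs Boggin's reset sequence,
# keeps going after a failure so every step is logged, and reports at the end.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = [Security.Principal.WindowsPrincipal]$Identity
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

$Log = Join-Path $env:TEMP 'netreset.log'   # my choice of location
Start-Transcript -Path $Log -Force | Out-Null

$Steps = @(
    'netsh winsock reset',
    'netsh int ip reset',
    'ipconfig /release',   # both ipconfig steps report an error if no adapter holds a DHCP lease
    'ipconfig /renew'      # (e.g. not wired to the router); that is expected, not a failure to fix
)
$Failed = @()
foreach ($Step in $Steps) {
    "`n>>> $Step"
    cmd /c $Step 2>&1
    if ($LASTEXITCODE -ne 0) {
        "!!! '$Step' exited with code $LASTEXITCODE"
        $Failed += $Step
    }
}
Stop-Transcript | Out-Null

if ($Failed) {
    "Steps with a non-zero exit code: $($Failed -join '; ')"
    "Full output is in $Log; paste it in the thread."
} else {
    "All steps succeeded. Reboot now so the Winsock and IP stack reset takes effect. Log: $Log"
}
```

The reset itself only takes effect after the reboot, so the useful thing to report is the transcript from before the reboot plus whether the network came back after it.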