
Messages - JohnVanDaal

1
Thanks John, I understand how you would edit a quote - the problem I have is in another forum I post on where they have a separate multiple quote button in addition to the regular one - have you ever come across those ?

As I don't want to spam your thread with a different topic, I'll leave it at that.

(I could swear I already replied to this and saw my reply posted afterwards, but oh well)

lol, Sorry, I misunderstood what you were asking me. To be honest I couldn't understand why you wanted me to explain this but I didn't want to say anything about it, but then again for all I know you're a friend of Shane's helping out here and you've only been using the forum for a week and a half

(EDIT: but I guess the words "Sr. Member" near your moniker settle that one  .   .   .   .   .) or something similar, so please don't be offended, I wasn't trying to insult your intelligence, that's why I wrote what I did at the end, you obviously know what you're doing when it comes to computers.


That's funny though, in a way, since at the time I was suffering from exhaustion from lack of sleep and also had a cold. So yeah I wasn't thinking too clearly, sorry about that.



No, I'm not sure what you mean. I don't normally post on forums, I'm still trying to figure out how the site could think I'm a "Robot, spamming this site" when I often come here to the forum from a bookmark immediately after turning the Wireless switch on.

It makes me think something is still hijacking the system somehow, but then again there could be other answers, especially since the VPN has been doing strange things to the way the browser deals with my websurfing, but that's new to me as well.


2
Now that everything is running fine I would delete the restore points and manually create a new one - the older ones will have the malware in them that you have previously cleaned out and this is a standard practice after disinfection.

I also create regular system images onto an external HDD that I can restore from should something nasty happen and this is the best counter to any infection by Ransomware - saves you having to shell out Bitcoins to have your files decrypted.

One disadvantage about using an external HDD for these images though, is that the new one overwrites the existing one so you need to be sure that all is okay before creating the new one.

I normally run either a chkdsk or sfc /scannow, CCleaner for clearing the cache then a defrag (don't have a SSD fitted) before creating the image.

The free version CCleaner is a handy tool to have installed. https://www.piriform.com/ccleaner

While it has one of the more intelligent Registry cleaners, leave that and the Removing Duplicate File options alone - although you could use the option to find them if need be.

https://www.piriform.com/docs/ccleaner/using-ccleaner

http://www.howtogeek.com/113382/how-to-use-ccleaner-like-a-pro-9-tips-tricks/

There's one thing that you could help me with and that is using multiple quotes in a reply - never have managed to get the hang of that  :smiley:


I got the CCleaner. Yeah, I kind of like it, it seems to work quicker than the Disk Cleanup utility provided by Microsoft, but do you happen to know if it's performing as well and as thoroughly?

I'm making a .jpg of these instructions and tips for my Toolkit folder, and I'm looking into exactly how to do the system image so good timing bringing it up.




About the multiple quotes.

I'm going to use variation brackets {...} instead of the regular brackets [...] so it doesn't actually perform the quote function while I'm explaining it, since then the commands disappear leaving only the text between them.

But that's the key to understanding/remembering how they work, there are the two commands in brackets that act like bookends so to speak, and all of the text that is placed between them is what gets quoted.



The actual function used to quote text on the forum is this:


{quote}   "text to be quoted goes here"   {/quote}



All text placed between the two quoting brackets is what ends up being quoted, and as you know, what you write after/outside of the end quoting brackets ends up appearing as your own text when you post.


To create a second quotation in the same post it's just the same process repeated with another set of quoting brackets placed somewhere in the reply field after your own text.



{quote}   "text to be quoted goes here"   {/quote}


YOUR TEXT, IMAGE, WHATEVER = HERE . . . . .


{quote}    "2nd text to be quoted goes here"   {/quote}


ETC, ETC,




The difference is when you hit the "Quote" button on someone's post it generates the information about the post you're replying to and quoting from by having that information contained within the 1st set of brackets - Name, Topic#, Message#, and Date, which gets written at the top of the quotation when you post. So it looks like this instead:


{quote author=Boggin link=topic=2619.msg17551#msg17551 date=1417624347}   

"text to be quoted goes here"   

{/quote}



Nothing changes with the characters used for the end brackets "{/quote}", it stays the same either way - and of course I'm using dummy brackets instead of the regular ones like I said at the beginning, but you just repeat the process as many times as needed, with or without the post's info.



So it's the same thing except with an addition of information.


Obviously the easiest and quickest way to make sure the info is correct is to begin the process by pressing the "Quote" button on the person's post and then Copy/Paste as needed.



Hope that makes sense, I'm a bit under the weather today + it's cold, dark and rainy, so I'm kind of fuzzy headed too (Ok, more fuzzy than usual). Try it out once or twice on this thread if you want, you can just delete any mistake post - I'll know what's going on, but somehow I have the feeling you'll pick up on it right away just fine, Boggin   :wink:



I do have a couple questions that I want to leave for Shane when he drops by but I'll have to post about them in a while from now, but I wanted to get back to you about the quotes first and foremost.

Take it easy, mate.




3
Just remembered from another forum that MBAM Exploit was updated on 1st December, if you haven't already updated your version.

New features and improvements etc. https://forums.malwarebytes.org/index.php?/topic/132660-malwarebytes-anti-exploit-history-updates/#entry914489

Download link http://www.malwarebytes.org/antiexploit/

I'm not sure if the ESET Scanner will update its definitions if/when you come to use it next, but as it's easily downloaded and it brings itself up to date then, I usually check its box for the auto uninstall when complete.


Actually I did get the update for MBAE and I'll probably end up deleting/uninstalling most of everything I've got except for a bunch of the really good tools and tweaks, not exactly sure yet since I haven't really had time to get used to anything on this laptop.

The AMD Catalyst Control Center demanded a Restart so to be safe I ran AdwCleaner - nothing, Roguekiller - nothing.

I ran the same scans after restart but there was still nothing & ran hyper scan with MBAM - nothing there either, so that's impressive to say the least.

Well done, sir.




4
It sounds like you are good to go but I'll leave the final word for Shane, as he'll probably review your thread as he likes to be aware of any after effects of running WR.

Tom.

Well whatever happens thanks for assisting me this far, you're one of the good guys, Boggin - Tom.



PS - I hate the "EU" too, but I'm with you in that this is neither the time nor the place to discuss politics   :wink:


Stay safe out in cyberland.


5
The original sfc /scannow reported it was unable to repair all files because of a corrupt Components Store.

The /RestoreHealth command repairs the Component Store so the next sfc returns nothing wrong - job done.


Right, and it did a great job, good call.


Are you still getting any "side effects" from running WR ?

I don't believe so, even the McAfee popups are pretty much through popping up. I'll keep a vigilant eye on everything as always but nothing that I know of right now seems to be off.

Just as a recap, what are the security programs you have installed ?



I've left everything from McAfee in place while we worked so it's still there with all the same components. McAfee LiveSafe controls all the other processes installed by McAfee, plus there is McAfee SafeKey used for saving Passwords and File Protection type functions.

Got rid of BrowserGuard, replaced with HitmanPro.Alert   :wink:


The ESET online scanner still exists as a browser extension for performing the online scan if needed, but I have it disabled, if necessary I'll just uninstall it.

I haven't done anything with Microtrend's RUBotted or HijackThis yet, except for turning HT off at Startup & I don't keep it running, but I'll probably uninstall both if everything is OK and just save the Setups in a Zipped file for future use if things become suspicious.

I've left Malwarebytes Anti-Exploit alone so it's running - it's a Beta so I'm not sure how things will play out with its availability as Freeware in the future though.




Also, I've been able to get the HP Assistant to upgrade some of the software related to the Diagnostics and Update features, there is also an AMD Catalyst Control Center with more features for Troubleshooting and Tune-Ups, checking for missing or updated Drivers, etc., I'm looking those things over right now and I see it wants me to download an update for AMD.


Haven't run any other scans except Malwarebytes AM like you recommended - it didn't pick up anything suspicious with the "Threat Scan", so I have it off for now since McAfee is still up and all.




What are your thoughts for what to do now, good Boggin?





6
I'm anti EU as I believe they've interfered too much in the running of the UK - but I don't want to get into politics.


Nah, I mean the people, and cultures - in general, I'm not related to the PoliTicks   :tongue:




Which McAfee program is snagging possible infections ?


Well, Emsisoft keeps picking up those bad Registry files, McAfee Live Safe - Internet Security is the one Alerting about "Changed Programs" ever since I used WR and Restarted. I've been getting popups that say this or that program is trying to reach the internet, that I've allowed it before, but that it's "recently changed", and then it gives me the option to "Allow Always", "Allow Once" or "Block".

I'm sure McAfee's Default is set to block so I'm wondering if that would explain why there is another instance of explorer.exe that showed up right around that time.



I'm running MBAM right now so we'll see what it has to say in a few.


7
Ok I ran the Refresh and it said everything was fine, here's what I got after running sfc /scannow again:



Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.




I'm attaching the recent sfcdetail.txt - unless my eyes are deceiving me or I somehow did something wrong  .  .  .  . it shows zero missing or bad files   :omg:







8
Being in the UK I'm 8hrs ahead of the forum's time stamp so it will be another 9hrs or so before I hit the sack - usually  :smiley:

Tom.

Well Cheers then, mate. I'll probably pass out after a few hours of being up past my usual, but hey, I try.

I did want to point something out while awaiting the Shane, those files HijackThis says are supposed to be missing appear to all be there, I've checked 6 so far - most are Microsoft O/S files with nothing that I can find wrong with them, a few are currently running as I type this out, such as lsass, one was a McAfee file and it's running and appears to be fine.

False positives?

I remember reading this being a possibility with HijackThis 023's - but then again it may be due to all these weird shenanigans with something trying to "hide" my files and it's picking something up. Argghh, it can be pretty frustrating - so many variables.

I'm going to check the rest of the "missing files" to see what's up and finish up these runs.



Love the UK btw, I'm a Europhile, guess it's in the blood.






9
You'll need to wait for Shane to get back to you on any side effects after running WR as it seems to run okay on some systems but produces side effects on others.

If you have any Network problems after a reboot or otherwise, open the admin command prompt and enter -

netsh winsock reset
netsh int ip reset
ipconfig /release
ipconfig /renew
exit

Then reboot, but let us know if any of the commands fail - the release and renew commands will report that neither can be done for the Ethernet if you aren't wired to the router.

Edit - I find it's better to save a snip with a .jpg extender as they expand better when posted in a forum.


I'll look into the jpg extender, thanks.

It's not that I think the WR caused any problems, I'm leaning towards it having fixed what I wanted it to fix, or it least that it worked properly as it's supposed to regarding those things. I really do hope all these little quirks are just that, quirks, considering Win8.1 is still being worked out to a degree, and I guess there must be some residuals leftover from some junkware or whatever, we'll see.

I'll post up what I get from those runs asap - it's my "late evening" now but I'm thinking about making it another "long night" working on this madness.

Thanks Boggin.





10
Stop HJT from running at start and do a scan with the free version of MBAM to see if that finds anything.

Uncheck the box to decline the offer to run a trial of the Premium version if offered. https://www.malwarebytes.org/downloads/

Norton has its own generic names for when it finds something with similar heuristics to other infections, so a Google helps but it can also be a false positive.


Hello Boggin.

I'll switch over to the MBAM asap.

I made use of Shane's Toolbox for a couple things, "Reset Policies Created By Infections", "Unhide Non-system Files", and did the system Restart to see if any of the bad juju had been flushed out by all that's been done and to refresh some things. Interestingly some aspects seem to be working that weren't doing so great, while others still are not working, and some fresh puzzles have popped up.


Should I have two instances of explorer.exe running?



One of them running from Path = C:\Windows\explorer.exe   

Command Line = explorer.exe   

Current Directory = C:\Windows\System32\   

Parent = winlogon.exe(768)


The other instance is listed as "Suspended" in the Auto Viewer running from Path = C:\Windows\explorer.exe

Command Line = C:\WINDOWS\Explorer.EXE

Current Directory = C:\Windows\System32\

Parent = <Non-existent Process>(3008)



Autostart Location for both is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.



Funny thing is the C:\Windows\explorer.exe file is there where it says it is, but there's no file showing up in System32 as "Explorer.exe", so I'm guessing it's just hidden but I haven't investigated that part yet, but it says the C:\Windows\Explorer.exe instance was created 12/1/2014, so I'm thinking it's from Shane's Toolbox giving me access to some of my real files?

What's going on here?

 :shocked:




On top of that, and you may find this interesting considering your affinity for all things McAfee   :tongue:   

After Restarting Windows, numerous regular processes were being questioned by McAfee regarding the Firewall regulations - that in itself is a mystery to me, they were coming up listed as having been Allowed before but said that they had "Changed" and therefore wanted my permission, this included explorer.exe, this could be good or bad, I don't know but again it seems to be from using the Toolbox because NUMEROUS files were showing up as having been brought out of Hiding before the computer restarted, I'm just not sure where a list would be yet - I thought a report/log would pop up after the restart but didn't see one yet, I'll have to dig around.

Since it was new to me I popped open the Snipping Tool to get a little screen shot for good measure, but when I X'ed out the .PNG the McAfee Alert was already gone, so I can't be sure what McAfee chose to do, I don't know its default action for that, I can't seem to learn fast enough to catch up with everything, though I am definitely trying.


Is it possible McAfee froze Explorer.exe but being essential a "temporary" somehow came up in its place?? Or did McAfee "accidentally" halt





The DISM /CheckHealth and /ScanHealth commands don't repair anything and are basically read-only.

Run Dism /Online /Cleanup-Image /RestoreHealth followed by another sfc /scannow to see if that still reports it is unable to repair some files.

If it still reports that it is unable to repair some files, then you're probably looking at the Refresh recovery option. http://windows.microsoft.com/en-GB/windows-8/restore-refresh-reset-pc

This will remove any 3rd party programs you have installed so you will need to decide which of those security programs you want to reinstall.


Gotcha, Dism /Online /Cleanup-Image /RestoreHealth is running right now, I'll run the second command as soon as it's finished.

Let's just hope it doesn't come to needing a Refresh.

Thanks again.

11
Sorry for the late post, holiday weekend and I just got back in my office :-)

How are the amount of network connections and cpu doing now after those scans?

My new toolbox has a netstat viewer in it that can show all the connections on the system and what processes are making them, if you still have a lot of them I can grab the beta I am getting ready and have you use it to copy the netstat list so I can see what is making all the connections.

Shane


Completely understandable, but thanks! I'm just grateful for help being available like this. My apologies for getting back so late in the day but as I mentioned in my last post I have different hours than normal these days, we're in my "early morning" at the moment   :tongue:


Network connections appear OK and I've been monitoring the ports now and then and I think (emphasis on "think") pretty much everything can be accounted for at this point, at least it seems that way while I am monitoring.

Though it really does look like some one or some thing is changing settings for Iexplorer, and other functions, and setting registry files to disable key functions, I see some "NORUNS" and "DISABLE" this or that keep popping up - I still have a few things to catch up on from what Boggin has brought to my attention so I'll know a little more in a short while, but not being sure about those commands Emsisoft software and Roguekiller keep snagging makes me hesitant to do a Windows Restart even though it might deal with other issues that may have been fixed now since that is when the worst problems have arisen in the past - I have to restart for whatever reason then suddenly I have no access to this and that, usually the network and most or all security functions.

As for your Toolkit, sure I'll try just about anything you've got, I've been looking at your main website too, top notch my friend, the Simple Internet Meter kicks you know what!!

One thing I'd like to know, if possible, are there certain settings I'm able to check before doing a restart to be basically sure I won't be screwed upon Windows re-opening? Task Scheduler and Autoruns comes to mind, but certain special or hidden things to look out for?



Good for you that you had a nice Holiday weekend, and thanks for the reply.


12
Sorry for the typo.

Did you run the DISM /Online /Cleanup-Image /CheckHealth command to see what that reported - while I don't have Win 8.1 to see exactly how that cmd reports, I assume it would be similar to running chkdsk in Win 7 etc. without any parameters and when it finds something amiss, it would recommend either the /f or the /r switch.

Depending upon what /CheckHealth reports, using the /RestoreHealth switch can fix the Component Store and then redo the sfc /scannow cmd to see if it still reports corruption.

Please, no worries about the typo, stuff happens    :smiley:


Yes, I ran the scan:


C:\WINDOWS\system32>Dism /Online /Cleanup-Image /ScanHealth

Deployment Image Servicing and Management tool
Version: 6.3.9600.17031

Image Version: 6.3.9600.17031

[==========================100.0%==========================]
The component store is repairable.
The operation completed successfully.



I'm not sure what to do now, so I wanted to check. I'm reading through the site you linked me to right now.



Also had a question, are all of the files showing up as corrupt in this report Video/Display related??

There has been an AMD Video related download that the HP Helper/Assistant has had problems with but the alert for it has disappeared and when I run the Video/Display Troubleshooter it doesn't go past the first screen where it asks for which option to troubleshoot, so I'm not sure what's going on with it, I'm trying to figure that out right now too.

I went to the HP site several times before trying to get whatever download was being suggested straightened out but kept being sent to the same pages that didn't do anything to help, just got the Assistant running again and encountered the same problem.

Besides it looking like it can be fixed anyways, is this possibly related - older files that need to be switched out by an HP download?




*(Just an FYI, due to my particular circumstances my hours are a bit different than most. 3 pm to me is like most people's 7 or 8 am, that's about the time I get up, my "morning" if you will. So when 16 hours goes by and 7 or 8 am rolls around, usually it's "nighty night" time for me. I realized my response time frame might seem strange without knowing about that, so that's why I bring it up.)


EDIT: This is the last Rogue Killer scan I've done, today in the wee morning hours, my yesterday, I haven't done any since. The first 4 I believe are just from setting the HijackThis to monitor on Startup, but the rest appear problematic.

After I hit Delete, one deleted, one said error (2), and the others said "replaced ()"



Below is what Emsisoft keeps snagging.


Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS    detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS    detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS    detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN    detected: Setting.NoRun (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN    detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN    detected: Setting.NoRun (A)
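As an added example that is not part of the thread: a PowerShell audit of the same four policy values Emsisoft flagged above (NoFolderOptions, NoRun, DisableTaskMgr, DisableRegistryTools), checked under HKLM and under every user hive loaded in HKEY_USERS, so you can see which restrictions are still live after a cleanup tool has run. The key and value names come from the detections above; Get-PolicyRestrictions and the rest of the script are mine.

```powershell
# Added example, not from the thread. Reports which of the Explorer/System
# policy restrictions listed in the Emsisoft detections are currently set,
# under HKLM and under every hive loaded in HKEY_USERS (.DEFAULT, S-1-5-18,
# the logged-on user's SID, ...). Any non-zero data means the restriction is live.

$PolicyChecks = @(
    @{ SubKey = 'Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ SubKey = 'Policies\Explorer'; Name = 'NoRun' },
    @{ SubKey = 'Policies\System';   Name = 'DisableTaskMgr' },
    @{ SubKey = 'Policies\System';   Name = 'DisableRegistryTools' }
)

function Get-PolicyRestrictions {
    # HKEY_USERS has no PSDrive by default; map one so every loaded hive can be walked.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # One CurrentVersion root per hive; the *_Classes hives never carry these policies.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion')
    $roots += Get-ChildItem -Path 'HKU:\' |
              Where-Object { $_.PSChildName -notlike '*_Classes' } |
              ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion" }

    foreach ($root in $roots) {
        foreach ($check in $PolicyChecks) {
            $key  = Join-Path -Path $root -ChildPath $check.SubKey
            # Missing key or missing value simply yields $null; that is the clean state.
            $item = Get-ItemProperty -Path $key -Name $check.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $data = $item.($check.Name)
                if ($data -ne 0) {
                    [pscustomobject]@{ Key = $key; Value = $check.Name; Data = $data }
                }
            }
        }
    }
}

$hits = @(Get-PolicyRestrictions)
if ($hits.Count -eq 0) {
    'No Explorer/System policy restrictions are set.'
}
else {
    # Each hit is worth explaining before it is removed: a domain GPO or a kiosk
    # lockdown sets the same values legitimately. Remove-ItemProperty clears one.
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so that the hives of other users under HKEY_USERS are readable.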




13
Hi Boggin, thanks for all your help so far.

I'm just going to copy/paste the quotes I want to reply to since I'm not familiar with the board.

I realize everyone is volunteering their time to help here so I'd like to take up as little of it as possible, but believe me I am grateful for it.



"You could use Win 8.1's Windows Defender supplemented with Avast Free as the latter doesn't have its own firewall and will run with any other active AV program because of that - but if you decide to go that route, check that WD is turned on."



If you're aware of a certain combination of AV/Anti-Spyware/Firewall/Security etc. that works and you're pretty confident about it then I'm all ears (eyes really, I guess) I'd rather use as much of Windows' integrated features as possible, as long as they are truly effective and make things run smoother, at the same time adding as little as possible. As long as the job gets done the right way I'll be perfectly content.

The McAfee LiveSafe is insanely bulky but it comes off in the literature as if you're really going to be taken care of, all bases covered and so on  :undecided:  so I wasn't too keen on ditching the whole thing right away, but now .   .   .   .   .



"The 1/50 VirusTotal.coms are nothing to worry about and it probably snagged AdwCleaner because of its intrusive capabilities."



Right, no, I understand that it's usually nothing at all to be concerned with when seeing a 1/**, I tend to be thorough, sometimes overly thorough, I've found it usually helps more than it hurts ~ usually  :undecided:

Also I've learned from my own experience it can be useful to throw in a minor little detail here and there for others down the road who may be dealing with similar issues and looking through the forums for answers. It IS kind of freaky when you're having problems you don't understand and McAfee popups keep telling you that it has found "ARTEMIS/****....."!! :evil:  numerous times.

I read over some topics about why some companies/groups classify certain files in certain ways, like the Google add-on options and so forth, unfortunately McAfee classifies so many things as "ARTEMIS/*****.....". It just takes time getting to know these things.





"Instead of Browser Guard, try HitmanPro.Alert which I know doesn't cause a conflict - I'm running that with Norton 360 in Win 7 x64 HP.

http://www.surfright.nl/en/cryptoguard

I Googled the McAfee LifeSafe and SafeKey but it's up to you if you want to keep them - don't think they would cause any conflicts but I don't like any Toolbars on my laptop - least of all anything from McAfee."




Will try HitmanPro.Alert, thanks for the tip.

I'd also like to have as little add-on bulk as possible, myself. I've had this sucker about 2 weeks now, and prior to last month I'd really never delved into any of the technical issues of computing/networking, as I'm sure everyone can see.

That's all changed now.




"I think MBAM Anti-Exploit should be okay - I just have the free version of MBAM installed.

To eliminate any possible security program conflicts, it's probably just to go back to basics for the purpose of troubleshooting and then you can decide what you want to add/change later."


Gotcha.


I like the way everything is gone over in detail at the sevenforums, I'll def be putting in some mileage reading over there.

One thing I've noticed is there is often 2, 3, sometimes 5 or 6 DIFFERENT places one has to look to find the right information/instructions/help topics when dealing with these Windows functions and applications, settings, etc., sometimes it takes quite a bit of hunting just to get the very basics. It takes a lot of time, trial and error to finally run across everything that's needed to know I guess.



14
Hello jraju.

Hi, since you mentioned there is a loss of SR points, I think that some PUP or rootkit would have messed up the things. I think that you have done all the tests and the results show needed and not known details to locate the exact problem.
I do not mean that you got this virus or rootkit from suspicious sites, but nowadays everything is bundled in to the genuine downloads.
Please, there is a way to limit the sfc details txt to only know the problematic area which is given in sevenforums links. If I remember I will enclose the link. SFC only scans about system integrity files and copies the missing essential files from the storage the installation drive the computer has. I think that your problem needs Shane's deep look in to the logs.
Applying many tools in my case has made some of my system files deleted which have to be replaced. I would therefore request you to send the problematic log files from sfc details.txt and await Shane's advice.


Sure I know what you're saying about the bundles and everything, I didn't take offense but just wanted to highlight the fact that I was doing everything I could from Day 1 to be safe and secure. No problems  :wink:

 
In fact some problems exist with files and programs in a brand new Win OS all by itself, a reality I'm starting to understand more and more every day, but I'm sure you guys knowing what you know are very much aware of this reality.


I'm not sure if you saw but I did get the sfc text file finally which I attached after originally attaching the larger file, there was a typo of some sort but I figured it out.

Or was the second attachment not the correct one?

Thanks.

15
Not sure if that went through, I'm not seeing the post.

Well if this is redundant I apologize but I just wrote that I am going over all the new replies to make sure I've followed everything, and a thanks for all the helpful feedback.


16
OK, I am able to get back on.

Thanks guys for all the feedback, I want to go over everything and make sure I've followed all the steps/advice and then I will post, but for now I have internet access   :cheesy:


17
It looks like something was getting lost in the translation, I copied the text from the http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html  page and it worked just fine.



[Edit: Here is the above text copied and pasted  findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log\ >"%userprofile%\Desktop\sfcdetails.txt"
and here is the text directly from the website      findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"
See it?]



Here it goes:
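As an added example that is not part of the thread: the findstr one-liner above done in PowerShell, with a summary of what the extracted [SR] lines actually report, tried first against a few constructed lines in the CBS.log [SR] layout so it runs without a real log. Get-SfcSummary and the sample lines are mine; the log path is the one the findstr command reads, written without the trailing backslash that broke the pasted copy.

```powershell
# Added example, not from the thread. Reads the [SR] lines that sfc writes to
# CBS.log (what the findstr one-liner extracts) and reports which files were
# repaired and which were never repaired. Note the log path at the bottom: no
# trailing backslash after CBS.log, which is what made findstr fail to open it.

function Get-SfcSummary {
    param([string[]]$SrLines)

    $unrepaired = New-Object 'System.Collections.Generic.List[string]'
    $repaired   = New-Object 'System.Collections.Generic.List[string]'
    $complete   = $false

    foreach ($line in $SrLines) {
        if ($line -match '\[SR\] Cannot repair member file \[[^\]]*\]"([^"]+)"') {
            $unrepaired.Add($Matches[1])
        }
        elseif ($line -match '\[SR\] Repaired file .*"([^"]+)" by copying from backup') {
            $repaired.Add($Matches[1])
        }
        elseif ($line -match '\[SR\] Verify complete') {
            $complete = $true
        }
    }

    # sfc commonly logs "Cannot repair" on the verify pass and "Repaired file" on
    # the repair pass for the same file; only files never repaired are a problem.
    $stillBroken = @($unrepaired | Where-Object { -not $repaired.Contains($_) } | Sort-Object -Unique)

    [pscustomobject]@{
        VerifyComplete  = $complete
        RepairedFiles   = @($repaired | Sort-Object -Unique)
        UnrepairedFiles = $stillBroken
    }
}

# Constructed sample lines in the CBS.log [SR] layout (not taken from a real machine).
$sample = @(
    '2014-12-01 03:15:22, Info  CSI  00000009 [SR] Verifying 100 (0x0000000000000064) components',
    '2014-12-01 03:15:30, Info  CSI  0000000a [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, Version = 6.3.9600.16384, hash mismatch',
    '2014-12-01 03:15:30, Info  CSI  0000000b [SR] Cannot repair member file [l:20{10}]"broken.sys" of Broken-Component, Version = 6.3.9600.16384, hash mismatch',
    '2014-12-01 03:15:31, Info  CSI  0000000c [SR] Repairing 2 components',
    '2014-12-01 03:15:32, Info  CSI  0000000d [SR] Repaired file \??\C:\Windows\System32\\[l:22{11}]"example.dll" by copying from backup',
    '2014-12-01 03:15:33, Info  CSI  0000000e [SR] Verify complete'
)
Get-SfcSummary -SrLines $sample | Format-List

# Against the real log: same path the findstr command uses, no trailing backslash.
$logPath = Join-Path $env:windir 'Logs\CBS\CBS.log'
if (Test-Path -LiteralPath $logPath) {
    $srLines = Select-String -LiteralPath $logPath -SimpleMatch -Pattern '[SR]' | ForEach-Object { $_.Line }
    Get-SfcSummary -SrLines $srLines | Format-List
}
```

With the sample lines, example.dll ends up under RepairedFiles and only broken.sys under UnrepairedFiles, which is the distinction worth making before deciding a Refresh is needed.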

18
Thanks for the links. Not only are computers speaking a different language, they're in a totally different dimension, but with the right information it's not so bad.


As of right now I'm getting this with the Admin Cmd Prompt

FINDSTR:  Cannot open C:\Windows\Logs\CBS\Cbs.log\


The file is still there, I checked. Is there a different route to take on this one? I tried using GMP for higher elevation but no deal.


19
You said you didn't recognize some of the apps/programs so I came back to mention that a couple of the tools folders I renamed so they wouldn't get deleted, but they're basically similar to the original name, but I remembered something else that might possibly factor into some of this.

The VPN I'm using is CyberGhost and it has features to protect IP and also to protect from website tracking, including masking the OS & Browser type/model.

The only thing is for some reason it's not letting me pull up the UI right now so I'm unable to copy exactly what the features are and VPN is pretty new to me, like everything else actually. I know I don't have the OS/Browser hide checked, but I'm sure I have the tracking protect features checked. I'll try to get to the UI as soon as possible if you think it's a need-to-know type thing.

20
I don't know whether to laugh or cry, I had to prove I wasn't a Robot spamming the site before I could post this reply.

Hmm.


Yes, that's possible. I was actually pondering switching over to Trend Micro's AV/AM & Security software when I was doing the latest scans but just decided to leave whatever was running the way that it was out of plain old exasperation. Originally I was only running McAfee LiveSafe and its accoutrements, and during this last fiasco when the computer shut down and the settings began changing again (when I rebooted and signed back in the firewall was turned off and stayed off for quite some time, neither Windows Defender nor McAfee would take up the job, the smartscreen was on the fritz, etc.) all I had for a Browser was iexplorer, which has since disappeared from Start and Taskbar and kept switching me to Proxy when I don't use a Proxy (the AP has HTTPS sign-in with password as Proxy). But now I'm wondering if iexplorer.exe being reported as having 'Image Hijack' by the Autoruns Viewer actually stemmed from it being linked to both the classic view and the Win 8.1 view, therefore its deletion was in fact the deletion of its image connected up to more than one region in the OS?? (I apologize for not knowing all the proper terminology yet, but I'm sure you know what I'm getting at) so your thoughts about that are in the ballpark with at least some of what's been going on likely being due to conflicts of one kind or another from the beginning.


*As for running Process Explorer, I didn't start up every program that I have while it was on but I did power up a bunch of non Microsoft progs/apps, ironically after connecting up with VirusTotal the first one to catch my attention was Process Explorer itself with 1/55, and the Screen-Cast-O-Matic 1/55 as well.


VirusTotal has "procexp.exe" listed as 1/55 - Antiy-AVL = Trojan[:HEUR]/Win32.AGeneric

And screencast-o-matic.exe listed as 1/55 - Bkav = W32.Clod98d.Trojan.5ae1



Which are probably the two programs that are the least of my worries. I haven't researched what these companies have said for their reasons yet since I'm trying to get this info back to you as quickly as I can but I'm guessing these classifications are due to their particular rating standards / PUPs?

I've only switched SoM on recently just to test it but if I remember correctly it basically hijacks the Java app when it's in use and combined can cause freezing, so that's a possible complaint factor, but I've never had any problems with it other than occasional short term freezing that I know of.


* Ok after running AdWCleaner at the end here I find it listed by VirusTotal as 2/55 - Jiangmin = TrojanDropper.FrauDrop.uic 

&  TrendMicroHouseCall = Suspicious_GEN.F47V1124,

(VirusTotal's "Relationships" tab mentions the AdWCleaner file being sent to them in a bundle itself, so that may be why, not sure yet)



*Created the HOSTS file, everything seemed to work out ok.


*Adwcleaner only shows two folders associated with the Browser Guard, I'll just leave them be for now though I may get rid of the whole thing later depending on which AV/AM/Security brand I end up going with, I actually do want to have a singular and harmonious interaction of all the apps, just that I've been in Emergency mode and a bit of trial & error mode lately  :thinking:  :wink:



*Ran sfc /scannow, it created CBS.log file which I'm attaching, it said there are some problems.


Also when I open the Windows\Logs\CBS folder to get to it every other file in that folder is called "CbsPersist_...***..." with date numbers/etc numbers after the _ the only difference being variations of the date numbers/etc #'s.

There are 5 of these "CbsPersist" files, only the recently accessed/modified one is in Blue in the directory, and so is the CBS.log file just accessed by running the command to scan.



That most recently accessed/modified "CbsPersist" file in Blue is listed as



CbsPersist_20141130120102

Text Document (.log)

Location   C:\Windows\Logs\CBS

Size   88.2 MB (92,504,506 bytes)

Size on Disk   22.2 MB (23,367,680 bytes)

Created   Wednesday, April 2, 2014, 2:49:52 AM   (at least it's not dated from 1869 like the WSCMD.dll "Wondershare" linked/hijacked file had been before the Refresh, and Wondershare had come straight from their professional site!)

Modified   Today, November 30, 2014, 10 hours ago



The other 4 "CbsPersist_...###..." files are between 2.24 and 3.6 MB.




The Subnet Mask for the TAP=WA-9 is the VPN.

21
Hi jraju, thanks for replying.

Actually, most of my original restores were deleted somehow  :teeth:  though I was able to get a system "Refresh" off a few days ago back to the earliest point where I thought it was OK, which has definitely helped quite a bit, but there are only Restores for the past 3 days available to me.

The truth is I really don't download very much but when I do it's just videos from youtube and the occasional PDF about WW2 or something else I'm researching or simply interested in. I don't use any other Social Sites (if Youtube really even qualifies as one) and I don't visit anything even close to porn sites or use any kind of gaming software. On top of that, beginner though I be, I use URL Scanners, check my files before opening them, keep virus/security software running at all times, use smartscreen, med-high level web settings, etc.

The problem I'm seeing is someone simply seems to know how to get into the network and at the very least put something on my system, and that what's being done is being done to perpetuate the use of my things while giving off very little reason for detection as everything it does appears to work on the sly, little by little, you know, and only when I begin trying to gain back control over my computer's settings and functions, and then to get rid of the stuff, does it really begin to get aggressive. There seems to be a bit of intelligence behind what is going on. So my other concern is based on the fact that even though I may at some point become "clear" as far as what's on the system goes, I will still be vulnerable to people gaining access.

In any case I've downloaded numerous tools from websites I've come to trust for the most part over the last few weeks, and that have been mentioned here in a positive light so I have some logs, perhaps they will help to figure this out.

In the meantime I'm looking for a good beginner's but comprehensive tutorial or manual on shoring up one's PC for use on public network, where I live there are about 150 units, maybe 500 people altogether who use the same Access Point to connect up, not the best for staying secure but for now it's all I've got, but the problem may be just that - that it's public and up for grabs by those in the know about computers & networking, and have no scruples.

I know for a fact my stuff has been used for nefarious purposes by someone other than myself due to being told that my IP was blocked for being a "known spammer", that just isn't me at all. I have the feeling other people in my complex may be dealing with similar problems possibly stemming from the same origins, but I am not sure, but after finding out that I have been getting into fixing my PC and beginning to study things related to what's been happening, several of my neighbors here in the complex who are even more "Beginner" than I am have approached me asking for help and advice about problems they're having with their own PCs as well (luckily I was actually able to help the first one because it wasn't very complicated and I'll be trying to help another one tonight, the other one's is too complex - similar to problems I'm having so I have to pass at this point in time) and they seem to be similar in nature but I can't say for sure yet, it just wouldn't surprise me that criminals would take advantage of circumstances such as those we have with a public access point.



Now, as far as logs and reports go I'm not sure what's best to post so here are a few choice reports (almost all the tools have been downloaded AFTER the problems returned, and yes I've been a bit scan-happy, maybe jraju is right so I am going to get a little sleep for now  :sleep: ) that may be good to work with, at least for starters.

Thanks guys.


22
Hello,

I'm not quite sure what to do here, I've been hit with so many things that my head is kind of spinning. This is all very new to me though I'm trying to learn how to deal with it as fast as I can. I've already gotten rid of a few malware/virus problems, which may or may not be completely gone, and may or may not be returned to me anyway due to what looks like a whole lot of hijacking of my equipment and resources (flurries of TCP traffic coming and going, 100% CPU at times, changes to & destruction of OS settings and files, etc). I'm pretty new to the Networking scene and only know some of the basics of Windows, but that is changing - too slowly unfortunately, for the moment at least.


I'm running Windows 8.1 on an HP 15 laptop and can supply any info and logs that you might need to help, which would be very appreciated since I'm kind of overwhelmed here. I did read the little sticky: that you run your own shop and have a family and still volunteer your time is commendable indeed, and I appreciate that your time is limited.

Having said that, I'm not sure what type of log would be best to post initially, I may have missed it, but if I come across information related to that before receiving a reply I will do whatever and then post it up.

Thanks in advance.

