
Apears to be Remotely Accessed Even Offline


#16
Terry Noble
    Member
  • Topic Starter
  • 15 posts
Hello again Dakeyras :),
Well, I got another good night's sleep, no nocturnal activities by the computer last night to awaken me. Of course I am hopeful that means the problem is resolved, but I have not seen any reports of found malware, although I may have overlooked something that your eyes have caught. I said this really just to lead in to something I want to mention that you probably have no way of knowing through the log files I have sent, but I could be mistaken about that as well. This computer is usually stationed at another location where broadband is not available except by a wireless air card device. I had been using the air card here too off and on, as well as using the DSL 3M connection at this location. For the past two and one half days I have only used the DSL hard-wired ethernet connection, NOT a wireless connection, not even to my wireless router, only through the ethernet cable; my router has a hardware firewall that I have set to maximum security. The first day of this three-day period I am speaking of, I had it hooked up to the air card for the first half of the day and then disconnected the air card and hooked up the ethernet cable. That night I had some erratic activity, but not as many things happened as usual, only a few documents and picture folders opened; the last two nights there has been no activity at all. This may be coincidental, but I thought I should mention it to you so as to keep you fully informed as best I can of what I have witnessed happening with the computer. I know that the air cards have a phone # associated with them; I don't know what type of security measures they take to protect them from hackers and the like.

Once again I want to thank you from the bottom of my heart to the top of my head for all the time and effort you are putting into this, I have no idea where you live at present and this is not a fishing expedition to find out but I would be more than happy to find out you were my neighbor and we could maybe share a spot of tea or a cup of coffee. I hope and pray your day is productive, profitable, and blessed in every way possible.

Below you will find the log files you requested:


All processes killed
========== FILES ==========
C:\windows\Tasks\HPCeeScheduleForOWNER-HP$.job moved successfully.
C:\windows\Tasks\HPCeeScheduleForowner.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Kiosk
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: owner
->Temp folder emptied: 4767553 bytes
->Temporary Internet Files folder emptied: 88387885 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 745 bytes

Total Files Cleaned = 89.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05122011_213042

Files\Folders moved on Reboot...
C:\Users\owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3K8SQS7C\like[2].htm not found!
C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3K8SQS7C\tweet_button[5].htm moved successfully.
C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3K8SQS7C\xd_proxy[1].htm moved successfully.
C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

Registry entries deleted on Reboot...






Here is the online scan report:



ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=2331945b1f270d47b5104d1065335a35
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-13 07:32:02
# local_time=2011-05-13 02:32:02 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 0 56798841 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=508509
# found=0
# cleaned=0
# scan_time=16531


#17
Dakeyras
    Anti-Malware Mammoth
  • Expert
  • 9,770 posts
Hi and thanks for the update! :)

Quite the interesting read actually... Air Cards are basically a plug-in pseudo modem, though a tad more complicated than that, and to the best of my knowledge the security for using such is actually what the machine it is used on has installed, say Anti-Virus software etc.

Now as a precaution, the next time you do use your Router, reset it and apply a new admin password and have a quick check in the router installation routine, i.e., look at the IP addresses in the router set-up to make sure no extras have been added that you do not recognise.

Once again I want to thank you from the bottom of my heart to the top of my head for all the time and effort you are putting into this, I have no idea where you live at present and this is not a fishing expedition to find out but I would be more than happy to find out you were my neighbor and we could maybe share a spot of tea or a cup of coffee. I hope and pray your day is productive, profitable, and blessed in every way possible.

You're most welcome, I both understand and appreciate what you mean and take it for what it is and in turn say thank you. All I will say is I am a native Gaeilge speaker though not in the land of my birth and even after all these years sometimes my written English lets myself down as I tend not to think in English at all if you understand that somewhat bizarre train of thought. :unsure:

Anyway levity aside....

Next:

Out of date Java installations pose a security risk. They can be used by malware as a means to infect a computer and/or re-infect. We will update this shortly.

Now please go to Start(Windows 7 Orb) >> Control Panel >> Programs and Features and remove the following (if present):

Java™ 6 Update 24

To do so click once on the above to highlight it, then click on Uninstall and follow the prompts.

New Java Installation:

Note:- This is for the 32 bit version of Internet Explorer only.

  • Click here to visit Java's website.
  • Scroll down to Java SE 6 Update 25 (JDK or JRE). Click on Download JRE.
  • Check (tick) Java SE Runtime Environment 6u25 License Agreement box.
  • Click on jre-6u25-windows-i586.exe link next to Windows x86 Offline to download it and save this to a convenient location.
  • Right-click on jre-6u25-windows-i586.exe and select Run as Administrator to install Java.
Note: During installation de-select the option to install McAfee Security Scan Plus if offered.

If you also use the Internet Explorer (64-bit) browser with Windows 7 and want Java installed also, you will require a separate 64-bit installation as follows:-

New 64-bit Java Installation:

  • Click here to visit Java's website.
  • Scroll down to Java SE 6 Update 25 (JDK or JRE). Click on Download JRE.
  • Check (tick) Java SE Runtime Environment 6u25 License Agreement box.
  • Click on jre-6u25-windows-x64.exe link next to Windows x64 to download it and save this to a convenient location.
  • Right-click on jre-6u25-windows-x64.exe and select Run as Administrator to install Java.
Note: During installation de-select the option to install McAfee Security Scan Plus if offered.

Next:

Let myself know when you have completed the above and if there are any further issues... if not, we will remove the tools used during the Malware Check/Removal process and I will provide some advice about online safety.

#18
Terry Noble
    Member
  • Topic Starter
  • 15 posts
Hello again Dakeyras :),
I have completed the updates to Java, both 32 and 64-bit versions, and I truly want to thank you for bringing that to my attention. I hadn't noticed that there were two versions of IE on this computer; I will have to investigate the difference between the two and what version would be better for what activity. I am assuming from my understanding of your last post that you have declared the computer malware free. That is great news if so; I have learned many things from you in this process and am extremely grateful for all you have done here. I am looking forward to the advice you will give on online safety, and if it would not be out of line to ask, I was wondering if you could guide me in setting up Windows Firewall or another Firewall that you would recommend to keep this computer from being breached again. I realize there are no guarantees that a hacker can be stopped from getting in, but my knowledge of firewall setup is very poor. Thus far today there have been no other erratic behaviors, but it is still early compared to when it usually takes place. I still have it hooked up to the DSL connection that is protected by the hardware Firewall; I want to have a good software firewall set up with adequate restrictions before hooking it back online with the 4G air card. Also I was wondering if you could explain in a bit more detail the resetting of the DSL Router. I understand, I think, how to set up a different password and that sort of thing, but I am a bit confused about checking for additional IP addresses. The router I am using here is a Verizon model 7500 standard issue router with wireless radio broadcast and a 4 port switch built in. If I am asking too much from you, I will understand and will think no differently than I do now about your kindness in helping me thus far in this dilemma I was in. If the intruder shows up in the wee hours of this morning I will post another reply to let you know.
Thank you for your professionalism and kindness throughout this ordeal, you are true friend material, which is rare to find in this online world.

#19
Dakeyras
    Anti-Malware Mammoth
  • Expert
  • 9,770 posts
Hi. :)

I have completed the updates to Java, both 32 and 64 bit versions and I truly want to thank you for bringing that to my attention, I hadn't noticed that there were two versions of IE on this computer, I will have to investigate the difference between the two and what version would be better for what activity.

Basically the difference between the browsers is that the 64-bit version is in theory a tad more secure and is supposedly faster also. The only drawback with the latter is that not all applications, say ActiveX-wise for example, are truly compatible, and the same would apply to certain websites. Overall eventually all should be truly 64-bit compatible, but that may be some time off just yet.

I was wondering if you could guide me in setting up Windows Firewall or another Firewall that you would recommend to keep this computer from being breached again, I realize there are no guarantees that a hacker can be stopped from getting in but my knowledge of firewall setup is very poor.

By all means... This article I wrote some time ago explains briefly what a Firewall is; just scroll down the page. Now the inbuilt Firewall with Windows 7 is a vast improvement upon its predecessor with Vista, and the earlier version again with XP SP3. It does provide both inbound and outbound protection and is configurable. The below article written by an MVP is a useful resource:-

How to configure Windows 7 Firewall

To check that your firewall (be it a software application and/or a hardware router in-built type) is correctly configured and there are no open service ports:

Please visit Shields-Up by Steve Gibson.

  • Scroll down the page and click on the 'Proceed' button/tab.
  • Click on the 'All Service Ports' option, located under 'ShieldsUP!! Services'.
  • The scan will now begin.
  • If the result is anything but 'Your system has achieved a perfect "TruStealth" rating', post back which port(s) are 'Open/Closed'.
Now personally I only use the Windows 7 Firewall on both of my machines with the Operating System, in conjunction with the NAT (Network Address Translation) feature of my Router. Though I do appreciate some do prefer a third party install, and the three below are applications I would recommend, but of course only use one and ensure the Windows 7 Firewall is disabled:-

Jetico Personal Firewall

Online Armor Firewall

Windows Firewall Control

The router I am using here is a Verizon model 7500 standard issue router with wireless radio broadcast and a 4 port switch built in.

This site has all the information required; also, if you click on the User Guides link you will be able to download a PDF format manual for your particular Router, and if you have an Installation Disk for your Router the user manual should be on that also.

Thank you for your professionalism and kindness throughout this ordeal, you are true friend material, which is rare to find in this online world.

You're most welcome and thank you for the compliment also!

Next:

Congratulations your computer appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the below listed topics, as this will go a long way to keeping your Computer performing well.

Help! My computer is slow!

As is this:

What to do if your Computer is running slowly

Uninstall ComboFix:

  • Click on Start (Windows 7 Orb) >> Run...
  • Now type ComboFix /Uninstall into the Run box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
Reset SR Points/Clean up with OTL:

  • Right-click OTL and select Run as Administrator to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Commands
[ClearAllRestorePoints]
  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered. When finished click on OK and close the log that appears.
  • Note: I do not need to review the log produced.
  • Now close all other programs apart from OTL as this step will require a reboot.
  • On the OTL main screen, depress the CleanUp button.
  • Say Yes to the prompt and then allow the program to reboot your computer.
The above process will flush old System Restore points and create a new clean one. It should also clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan at least once per week.

Other installed security software:

Your presently installed security application, Microsoft Security Essentials, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this also at least once per week.

Erunt:

Emergency Recovery Utility NT. I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself I would actually create a new back up once per week as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:

  • Click on Start(Windows 7 Orb) >> All Programs >> Windows Update.
  • In the navigation pane, click Check for updates.
  • After Windows Update has finished checking for updates, click View available updates.
  • Click to select the check box for any found, then click Install.
  • When completed Reboot(restart) your computer if not prompted to do so.
Be careful when opening attachments and downloading files:

Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts:

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice is avoid these types of software applications.

Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

A replacement Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:

Only use one of the above!

Install WinPatrol:

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here.

You can find information about how WinPatrol works here.

Next:

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center

Any questions? Feel free to ask, if not stay safe!
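The Hosts file advice above works because every blocked name is mapped to a loopback or null address; the same mechanism, pointed at an outside address, is how a Hosts file hijack redirects a legitimate site. The following is an added example, not part of Dakeyras's post or any of the tools he links: a small Python audit that parses a Windows-style Hosts file and flags any mapping that is not loopback/null and not on an assumed, hypothetical allow-list of known LAN names. The sample Hosts content and the 203.0.113.5 address (a documentation range standing in for an attacker-controlled server) are constructed for this example.

```python
"""Audit a Windows-style Hosts file.

Every mapping should point at a loopback/null address (127.0.0.1, 0.0.0.0,
::1); anything else means a name is being redirected somewhere, which is the
pattern of a Hosts file hijack rather than of a blocklist entry.
"""
import ipaddress

# Constructed sample, not a real Hosts file. 203.0.113.5 is a documentation
# address standing in for an attacker-controlled server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# start of blocklist (ad/spyware sites sent to loopback)
127.0.0.1  ads.example-tracker.net  banners.example-tracker.net
0.0.0.0    spyware.example-bad.com
# suspicious: a vendor site pointed at an outside address
203.0.113.5  update.example-antivirus.com
192.168.1.20 fileserver.lan   # legitimate LAN mapping
"""

# Addresses a blocklist legitimately maps names to.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Hypothetical allow-list of (ip, hostname) pairs an admin knows about.
KNOWN_GOOD = {("192.168.1.20", "fileserver.lan")}


def parse_hosts(text):
    """Return (lineno, ip, hostname) for every mapping, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # no hostname on this line
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed address, skip
        for name in names:                     # one line may list many names
            entries.append((lineno, ip, name.lower()))
    return entries


def audit_hosts(text):
    """Classify each mapping: loopback, blocked, allowed or REDIRECT."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip in SINK_ADDRESSES:
            verdict = "loopback" if name == "localhost" else "blocked"
        elif (ip, name) in KNOWN_GOOD:
            verdict = "allowed"
        else:
            verdict = "REDIRECT"               # name sent to a real address
        findings.append((lineno, ip, name, verdict))
    return findings


def redirects(text):
    """Only the entries a defender needs to look at."""
    return [f for f in audit_hosts(text) if f[3] == "REDIRECT"]


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %2d  %-14s %-32s %s" % finding)
```

On a real machine the text would be read from %SystemRoot%\System32\drivers\etc\hosts; the MVPS-style blocklist files discussed above consist almost entirely of entries the audit classifies as "blocked".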

#20
Terry Noble
    Member
  • Topic Starter
  • 15 posts
Hello again Dakeyras,
The computer is running great with no more erratic behaviors yet, I still have not put it back on the air card yet, I wanted to tighten up the firewall and such before I did and then will run shields up again after I do to see if there is a difference. With it still hooked up to my DSL connection with the hardware firewall set on Maximum Security (High) Steve Gibson's ShieldsUp 'All Service Ports' option shows all ports stealth except for port 20 (ftp-data), port 21 (ftp), and port 500 (isakmp) all three showing closed instead of stealth.
ComboFix /Uninstall did not work, it gives me an error message that it cannot find ComboFix, it is still on the machine or at least the shortcut and application file icons are, I don't remember what it was like to open the program, whether it just took off running ... you and they emphasized that this program should not be run unless instructed to do so. So I didn't try to open it.
I did run both operations on OTL and they were both successful in completing.

As I stated above, I plan to run ShieldsUp again after switching over to the Air Card to see if it makes a difference. I expect it will, and I was hoping I could stay in contact with you until I am certain that the computer is as secure as I can get it. I overlooked the part of your message where you told me to send you a report on what ports were not stealthed in the All Service Ports option and had been trying to figure this out for myself by looking at what was offered on Steve Gibson's site; most of what I found on there was for older operating systems, I didn't find much pertaining to Vista or Win7, so I sure was pleased as I was re-reading your message and saw where you said to notify you of what the port scan revealed.

Again I truly wish to thank you for your time, expertise, and effort you have put into this, I am so pleased by everything I have experienced here.

#21
Terry Noble
    Member
  • Topic Starter
  • 15 posts
I have been reading all the help sources you placed in the last message. Wow, lots of really good articles and advice; I have installed the recommended programs too and have been looking them over, especially WinPatrol, and I also installed the MVPS Hosts File. I was then looking at the slow computer links and was reading about having a hosts file and disabling the DNS Client Service. This computer is stand alone in its normal operation and I was wondering if this might help secure it as well by not broadcasting as much information about itself on the internet. I must admit I have been reading so much that I am getting a bit bleary eyed and probably my brain is getting a bit mushy as well, but anyway I was wondering if you would recommend disabling the DNS Client Service or not. The computer, by the way, is not slow; it performs very well.

By the way I forgot to mention in my last reply how much I appreciated all the links and advice you put in your last message, Wow good stuff and lots of it, I will be trying to digest all of this for a while. I hope your day is profitable, productive, and tremendously blessed.

#22
Dakeyras
    Anti-Malware Mammoth
  • Expert
  • 9,770 posts
Hi. :)

I apologise for the delay, I have been experiencing intermittent ISP problems...

all ports stealth except for port 20 (ftp-data), port 21 (ftp), and port 500 (isakmp) all three showing closed instead of stealth.

If they are closed then that is not a problem, as they are de facto inactive.

ComboFix /Uninstall did not work, it gives me an error message that it cannot find ComboFix, it is still on the machine or at least the shortcut and application file icons are

Is the executable for ComboFix still on the desktop? It should be according to the prior log created:-

Running from: c:\users\owner\Desktop\ComboFix.exe

In the event it is not, re-download the executable to the desktop and run through the uninstallation procedure again.

#23
Dakeyras
    Anti-Malware Mammoth
  • Expert
  • 9,770 posts
Everything OK, do you still require further assistance? :)

#24
Terry Noble
    Member
  • Topic Starter
  • 15 posts
Hello Dakeyras,
Sorry for the delay in responding; I wanted to give the situation a little time to resurface if it was going to, but it has been running for three nights on the Verizon 4G Air Card without any return of erratic behaviors. I do still wish I could put my finger on exactly how the hacker was getting in, just for edification's sake and to be able to safeguard other computers from such an attack. Referring back to previous messages from you and some of the actions we took to combat this, we disabled or removed some tasks from the "Customer Experience Enhancement HP":

C:\windows\Tasks\HPCeeScheduleForOWNER-HP$.job & C:\windows\Tasks\HPCeeScheduleForowner.job

I will try to research this and see if I can come to a better understanding of what this is and what it does and the possibilities of how it can be breached/safeguarded.

But besides all that, Thank you, Thank you, Thank you, for sticking to the end of this dilemma I was in, you have been a great redeemer of the situation and deserve great accommodation for your expertise and your dedication to the challenge as well as your compassion and patience with detailing the procedures in a manner that was easy to understand and follow. You have been a great friend throughout this ordeal to me and I greatly appreciate it. May your days be many on the face of the earth and be blessed with all the best spiritual blessings and all manners of comfort and peace. I hope to interact with you again soon.

Terry Noble

#25
Dakeyras
    Anti-Malware Mammoth
  • Expert
  • 9,770 posts
Not a problem at all and you're most welcome. Thank you for the kind words also, most appreciated! :)

#26
Dakeyras
    Anti-Malware Mammoth
  • Expert
  • 9,770 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.