TRO/ROOT KIT?



#166
RKinner
    Malware Expert
  • Expert
  • 19,788 posts
  • MVP
The first time you close Word after renaming all of the normal.dot and .dotx files and making the changes, you tell it Yes. After that you tell it No unless you have just made a change to how you want all docs to look.

Normally there is no need for macros to be on in Word, so it should not complain. Very doubtful that the macro is really from MS unless you are using a different template from the default. What version of Word are we talking about here?

#167
DAV2
    Member
  • Topic Starter
  • Member
  • 140 posts
Ron, it is strictly the default everything and fully updated. Genuine Microsoft Office XP Small Business Version 2002. I clicked on Yes to close after I made the change to the global template. When I opened it, I got a box that gave me a choice to disable macros. Clicking on "DISABLE" made the connection from Word to 23.3.68.113, and when I said No to that and hit Disable for the macros again, Word tried to connect to 23.3.68.114. I was wondering if that is normal for Win, since Netframework tries to connect to 23.3.68.144. All these connections go back to Cambridge (Akamai). Doesn't everybody's Netframework and Word connect to Akamai like this, and if not, what is the best way to deal with it?

#168
RKinner
    Malware Expert
  • Expert
  • 19,788 posts
  • MVP
I really do not know why it should be talking to Akamai. I found this while looking for info on your Akamai connection.

http://pastebin.com/3GAjYHFR

I can't verify all of the info on the page so it may be somebody's idea of a joke.

Another site told me this:

http://www.robtex.co...et/23.3.68.html

Akamai is just a hosting service, so it's difficult to say what is really there.

I assume Netframework is .NET, and I don't know why it would be talking to anybody.

#169
DAV2
    Member
  • Topic Starter
  • Member
  • 140 posts
Ron, thanks for the info. I know that Win has had a slew of security/problem updates for .NET: a big one right after the release of 7.1 and then the latest yesterday, 2-15-12. They constantly redo .NET in an effort to get it to work, but even now, after their complete redo of .NET yesterday, .NET makes connections to Akamai all by itself. What do you think I should do about it?
The computer scans free and I have no idea why it connects to Akamai at the .NET level. I can block the Word info transfers (I would not want "Homeland Security" reading all my personal Word documents; I thought that was still illegal in the U.S.A.), but how do you deal with the .NET connections?

Edited by DAV2, 16 February 2012 - 07:07 AM.


#170
RKinner
    Malware Expert
  • Expert
  • 19,788 posts
  • MVP
Like I say, I am not convinced that the tsa.gov site info is authentic. When I do nslookup on the URLs I get different addresses, but I am on the west coast. Open a command prompt and type:

nslookup

.net is a programming language so it's possible there is something running to tell it to do so. You don't really need it for most things so you could disable it.
http://www.tomshardw...-beta,7208.html

If you run Process Explorer you might be able to see what is going on. Another possibility is Process Monitor. Wireshark is also a possibility. It would be interesting to see exactly what it is saying to Akamai.


Get Autoruns from
http://live.sysinter...om/autoruns.exe

Download, save and run the program by right-clicking and choosing Run As Admin. File, Save, to your desktop, autoruns.arn, OK.

Either zip up the file if you have the ability (7-zip works nicely) or just rename it from autoruns.arn to autoruns.txt then ATTACH it. Do not copy and paste.
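An added example, not posted by anyone in this thread: the command-line version of what Process Explorer's TCP/IP tab shows, for readers who want to answer "which process is talking to 23.3.68.x" without a GUI. The script parses `netstat -ano` output, keeps only connections into one IPv4 /24 (23.3.68.0/24, the range DAV2 reports), maps each PID to its process and reverse-resolves the remote address. The netstat lines embedded in it are constructed, not captured from DAV2's machine, so the parser can be checked offline; set `$Live = $true` to run it against the real netstat output. Process names, paths and the sample PIDs are therefore assumptions for illustration.

```powershell
# Added example, not from the original thread: the command-line version of what
# Process Explorer's TCP/IP tab shows. Parse "netstat -ano", keep connections into
# a given IPv4 /24 (23.3.68.0/24 is the range named in the thread), map the PID to
# a process and reverse-resolve the remote address.
$Prefix = '23.3.68'   # first three octets of the range to look for
$Live   = $false      # $true: parse real netstat output; $false: use the sample below

# Constructed sample of "netstat -ano" output (not a real capture) so the parser
# can be checked offline. The PIDs here will not exist on your machine.
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49311     23.3.68.113:443        ESTABLISHED     3104
  TCP    192.168.1.10:49312     23.3.68.114:443        TIME_WAIT       0
  TCP    192.168.1.10:49330     65.55.57.27:443        ESTABLISHED     1820
  UDP    0.0.0.0:5355           *:*                                    1088
'@ -split "`r?`n"

function ConvertFrom-Netstat {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # TCP rows carry a State column, UDP rows do not, hence the optional group.
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') {
            [pscustomobject]@{
                Proto    = $Matches[1]
                Local    = $Matches[2]
                RemoteIP = $Matches[3] -replace ':\d+$', ''   # strip the port; IPv6 stays as [addr]
                State    = $Matches[4]
                PID      = [int]$Matches[5]
            }
        }
    }
}

function Get-ConnectionOwner {
    param([string[]]$Lines, [string]$IpPrefix)
    ConvertFrom-Netstat -Lines $Lines |
        Where-Object { $_.RemoteIP -like "$IpPrefix.*" } |
        ForEach-Object {
            # PID 0 means no owning process (e.g. a socket lingering in TIME_WAIT).
            $proc = $null
            if ($_.PID -ne 0) { $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue }
            $name = '<none>'; $path = $null
            if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }   # Path may need elevation

            # PTR records for CDN ranges usually name the CDN, not the customer site:
            # an Akamai address resolves to something under akamaitechnologies.com,
            # which tells you "Akamai" but not which service is hosted there.
            try   { $ptr = [System.Net.Dns]::GetHostEntry($_.RemoteIP).HostName }
            catch { $ptr = '<no PTR>' }

            [pscustomobject]@{
                Process = $name
                PID     = $_.PID
                Path    = $path
                Remote  = $_.RemoteIP
                State   = $_.State
                PTR     = $ptr
            }
        }
}

$lines = if ($Live) { netstat -ano } else { $sample }
Get-ConnectionOwner -Lines $lines -IpPrefix $Prefix | Format-Table -AutoSize
```

Run it in the same minute Word is started, because the connections DAV2 describes are short-lived; a row whose Process column is WINWORD settles the "is it Word or something injected elsewhere" question, and a row owned by a process you cannot name is the one to chase in Process Explorer or Autoruns. The PTR column will only ever say "Akamai"; which Microsoft service sits behind that address has to come from the DNS or TLS side of a packet capture.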

#171
DAV2
    Member
  • Topic Starter
  • Member
  • 140 posts
Ron, I did the Wireshark, but I am no computer expert. Yes, it connects to the net when I start Word. It gives a lot of info and Akamai is in it, along with encryptions and handshakes. What it says, I do not know. Here is a sample:

Attached thumbnail: wireaka.PNG


#172
RKinner
    Malware Expert
  • Expert
  • 19,788 posts
  • MVP
That just seems to be connection info. Can you get any of the data that it sends?
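An added example, not posted by anyone in this thread, on RKinner's question about getting at "the data that it sends": the TLS payload in DAV2's capture is encrypted, so the content cannot be read, but two things in the same capture are plaintext and identify the service behind a CDN address: the DNS lookup that produced the address, and the server name (SNI) in the TLS ClientHello. The script below pulls those out of a saved capture with tshark, the command-line half of Wireshark. The install path, the capture file name, and the field-name prefix are assumptions; Wireshark 3.0 and later call the protocol `tls`, earlier versions call it `ssl`, and tshark before 1.10 used `-R` instead of `-Y` for the display filter.

```powershell
# Added example, not from the original thread: pull the plaintext parts out of a
# saved Wireshark capture. The TLS payload is encrypted, so you cannot read what
# Word sends, but the DNS query that produced the address and the SNI hostname in
# the TLS ClientHello are sent in the clear and name the service behind the CDN.
$tshark = 'C:\Program Files\Wireshark\tshark.exe'          # assumed install path
$pcap   = "$env:USERPROFILE\Desktop\word-start.pcapng"     # assumed capture file
$prefix = '23.3.68.0/24'                                   # range named in the thread
$tls    = 'tls'   # Wireshark 3.0+; use 'ssl' on 1.x/2.x (same fields, older prefix)

function Invoke-Tshark {
    param([string]$Filter, [string[]]$Fields)
    # -Y is the display filter on tshark 1.10+; older 1.x used -R for the same thing.
    $cmdArgs = @('-r', $pcap, '-Y', $Filter, '-T', 'fields', '-E', 'header=y', '-E', 'separator=|')
    foreach ($f in $Fields) { $cmdArgs += @('-e', $f) }
    & $tshark @cmdArgs
}

# 1. DNS answers that returned an address in the range. A CDN-hosted name
#    normally resolves through a CNAME chain (customer name -> CDN name -> A),
#    so the dns.qry.name column is the hostname the application actually asked for.
"== DNS answers into $prefix =="
Invoke-Tshark -Filter "dns.flags.response == 1 && dns.a == $prefix" `
              -Fields 'frame.time_relative','dns.qry.name','dns.cname','dns.a'

# 2. TLS ClientHellos to the range. The server_name extension (SNI) is the
#    hostname the client is connecting to. tcp.srcport is the local port, which
#    cross-references with the PID column of "netstat -ano" taken at the same time.
"== TLS ClientHello to $prefix (SNI) =="
Invoke-Tshark -Filter "ip.dst == $prefix && $tls.handshake.type == 1" `
              -Fields 'frame.time_relative','tcp.srcport','ip.dst','tcp.dstport',"$tls.handshake.extensions_server_name"

# 3. Anything to the range that is neither TLS nor HTTP. Legitimate CDN traffic
#    from Office and .NET is one of those two; anything else deserves a closer look.
"== Other traffic to $prefix =="
Invoke-Tshark -Filter "ip.dst == $prefix && !($tls) && !http" `
              -Fields 'frame.time_relative','ip.dst','tcp.dstport','udp.dstport','frame.protocols'
```

If the first two listings show a Microsoft-owned hostname (update, activation or crash-reporting services are what Office and the .NET runtime normally reach over a CDN), the Akamai address is explained and the question becomes only whether you want that traffic. If the third listing is not empty, or the SNI is a name you cannot account for, that is the part of the capture worth posting.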

#173
DAV2
    Member
  • Topic Starter
  • Member
  • 140 posts
Well, spring is in the air and it reminds me of one of my first spring breaks. There she was, pure poetry in motion, clad only in the smallest white string bikini I had ever seen. The most beautiful Miss 19 that I had ever seen. I stared spellbound as she spoke her first words to me. "Do you have any of that funny weed?" Now I must have been the most naive man on the planet. Never in the many years of high school had I ever had a conversation with student or faculty that contained the phrase "funny weed". Yes, even though only the outer reaches of her areolas and pubic hair were covered, she knew she was legal and in those days it was all real. What you saw is what you got. I was seduced.
Now it truly was a marriage made in heaven. I could never have gotten through college with a 4.0 without her feminine help. I do not know if it was the sex, the pot or the all-night sex on pot, but it worked. She was the perfect-fitting love machine with the body sculpted by God, and she meant to show me that she knew how to use it.
How things have changed. Now what you see, you never get. Not made by God at all, but by man. Teeth, nose, T and A, all fake. Now even man made Crack and Speed are used to seduce, but not for mutual benefit, but for systematic destruction.
Where am I going with this? EULA. Yes, I have been seduced again. Two intelligences came together (MS and me) and viewed the same situation (the use of my computer), but had two entirely different takes and it definitely was not mutually beneficial. EULA is entirely man made and it seduces just like the other man made seductresses mentioned above, but I already said how I think about that.
Yes, I actually read the EULA that I have to sign in order to use my computer, but EULA gives the use of my computer to someone else, to use how they please and that isn't what I had in mind.
Now is the computer "clean"? Well, I guess that is in the eye of the beholder. MS says it is completely clean and certifies it so, but it is designed through the operating system to do the bidding of MS. Yes, the computer takes a long time to open a Word document. Why? Because it first must send hundreds of lines of code to unknown others before I can proceed. For my benefit? I do not think so. And to think I was seduced into OK'ing the EULA, thinking I was actually getting the exclusive use of my computer to be used how I intended it to be used.
Ron, thanks for all your expert help in getting an ignorant wretch like me enlightened in how computers work and thanks Miss 19 for the nirvana that got me through college and able to actually see how things like the market work. Now I do have to get back there with my "clean" computers to play the money making games of the real productive use of a computer today and maybe find a few like minded buddies in the process. Thanks again Ron and in the future, I hope you still have the patience to put up with my stupid questions.

#174
RKinner
    Malware Expert
  • Expert
  • 19,788 posts
  • MVP
You might want to try OpenOffice. It's a free knockoff of Office 2003, so it should be close to what you have now. It would be interesting to see if it wants to talk to Akamai too.

http://www.openoffice.org/

Their version of Word is called Writer. It will happily open and edit most any Word document. It's what I use and it does not talk to Akamai.

#175
DAV2
    Member
  • Topic Starter
  • Member
  • 140 posts
Ron, thanks as usual. I will try the OO as you suggested. I will try to give you any feedback. For now I noticed that the hidden drivers that do not show up in "Sigverif" or in any computer search, and are errored in "Events" and shown as working just fine in "Show all hidden drivers", have "Siblings", whatever those are. The siblings are "Isatap" and "Teredo"; I think they have something to do with network connectivity. (Apparently they are not seen by Combofix either, so I think they may fall into the same class as "Autorun (without S).inf", which is also invisible.) I noticed something also very strange to me. If I block all the "digitally signed by MS" macros in Word, then all connectivity to the net is blocked. I have to reboot and establish connectivity before I block all those "digitally signed" macros in order to connect.

Edited by DAV2, 18 February 2012 - 11:47 AM.



#176
RKinner
    Malware Expert
  • Expert
  • 19,788 posts
  • MVP
"Isatap" and "Teredo" are just IP version 6 stuff and can be ignored, or you can turn it off:
http://support.microsoft.com/kb/929852

It's been a long time since I worked on Word but if you open up Word after renaming or deleting normal.dot you can do Tools, Macro, and then click Macros.
Click Organizer. (I think that's how you get to it.)

You can use the Organizer to pull up that word doc that had the macros. It will show you the macros and should allow you to delete them. You can also use it to pull up the anormal.dot and normal.dot and see what is there. normal.dot should not have any macros if it's freshly created.
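An added example, not posted by anyone in this thread: the netsh commands that show and switch off the IPv6 transition adapters RKinner names, as an alternative to the registry edit in the KB article. They need an elevated prompt. Teredo is worth singling out for this thread: a Teredo client qualifies itself by contacting a Microsoft Teredo server over UDP port 3544 on its own, with no application asking, which is one legitimate source of "the machine connects by itself" traffic. The interface names are the real netsh contexts; nothing else here is assumed.

```powershell
# Added example, not from the original thread: show the state of the IPv6
# transition tunnels, disable them, and verify. Run from an ELEVATED PowerShell
# or cmd prompt (the commands are plain netsh and work from either).
$tunnels = 'teredo', 'isatap', '6to4'

# Before: Teredo normally reports "qualified" or "dormant" when a server is
# reachable; ISATAP and 6to4 report "default" (enabled when a router is found).
foreach ($name in $tunnels) {
    "== $name (before) =="
    netsh interface $name show state
}

# Turn the tunnels off. This only stops IPv6-over-IPv4 tunnelling; native IPv6
# on the LAN adapter keeps working, so nothing else should break.
foreach ($name in $tunnels) {
    netsh interface $name set state disabled
}

# After: each context should now report "disabled", and the Teredo/ISATAP
# pseudo-interfaces in ipconfig should show "Media disconnected" with no
# addresses. If Teredo comes back "qualified" later, something re-enabled it.
foreach ($name in $tunnels) {
    "== $name (after) =="
    netsh interface $name show state
}
ipconfig /all | Select-String -Pattern 'Tunnel adapter', 'Media State'
```

The check worth repeating is the "after" block a day later: Windows services and some VPN clients re-enable Teredo, and a driver that "keeps coming back" is far more often one of these than a rootkit.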

#177
DAV2
    Member
  • Topic Starter
  • Member
  • 140 posts
Thanks Ron. I organized Word macros, but it does not list any. I have to disable at least 5 "digitally signed by MS" macros to use Word. If I say to allow only digitally signed "MS" macros then I get access to Word, but still no macros show up. (Who can fake digitally signed MS macros besides the CIA, Israeli intelligence, the Chinese military or the Russian mafia? I do not run in those circles, so it must be MS.)

#178
RKinner
    Malware Expert
  • Expert
  • 19,788 posts
  • MVP
Not sure where the MS macros are coming from. (Do they have names?) Good reason to try Open Office.

#179
DAV2
    Member
  • Topic Starter
  • Member
  • 140 posts
Thanks Ron. I agree on using OO, but I still think all the "digitally signed by MS" macros are of, by and for MS's unwanted and unneeded use of my computer as per the EULA (I already said what I think of the EULA), and there is very little I can do about it but not use any MS product at all. Just to prove this I will reload Win from scratch with holographic disks only and test for the hidden macros. What is the best way to prepare the disk? I usually kill the disk, repartition and reformat. Can I just repartition and reformat, then reload Win from holographic disks (including holographic Word), and be "clean"? (Always disconnected from the internet.)
What I am more concerned about are the drivers that eventually stop loading as per "Event errors", yet are installed and working just fine as per "Hidden" drivers and not findable on the disk, just like Win hides "Autorun (without S).inf", and Win making a shortcut to a shortcut and misplacing it when I do a screen shot with the snipping tool. (I have been told that that is simply how Win is designed as per the EULA and that I must simply live with it, because MS has no intention of changing its deliberately designed malfunction for their purposes of Win use, and I was told that by an MS technician while he saw this while connected real time to my computer.)

Edited by DAV2, 19 February 2012 - 09:11 AM.


#180
RKinner
    Malware Expert
  • Expert
  • 19,788 posts
  • MVP
On your Hiren's disk you have several tools for cleaning a drive.

You could use MbrWizard's wipe command to remove the mbr and partitions then you wouldn't need to do anything else. It would look like a blank drive to an install DVD.

I expect gparted could do the same.
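An added example, not posted by anyone in this thread: the Windows-native equivalent of the MbrWizard wipe RKinner describes, using diskpart, for readers who do not have the Hiren's disk to hand. It is destructive by design. The disk number is an assumption and must be confirmed from the `list disk` output; the temp-file names are mine. `clean` alone does what RKinner describes (zero the MBR and partition table, so the installer sees a blank drive); `clean all` additionally zeroes every sector, which matters for a "is it really clean" reinstall because the MBR bootkits of the period (the TDL4 family is the well-known example) kept their payload in unpartitioned space past the last partition, which `clean` does not touch.

```powershell
# Added example, not from the original thread: wipe a disk's partition table (and
# optionally every sector) with diskpart, the Windows-native equivalent of
# MbrWizard's wipe. Run from an ELEVATED prompt, ideally the install DVD's
# command prompt (Shift+F10 at the first setup screen) so nothing on the disk
# is in use. DESTRUCTIVE: everything on the selected disk is lost.
$diskNumber = 0   # assumed; confirm against the 'list disk' output before continuing

# Step 1: list disks. Numbers shift when USB media is plugged in, so match the
# Size column against the drive you intend to wipe, not the number you remember.
$listScript = Join-Path $env:TEMP 'diskpart-list.txt'
'list disk' | Set-Content -Path $listScript
diskpart /s $listScript

$answer = Read-Host "Wipe ALL sectors of disk $diskNumber? Type WIPE to continue"
if ($answer -cne 'WIPE') { 'Aborted, nothing written.'; return }

# Step 2: 'clean' zeroes only the MBR/GPT and partition information and is enough
# for the installer to treat the disk as blank. 'clean all' zeroes every sector,
# which is slow (hours on a large drive) but also removes anything stored in
# unpartitioned space past the last partition, where MBR bootkits hid their data.
$wipeScript = Join-Path $env:TEMP 'diskpart-wipe.txt'
@"
select disk $diskNumber
clean all
list disk
exit
"@ | Set-Content -Path $wipeScript
diskpart /s $wipeScript

# Step 3: the final 'list disk' should show the disk with 0 B used and no
# partitions; 'list partition' after 'select disk' would return nothing.
```

Reinstalling from the original media onto a `clean all` disk, with the network cable out until the first update round, is the one way to settle the "hidden driver" question: anything that reappears afterwards came with the media or the updates, not from the old install.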
