Computer hacked



#181
janji

janji

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 210 posts

No, not yet. I'm waiting for your reply; it's asking me to check the file so that it can clean it up. I suppose the program then asks me to do a reboot.


  • 0



#182
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP

Temp files can always be removed so go ahead and let them kill it.


  • 0

#183
janji

janji

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 210 posts

I checked to remove it and it gave me a warning that this might harm my computer, but did it anyway, since you said it was safe, and it rebooted. Now there is supposed to be a window with the results but there isn't. Shall I run the scan again to see if it got removed? No problem.

CaptureRootkitCleanUp.PNG


Edited by janji, 09 March 2015 - 06:03 PM.

  • 0

#184
janji

janji

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 210 posts

I just checked it with the command prompt and it has removed it.
 

%TEMP%\sarscan.log
%TEMP%\sarclean.log

 

Only this one I don't know how to open, notepad doesn't seem to be the right program for it.

%TEMP%\samples.sar


  • 0

#185
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP

I suspect %TEMP%\samples.sar is where it puts copies of stuff it removes.  Not something you need to look at.

 

How is it running now?  

 

Let's clear the alarms, reboot and run VEW again to see if we have broken anything:

Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next click on the arrow in front of Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso and save it to your Desktop:
2. Right-click VEW.exe and Run As Administrator
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.

Ron

  • 0

#186
janji

janji

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 210 posts

Computer is noisy a bit, especially when I go online

 

Here is the VEW system log:

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 10/03/2015 20:55:15

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 10/03/2015 19:51:14
Type: Error Category: 403
Event: 413 Source: Microsoft-Windows-TaskScheduler
Task Scheduler service failed to load tasks at service startup. Additional Data: Error Value: 2147942523.

Log: 'System' Date/Time: 10/03/2015 19:51:14
Type: Error Category: 403
Event: 413 Source: Microsoft-Windows-TaskScheduler
Task Scheduler service failed to load tasks at service startup. Additional Data: Error Value: 2147942523.

Log: 'System' Date/Time: 10/03/2015 19:51:14
Type: Error Category: 403
Event: 412 Source: Microsoft-Windows-TaskScheduler
Task Scheduler service failed to launch tasks triggered by computer startup. Additional Data: Error Value: 2147942523.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 10/03/2015 19:50:31
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.


Edited by janji, 10 March 2015 - 02:06 PM.

  • 0
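The VEW logs posted in this thread all share one record layout (Log/Date, Type/Category, Event/Source, then the message), and the Task Scheduler records carry an "Error Value" printed as an unsigned decimal. The script below is an added example, not code from the thread or from VEW itself: it parses that layout, counts events per source, and splits the decimal Error Value into the HRESULT fields. The sample log is constructed from the records posted above; everything else (function names, the facility check) is my own.

```python
"""Parse Vino's Event Viewer (VEW) text output and decode Task Scheduler 'Error Value's.

Added example for this thread, not VEW's own code. The record layout is taken
from the logs posted in the thread; SAMPLE_VEW_LOG is constructed from them.
"""
import re
from collections import Counter

# Constructed sample in VEW's output format (records copied from the thread).
SAMPLE_VEW_LOG = """\
Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 10/03/2015 20:55:15

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 10/03/2015 19:51:14
Type: Error Category: 403
Event: 413 Source: Microsoft-Windows-TaskScheduler
Task Scheduler service failed to load tasks at service startup. Additional Data: Error Value: 2147942523.

Log: 'System' Date/Time: 10/03/2015 19:51:14
Type: Error Category: 403
Event: 412 Source: Microsoft-Windows-TaskScheduler
Task Scheduler service failed to launch tasks triggered by computer startup. Additional Data: Error Value: 2147942523.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 10/03/2015 19:50:31
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
"""

# The three header lines every VEW record starts with.
HEADER_RE = re.compile(
    r"Log: '(?P<log>[^']+)' Date/Time: (?P<when>\S+ \S+)\n"
    r"Type: (?P<type>\w+) Category: (?P<category>\d+)\n"
    r"Event: (?P<event>\d+) Source: (?P<source>\S+)\n?"
)
ERROR_VALUE_RE = re.compile(r"Error Value: (\d+)")


def parse_vew(text):
    """Split VEW output into one dict per event record."""
    records = []
    for chunk in re.split(r"(?m)^(?=Log: ')", text):
        m = HEADER_RE.match(chunk)
        if not m:
            continue  # VEW banner or a ~~~ section divider, not a record
        body = []
        for line in chunk[m.end():].splitlines():
            if line.startswith("~~~"):
                break  # start of the next section, message is finished
            body.append(line)
        rec = m.groupdict()
        rec["category"] = int(rec["category"])
        rec["event"] = int(rec["event"])
        rec["message"] = "\n".join(body).strip()
        records.append(rec)
    return records


def decode_error_value(value):
    """Task Scheduler prints the HRESULT as unsigned decimal; split it into its fields.

    Facility 7 (FACILITY_WIN32) means the low 16 bits are a plain Win32 error code.
    """
    hresult = int(value) & 0xFFFFFFFF
    facility = (hresult >> 16) & 0x7FF
    return {
        "hresult": f"0x{hresult:08X}",
        "failed": bool(hresult & 0x80000000),
        "facility": facility,
        "win32_code": hresult & 0xFFFF if facility == 7 else None,
    }


def summarize(records):
    """Count records per (type, source) so the noisy sources stand out."""
    return Counter((r["type"], r["source"]) for r in records)


def task_scheduler_errors(records):
    """Decode every Error Value found in Task Scheduler records, keeping the event id."""
    out = []
    for r in records:
        if r["source"] != "Microsoft-Windows-TaskScheduler":
            continue
        for v in ERROR_VALUE_RE.findall(r["message"]):
            out.append((r["event"], decode_error_value(v)))
    return out


if __name__ == "__main__":
    recs = parse_vew(SAMPLE_VEW_LOG)
    for (kind, source), n in summarize(recs).items():
        print(f"{n:3d}  {kind:8s} {source}")
    for event, d in task_scheduler_errors(recs):
        print(f"event {event}: {d['hresult']} facility={d['facility']} win32={d['win32_code']}")
```

On the log above the Error Value 2147942523 decodes to HRESULT 0x8007007B, facility 7, Win32 code 123, which is ERROR_INVALID_NAME ("The filename, directory name, or volume label syntax is incorrect"). That is the kind of failure you get when the service cannot read one of the files under the task store, which is what the later posts in the thread track down folder by folder.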

#187
janji

janji

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 210 posts

VEW application log:

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 10/03/2015 21:00:57

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 10/03/2015 19:55:52
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <csc://{S-1-5-21-4165335087-975643669-458432890-1000}/> cannot be accessed.

Context:  Application, SystemIndex Catalog

Details:
    The object was not found.  (HRESULT : 0x80041201) (0x80041201)
 


  • 0

#188
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP

Event: 3036 Source: Microsoft-Windows-Search
The content source <csc://{S-1-5-21-4165335087-975643669-458432890-1000}/> cannot be accessed.

 

 

Do Step 2 of http://techtrix.hubp...-7-Search-Index

 

That should fix that error anyway.

 

We are still getting task scheduler errors.

 

I don't have any automatic way of fixing them. You just have to go into Task Scheduler and work through each entry to see which gives you an error. I have found it is wise to make a copy of the folder c:\windows\System32\Tasks to a different location. Then when you find a problem you can delete the file from c:\windows\System32\Tasks. It's possible to use the copied files to restore any Microsoft tasks that you have to remove. You go back into Task Scheduler to where the problem was and then Import Task, point it at the copy of the file (you will need to change XML to All Files) then point it at the file you just deleted and Open. This will reimport the task and hopefully it will be happy next time you go into it.

 

How is it running anyway?  Any problems that you notice?


  • 0

#189
janji

janji

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 210 posts

Hi Ron,

 

I've indexed the files and did a copy of the c:\windows\System32\Tasks to my desktop.
Opened this window but not sure what to do, the first one is Skype Set Up Light and the second one isn't specified.

Capture1.PNG


Edited by janji, 12 March 2015 - 04:56 PM.

  • 0

#190
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP

If you don't get an error when you click on Task Scheduler Library then you don't do anything. Instead click on the arrow in front of it to open it up and then on Microsoft then on its arrow and then on Windows then on its arrow and then go through and click on each folder and look for an error.

 

 
This is what it should look like clicking on the first Windows task folder without an error:

This is a typical error that I got when I selected the Autochk folder. If I click OK then there is nothing showing in the folder. So I go to C:\windows\system32\tasks\Microsoft\Windows\Autochk and delete the only file, which is called Proxy.

Now close Task Scheduler and open it again and go back to the Autochk folder and right click on it and Import Task and point it at my copy of Autochk. At first it looks like the folder is empty but I change the XML files (.xml) to All File (*.*) and suddenly it looks like:

I click on Proxy then Open and I get this:

Hit OK and the task has been restored.

Now back up one level and choose the next folder and see if it gets an error. (Each time it hits a bad folder, Task Scheduler will crash so you will need to restart it.)

 

 


  • 0
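The two posts above describe the procedure by hand: copy C:\Windows\System32\Tasks aside, then open every folder in Task Scheduler until one crashes, delete the offending file and re-import it from the copy. The script below is an added example, not the thread's or Microsoft's code, that does the first two parts from a script: it backs the store up and checks every file in the copy for the defects Task Scheduler cannot load (a body that is not well-formed XML, or a document whose root is not a Task element). The task XML namespace is the real one used by Task Scheduler; the miniature store it builds (including a truncated Autochk\Proxy like the one in the post) and the placeholder command path are constructed for the example.

```python
"""Back up the Task Scheduler store and flag task files that will not load.

Added example for this thread, not Microsoft's or the thread's own code.
Real task files live under C:\\Windows\\System32\\Tasks, usually as UTF-16
XML without a file extension; the sample store built here is constructed.
"""
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"  # Task Scheduler schema namespace

# Constructed minimal task document; the command path is a placeholder, not a real program.
GOOD_TASK = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\\Placeholder\\example.exe</Command></Exec></Actions>
</Task>
"""


def backup_tasks(src, dst):
    """Copy the whole task store aside first, so a bad task can be re-imported later."""
    return Path(shutil.copytree(src, dst, dirs_exist_ok=True))


def read_task_text(path):
    """Decode a task file: UTF-16 with BOM as Windows writes them, UTF-8 otherwise."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    # Drop the XML declaration; the text is already decoded so its encoding claim is moot.
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text)


def check_task_file(path):
    """Return None if the file is a well-formed Task document, otherwise a short reason."""
    try:
        root = ET.fromstring(read_task_text(path))
    except (ET.ParseError, UnicodeDecodeError) as exc:
        return f"unparsable: {exc}"
    if root.tag != f"{{{TASK_NS}}}Task":
        return f"root element is {root.tag!r}, not a Task"
    return None


def find_broken_tasks(store):
    """Walk a task store (live or backup) and list files Task Scheduler would reject."""
    store = Path(store)
    broken = []
    for path in sorted(p for p in store.rglob("*") if p.is_file()):
        reason = check_task_file(path)
        if reason:
            broken.append((path.relative_to(store).as_posix(), reason))
    return broken


def make_sample_store(base):
    """Build a constructed miniature of the Tasks tree: one good task, one truncated, one wrong root."""
    base = Path(base)
    autochk = base / "Microsoft" / "Windows" / "Autochk"
    autochk.mkdir(parents=True, exist_ok=True)
    (base / "GoodTask").write_bytes(GOOD_TASK.encode("utf-16"))
    # Cut the document in half: the Proxy file from the post, as a task the service cannot load.
    (autochk / "Proxy").write_bytes(GOOD_TASK[: len(GOOD_TASK) // 2].encode("utf-16"))
    (base / "NotATask").write_text('<?xml version="1.0"?><Settings/>', encoding="utf-8")
    return base


def triage_sample():
    """Run the whole procedure on the constructed store and return what was flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        store = make_sample_store(Path(tmp) / "Tasks")
        backup = backup_tasks(store, Path(tmp) / "Tasks-backup")
        return find_broken_tasks(backup)


if __name__ == "__main__":
    for rel, why in triage_sample():
        print(f"{rel}: {why}")
```

Running it against a copy of the real store instead of the sample is a matter of calling find_broken_tasks on the backup folder; each flagged relative path names the folder to open in Task Scheduler and the file to delete and re-import, which is exactly the loop the post walks through by hand. Files that pass this check can still be rejected by Task Scheduler for schema reasons this script does not model, so it narrows the search rather than replacing the manual pass.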



#191
janji

janji

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 210 posts

Hi Ron,

 

the program doesn't seem to work. I've worked through several folders following instructions, deleting the documents in the respective folders stored under tasks and pointing to import, then my desktop folder which holds the copies. I went up to CertificateServicesClient and checked back to the folders in the C drive that I had already done, and they were still empty.

I couldn't right click and import, that only worked with one file, but had to select import file in the Task Scheduler's window on the right side. Apparently it didn't work. I also get these error messages:

 

 

Capture.PNG

Capture1.PNG

 

Funny thing is that my mouse seems to be working better, I had trouble in controlling it and thought it was because it's an old dysfunctional one, I hadn't used it in a while.


Edited by janji, 13 March 2015 - 10:12 AM.

  • 0

#192
janji

janji

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 210 posts

VEW application log:

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 14/03/2015 02:01:07

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 14/03/2015 01:01:06
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <csc://{S-1-5-21-4165335087-975643669-458432890-1000}/> cannot be accessed.

Context:  Application, SystemIndex Catalog

Details:
    The object was not found.  (HRESULT : 0x80041201) (0x80041201)


Log: 'Application' Date/Time: 14/03/2015 00:39:35
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <csc://{S-1-5-21-4165335087-975643669-458432890-1000}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
    The object was not found.  (HRESULT : 0x80041201) (0x80041201)


Log: 'Application' Date/Time: 14/03/2015 00:39:27
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <csc://{S-1-5-21-4165335087-975643669-458432890-1000}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
    The object was not found.  (HRESULT : 0x80041201) (0x80041201)


Log: 'Application' Date/Time: 14/03/2015 00:39:27
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <iehistory://{S-1-5-18}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
    (HRESULT : 0x80004005) (0x80004005)


Log: 'Application' Date/Time: 14/03/2015 00:39:27
Type: Warning Category: 3
Event: 3036 Source: Microsoft-Windows-Search
The content source <iehistory://{S-1-5-18}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
    (HRESULT : 0x80004005) (0x80004005)


Log: 'Application' Date/Time: 14/03/2015 00:39:02
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: User Requested}.
 


  • 0

#193
janji

janji

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 210 posts

Does this help?

VEW system log:

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 14/03/2015 02:00:25

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 14/03/2015 00:57:23
Type: Error Category: 403
Event: 413 Source: Microsoft-Windows-TaskScheduler
Task Scheduler service failed to load tasks at service startup. Additional Data: Error Value: 2147942523.

Log: 'System' Date/Time: 14/03/2015 00:57:23
Type: Error Category: 403
Event: 413 Source: Microsoft-Windows-TaskScheduler
Task Scheduler service failed to load tasks at service startup. Additional Data: Error Value: 2147942523.

Log: 'System' Date/Time: 14/03/2015 00:57:23
Type: Error Category: 403
Event: 412 Source: Microsoft-Windows-TaskScheduler
Task Scheduler service failed to launch tasks triggered by computer startup. Additional Data: Error Value: 2147942523.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 14/03/2015 00:56:12
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.


Edited by janji, 13 March 2015 - 07:14 PM.

  • 0
