Author Topic: Should TCP Viewer show my system BLOWING UP? Malware, Spyware & Hijacked, OH MY!  (Read 40676 times)


Offline JohnVanDaal

  • Newbie
  • *
  • Join Date: Nov 2014
  • Posts: 22
  • Karma: 0
Hello,

I'm not quite sure what to do here, I've been hit with so many things that my head is kind of spinning. This is all very new to me though I'm trying to learn how to deal with it as fast as I can. I've already gotten rid of a few malware/virus problems, which may or may not be completely gone, and may or may not be returned to me anyway due to what looks like a whole lot of hijacking of my equipment and resources (flurries of TCP traffic coming and going, 100% CPU at times, changes to & destruction of OS settings and files, etc). I'm pretty new to the Networking scene and only know some of the basics of Windows, but that is changing - too slowly unfortunately, for the moment at least.


I'm running Windows 8.1 on an HP 15 laptop and can supply any info and logs that you might need to help, which would be very appreciated since I'm kind of overwhelmed here. I did read the little sticky; that you run your own shop, have a family, and still volunteer your time is commendable indeed, and I appreciate that your time is limited.

Having said that, I'm not sure what type of log would be best to post initially. I may have missed it, but if I come across information related to that before receiving a reply I will do whatever is needed and then post it up.

Thanks in advance.


Offline jraju

  • Hero Member
  • *****
  • Join Date: Feb 2013
  • Posts: 2323
  • Location: india
  • Karma: 17
Hi,
It seems the problem is from a recent download. If this is a problem you face only now, the best way to get your sleep back is to do a System Restore.
Go to Start Menu, All Programs, Accessories and, in the System Tools menu, click System Restore and then choose a previous restore point from when you did not have this problem. It will not do any harm to the files you have saved, but the problem will be solved. This is the simple method.
If you cannot do the System Restore, or if there are no restore points available, then it is certain that some third-party programs have done this and you have to go to other alternatives. First try this simple trick, if the problem is of recent origin.
The Bottom line is "Check your hardware first if it supports the task you try".

Offline JohnVanDaal
Hi jraju, thanks for replying.

Actually, most of my original restore points were deleted somehow  :teeth:  though I was able to do a system "Refresh" a few days ago back to the earliest point that I thought was OK, which has definitely helped quite a bit, but there are only restore points for the past 3 days available to me.

The truth is I really don't download very much, but when I do it's just videos from YouTube and the occasional PDF about WW2 or something else I'm researching or simply interested in. I don't use any other social sites (if YouTube even qualifies as one) and I don't visit anything even close to porn sites or use any kind of gaming software. On top of that, beginner though I am, I use URL scanners, check my files before opening them, keep virus/security software running at all times, use SmartScreen, medium-high web settings, etc.

The problem I'm seeing is that someone simply seems to know how to get into the network and at the very least put something on my system, and that what's being done is being done to perpetuate the use of my things while giving very little reason for detection, as everything it does appears to work on the sly, little by little, you know, and only when I begin trying to gain back control over my computer's settings and functions, and then to get rid of the stuff, does it really begin to get aggressive. There seems to be a bit of intelligence behind what is going on. So my other concern is based on the fact that even though I may at some point become "clear" as far as what's on the system goes, I will still be vulnerable to people gaining access.

In any case, I've downloaded numerous tools over the last few weeks from websites I've come to trust for the most part, and that have been mentioned here in a positive light, so I have some logs; perhaps they will help to figure this out.

In the meantime I'm looking for a good beginner's but comprehensive tutorial or manual on shoring up one's PC for use on a public network. Where I live there are about 150 units, maybe 500 people altogether, who use the same access point to connect up, not the best for staying secure, but for now it's all I've got. The problem may be just that: that it's public and up for grabs by those in the know about computers and networking who have no scruples.

I know for a fact my stuff has been used for nefarious purposes by someone other than myself, because I was told that my IP was blocked for being a "known spammer", and that just isn't me at all. I have the feeling other people in my complex may be dealing with similar problems, possibly stemming from the same origins, but I am not sure. After finding out that I have been fixing my PC and beginning to study things related to what's been happening, several of my neighbors here in the complex who are even more "beginner" than I am have approached me asking for help and advice about problems they're having with their own PCs as well (luckily I was actually able to help the first one because it wasn't very complicated, and I'll be trying to help another one tonight; the other one's is too complex, similar to the problems I'm having, so I have to pass at this point in time). They seem to be similar in nature, but I can't say for sure yet; it just wouldn't surprise me that criminals would take advantage of circumstances such as those we have with a public access point.



Now, as far as logs and reports go, I'm not sure what's best to post, so here are a few choice reports (almost all the tools were downloaded AFTER the problems returned, and yes, I've been a bit scan-happy; maybe jraju is right, so I am going to get a little sleep for now  :sleep: ) that may be good to work with, at least for starters.

Thanks guys.

« Last Edit: November 30, 2014, 08:31:36 am by JohnVanDaal »

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
Do you still have the problems when you boot into Safe Mode with Networking http://www.7tutorials.com/5-ways-boot-safe-mode-windows-8-windows-81 or in a clean boot http://support.microsoft.com/kb/929135 ?

It's quite possible that one or more of the security programs you have installed is causing a conflict and producing the side-by-side error, although that post-dates your problems.

There are quite a number of programs listed in those logs which I'm not familiar with, but Process Explorer will show if any are a threat.

http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

Once you have Process Explorer running, click on Options and ensure Verify Signature is checked, then hover over VirusTotal.com and check its box.

When it refreshes, look for any programs/processes listed with a red, high-ish value out of ~50.

Let us know if you have any of those, as some can be legit.

Given the scanners you have used, it's doubtful there is any infection left on your system, but give AdwCleaner a run (although I didn't spot any malicious toolbars and the like).

http://www.bleepingcomputer.com/download/adwcleaner/

Click on Scan and when that has completed it may list some items in the lower window that you can uncheck to keep.

Click on Report and it will show you what it has found and will delete. If there are items in there you also wish to keep alongside what look like undesirables, then close the Report and you can either click on Clean, in which case you would need to reinstall the items you would prefer to keep, or you can click on Uninstall and leave whatever it has found on your computer.

It will produce another report after the reboot if you click on Clean.

I'd also like you to reset the Hosts file, in case anything the scanners removed corrupted that file. http://support.microsoft.com/kb/972034#LetMeFixItMyselfAlways

Also, to check that none of your system files are corrupt, open a Command Prompt as an administrator http://www.howtogeek.com/194041/how-to-open-the-command-prompt-as-administrator-in-windows-8.1/ and enter sfc /scannow, and let us know what it reports.

The ipconfig /all from MiniToolBox is showing different subnet masks for your wireless adapter and the TAP-Windows Adapter V9 - is the latter the AP?
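The Process Explorer step above (Verify Signature plus a VirusTotal hash lookup) can also be done from an elevated PowerShell prompt on Windows 8.1. The script below is an added example, not something posted in this thread or part of Process Explorer: it lists every running process whose image file is not validly Authenticode-signed, together with a SHA256 hash you can paste into the VirusTotal search box. The function name Get-UnsignedProcessReport is my own choice.

```powershell
# Added example (not from the thread): list running processes whose image is not
# validly signed, with a SHA256 hash that can be looked up on VirusTotal by hand.
# Run from an elevated PowerShell prompt (Windows 8.1 / PowerShell 4 or later).
# Processes whose image path cannot be read are reported rather than silently skipped.

function Get-UnsignedProcessReport {
    $seen = @{}
    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.Path } catch { }
        if (-not $path) {
            # Path is unavailable for System, Idle, protected processes and
            # (from 32-bit PowerShell) 64-bit processes; note it and move on.
            [pscustomobject]@{
                Name = $p.Name; Pid = $p.Id; Path = '<no access>'
                Status = 'Unknown'; Signer = ''; SHA256 = ''
            }
            continue
        }
        if ($seen.ContainsKey($path)) { continue }   # one row per image file
        $seen[$path] = $true

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -eq 'Valid') { continue }   # signed and the chain checks out: skip

        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash

        [pscustomobject]@{
            Name   = $p.Name
            Pid    = $p.Id
            Path   = $path
            Status = $sig.Status      # NotSigned, HashMismatch, NotTrusted, UnknownError ...
            Signer = $signer
            SHA256 = $hash
        }
    }
}

Get-UnsignedProcessReport | Sort-Object Status, Name | Format-Table -AutoSize
```

Two caveats a practitioner would keep in mind: a HashMismatch on a file that should be signed (a Microsoft binary, for instance) is far more interesting than an unsigned third-party tool, and a Valid signature only tells you who signed the file, not that it is harmless. As Boggin says, low single-digit VirusTotal counts on known tools are usually noise.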

Offline JohnVanDaal
I don't know whether to laugh or cry; I had to prove I wasn't a robot spamming the site before I could post this reply.

Hmm.


Yes, that's possible. I was actually pondering switching over to Trend Micro's AV/AM and security software when I was doing the latest scans, but just decided to leave whatever was running the way that it was out of plain old exasperation. Originally I was only running McAfee LiveSafe and its accoutrements, and during this last fiasco, when the computer shut down and the settings began changing again (when I rebooted and signed back in the firewall was turned off and stayed off for quite some time, neither Windows Defender nor McAfee would take up the job, SmartScreen was on the fritz, etc.), all I had for a browser was iexplorer, which has since disappeared from Start and the Taskbar and kept switching me to a proxy when I don't use a proxy (the AP has HTTPS sign-in with password as proxy). But now I'm wondering if iexplorer.exe being reported as having an 'Image Hijack' by the Autoruns viewer actually stemmed from it being linked to both the classic view and the Win 8.1 view, and therefore its deletion was in fact the deletion of its image connected up to more than one region in the OS?? (I apologize for not knowing all the proper terminology yet, but I'm sure you know what I'm getting at.) So your thoughts about that are in the ballpark, with at least some of what's been going on likely being due to conflicts of one kind or another from the beginning.


*As for running Process Explorer, I didn't start up every program that I have while it was on, but I did power up a bunch of non-Microsoft progs/apps. Ironically, after connecting up with VirusTotal the first one to catch my attention was Process Explorer itself with 1/55, and Screencast-O-Matic 1/55 as well.


VirusTotal has "procexp.exe" listed as 1/55 - Antiy-AVL = Trojan[:HEUR]/Win32.AGeneric

And screencast-o-matic.exe listed as 1/55 - Bkav = W32.Clod98d.Trojan.5ae1



These are probably the two programs that are the least of my worries. I haven't researched what these companies have said for their reasons yet, since I'm trying to get this info back to you as quickly as I can, but I'm guessing these classifications are due to their particular rating standards / PUPs?

I've only switched SoM on recently just to test it, but if I remember correctly it basically hijacks the Java app when it's in use and combined can cause freezing, so that's a possible complaint factor, but I've never had any problems with it other than occasional short-term freezing that I know of.


* OK, after running AdwCleaner at the end here I find it listed by VirusTotal as 2/55 - Jiangmin = TrojanDropper.FrauDrop.uic

&  TrendMicroHouseCall = Suspicious_GEN.F47V1124,

(VirusTotal's "Relationships" tab mentions the AdwCleaner file being sent to them in a bundle itself, so that may be why; not sure yet.)



*Created the HOSTS file, everything seemed to work out ok.


*AdwCleaner only shows two folders associated with Browser Guard. I'll just leave them be for now, though I may get rid of the whole thing later depending on which AV/AM/security brand I end up going with. I actually do want to have a singular and harmonious interaction of all the apps; it's just that I've been in emergency mode and a bit of trial-and-error mode lately  :thinking:  :wink:



*Ran sfc /scannow; it created the CBS.log file which I'm attaching. It said there are some problems.


Also, when I open the Windows\Logs\CBS folder to get to it, every other file in that folder is called "CbsPersist_...***..." with date numbers etc. after the _, the only difference being variations of the date numbers/etc.

There are 5 of these "CbsPersist" files; only the recently accessed/modified one is in blue in the directory, and so is the CBS.log file just accessed by running the command to scan.



That most recently accessed/modified "CbsPersist" file in blue is listed as



CbsPersist_20141130120102

Text Document (.log)

Location   C:\Windows\Logs\CBS

Size   88.2 MB (92,504,506 bytes)

Size on Disk   22.2 MB (23,367,680 bytes)

Created   Wednesday, ‎April ‎2, ‎2014, ‏‎2:49:52 AM   (at least it's not dated from 1869 like the WSCMD.dll "Wondershare" linked/hijacked file had been before the Refresh, and Wondershare had come straight from their professional site!)

Modified   ‎Today, ‎November ‎30, ‎2014, ‏‎10 hours ago



The other 4 "CbsPersist_...###..." files are between 2.24 and 3.6 MB.




The subnet mask for the TAP-Windows Adapter V9 is the VPN.

Offline JohnVanDaal
You said you didn't recognize some of the apps/programs, so I came back to mention that I renamed a couple of the tools' folders so they wouldn't get deleted, but they're basically similar to the original names. I also remembered something else that might possibly factor into some of this.

The VPN I'm using is CyberGhost and it has features to protect the IP and also to protect from website tracking, including masking the OS and browser type/model.

The only thing is, for some reason it's not letting me pull up the UI right now, so I'm unable to copy exactly what the features are, and VPN is pretty new to me, like everything else actually. I know I don't have the OS/browser hide checked, but I'm sure I have the tracking-protect features checked. I'll try to get to the UI as soon as possible if you think it's a need-to-know type thing.

Offline Boggin
Can you open the admin cmd prompt again and either enter or copy & paste -

findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log\ >"%userprofile%\Desktop\sfcdetails.txt" and that will output to your desktop just the files it has scanned, as the CBS log is quite large when it details all of its operations.

While this tutorial for sfc /scannow is given for Win 7 and pre-dates Win 8, it is still good to use. http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

You can also use these DISM commands in Win 8.1 http://technet.microsoft.com/en-gb/library/hh824869.aspx and use the Refresh option method of recovery should sfc /scannow or the CheckHealth cmds find anything that requires attention.

The Refresh option in Win 8.1 is pretty much like a Repair Install in Win 7, where it just repairs the OS without wiping everything else out.

You could use Win 8.1's Windows Defender supplemented with Avast Free, as the latter doesn't have its own firewall and will run with any other active AV program because of that - but if you decide to go that route, check that WD is turned on.

The 1/50 VirusTotal.com hits are nothing to worry about, and it probably snagged AdwCleaner because of its intrusive capabilities.

Instead of Browser Guard, try HitmanPro.Alert, which I know doesn't cause a conflict - I'm running that with Norton 360 in Win 7 x64 HP.

http://www.surfright.nl/en/cryptoguard

I Googled the McAfee LiveSafe and SafeKey, but it's up to you if you want to keep them - I don't think they would cause any conflicts, but I don't like any toolbars on my laptop, least of all anything from McAfee.

I think MBAM Anti-Exploit should be okay - I just have the free version of MBAM installed.

To eliminate any possible security program conflicts, it's probably best to go back to basics for the purpose of troubleshooting, and then you can decide what you want to add/change later.
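The findstr one-liner above pulls the System File Checker's [SR] lines out of CBS.log. The PowerShell below is an added example, not posted in this thread, that does the same filtering and then tallies the result so you can see at a glance which files SFC repaired and which it could not. The sample log text is constructed to show the shape of the entries, not copied from John's log, and the function name Get-SfcSummary is my own; point it at C:\Windows\Logs\CBS\CBS.log to run it for real.

```powershell
# Added example (not from the thread): reduce a CBS.log to the System File Checker
# ([SR]) entries, write them to sfcdetails.txt like the findstr one-liner does, and
# tally repaired vs. unrepairable files. Works in Windows PowerShell 4 (Win 8.1).

function Get-SfcSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # Pass an empty string to skip writing the details file.
        [string]$OutFile = "$env:USERPROFILE\Desktop\sfcdetails.txt"
    )
    $sr = @($Lines | Where-Object { $_ -match '\[SR\]' })
    if ($OutFile) { $sr | Set-Content -LiteralPath $OutFile }

    $cannot = @($sr | ForEach-Object {
        if ($_ -match '\[SR\] Cannot repair member file .*?"([^"]+)"') { $Matches[1] }
    } | Sort-Object -Unique)

    $repaired = @($sr | ForEach-Object {
        if ($_ -match '\[SR\] Repairing corrupted file .*?"([^"]+)"') { $Matches[1] }
    } | Sort-Object -Unique)

    [pscustomobject]@{
        SrLines        = $sr.Count
        VerifyComplete = [bool]($sr -match '\[SR\] Verify complete')
        Repaired       = $repaired
        CannotRepair   = $cannot        # these are the files still needing attention
    }
}

# Constructed sample in the general shape of CBS.log entries (not a real log).
$sample = @'
2014-11-30 12:01:02, Info   CSI    00000001 [SR] Verifying 100 components
2014-11-30 12:01:03, Info   CSI    00000002 [SR] Beginning Verify and Repair transaction
2014-11-30 12:01:04, Info   CSI    00000003 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component
2014-11-30 12:01:05, Info   CSI    00000004 [SR] Repairing corrupted file [l:20{10}]"\??\C:\Windows\System32\other.dll"
2014-11-30 12:01:06, Info   CSI    00000005 unrelated CBS servicing noise that findstr would drop
2014-11-30 12:01:07, Info   CSI    00000006 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component
2014-11-30 12:01:08, Info   CSI    00000007 [SR] Verify complete
'@ -split "`r?`n"

Get-SfcSummary -Lines $sample -OutFile ''

# Against the real log (elevated prompt):
# Get-SfcSummary -Lines (Get-Content -LiteralPath "$env:windir\Logs\CBS\CBS.log") | Format-List
```

Note that the path is passed without a trailing backslash; that stray `\` on the end of CBS.log is exactly what makes findstr report "Cannot open", so when copying a command from a forum post, check the path character by character before blaming the file.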


Offline JohnVanDaal
Thanks for the links. Not only are computers speaking a different language, they're in a totally different dimension, but with the right information it's not so bad.


As of right now I'm getting this with the admin Cmd Prompt:

FINDSTR:  Cannot open C:\Windows\Logs\CBS\Cbs.log\


The file is still there, I checked. Is there a different route to take on this one? I tried using GMP for higher elevation, but no deal.


Offline JohnVanDaal
It looks like something was getting lost in translation; I copied the text from the http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html page and it worked just fine.



[Edit: Here is the above text copied and pasted  findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log\ >"%userprofile%\Desktop\sfcdetails.txt"
and here is the text directly from the website      findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"
See it?]



Here it goes:
« Last Edit: November 30, 2014, 08:36:04 pm by JohnVanDaal »

Offline jraju
Hi, since you mentioned that SR points were lost, I think that some PUP or rootkit has messed things up. I think that you have done all the tests, and the results show needed but not known details to locate the exact problem.
I do not mean that you got this virus or rootkit from suspicious sites, but nowadays everything is bundled into genuine downloads.
There is a way to limit the sfcdetails.txt to only the problematic area, which is given in the sevenforums links. If I remember, I will enclose the link. SFC only scans system integrity files and copies the missing essential files from the storage on the installation drive the computer has. I think that your problem needs Shane's deep look into the logs.
Applying many tools in my case got some of my system files deleted, which had to be replaced. I would therefore request you to send the problematic log files from sfcdetails.txt and await Shane's advice.
The Bottom line is "Check your hardware first if it supports the task you try".

Offline Boggin
Sorry for the typo.

Did you run the DISM /Online /Cleanup-Image /CheckHealth command to see what that reported? While I don't have Win 8.1 to see exactly how that cmd reports, I assume it would be similar to running chkdsk in Win 7 etc. without any parameters: when it finds something amiss, it would recommend either the /f or the /r switch.

Depending upon what /CheckHealth reports, using the /RestoreHealth switch can fix the Component Store and then redo the sfc /scannow cmd to see if it still reports corruption.

Offline jraju
Hi Boggin,
Even when I checked with sfc there were some files which could not be repaired. If those files are pictures, videos and unwanted files, they can be left as they are. But if they are important for the system, then they have to be copied from the installation DVD with the 7-Zip utility as per the sevenforums tutorials.
Hi John,
Please see the useful tips in the main forum of this site. I have given all the useful links to sevenforums. Please see the article/link on how to copy files from the installation DVD.
The Bottom line is "Check your hardware first if it supports the task you try".

Offline Boggin
John is using Win 8.1 - see opening post.

Offline jraju
Hi Boggin, tips for Vista work for my Win 7. Is there any different pattern in Win 8?
The Bottom line is "Check your hardware first if it supports the task you try".

Offline Boggin
Hi Boggin, tips for Vista work for my Win 7. Is there any different pattern in Win 8?

Win 8/8.1 are different beasts altogether.

The Refresh option does almost the equivalent of a Win 7 repair install and will only ask for recovery/install media if it finds missing files - so it's done that way.

http://windows.microsoft.com/en-GB/windows-8/restore-refresh-reset-pc

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
Sorry for the late post; holiday weekend and I just got back in my office :-)

How are the number of network connections and the CPU doing now after those scans?

My new toolbox has a netstat viewer in it that can show all the connections on the system and which processes are making them. If you still have a lot of them I can grab the beta I am getting ready and have you use it to copy the netstat list so I can see what is making all the connections.

Shane
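Until a netstat viewer with process attribution is to hand, the same connection-to-process mapping can be produced on Windows 8.1 with Get-NetTCPConnection and Get-Process. The script below is an added example, not Shane's toolbox and not posted in this thread; the function name Get-ConnectionReport and the loopback/unspecified address filter are my own choices. Run it from an elevated prompt so that process image paths are readable.

```powershell
# Added example (not from the thread): map every non-listening TCP connection to
# its owning process, then count connections per process so a chatty one stands out.
# Requires Windows 8 / Server 2012 or later for Get-NetTCPConnection (NetTCPIP module).

function Get-ConnectionReport {
    # Snapshot the process table once; joining by PID inside the loop is then cheap.
    $procs = @{}
    foreach ($p in Get-Process) { $procs[$p.Id] = $p }

    $skip = @('0.0.0.0', '::', '127.0.0.1', '::1')   # listeners and loopback are not "traffic"
    Get-NetTCPConnection |
        Where-Object { $_.State -ne 'Listen' -and $_.RemoteAddress -notin $skip } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            $name = '<exited/unknown>'
            $path = ''
            if ($p) {
                $name = $p.Name
                try { $path = $p.Path } catch { }    # protected processes refuse the query
            }
            [pscustomobject]@{
                Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                State   = $_.State
                Pid     = $_.OwningProcess
                Process = $name
                Path    = $path
            }
        }
}

$report = Get-ConnectionReport
$report | Sort-Object Process, Remote | Format-Table -AutoSize

# Per-process totals: a process you don't recognise with dozens of remote peers is
# the one to look up (hash it with Get-FileHash and check VirusTotal by hand).
$report | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

With a VPN client such as CyberGhost in place, expect most of the browser's connections to show up as going to the VPN endpoint rather than to the sites themselves; a process other than the VPN client or the browser opening many outbound connections is the pattern worth chasing.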

Offline JohnVanDaal
Not sure if that went through; I'm not seeing the post.

Well, if this is redundant I apologize, but I just wrote that I am going over all the new replies to make sure I've followed everything, and thanks for all the helpful feedback.


Offline JohnVanDaal
Hello jraju.

Hi, since you mentioned that SR points were lost, I think that some PUP or rootkit has messed things up. I think that you have done all the tests, and the results show needed but not known details to locate the exact problem.
I do not mean that you got this virus or rootkit from suspicious sites, but nowadays everything is bundled into genuine downloads.
There is a way to limit the sfcdetails.txt to only the problematic area, which is given in the sevenforums links. If I remember, I will enclose the link. SFC only scans system integrity files and copies the missing essential files from the storage on the installation drive the computer has. I think that your problem needs Shane's deep look into the logs.
Applying many tools in my case got some of my system files deleted, which had to be replaced. I would therefore request you to send the problematic log files from sfcdetails.txt and await Shane's advice.


Sure, I know what you're saying about the bundles and everything. I didn't take offense, but just wanted to highlight the fact that I was doing everything I could from day 1 to be safe and secure. No problems  :wink:

 
In fact some problems exist with files and programs in a brand new Windows OS all by itself, a reality I'm starting to understand more and more every day, but I'm sure you guys, knowing what you know, are very much aware of this reality.


I'm not sure if you saw, but I did finally get the sfc text file, which I attached after originally attaching the larger file; there was a typo of some sort but I figured it out.

Or was the second attachment not the correct one?

Thanks.

Offline JohnVanDaal
Hi Boggin, thanks for all your help so far.

I'm just going to copy/paste the quotes I want to reply to, since I'm not familiar with the board.

I realize everyone is volunteering their time to help here so I'd like to take up as little of it as possible, but believe me I am grateful for it.



"You could use Win 8.1's Windows Defender supplemented with Avast Free, as the latter doesn't have its own firewall and will run with any other active AV program because of that - but if you decide to go that route, check that WD is turned on."



If you're aware of a certain combination of AV/anti-spyware/firewall/security etc. that works and you're pretty confident about it, then I'm all ears (eyes really, I guess). I'd rather use as much of Windows' integrated features as possible, as long as they are truly effective and make things run smoother, while adding as little as possible. As long as the job gets done the right way I'll be perfectly content.

McAfee LiveSafe is insanely bulky, but it comes off in the literature as if you're really going to be taken care of, all bases covered and so on  :undecided:  so I wasn't too keen on ditching the whole thing right away, but now .   .   .   .   .



"The 1/50 VirusTotal.com hits are nothing to worry about, and it probably snagged AdwCleaner because of its intrusive capabilities."



Right, no, I understand that it's usually nothing at all to be concerned with when seeing a 1/**. I tend to be thorough, sometimes overly thorough; I've found it usually helps more than it hurts ~ usually  :undecided: 

Also, I've learned from my own experience that it can be useful to throw in a minor little detail here and there for others down the road who may be dealing with similar issues and looking through the forums for answers. It IS kind of freaky when you're having problems you don't understand and McAfee popups keep telling you that it has found "ARTEMIS/****....."!! :evil:  numerous times.

I read over some topics about why some companies/groups classify certain files in certain ways, like the Google add-on options and so forth; unfortunately McAfee classifies so many things as "ARTEMIS/*****.....". It just takes time getting to know these things.





"Instead of Browser Guard, try HitmanPro.Alert, which I know doesn't cause a conflict - I'm running that with Norton 360 in Win 7 x64 HP.

http://www.surfright.nl/en/cryptoguard

I Googled the McAfee LiveSafe and SafeKey, but it's up to you if you want to keep them - I don't think they would cause any conflicts, but I don't like any toolbars on my laptop, least of all anything from McAfee."




Will try HitmanPro.Alert, thanks for the tip.

I'd also like to have as little add-on bulk as possible myself. I've had this sucker about 2 weeks now, and prior to last month I'd really never delved into any of the technical issues of computing/networking, as I'm sure everyone can see.

That's all changed now.




"I think MBAM Anti-Exploit should be okay - I just have the free version of MBAM installed.

To eliminate any possible security program conflicts, it's probably best to go back to basics for the purpose of troubleshooting, and then you can decide what you want to add/change later."


Gotcha.


I like the way everything is gone over in detail at sevenforums; I'll definitely be putting in some mileage reading over there.

One thing I've noticed is there are often 2, 3, sometimes 5 or 6 DIFFERENT places one has to look to find the right information/instructions/help topics when dealing with these Windows functions, applications, settings, etc.; sometimes it takes quite a bit of hunting just to get the very basics. It takes a lot of time and trial and error to finally run across everything that needs to be known, I guess.


« Last Edit: December 02, 2014, 02:25:19 am by JohnVanDaal »

Offline jraju
Hi, Thanks for the information
The Bottom line is "Check your hardware first if it supports the task you try".

Offline JohnVanDaal
Sorry for the typo.

Did you run the DISM /Online /Cleanup-Image /CheckHealth command to see what that reported? While I don't have Win 8.1 to see exactly how that cmd reports, I assume it would be similar to running chkdsk in Win 7 etc. without any parameters: when it finds something amiss, it would recommend either the /f or the /r switch.

Depending upon what /CheckHealth reports, using the /RestoreHealth switch can fix the Component Store and then redo the sfc /scannow cmd to see if it still reports corruption.

Please, no worries about the typo, stuff happens    :smiley:


Yes, I ran the scan:


C:\WINDOWS\system32>Dism /Online /Cleanup-Image /ScanHealth

Deployment Image Servicing and Management tool
Version: 6.3.9600.17031

Image Version: 6.3.9600.17031

[==========================100.0%==========================]
The component store is repairable.
The operation completed successfully.



I'm not sure what to do now, so I wanted to check. I'm reading through the site you linked me to right now.



Also had a question: are all of the files showing up as corrupt in this report video/display related??

There has been an AMD video-related download that the HP Helper/Assistant has had problems with, but the alert for it has disappeared, and when I run the Video/Display Troubleshooter it doesn't go past the first screen where it asks which option to troubleshoot, so I'm not sure what's going on with it. I'm trying to figure that out right now too.

I went to the HP site several times before, trying to get whatever download was being suggested straightened out, but kept being sent to the same pages that didn't do anything to help; I just got the Assistant running again and encountered the same problem.

Besides it looking like it can be fixed anyway, is this possibly related - older files that need to be switched out by an HP download?




*(Just an FYI, due to my particular circumstances my hours are a bit different than most. 3 pm to me is like most people's 7 or 8 am; that's about the time I get up, my "morning" if you will. So when 16 hours goes by and 7 or 8 am rolls around, usually it's "nighty night" time for me. I realized my response time frame might seem strange without knowing about that, so that's why I bring it up.)


EDIT: This is the last RogueKiller scan I've done, today in the wee morning hours, my yesterday; I haven't done any since. The first 4 I believe are just from setting HijackThis to monitor on startup, but the rest appear problematic.

After I hit Delete, one deleted, one said error (2), and the others said "replaced ()".



Below is what Emsisoft keeps snagging.


Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS    detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS    detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS    detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN    detected: Setting.NoRun (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN    detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN    detected: Setting.NoRun (A)



« Last Edit: December 01, 2014, 10:07:37 pm by JohnVanDaal »
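Every Emsisoft hit above is a policy value, not a file: NoFolderOptions and NoRun live under Policies\Explorer, DisableTaskMgr and DisableRegistryTools under Policies\System, and a non-zero DWORD turns the restriction on. HKU\.DEFAULT and HKU\S-1-5-18 are the same LocalSystem profile hive, which is why each detection appears twice under HKEY_USERS. The script below is an added example, not from this thread and not part of Emsisoft's or Shane's tools; it assumes an elevated PowerShell prompt on Windows 8.1, and adds HKCU to the list because the logged-on user's hive is the one that actually hides Folder Options and Task Manager from that user.

```powershell
# Added example, not part of the thread: audit and clear the policy restrictions Emsisoft
# flagged. Run from an elevated PowerShell prompt (Windows 8.1 assumed).
# HKU\.DEFAULT and HKU\S-1-5-18 are the same LocalSystem profile hive; HKCU is included
# because that is the hive that restricts the interactive user.

$hives = @(
    'Registry::HKEY_LOCAL_MACHINE',
    'Registry::HKEY_USERS\.DEFAULT',
    'Registry::HKEY_USERS\S-1-5-18',
    'Registry::HKEY_CURRENT_USER'
)

# Value name -> the Policies subkey it belongs under. A non-zero DWORD turns the restriction on.
$restrictions = @{
    'NoFolderOptions'      = 'Explorer'
    'NoRun'                = 'Explorer'
    'DisableTaskMgr'       = 'System'
    'DisableRegistryTools' = 'System'
}

function Get-PolicyRestriction {
    # Reports every restriction value that exists; with -Remove, deletes the enabled ones.
    param([switch]$Remove)
    foreach ($hive in $hives) {
        foreach ($name in $restrictions.Keys) {
            $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\$($restrictions[$name])"
            if (-not (Test-Path -Path $key)) { continue }
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }
            $value   = [int]$item.$name
            $enabled = ($value -ne 0)
            $action  = 'reported'
            if ($Remove -and $enabled) {
                Remove-ItemProperty -Path $key -Name $name
                $action = 'removed'
            }
            [pscustomobject]@{ Key = $key; Name = $name; Value = $value; Enabled = $enabled; Action = $action }
        }
    }
}

# First just look ...
Get-PolicyRestriction | Format-Table -AutoSize
# ... then clear them. Re-run the report a few minutes later and again after the next
# reboot: if the values come back, something still running is re-applying them, and the
# "no access after restart" problem will recur until that process is found.
Get-PolicyRestriction -Remove | Format-Table -AutoSize
```

The point of running the report twice is the caveat a scanner log does not show: a scanner that deletes the values every hour is treating the symptom, and a value that reappears between runs is the evidence that the thing writing it is still alive.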

Offline JohnVanDaal

  • Newbie
  • Join Date: Nov 2014
  • Posts: 22
  • Karma: 0
Sorry for the late post, holiday weekend and I just got back in my office :-)

How are the amount of network connections and cpu doing now after those scans?

My new toolbox has a netstat viewer in it that can show all the connections on the system and what process is making them. If you still have a lot of them, I can grab the beta I am getting ready and have you use it to copy the netstat list so I can see what is making all the connections.

Shane


Completely understandable, but thanks! I'm just grateful for help being available like this. My apologies for getting back so late in the day but as I mentioned in my last post I have different hours than normal these days, we're in my "early morning" at the moment   :tongue:


Network connections appear OK and I've been monitoring the ports now and then, and I think (emphasis on "think") pretty much everything can be accounted for at this point, at least it seems that way while I am monitoring.

Though it really does look like someone or something is changing settings for Iexplorer and other functions, and setting registry files to disable key functions; I see some "NORUNS" and "DISABLE" this or that keep popping up. I still have a few things to catch up on from what Boggin has brought to my attention, so I'll know a little more in a short while, but not being sure about those commands the Emsisoft software and RogueKiller keep snagging makes me hesitant to do a Windows Restart, even though it might deal with other issues that may have been fixed now, since that is when the worst problems have arisen in the past - I have to restart for whatever reason, then suddenly I have no access to this and that, usually the network and most or all security functions.

As for your Toolkit, sure, I'll try just about anything you've got. I've been looking at your main website too, top notch my friend, the Simple Internet Meter kicks you know what!!

One thing I'd like to know, if possible: are there certain settings I'm able to check before doing a restart to be basically sure I won't be screwed upon Windows re-opening? Task Scheduler and Autoruns come to mind, but are there certain special or hidden things to look out for?



Good for you that you had a nice Holiday weekend, and thanks for the reply.
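Shane's netstat viewer maps each connection to the process that owns it; the same thing can be done without any extra tool on Windows 8.1, where Get-NetTCPConnection exposes the owning PID. The script below is an added example, not from this thread and not Shane's toolbox code; it assumes an elevated prompt (needed to read the image path of SYSTEM-owned processes) and writes the list to a text file on the desktop so it can be pasted into a reply.

```powershell
# Added example, not part of the thread: map every TCP connection and listener to its owning
# process, image path and Authenticode signature status. Windows 8/8.1 or later (for
# Get-NetTCPConnection) and an elevated prompt are assumed.

function Get-ConnectionOwner {
    param([string[]]$State = @('Established', 'Listen', 'SynSent'))

    # Snapshot processes once so the join is cheap; connections may outlive their owner.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue | ForEach-Object {
        $p        = $procs[[int]$_.OwningProcess]
        $procName = '<exited>'
        $path     = $null
        $sig      = 'n/a'
        if ($p) {
            $procName = $p.ProcessName
            $path     = $p.Path            # $null for protected processes when not elevated
        }
        if ($path) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
        [pscustomobject]@{
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            State     = $_.State
            PID       = $_.OwningProcess
            Process   = $procName
            Path      = $path
            Signature = $sig
        }
    }
}

# Summary first: which binaries hold the most connections? One unsigned or oddly located
# executable with dozens of remote endpoints is the thing to look at before anything else.
Get-ConnectionOwner | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full list, saved so it can be pasted into the thread.
Get-ConnectionOwner | Sort-Object PID | Format-Table -AutoSize | Out-String -Width 200 |
    Set-Content -Path "$env:USERPROFILE\Desktop\netstat-owners.txt"
```

Run it a few times a minute apart during one of the "flurries": the connection list changes constantly, but the Path column for whatever is driving the flurry does not, and that path (or a Signature of anything other than Valid for a Microsoft-named process) is what is worth reporting.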


Offline Boggin

  • Global Moderator
  • Hero Member
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
Stop HJT from running at start and do a scan with the free version of MBAM to see if that finds anything.

Uncheck the box to decline the offer to run a trial of the Premium version if offered. https://www.malwarebytes.org/downloads/

Norton has its own generic names for when it finds something with similar heuristics to other infections, so a Google helps but it can also be a false positive.

The DISM /CheckHealth and /ScanHealth commands don't repair anything and are basically read-only.

Run Dism /Online /Cleanup-Image /RestoreHealth followed by another sfc /scannow to see if that still reports it is unable to repair some files.

If it still reports that it is unable to repair some files, then you're probably looking at the Refresh recovery option. http://windows.microsoft.com/en-GB/windows-8/restore-refresh-reset-pc

This will remove any 3rd party programs you have installed so you will need to decide which of those security programs you want to reinstall.
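The "unable to repair some files" line from sfc is only a summary; the names of the files it gave up on are in CBS.log, tagged [SR]. The script below is an added example, not from this thread, that runs the two commands above in order and then pulls only the "Cannot repair member file" entries written since the scan started, so earlier scans do not muddy the result. It assumes an elevated prompt on Windows 8.1 and the standard CBS.log location and timestamp format.

```powershell
# Added example, not part of the thread: run DISM RestoreHealth followed by sfc /scannow,
# then list what SFC still could not repair by reading CBS.log. Elevated prompt assumed;
# both steps take a while.

function Invoke-ComponentRepair {
    & Dism.exe /Online /Cleanup-Image /RestoreHealth
    $dismExit = $LASTEXITCODE
    & sfc.exe /scannow
    $sfcExit = $LASTEXITCODE
    [pscustomobject]@{ DismExitCode = $dismExit; SfcExitCode = $sfcExit }
}

function Get-UnrepairedFile {
    # SFC writes its findings to CBS.log with an [SR] tag; "Cannot repair member file"
    # lines name the files it gave up on. Only entries at or after -Since are returned.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $log = "$env:windir\Logs\CBS\CBS.log"
    Select-String -Path $log -Pattern '\[SR\] Cannot repair member file' |
        ForEach-Object {
            # CBS.log lines start with a timestamp such as "2014-12-02 06:55:07, Info"
            if ($_.Line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
                $ts = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
                if ($ts -ge $Since) { $_.Line }
            }
        } | Select-Object -Unique
}

$started = Get-Date
Invoke-ComponentRepair
$bad = @(Get-UnrepairedFile -Since $started)
if ($bad.Count -eq 0) {
    'SFC reported nothing it could not repair.'
} else {
    "SFC could not repair $($bad.Count) entries:"
    $bad
}
```

If the list is non-empty after RestoreHealth has run, the file names tell you whether the damage is in Windows itself (which is the Refresh case) or in something like a driver package an HP download could replace, which is a cheaper fix to try first.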

Offline JohnVanDaal

  • Newbie
  • Join Date: Nov 2014
  • Posts: 22
  • Karma: 0
Stop HJT from running at start and do a scan with the free version of MBAM to see if that finds anything.

Uncheck the box to decline the offer to run a trial of the Premium version if offered. https://www.malwarebytes.org/downloads/

Norton has its own generic names for when it finds something with similar heuristics to other infections, so a Google helps but it can also be a false positive.


Hello Boggin.

I'll switch over to the MBAM asap.

I made use of Shane's Toolbox for a couple things, "Reset Policies Created By Infections", "Unhide Non-system Files", and did the system Restart to see if any of the bad juju had been flushed out by all that's been done and to refresh some things. Interestingly some aspects seem to be working that weren't doing so great, while others still are not working, and some fresh puzzles have popped up.


Should I have two instances of explorer.exe running?

One of them:

Path = C:\Windows\explorer.exe
Command Line = explorer.exe
Current Directory = C:\Windows\System32\
Parent = winlogon.exe(768)

The other instance is listed as "Suspended" in the Auto Viewer:

Path = C:\Windows\explorer.exe
Command Line = C:\WINDOWS\Explorer.EXE
Current Directory = C:\Windows\System32\
Parent = <Non-existent Process>(3008)

Autostart Location for both is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.

Funny thing is the C:\Windows\explorer.exe file is there where it says it is, but there's no file showing up in System32 as "Explorer.exe", so I'm guessing it's just hidden, but I haven't investigated that part yet. It says the C:\Windows\Explorer.exe instance was created 12/1/2014, so I'm thinking it's from Shane's Toolbox giving me access to some of my real files?

What's going on here?

 :shocked:




On top of that, and you may find this interesting considering your affinity for all things McAfee   :tongue:

After restarting Windows, numerous regular processes were being questioned by McAfee regarding the Firewall regulations. That in itself is a mystery to me: they were coming up listed as having been Allowed before, but said that they had "Changed" and therefore wanted my permission. This included explorer.exe. This could be good or bad, I don't know, but again it seems to be from using the Toolbox, because NUMEROUS files were showing up as having been brought out of hiding before the computer restarted. I'm just not sure where a list would be yet - I thought a report/log would pop up after the restart but didn't see one yet, I'll have to dig around.

Since it was new to me I popped open the Snipping Tool to get a little screen shot for good measure, but when I X'ed out the .PNG the McAfee Alert was already gone, so I can't be sure what McAfee chose to do. I don't know its default action for that; I can't seem to learn fast enough to catch up with everything, though I am definitely trying.

Is it possible McAfee froze Explorer.exe but, being essential, a "temporary" somehow came up in its place?? Or did McAfee "accidentally" halt





The DISM /CheckHealth and /ScanHealth commands don't repair anything and are basically read-only.

Run Dism /Online /Cleanup-Image /RestoreHealth followed by another sfc /scannow to see if that still reports it is unable to repair some files.

If it still reports that it is unable to repair some files, then you're probably looking at the Refresh recovery option. http://windows.microsoft.com/en-GB/windows-8/restore-refresh-reset-pc

This will remove any 3rd party programs you have installed so you will need to decide which of those security programs you want to reinstall.


Gotcha, Dism /Online /Cleanup-Image /RestoreHealth is running right now, I'll run the second command as soon as it's finished.

Let's just hope it doesn't come to needing a Refresh.

Thanks again.
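Two facts help read the explorer.exe listing in the post above: a process's current directory is where it was started from, not where its image lives, so there is no Explorer.exe to find in System32, and the logon shell's parent normally shows as non-existent because userinit.exe exits after starting it. What is worth checking is whether the Winlogon Shell and Userinit values still hold their defaults and whether both running instances are the same signed binary. The script below is an added example, not from this thread and not Shane's or Autoruns' code; the "expected" values are the Windows 8.1 defaults as assumed here, and an elevated prompt is assumed.

```powershell
# Added example, not part of the thread: verify the Winlogon shell persistence points and
# list every explorer.exe instance with its parent and signature, so a second shell can
# be explained rather than guessed at. Expected values are assumed Windows 8.1 defaults.

$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = 'explorer.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expected = "$env:windir\system32\userinit.exe," },
    # A per-user Shell override is not present on a clean system, so Expected is $null here.
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = $null }
)

function Test-WinlogonShell {
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Key      = $c.Key
            Name     = $c.Name
            Actual   = $actual
            Expected = $c.Expected
            Ok       = ($actual -eq $c.Expected)   # -eq is case-insensitive for strings
        }
    }
}

function Get-ExplorerInstance {
    # Win32_Process exposes ParentProcessId; Get-Process does not. A parent that no longer
    # exists is normal for the logon shell because userinit.exe exits after launching it.
    $all  = Get-WmiObject -Class Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in ($all | Where-Object { $_.Name -ieq 'explorer.exe' })) {
        $parent     = $byId[[int]$p.ParentProcessId]
        $parentName = '<non-existent>'
        if ($parent) { $parentName = $parent.Name }
        $sig = 'n/a'
        if ($p.ExecutablePath) { $sig = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status }
        [pscustomobject]@{
            PID         = $p.ProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Started     = $p.ConvertToDateTime($p.CreationDate)
            ParentPID   = $p.ParentProcessId
            Parent      = $parentName
            Signature   = $sig
        }
    }
}

Test-WinlogonShell   | Format-Table -AutoSize
Get-ExplorerInstance | Format-Table -AutoSize
```

If every Ok column is True and both instances report the same C:\Windows\explorer.exe path with a Valid signature, the second instance is a duplicate shell launch rather than a substituted binary; a Shell value that names anything other than explorer.exe, or an instance whose Path is not under C:\Windows, is the thing to report back here.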

Offline Boggin

  • Global Moderator
  • Hero Member
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
You'll need to wait for Shane to get back to you on any side effects after running WR as it seems to run okay on some systems but produces side effects on others.

If you have any Network problems after a reboot or otherwise, open the admin command prompt and enter -

netsh winsock reset
netsh int ip reset
ipconfig /release
ipconfig /renew
exit

Then reboot, but let us know if any of the commands fail - the release and renew commands will report that neither can be done for the Ethernet if you aren't wired to the router.

Edit - I find it's better to save a snip with a .jpg extender as they expand better when posted in a forum.
« Last Edit: December 02, 2014, 06:55:07 am by Boggin »