Topic: Should TCP Viewer show my system BLOWING UP? Malware, Spyware & Hijacked, OH MY!  (Read 40659 times)


JohnVanDaal (Newbie, joined Nov 2014, 22 posts, karma 0):
> You'll need to wait for Shane to get back to you on any side effects after running WR as it seems to run okay on some systems but produces side effects on others.
>
> If you have any Network problems after a reboot or otherwise, open the admin command prompt and enter -
>
>     netsh winsock reset
>     netsh int ip reset
>     ipconfig /release
>     ipconfig /renew
>     exit
>
> Then reboot, but let us know if any of the commands fail - the release and renew commands will report that neither can be done for the Ethernet if you aren't wired to the router.
>
> Edit - I find it's better to save a snip with a .jpg extender as they expand better when posted in a forum.


I'll look into the jpg extender, thanks.

It's not that I think the WR caused any problems, I'm leaning towards it having fixed what I wanted it to fix, or at least that it worked properly as it's supposed to regarding those things. I really do hope all these little quirks are just that, quirks, considering Win8.1 is still being worked out to a degree, and I guess there must be some residuals leftover from some junkware or whatever, we'll see.

I'll post up what I get from those runs asap - it's my "late evening" now but I'm thinking about making it another "long night" working on this madness.

Thanks Boggin.




« Last Edit: December 02, 2014, 07:10:30 am by JohnVanDaal »

Boggin (Global Moderator, Hero Member, UK, joined Jul 2014, 10182 posts, karma 122):
Being in the UK I'm 8hrs ahead of the forum's time stamp so it will be another 9hrs or so before I hit the sack - usually  :smiley:

Tom.

JohnVanDaal (Newbie, joined Nov 2014, 22 posts, karma 0):
> Being in the UK I'm 8hrs ahead of the forum's time stamp so it will be another 9hrs or so before I hit the sack - usually  :smiley:
>
> Tom.

Well Cheers then, mate. I'll probably pass out after a few hours of being up past my usual, but hey, I try.

I did want to point something out while awaiting the Shane, those files HijackThis says are supposed to be missing appear to all be there, I've checked 6 so far - most are Microsoft O/S files with nothing that I can find wrong with them, a few are currently running as I type this out, such as lsass, one was a McAfee file and it's running and appears to be fine.

False positives?

I remember reading this being a possibility with HijackThis 023's - but then again it may be due to all these weird shenanigans with something trying to "hide" my files and it's picking something up. Argghh, it can be pretty frustrating - so many variables.

I'm going to check the rest of the "missing files" to see what's up and finish up these runs.



Love the UK btw, I'm a Europhile, guess it's in the blood.
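An added example, not from the thread and not HijackThis's own code: HijackThis is a 32-bit program, and on 64-bit Windows the WOW64 file-system redirector makes `C:\Windows\System32` resolve to `SysWOW64` for 32-bit processes, which is one known reason an O23 (service) entry can be tagged "(file missing)" although the file exists; whether that is what happened on John's laptop is not established by the thread. The script below parses O23 lines and re-checks each image path, trying the `Sysnative` alias (the WOW64 escape hatch to the real System32) when the checking process is itself 32-bit. The O23 lines, the service and file names, and the fake file system it runs against offline are constructed for the example; on a real machine it would use `os.path.exists`.

```python
import ntpath
import os
import re
import sys
from typing import Callable, Dict, Iterable, Iterator, Optional, Tuple

# HijackThis "O23" service lines look like:
#   O23 - Service: <display name> (<service name>) - <owner> - <image path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?)"
    r" - (?P<path>.+?)(?P<flag> \(file missing\))?$"
)


def is_wow64_process() -> bool:
    """True when this Python is a 32-bit process on 64-bit Windows.

    WOW64 sets PROCESSOR_ARCHITEW6432 only for such processes; they see
    C:\\Windows\\SysWOW64 whenever they open C:\\Windows\\System32.
    """
    return sys.platform == "win32" and "PROCESSOR_ARCHITEW6432" in os.environ


def candidate_paths(path: str, wow64: bool, system_root: str) -> Iterator[str]:
    """Yield the literal path, plus the Sysnative alias when a 32-bit process
    would otherwise be redirected away from the real System32."""
    path = path.strip('"')
    yield path
    system32 = ntpath.join(system_root, "System32")
    if wow64 and path.lower().startswith(system32.lower()):
        rest = path[len(system32):].lstrip("\\")
        yield ntpath.join(system_root, "Sysnative", rest)


def check_o23(lines: Iterable[str], exists: Callable[[str], bool] = os.path.exists,
              wow64: Optional[bool] = None,
              system_root: Optional[str] = None) -> Dict[str, Tuple[str, str]]:
    """Map service name -> (status, path). Status is 'present', 'missing', or
    'false positive' (HijackThis said missing, but the binary is there)."""
    if wow64 is None:
        wow64 = is_wow64_process()
    if system_root is None:
        system_root = os.environ.get("SystemRoot", r"C:\Windows")
    results: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        m = O23_RE.match(line.strip())
        if not m:
            continue  # not an O23 entry
        found = next((p for p in candidate_paths(m["path"], wow64, system_root) if exists(p)), None)
        if found is None:
            status = "missing"          # worth inspecting: a service whose binary is not there
        elif m["flag"]:
            status = "false positive"   # scanner said missing, the file exists
        else:
            status = "present"
        results[m["name"]] = (status, found or m["path"].strip('"'))
    return results


# Constructed HijackThis lines; service and file names are placeholders.
SAMPLE_O23 = [
    r"O23 - Service: Example Update Service (ExampleUpdate) - Example Corp - C:\Program Files\Example\update.exe",
    r"O23 - Service: Example Helper (ExampleHelper) - Unknown owner - C:\Windows\System32\examplehelper.exe (file missing)",
    r"O23 - Service: Example Gone (ExampleGone) - Unknown owner - C:\Windows\System32\gone.exe (file missing)",
]

# Constructed view of the disk as a 32-bit process sees it: System32 is redirected
# (examplehelper.exe is not visible there) while Sysnative reaches the real System32.
FAKE_FS = {
    p.lower()
    for p in (
        r"C:\Program Files\Example\update.exe",
        r"C:\Windows\Sysnative\examplehelper.exe",
    )
}


def fake_exists(path: str) -> bool:
    return path.lower() in FAKE_FS


if __name__ == "__main__":
    # Offline demo against the constructed file system; on a real machine call
    # check_o23(open("hijackthis.log")) and let it use os.path.exists.
    for name, (status, path) in check_o23(SAMPLE_O23, fake_exists, wow64=True,
                                          system_root=r"C:\Windows").items():
        print(f"{name:15} {status:15} {path}")
```

A "missing" result after this check is the one that deserves attention: a registered service pointing at a binary that really is absent is either an uninstall leftover or something to look at more closely, whereas a "false positive" is the redirector at work.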






Boggin (Global Moderator, Hero Member, UK, joined Jul 2014, 10182 posts, karma 122):
I'm anti EU as I believe they've interfered too much in the running of the UK - but I don't want to get into politics.

Which McAfee program is snagging possible infections ?

JohnVanDaal (Newbie, joined Nov 2014, 22 posts, karma 0):
Ok I ran the Refresh and it said everything was fine, here's what I got after running sfc /scannow again:



Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.




I'm attaching the recent sfcdetail.txt - unless my eyes are deceiving me or I somehow did something wrong  .  .  .  . it shows zero missing or bad files   :omg:







Boggin (Global Moderator, Hero Member, UK, joined Jul 2014, 10182 posts, karma 122):
The original sfc /scannow reported it was unable to repair all files because of a corrupt Components Store.

The /RestoreHealth command repairs the Component Store so the next sfc returns nothing wrong - job done.

Are you still getting any "side effects" from running WR ?

Just as a recap, what are the security programs you have installed ?
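An added example, not from the thread and not Tweaking.com's code: the sfcdetails.txt John attached is the kind of file Microsoft's documented command `findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log > "%userprofile%\Desktop\sfcdetails.txt"` produces, and reading it by hand is tedious. The script below parses such a file and separates the files sfc repaired from the ones it could not, which is exactly what distinguishes the first run Boggin describes (component store corrupt, repairs impossible) from the clean run after DISM /RestoreHealth. The log lines are constructed for the example and the component and file names are placeholders.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable

# Each line that findstr /c:"[SR]" keeps from CBS.log has the shape
#   <date> <time>, Info   CSI   <seq> [SR] <message>
SR_RE = re.compile(r"^\S+ \S+, .*?\[SR\] (?P<msg>.*)$")
QUOTED_RE = re.compile(r'"([^"]+)"')

UNREPAIRABLE_PREFIXES = ("Cannot repair member file", "Could not reproject corrupted file")
REPAIRED_PREFIXES = ("Repairing corrupted file", "Repaired file")


@dataclass
class SfcSummary:
    verify_complete: bool = False
    repaired: list[str] = field(default_factory=list)
    unrepairable: list[str] = field(default_factory=list)
    other: Counter = field(default_factory=Counter)  # counts of the other [SR] message kinds


def _file_name(msg: str) -> str | None:
    """The quoted file name or path in an [SR] message, reduced to its base name."""
    m = QUOTED_RE.search(msg)
    return m.group(1).rsplit("\\", 1)[-1] if m else None


def parse_sfcdetails(lines: Iterable[str]) -> SfcSummary:
    s = SfcSummary()
    for line in lines:
        m = SR_RE.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith(UNREPAIRABLE_PREFIXES):
            name = _file_name(msg)
            if name and name not in s.unrepairable:  # sfc logs the same member more than once
                s.unrepairable.append(name)
        elif msg.startswith(REPAIRED_PREFIXES):
            name = _file_name(msg)
            if name and name not in s.repaired:
                s.repaired.append(name)
        elif msg.startswith("Verify complete"):
            s.verify_complete = True
        else:
            s.other[msg.split(" ", 1)[0]] += 1
    return s


def verdict(s: SfcSummary) -> str:
    if not s.verify_complete:
        return "scan did not finish; re-run sfc /scannow"
    if s.unrepairable:
        return ("component store could not supply good copies; run "
                "DISM /Online /Cleanup-Image /RestoreHealth, then sfc /scannow again")
    if s.repaired:
        return "files repaired from the component store; reboot and re-run sfc /scannow"
    return "no integrity violations"


# Constructed sfcdetails.txt content; component and file names are placeholders.
FIRST_RUN = [
    "2014-12-02 03:11:05, Info                  CSI    00000007 [SR] Verifying 100 (0x0000000000000064) components",
    "2014-12-02 03:11:05, Info                  CSI    00000008 [SR] Beginning Verify and Repair transaction",
    '2014-12-02 03:11:09, Info                  CSI    00000009 [SR] Cannot repair member file [l:24{12}]"example1.dll" of Example-Component, Version = 6.3.9600.17031, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral in the store, hash mismatch',
    r'2014-12-02 03:11:09, Info                  CSI    0000000a [SR] Repairing corrupted file [ml:520{260},l:66{33}]"\??\C:\Windows\System32\example2.dll" from store',
    '2014-12-02 03:11:10, Info                  CSI    0000000b [SR] Cannot repair member file [l:24{12}]"example1.dll" of Example-Component, Version = 6.3.9600.17031, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral in the store, hash mismatch',
    "2014-12-02 03:11:12, Info                  CSI    0000000c [SR] Verify complete",
]
AFTER_RESTOREHEALTH = [
    "2014-12-02 06:40:01, Info                  CSI    00000007 [SR] Verifying 100 (0x0000000000000064) components",
    "2014-12-02 06:40:01, Info                  CSI    00000008 [SR] Beginning Verify and Repair transaction",
    "2014-12-02 06:40:03, Info                  CSI    00000009 [SR] Verify complete",
]

if __name__ == "__main__":
    for label, sample in (("first sfc run", FIRST_RUN), ("after DISM /RestoreHealth", AFTER_RESTOREHEALTH)):
        s = parse_sfcdetails(sample)
        print(f"{label}: repaired={s.repaired} unrepairable={s.unrepairable} -> {verdict(s)}")
```

Point it at a real file with `parse_sfcdetails(open(r"C:\Users\you\Desktop\sfcdetails.txt", encoding="utf-8", errors="replace"))`; the file name list is what to keep for the thread rather than the whole log.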


JohnVanDaal (Newbie, joined Nov 2014, 22 posts, karma 0):
> I'm anti EU as I believe they've interfered too much in the running of the UK - but I don't want to get into politics.


Nah, I mean the people, and cultures - in general, I'm not related to the PoliTicks   :tongue:




> Which McAfee program is snagging possible infections ?


Well, Emsisoft keeps picking up those bad Registry files, McAfee LiveSafe - Internet Security is the one alerting about "Changed Programs" ever since I used WR and restarted. I've been getting popups that say this or that program is trying to reach the internet, that I've allowed it before, but that it's "recently changed", and then it gives me the option to "Allow Always", "Allow Once" or "Block".

I'm sure McAfee's default is set to block so I'm wondering if that would explain why there is a new other instance of explorer.exe that showed up right around that time.



I'm running MBAM right now so we'll see what it has to say in a few.


JohnVanDaal (Newbie, joined Nov 2014, 22 posts, karma 0):
> The original sfc /scannow reported it was unable to repair all files because of a corrupt Components Store.
>
> The /RestoreHealth command repairs the Component Store so the next sfc returns nothing wrong - job done.


Right, and it did a great job, good call.


> Are you still getting any "side effects" from running WR ?

I don't believe so, even the McAfee popups are pretty much through popping up. I'll keep a vigilant eye on everything as always but nothing that I know of right now seems to be off.

> Just as a recap, what are the security programs you have installed ?



I've left everything from McAfee in place while we worked so it's still there with all the same components. McAfee LiveSafe controls all the other processes installed by McAfee, plus there is McAfee SafeKey used for saving passwords and file-protection type functions.

Got rid of BrowserGuard, replaced with HitmanPro.Alert   :wink:


The ESET online scanner still exists as a browser extension for performing the online scan if needed, but I have it disabled, if necessary I'll just uninstall it.

I haven't done anything with Microtrend's RUBotted or HijackThis yet, except for turning HT off at Startup & I don't keep it running, but I'll probably uninstall both if everything is OK and just save the Setups in a Zipped file for future use if things become suspicious.

I've left Malwarebytes Anti-Exploit alone so it's running - it's a Beta so I'm not sure how things will play out with its availability as Freeware in the future though.




Also, I've been able to get the HP Assistant to upgrade some of the software related to the Diagnostics and Update features, there is also an AMD Catalyst Control Center with more features for Troubleshooting and Tune-Ups, checking for missing or updated Drivers, etc., I'm looking those things over right now and I see it wants me to download an update for AMD.


Haven't run any other scans except Malwarebytes AM like you recommended - it didn't pick up anything suspicious with the "Threat Scan", so I have it off for now since McAfee is still up and all.




What are your thoughts for what to do now, good Boggin?





Boggin (Global Moderator, Hero Member, UK, joined Jul 2014, 10182 posts, karma 122):
It sounds like you are good to go but I'll leave the final word for Shane, as he'll probably review your thread as he likes to be aware of any after effects of running WR.

Tom.

Boggin (Global Moderator, Hero Member, UK, joined Jul 2014, 10182 posts, karma 122):
Just remembered from another forum that MBAM Exploit was updated on 1st December, if you haven't already updated your version.

New features and improvements etc. https://forums.malwarebytes.org/index.php?/topic/132660-malwarebytes-anti-exploit-history-updates/#entry914489

Download link http://www.malwarebytes.org/antiexploit/

I'm not sure if the ESET Scanner will update its definitions if/when you come to use it next, but as it's easily downloaded and it brings itself up to date then, I usually check its box for the auto uninstall when complete.
« Last Edit: December 03, 2014, 06:15:05 am by Boggin »

JohnVanDaal (Newbie, joined Nov 2014, 22 posts, karma 0):
> It sounds like you are good to go but I'll leave the final word for Shane, as he'll probably review your thread as he likes to be aware of any after effects of running WR.
>
> Tom.

Well whatever happens thanks for assisting me this far, you're one of the good guys, Boggin - Tom.



PS - I hate the "EU" too, but I'm with you in that this is neither the time nor the place to discuss politics   :wink:


Stay safe out in cyberland.


JohnVanDaal (Newbie, joined Nov 2014, 22 posts, karma 0):
> Just remembered from another forum that MBAM Exploit was updated on 1st December, if you haven't already updated your version.
>
> New features and improvements etc. https://forums.malwarebytes.org/index.php?/topic/132660-malwarebytes-anti-exploit-history-updates/#entry914489
>
> Download link http://www.malwarebytes.org/antiexploit/
>
> I'm not sure if the ESET Scanner will update its definitions if/when you come to use it next, but as it's easily downloaded and it brings itself up to date then, I usually check its box for the auto uninstall when complete.


Actually I did get the update for MBAE and I'll probably end up deleting/uninstalling most of everything I've got except for a bunch of the really good tools and tweaks, not exactly sure yet since I haven't really had time to get used to anything on this laptop.

The AMD Catalyst Control Center demanded a Restart so to be safe I ran AdwCleaner - nothing, Roguekiller - nothing.

I ran the same scans after restart but there was still nothing & ran hyper scan with MBAM - nothing there either, so that's impressive to say the least.

Well done, sir.




Boggin (Global Moderator, Hero Member, UK, joined Jul 2014, 10182 posts, karma 122):
Now that everything is running fine I would delete the restore points and manually create a new one - the older ones will have the malware in them that you have previously cleaned out and this is a standard practice after disinfection.

I also create regular system images onto an external HDD that I can restore from should something nasty happen and this is the best counter to any infection by Ransomware - saves you having to shell out Bitcoins to have your files decrypted.

One disadvantage about using an external HDD for these images though, is that the new one overwrites the existing one so you need to be sure that all is okay before creating the new one.

I normally run either a chkdsk or sfc /scannow, CCleaner for clearing the cache then a defrag (don't have a SSD fitted) before creating the image.

The free version CCleaner is a handy tool to have installed. https://www.piriform.com/ccleaner

While it has one of the more intelligent Registry cleaners, leave that and the Removing Duplicate File options alone - although you could use the option to find them if need be.

https://www.piriform.com/docs/ccleaner/using-ccleaner

http://www.howtogeek.com/113382/how-to-use-ccleaner-like-a-pro-9-tips-tricks/

There's one thing that you could help me with and that is using multiple quotes in a reply - never have managed to get the hang of that  :smiley:
« Last Edit: December 03, 2014, 08:42:35 am by Boggin »

Samson (Hero Member, London, joined Nov 2011, 915 posts, karma 38):
> One disadvantage about using an external HDD for these images though, is that the new one overwrites the existing one so you need to be sure that all is okay before creating the new one.

@ Boggin....I guess that depends on what software you are using?
I use Macrium Reflect (the free version 'cos I'm a cheapskate  :wink:), and I have multiple full disk images for each of 4 different machines on an external HDD. Previous images are not overwritten. (these are full, not incremental backup images).

Boggin (Global Moderator, Hero Member, UK, joined Jul 2014, 10182 posts, karma 122):
I'm an even cheaperskate than that - just use Windows but these are full system images where I include the recovery D: partition as well each time.

As well as having system images for both my laptops on the external HDD, thought it would be prudent to make them for those belonging to two other people whose laptops I've had to work on.

They don't download/install anything - mainly FB users, but one has a habit of picking up adware now and again and while this is easily gotten rid of - it could end up being something more malicious.

AV programs and WUs would need updating of course but....

JohnVanDaal (Newbie, joined Nov 2014, 22 posts, karma 0):
> Now that everything is running fine I would delete the restore points and manually create a new one - the older ones will have the malware in them that you have previously cleaned out and this is a standard practice after disinfection.
>
> I also create regular system images onto an external HDD that I can restore from should something nasty happen and this is the best counter to any infection by Ransomware - saves you having to shell out Bitcoins to have your files decrypted.
>
> One disadvantage about using an external HDD for these images though, is that the new one overwrites the existing one so you need to be sure that all is okay before creating the new one.
>
> I normally run either a chkdsk or sfc /scannow, CCleaner for clearing the cache then a defrag (don't have a SSD fitted) before creating the image.
>
> The free version CCleaner is a handy tool to have installed. https://www.piriform.com/ccleaner
>
> While it has one of the more intelligent Registry cleaners, leave that and the Removing Duplicate File options alone - although you could use the option to find them if need be.
>
> https://www.piriform.com/docs/ccleaner/using-ccleaner
>
> http://www.howtogeek.com/113382/how-to-use-ccleaner-like-a-pro-9-tips-tricks/
>
> There's one thing that you could help me with and that is using multiple quotes in a reply - never have managed to get the hang of that  :smiley:


I got the CCleaner. Yeah, I kind of like it, it seems to work quicker than the Disk Cleanup utility provided by Microsoft, but do you happen to know if it's performing as well and as thoroughly?

I'm making a .jpg of these instructions and tips for my Toolkit folder, and I'm looking into exactly how to do the system image so good timing bringing it up.




About the multiple quotes.

I'm going to use variation brackets {...} instead of the regular brackets  [...]  so it doesn't actually perform the quote function while I'm explaining it, since then the commands disappear leaving only the text between them.

But that's the key to understanding/remembering how they work, there are the two commands in brackets that act like bookends so to speak, and all of the text that is placed between them is what gets quoted.



The actual function used to quote text on the forum is this:


{quote}   "text to be quoted goes here"   {/quote}



All text placed between the two quoting brackets is what ends up being quoted, and as you know, what you write after/outside of the end quoting brackets ends up appearing as your own text when you post.


To create a second quotation in the same post it's just the same process repeated with another set of quoting brackets placed somewhere in the reply field after your own text.



{quote}   "text to be quoted goes here"   {/quote}


YOUR TEXT, IMAGE, WHATEVER = HERE . . . . .


{quote}    "2nd text to be quoted goes here"   {/quote}


ETC, ETC,




The difference is when you hit the "Quote" button on someone's post it generates the information about the post you're replying to and quoting from by having that information contained within the 1st set of brackets - Name, Topic#, Message#, and Date, which gets written at the top of the quotation when you post. So it looks like this instead:


{quote author=Boggin link=topic=2619.msg17551#msg17551 date=1417624347}   

"text to be quoted goes here"   

{/quote}



Nothing changes with the characters used for the end brackets "{/quote}", it stays the same either way - and of course I'm using dummy brackets instead of the regular ones like I said at the beginning, but you just repeat the process as many times as needed, with or without the post's info.



So it's the same thing except with an addition of information.


Obviously the easiest and quickest way to make sure the info is correct is to begin the process by pressing the "Quote" button on the person's post and then Copy/Paste as needed.



Hope that makes sense, I'm a bit under the weather today + it's cold, dark and rainy, so I'm kind of fuzzy headed too (Ok, more fuzzy than usual) Try it out once or twice on this thread if you want, you can just delete any mistake post - I'll know what's going on, but somehow I have the feeling you'll pick up on it right away just fine, Boggin   :wink:



I do have a couple questions that I want to leave for Shane when he drops by but I'll have to post about them in a while from now, but I wanted to get back to you about the quotes first and foremost.

Take it easy, mate.



« Last Edit: December 03, 2014, 10:07:37 pm by JohnVanDaal »

Boggin (Global Moderator, Hero Member, UK, joined Jul 2014, 10182 posts, karma 122):
Thanks John, I understand how you would edit a quote - the problem I have is in another forum I post on where they have a separate multiple quote button in addition to the regular one - have you ever come across those ?

As I don't want to spam your thread with a different topic, I'll leave it at that.

JohnVanDaal (Newbie, joined Nov 2014, 22 posts, karma 0):
> Thanks John, I understand how you would edit a quote - the problem I have is in another forum I post on where they have a separate multiple quote button in addition to the regular one - have you ever come across those ?
>
> As I don't want to spam your thread with a different topic, I'll leave it at that.

(I could swear I already replied to this and saw my reply posted afterwards, but oh well)

lol, Sorry, I misunderstood what you were asking me. To be honest I couldn't understand why you wanted me to explain this but I didn't want to say anything about it, but then again for all I know you're a friend of Shane's helping out here and you've only been using the forum for a week and a half

(EDIT: but I guess the words "Sr. Member" near your moniker settles that one  .   .   .   .   .) or something similar, so please don't be offended, I wasn't trying to insult your intelligence, that's why I wrote what I did at the end, you obviously know what you're doing when it comes to computers.


That's funny though, in a way, since at the time I was suffering from exhaustion from lack of sleep and also had a cold. So yeah I wasn't thinking too clearly, sorry about that.



No, I'm not sure what you mean. I don't normally post on forums, I'm still trying to figure out how the site could think I'm a "Robot, spamming this site" when I often come here to the forum from a bookmark immediately after turning the Wireless switch on.

It makes me think something is still hijacking the system somehow, but then again there could be other answers, especially since the VPN has been doing strange things to the way the browser deals with my websurfing, but that's new to me as well.

« Last Edit: December 05, 2014, 05:59:26 am by JohnVanDaal »

Boggin (Global Moderator, Hero Member, UK, joined Jul 2014, 10182 posts, karma 122):
On some forums next to the Quote or Reply with Quote option, there's either a Quote box with a squiggly line next to it or an option to click on "+ which is for reply with multiple quotes.

This allows you to quote more than one user's post in a single reply - just thought you may have come across that.