
Hacked -- How do I get control of my own PC back?!


15 replies to this topic

#1 lisaf

Posted 08 October 2009 - 09:55 PM

Previously I posted this:

I have a new PC running Vista, which conveniently let someone set up a network the first time I plugged it in. (DSL modem hadn't yet authenticated to the ISP server.) In a Catch-22, before the computer could download its Windows security patches & Norton updates, something snuck in & did a bunch of registry changes, etc. -- & even delayed the start of said Windows updates.

If PC reboots, I have to go into Tools>Internet Options>Advanced, and then "Enable Phishing Filter" (it disables it). Also in that section the selection for "Enable memory protection to help mitigate online attacks" is greyed out.

Also, in Ctrl Panel>System>System Protection, I had to disable "Allow remote assistance connections to this computer" on the Remote tab of the System Properties window.

In Ctrl Panel>Network & Sharing Center, had to turn off File Sharing. In Network Properties it had File & Printer Sharing enabled. Terminal Services keeps re-enabling itself. There is a Public Desktop, etc., etc.

Anyways I know it's infected/hacked (will post more later), but my question for now is:

If I hook up my new printer/scanner/fax/copier to the computer in order to print a document, is there a chance the malware/whatever could get into the printer's memory & remain resident there? (I did stop the Print Spooler service.)
Edited to add: Of course I'll unhook the ethernet connection first.

(Thanks to garmanma, Mark for replying, "It's highly unlikely".) (Also noticed an error, I meant Print Server not Spooler)

-----------------------------------------------------------------------------


I've procrastinated, but I thought I could just use the HP restore utility eventually. There may have been changes to it though. (In mmc, System Tools>Event Viewer>Windows Logs>Application, on 9/20:
"Windows Installer reconfigured the product. Product Name: HP Recovery Manager RSS. Product Version: 92.0.0.9. Product Language: 1033. Reconfiguration success or error status: 0." (Unless that applies to the printer, I was installing the printer at the time too, I can look up the product version but want to get this posted first).

In Ctrl Panel>Reliability & Performance Monitor, Data Collector Sets, System, Event Trace Sessions (well this is weird but something isn't letting me paste a screenshot, or a copy of the screenshot from a document, into this post...) there are a number of logs running: NT Kernel Logger, Circular Kernel Context Logger, DiagLog, EventLog-Application, EventLog-ForwardedEvents, EventLog-System, NBSMBLOGGER, NtfsLog, RdrLog, WdiContextLog, SCM, WMI_Trace_Session, Spooler Default Session, MsMpPs

In Startup Event Sessions, the logs are: Audio, Circular Kernel Context Logger, DiagLog, EventLog-Application, EventLog-ForwardedEvents, EventLog-Security, EventLog-System, NBSMBLOGGER, NtfsLog, PEAuthLog, RAC_PS, RdrLog, ReadyBoot, SQMLogger, TCPIPLOGGER, WdiContextLog, WFP_IPsec Trace. Note: of those, I disabled Audio (as it was set to "Record"), PEAuthLog, RAC_PS, SQMLogger, TCPIP Logger, WFP-IPSec Trace.

Clicked on one of the running logs, RdrLog (Microsoft-Windows-Remote-FileSystem-Log) -- Properties, Security tab, Advanced, Owner tab, Other Users or Groups, Advanced, Find Now, and saw a huge list. Showing as "In Folder" LISA-PC are Users: Administrator, Guest (I disabled it), & lisa (me). Groups In Folder LISA-PC are: Administrators, Distributed COM Users, Event Log Readers, Guests, Performance Log Users, Performance Monitor Users, and Users. The following are shown as Groups (but not In Folder LISA-PC): ANONYMOUS LOGON, Authenticated Users, BATCH, CREATOR GROUP, CREATOR OWNER, DIALUP, Everyone, IIS_USERS, INTERACTIVE, IUSR, LOCAL SERVICE, NETWORK, NETWORK SERVICE, OWNER RIGHTS, REMOTE INTERACTIVE LOGON, SERVICE, SYSTEM, TERMINAL SERVER USER.

After it was hacked something called "TrustedInstaller" immediately made a bunch of changes to my system. (Registry, etc., plus a lot of developer stuff, C++, & other tools.) Discovered I was part of an Intranet but I deleted that IP address & changed settings. I disabled numerous services but am unable to stop RasMan (Remote Access Connections Manager), & RpcSs (Remote Procedure Call).

Other oddities, among many, in System Tools>Event Viewer>Windows Logs>System:

DCOM started the service TrustedInstaller with arguments "" in order to run the server:{752073A1-23F2-4396-85F0-8FDB879ED0ED
Driver Management has concluded the process to add Service tunnel for Device Instance ID ROOT\*ISATAP\0000 with the following status: 0.
Failed to upgrade printer settings for printer \\LISA-PC\HP Officejet J4500 Series,LocalOnly driver C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRVUI..DLL. Error: 5. The device settings for the printer are set to those configured by the manufacturer.
Driver Management has concluded the process to add Service usbscan for Device Instance ID USB\VID_03F0&PID_2A12&MI_00\6&26EF38BF&0&0000 with the following status: 0.
Driver Management concluded the process to install driver FileRepository\usbprint.inf_260bdbfc\usbprint.inf for Device Instance ID USB\VID_03F0&PID_2A12&MI_01\6&26EF38BF&0&0001 with the following status: 0.
Driver Management concluded the process to install driver NULL Driver for Device Instance ID USB\VID_03F0&PID_2A12&MI_02\6&26EF38BF&0&0002 with the following status: 3758096899.
Driver Management concluded the process to install driver NULL Driver for Device Instance ID USB\VID_03F0&PID_2A12&MI_02\6&26EF38BF&0&0002 with the following status: 3758096899.
The description for Event ID 8207 from source StillImage cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: HP Officejet J4500, Windows Image Acquisition (WIA)

(Note above, it seemed to want to install a net driver not original HP driver? Didn't let it finish, there were some files that said HP but "Not Digitally Signed" according to Windows Defender...)

There is also much weirdness in the Application & Security logs...

In Ctrl Panel\Network Connections, when I click Advanced on the menu, Advanced Settings, Provider order, there are three listed: Microsoft Windows Network, Microsoft Terminal Server Network Provider, and Web Client Network.

Network Properties shows a 2nd IPv4 DNS server (besides my ISP), & there is a Link-Local IPv6 Address: fe80::216d:cb59:18a (& then a bunch more characters.......)

In Resource Monitor in the Network pane, I've watched it populate w/various IP addresses & machine names, etc.

I could go on but I think you get the picture........ Like the nerd I am (old habits die hard, but last worked in IT in 2003) I documented a lot more -- many of the event/error codes seem to apply to Windows Server 2003. But it comes down to this: I don't know what to do!!

HELP please!! :thumbsup:

Edited to add: I know the event logs "EventLog-Application", "EventLog-System", are supposed to be there (I use them) but when I try to use "EventLog-ForwardedEvents", there is never anything there. Also, I have noticed weird events saying something like "Suppress duplicate log entries for 86400 seconds". There are numerous other events, basically saying changes are constantly being made to my system, there are Logins (after Login attempts), special rights being assigned, etc., etc., -- I could post them if needed. Any help is greatly appreciated, thanks!

Edited by lisaf, 09 October 2009 - 01:31 PM.
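The "Driver Management" and printer-settings events quoted in this post end in numeric status codes (0, 5 and 3758096899). The following is an added example, not code from the thread: it decodes those numbers the way a responder would, converting each to hexadecimal and mapping it to the symbolic names from Microsoft's winerror.h and setupapi.h (0 = ERROR_SUCCESS, 5 = ERROR_ACCESS_DENIED, 0xE0000203 = SPAPI_E_NO_DRIVER_SELECTED). The sample lines are copied from the event text in the post; the function and table names are the example's own.

```python
"""Decode the status codes in Driver Management / printer events (added example)."""
import re

# Sample lines, copied from the event descriptions quoted in the post above.
SAMPLE_EVENTS = [
    r"Driver Management has concluded the process to add Service tunnel for Device Instance ID ROOT\*ISATAP\0000 with the following status: 0.",
    r"Failed to upgrade printer settings for printer \\LISA-PC\HP Officejet J4500 Series,LocalOnly driver C:\Windows\system32\spool\DRIVERS\x64\3\UNIDRVUI..DLL. Error: 5. The device settings for the printer are set to those configured by the manufacturer.",
    r"Driver Management concluded the process to install driver FileRepository\usbprint.inf_260bdbfc\usbprint.inf for Device Instance ID USB\VID_03F0&PID_2A12&MI_01\6&26EF38BF&0&0001 with the following status: 0.",
    r"Driver Management concluded the process to install driver NULL Driver for Device Instance ID USB\VID_03F0&PID_2A12&MI_02\6&26EF38BF&0&0002 with the following status: 3758096899.",
]

# Symbolic names from winerror.h (Win32 errors) and setupapi.h (SPAPI_E_*);
# only the codes that occur in the sample are listed.
WIN32_ERRORS = {0: "ERROR_SUCCESS", 5: "ERROR_ACCESS_DENIED"}
SETUPAPI_ERRORS = {0xE0000203: "SPAPI_E_NO_DRIVER_SELECTED"}

STATUS_RE = re.compile(r"(?:following status|Error): (\d+)\.")
DEVINST_RE = re.compile(r"Device Instance ID (\S+) with")
DRIVER_RE = re.compile(r"install driver (.+?) for Device Instance")


def decode_status(value):
    """Map the decimal status printed in the event text to a symbolic name."""
    if value in WIN32_ERRORS:
        return WIN32_ERRORS[value]
    if value in SETUPAPI_ERRORS:
        return SETUPAPI_ERRORS[value]
    if (value >> 28) == 0xE:          # 0xE000xxxx: SetupAPI error range
        return f"unlisted SetupAPI error 0x{value:08X}"
    return f"unlisted error 0x{value:08X}"


def triage_event(line):
    """Extract device, driver and decoded status from one event description."""
    m = STATUS_RE.search(line)
    if m is None:
        return None                   # not a status-bearing event
    value = int(m.group(1))
    dev = DEVINST_RE.search(line)
    drv = DRIVER_RE.search(line)
    return {
        "device": dev.group(1) if dev else None,
        "driver": drv.group(1) if drv else None,
        "status": value,
        "hex": f"0x{value:08X}",
        "name": decode_status(value),
    }


def triage_all(lines):
    """Decode every status-bearing line, dropping lines without a status."""
    return [r for r in (triage_event(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_EVENTS):
        print(f"{r['device'] or '(printer settings)'}: {r['driver'] or '-'} -> {r['hex']} {r['name']}")
```

Status 0 entries record installs that completed. The 3758096899 entry decodes to SPAPI_E_NO_DRIVER_SELECTED for a "NULL Driver" install on interface MI_02 of the printer, meaning no driver package matched that USB interface, while MI_00 and MI_01 of the same device installed with status 0. Decoding the value this way lets you look the code up in Microsoft's documentation instead of reasoning from the decimal number.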



#2 lisaf (Topic Starter)

Posted 16 October 2009 - 01:54 PM

Sorry to bump my own post, but I have no clue what to do... Apparently I'm just a user on my own computer, part of someone else's Workgroup. I can't view the "Owner" of many tasks, etc., I don't have rights to certain folders, & it's very frustrating knowing something is "writing home to mama" about everything I do.

If there's anymore information I can give please let me know.

#3 garmanma (Computer Masochist, Staff Emeritus)

Posted 17 October 2009 - 08:22 PM

I will relay your request to members who have more insight to your problems
Mark

#4 Grinler (Lawrence Abrams, Admin)

Posted 18 October 2009 - 07:06 AM

Feel free to hook up your scanner/printer/etc. It won't be affected. There are rare cases of HP Jetdirect cards being able to be utilized by hackers, but this is definitely not your case here.

I personally do not think this is a hacked server, but rather a corruption in the Vista config. I assume you have run various virus scans and they all come up clean?

TrustedInstaller is actually a legitimate service in Windows Vista.

#5 lisaf (Topic Starter)

Posted 26 October 2009 - 04:40 PM

Thank you Mark, hope someone can help.

Grinler, my computer was hacked before my ISP's modem could authenticate to its server. It was a brand new PC so had to download the latest signatures online before being fully protected. There is no reference to my ISP's modem anywhere on my computer. The only thing mentioned is "Agere Systems PCI-SV92EX Soft Modem", described as an internal modem.

There shouldn't be any type of Remote Server, nor Terminal Services, running on my PC. I shouldn't be part of anyone's network.

In Ctrl Panel>Performance Info & Tools>Advanced Tools>System Information>Components>Network>Adapter, there are references to 11 different adapters:

Adapter Type         Adapter                                                                              PNP Device ID
Not Available        [00000000] WAN Miniport (L2TP)                                                       ROOT\MS_L2TPMINIPORT\0000
Wide Area Network    [00000001] WAN Miniport (PPTP)                                                       ROOT\MS_PP2PMINIPORT\0000
Wide Area Network    [00000002] WAN Miniport (PPPOE)                                                      ROOT\MS_PPOEMINIPORT\0000
Not Available        [00000003] WAN Miniport (iPv6)                                                       ROOT\MS_NDISWANIPV6\0000
Ethernet 802.3       [00000004] Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS6D)   PCI\VEN_10EC&DEV_8168&SUBSYS_2A6F103C&REV_02\4&5D52B92&0&00E2
Tunnel               [00000005] Microsoft ISATAP Adapter                                                  ROOT\*ISATAP\0000
Not Available        [00000006] WAN Miniport (IP)                                                         ROOT\MSNDISWANIP\0000
Ethernet 802.3       [00000007] Microsoft TUN Miniport Adapter                                            ROOT\TUNMP\0000
Not Available        [00000009] RAS Async Adapter                                                         Not available
Not Available        [000000010] WAN Miniport (SSTP)                                                      ROOT\MS_SSTPMINIPORT\0000
Not Available        [000000011] WAN Miniport (Network Monitor)                                           ROOT\MW_MDISWANBH\0000
There are 8 different protocols mentioned, some of which are connectionless.

Additionally I discovered Internet Explorer is virtualized, & by looking at the source code of any webpage I visit, it's obvious that it's simply pulling code from each site, for example, from Verisign:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<script language="JavaScript">
var g_HttpRelativeWebRoot = "/stellent/";
var SSContributor = false;
</script>
<script type="text/javascript" nodeid="59" layouttype="hcsp" src="./stellent/websites/59/contributor.js" websiteid="59" language="JScript" id="SSContributorScript"></script>
<script type="text/javascript" src="./stellent/websites/59/sitenavigation.js" language="JScript" id="SSNavigationScript"></script>
<script language="JavaScript">
var g_navNode_Path = new Array();
g_navNode_Path[0] = '59';
var g_ssSourceNodeId = "59";
var g_prefixToStaticRoot = ".";
var g_strLanguageId = "en";
</script>

<title>VeriSign - Security (SSL Certificates), Intelligent Communications, Domain Name Services, and Identity Protection</title> <meta name="description" content="VeriSign, Inc. is the trusted provider of Internet infrastructure services for the digital world. Products include SSL, SSL Certificates, Extended Validation SSL certificates (EV), identity protection, Domain Name Services, Com Net Registry." /> <meta name="keywords" content="ssl, ssl certificates, internet infrastructure services, digital content solutions, extended validation, two-factor authentication, identity protection, managed security services, public key infrastructure (PKI), security consulting, domain name services, com net registry, verisign" />

<script type="text/javascript" src="/hp07/j/s.js"></script>
<script type="text/javascript" src="//www.verisign.com/hp07/j/gm.js"></script>
<script type="text/javascript" src="//www.verisign.com/hp07/j/swfobj.js"></script>
<script type="text/javascript" src="//www.verisign.com/js/mbox.js"></script>
<script type="text/javascript" src="//www.verisign.com/js/baynote/baynote.js"></script>
<link rel="stylesheet" type="text/css" href="//www.verisign.com/hp07/css/hbase.css" />
<style type="text/css">
#productsFrame, #products ul li{width:220px;}

I did some homework of my own & found that in startup was something called "HP Advisor", which isn't listed in your database. So I went to Sophos which suggested it could be a trojan. Downloaded their product but it hung at scanning for Rootkits. (Later looked at their site & saw that I shouldn't have just let it run a general scan, but a specific one.)

Something disabled Sophos, & I was following in Event Monitor & saw that "Interactive Rights" were taken away, & then something tried to change Sophos Infrastructure.dll file w/something else... So I guess I could contact Sophos, or do you think I should go to your Rootkit forum?

Edited by lisaf, 26 October 2009 - 04:51 PM.


#6 Grinler (Lawrence Abrams, Admin)

Posted 27 October 2009 - 12:05 PM

Hi Lisaf,

I just looked, and I have the same or similar network adapters and I know I have definitely not been hacked. These are normal and should not be worried about.

What do you mean by "I discovered Internet Explorer is virtualized"? Not sure I understand you.

And this: "by looking at the source code of any webpage I visit, it's obvious that it's simply pulling code from each site, for example, from Verisign:"? What site were you visiting? Not seeing anything bad there.

As for HP Advisor, I just added it to the startup database. It's not a malicious program:

http://www.bleepingcomputer.com/startups/H....exe-25238.html

Let's do a rootkit scan to be safe:

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.


#7 lisaf (Topic Starter)

Posted 29 October 2009 - 12:38 AM

Thanks Grinler, I'll do the scan, but wanted to let you know some other reasons I know it's hacked (besides the fact there's no mention of my modem, an Adaptec M1000). I don't know what default settings (or options) should appear where in Vista & was unaware of TrustedInstaller.

But I do know that I shouldn't have a roaming profile, nor should there be groups such as Distributed COM Users, ANONYMOUS LOGON, BATCH, INTERACTIVE, REMOTE INTERACTIVE LOGON, & TERMINAL SERVER USER. I don't think there should be (in Network Settings, Advanced Settings) Network Providers such as Microsoft Terminal Server Network Provider or Web Client Network. Also shown there, on the Adapters & Bindings tab, is Remote Access Connections in addition to Local Area Connection. When I click on it nothing shows, but when I click back to Local Area Connections there is a brief time when settings can be seen for Remote Access before the LAC settings are shown. This is also where I had to originally uncheck File & Printer Sharing.

In Task Manager (which no longer appears when I press Ctrl+Alt+Del, I have to go thru Ctrl Panel) I used to be able to click on "Show Processes From All Users". Now if I do, Task Manager shuts down. In Control Panel if I click on "Show me all the shared network folders on this computer", nothing happens (it should at least perform a search).

I am unable to stop the following services: RasMan (Remote Access Connection Manager), LanManServer, RpcSs (Remote Procedure Call), DCOM Server Process Launcher, Terminal Services, & similar. I've seen files such as "DataToPostToServer". My temp user file is online. (In Device Manager, under System Devices, I was able to uninstall Terminal Server Keyboard Driver & Terminal Server Mouse Driver.)

Internet Explorer has File Virtualization enabled. There are program files which run scripts that change what I can view, as well as enabling user impersonation & starting a shell service, running programs to record what's viewed, & then starting mail services, etc., & sending logs. Sometimes if I open a new window it appears in the correct widescreen format, other times it's narrow. Edited to add: The odd thing about the widescreen/narrow screen thing is that it's when opening the same page within the same site. Specifically, if I'm on eBay & right click on Saved Searches & choose Open in New Window, a window opens widescreen. Immediately afterward I'll do the same thing & the window opens w/a narrow format. (Unless that's just an eBay thing?)

Numerous changes were made to my machine while I was on the phone w/my ISP's technical support because their startup disk hadn't worked. That was before my PC had authenticated to their server. There's more info if you need it, but I used to work w/computers & I do know that it's hacked.

Anyways I'll do the scan.

Edited by lisaf, 29 October 2009 - 01:18 PM.


#8 lisaf (Topic Starter)

Posted 29 October 2009 - 05:50 AM

The GMER interface didn't give me a choice to uncheck the named items -- they were already greyed out. Also greyed out were System, Devices, Modules, Processes, Threads, & Libraries. Already checked were Services, Registry, Files, C:\, & ADS. I checked D:\ since on my computer it lists system files among contents.

After the scan there was no window giving me an option to save anything. The only thing displayed was a msg box stating, "GMER hasn't found any system modification."; the only option was to click an OK button or X on the menu bar to close the box.

??

#9 Grinler (Lawrence Abrams, Admin)

Posted 29 October 2009 - 05:46 PM

Hi Lisaf,

> ANONYMOUS LOGON, BATCH, INTERACTIVE, REMOTE INTERACTIVE LOGON, & TERMINAL SERVER USER

I have them too and I am not hacked.

> I am unable to stop the following services: RasMan (Remote Access Connection Manager), LanManServer, RpcSs (Remote Procedure Call), DCOM Server Process Launcher, Terminal Services, & similar.

Me neither, nor are you supposed to. Disable them and reboot if you want to shut them down. Disabling RpcSs will make your computer act funny though.

> My temp user file is online.

I am not sure what this means?

> In Task Manager (which no longer appears when I press Ctrl+Alt+Del, I have to go thru Ctrl Panel) I used to be able to click on "Show Processes From All Users". Now if I do, Task Manager shuts down. In Control Panel if I click on "Show me all the shared network folders on this computer", nothing happens (it should at least perform a search).

This is a bit strange I have to admit. Could be a corruption or other issue though.

> Internet Explorer has File Virtualization enabled.

How can you tell this was enabled? To be honest I am unfamiliar with what you are talking about here. Is this an option that you enable?

> "GMER hasn't found any system modification."

Then it looks like you do not have any rootkits.


Personally, I think you are so convinced that you are hacked, that you are taking legitimate services, users, etc and seeing them as cause for concern.

The only thing I can say, is if you think you are hacked, then reinstall. That is the only sure way of cleaning your system after being hacked.

#10 lisaf (Topic Starter)

Posted 30 October 2009 - 05:09 PM

One thing I noticed in the GMER box on the Registry tab is that a bunch of items are in red. Do you know what that means?

As I said, I don't know what files/services are defaults, but I should not have a roaming profile. That means I am part of someone's network.

In Event Manager, there are numerous logon attempts, then successes, then the new user is assigned "special privileges" including impersonate user, etc. There are a lot of events I didn't mention that show the PC is hacked. (But the latest is that when I installed Sophos, something immediately logged on & took away its interactive rights, & disabled Sophos.)

Also I forgot to mention, the D:\ partition is almost full.

I'll have to go to the HP site to reinstall, but am curious about the registry stuff...

Edited to add: In Event Manager, the time of any event is always shown as 7 hrs ahead of my system's time.
Also added: Shouldn't GMER have been able to check System, Devices, Modules, Processes, Threads, & Libraries (they were greyed out & I couldn't check them)?

Edited by lisaf, 30 October 2009 - 05:46 PM.
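The pattern described in this post (logon attempts, then a success, then "special privileges" such as impersonation assigned to the new logon) corresponds in the Vista Security log to events 4625, 4624 and 4672; the thread does not name those event IDs, so they are this example's assumption. Event 4672 is raised for every SYSTEM and service logon, including at every boot, so on its own it is noise. The added example below, which is not code from the thread, shows how a responder separates the routine cases from the ones worth a closer look: it pairs each 4672 with its 4624 by Logon ID, ignores the built-in service accounts, and reports only logons that are remote (type 3 network or type 10 RemoteInteractive) or were preceded by failures for the same account and source. The log lines, logon IDs and the 10.0.0.23 address are constructed, and the "Key=Value; ..." layout is a flattening of the real event fields.

```python
"""Triage of logon / special-privilege event pairs (added example).

Assumptions: Security-log events 4625 (logon failure), 4624 (logon success)
and 4672 (special privileges assigned to new logon) are the records behind
the pattern described in the post; the flattened "Key=Value; Key=Value"
lines below are constructed sample data, not real log output.
"""
from collections import defaultdict

# Constructed sample log. Logon IDs and the 10.0.0.23 address are invented.
SAMPLE_LOG = """\
EventID=4624; LogonType=5; Account=SYSTEM; Domain=NT AUTHORITY; LogonID=0x3e7; Source=-
EventID=4672; Account=SYSTEM; Domain=NT AUTHORITY; LogonID=0x3e7; Privileges=SeTcbPrivilege,SeImpersonatePrivilege
EventID=4624; LogonType=2; Account=lisa; Domain=LISA-PC; LogonID=0x2a4c1; Source=-
EventID=4672; Account=lisa; Domain=LISA-PC; LogonID=0x2a4c1; Privileges=SeBackupPrivilege,SeImpersonatePrivilege
EventID=4625; LogonType=3; Account=admin; Domain=WORKGROUP; LogonID=0x0; Source=10.0.0.23
EventID=4625; LogonType=3; Account=admin; Domain=WORKGROUP; LogonID=0x0; Source=10.0.0.23
EventID=4624; LogonType=3; Account=admin; Domain=WORKGROUP; LogonID=0x5b9d2; Source=10.0.0.23
EventID=4672; Account=admin; Domain=WORKGROUP; LogonID=0x5b9d2; Privileges=SeImpersonatePrivilege,SeDebugPrivilege
"""

# Principals that legitimately receive special privileges on every logon.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# Logon types that originate from another machine: 3 = network (file/printer
# sharing, RPC), 10 = RemoteInteractive (Remote Desktop / Remote Assistance).
REMOTE_LOGON_TYPES = {3, 10}


def parse_records(text):
    """Turn each 'Key=Value; ...' line into a dict; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(part.split("=", 1) for part in line.split("; ")))
    return records


def triage_logons(text):
    """Return the logons that received special privileges and look non-routine."""
    failures = defaultdict(int)   # (account, source) -> 4625 count seen so far
    logons = {}                   # LogonID -> 4624 record with failure count attached
    findings = []
    for rec in parse_records(text):
        eid = rec["EventID"]
        if eid == "4625":
            failures[(rec["Account"], rec["Source"])] += 1
        elif eid == "4624":
            prior = failures.get((rec["Account"], rec["Source"]), 0)
            logons[rec["LogonID"]] = dict(rec, prior_failures=prior)
        elif eid == "4672":
            logon = logons.get(rec["LogonID"])
            if logon is None or logon["Account"] in SERVICE_ACCOUNTS:
                continue          # routine: every SYSTEM / service logon gets 4672
            ltype = int(logon["LogonType"])
            if ltype in REMOTE_LOGON_TYPES or logon["prior_failures"] > 0:
                findings.append({
                    "account": f'{logon["Domain"]}\\{logon["Account"]}',
                    "logon_type": ltype,
                    "source": logon["Source"],
                    "prior_failures": logon["prior_failures"],
                    "privileges": rec["Privileges"].split(","),
                })
    return findings


if __name__ == "__main__":
    for f in triage_logons(SAMPLE_LOG):
        print(f"{f['account']} type {f['logon_type']} from {f['source']}: "
              f"{f['prior_failures']} prior failure(s), granted {', '.join(f['privileges'])}")
```

On the constructed input the SYSTEM logon is dropped as routine, the local console logon by lisa is kept out because it is neither remote nor preceded by failures (an account in the Administrators group is granted SeImpersonatePrivilege on every logon), and only the network logon by "admin" from 10.0.0.23, which followed two failures and then received SeDebugPrivilege, is reported. The same pairing logic applies to exported real events once their fields are read from the event XML.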


#11 Grinler (Lawrence Abrams, Admin)

Posted 01 November 2009 - 08:39 PM

I honestly do not know at this point. There are no signs of active malware or unusual services starting. You really should reinstall to be safe.

#12 lisaf (Topic Starter)

Posted 02 November 2009 - 04:23 AM

Yeah, I'll go ahead & do that. No point in overanalyzing it at this point.......... Thanks!

#13 lisaf (Topic Starter)

Posted 08 November 2009 - 07:22 PM

Haven't reinstalled yet but just wanted to add this & ask a question. Since I leave my computer on, it downloads some updates automatically, one of which was IE8 (but I had to OK some terms to allow installation to complete). Could be that its "advanced security" actually works, b/c I am now advised of an important Vista update from 7/12/09. My PC was hooked up/hacked on 8/6, & that update wasn't mentioned.

I was curious about a file & did a search which directed me to another post here on BleepingComputer.com from a few days ago, in which elise025 advised a user about GMER. I just wanted to let you know that you forgot to include an important step when you advised me of its use (shown in bold below). If I'd been offline before running the program, it probably would have checked System, Devices, Modules, Processes, Threads, & Libraries -- which were greyed out. (I did close all running programs though.) I don't see how GMER can state "GMER hasn't found any system modification" if it was unable to check System, etc.

Should I uninstall it & try again, or is it a moot point since I'll probably have to reinstall Windows anyways? I just wish there was some way of getting my system back (getting rid of the 2nd domain in which I'm a user) w/o having to go through the HP site...


> Please download GMER from one of the following locations and save it to your desktop:
> • Main Mirror
>   This version will download a randomly named file (Recommended)
> • Zipped Mirror
>   This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
> • *Disconnect from the Internet and close all running programs.*
> • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
> • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
> • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
> • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
> • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
> • Now click the Scan button. If you see a rootkit warning window, click OK.
> • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
> • Click the Copy button and paste the results into your next reply.
> • Exit GMER and re-enable all active protection when done.
> -- If you encounter any problems, try running GMER in Safe Mode.



#14 Grinler (Lawrence Abrams, Admin)

Posted 09 November 2009 - 01:31 PM

Just reinstall Windows. If you were hacked, then it's more than likely we will never find all of the items that were changed and thus you may always be vulnerable. Malware infestations and hacks are very different beasts and should be treated differently.

#15 lisaf (Topic Starter)

Posted 10 November 2009 - 04:05 PM

OK, maybe it's a good time to upgrade to Windows 7 anyway. Maybe this time Microsoft will get their syntax right.



