
Please help! I'm going crazy!



#1 Bryan Mohr

Bryan Mohr

  • Members
  • 66 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 06 March 2013 - 11:56 PM

I have several computers that are being used by unauthorized people from who knows where. None of the AV products finds them. But within an hour or two of me connecting a new machine to the network, NetFX has been installed, Windows Media Player has been setup to allow remote access, new user names have been created, and several hidden network adapters have been created (and no, I don't mean the hidden ones that are normally setup with Windows 7). I've tried turning off every service I can think of that might be a problem, setting up a local security policy (oh yeah, and MANY group policy entries added ... not by me), I don't know what else to do. If I fire up WireShark, sometimes I will see some of my files being sent ... somewhere. It has to stop. Can someone please help me lock down these machines?

 

There are 9 computers, all running Windows 7 ... except the tablet which is running Windows 8.

 

 




#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:26 AM

Posted 07 March 2013 - 04:55 AM

Hi -

I see no abnormal items from what you describe so far - Have your IT people found problems?

NetFx is apparently just shorthand for "Microsoft .NET Framework", which is a normal part of Windows 7 -

Windows Media Player has been set up to allow remote access < This is also normal. You can disable it if you wish.

 

There are 9 computers, all running Windows 7 < < These are all configured to your own internal network


What active Antivirus / Antimalware programs are you running? If you are not 100% sure, please do this check >
Download Security Check by Screen317 from HERE and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post back the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

Thank You -



#3 Bryan Mohr

Bryan Mohr
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  • Local time:05:26 PM

Posted 07 March 2013 - 03:49 PM

Well, my IT department is me. These are home computers. As for AV, I currently run MSE, MalwareBytes, and Emsisoft. But I've also used Kaspersky, Panda, and a few other scanners from a boot drive.

 

Here is checkup.txt:

 

 Results of screen317's Security Check version 0.99.60  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Emsisoft Anti-Malware           
Microsoft Security Essentials   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 iSpy     
 Secunia PSI (3.0.0.4001)   
 Malwarebytes Anti-Malware version 1.70.0.1100  
 abylon EXIF-CLEANER 2013   
 Java 7 Update 15  
 Adobe Flash Player 11.6.602.171  
 Adobe Reader XI  
 Mozilla Firefox (19.0)
 Mozilla Thunderbird (17.0.3)
 Google Chrome 24.0.1312.57  
 Google Chrome 25.0.1364.97  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 Emsisoft Anti-Malware a2service.exe   
 EMSISOFT ANTI-MALWARE a2guard.exe   
 StartupDefender.exe    
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````
 

 

Ok, those two examples may not have caused any concern. How about the fact that the Assistance Platform 1.0 Client SDK was installed without me knowing about it? Or that HomeGroupUser$ was registered as a user (not group) on the computers?



#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:26 AM

Posted 08 March 2013 - 08:53 PM

Hi -

Did you install abylon EXIF-CLEANER 2013, as this is often included in OEM software with some computers?

 

A sample of Visual Basic that helps your system to run better - Installed as standard - If missing, some programs will not run.
The Assistance Platform 1.0 Client SDK includes three sample applications, one each in C++, C# and Visual Basic.
The sample applications are installed with the Windows SDK to the following location: C:\Program Files\Microsoft SDKs\Windows\vX.X\Samples\winui\HelpAPISample (if the SDK is installed to C: ).

 

According to Emsisoft, this is also a Fully Functional Antivirus program - If you pay the (about) US$40 Per Year Fee -
Emsisoft FAQ - Frequent questions - Can it replace my current antivirus software?
Yes. Emsisoft Anti-Malware is a complete antivirus solution that provides protection against all manner of threats that are lurking on the internet. Two full virus scanning engines are used to ensure optimal detection and cleaning, while the three-layered real-time protection prevents new infections from entering your PC. Read how it works.

This means that your second Antivirus (Microsoft Security Essentials) should be removed -

 

Minor item: Java 7 Update 15 was updated to Update 17 a couple of days ago -

 

I do not like the look of Zards Startup Defender, as it seems to be a waste of your $10, and does very little -

Web site http://www.zardssoftware.com

 

When you install any program, please read the details of that program, and compare it to any other installed programs -

 

There are no examples of false programs in this that I can find -

 

Please download , save it to your desktop
Close any Firefox browsers you may have open
Double click the icon to launch the program
Make sure the following options are checked:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (Problem only)
  • List Users, Partitions and Memory size.

Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
Please copy and paste the contents in your reply

 

Thank You -
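Added example, not part of the thread or of the tool referred to above: a read-only PowerShell 2.0 script for Windows 7 that takes the same kind of snapshot as the checked options in the post above (hosts file, IE proxy settings, IP configuration, Winsock catalog, every network adapter including the hidden ones, local user accounts, installed programs, last 10 events) and writes it to Result.txt on the Desktop, so a snapshot taken right after a fresh machine joins the network can be compared with one taken an hour later using Compare-Object. The output path and the registry/file locations are assumptions for a standard Windows 7 install; run from an elevated prompt.

```powershell
# Added example (not from the thread): read-only triage snapshot for Windows 7 / PowerShell 2.0.
# Assumption: standard install paths; output goes to Desktop\Result.txt.
$out = Join-Path $env:USERPROFILE 'Desktop\Result.txt'
$report = @()
function Section($title) { $script:report += "", ("==== $title ===="), "" }

Section 'Hosts file (active entries only)'
$report += Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match '\S' }

Section 'IE proxy settings (current user)'
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$report += "ProxyEnable=$($ie.ProxyEnable) ProxyServer=$($ie.ProxyServer) AutoConfigURL=$($ie.AutoConfigURL)"

Section 'IP configuration'
$report += ipconfig /all

Section 'Winsock LSP catalog'
$report += netsh winsock show catalog

Section 'All network adapters, including hidden ones'
# Win32_NetworkAdapter also lists adapters the Control Panel hides (they have no NetConnectionID).
$report += Get-WmiObject Win32_NetworkAdapter |
    ForEach-Object { "{0,-45} {1,-20} Enabled={2}" -f $_.Name, $_.NetConnectionID, $_.NetEnabled }

Section 'Local user accounts'
# Unexpected local accounts were one of the original poster's concerns; SIDs make renames visible.
$report += Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    ForEach-Object { "{0,-25} Disabled={1} SID={2}" -f $_.Name, $_.Disabled, $_.SID }

Section 'Installed programs (64-bit and 32-bit registry views)'
$keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$report += Get-ItemProperty $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object { "{0}  {1}  {2}" -f $_.InstallDate, $_.DisplayName, $_.DisplayVersion } |
    Sort-Object

Section 'Last 10 System and Application events'
$report += Get-EventLog -LogName System -Newest 10 | Format-Table -AutoSize | Out-String
$report += Get-EventLog -LogName Application -Newest 10 | Format-Table -AutoSize | Out-String

$report | Out-File -FilePath $out -Encoding UTF8
Write-Host "Snapshot written to $out"
```

Rename the file after each run and diff the two copies with Compare-Object (Get-Content a.txt) (Get-Content b.txt); any new adapter, account or program that appears between snapshots is the thing to investigate.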



#5 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:26 AM

Posted 10 March 2013 - 01:25 AM

Sorry that I forgot your other listed item, HomeGroupUser$ - It is optional.


Step 1:
Try running the HomeGroup troubleshooter and check if it helps:
Open the HomeGroup troubleshooter

Step 2:

Delete the HomeGroup and then create and join HomeGroup again and check if it helps:
HomeGroup: frequently asked questions
HomeGroup: recommended links


All of this is direct from M/soft -

Thank You -



#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:26 AM

Posted 10 March 2013 - 04:49 PM

Hello again -

There are some items that I am unable to help with in this area of the forum, as some logs are not allowed. 

We can answer most of your "specific questions" in this area if you wish to continue to ask about individual items, but the choice is always yours.

 

Only since you seem very concerned on this situation will I put this idea forward to you -

 

If you do wish to have one of the computers fully inspected I would suggest that you make a fresh topic in the Malware Removal area of the forum so they can look for detailed problems, and assure you that the computer is fully clean of malware or intruders -

 

Please leave a link to the start of this topic, and also explain your fears / problems in your post -

 

Please follow the instructions in ==>This Guide<== starting from step 6.

If you cannot complete a step, skip it and continue.

 

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, and what you have done to resolve them.

If you can produce at least some logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get.

If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

 

Please be patient if you do post there as they are Volunteers and are often busy.

 

If HelpBot replies to your topic, PLEASE follow His Step One so it will report your topic to the team members.

 

Thank You -



#7 Platypus

Platypus

  • Moderator
  • 12,908 posts
  • OFFLINE
  • Gender:Male
  • Location:Australia
  • Local time:09:26 AM

Posted 19 April 2013 - 07:15 PM

Matter has been resolved here:

 

http://www.bleepingcomputer.com/forums/t/489802/iphlpsvc-trying-to-open-ports-to-china/

