HOW TO TAKE CONTROL OF MY COMPUTER?



azureimage
27-06-2009, 09:47 PM
My questions (and I have a lot of them) will probably seem stupid, but I am pretty much a beginner on some computer issues! After some serious security concerns, including having my credit card details stolen, I am trying to ensure that I am doing everything possible to stop future problems, and to try and detect anything that should not be running.
I have a standalone HP computer running XP Media Centre, SP3, up-to-date antivirus, Spybot, and I keep Windows up to date.
My query is to do with the way the administrator system works in my situation: how should it be set up so no one can alter the system remotely (no one else has access to the actual machine)?
I do not seem to have full control, for instance not being able to suspend or kill certain processes, install more security, view all temporary files, etc.
Hope this makes sense, hope you can help.


davidmmac
27-06-2009, 09:58 PM
Welcome to the forum :)

Which anti-virus program do you have?

azureimage
27-06-2009, 10:05 PM
Hi, and thanks... Avast Pro, which never shows any problems; Spybot and the MRT are always clear too.

Sweep
27-06-2009, 10:08 PM
Assuming you connect to the internet, I would get a good firewall as well as disabling remote services.

Speedy Gonzales
27-06-2009, 10:14 PM
The first thing I would do is, if you've got any file sharing programs, get rid of them / uninstall them. Then get Malwarebytes and Trojan Remover below. Update both, then scan. If you've got 64-bit, don't use Trojan Remover; it won't work with 64-bit.

azureimage
27-06-2009, 10:21 PM
Hi, don't use file sharing or P2P, don't click on any strange email attachments or links, am utterly paranoid (and so boring, hehe). I just use the Windows firewall, know it is not the best, but have lost confidence in the more complex ones; also I am on slowwww dialup, so downloads take forever... But want to be supreme controller, I mean only HP Administrator, running everything.

Speedy Gonzales
27-06-2009, 10:26 PM
Where in Auckland are you? You're not in Mt Wellington, are you?

azureimage
27-06-2009, 10:32 PM
Any security programmes I try to download seem to end up corrupted, that includes MBAM and Trojan Remover.

bob_doe_nz
27-06-2009, 10:38 PM
> Where in Auckland are you? You're not in Mt Wellington, are you?

You moved there?

Speedy Gonzales
27-06-2009, 10:39 PM
Could still be infected with something. Disable System Restore. Reboot, then try booting into Safe Mode (press and hold F8 down after you reboot) / Networking. Get HijackThis below. Rename it to something else, run it. Then click on Scan the system and save a log. Copy and paste the log here.

Speedy Gonzales
27-06-2009, 10:39 PM
> You moved there?

No, but I know someone called Azure from there.

azureimage
27-06-2009, 10:45 PM
Thanks for that advice, but still want to go through steps to ensure that I am the only administrator running on my system... I suspect a keylogger, due to the theft of my credit card details, but want to get the admin thing sorted, if possible.

Speedy Gonzales
27-06-2009, 10:47 PM
Well, first you have to remove whatever you've got before you decide to do anything else. And a HijackThis log will tell us if you've still got something nasty on your PC. Trying to fix the admin prob without removing the main prob (a trojan / keylogger) won't accomplish anything.

azureimage
27-06-2009, 10:56 PM
OK, already have HijackThis v2.0.2, is that current? And copy and paste into this forum?

Speedy Gonzales
27-06-2009, 11:00 PM
Correct, that's the latest version. After you click on Scan the system and save a log, copy and paste what's in the log here.

Sweep
27-06-2009, 11:01 PM
2.0.2 is the current download.

azureimage
27-06-2009, 11:30 PM
Hi, log below; also the HJT ADS scan shows some hidden files.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:39 PM, on 27/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.microsoft.com/fwlink/events.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.packingshed.co.nz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://security.kolla.de/
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk.disabled
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3936818-D808-43EB-9356-DFB08847EF22}: NameServer = 192.168.1.1
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

--
End of file - 6912 bytes
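
Added example, not code from anyone in this thread: a small Python triage script for the HijackThis 2.0.2 log format posted above. It parses the R0/R1, O4 (registry Run keys), O17 and O23 entry shapes and flags what a helper scans for first: services with no publisher ("Unknown owner"), autostarts given as a bare filename (found by PATH search at logon) or living under Temp or a user profile, a NameServer outside the private address ranges (a DNS-redirect tell), and IE start/search pages that do not point at microsoft.com. The sample input reuses lines from the log above plus two constructed lines marked as such; the thresholds are heuristics, not verdicts.

```python
"""Triage a HijackThis 2.0.2 log: flag entries that merit a closer look."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import urlparse


class Finding(NamedTuple):
    severity: str   # "high" | "review" | "info"
    section: str    # HJT section tag the line came from
    reason: str
    line: str


# Only registry Run keys (HKLM\..\Run, HKCU\..\RunOnce, ...) are matched;
# Startup-folder lines ("O4 - Global Startup: ...") are skipped.
RUN_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
IE_RE = re.compile(r"^R[01] - .*,(?P<setting>[^,=]+) = (?P<url>.+)$")

# Autostarts living here are rarely legitimate; droppers commonly are.
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\", "\\recycler\\")


def check_run(cmd: str) -> Optional[Tuple[str, str]]:
    """Classify an O4 Run command line; None means nothing notable."""
    low = cmd.lower()
    if "\\" not in cmd:
        # A bare name is located by a PATH search at logon, so a same-named
        # file earlier in the PATH wins. Not proof of anything (Realtek's
        # SOUNDMAN.EXE registers this way), but worth a look.
        return "review", "bare filename resolved via PATH search"
    if "\\temp\\" in low:
        return "high", "autostart runs from a Temp directory"
    for d in PROFILE_DIRS:
        if d in low:
            return "review", f"autostart runs from user-profile location {d}"
    return None


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        if m := RUN_RE.match(line):
            hit = check_run(m.group("cmd"))
            if hit:
                findings.append(Finding(hit[0], "O4", hit[1], line))
        elif m := SVC_RE.match(line):
            if m.group("owner").strip().lower() == "unknown owner":
                findings.append(Finding("review", "O23", "service binary carries no publisher information", line))
        elif m := DNS_RE.match(line):
            for server in m.group("servers").split(","):
                server = server.strip()
                try:
                    ip = ipaddress.ip_address(server)
                except ValueError:
                    findings.append(Finding("review", "O17", f"NameServer '{server}' is not an IP address", line))
                    continue
                if not ip.is_private:
                    # On a home LAN the resolver is normally the router; an
                    # outside address you did not set yourself can be DNS hijacking.
                    findings.append(Finding("high", "O17", f"NameServer {server} is outside the private ranges", line))
        elif m := IE_RE.match(line):
            url = m.group("url").strip()
            host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
            if host != "microsoft.com" and not host.endswith(".microsoft.com"):
                findings.append(Finding("info", "R", f"{m.group('setting').strip()} points at {host or url}", line))
    return findings


def counts(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))


# Sample input: the first eight lines are copied from the log posted above;
# the last two are constructed for this example.
SAMPLE_LOG_LINES = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.packingshed.co.nz",
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{C3936818-D808-43EB-9356-DFB08847EF22}: NameServer = 192.168.1.1",
    r"O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    # constructed: an autostart dropped in Temp and a resolver pointing off the LAN
    r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\sample.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 8.8.8.8",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
```

Run it with a saved hijackthis.log by passing the file's lines to triage(). Entries it stays silent on are not cleared, only unremarkable; the converse also holds, which is why the SoundMan and packingshed.co.nz hits in the sample come out as "review" and "info" rather than as verdicts.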

azureimage
27-06-2009, 11:32 PM
Thanks, will check in tomorrow.

Speedy Gonzales
27-06-2009, 11:37 PM
That doesn't look too bad. Tick these entries, then tick Fix checked.

Close browsers

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - Global Startup: LUMIX Simple Viewer.lnk.disabled

Try getting / running Malwarebytes / Trojan Remover in Safe Mode. See what happens, then update and scan with them.

pctek
28-06-2009, 10:32 AM
Now that the HJT log has been sorted, download Malwarebytes as well as your Spybot.
Run both at least once a week; update them both first.

Stop using IE and use either Firefox or Chrome.

Go into Control Panel, System.

Untick allow Remote.

Take a look at Black Viper's website - the Windows Services.
Be cautious, but mainly you want to disable any remote stuff, Remote Registry etc.
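
Added example, not code from anyone in this thread: a Python script that checks the settings pctek's post tells you to turn off, so you can confirm the state instead of trusting a tick box. It reads the standard XP locations for "Allow users to connect remotely" (fDenyTSConnections), "Allow Remote Assistance invitations" (fAllowToGetHelp) and the Start type of the Remote Registry, Telnet and Messenger services (2 = Automatic, 3 = Manual, 4 = Disabled), prints the reg/sc command that would close each open item without running it, and lists who is in the local Administrators group from `net localgroup Administrators` output. The registry read and the net command only work on Windows; the assessment itself is a pure function, and the sample data at the bottom is constructed, not captured from the poster's machine. As Speedy says above, run this after cleaning, not instead of it: a resident trojan can put any of these back.

```python
"""Audit XP remote-access settings and local Administrators membership."""
import subprocess
import sys
from typing import Dict, List, NamedTuple, Optional, Tuple

RegKey = Tuple[str, str]  # (subkey under HKEY_LOCAL_MACHINE, value name)


class Setting(NamedTuple):
    key: str    # registry subkey under HKLM
    name: str   # value name
    safe: int   # data that means "remote access off"
    what: str


SETTINGS = [
    Setting(r"SYSTEM\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections", 1,
            "Remote Desktop ('Allow users to connect remotely')"),
    Setting(r"SYSTEM\CurrentControlSet\Control\Remote Assistance", "fAllowToGetHelp", 0,
            "Remote Assistance ('Allow Remote Assistance invitations')"),
    Setting(r"SYSTEM\CurrentControlSet\Services\RemoteRegistry", "Start", 4, "Remote Registry service"),
    Setting(r"SYSTEM\CurrentControlSet\Services\TlntSvr", "Start", 4, "Telnet service"),
    Setting(r"SYSTEM\CurrentControlSet\Services\Messenger", "Start", 4, "Messenger service (net send)"),
]


class Result(NamedTuple):
    setting: Setting
    current: Optional[int]
    status: str  # "ok" | "open" | "absent"


def fix_command(s: Setting) -> str:
    """Command that applies the safe value (printed here, never executed)."""
    if s.name == "Start":
        svc = s.key.rsplit("\\", 1)[1]
        return f"sc config {svc} start= disabled"
    return f'reg add "HKLM\\{s.key}" /v {s.name} /t REG_DWORD /d {s.safe} /f'


def assess(values: Dict[RegKey, int]) -> List[Result]:
    """Pure assessment over a {(key, name): data} mapping; "absent" means
    the key or value does not exist (e.g. the service is not installed)."""
    out = []
    for s in SETTINGS:
        cur = values.get((s.key, s.name))
        status = "absent" if cur is None else ("ok" if cur == s.safe else "open")
        out.append(Result(s, cur, status))
    return out


def open_items(values: Dict[RegKey, int]) -> List[Result]:
    return [r for r in assess(values) if r.status == "open"]


def read_registry() -> Dict[RegKey, int]:
    """Windows only: collect current data for every SETTINGS entry."""
    import winreg  # not available on other platforms
    values: Dict[RegKey, int] = {}
    for s in SETTINGS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, s.key) as k:
                values[(s.key, s.name)] = int(winreg.QueryValueEx(k, s.name)[0])
        except OSError:
            pass  # key or value missing: reported as "absent"
    return values


def parse_net_localgroup(output: str) -> List[str]:
    """Members listed by `net localgroup <group>`: the lines between the
    dashed rule and the 'The command completed' footer."""
    members, in_list = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line.strip():
            members.append(line.strip())
    return members


# Constructed sample data for running off-Windows (not from the poster's PC).
EXAMPLE_UNHARDENED = {
    (SETTINGS[0].key, "fDenyTSConnections"): 0,  # Remote Desktop allowed
    (SETTINGS[1].key, "fAllowToGetHelp"): 1,     # Remote Assistance allowed
    (SETTINGS[2].key, "Start"): 2,               # Remote Registry automatic
    # TlntSvr key left out: Telnet service not installed
    (SETTINGS[4].key, "Start"): 4,               # Messenger already disabled
}
EXAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
HP_Administrator
The command completed successfully.
"""

if __name__ == "__main__":
    live = sys.platform == "win32"
    values = read_registry() if live else EXAMPLE_UNHARDENED
    for r in assess(values):
        print(f"{r.status:6} {r.setting.what}: {r.current}")
        if r.status == "open":
            print(f"       fix: {fix_command(r.setting)}")
    group = (subprocess.run(["net", "localgroup", "Administrators"], capture_output=True, text=True).stdout
             if live else EXAMPLE_NET_LOCALGROUP)
    print("Administrators group:", ", ".join(parse_net_localgroup(group)))
```

Anything other than your own account and the built-in Administrator in that last line is the "am I the only administrator" answer the original question was after. The script deliberately only reports; apply the printed commands by hand, from an Administrator command prompt, once you have read what each one does.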

Blam
28-06-2009, 01:26 PM
> Any security programmes I try to download seem to end up corrupted, that includes MBAM and Trojan Remover.

How is it corrupted? This could be a nasty piece of malware remaining, possibly a rootkit.

Download ComboFix and follow the tutorial here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

And disable then re-enable system restore before you run it.

Blam

azureimage
28-06-2009, 03:25 PM
Hi all. Thanks Speedy, fixed those HJT items. Downloaded MBAM again, it won't let me update (error 732), but did the Safe Mode scan anyway, no result.
pctek, I always use Firefox (recently added NoScript add-on) and Thunderbird.
I disabled Remote Registry and Secondary Logon when I had the credit card issue.
I have looked at the services, there are so many, and I am so uninformed on that side of things... will check out Black Viper.
Blam, MBAM refuses to update, Trojan Remover gives me a handy little notice telling me the setup files are corrupted.
I also now get that unverified publisher / do you wish to run notice on anything I try to run, never used to happen.
I ran the HJT ADS Spy scan too, it shows hidden temp files, although I have show all files and folders enabled. I have the log if of any use.

Blam
28-06-2009, 03:31 PM
Have you run ComboFix yet?

azureimage
29-06-2009, 04:46 PM
Aaaaargh!... do I have to? Is that the only option? Can this forum help with log analysis and removal?
And is the Bleeping Computer article on instant detection of Conficker, by being able to view 6 images, for real? Or was it an April 1st attempt at a joke?

Speedy Gonzales
29-06-2009, 04:51 PM
Did you install TR and Malwarebytes, update both, then scan? Then select all options under Utilities in TR?

Blam
29-06-2009, 07:12 PM
> Aaaaargh!... do I have to? Is that the only option? Can this forum help with log analysis and removal?
> And is the Bleeping Computer article on instant detection of Conficker, by being able to view 6 images, for real? Or was it an April 1st attempt at a joke?

It's very real. Not a joke. How many of the images can you see?

azureimage
29-06-2009, 09:04 PM
Only 3

Blam
29-06-2009, 09:22 PM
Which 3?

azureimage
29-06-2009, 09:31 PM
The first 3?... Having a lot of trouble viewing this forum page, will only half open, and then takes aaaages to load, like something doesn't want me to read it (paranoia strikes deep, hehe).

zqwerty
29-06-2009, 09:32 PM
Ahhhhhhh, that explains all the problems; he's got more than one of the variations of Conficker.

Blam
29-06-2009, 09:37 PM
Follow the instructions here:
http://www.eset.com/threat-center/blog/?p=865

Blam

zqwerty
29-06-2009, 09:39 PM
Read this for more info:

http://blogs.technet.com/rhalbheer/archive/2009/01/13/additional-information-on-conficker-msrt-removing-conficker.aspx

azureimage
29-06-2009, 09:45 PM
Rechecked, and can view 5 and a half... only half a penguin!

azureimage
29-06-2009, 11:27 PM
So...not Conficker?

Blam
29-06-2009, 11:33 PM
Hm... probably not.

Try visiting the security sites manually.

zqwerty
29-06-2009, 11:53 PM
Good idea to run the MS Malicious Software Removal Tool anyway; it's updated each month, and sooner depending on threats.