
PSEXEC attack

Q: PSEXEC attack

Hello Team,
Please, I want to ask if it is possible for ATA to detect when an attacker launches remote code execution (psexec) against a server on the network. I know ATA detects such an attack when it is launched against domain controllers, but what if the targeted machine is a member server or workstation? Will ATA still detect it?
Thanks.

BR, David Sunday


Kindly help me with how to run the script below on multiple machines, using both the PSEXEC and the PowerShell method.

<# Script Disclaimer: The sample scripts provided here are not supported under any Microsoft standard support program or service.
All scripts are provided AS IS without warranty of any kind.
ERRORS:
UpdatesDeployment.log: Job error (0x80004005) received for assignment ({bf7a48e6-d220-4070-bb9b-ecc239107584}) action UpdatesDeploymentAgent 12/6/2017 10:32:27 AM 2096 (0x0830)
WUAHandler.log: Unable to read existing WUA Group Policy object. Error = 0x80004005. WUAHandler 12/6/2017 3:41:00 AM 2828 (0x0B0C)
Failed to Add Update Source for WUAgent of type (2) and id ({3AAB6A76-CE2D-4E8A-9F11-741AE69677A2}). Error = 0x80004005. WUAHandler 12/6/2017 11:03:31 AM 2276 (0x08E4)
Author: Twitter @Syswow64blog
Web: systemcenterblog.co.uk #>

# Record which local Group Policy / Windows Update files exist, and which have already been renamed to .OLD
$Registrypol = (Test-Path C:\Windows\System32\GroupPolicy\Machine\Registry.pol)
$RegistrypolOLD = (Test-Path C:\Windows\System32\GroupPolicy\Machine\Registry.pol.OLD)
$commentcmtx = (Test-Path C:\Windows\System32\GroupPolicy\Machine\comment.cmtx)
$commentcmtxOLD = (Test-Path C:\Windows\System32\GroupPolicy\Machine\comment.cmtx.OLD)
$SOFTWAREDISTRIBUTIONOLD = (Test-Path C:\Windows\SOFTWAREDISTRIBUTION.OLD)

# Stop the Windows Update service before renaming its files
Get-Service -Name wuauserv | Stop-Service

if ($Registrypol) {
    Write-Host "Registrypol = true"
    if (!($RegistrypolOLD)) {
        Write-Host "RegistrypolOLD = FALSE"
        Rename-Item -Path "C:\Windows\System32\GroupPolicy\Machine\Registry.pol...


Hi,
I have a question regarding psexec, or an alternative perhaps? Basically, I have a batch file I made that I want to allow a friend from a remote machine to exec. However, I want him ONLY to be able to exec this file, and not mess around anywhere else on the machine. Psexec gives too much privilege and he could open other things, etc. I did come across the program RemoteExec, but after the 15 day trial that won't be of much value to me (not paying $400 for this singular occurrence). Any ideas or help would be GREATLY appreciated!!!

Thanks

A: Psexec related question

Why do you want to give remote access to this file? This kind of sounds like a classroom project you are trying to get help with.

At any rate, what about installing Apache web server and having the file access granted through the webserver?


Hi there,
I am facing difficulty in using psexec; I am simply trying to run an ipconfig command on a remote PC.
Both PCs are Win XP.
psexec \\10.10.xx.xx -u XXX -p XXX ipconfig
but all I am getting is
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich

Could not start PsExec service on 10.10.XX.XX:
Access is denied.      HELP PLEASE

A: Could not start PsExec service

It should be something like this:
psexec \\marklap cmd
ipconfig
After you connect to the remote cmd, you issue "ipconfig".


Hello all, I have a question about setting up Remote Desktop on PCs in our company. For most of the PCs on our network Remote Desktop is disabled by decree of the management. When I do need access to a machine I'll use psexec to enable the service then I'll disable it when I'm done. Some of the PCs are accessed by normal (non-admin) users on the network using Remote Desktop - we're looking for a way to remotely edit the list of users that can access the PCs that way - it'll be one specific user allowed per machine so a group policy doesn't seem to be the right way to go... Basically I'm looking for a way to remotely edit a machine's local secpol, specifically the "Allow logon through terminal services" setting.
I found this MS article http://technet.microsoft.com/en-us/library/bb457125.aspx that mentions the SeNetworkLogonRight but I don't see that in the registry... I must be missing something stupid here - there has to be an easy way to do what I'm trying to do... Does anyone know what that easy way is?
This is the command I use to enable remote desktop - it seems like something similar could be used to edit the userlist? Argh!
psexec \\machine reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

-Oh, it's an Active Directory Domain, all the PCs are WinXP - Thanks!


Hi guys, I know there's probably a lot of these on these forums, but when I type in the command

psexec \\computername cmd it says access is denied

I am running cmd as admin and haven't tried anything else.
I'm not very good with cmd, so would someone please help?

Thank you

A: psexec access is denied

You need to supply username and password.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx


I am in the process of putting a batch file together to detect and force Microsoft updates to a machine or a group of machines using PSEXEC.exe and a VBS script created by Rob Dunn and posted over at the forums at www.wsus.info.

I have listed below the steps needed to complete this task and would like it put together (if possible) in a batch file, UPDATE.VBS is the name of the script that I copy over to the machine and the PSTOOLS dir is the directory that PSEXEC resides in.

If I run these commands one at a time everything runs well, I would just like to know if it is possible to make this a "one step process"?
Ok here are all the cmds I need in order to run the script

1. net use \\TARGETMACHINE\C$ /user:"DOMAIN\DOMAIN USER"

2. copy update.vbs \\TARGETMACHINE\C$\update.vbs

3. exit back into PSTOOLS directory

4. psexec.exe \\TARGETMACHINE -u "DOMAIN\DOMAIN USER" -p PASSWORD -e -i cmd.exe /c cscript.exe //B C:\UPDATE.vbs
I have tested this on multiple machines and everything is running well. Any suggestions on how to set this up in one batch file? Of course I will eventually setup the PSTOOLS dir on a network drive instead of my local machine.

A: Using PSEXEC and VBS script with WSUS

Ok after a few weeks of playing around with the script and lots of help from Karlchen over at http://forum.sysinternals.com/default.asp I got it running, it goes a little something like this:

@echo off
:: Programme: remoteupd.bat
:: Function : copy update.vbs to \\target
::            launch update.vbs on \\target using psexec
::            will read computerlist.txt and launch update.vbs on each
::            of the hostnames\IPs inside the file
:: Status : third draft, arguments given on commandline, uses a listfile
:: Note : we will assume "computerlist.txt" is located in F:\Work Applications\WSUS Force Update, too.
:: Usage : remoteupd.bat adminuser password
::
:: Check that 2 arguments have been given on the commandline
if "%2"=="" (
echo usage: remoteupd.bat adminuser password
echo Try again.
exit /b 1
)
:: Take the credentials from the commandline arguments (re-quoted so a user name
:: with a space still works). The earlier draft hard-coded "ADMIN USER\DOMAIN"
:: and "PASSWORD" here and never used the arguments it checked for above.
set ADMUSER="%~1"
set ADMPASS="%~2"
set LISTFILE=computerlist.txt

:: go to the source folder
f:
cd \Work Applications\WSUS Force Update

:: check that the listfile is there
if not exist %LISTFILE% (
echo Listfile %LISTFILE% not found. Create it and try again.
exit /b 1
)

:: Finally, all checks done, let us do our work in a for loop
for /F %%i in (%LISTFILE%) do (
REM 1. net use; if ADMPASS has got no space character the
REM double quotes may be removed
net use \\%%i\C$ /user:%ADMUSER% %ADMPASS%

REM 2. copy update.vbs
copy update.vbs \\%%i\C$\update...


Hello Fangzhou CHEN,

Per your instructions below. Is the U/P my admin info or the user's? Please advise.

We could use the PsExec tool to conduct the remote control.
1. Download the tool and copy the file to C:\Windows\System32
2. Run cmd as administrator
3. We could run the command psexec \\<computername> -u <username> -p <password> <command> to run the command on the remote computer.


I am trying to determine why IE7 installer fails to work when using PSEXEC to remotely install it?
I have the IE7 installer in c:\temp
This does not work (the switches are valid):

psexec \\new_computer c:\temp\ie7.exe /quiet /update-no /norestart /log:c:\temp

It installs fine with the same switches if I manually run it locally, but I *MUST* remotely install it as I have multiple PCs to manage and don't need to bother the users.
Below is the log it generates yet it's not making any sense.

00:00.000: ====================================================================
00:00.218: Started: 2011/05/21 (Y/M/D) 21:11:52.900 (local)
00:00.468: Time Format in this log: MM:ss.mmm (minutes:seconds.milliseconds)
00:00.609: Command line: c:\ba1df32f992674d86f0534\update\iesetup.exe /quiet /update-no /norestart /log:c:\temp
00:00.890: INFO: Acquired Package Installer Mutex
00:01.125: INFO: Operating System: Windows Workstation: 5.2.3790 (Service Pack 2)
00:01.656: INFO: Checking version for C:\Program Files\Internet Explorer\iexplore.exe: 6.0.3790.1830
00:01.765: INFO: C:\Program Files\Internet Explorer\iexplore.exe version: 6.0.3790.1830
00:01.781: INFO: Checking if iexplore.exe's current version is between 7.0.0.0...
00:01.812: INFO: ...and 7.1.0.0...
00:01.890: INFO: Maximum version on which to run IEAK branding is: 7.1.0.0...
00:01.906: INFO: iexplore.exe version check success. Install can proceed.
00:01.922: INFO: EULA not shown in passive or...

A: Unable to remotely install IE7 using PSEXEC

Hi,

Regarding the issue, I'm just wondering if you can collect the IE7 log (%windir%\ie7.log) for me; then we can try to find the cause.

Please understand, we need more detailed information to troubleshoot the issue. You may upload the file via SkyDrive and post a link here.

Also please refer to:

http://support.microsoft.com/kb/917925

Also if you want to remote install IE7, you may use the .msi file to do it. Please refer to:

http://support.microsoft.com/kb/942812

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e41d8800-d134-4356-a2e7-c01bee790908&displaylang=en


Hi Tech Support,
I got the error below when using psexec on a remote computer (india). user123 is an admin on india. Admin$ and IPC$ can be accessed without error. Please help....
psexec \\india -u india\user123 -p [email protected] -h cmd
Error establishing communication with PsExec service on india:
Access is denied.


Has anyone experienced this or similar recently? We've seen multiple unrelated clients get hit with something that resembles a worm. It appears to use mimikatz to steal passwords for the currently logged on user (Active Directory) and then reaches out to other PCs on the network and uses psexec to run something. I assume it's trying to steal the next computer's username/password and so on. Processes can be seen in Task Manager running under other user accounts that are NOT logged into the PC. The users (which have never otherwise logged into the PC) then have profiles in C:\users. This process leaves the PSEXECSVC Windows service (visible in services.msc) and saves mimikatz.exe and other random KB_______.exe and ms_______.exe files in C:\ProgramData and C:\users\username\appdata\roaming and \appdata\local\temp. It seems to disable the Windows Firewall and Windows Update services, and it breaks Show Hidden Files so it can't be turned on or off.

Users have complained of audio/music playing in the background, and we've found .mp3 files in c:\users\username\appdata\roaming. It's hard to recover from this because cleaning the PCs one by one is great until an infected one is turned back on with network connectivity and hits all the cleaned/rebuilt ones again.

The thing that's most worrying to me is that I can't find much about this online. This appears to be the closest thing: http://blog.cylance.com/operation-cleaver-net-crawler

Any ideas what t...

A: Some type of worm using psexec and mimikatz?

First things first, it would have to be running at domain admin level to execute through psexec, so change the administrator's password pronto.
Also set up a group policy to disallow psexec.exe from running on C:\*
Thirdly make sure no user account has admin rights, especially global admin rights or local admin rights.
If it's connecting to each machine's IPC$ then I'm assuming it has the Domain\Administrator account token/password.

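The first question on this page asks whether a PsExec launch against a member server or workstation can be detected at all, and the worm report above notes the PSEXESVC service that every such launch leaves behind on the target. As an added example, not taken from any of the posts here, the Python below runs that host-side check over constructed Windows event records (System 7045 and Security 4697 service-install events, assumed to be exported as one JSON object per line by a log forwarder) and also flags the fan-out pattern of one service name appearing on many hosts, which is what both an operator sweeping a fleet and the worm described above look like:

```python
"""Added example: flag PsExec-style service installs in Windows event records.

Assumes the event records have already been exported as one JSON object per
line (e.g. by a log forwarder). SAMPLE_EVENTS is constructed data, not a capture.
"""
import json
import re
from collections import defaultdict

# Service name PsExec registers on the target by default.
KNOWN_PSEXEC_SERVICES = {"psexesvc"}
# The service binary PsExec copies to the target's ADMIN$ share.
PSEXEC_BINARY_RE = re.compile(r"psexesvc\.exe", re.IGNORECASE)
# A service binary living in a user-writable location is suspicious whatever it
# is called (the worm report above found droppers in C:\ProgramData and AppData).
SUSPICIOUS_PATH_RE = re.compile(
    r"\\(programdata|users\\[^\\]+\\appdata|temp)\\", re.IGNORECASE)

# Constructed records. JSON escapes backslashes, so a raw string keeps them intact.
SAMPLE_EVENTS = r"""
{"Channel": "System", "EventID": 7045, "Computer": "WS01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"}
{"Channel": "System", "EventID": 7045, "Computer": "WS02", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"}
{"Channel": "System", "EventID": 7045, "Computer": "WS03", "ServiceName": "WinUpdateHelper", "ImagePath": "C:\\ProgramData\\ms_4821.exe", "AccountName": "LocalSystem"}
{"Channel": "Security", "EventID": 4697, "Computer": "WS04", "ServiceName": "PSEXESVC", "ServiceFileName": "C:\\Windows\\PSEXESVC.exe", "SubjectUserName": "admin"}
{"Channel": "System", "EventID": 7045, "Computer": "WS05", "ServiceName": "wuauserv", "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs", "AccountName": "LocalSystem"}
{"Channel": "System", "EventID": 7045, "Computer": "WS06", "ServiceName": "RemCmd", "ImagePath": "C:\\Windows\\PSEXESVC.exe", "AccountName": "LocalSystem"}
{"Channel": "Security", "EventID": 4624, "Computer": "WS01", "LogonType": 3, "TargetUserName": "admin"}
"""


def parse_events(text):
    """Parse one JSON event record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def service_install_fields(event):
    """Return (service_name, image_path) for a service-install event, else None.

    System 7045 and Security 4697 record the same facts under different field names.
    """
    if event.get("Channel") == "System" and event.get("EventID") == 7045:
        return event.get("ServiceName", ""), event.get("ImagePath", "")
    if event.get("Channel") == "Security" and event.get("EventID") == 4697:
        return event.get("ServiceName", ""), event.get("ServiceFileName", "")
    return None


def classify_service_install(service_name, image_path):
    """Return a reason string if the install looks like PsExec-style remote
    execution, or None for an ordinary service registration."""
    if service_name.lower() in KNOWN_PSEXEC_SERVICES:
        return "known PsExec service name"
    if PSEXEC_BINARY_RE.search(image_path):
        return "PsExec binary under a renamed service"
    if SUSPICIOUS_PATH_RE.search(image_path):
        return "service binary in user-writable location"
    return None


def detect_psexec_installs(events):
    """Run the classifier over a batch of events; one finding per flagged install."""
    findings = []
    for event in events:
        fields = service_install_fields(event)
        if fields is None:
            continue  # logons, process starts etc. are not service installs
        name, path = fields
        reason = classify_service_install(name, path)
        if reason:
            findings.append({"host": event.get("Computer"), "service": name,
                             "path": path, "reason": reason})
    return findings


def fan_out(findings, min_hosts=2):
    """Service names that were installed on at least min_hosts distinct hosts.

    A single interactive PsExec session touches one host; a sweep (or a worm)
    registers the same service name across many hosts in a short window.
    """
    hosts = defaultdict(set)
    for finding in findings:
        hosts[finding["service"].lower()].add(finding["host"])
    return {svc: sorted(h) for svc, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    found = detect_psexec_installs(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['host']}: {f['service']} -> {f['path']} ({f['reason']})")
    print("fan-out:", fan_out(found))
```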

I am looking for a PSEXEC command or steps to delete the file C:\windows\abc.exe and delete the service from the registry (HKLM\System\CurrentControlSet\Services\abc) on multiple machines using PSEXEC commands.


I am looking for psexec commands to fulfil the requirements below:
1) copy files into C:\temp on remote machines, including the bat file and source files
2) install using batch files (EXE file using batch file)

Looking for sample psexec commands to install EXE, MSI, WSU, bat, cmd etc.


Ok imma give a full rundown of the situation. Currently on the network we are on because of the way it is setup wake on lan doesn't work, so SCCM has at best a 70 success rate for patching. So I am currently spending a couple days a week remoting into computers and running a batch file to manually update computers. I need a way, that isn't psexec to execute a batch file on a remote computer. If anyone has any ideas they would be greatly appreciated.

Additional Notes
- Batch file is on share drive atm.

A: Run Batch File On Remote Computer Without PsExec

So, you are using RDP and remotely logging into the computer? If that's the case, you should be able to put the batch file on a network share, and then execute it while you are in the RDP session.


Hi,

After migrating from Windows 8 to Windows 10, when using psexec I've started to receive an error message when enumerating the domain. The error is "A system error has occurred: 53". On another machine where Windows 8 is still installed everything works fine.
When I use psexec \\pcname the command is executed without problems, but when I use psexec \\* I get "A system error has occurred: 53".

Sorry for bad English :)

Thanks.


I am looking for psexec commands to install an exe.
Scenario:
I had copied the source folder \\server1\test into the destination (C:\windows\test) via PowerShell.
Now I am looking for the complete psexec command to run the exe on remote machines (the remote machines will be taken from a txt file).
PSEXEC syntax or command to run an exe on multiple machines.


I have created a couple of batch files to easily update Firefox on users' computers. See the scripts below.

This executes a batch file on all computers listed in the firefoxusers.txt file.
psexec @firefoxusers.txt -u AdminUsername -p password c:\installers\firefox.bat

This is the file that is executed from the one above to install the file silently from a shared drive.
pushd \\server\applications\firefox
firefoxsetup.exe -ms
popd

My problem is that when I run this script I have no idea if the software was installed correctly or not. I am looking for a way to just output what was run so I can go through and see if anything failed.

Any help would be appreciated.

Thanks

A: Solved: Output log file from PSExec batch

Not sure if redirection will work or not.
http://www.robvanderwoude.com/redirection.php

You could try this.
psexec @firefoxusers.txt -u AdminUsername -p password c:\installers\firefox.bat 2> errorlog.txt

or inside your batch file. Not sure if this one will work or not.
firefoxsetup.exe -ms 2> \\server\applications\firefox\errorlog.txt


I am looking for sample PowerShell scripts that use the PSEXEC command.


Hi there,
As described in the following link on how to run a disk defragment using Disk Defragmenter via PsExec, http://www.winhelponline.com/blog/how-to-run-disk-defragmenter-on-a-remote-computer/, would you say that all parameters mentioned by the author in the blog are applicable? If not, could you please specify which parameters aren't needed in order for me to achieve this task efficiently? I've been trying to understand all the parameters for PsExec, and from what I can understand I don't think parameters -s and -f are applicable as mentioned in http://technet.microsoft.com/en-gb/sysinternals/bb897553.aspx. The reason I say this is that when you specify parameter -s (using the system account) in the command and log on as a user of that remote computer (I've been using Remote Desktop to achieve this, as well as Command Prompt), the prompt comes up with "Disk Defragmenter exited with error code 0" straight away when logging on and logging off as that user on the remote computer. The same also applies when logging off as that user on the remote computer when running the command while logged on as that user, whereas if you don't specify parameter -s the message is delayed for longer, which is what I would expect. I'm assuming error code 0 means that the task has completed successfully, as mentioned in the following link http://aumha.org/a/defragerr.htm. Another reason why I don't think parameter -f is needed is that the program (Disk Def...

A: Clarification of running Disk Defragmenter remotely using PsExec

Case closed, managed to solve issue.


Hello. I have a Windows XP Pro SP3 with several problems:
* I cannot access http://es.mcafee.com from Firefox or Internet Explorer.
* I cannot update the McAfee antivirus. In addition, its icon used to appear near the clock on the task bar and now it does not appear.
* When searching for something in Google in Firefox, some links open windows with porn and mobiles. In Internet Explorer it works fine.
* Firefox crashes when you browse with it (version 3.0.8).
* Emulate also crashes when executed.
* Spybot Search and Destroy does not find anything.
* McAfee has not found anything (one week ago it had the double-tilde virus, which it could erase).
* SuperAntiSpyware does not find anything.
* Malwarebytes' Anti-Malware does not find anything either.
* WebRoot finds a HackTool App/Psexec-Gen and Bullet Proof Software Spyware, but since I do not have a subscription it cannot eliminate them.
I can't open McAfee's page from safe mode with networking either.
The HijackThis log is this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:35, on 02/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Archivos de programa\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS...

A: HackTool App/Psexec-Gen and Bullet Proof Software Spyware

I see you have quadruple posted:
http://forum.securitycadets.com/index.php?showtopic=10287
http://www.security-forums.com/viewtopic.p...48934e99b8d813f
http://www.bleepingcomputer.com/forums/lof...hp/t216359.html
http://forums.techguy.org/malware-removal-...mcafee-web.html
All Malware Removal/HijackThis forums greatly frown on anyone that double, triple or quadruple posts, as it creates backlogs and wastes our time! Since you are receiving help from Katana at Security Cadets I am closing this thread.


I am looking for a PSEXEC command to install msu files on multiple machines or a list of computers. Looking for steps to copy the msu file locally and install it via PSEXEC.


Hi,
I am trying to execute a psexec command on a remote machine.
My command is
psexec -u domain\user -p password \\machineName -c abc.bat
I am trying from a Windows 7 (64 bit) machine. The remote machines are XP and Windows 7 (32 and 64 bit).
On XP machines it is working, and also on some Windows 7 machines. But on some Windows 7 machines it gives the message:
"Could not start PsExec service on target machine.
Access is denied."

If I try to execute the psexec command from XP machines, it works on all machines.
Suddenly, I do not know what happened, but on one of the Windows 7 machines (where psexec was not starting), psexec started, but not on the other machines.
Now I am very confused about exactly what happened and what the issue is.
Please help. It is urgent.
Thanks.

A: Could not start PsExec service on target machine. Access is denied.

Hi,

When opening the Command Prompt, please right click it and run as Administrator. Meanwhile, make sure the user has administrator privileges on the target PC. If the issue persists, try to disable UAC on both sides.

As far as I know the Security Level on Windows 7 is higher than the level on Windows XP. Therefore, 'psexec' works to all machines.

Best Regards,

Niki


I recently scanned my computer with Malwarebytes Anti-Malware, Spybot Search & Destroy, and Avira AntiVir Personal. MBAM and SB S&D came up with nothing but Avira did. This is the 2nd time this month that Avira detected "appl/psexec.e" found in "C:\System Volume Information". There are 3 different instances in the Quarantine. Please look through my HJT log to help stop this recurrence.
Also, users on this computer use Firefox Portable from portableapps.com, run from 2 different USB drives. Both are equipped with the add-ons NoScript, AdBlock Plus, and Web of Trust (WOT) to better protect us from viruses etc.
Thank you for your time.
- - - - -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17:23 AM, on 5/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:...

A: Avira detects appl/psexec.e reoccurred 2nd time this month

Hi PixelPlay,
Sorry for the delay; the forums here at BC are always very busy and we do our best to keep up. Since your log is quite old and a lot could have changed, I would like to see a new log please. If you no longer require any help could you let me know please, so this topic can be closed.
Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Thanks


Hi,
We are unable to take a backup of the "Favorites" and "Desktop" folders in a user profile when scanstate is run remotely using the "Psexec \\computername -s scanstate.exe /ue:*\* /ui:domain\user /i:miguser.xml /config:config.xml /c" command.
These folders are redirected to a shared folder on a server, and when we try to see the folders by using the UNC path (\\computername\c$\users\username) on the user's machine they don't appear under the user profile. Even though "Documents" is redirected, we are able to take a backup of the "Documents" folder.
However, when scanstate is run locally on the system, all folders are backed up to the usmt.mig file. We are using "miguser.xml" and "Config.xml" for scanstate, since we need a backup of "Documents", "Desktop" and "Favorites" only. After searching the internet, we suspect that this behavior has something to do with "Shell Folders" and "User Shell Folders" in the registry under "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", where the paths of all user-profile-related folders are stored. We don't find the "Documents" folder there; maybe that's the reason why we are able to take a backup of only "My Documents" and not the rest of the folders (Favorites, Desktop).
When scanstate is run locally, the backup of "Favorites", "Desktop" and "Documents" is...


Hello,

On my web site - http://incinerama.com/ , if you select specific pages like http://incinerama.com/1953_march.htm , you get the error message:

"Norton blocked an attack by: Web Attack: Cookie Bomb Injection Website"

I ran Malwarebytes, HijackThis, etc. on the computer that uploaded pages to the web site and found no problems.

Any ideas on what is causing this and how I can remove this?

Thanks!

Roland


Dear friend, I am fed up with the problem of popup security warnings, the automatic adding of sites to favourites and the opening of webpages while browsing the internet. Also after some time it changes my desktop to a red signal showing "your privacy in danger". Also three site shortcuts are automatically added to my desktop. I followed your step by step instructions of running Ad-Aware, then Spybot and then Stinger. The problem is also that when I clean with the SmitfraudFix tool it gets cleared, but after using the computer for some time it comes back, and even if I am not using the internet it comes back. Also when I am using the computer sometimes a command prompt opens automatically, something happens there and it closes automatically. The same things happened three or four times and then all those things came back to my screen. Below is the log of the HijackThis file. Please help me to solve the problem.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:28 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files...

A: Antispylab Problem - Popup Warning For Virus Attack And Spyware Attack

Hello dipaknpatel,
NOTE: If you have downloaded SmitfraudFix previously, please delete that version and download it again!
Please download SmitfraudFix.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Please reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
- Instead of Windows loading as normal, a menu with options should appear.
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infectio...


OS - Windows XP Service Pack 3 with all updates. Antivirus - Norton 360 with all updates
Windows firewall disabled (because Norton says it's better)
Remote computer IP address is 192.168.1.4
Norton says it blocks the attack, but it keeps happening. Am I infected?

A:Norton blocked an attack by : OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250

Hello, and welcome to BleepingComputer.com. Before we can assist you with your question of "Am I infected?" you will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Full Scan"... Read more


I'm being DDoS attacked. My ping has been spiking from 50 to 250+. I've tried changing my IP multiple times and I still was attacked (Note: I own 3 computers and 1 tablet). I've tried disabling startup processes, AV scans, and basic rootkit scans and found nothing. However, after I uninstalled Akamai Net Session Downloader, FlashGet, and Tornado Force 2 (a Chinese version of the game "Soldier Front 2"), it seems as though the attacks stopped. I'm not sure if they will come back or if something is infected, but I'd appreciate some help to make sure everything is fine and not infected. EDIT: I'm still seeing these attacks pop up in the logs.

This is what my NETGEAR Router was showing in the logs:

[admin login] from source 192.168.0.3, Friday, June 14,2013 18:25:12
[DoS attack: ACK Scan] from source: 208.47.185.65:80, Friday, June 14,2013 18:24:12
[DoS attack: ACK Scan] from source: 69.168.106.22:80, Friday, June 14,2013 18:22:58
[DoS attack: RST Scan] from source: 50.17.180.125:80, Friday, June 14,2013 18:11:49
[DoS attack: ACK Scan] from source: 208.47.185.65:80, Friday, June 14,2013 18:09:37
[DoS attack: ACK Scan] from source: 208.47.185.65:80, Friday, June 14,2013 18:09:11
[DoS attack: ACK Scan] from source: 69.168.106.22:80, Friday, June 14,2013 18:08:00
[DHCP IP: (192.168.0.4)] to MAC address 00:26:2D:3A:44:7D, Friday, June 14,2013 18:01:50
[DoS attack: ACK Scan] from source:... Read more

A:DDoS Attack, Changed IPs Still Under Attack

Do you own a Domain Name/Website?


One of my employees is the victim of some kind of cybercrime.  For the last two weeks, she has dealt with thieves calling her credit union, posing as her, and requesting wire transfers.  She has changed account numbers there twice, and still they find out her account numbers THE SAME DAY and attempt to steal from her.
So she changed banks completely, and immediately after the first time she used her new debit card, several fraudulent charges showed up on her account from use of her card number.
This may or may not be related:  Just before all this started, we were staffing a table at an outdoor festival, and both she and her boyfriend noticed a message on their Android phones that seemed to indicate that their phones had been bluesnarfed.  My employee thinks she remembers seeing something being installed.  She has since hard reset the phone (I think yesterday).
The FBI is not helping because she hasn't actually lost any $$ so far because of the vigilance of the banks, but it seems like it's only a matter of time before they clean her out unless she can defeat whatever access they have.
 
Any ideas?  Thanks!

A:Employee under attack, but what kind of attack and what to do?

Has she contacted local police? At least to the point of making a report of the activity you have documented thus far. It can show a pattern of behavior in the unfortunate event she does lose access to her funds or loses them completely.


I frequently visit a website called comicbookresources.com for news on the comic book industry and related topics. I have a Norton SafeWeb toolbar installed in my browser on Internet Explorer 8. Yesterday, the SafeWeb icon displayed a caution icon. When I clicked it, it said that the website had a report on a virus threat. The report can be referenced as follows:
 
http://safeweb.norton.com/report/show?url=http:%2F%2Fwww.comicbookresources.com%2Fnews&product=N360&version=20.4.0.40&layout=OEM&lang=0901&source=toolbar
 
So, out of a sense of caution, I ran scans with Norton 360 (quick and full).  It found and removed tracking cookies.  I ran a scan with Norton Power Eraser and it fixed something with the registry.  Also, I ran scans with TDSS Killer and Malwarebytes Anti-Malware.  Nothing turned up there.  I also ran TFC to clear out the temp files.
 
So far, my PC has been functioning normally.  Is there anything else I should do just in case there is something else hiding on my PC that I don't know anything about?
 
((If you want, I can also forward the logs from Norton 360 and NPE.  I just need to know how I can access and post those logs for review)).
 
Thanks for your time.
 
 

A:Possible attack with Web Attack: Red Exploit Kit Website

I'm not surprised.
Two days ago my web site was marked by Norton with "Caution".
Here is a funny (or tragic) part.
It was marked with "Caution" because of a few links leading to..... BleepingComputer, specifically to a couple of registry fixes posted by.... BC owner, Mr. Grinler.
 
On top of it, it happened for the second time this year for the very same links.
 
To make things even more pathetic, the re-evaluation link at the Norton site didn't work so I had to email them.
They fixed it the next day, but do you want to trust them?
I won't.


I uninstalled Trend Micro this morning and installed the free Avira Antivirus. It detected "psexec.cfexe" which has something to do with the "APPL/PsExec.E application". I have included a copy of the scan results as well as a HJT log.

Avira AntiVir Personal
Report file date: Sunday, 9 August 2009 11:26

Scanning for 1618860 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : SYSTEM
Computer name : A-PC


A:Avira detected "psexec.cfexe"?


Hello.
I'd like to run a program like "explorer.exe" via "PsExec", but when I ran "psexec.exe \\remote IP explorer.exe" nothing happened. Why?

Thank you.


I have a Netgear hardware firewall guarding my LAN. However, I keep getting alerts of 'sub seven attack dropped' and a source (which I presume is the IP of the attacker). This IP address changes - I have tried resolving it using Sam Spade and sending notifications to the abuse desks, but it keeps happening... Is it serious, and is there something else I should be doing to protect my network?
 

A:Sub Seven Attack!

While I'm not familiar with that firewall, such notifications are a regular part of firewall use. You will probably get them every day -- it is just the nature of the beast. Hacking programs which scan for vulnerabilities are widely available and ranges of IP addresses are constantly being scanned by them. When yours falls within their range you get notified of such a "probe" by your firewall.

The bottom line is, they can knock, but they can't get in. The notifications have educational value only, for the most part. Trying to get a response from their host ISPs is usually futile, due to the large number of reports they probably receive, but not always.
 


I just submitted a form to this company after clicking send I got the following message:

XSS Attact Recorded With Ip : **.***.***.**. This is your 1. XSS attact. Your information is recorded.

Anything I should be worrying about?
 

A:xss attack help

Closing duplicate.

Please do not start more than one thread for the same issue.
 


Hi, I ran the scans and here are my results.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Brian at 2:33:17.71 on Wed 03/04/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.1045 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\lxbkcoms.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\P... Read more

A:May Day, May Day, I'm Under Attack

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

It appears that you have two antivirus programs installed, McAfee and AVG. Even though AVG is not running, they can still conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Programs and Features in your Control Panel.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
I... Read more


Hi guys, not too sure what to do, so I'll post a copy of the log of my HijackThis thing here. It's complete and unedited.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:50 AM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program ... Read more

A:Under Attack!

Hello Rocker_Centauri,

Welcome to Bleeping Computer

You posted perfectly, thanks. I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! After ComboFix has completed you can reenable them all, then come back online to post the reports. Thanks!

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:46: VIRUS ALERT!, on 27/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:&... Read more

A:Under Attack

Hello donna lisney,

Welcome to Bleeping Computer

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea


I have been under steady DoS attack for about 3 months. I've tried running every program I can think of, I've done ipconfig /release etc., and I've left my modem unplugged long enough to get a new public address. Everything I have tried fails. Not sure if I'm super infected or what.


My friend is being attacked, or somebody is trying to hack her PC. The antivirus program says something like this: "Attack..DCOM EXPLOIT 63.232.115.76.135/TCP". The numbers on different attacks vary (63.235.121.165.135).
She is suspicious of an online friend. Just to make sure if this is the guy, can somebody tell us where these attacks are coming from? We mean which country.
 

A:attack!!!!

As long as you have a good anti-virus and a good firewall and/or router then you're OK? Why not tell your friend to ditch talking to this person!

This is not a valid IP address as there are only four groups of numbers!

63.235.121.165.135

You can go to

http://www.grc.com/default.htm
and download ID Serve. When you get the person's IP address, copy and paste it into the top part of ID Serve and hit "query the server". Sometimes you get nothing if they are using a proxy or an anonymiser!

The IP address might be harmless like your ISP or a RIPE server pinging you!
 


Getting pop-ups for every website I visit. I am using Firefox and pop-ups still get through even with the pop-up blocker on.



DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Owner at 21:08:00.32 on Tue 08/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1339 [GMT -5:00]

AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
c:\Program F... Read more

A:Pop-Up attack

Hello and welcome to TSF.

Kindly follow my instructions in the order they are presented, and please refrain from any self-fixing or running of scanners unless requested by me or another helper at this forum.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

How to disable your security applications

Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following mes... Read more


Greetings fellow Techies!

In IE, Manage Add-Ons - jkkjh.dll. I have it disabled but whenever I restart it enables itself again and it also adjusts my cookie settings to accept all! The file is located at C:\Windows\System32\jkkjh.dll. Windows will not let me delete it; it says that it is in use, blah, blah, blah. Ran Norton, Norton's Vundo, HiJackThis. HJT deletes it but it comes right on back! Also tried all of this in safe mode as well. Has anybody out there had any luck in deleting this sucker? I'm usually pretty good at getting rid of the nasties but this one is driving me crazy!!!!!!!!!!!!

Here is my HJT log, thanks in advance and God bless.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:18 AM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared ... Read more

A:My Pc Is Under Attack!

Hello Decorte,

Welcome to Bleeping Computer

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea


My PC started running slowly and Outlook would not send, so I ran Spybot and cleaned about 400 identified threats. Outlook still won't send, so I am posting a HijackThis log and also a DDS log; hopefully someone can solve the problem.

HJT:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:22:45, on 03/12/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Windows\vsnp2uvc.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
F:\Kaspersky\avp.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\TelevisionFanatic\bar\1.bin\64brmon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Expat Shield\bin\openvpntray.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet E... Read more


My son is running Windows 7 on an HP notebook, and it appears that the virus scan that came with the machine has since expired. I would like to go and install Microsoft Security Essentials or an AVG product for free, but the computer won't let me do anything on start-up. I keep getting pop ups that there is malware, spyware intrusion - specifically, I get a pop up that is a Win 7 Antispyware 2012 Firewall Alert with the options:

-Yes, activate Win 7 Antispyware (which takes me to a purchase option)
-No, Continue unprotected (Dangerous)

If I click No, it still does not let me browse at all. I have tried Safe Mode but from there cannot download Security Essentials.
I am at a loss as the machine is now inoperable until I can get past this.

Any tips to get back on track are greatly appreciated.

Thanks a million. (PS - I am accessing the Forum through another machine.)
 

A:Under attack!

Can anyone please help me get this laptop back in order? I am unable to do anything on it until I can remove the malware. Thanks so much in advance.
 


I have a computer that has fallen to several viruses/malware. I have found the following: qncguscw.dll and iiffded.dll. Norton caught the rest and removed them. Please help me remove the remaining infections. This is my first time using this type of help, please be patient with me.
 

A:under attack

here is my hijack this log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:33 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray... Read more


Help! Appear to be under attack

I think I'm under attack...

Out of the blue up pops a dialogue box with the following..........

Spy Bot has detected an important registry entry that has been changed

Category: Browser Helper Object
Change: Value Added
{9BE56BA3-E4B2-4811-A4604-6AD95A2914DC}

I will say "deny" and "remember my decision"... BUT then another set of boxes comes up titled "resident" and these boxes constantly appear on my screen and say "registry change denied -- user decision..." They constantly come up and take space on the right side of the screen... about 6 boxes... as if they are attacking and Spy Bot is preventing them from entering into the registry.

I've also gotten one (similar... Spy Bot has detected an important registry entry that has been changed),
which was...
Change 70X18561
Data: c:\windows\system32\cgtaghsa.dll",b

Potentially others as well, though they disappear before I can write them down.

Also, when i try to exit I get things like....

rundll32.exe dll initialization failed
Also, when I open a browser, one of the windows opens to Fling.com...I've not directed it to this....
Here is the Hijack log below.

Thanks for your help!!!!!!!!!!!!!!!!!!

Dave
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:57 AM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\sms... Read more
