Over 1 million tech questions and answers.

PSEXEC attack

Q: PSEXEC attack

Hello Team,
Please I want to ask if it is possible for ATA to detect when an attacker launch remote code execution (psexec) against a server on the network. I know ATA detects when such attack is launched against domain controllers, but what if the targeted machine
is a member server or workstation, will ATA still detect it?
Thanks.

BR, David Sunday

Read other answers
RELEVANCY SCORE 200
Preferred Solution: PSEXEC attack

I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level of success.

I've used it in the past to identify and fix everything from blue screens (BSOD's), ActiveX errors, corrupt files and processes, dll/exe/sys errors, recover lost memory, Windows update problems, defragging, malware removal etc.

You can download it direct from this link http://downloadreimage.com/download.php. (This link will automatically start a download of Reimage that you can save to your computer.)

RELEVANCY SCORE 44.4

Hi there,
I am facing difficulty in using pcexec , i am simply trying to use an ipconfig command and remote pc.
both PCs are win Xps
psexec \\10.10.xx.xx -u XXX -p XXX ipconfig
but all am getting is
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich

Could not start PsExec service on 10.10.XX.XX:
Access is denied.      HELP PLEASE

A:Could not start PsExec service

it should be something like this
psexec \\marklap cmd
ipconfig
after you connect to the remote cmd then you issue "ipconfig"

Read other 10 answers
RELEVANCY SCORE 44.4

am in the process of putting a batch file together to detect and force microsoft updates to a machine or a group of machines using PSEXEC.exe and a VBS script created by Rob Dunn and posted over at the forums at www.wsus.info.

I have listed below the steps needed to complete this task and would like it put together (if possible) in a batch file, UPDATE.VBS is the name of the script that I copy over to the machine and the PSTOOLS dir is the directory that PSEXEC resides in.

If I run these commands one at a time everything runs well, I would just like to know if it is possible to make this a "one step process"?
Ok here are all the cmds I need in order to run the script

1. net use \\TARGETMACHINE\C$ /user:"DOMAIN\DOMAIN USER"

2. copy update.vbs \\TARGETMACHINE\C$\update.vbs

3. exit back into PSTOOLS directory

3. psexec.exe \\TARGETMACHINE -u "DOMAIN\DOMAIN USER" -p PASSWORD -e -i cmd.exe /c cscript.exe //B C:\UPDATE.vbs
I have tested this on multiple machines and everything is running well. Any suggestions on how to set this up in one batch file? Of course I will eventually setup the PSTOOLS dir on a network drive instead of my local machine.
 

A:Using PSEXEC and VBS script with WSUS

Ok after a few weeks of playing around with the script and lots of help from Karlchen over at http://forum.sysinternals.com/default.asp I got it running, it goes a little something like this:

@echo off
:: Programme: remoteupd.bat
:: Function : copy update.vbs to \\target
:: launch update.vbs on \\target using psexec
:: &nbs p; will read computerlist.txt and launch update.vbs on each
:: &nbs p; of the hostnames\IPs inside the file
:: Status : third draft, arguments given on commandline, uses a listfile
:: Note : we will assume "computerlist.txt" is located in F:\Work Applications\WSUS Force Update, too.
:: Usage : remoteupd.bat adminuser password
::
:: Check that 2 arguments have been given on the commandline
if "%2"=="" (
echo usage: remoteupd.bat adminuser password
echo Try again.
exit /b 1
)
set ADMUSER="ADMIN USER\DOMAIN"
set ADMPASS="PASSWORD"
set LISTFILE=computerlist.txt

:: go to the source folder
f:
cd \Work Applications\WSUS Force Update

:: check that the listfile is there
if not exist %LISTFILE% (
echo Listfile %LISTFILE% not found. Create it and try again.
exit /b 1
)

:: Finally, all checks done, let us do our work in a for loop
for /F %%i in (%LISTFILE%) do (
REM 1. net use if ADMPASS has got no space character the
REM double quotes may be removed
net use \\%%i\C$ /user:"ADMIN USER\DOMAIN" "PASSWORD"

REM 2. copy update.vbs
copy update.vbs \\%%i\C$\update... Read more

Read other 1 answers
RELEVANCY SCORE 44.4

Hi Guys I know there's probably a lot of these on these forums but when i type in the command

psexec \\computername cmd it says access is denied

I am running cmd as admin and havn't tried anything else,
i'm not very good with cmd so would someone please help?

Thank you

A:psexec access is denied

You need to supply username and password.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Read other 9 answers
RELEVANCY SCORE 44.4

Hello Fangzhou CHEN,

Per your instructions below.  Is the U/P my admin info or the users?  Please advise.

We could use the PsExec tool to conduct the remote control.
1. Download the tool and copy to file to C:\Windows\System32

2. Run cmd as administrator
3. We could run the command psexec  \\ <computername >
-u <username> -p <password> <command>to run command in remote computer.

Read other answers
RELEVANCY SCORE 44.4

Hi,
I have a question regarding psexec or an alternative perhaps? Basically, I have a batch file I made, that I want to allow a friend from a remote machine to exec. However, I want him ONLY to be able to exec this file, and not mess around anywhere else on the machine. Psexec gives too much privilege and he could open other things, etc. I did come across the program RemoteExec, but after the 15 day trial that won't be of much value to me(not paying 400$ for this singular occurrence). Any ideas or help would be GREATLY appreciated!!!

Thanks
 

A:Psexec related question

Why do you want to give remote access to this file? This kind of sounds like a classroom project you are trying to get help with.

At any rate, what about installing Apache web server and having the file access granted through the webserver?
 

Read other 1 answers
RELEVANCY SCORE 44.4

I am in the process of putting a batch file together to detect and force microsoft updates to a machine or a group of machines using PSEXEC.exe and a VBS script created by Rob Dunn and posted over at the forums at www.wsus.info.

I have listed below the steps needed to complete this task and would like it put together (if possible) in a batch file, UPDATE.VBS is the name of the script that I copy over to the machine and the PSTOOLS dir is the directory that PSEXEC resides in.

If I run these commands one at a time everything runs well, I would just like to know if it is possible to make this a "one step process"?


Ok here are all the cmds I need in order to run the script

1. net use \\TARGETMACHINE\C$ /user:"DOMAIN\DOMAIN USER"

2. copy update.vbs \\TARGETMACHINE\C$\update.vbs

3. exit back into PSTOOLS directory

3. psexec.exe \\TARGETMACHINE -u "DOMAIN\DOMAIN USER" -p PASSWORD -e -i cmd.exe /c cscript.exe //B C:\UPDATE.vbs


I have tested this on multiple machines and everything is running well. Any suggestions on how to set this up in one batch file? Of course I will eventually setup the PSTOOLS dir on a network drive instead of my local machine.

A:Using PSEXEC and VBS script with WSUS

Ok after a few weeks of playing around with the script and lots of help from Karlchen over at http://forum.sysinternals.com/default.asp I got it running, it goes a little something like this:

@echo off
:: Programme: remoteupd.bat
:: Function : copy update.vbs to \\target
:: launch update.vbs on \\target using psexec
:: &nbs p; will read computerlist.txt and launch update.vbs on each
:: &nbs p; of the hostnames\IPs inside the file
:: Status : third draft, arguments given on commandline, uses a listfile
:: Note : we will assume "computerlist.txt" is located in F:\Work Applications\WSUS Force Update, too.
:: Usage : remoteupd.bat adminuser password
::
:: Check that 2 arguments have been given on the commandline
if "%2"=="" (
echo usage: remoteupd.bat adminuser password
echo Try again.
exit /b 1
)
set ADMUSER="ADMIN USER\DOMAIN"
set ADMPASS="PASSWORD"
set LISTFILE=computerlist.txt

:: go to the source folder
f:
cd \Work Applications\WSUS Force Update

:: check that the listfile is there
if not exist %LISTFILE% (
echo Listfile %LISTFILE% not found. Create it and try again.
exit /b 1
)

:: Finally, all checks done, let us do our work in a for loop
for /F %%i in (%LISTFILE%) do (
REM 1. net use if ADMPASS has got no space character the
REM double quotes may be removed
net use \\%%i\C$ /user:"ADMIN USER\DOMAIN" "PASSWORD"

REM 2. copy updat... Read more

Read other 1 answers
RELEVANCY SCORE 44.4

Hello all, I have a question about setting up Remote Desktop on PCs in our company. For most of the PCs on our network Remote Desktop is disabled by decree of the management. When I do need access to a machine I'll use psexec to enable the service then I'll disable it when I'm done. Some of the PCs are accessed by normal (non-admin) users on the network using Remote Desktop - we're looking for a way to remotely edit the list of users that can access the PCs that way - it'll be one specific user allowed per machine so a group policy doesn't seem to be the right way to go... Basically I'm looking for a way to remotely edit a machine's local secpol, specifically the "Allow logon through terminal services" setting.
I found this MS article http://technet.microsoft.com/en-us/library/bb457125.aspx that mentions the SeNetworkLogonRight but I don't see that in the registry... I must be missing something stupid here - there has to be an easy way to do what I'm trying to do... Does anyone know what that easy way is?
This is the command I use to enable remote desktop - it seems like something similar could be used to edit the userlist? Argh!
psexec \\machine reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

-Oh, it's an Active Directory Domain, all the PCs are WinXP - Thanks!
 

Read other answers
RELEVANCY SCORE 43.6

Hi Tech Support,
I got below error when using psexec on remote computer (india). user123 is admin at india. Admin$ and IPC$ can access without error. Please help....
psexec \\india -u india\user123 -p [email protected] -h cmd
Error establishing communication with PsExec service on india:
Access is denied.

Read other answers
RELEVANCY SCORE 43.6

Has anyone experienced this or similar recently? We've seen multiple unrelated clients get hit with something that resembles a worm. It appears to use mimikatz to steal passwords for the currently logged on user (Active Directory) and then reaches out to other PCs on the network and uses psexec to run something. I assume it's trying to steal the next computer's username/password and so on. Processes can be seen in Task Manager running under other user accounts that are NOT logged into the PC. The users (which have never otherwise logged into the PC) then have profiles in C:\users. This process leaves the PSEXECSVC Windows service (visible in services.msc) and saves mimikatz.exe and other random KB_______.exe and ms_______.exe files in C:\ProgramData and C:\users\username\appdata\roaming and \appdata\local\temp. It seems to disable the Windows Firewall and Windows Update services, and it breaks Show Hidden Files so it can't be turned on or off.
 
Users have complained of audio/music playing in the background, and we've found .mp3 files in c:\users\username\appdata\roaming. It's hard to recover from this because cleaning the PCs one by one is great until an infected one is turned back on with network connectivity and hits all the cleaned/rebuilt ones again.
 
The thing that's most worrying to me is that I can't find much about this online. This appears to be the closest thing: http://blog.cylance.com/operation-cleaver-net-crawler
 
Any ideas what t... Read more

A:Some type of worm using psexec and mimikatz?

First thing first, it would have to eb running at domain adminlevel to execute through psexec, so change the administrators password pronto.
Also setup a group policy to disallow psexec.exce from running on C:\*
Thirdly make sure no user account has admin rights, ecspecially global admin rights or local admin rights.
If its conencting to each amchine IPC$ then im assuming it has the Domain\Administrator account token/password.

Read other 7 answers
RELEVANCY SCORE 43.6

I am looking psexec commands to fulfil below requirements
1) copy file into C:\temp on remote machines including bat file and source files
2) Install using batch files (EXE file using batch file)

looking sample psexec commands to install EXE, MSI, WSU, bat, cmd etc

Read other answers
RELEVANCY SCORE 43.6

I am trying to determine why IE7 installer fails to work when using PSEXEC to remotely install it?
I have the IE7 installer in c:\temp
This does not work (The switches are valid)
 
psexec \\new_computer c:\temp\ie7.exe /quiet /update-no /norestart /log:c:\temp
 
 
 
It installs fine with the same switches if I manually run it locally but I *MUST* remotely install it as I have multiple PCs to manage and don't need to bother the users 
Below is the log it generates yet it's not making any sense.

00:00.000: ====================================================================
00:00.218: Started: 2011/05/21 (Y/M/D) 21:11:52.900 (local)
00:00.468: Time Format in this log: MM:ss.mmm (minutes:seconds.milliseconds)
00:00.609: Command line: c:\ba1df32f992674d86f0534\update\iesetup.exe /quiet /update-no /norestart /log:c:\temp
00:00.890: INFO: Acquired Package Installer Mutex
00:01.125: INFO: Operating System: Windows Workstation: 5.2.3790 (Service Pack 2)
00:01.656: INFO: Checking version for C:\Program Files\Internet Explorer\iexplore.exe: 6.0.3790.1830
00:01.765: INFO: C:\Program Files\Internet Explorer\iexplore.exe version: 6.0.3790.1830
00:01.781: INFO: Checking if iexplore.exe's current version is between 7.0.0.0...
00:01.812: INFO: ...and 7.1.0.0...
00:01.890: INFO: Maximum version on which to run IEAK branding is: 7.1.0.0...
00:01.906: INFO: iexplore.exe version check success. Install can proceed.
00:01.922: INFO: EULA not shown in passive or... Read more

A:Unable to remotely install IE7 using PSEXEC

Hi,

 

Regarding the issue, I’m just wondering that if you can collect the IE7 log (%windir%\ie7.log)for me, then we can try to find the cause.


 

Please understand, we need more detail information to troubleshooting the issue.You may upload the file via SkyDrive and post a link here.

 

Also please refer:

 

http://support.microsoft.com/kb/917925

 

Also if you want remote install IE7, you may use the .msi file to do. Please refer:

 

http://support.microsoft.com/kb/942812

 

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e41d8800-d134-4356-a2e7-c01bee790908&displaylang=en
Please remember to click ?Mark as Answer? on the post that helps you, and to click ?Unmark as Answer? if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ?

Read other 7 answers
RELEVANCY SCORE 43.2

Hi,

After migrating on Windows 10 from Windows 8 when using psexec I've started to recieve an error message when enumerating domain. Error is "A system error has occurred: 53". On other machine where still Windows 8 is installed everything works fine. 
When I use psexec \\pcname command is executed without problems, but when I use psexec \\* I've get  "A system error has occurred: 53"

Sorry for bad english :)

Thanks.

Read other answers
RELEVANCY SCORE 43.2

I am looking psexec commands to install exe
scenario:
I had copied source folders \\server1\test  into  designation (C:\windows\test) via PowerShell
now I am looking psxec complete command to run exe on remote machines (remote machines will take from txt file)
PSEXEC syntax or command  to run exe on multiple machines 

Read other answers
RELEVANCY SCORE 43.2

Ok imma give a full rundown of the situation. Currently on the network we are on because of the way it is setup wake on lan doesn't work, so SCCM has at best a 70 success rate for patching. So I am currently spending a couple days a week remoting into computers and running a batch file to manually update computers. I need a way, that isn't psexec to execute a batch file on a remote computer. If anyone has any ideas they would be greatly appreciated.

Additional Notes
- Batch file is on share drive atm.

A:Run Batch File On Remote Computer Without PsExec

So, you are using RDP and remotely logging into the computer? If that's the case, you should be able to put the batch file on a network share, and then execute it while you are in the RDP session.

Read other 9 answers
RELEVANCY SCORE 43.2

I have created a couple batch files to easily update firefox on users computers. See the scripts below.

This executes a batch file on all computers listed in the firefoxusers.txt file.
Code:
psexec @firefoxusers.txt -u [I]AdminUsername[/I] -p [I]password[/I] c:\installers\firefox.bat
This is the file that is executed from the one above to install the file silently from a shared drive.
Code:
pushd \\server\applications\firefox

firefoxsetup.exe -ms

popd
My problem is that when I run this script I have no idea if the software was installed correctly or not. I am looking for a way to just output what was run so I can go through and see if anything failed.

Any help would be appreciated.

Thanks
 

A:Solved: Output log file from PSExec batch

Not sure if Redirection will work or not.
http://www.robvanderwoude.com/redirection.php

You could try this.
psexec @firefoxusers.txt -u AdminUsername -p password c:\installers\firefox.bat 2> errorlog.txt

or inside your batch file. Not sure if this one witll work or not.
firefoxsetup.exe -ms 2> \\server\applications\firefox\errorlog.txt
 

Read other 2 answers
RELEVANCY SCORE 42.8

Hello.I have a Windows XP Pro SP3 with several problems:* I cannot accede to http: // es.mcafee.com from Firefox or Internet Explorer.* I cannot update the antivirus Mcafee. In addition, before its icon appears close to the clock on the task bar and now it does not appear.* On having looked for something in google in the Firefox, some links open windows with porn and mobiles. In Internet Explorer it works well.* The Firefox crushes when you sail with it (version 3.0.8).* Emulate also crushes on having executed.* Spyboot Search and destroy does not find anything.* Mcafee has not found anything (one week ago had the virus of the double tilde that it could erease).* SuperAntiSpyware does not find anything.* Malwarebytes ' Anti-Malware does not find anything either.* WebRoot finds a HackTool App/Psexec-Gen and Bullet Proof Software Spyware but since I do not have a subscription cannot eliminate them.I can't open Mcafee's page from the fail-safe mode with network's funtions either.HitJack log is this:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:50:35, on 02/04/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\Archivos de programa\Webroot\WebrootSecurity\WRConsumerService .exeC:\WINDOWS�... Read more

A:HackTool App/Psexec-Gen and Bullet Proof Software Spyware

I see you have Quadruple posted http://forum.securitycadets.com/index.php?showtopic=10287http://www.security-forums.com/viewtopic.p...48934e99b8d813fhttp://www.bleepingcomputer.com/forums/lof...hp/t216359.htmlhttp://forums.techguy.org/malware-removal-...mcafee-web.htmlAll Malware Removal/Hijackthis forums greatly frown on anyone that double, triple or quadrupile posts, as it creates back logs and wastes our time! Since you are receiving help Katana at Security Cadets I am closing this thread.

Read other 1 answers
RELEVANCY SCORE 42.8

I am looking PSEXEC command to install msu files on mutiple machines or list of computers. looking setps to copy msu file locally and install via PSEXEC

Read other answers
RELEVANCY SCORE 42.8

Hi there,
As described in the following link on how to run a disk defragment using Disk Defragmenter via PsExec http://www.winhelponline.com/blog/how-to-run-disk-defragmenter-on-a-remote-computer/,
would you say that all parameters mentioned by the author in the blog are applicable? If not, please could you specify which parameters aren't needed in order for me achieve this task efficiently, I've been trying to understand all the parameters for PsExec
and from what I can understand I don't think parameters -s and -f are applicable as mentioned in
http://technet.microsoft.com/en-gb/sysinternals/bb897553.aspx. Reason why I say this is that when you when specify parameter -s (using system account) in the command and log on as a
user of that remote computer in which I've been using Remote Desktop to achieve this as well as Command Prompt, the prompt comes up with "Disk Defragmenter exited with error code 0" straightaway when logging on and logging off as that user on the
remote computer, the same also applies when logging off as that user on the remote computer when running the command when being logged on as that user whereas if you don't specify parameter -s the message is delayed for longer which is what I would expect,
I'm assuming error code 0 means that the task has completed successfully as mentioned in the following link
http://aumha.org/a/defragerr.htm. Another reason as to why I don't think parameter -f is needed is that the program (Disk Def... Read more

A:Clarification of running Disk Defragmenter remotely using PsExec

Case closed, managed to solve issue.

Read other 1 answers
RELEVANCY SCORE 42.4

I recently scanned my computer with Malwarebytes Anti-Malware, Spybot Search & Destroy, and Avira AntiVir personal.MBAM and SB S&D came up with nothing but Avira did. This is the 2nd time this month that Avira detected "appl/psexec.e" found in "C:\System Volume Information". There are 3 different instances in the Quarantine.Please look through my HJT log to help stop this recurrence.Also, users on this computer use Firefox Portable from portableapps.com run from 2 different USB drives. Both equppied with the add-ons NoScript, AdBlock Plus, and Web of Trust (WOT) to better protect us from viruses & etc.Thank you for your time.- - - - -Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:17:23 AM, on 5/15/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16827)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exeC:&... Read more

A:Avira detects appl/psexec.e reoccured 2nd time this month

Hi PixelPlay,Sorry for the delay the forums here at BC are always very busy and we do are best to keep up. Sinceyour log is quite old and alot could have changed, I would like to see a new log please. If you nolonger require any help could you let me no please, so this topic can be closed.Download random's system information tool (RSIT) by random/random from here and save it to your desktop.Double click on RSIT.exe to run RSIT.Click Continue at the disclaimer screen.Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)Thanks

Read other 18 answers
RELEVANCY SCORE 42.4

Hi,
I am trying to execute psexec command to remote machine.
My command is
psexec -u domain\user -p password \\machineName -c abc.bat
I am trying from windows 7(64 bit)  machine. The remote machines are xp and windows 7(32 and 64 bit).
In XP machines, it is working and also in some windows 7 machines. But in some windows 7 machines it give message-
"Could not start PsExec service on target machine.
Access is denied."
 
If I try to execute psexec command from XP machines, it works to all machines.
Suddenly what happen I do not know but one of the windows 7 machine( where psexec was not starting) , psexec started. but not in other machines.
Now I am very much confuse here exactly what happen. and what is the issue.
Please help. It urgent.
Thanks.

A:Could not start PsExec service on target machine. Access is denied.

Hi,

 

When opening the Command Prompt, please right click it and run as Administrator. Meanwhile, make sure the user has administrator privileges on target PC. If the issue
persists, try to disable UAC on both sides.

 

As far as I know the Security Level on Windows 7 is higher than the level on Windows XP.  Therefore, 'psexec' works to all machines.

 

Best Regards,

Niki
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Read other 20 answers
RELEVANCY SCORE 42

Hi,
We are unable to take backup of "Favorites","Desktop" folders in a user profile when scanstate is run remotely using "Psexec \\computername -s scanstate.exe /ue:*\* /ui:domain\user /i:miguser.xml /config:config.xml /c" command.
These folders are redirected to a shared folder on a server and when we try to see the folders by using UNC path(\\computername\c$\users\username) on the user's machine they dont appear under user profile. Even though "Documents" are redirected,
we are able to take backup of the "Documents" folder.
However, when scanstate is run locally on the system, all folders are backedup to usmt.mig file. We are using "miguser.xml" and "Config.xml" for scanstate, since we need backup of "Documents","Desktop" and "Favorites"
only. After searching over internet, we doubt that, this behavior has got something to do with "Shell Folders" and "User Shell Folders" in the registry under "HKCU\Software\Microsoft\Windows\Currentversion\explorer\shell folders",
where paths to all user profile related folders information is stored. We dont find "Documents" folder there, may be thats the reason why we are able to take backup of only "My Documents" and not the rest of the folders (Favorites,Desktop).
When scanstate is run locally, the backup of "Favorites","Desktop" and "Documents" is... Read more

Read other answers
RELEVANCY SCORE 40.4

Hello,
 
On my web site - http://incinerama.com/ , if you select specific pages like http://incinerama.com/1953_march.htm , you get the error message:
 
"Norton blocked an attack by: Web Attack: Cookie Bomb Injection Website "
 
I ran Malwarebytes, hijackthis, etc. on the computer that uploaded pages to the web site and found no problems.
 
Any ideas on what is causing this and how I can remove this?
 
Thanks!
 
Roland
 
 
 

Read other answers
RELEVANCY SCORE 40.4

Dear friend, I am fedup with the problem of popup security warning and automatic adding of sites in favourite and opening of webpage while brausing internet. Also after sometimes it changes my desktep to red signal showing your privacy in danger. Also three sites shortcut are automatically adding to my desktop.I follow your step by step instruction of running ad-aware and then spybot and then stringer. Also problem is that when i am cleaning with smitfraudfix tool it is getting cleared but after using computer sometimes it is comming back and even if i am not using internet it is comming back. Also when i am using computer sometimes command prompt is opening automatically and something is happened there and it is closing automatically. Same things happened three to four times and then all those things are again came back to my screen.Below is the log of hijack this file. please help me to solve the problem. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:32:28 PM, on 11/27/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files&... Read more

A:Antispylab Problem- Popup Warning For Virus Attack And Spyware Attack

Hello dipaknpatel,NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Please download SmitfraudFix Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htmYou should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please reboot your computer in Safe Mode by doing the following :Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account.Once in Safe Mode, double-click SmitfraudFix.exe Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infectio... Read more

Read other 2 answers
RELEVANCY SCORE 40.4

OS - Windows XP Service Pack 3 with all updates. Antivirus - Norton 360 with all updates
Windows firewall disabled (because Norton says it's better)
Remote computer IP address is 192.168.1.4
Norton says it blocks the attack, but it keeps happening. Am I infected?

A:Norton blocked an attack by : OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250

Hello,And welcome to BleepingComputer.com, before we can assist you with your question of: Am I infected? You will need to perform the following tasks and post the logs of each if you can.Malwarebytes Anti-MalwarePlease download Malwarebytes Anti-Malware and save it to your desktop.Download Link 1Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.Make sure you are connected to the Internet.Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.When the installation begins, follow the prompts and do not make any changes to default settings.When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-MalwareLaunch Malwarebytes' Anti-MalwareThen click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.On the Scanner tab:Make sure the "Perform Full Scan"... Read more

Read other 13 answers
RELEVANCY SCORE 38

I uninstalled Trend Micro this morning and installed the free Avira Antivirus. It detected "psexec.cfexe" which has something to do with the "APPL/PsExec.E application". I have included a copy of the scan results as well as a HJT log.

Avira AntiVir Personal
Report file date: Sunday, 9 August 2009 11:26

Scanning for 1618860 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : SYSTEM
Computer name : A-PC

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 29/07/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 05:06:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 02:28:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 03:05:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 02:28:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 04:00:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 00:51:42
ANTIVIR2.VDF : 7.1.5.60 2235904 Bytes 3/08/2009 01:54:52
ANTIVIR3.VDF : 7.1.5.85 445952 Bytes 7/08/2009 01:55:08
Engineversion : 8.2.0.248
AEVDF.DLL : 8.1.1.1 106868 Bytes 28/07/2009 05:01:50
AESCRIPT.DLL : 8.1.2.23 455033 Bytes 9/08/2009 01:55:50
AESCN.DLL : 8.1.2.4 127348 Bytes 23/07/2009 01:29:39
AERDL.DLL : 8.1.2.4 430452 Bytes 23/07/2009 01:29:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 28/07/2009 05:01:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 23/07/2009 01:29:39
AEHEUR.DLL : ... Read more

A:Avira detected "psexec.cfexe"?

Read other 6 answers
RELEVANCY SCORE 37.6

One of my employees is the victim of some kind of cybercrime.  For the last two weeks, she has dealt with thieves calling her credit union, posing as her, and requesting wire transfers.  She has changed account numbers there twice, and still they find out her account numbers THE SAME DAY and attempt to steal from her.
So she changed banks completely, and immediately after the first time she used her new debit card, several fraudulent charges showed up on her account from use of her card number.
This may or may not be related:  Just before all this started, we were staffing a table at an outdoor festival, and both she and her boyfriend noticed a message on their Android phones that seemed to indicate that their phones had been bluesnarfed.  My employee thinks she remembers seeing something being installed.  She has since hard reset the phone (I think yesterday).
The FBI is not helping because she hasn't actually lost any $$ so far because of the vigilance of the banks, but it seems like it's only a matter of time before they clean her out unless she can defeat whatever access they have.
 
Any ideas?  Thanks!

A:Employee under attack, but what kind of attack and what to do?

Has she contacted local police? At least to the point of making a report of the activity you have documented thus far. It can show pattern of behavior. In the unfortunate event she does lose access to her funds or loses them completely.

Read other 3 answers
RELEVANCY SCORE 37.6

I'm being DDoS attacked. My ping was been spiking from 50 to 250+. I've tried changing my IP multiple times and I still was attacked (Note: I own 3 computers and 1 tablet). I've tried disabling startup processes, av scans, and basic rootkit scans and found nothing. However, after I uninstalled Akamai Net Session Downloader, FlashGet, and Tornado Force 2 (a chinese version of the game "Soldier Front 2"), it seems as though the attacks stopped. I'm not sure if they will come back or of something is infected but I'd appreciate some help to make sure everything is fine and not infected. EDIT: I'm still seeing these attacks pop up in the logs

This is what my NETGEAR Router was showing in the logs:

[admin login] from source 192.168.0.3, Friday, June 14,2013 18:25:12
[DoS attack: ACK Scan] from source: 208.47.185.65:80, Friday, June 14,2013 18:24:12
[DoS attack: ACK Scan] from source: 69.168.106.22:80, Friday, June 14,2013 18:22:58
[DoS attack: RST Scan] from source: 50.17.180.125:80, Friday, June 14,2013 18:11:49
[DoS attack: ACK Scan] from source: 208.47.185.65:80, Friday, June 14,2013 18:09:37
[DoS attack: ACK Scan] from source: 208.47.185.65:80, Friday, June 14,2013 18:09:11
[DoS attack: ACK Scan] from source: 69.168.106.22:80, Friday, June 14,2013 18:08:00
[DHCP IP: (192.168.0.4)] to MAC address 00:26:2D:3A:44:7D, Friday, June 14,2013 18:01:50
[DoS attack: ACK Scan] from source:... Read more

A:DDoS Attack, Changed IPs Still Under Attack

Do you own a Domain Name/Website?

Read other 9 answers
RELEVANCY SCORE 37.6

I frequently visit a website called comicbookresoures.com for news on the comic book industry and related topics. I have a Norton SafeWeb toolbar installed in my broswer on Internet Explorer 8. Yesterday, the SafeWeb icon displayed a caution icon. When I clicked it, it said that the website had a report on a virus threat. The report can be referenced as follows:
 
http://safeweb.norton.com/report/show?url=http:%2F%2Fwww.comicbookresources.com%2Fnews&product=N360&version=20.4.0.40&layout=OEM&lang=0901&source=toolbar
 
So, out of a sense of caution, I ran scans with Norton 360 (quick and full).  It found and removed tracking cookies.  I ran a scan with Norton Power Eraser and it fixed something with the registry.  Also, I ran scans with TDSS Killer and Malwarebytes Anti-Malware.  Nothing turned up there.  I also ran TFC to clear out the temp files.
 
So far, my PC has been functioning normally.  Is there anything else I should do just in case there is something else hiding on my PC that I don't know anything about?
 
((If you want, I can also forward the logs from Norton 360 and NPE.  I just need to know how I can access and post those logs for review)).
 
Thanks for your time.
 
 

A:Possible attack with Web Attack: Red Exploit Kit Website

I'm nor surprised.
Two days ago my web site was marked by Norton with "Caution".
Here is a funny (or tragic) part.
It was marked with "Caution" because of a few links leading to.....BleepingComputer, specifically to couple of registry fixes posted by....BC owner, Mr. Grinler.
 
On a top of it it happened for the second time this year for the very same links.
 
To make things even more pathetic re-evaluation link at Norton site didn't work so I had to email them.
They fixed it next day but do you want to trust them?
I won't.

Read other 6 answers
RELEVANCY SCORE 36

Hello.
I like to run a program like "explorer.exe" via "PsExec" but when I did "psexec.exe \\remote IP explorer.exe" then never happened. Why?

Thank you.

Read other answers
RELEVANCY SCORE 28

Hy guys, not too sure what to do, so I'll post a copy of the log of my Hijack This thing here. It's complete an unedited.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:42:50 AM, on 4/12/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16640)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Autodesk\Data Management Server 5\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exeC:\Program Files\Autodesk\Data Management Server 5\Server\Webserver\Connectivity.EDMWS.Server.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Microsoft SQL Server\MSSQL$AUTODESKVAULT\Binn\sqlservr.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\Program ... Read more

A:Under Attack!

Hello Rocker_Centauri,Welcome to Bleeping Computer You posted perfectly, thanks. I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! After ComboFix has completed you can reenable them all, then come back online to post the reports. Thanks!This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.1. Download this file - combofix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe2. Double click combofix.exe & follow the prompts.3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.Note:Do not mouseclick combofix's window while it's running. That may cause it to stall.Thanks,tea

Read other 13 answers
RELEVANCY SCORE 28

i have a computer that has fallen to several virus - malware. i have found the following qncguscw.dll and iiffded.dll. Nortons caught the rest and removed them. Please help me remove the remaining infections. This is my first time using this type of help, please be patient with me.
 

A:under attack

here is my hijack this log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:33 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray... Read more

Read other 1 answers
RELEVANCY SCORE 28

Greetings fellow Techies!In IE, Manage Add-Ons - jkkjh.dllI have it disabled but whenever I restart it enables itself again and it also adjusts my cookies settings to accept all!The file is loacted in my C/Windows/System32/jkkjh.dll. Windows will not let me delete, it says that it is in use, blah, blah, blahRan Norton, Norton's Vundo, HiJackThis. HJT deletes it but it comes right on back! Also tried all of this in safe mode as well.Has anybody out there had any luck in deleting this sucker. I'm usually pretty good at getting rid of the nasties but this one is driving me crazy!!!!!!!!!!!!Here is my HJT log, thanks in advance and God bless.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:27:18 AM, on 9/22/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared ... Read more

A:My Pc Is Under Attack!

Hello Decorte,Welcome to Bleeping Computer 1. Download this file - combofix.exe2. Double click combofix.exe & follow the prompts.3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.Note:Do not mouseclick combofix's window while it's running. That may cause it to stall.Thanks,tea

Read other 11 answers
RELEVANCY SCORE 28

Hello,
 
I am a bit concerned about this situation, i recently installed Zone Alarm and it looks like there is a huge amount of intrusion attempts into my laptop, i have another laptop on my network that is probably severely inffected but its currently turned off.
 

 
I want to know whats going on here, it doesn't feel safe at all... Should i be worried about this?
 
System Info:
 
Windows 7 home premium 64 bits - almost clean install, it has 1 week or so, been downloading some torrents tho.
Toshiba satellite
 
Forgot to add: I've run MBAM and it says the system is 100% clean.

A:Looks like I am under attack? what should i do?

Welcome aboard   Download Security Check from here or here and save it to your Desktop. Double-click SecurityCheck.exe Follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.Make sure the following options are checked:
Internet ServicesWindows FirewallSystem RestoreSecurity Center/Action CenterWindows UpdateWindows DefenderOther ServicesPress "Scan".It will create a log (FSS.txt) in the same directory the tool is run.Please copy and paste the log to your reply. Please download MiniToolBox and run it.Checkmark following boxes:Report IE Proxy SettingsReport FF Proxy SettingsList content of HostsList IP configurationList Winsock EntriesList last 10 Event Viewer logList Installed ProgramsList Devices (do NOT change any settings here)List Users, Partitions and Memory sizeList Restore PointsClick Go and post the result. Please download Malwarebytes Anti-Malware to your desktop.NOTE. If you already have MBAM 2.0 installed scroll down.Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
At the end, be sure a checkma... Read more

Read other 18 answers
RELEVANCY SCORE 28

I have a netgear hardware firewall guarding my LAN... However, I keep getting alerts of 'sub seven attack dropped' and a source (which I presume is the IP of the attacker) This IP address changes - I have tried resolving it using Sam Spade and sending notification to the abuse desks, but it keeps happening... Is it serious and is there something else I should be doing to protect my network?
 

A:Sub Seven Attack!

While I'm not familiar with that firewall, such notifications are a regular part of firewall use. You will probably get them everyday -- it is just the nature of the beast. Hacking programs which scan for vulnerabilities are widely available and ranges of IP addresses are constantly being scanned by them. When yours falls within their range you get notified of such a "probe" by your firewall.

The bottom line is, they can knock, but they can't get in. The notifications have educational value only, for the most part. Trying to get a resonse from their host ISPs is usually futile, due to the large number of reports they probably receive, but not always.
 

Read other 1 answers
RELEVANCY SCORE 28

I work for a group of facilites that have recently come under attack from what seems like a variety of malware/spyware. We are a client/server based network enviroment. It seems that only our Win2000 boxes are affected but they are having a variety of problems which include:

dbsarticles.com and/or freeart1cile.com hijacks the homepage of the clients.
Also we've identified C:\winnt\system32\a.exe and C:\lox.exe as possible problems. I've run a HiJackThis log on one of the infected boxes and was hoping someone knew of a fix for the clients that isn't reformatting the box. Thanks in advance for any help in resolving this matter!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:06 PM, on 6/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TIREMOTE\wuser32.exe
C:\WINNT\TIREMOTE\TIRemoteService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\system32\msmsgs.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\syste... Read more

A:PCs under attack

Hi, welcome to tsf!

Is your antivirus protection up to date?

if you still need assistance, please post a fresh hijackthis log.

Read other 1 answers
RELEVANCY SCORE 28

my friend is being attack or somebady is trying to hack her pc. The antivirus program says something like this"Attack..DCOM EXPLOIT 63.232.115.76.135/TCP" The other numbers on differents attacks vary (63.235.121.165.135)
She is suspicious of an online friend, just to make sure if this the guy, can somebody tells us where this attacks are coming from? We mean what country
 

A:attack!!!!

As long as you have a good anti Virus and a good firewall or/and router then your ok? Why not tell your friend to ditch talking to this person!

This is not a valid IP address as there are onlyy four groups of numbers!

63.235.121.165.135

You can go to

http://www.grc.com/default.htm
and download idserve. When you get the persons IP address, copy and paste it into thethe top part of ID serve and hit query the server. Sometimes you get nothing if they are using a proxy or an anonymiser!

The IP address might be harmless like your ISP or a RIPE server pinging you!
 

Read other 1 answers
RELEVANCY SCORE 28

Hi all
Just getting over an attacked big time could someone check this log and tell me what to delete>?

I;m on my second puter the first ome just wont run right yet search is very very slow. I have rr so it should be faster..?


Logfile of HijackThis v1.99.1
Scan saved at 19:08:23, on 22.09.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Cheetah Burner\Cheetah CD Burner\NMSAccess.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Mic... Read more

A:Just getting over an attack

Still needing Help, still cant download from internet and still cant window explorer back to computer, I know there are some trojans that will not go away.I have tried everything a know..?
Could I reinstall win xp and fix the software problems? or install vista? would this get rid of the trojans?

Thanks for any help

Read other 1 answers
RELEVANCY SCORE 28

heres my router firewall summary its 2700-hgv

my specs:Radeon HD5770
AMD 5000X2

Windows 7 64bits

Today This Week
Total Attacks Blocked 24 997
High Risk 0 0
Med Risk 0 0
Low Risk 24 997



---------- Today This Week
Total Number of Attacks 26 999
High Risk 1 1
UDP Flood Detected 1 1
Med Risk 0 0
Low Risk 25 998
TCP Port Scan Detected, Packet Dropped 24 953
UDP Port Scan Detected, Packet Dropped 1 31
Invalid IP source received from private/home network, Packet Dropped 0 14




Top Attackers
Total Number of Attacks
IP Address Attacker Domain High Risk Med Risk Low Risk
118.100.29.204 Not available 0 0 16 View attack details
60.17.17.102 Not available 0 0 13 View attack details
192.168.1.64 Not available 0 0 12 View attack details
114.25.101.53 114-25-101-53.dynamic.hinet.net 0 0 9 View attack details
111.69.241.32 32.241.69.111.dynamic.snap.net.nz 0 0 8 View attack detail

ternet Domain: Not available
Internet Address: 118.100.29.204
Today This Week
Total Attacks Blocked 0 16
High Risk 0 0
Med Risk 0 0
Low Risk 0 16
TCP Port Scan Detected, Packet Dropped 0 16


Funny thing is the ip are all telcom ips
i notice my torrent speed is slow too from 100-200kb/s to 10kb-30kb/s and it has mroe seed than leechers

A:Am i being attack?

Hi, let's take a quicl look for malware.First run TFC by OTPlease download TFC by Old Timer and save it to your desktop. alternate download linkSave any unsaved work. TFC will close ALL open programs including your browser! Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator. Click the Start button to begin the cleaning process and let it run uninterrupted to completion. Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.Next run MBAM (MalwareBytes):Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.alternate download link 1alternate download link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.Make sure you are connected to the Internet.Double-click on mbam-setup.exe to install the application.When the installation begins, follow the prompts and do not make any changes to default settings.When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-MalwareLaunch Malwarebytes' Anti-MalwareThen click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.If an update is found, the program wi... Read more

Read other 12 answers
RELEVANCY SCORE 28

Logfile of HijackThis v1.99.1Scan saved at 11:50:10 AM, on 3/29/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16414)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\brsvc01a.exeC:\WINDOWS\system32\brss01a.exeC:\WINDOWS\system32\PMObserv.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeC:\WINDOWS\system32\cisvc.exeC:\WINDOWS\system32\bcmwltry.exeC:\WINDOWS\system32\carpserv.exeC:\Program Files\ATI Technologies\ATI Co... Read more

A:Help, Im Under Attack

Please download VundoFix.exeto your desktop. Double-click VundoFix.exe to run it.Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log.Note: It is possible that VundoFix encountered a file it could not remove.In this case, VundoFix will run on reboot, simply follow the aboveinstructions starting from "Click the Scan for Vundo button." whenVundoFix appears at reboot.

Read other 3 answers
RELEVANCY SCORE 28

Hello,

My name is Warren. Recently I cleaned out my computer and installed some new drivers for my processor (dual core optomizer/cool n' queit), used ccleaner, and then defraged etc., and afterward my computer began to slowdown, so I restored to an earlier point. Fast forward a day or two and I have restored back and forth, cleaned here and there, and my computer is still somewhat slower than it should be (nothing big, just longer than usual delays when opening windows, etc.). So I settle on a restore point, run ccleaner, change my virtual memory, and a few other things, and my computer begins to pick up speed again. Just to feel at ease, I used PcPitstop's Pc Matic to just see how my overall system performance is looking. I was surprised to find that according to Pc Matic there was a "rogue security software" installed on my computer, it didn't give me a location, it just gave me a security identifier, but it labeled it a TDSS. I scanned with AVG and Malwarebyte. AVG found nothing, while Malwarebyte found 4-6 infections, and then upon a rescan found 1 more. I deleted all of them restarted my computer. Feeling insecure I downloaded some additional security precautions including: spyware blaster, webroot, combofix, eset, and hijackthis (I think that these are all legitimate downloads, but I am not certain). I went nuts this time, doing multiple scans in safemode, and using alot of the features of the other AV/AS/AM stuff. Upon trying to use malwarebyt... Read more

A:Under Attack?

Try this:http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller

Read other 1 answers
RELEVANCY SCORE 28

All of a sudden, about a half hour ago, I started receiving notifications from Norton saying that attacks had been blocked. I've looked over the reports and they are all from different IPs. I've had over 400 attempted attacks in the past hour. I've searched my system and I haven't found any trojans. Does anyone know what is going on or how I can stop these waves of attacks?
 

A:Am I under attack?

I just came back to my computer and there were another 500 attacks. All were blocked. Should I be worried?
 

Read other 3 answers
RELEVANCY SCORE 28

Getting pop-up for every website I visit. I am using FireFox and pop-up still get thought even with pop up block on.



DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Owner at 21:08:00.32 on Tue 08/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1339 [GMT -5:00]

AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
c:\Program F... Read more

A:Pop-Up attack

Hello and welcome to TSF.

Kindly follow my instructions in the order they are presented, and please refrain from any self-fixing or running of scanners unless requested by me or another helper at this forum.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

How to disable your security applications

Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following mes... Read more

Read other 8 answers
RELEVANCY SCORE 28

Hi about 3 weeks ago i started getting redirected when i was browsing the net , this happened on firefox or ie , it sometimes redirected me to a spyware dl page , i never dled anything off any of the sites , i got avira antivirus scanned my pc and it told me i had TR/Vundo.gen so i came here and searched , found the vundo fix exe ran it found 3 and it was fine , well about 2 days later the same thing starts to go on again , so i decide to search out these funny dll files that i keep getting warnings from trying to access my pc , my friend reccommended that we try hijack this to find the BHO thats messin with me , turns out we kill like 9 BHO that are no good , well as of this morning my alarm is goin off again and now it wont stop with the warngins for example .

C:\WINDOWS\system32\vozaposo.dll is the TR/Crypt.XPAC.gen trojan
but heres the kicker none of the 6 files its sayin are trying to infexct are in this folder anywhere its like they dont exist plz if u can help me with this issue i would greatly appreciate it
Here is my hijack this log as of this morning


Logfile of HijackThis v1.99.1
Scan saved at 9:44:32 AM, on 12/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Progra... Read more

A:Plz help my pc is under attack ><

Read other 6 answers
RELEVANCY SCORE 28

For the past few weeks I have been lately bombarded with pop up websites, a lot of them claiming to be antivirus downloads, and even if you say cancel and no it opens anyway and begins scanning your computer. The only way to keep it from doing anything is to click the x at the top righthand corner of the screen. I have run RegCure, anti-Malware, scandisk, you name it. I keep getting pop ups and now today I have the sound of something playing on the computer but no physical evidence. No website popped up, no program running in the background. It is just playing some kind of news channel like the BBC or something and I don't know how to get rid of it. I have never had problems with pop ups before a month ago. Never ever had a single pop up. Now I can't get rid of them. I am sick of it and frightened and need help! Here is my log info from Hijackthis. If anyone can help I would greatly appreciate it. Thank you and Merry Christmas!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:13 PM, on 12/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Nero\Ne... Read more

A:I am under attack!

Hiya and welcome to Tech Support Guy

Are you still having this problem? If so, do the following:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Download and scan with SUPERAntiSpyware Free for Home Users
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click &q... Read more

Read other 1 answers
RELEVANCY SCORE 28

Have mistakenly downloaded (from a Mozilla Thunderbird attempted download on Mozilla's website, I thought)
MyPc Backup By JDiBackup; Oprtimizer Pro v 3.2 by PC Utilities Software; Super Optimizer 3.2 by Super PC Tools; RegPro Cleaner Version 2.0 by Reg Pro; Remote Desktop Access (VuuPC) by CMI Ltd; s5mark and Shopperz 2.0.0.457 by Shopperz.
My machine and I are being attacked. I have been unable to uninstall these programs using the Uninstall method which yields only a message stating to wait until other program is finished uninstalling. I have looked for other information on the net and found only hucksters seeking a sale.
If you know how to rid a machine (Windows 7) of these pernicious operators and their programs, please respond ASAP.
 

Read other answers