Over 1 million tech questions and answers.

PSEXEC attack

Q: PSEXEC attack

Hello Team,
Please I want to ask if it is possible for ATA to detect when an attacker launch remote code execution (psexec) against a server on the network. I know ATA detects when such attack is launched against domain controllers, but what if the targeted machine
is a member server or workstation, will ATA still detect it?
Thanks.

BR, David Sunday

Read other answers
RELEVANCY SCORE 200
Preferred Solution: PSEXEC attack

I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level of success.

I've used it in the past to identify and fix everything from blue screens (BSOD's), ActiveX errors, corrupt files and processes, dll/exe/sys errors, recover lost memory, Windows update problems, defragging, malware removal etc.

You can download it direct from this link http://downloadreimage.com/download.php. (This link will automatically start a download of Reimage that you can save to your computer.)

RELEVANCY SCORE 44.4

Hello Fangzhou CHEN,

Per your instructions below.  Is the U/P my admin info or the users?  Please advise.

We could use the PsExec tool to conduct the remote control.
1. Download the tool and copy to file to C:\Windows\System32

2. Run cmd as administrator
3. We could run the command psexec  \\ <computername >
-u <username> -p <password> <command>to run command in remote computer.

Read other answers
RELEVANCY SCORE 44.4

I am in the process of putting a batch file together to detect and force microsoft updates to a machine or a group of machines using PSEXEC.exe and a VBS script created by Rob Dunn and posted over at the forums at www.wsus.info.

I have listed below the steps needed to complete this task and would like it put together (if possible) in a batch file, UPDATE.VBS is the name of the script that I copy over to the machine and the PSTOOLS dir is the directory that PSEXEC resides in.

If I run these commands one at a time everything runs well, I would just like to know if it is possible to make this a "one step process"?


Ok here are all the cmds I need in order to run the script

1. net use \\TARGETMACHINE\C$ /user:"DOMAIN\DOMAIN USER"

2. copy update.vbs \\TARGETMACHINE\C$\update.vbs

3. exit back into PSTOOLS directory

3. psexec.exe \\TARGETMACHINE -u "DOMAIN\DOMAIN USER" -p PASSWORD -e -i cmd.exe /c cscript.exe //B C:\UPDATE.vbs


I have tested this on multiple machines and everything is running well. Any suggestions on how to set this up in one batch file? Of course I will eventually setup the PSTOOLS dir on a network drive instead of my local machine.

A:Using PSEXEC and VBS script with WSUS

Ok after a few weeks of playing around with the script and lots of help from Karlchen over at http://forum.sysinternals.com/default.asp I got it running, it goes a little something like this:

@echo off
:: Programme: remoteupd.bat
:: Function : copy update.vbs to \\target
:: launch update.vbs on \\target using psexec
:: &nbs p; will read computerlist.txt and launch update.vbs on each
:: &nbs p; of the hostnames\IPs inside the file
:: Status : third draft, arguments given on commandline, uses a listfile
:: Note : we will assume "computerlist.txt" is located in F:\Work Applications\WSUS Force Update, too.
:: Usage : remoteupd.bat adminuser password
::
:: Check that 2 arguments have been given on the commandline
if "%2"=="" (
echo usage: remoteupd.bat adminuser password
echo Try again.
exit /b 1
)
set ADMUSER="ADMIN USER\DOMAIN"
set ADMPASS="PASSWORD"
set LISTFILE=computerlist.txt

:: go to the source folder
f:
cd \Work Applications\WSUS Force Update

:: check that the listfile is there
if not exist %LISTFILE% (
echo Listfile %LISTFILE% not found. Create it and try again.
exit /b 1
)

:: Finally, all checks done, let us do our work in a for loop
for /F %%i in (%LISTFILE%) do (
REM 1. net use if ADMPASS has got no space character the
REM double quotes may be removed
net use \\%%i\C$ /user:"ADMIN USER\DOMAIN" "PASSWORD"

REM 2. copy updat... Read more

Read other 1 answers
RELEVANCY SCORE 44.4

am in the process of putting a batch file together to detect and force microsoft updates to a machine or a group of machines using PSEXEC.exe and a VBS script created by Rob Dunn and posted over at the forums at www.wsus.info.

I have listed below the steps needed to complete this task and would like it put together (if possible) in a batch file, UPDATE.VBS is the name of the script that I copy over to the machine and the PSTOOLS dir is the directory that PSEXEC resides in.

If I run these commands one at a time everything runs well, I would just like to know if it is possible to make this a "one step process"?
Ok here are all the cmds I need in order to run the script

1. net use \\TARGETMACHINE\C$ /user:"DOMAIN\DOMAIN USER"

2. copy update.vbs \\TARGETMACHINE\C$\update.vbs

3. exit back into PSTOOLS directory

3. psexec.exe \\TARGETMACHINE -u "DOMAIN\DOMAIN USER" -p PASSWORD -e -i cmd.exe /c cscript.exe //B C:\UPDATE.vbs
I have tested this on multiple machines and everything is running well. Any suggestions on how to set this up in one batch file? Of course I will eventually setup the PSTOOLS dir on a network drive instead of my local machine.
 

A:Using PSEXEC and VBS script with WSUS

Ok after a few weeks of playing around with the script and lots of help from Karlchen over at http://forum.sysinternals.com/default.asp I got it running, it goes a little something like this:

@echo off
:: Programme: remoteupd.bat
:: Function : copy update.vbs to \\target
:: launch update.vbs on \\target using psexec
:: &nbs p; will read computerlist.txt and launch update.vbs on each
:: &nbs p; of the hostnames\IPs inside the file
:: Status : third draft, arguments given on commandline, uses a listfile
:: Note : we will assume "computerlist.txt" is located in F:\Work Applications\WSUS Force Update, too.
:: Usage : remoteupd.bat adminuser password
::
:: Check that 2 arguments have been given on the commandline
if "%2"=="" (
echo usage: remoteupd.bat adminuser password
echo Try again.
exit /b 1
)
set ADMUSER="ADMIN USER\DOMAIN"
set ADMPASS="PASSWORD"
set LISTFILE=computerlist.txt

:: go to the source folder
f:
cd \Work Applications\WSUS Force Update

:: check that the listfile is there
if not exist %LISTFILE% (
echo Listfile %LISTFILE% not found. Create it and try again.
exit /b 1
)

:: Finally, all checks done, let us do our work in a for loop
for /F %%i in (%LISTFILE%) do (
REM 1. net use if ADMPASS has got no space character the
REM double quotes may be removed
net use \\%%i\C$ /user:"ADMIN USER\DOMAIN" "PASSWORD"

REM 2. copy update.vbs
copy update.vbs \\%%i\C$\update... Read more

Read other 1 answers
RELEVANCY SCORE 44.4

Hello all, I have a question about setting up Remote Desktop on PCs in our company. For most of the PCs on our network Remote Desktop is disabled by decree of the management. When I do need access to a machine I'll use psexec to enable the service then I'll disable it when I'm done. Some of the PCs are accessed by normal (non-admin) users on the network using Remote Desktop - we're looking for a way to remotely edit the list of users that can access the PCs that way - it'll be one specific user allowed per machine so a group policy doesn't seem to be the right way to go... Basically I'm looking for a way to remotely edit a machine's local secpol, specifically the "Allow logon through terminal services" setting.
I found this MS article http://technet.microsoft.com/en-us/library/bb457125.aspx that mentions the SeNetworkLogonRight but I don't see that in the registry... I must be missing something stupid here - there has to be an easy way to do what I'm trying to do... Does anyone know what that easy way is?
This is the command I use to enable remote desktop - it seems like something similar could be used to edit the userlist? Argh!
psexec \\machine reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

-Oh, it's an Active Directory Domain, all the PCs are WinXP - Thanks!
 

Read other answers
RELEVANCY SCORE 44.4

Hi,
I have a question regarding psexec or an alternative perhaps? Basically, I have a batch file I made, that I want to allow a friend from a remote machine to exec. However, I want him ONLY to be able to exec this file, and not mess around anywhere else on the machine. Psexec gives too much privilege and he could open other things, etc. I did come across the program RemoteExec, but after the 15 day trial that won't be of much value to me(not paying 400$ for this singular occurrence). Any ideas or help would be GREATLY appreciated!!!

Thanks
 

A:Psexec related question

Why do you want to give remote access to this file? This kind of sounds like a classroom project you are trying to get help with.

At any rate, what about installing Apache web server and having the file access granted through the webserver?
 

Read other 1 answers
RELEVANCY SCORE 44.4

Hi Guys I know there's probably a lot of these on these forums but when i type in the command

psexec \\computername cmd it says access is denied

I am running cmd as admin and havn't tried anything else,
i'm not very good with cmd so would someone please help?

Thank you

A:psexec access is denied

You need to supply username and password.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Read other 9 answers
RELEVANCY SCORE 44.4

Hi there,
I am facing difficulty in using pcexec , i am simply trying to use an ipconfig command and remote pc.
both PCs are win Xps
psexec \\10.10.xx.xx -u XXX -p XXX ipconfig
but all am getting is
PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich

Could not start PsExec service on 10.10.XX.XX:
Access is denied.      HELP PLEASE

A:Could not start PsExec service

it should be something like this
psexec \\marklap cmd
ipconfig
after you connect to the remote cmd then you issue "ipconfig"

Read other 10 answers
RELEVANCY SCORE 44

I am looking psexec commands to fulfil below requirements
1) copy file into C:\temp on remote machines including bat file and source files
2) Install using batch files (EXE file using batch file)

looking sample psexec commands to install EXE, MSI, WSU, bat, cmd etc

Read other answers
RELEVANCY SCORE 44

I am trying to determine why IE7 installer fails to work when using PSEXEC to remotely install it?
I have the IE7 installer in c:\temp
This does not work (The switches are valid)
 
psexec \\new_computer c:\temp\ie7.exe /quiet /update-no /norestart /log:c:\temp
 
 
 
It installs fine with the same switches if I manually run it locally but I *MUST* remotely install it as I have multiple PCs to manage and don't need to bother the users 
Below is the log it generates yet it's not making any sense.

00:00.000: ====================================================================
00:00.218: Started: 2011/05/21 (Y/M/D) 21:11:52.900 (local)
00:00.468: Time Format in this log: MM:ss.mmm (minutes:seconds.milliseconds)
00:00.609: Command line: c:\ba1df32f992674d86f0534\update\iesetup.exe /quiet /update-no /norestart /log:c:\temp
00:00.890: INFO: Acquired Package Installer Mutex
00:01.125: INFO: Operating System: Windows Workstation: 5.2.3790 (Service Pack 2)
00:01.656: INFO: Checking version for C:\Program Files\Internet Explorer\iexplore.exe: 6.0.3790.1830
00:01.765: INFO: C:\Program Files\Internet Explorer\iexplore.exe version: 6.0.3790.1830
00:01.781: INFO: Checking if iexplore.exe's current version is between 7.0.0.0...
00:01.812: INFO: ...and 7.1.0.0...
00:01.890: INFO: Maximum version on which to run IEAK branding is: 7.1.0.0...
00:01.906: INFO: iexplore.exe version check success. Install can proceed.
00:01.922: INFO: EULA not shown in passive or... Read more

A:Unable to remotely install IE7 using PSEXEC

Hi,

 

Regarding the issue, I’m just wondering that if you can collect the IE7 log (%windir%\ie7.log)for me, then we can try to find the cause.


 

Please understand, we need more detail information to troubleshooting the issue.You may upload the file via SkyDrive and post a link here.

 

Also please refer:

 

http://support.microsoft.com/kb/917925

 

Also if you want remote install IE7, you may use the .msi file to do. Please refer:

 

http://support.microsoft.com/kb/942812

 

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e41d8800-d134-4356-a2e7-c01bee790908&displaylang=en
Please remember to click ?Mark as Answer? on the post that helps you, and to click ?Unmark as Answer? if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ?

Read other 7 answers
RELEVANCY SCORE 44

Has anyone experienced this or similar recently? We've seen multiple unrelated clients get hit with something that resembles a worm. It appears to use mimikatz to steal passwords for the currently logged on user (Active Directory) and then reaches out to other PCs on the network and uses psexec to run something. I assume it's trying to steal the next computer's username/password and so on. Processes can be seen in Task Manager running under other user accounts that are NOT logged into the PC. The users (which have never otherwise logged into the PC) then have profiles in C:\users. This process leaves the PSEXECSVC Windows service (visible in services.msc) and saves mimikatz.exe and other random KB_______.exe and ms_______.exe files in C:\ProgramData and C:\users\username\appdata\roaming and \appdata\local\temp. It seems to disable the Windows Firewall and Windows Update services, and it breaks Show Hidden Files so it can't be turned on or off.
 
Users have complained of audio/music playing in the background, and we've found .mp3 files in c:\users\username\appdata\roaming. It's hard to recover from this because cleaning the PCs one by one is great until an infected one is turned back on with network connectivity and hits all the cleaned/rebuilt ones again.
 
The thing that's most worrying to me is that I can't find much about this online. This appears to be the closest thing: http://blog.cylance.com/operation-cleaver-net-crawler
 
Any ideas what t... Read more

A:Some type of worm using psexec and mimikatz?

First thing first, it would have to eb running at domain adminlevel to execute through psexec, so change the administrators password pronto.
Also setup a group policy to disallow psexec.exce from running on C:\*
Thirdly make sure no user account has admin rights, ecspecially global admin rights or local admin rights.
If its conencting to each amchine IPC$ then im assuming it has the Domain\Administrator account token/password.

Read other 7 answers
RELEVANCY SCORE 44

Hi Tech Support,
I got below error when using psexec on remote computer (india). user123 is admin at india. Admin$ and IPC$ can access without error. Please help....
psexec \\india -u india\user123 -p [email protected] -h cmd
Error establishing communication with PsExec service on india:
Access is denied.

Read other answers
RELEVANCY SCORE 43.6

Ok imma give a full rundown of the situation. Currently on the network we are on because of the way it is setup wake on lan doesn't work, so SCCM has at best a 70 success rate for patching. So I am currently spending a couple days a week remoting into computers and running a batch file to manually update computers. I need a way, that isn't psexec to execute a batch file on a remote computer. If anyone has any ideas they would be greatly appreciated.

Additional Notes
- Batch file is on share drive atm.

A:Run Batch File On Remote Computer Without PsExec

So, you are using RDP and remotely logging into the computer? If that's the case, you should be able to put the batch file on a network share, and then execute it while you are in the RDP session.

Read other 9 answers
RELEVANCY SCORE 43.6

I have created a couple batch files to easily update firefox on users computers. See the scripts below.

This executes a batch file on all computers listed in the firefoxusers.txt file.
Code:
psexec @firefoxusers.txt -u [I]AdminUsername[/I] -p [I]password[/I] c:\installers\firefox.bat
This is the file that is executed from the one above to install the file silently from a shared drive.
Code:
pushd \\server\applications\firefox

firefoxsetup.exe -ms

popd
My problem is that when I run this script I have no idea if the software was installed correctly or not. I am looking for a way to just output what was run so I can go through and see if anything failed.

Any help would be appreciated.

Thanks
 

A:Solved: Output log file from PSExec batch

Not sure if Redirection will work or not.
http://www.robvanderwoude.com/redirection.php

You could try this.
psexec @firefoxusers.txt -u AdminUsername -p password c:\installers\firefox.bat 2> errorlog.txt

or inside your batch file. Not sure if this one witll work or not.
firefoxsetup.exe -ms 2> \\server\applications\firefox\errorlog.txt
 

Read other 2 answers
RELEVANCY SCORE 43.6

I am looking psexec commands to install exe
scenario:
I had copied source folders \\server1\test  into  designation (C:\windows\test) via PowerShell
now I am looking psxec complete command to run exe on remote machines (remote machines will take from txt file)
PSEXEC syntax or command  to run exe on multiple machines 

Read other answers
RELEVANCY SCORE 43.6

Hi,

After migrating on Windows 10 from Windows 8 when using psexec I've started to recieve an error message when enumerating domain. Error is "A system error has occurred: 53". On other machine where still Windows 8 is installed everything works fine. 
When I use psexec \\pcname command is executed without problems, but when I use psexec \\* I've get  "A system error has occurred: 53"

Sorry for bad english :)

Thanks.

Read other answers
RELEVANCY SCORE 42.8

Hi there,
As described in the following link on how to run a disk defragment using Disk Defragmenter via PsExec http://www.winhelponline.com/blog/how-to-run-disk-defragmenter-on-a-remote-computer/,
would you say that all parameters mentioned by the author in the blog are applicable? If not, please could you specify which parameters aren't needed in order for me achieve this task efficiently, I've been trying to understand all the parameters for PsExec
and from what I can understand I don't think parameters -s and -f are applicable as mentioned in
http://technet.microsoft.com/en-gb/sysinternals/bb897553.aspx. Reason why I say this is that when you when specify parameter -s (using system account) in the command and log on as a
user of that remote computer in which I've been using Remote Desktop to achieve this as well as Command Prompt, the prompt comes up with "Disk Defragmenter exited with error code 0" straightaway when logging on and logging off as that user on the
remote computer, the same also applies when logging off as that user on the remote computer when running the command when being logged on as that user whereas if you don't specify parameter -s the message is delayed for longer which is what I would expect,
I'm assuming error code 0 means that the task has completed successfully as mentioned in the following link
http://aumha.org/a/defragerr.htm. Another reason as to why I don't think parameter -f is needed is that the program (Disk Def... Read more

A:Clarification of running Disk Defragmenter remotely using PsExec

Case closed, managed to solve issue.

Read other 1 answers
RELEVANCY SCORE 42.8

Hello.I have a Windows XP Pro SP3 with several problems:* I cannot accede to http: // es.mcafee.com from Firefox or Internet Explorer.* I cannot update the antivirus Mcafee. In addition, before its icon appears close to the clock on the task bar and now it does not appear.* On having looked for something in google in the Firefox, some links open windows with porn and mobiles. In Internet Explorer it works well.* The Firefox crushes when you sail with it (version 3.0.8).* Emulate also crushes on having executed.* Spyboot Search and destroy does not find anything.* Mcafee has not found anything (one week ago had the virus of the double tilde that it could erease).* SuperAntiSpyware does not find anything.* Malwarebytes ' Anti-Malware does not find anything either.* WebRoot finds a HackTool App/Psexec-Gen and Bullet Proof Software Spyware but since I do not have a subscription cannot eliminate them.I can't open Mcafee's page from the fail-safe mode with network's funtions either.HitJack log is this:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:50:35, on 02/04/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\Archivos de programa\Webroot\WebrootSecurity\WRConsumerService .exeC:\WINDOWS�... Read more

A:HackTool App/Psexec-Gen and Bullet Proof Software Spyware

I see you have Quadruple posted http://forum.securitycadets.com/index.php?showtopic=10287http://www.security-forums.com/viewtopic.p...48934e99b8d813fhttp://www.bleepingcomputer.com/forums/lof...hp/t216359.htmlhttp://forums.techguy.org/malware-removal-...mcafee-web.htmlAll Malware Removal/Hijackthis forums greatly frown on anyone that double, triple or quadrupile posts, as it creates back logs and wastes our time! Since you are receiving help Katana at Security Cadets I am closing this thread.

Read other 1 answers
RELEVANCY SCORE 42.4

Hi,
I am trying to execute psexec command to remote machine.
My command is
psexec -u domain\user -p password \\machineName -c abc.bat
I am trying from windows 7(64 bit)  machine. The remote machines are xp and windows 7(32 and 64 bit).
In XP machines, it is working and also in some windows 7 machines. But in some windows 7 machines it give message-
"Could not start PsExec service on target machine.
Access is denied."
 
If I try to execute psexec command from XP machines, it works to all machines.
Suddenly what happen I do not know but one of the windows 7 machine( where psexec was not starting) , psexec started. but not in other machines.
Now I am very much confuse here exactly what happen. and what is the issue.
Please help. It urgent.
Thanks.

A:Could not start PsExec service on target machine. Access is denied.

Hi,

 

When opening the Command Prompt, please right click it and run as Administrator. Meanwhile, make sure the user has administrator privileges on target PC. If the issue
persists, try to disable UAC on both sides.

 

As far as I know the Security Level on Windows 7 is higher than the level on Windows XP.  Therefore, 'psexec' works to all machines.

 

Best Regards,

Niki
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Read other 20 answers
RELEVANCY SCORE 42.4

I recently scanned my computer with Malwarebytes Anti-Malware, Spybot Search & Destroy, and Avira AntiVir personal.MBAM and SB S&D came up with nothing but Avira did. This is the 2nd time this month that Avira detected "appl/psexec.e" found in "C:\System Volume Information". There are 3 different instances in the Quarantine.Please look through my HJT log to help stop this recurrence.Also, users on this computer use Firefox Portable from portableapps.com run from 2 different USB drives. Both equppied with the add-ons NoScript, AdBlock Plus, and Web of Trust (WOT) to better protect us from viruses & etc.Thank you for your time.- - - - -Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:17:23 AM, on 5/15/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16827)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exeC:&... Read more

A:Avira detects appl/psexec.e reoccured 2nd time this month

Hi PixelPlay,Sorry for the delay the forums here at BC are always very busy and we do are best to keep up. Sinceyour log is quite old and alot could have changed, I would like to see a new log please. If you nolonger require any help could you let me no please, so this topic can be closed.Download random's system information tool (RSIT) by random/random from here and save it to your desktop.Double click on RSIT.exe to run RSIT.Click Continue at the disclaimer screen.Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)Thanks

Read other 18 answers
RELEVANCY SCORE 42

Hi,
We are unable to take backup of "Favorites","Desktop" folders in a user profile when scanstate is run remotely using "Psexec \\computername -s scanstate.exe /ue:*\* /ui:domain\user /i:miguser.xml /config:config.xml /c" command.
These folders are redirected to a shared folder on a server and when we try to see the folders by using UNC path(\\computername\c$\users\username) on the user's machine they dont appear under user profile. Even though "Documents" are redirected,
we are able to take backup of the "Documents" folder.
However, when scanstate is run locally on the system, all folders are backedup to usmt.mig file. We are using "miguser.xml" and "Config.xml" for scanstate, since we need backup of "Documents","Desktop" and "Favorites"
only. After searching over internet, we doubt that, this behavior has got something to do with "Shell Folders" and "User Shell Folders" in the registry under "HKCU\Software\Microsoft\Windows\Currentversion\explorer\shell folders",
where paths to all user profile related folders information is stored. We dont find "Documents" folder there, may be thats the reason why we are able to take backup of only "My Documents" and not the rest of the folders (Favorites,Desktop).
When scanstate is run locally, the backup of "Favorites","Desktop" and "Documents" is... Read more

Read other answers
RELEVANCY SCORE 40.4

Hello,
 
On my web site - http://incinerama.com/ , if you select specific pages like http://incinerama.com/1953_march.htm , you get the error message:
 
"Norton blocked an attack by: Web Attack: Cookie Bomb Injection Website "
 
I ran Malwarebytes, hijackthis, etc. on the computer that uploaded pages to the web site and found no problems.
 
Any ideas on what is causing this and how I can remove this?
 
Thanks!
 
Roland
 
 
 

Read other answers
RELEVANCY SCORE 40.4

Dear friend, I am fedup with the problem of popup security warning and automatic adding of sites in favourite and opening of webpage while brausing internet. Also after sometimes it changes my desktep to red signal showing your privacy in danger. Also three sites shortcut are automatically adding to my desktop.I follow your step by step instruction of running ad-aware and then spybot and then stringer. Also problem is that when i am cleaning with smitfraudfix tool it is getting cleared but after using computer sometimes it is comming back and even if i am not using internet it is comming back. Also when i am using computer sometimes command prompt is opening automatically and something is happened there and it is closing automatically. Same things happened three to four times and then all those things are again came back to my screen.Below is the log of hijack this file. please help me to solve the problem. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:32:28 PM, on 11/27/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files&... Read more

A:Antispylab Problem- Popup Warning For Virus Attack And Spyware Attack

Hello dipaknpatel,NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Please download SmitfraudFix Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htmYou should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please reboot your computer in Safe Mode by doing the following :Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account.Once in Safe Mode, double-click SmitfraudFix.exe Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infectio... Read more

Read other 2 answers
RELEVANCY SCORE 40.4

OS - Windows XP Service Pack 3 with all updates. Antivirus - Norton 360 with all updates
Windows firewall disabled (because Norton says it's better)
Remote computer IP address is 192.168.1.4
Norton says it blocks the attack, but it keeps happening. Am I infected?

A:Norton blocked an attack by : OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250

Hello,And welcome to BleepingComputer.com, before we can assist you with your question of: Am I infected? You will need to perform the following tasks and post the logs of each if you can.Malwarebytes Anti-MalwarePlease download Malwarebytes Anti-Malware and save it to your desktop.Download Link 1Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.Make sure you are connected to the Internet.Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.When the installation begins, follow the prompts and do not make any changes to default settings.When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-MalwareLaunch Malwarebytes' Anti-MalwareThen click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.On the Scanner tab:Make sure the "Perform Full Scan"... Read more

Read other 13 answers
RELEVANCY SCORE 38

I uninstalled Trend Micro this morning and installed the free Avira Antivirus. It detected "psexec.cfexe" which has something to do with the "APPL/PsExec.E application". I have included a copy of the scan results as well as a HJT log.

Avira AntiVir Personal
Report file date: Sunday, 9 August 2009 11:26

Scanning for 1618860 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (Service Pack 2) [6.0.6002]
Boot mode : Normally booted
Username : SYSTEM
Computer name : A-PC

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 29/07/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 21/07/2009 05:06:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/02/2009 02:28:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/02/2009 03:05:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/02/2009 02:28:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 04:00:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 24/06/2009 00:51:42
ANTIVIR2.VDF : 7.1.5.60 2235904 Bytes 3/08/2009 01:54:52
ANTIVIR3.VDF : 7.1.5.85 445952 Bytes 7/08/2009 01:55:08
Engineversion : 8.2.0.248
AEVDF.DLL : 8.1.1.1 106868 Bytes 28/07/2009 05:01:50
AESCRIPT.DLL : 8.1.2.23 455033 Bytes 9/08/2009 01:55:50
AESCN.DLL : 8.1.2.4 127348 Bytes 23/07/2009 01:29:39
AERDL.DLL : 8.1.2.4 430452 Bytes 23/07/2009 01:29:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 28/07/2009 05:01:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 23/07/2009 01:29:39
AEHEUR.DLL : ... Read more

A:Avira detected "psexec.cfexe"?

Read other 6 answers
RELEVANCY SCORE 37.6

I frequently visit a website called comicbookresoures.com for news on the comic book industry and related topics. I have a Norton SafeWeb toolbar installed in my broswer on Internet Explorer 8. Yesterday, the SafeWeb icon displayed a caution icon. When I clicked it, it said that the website had a report on a virus threat. The report can be referenced as follows:
 
http://safeweb.norton.com/report/show?url=http:%2F%2Fwww.comicbookresources.com%2Fnews&product=N360&version=20.4.0.40&layout=OEM&lang=0901&source=toolbar
 
So, out of a sense of caution, I ran scans with Norton 360 (quick and full).  It found and removed tracking cookies.  I ran a scan with Norton Power Eraser and it fixed something with the registry.  Also, I ran scans with TDSS Killer and Malwarebytes Anti-Malware.  Nothing turned up there.  I also ran TFC to clear out the temp files.
 
So far, my PC has been functioning normally.  Is there anything else I should do just in case there is something else hiding on my PC that I don't know anything about?
 
((If you want, I can also forward the logs from Norton 360 and NPE.  I just need to know how I can access and post those logs for review)).
 
Thanks for your time.
 
 

A:Possible attack with Web Attack: Red Exploit Kit Website

I'm nor surprised.
Two days ago my web site was marked by Norton with "Caution".
Here is a funny (or tragic) part.
It was marked with "Caution" because of a few links leading to.....BleepingComputer, specifically to couple of registry fixes posted by....BC owner, Mr. Grinler.
 
On a top of it it happened for the second time this year for the very same links.
 
To make things even more pathetic re-evaluation link at Norton site didn't work so I had to email them.
They fixed it next day but do you want to trust them?
I won't.

Read other 6 answers
RELEVANCY SCORE 37.6

One of my employees is the victim of some kind of cybercrime.  For the last two weeks, she has dealt with thieves calling her credit union, posing as her, and requesting wire transfers.  She has changed account numbers there twice, and still they find out her account numbers THE SAME DAY and attempt to steal from her.
So she changed banks completely, and immediately after the first time she used her new debit card, several fraudulent charges showed up on her account from use of her card number.
This may or may not be related:  Just before all this started, we were staffing a table at an outdoor festival, and both she and her boyfriend noticed a message on their Android phones that seemed to indicate that their phones had been bluesnarfed.  My employee thinks she remembers seeing something being installed.  She has since hard reset the phone (I think yesterday).
The FBI is not helping because she hasn't actually lost any $$ so far because of the vigilance of the banks, but it seems like it's only a matter of time before they clean her out unless she can defeat whatever access they have.
 
Any ideas?  Thanks!

A:Employee under attack, but what kind of attack and what to do?

Has she contacted local police? At least to the point of making a report of the activity you have documented thus far. It can show pattern of behavior. In the unfortunate event she does lose access to her funds or loses them completely.

Read other 3 answers
RELEVANCY SCORE 37.6

I'm being DDoS attacked. My ping was been spiking from 50 to 250+. I've tried changing my IP multiple times and I still was attacked (Note: I own 3 computers and 1 tablet). I've tried disabling startup processes, av scans, and basic rootkit scans and found nothing. However, after I uninstalled Akamai Net Session Downloader, FlashGet, and Tornado Force 2 (a chinese version of the game "Soldier Front 2"), it seems as though the attacks stopped. I'm not sure if they will come back or of something is infected but I'd appreciate some help to make sure everything is fine and not infected. EDIT: I'm still seeing these attacks pop up in the logs

This is what my NETGEAR Router was showing in the logs:

[admin login] from source 192.168.0.3, Friday, June 14,2013 18:25:12
[DoS attack: ACK Scan] from source: 208.47.185.65:80, Friday, June 14,2013 18:24:12
[DoS attack: ACK Scan] from source: 69.168.106.22:80, Friday, June 14,2013 18:22:58
[DoS attack: RST Scan] from source: 50.17.180.125:80, Friday, June 14,2013 18:11:49
[DoS attack: ACK Scan] from source: 208.47.185.65:80, Friday, June 14,2013 18:09:37
[DoS attack: ACK Scan] from source: 208.47.185.65:80, Friday, June 14,2013 18:09:11
[DoS attack: ACK Scan] from source: 69.168.106.22:80, Friday, June 14,2013 18:08:00
[DHCP IP: (192.168.0.4)] to MAC address 00:26:2D:3A:44:7D, Friday, June 14,2013 18:01:50
[DoS attack: ACK Scan] from source:... Read more

A:DDoS Attack, Changed IPs Still Under Attack

Do you own a Domain Name/Website?

Read other 9 answers
RELEVANCY SCORE 36

Hello.
I like to run a program like "explorer.exe" via "PsExec" but when I did "psexec.exe \\remote IP explorer.exe" then never happened. Why?

Thank you.

Read other answers
RELEVANCY SCORE 28

Logfile of HijackThis v1.99.1Scan saved at 7:58:25 AM, on 4/18/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exeC:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exeC:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXEC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\M-Audio USB Quattro\Install\QuatInst.exeC:\WINDOWS\Explorer.exeC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exeC:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exeC:\Program Files\Common Files\Symantec Sh... Read more

A:Please help i'm under attack

Read other 10 answers
RELEVANCY SCORE 28

I was transferring files from one server to another via scp when, using SSH, I did a netstat command to check my connections. That's when I noticed an odd connection "www.gethosted.com:#####". The ##### was obviously the port number. What was so strange is a.) I queried that host and found no information, no WHOIS, nothing b.) also, each time I netstat the port number was different!

I'm new to this, so I could have been seeing something common such as this may be how scp works. Can anyone tell me what they think?

FYI- I am running firewall "ipkungfu" and have since blocked host "www.gethosted.com" just for safety.
 

A:Was I under attack??

Guess no one knows. Oh well.... thanks anyway!
 

Read other 3 answers
RELEVANCY SCORE 28

Posted here a week or so ago, did all the steps, whatever is attacking me keeps happening. I am running the steps as suggested before, I'll post the logs as they come up. Grateful for the help.

A:still under attack

Please just stick to this topic in malware removal now, thanks, post all your replies hereNOTE: we will be cleaning one computer at a time, please only post the FRST scan from the computer that is infected the worstPlease do the following:download Farbar Recovery Scan Tool and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The note... Read more

Read other 4 answers
RELEVANCY SCORE 28
Q: Attack

Can someone please check out this HiJack log? Unfortunately, the computer has a network attacking virus and I cant update, install any virus or anti-spyware software. I got the network connection up to speed as of now, but I know that will change. Also, I know it needs a lot of work. There are a lot of suspicious games and other programs. Any help is very much appreciated and I thank you so much in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:20 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightS... Read more

Read other answers
RELEVANCY SCORE 28

My Pc started running slowly and outlook would not send so I ran spybot and cleaned about 400 identified threats. outlook still wont send so I am posting a hijack this log and also a DDS log hopefully someone can solve the problem.

HJT:

"Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:22:45, on 03/12/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Windows\vsnp2uvc.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
F:\Kaspersky\avp.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\TelevisionFanatic\bar\1.bin\64brmon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Expat Shield\bin\openvpntray.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet E... Read more

Read other answers
RELEVANCY SCORE 28

Please help. My computer is overwelmed with Popup ads and unwanted downloads. here is my hijack this log. Thank you, for your help!

Logfile of HijackThis v1.99.1
Scan saved at 9:30:31 AM, on 6/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program... Read more

A:Under attack

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order.


* * * * * *


Please download & run VundoFix.exePut a check next to Run VundoFix as a task.
Click OK when you will receive a message saying vundofix will close and re-open in a minute or less.
When VundoFix re-opens, click the Scan button followed by the Remove button
** Your desktop will go blank as it starts removing Vundo. **
It will produce a log of it's actions at C:\vundofix.txt

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install - CleanUp.exe (not recommended for WinXP64)

Download Dr.Web CureIt & save it on desktop. We shall be using it later

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following conf... Read more

Read other 5 answers
RELEVANCY SCORE 28

Hello, I'm a new member here & I was wondering; how can you get rid of pop-ups stuck inside of files in my documents (like music, pictures, e-books etc.)? Now, I don't do porn, but for some reason, I'm getting a lot of pornographic pop-ups. I don't know if my computer is infected but these are the exact pop-ups I'm getting, sexbuddies.com, partypoker.com, adultfriendfinder.com, & exittracking.com. I also get the pop-ups for the win anti-virus protection all of the time. So, can somebody please help me??? lol. I'm not really all that computer savvy even though my name is cpgeek50; so can you please break it down step-by-step for me. Thanks A lot. And just to note, I've tried a lot of things like McFee security service, Internet Explorer pop-up blockers, & even deleting files that have the pop-ups in but still nothing works!!! So again, Thanks for your help everyone. P.S. Just to let you know, I have a Dell/Windows XP computer.
 

A:Attack Of The Pop-Ups!!!

Read other 9 answers
RELEVANCY SCORE 28

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 14:46: VIRUS ALERT!, on 27/09/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeC:\WINDOWS\system32\cisvc.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\ehome\ehtray.exeC:\WINDOWS\RTHDCPL.EXEC:&... Read more

A:Under Attack

Hello donna lisney,Welcome to Bleeping Computer This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.1. Download this file - combofix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe2. Double click combofix.exe & follow the prompts.3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.Note:Do not mouseclick combofix's window while it's running. That may cause it to stall.Thanks,tea

Read other 2 answers
RELEVANCY SCORE 28

Hi there, I?ve got some major problems with my computer that just won?t seem to go away whatever I do - I?ve literally spent the whole week trying to fix things myself but nearly every time I got rid of something it would just show up again later on. So then I tried some of the recommended software programs that were supposed to clean my computer up like Spybot, Ad-Aware, Spy Sweeper and Norton Anti-virus and once again they seemed to get rid of a lot of things, and once again most of these things would just come back onto my computer later on. So I think the time has come for me to bring out the white flag and call in some expert help? What I thought I would do is put down everything I know about my situation so far, as well as including a HijackThis log so you can get an idea of what?s going on with my system (although I really don?t think the log itself gives a full picture of my problems). I also thought that this approach might be helpful to other people in identifying similarities with their own situations and seeing what actions they need to take to get rid of a particular program.As I understand it, I?ve been infected with some adware/spyware programs, most of which I seem to be able to identify and ?delete? from my computer easily enough, but either I?m not removing them permanently or there?s something still there that is putting them right back on my computer the next time I go online (and most probably it?s both of these). In fact, I?m pretty sure that some of the... Read more

A:HELP! Under attack from everything!

Chizz -- Thanks for sending your HijackThis log.The detail in your first post is very helpful.I think you may have a new variant of the Look2Me infection. To start, we'll need to gather sme more information about your system.Since this infection changes it's filenames of every reboot, please do not reboot once you start collecting information for me. 1 -- Run a full scan using Ad-aware with the most recent reference file, and delete anything it finds to remove as much as possible before starting. 2 -- Reboot and download these 2 utilities ready.Dllcompare (version(1.0.0.127)which will scan for locked files created by VX2)and Killbox (version 2.0.0.76, which will be responsible for removing the files found)3 -- Using DllCompareCopy the dllcompare.exe to your desktop, don't just run it from the download site.It is preset to scan the System32 directory, so nothing other than you clicking the [Run locate.com] button is required.When the scan is complete, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the [Compare] button.It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.In a few minutes it will complete *in blue CompletedClick the button [Make a Log of what was Found]Copy and paste this log into your reply to this message.Also include a fresh HijackThis log.I'll follow up with the next instructions for using killbox.Thanksdaveai

Read other 1 answers
RELEVANCY SCORE 28

Getting pop-up for every website I visit. I am using FireFox and pop-up still get thought even with pop up block on.



DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Owner at 21:08:00.32 on Tue 08/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1339 [GMT -5:00]

AV: Norton AntiVirus 2005 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
c:\Program F... Read more

A:Pop-Up attack

Hello and welcome to TSF.

Kindly follow my instructions in the order they are presented, and please refrain from any self-fixing or running of scanners unless requested by me or another helper at this forum.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

How to disable your security applications

Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following mes... Read more

Read other 8 answers
RELEVANCY SCORE 28

Hi,

I was just wondering if anyone knows why someones computer would suddenly become under vigorous attack by would be intruders. I was just glancing at my firewall logs and noticed that in the last hour alone, there have been over 250 attempts into my computer. Usually I get about 70 in a 24 hour period. I am not really worried about this as my firewall is blocking them, but I am curious as to why this would be happening. The only reason I even noticed this is because my firewall icon is showing constant activity and since it had just started a new log about an hour ago and there were already so many hits on it, it was quite obvious something was going on.

One computer has made 44 attempts, another one has made 56, another one 40, another one 58, another one 61, another one 70 and it just keeps going. I haven't looked up any of the IP addresses but the addy of most of these end in .UK or .au. The one that has tried 70 times looks to be from Canada as it is from ShawCable which I believe is in Canada. There are a bunch of other ones that have tried multiple times too, some of which are from the US (which is where I live) as they have Comcast in the addy, but those are sporadic and have not made nearly as many attempts as the ones I listed here. None of them appear to be pings from my ISP.

The only site I have been on all night have been my trusted TV listing site and this one.

Anyone know why this might be happening?

It isn't slowing down at all, here it is about 3 hour... Read more

A:Under Attack

If your firewall provides an alert which indicates it has blocked access to a port that does not necessarily mean your system has been compromised. These alert messages are a response to unrequested traffic from remote computers (an external host) to access a port on your computer. Even if the port is open, the alert message indicates that your firewall has blocked the attempt to access it. These alerts are often classified by the network port they arrive on and allow you to see the activity of what is happening on your firewall. It is not unusual for a firewall to provide numerous alerts regarding such attempted access. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports - commonly probed ports and make repeated attempts to access them. Your firewall is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts. However, not all unrequested traffic is malevolent. Even your ISP will send out regular checks to see if your computer is still there, so you may need to investigate an attempted intrusion. The alerts allow the firewall to notify you in various ways about possible penetration and intrusion attempts on your computer.If the alerts become too annoying, you should be able to go into your firewall settings and turn them off (Hide notification messages).

Read other 6 answers
RELEVANCY SCORE 28

Hello,
 
I am a bit concerned about this situation, i recently installed Zone Alarm and it looks like there is a huge amount of intrusion attempts into my laptop, i have another laptop on my network that is probably severely inffected but its currently turned off.
 

 
I want to know whats going on here, it doesn't feel safe at all... Should i be worried about this?
 
System Info:
 
Windows 7 home premium 64 bits - almost clean install, it has 1 week or so, been downloading some torrents tho.
Toshiba satellite
 
Forgot to add: I've run MBAM and it says the system is 100% clean.

A:Looks like I am under attack? what should i do?

Welcome aboard   Download Security Check from here or here and save it to your Desktop. Double-click SecurityCheck.exe Follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.Make sure the following options are checked:
Internet ServicesWindows FirewallSystem RestoreSecurity Center/Action CenterWindows UpdateWindows DefenderOther ServicesPress "Scan".It will create a log (FSS.txt) in the same directory the tool is run.Please copy and paste the log to your reply. Please download MiniToolBox and run it.Checkmark following boxes:Report IE Proxy SettingsReport FF Proxy SettingsList content of HostsList IP configurationList Winsock EntriesList last 10 Event Viewer logList Installed ProgramsList Devices (do NOT change any settings here)List Users, Partitions and Memory sizeList Restore PointsClick Go and post the result. Please download Malwarebytes Anti-Malware to your desktop.NOTE. If you already have MBAM 2.0 installed scroll down.Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
At the end, be sure a checkma... Read more

Read other 18 answers
RELEVANCY SCORE 28

I just submitted a form to this company after clicking send I got the following message:

XSS Attact Recorded With Ip : **.***.***.**. This is your 1. XSS attact. Your information is recorded.

Anything I should be worrying about?
 

A:xss attack help

Closing duplicate.

Please do not start more than one thread for the same issue.
 

Read other 1 answers
RELEVANCY SCORE 28
Q: Attack?

hi
last few days some thing comes to my pc
this note says
net work attack instrusion.win.mssql.worm..hellcern from address 218.75.199.50 has been successfully repelled
WHAT 218.75.199.50 mean
what do i have do thank you for your help

A:Attack?

That warning is telling you your firewall is doing its job. If the warnings keep coming, and I am sure they will, just turn off the warning balloon.

Read other 2 answers
RELEVANCY SCORE 28

Hi, thankfully it has been a while since I have needed your help but my pc has recently picked up a virus (or two) and your expertise would be hugely appreciated!

I've followed your 'Instructions before posting' thread and have attached the requested zip file. I'll post the contents of DDS.txt at the end of this post.

Twice this week my pc has carried out an unprompted blue screen physical memory dump and once it simply rebooted itself (no blue screen). These crashes occurred when I clicked 'Close' on separate programs, one being 'KMP Media Player' and the other 'Pokerstars'.
Upon boot up I'm being presented with a highly suspicious looking 'Codec Update' screen which is claiming to be from the 'Windows Essential Codec Pack' which I do have installed except that I have noticed that this screen spells Essential...Essencial. I've also noticed interference with sound as well as occasional visual flickering of some running programs.

I have carried out two full system AVG scans and deleted or locked up the threats it found. The first scan found 3 threats with the same name...

C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP770\A0218125.exe

...and were listed as Trojan horse BackDoor.Generic_c.CJW.

The second scan found 6 identical .exe entries which matched the file name above except for the last number being a 6 rather than a 5 and this time they were listed as 'Virus found Downloader.Swizzor'. I took screenshots of the results wh... Read more

A:I'm under attack!

Hi

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so.


Combofix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please read all the information carefully!

You MUST disable your AntiVirus and AntiSpyware applications - please read this thread as a guide. They may otherwise interfere with our tools and interrupt the cleansing process.

Please include the log C:\ComboFix.txt in your next reply for further review.

Read other 17 answers
RELEVANCY SCORE 28

i have a computer that has fallen to several virus - malware. i have found the following qncguscw.dll and iiffded.dll. Nortons caught the rest and removed them. Please help me remove the remaining infections. This is my first time using this type of help, please be patient with me.
 

A:under attack

here is my hijack this log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:33 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray... Read more

Read other 1 answers
RELEVANCY SCORE 28

Hi, I ran the scans and here are my results.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Brian at 2:33:17.71 on Wed 03/04/2009
Internet Explorer: 7.0.6001.18000
Microsoft? Windows Vista? Home Premium 6.0.6001.1.1252.1.1033.18.1917.1045 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\lxbkcoms.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\P... Read more

A:May Day, May Day, I'm Under Attack

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

It appears that you have two antivirus programs installed, McAfee and AVG. Even though AVG is not running, they can still conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Programs and Features in your Control Panel.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
I... Read more

Read other 19 answers