check my files please

Discussion in 'other security issues & news' started by angelfromabove, Jan 2, 2004.

Thread Status:
Not open for further replies.
  1. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    I have much abuse, just days evidence :p
    -

    http://www.villagephotos.com/pubbrowse.asp?selected=702162

    http://www16.brinkster.com/infaithsplace/t5t.txt
    -
    What I need help on is not this comp but my other laptop (XP). When dialing up it says 'remote connection'

    as if there is another connection joined :mad: :mad: :mad:

    In Zone Labs there are apps like NT logon / command processor / services controller
    updater
    MS DTC console program? / generic host bla bla / app layer gate / LiveUpdate engine com....

    Well, if the link works you'll see an image showing all. I also get, as you see, pings and people trying to have power to either plant stuff or see stuff, control, haha, fun for me not :oops: :blink: :doubt:

    I have two comps and this one is **** so I hope to use it to save my other, so I CAN'T work...
     

    Attached Files:

  2. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    Hi LowwaterMark :)

    I think what you said puts it well, a possible infection and/or remote intrusion connection by some bad application embedded in my computer!

    To clarify, initially my XP laptop has a remote connection in form of text, when I dial up... I hate the chance for anybody to abuse me... I've had a Windows ME for 2 years, and had abuse for 1 and a half years, so I saved up for a laptop!... it seems they kill my comp every 1/2 months and play games, all the same games... now it's different, I have a full HD of info on my new comp which I'm nervous it'll be killed by possible trojan or virus or worm or something that has a timing

    I know I'm confusing, I'll clarify if you point me in a direction
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Hi,

    Welcome to the forum!

    Since you've edited your post a couple times, I decided to totally redo my reply. ;)

    Let me start with something from your first post because you may be under a false assumption and I think we should clear that up first.

    I've looked at your text file, (t5t.txt), and that appears to be fairly normal probes from the Internet. Your system is blocking them (otherwise it wouldn't be recording them) so that is not a problem at all. We all get Subseven scans from the outside, it doesn't mean our systems are infected. They are nothing more than attempts to connect to our systems to see if we are infected by Subseven.

    As for the pings, those are normal too, though hopefully that activity is going to reduce as time goes by. All these probes and scans are nothing more than other people's infected systems trying to reach out and infect our systems. They are harmless if we block them and aren't infected by something previously.

    Blocked scans do not mean you are infected. It's important to realize that.

    Now, as for the "priority order" we should follow to address your situation, the most important thing is to get all the facts out and then determine if your system is infected or not, regardless of the external scan info.

    To proceed... First, which system is the one you believe has the problem? The Windows ME system? Is that where the image above comes from - the Windows ME task manager (ctrl alt del)?

    If that's the system it has Anti-Trojan Shield running. But, do you have a regular Anti-Virus package on there? Norton? McAfee? other? We'll need to start with a scan. If you don't have an AV package, we'll do an online scan instead.

    Side note: It looks like you are running two software firewalls - LooknStop and Zone Alarm. That's not a good idea. A system should only ever have 1 installed and running software firewall application.


    Edit: I think I'll move this thread to the "other security issues" forum section later on. There will be a moved placeholder left in this forum with a link to the new thread. In any case, look for it there later.
     
  4. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    Hi, I understand, that's cool then...

    I did have Norton and still crashed! I'll look for an antivirus, which do you recommend as there are many free ones?

    My images originated from both XP & ME, I wish to save both from any future problems, but the XP laptop has a full HD, I've ordered a new HD, do you think this will help as the external HD can be offline and disconnected from the laptop at any time? :cool:

    I'd like to know what you think of my dial up details, when dialing up it says remote connection...

    I'm testing LooknStop, I will drop it if it fails me.

    OK, this one is interesting, why am I trying to connect to myself? If you see, I virtually made some lines for you, it has my computer name! My IP I think?
     

    Attached Files:

  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Hi again,

    First, there is nothing unusual in your Port Explorer image (for as much of it as is visible in that screen shot). Did you have specific questions about it? I think you are evaluating Port Explorer so, if you do have questions about it then you should start a new topic in our Port Explorer (link) forum section with details regarding whatever concerns you.

    As for anti-virus, you do need one! Especially if you are concerned that your system is infected. At this point though, I'm still wondering if you are infected at all. There has not been any clear indication of an infection in what you've posted so far.

    My first advice is to run an online anti-virus scan. I suggest the Panda Scanner. It runs right from your Internet Explorer browser window. A link to it is available from our Free Services page here:

    http://www.wilders.org/free_services.htm

    It's the Panda Active Scan. It'll take a while to run, but it is very powerful. You should run that and report back about what it finds, if anything.

    As to running two firewalls, the "remote connection" message, and your Zone Alarm image above, let's leave that until after we find out whether your system is infected or not. An active malware infection is much worse than any of these other things so let's find that out first.
     
  6. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    Hi
    Panda has an error, I'll try it later. Meanwhile I'll try to download it..


    I can't imagine why I'd have a 'remote connection'?


    I should be back tomorrow, please :)
    I must thank you for making things more positive :)
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    FYI - If Panda is down then just use Housecall, it's the next one down on our page there.

    When you come back, try to type in the full message regarding that "remote connection". I'm still not clear on exactly what that is yet. It may be something normal, I can't tell until I see the exact message. (If you can capture a screen image of the message and post that, it'd be much better.)

    See you when you get back! Have a good day. :)
     
  8. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    I'm back on my laptop to post this thing

    brb!
     

    Attached Files:

  9. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    more weird stuff i think
     

    Attached Files:

    • 5454.JPG
  10. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    I'm sorry about the spam, please don't delete it if you are, I'll save it to my web site first, it's the only way I could get it up fast
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Hmm, I don't see anything wrong in the images you've posted.

    Still waiting to hear the results of your online virus scan. If not Panda, then Housecall. :)

    The remote computer line in the dialup dialog is totally normal. Your modem dials, connects to a computer (for authentication) at your ISP and sends it the username and password the ISP assigned you. That's how a login is done.

    My svchost.exe is identical to the one you posted an image of above. The differing sizes are simply because files are allocated in blocks of space on a disk, in your case and mine that is in multiples of 4KB. If a file is 5KB in actual size, it would show 8KB in the Size on disk field. I've attached the "Version" tab of my svchost just so you can step down through that and see all the Microsoft specs in there. I highlighted the file version field. But, yours looks fine from here.

    Since svchost is a generic container for multiple network based functions, that's why there are many functions in the policy screen that map to different svchost startup commands. Also, that's why there are multiple copies of svchost running in the task manager. I have 4 myself here, though I've seen people with as many as 6, I think.

    Really, you should do a full system scan and let us know what it finds if anything. Also, we can do more after that. Any other specific questions?
     

    Attached Files:

  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Angel

    In addition to the things LWM recommended, it would be also helpful if you could ...

    ...download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Also, can you please download DCS's OpenPorts program from

    http://www.diamondcs.com.au/downloads/openports.zip

    Unzip openports.exe in your Windows directory, and open up your Command Prompt and type;

    openports > openports.txt

    and then press the Enter key

    Then type;

    openports.txt

    and press the Enter key again, and then copy the contents of the file in Notepad and paste it here for us to review

    Thanks
     
  13. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    Hi LowWaterMark ... I'm very grateful for all your help ;)

    I have a question which may be linked with just another app, when I start up or connect I get loads of dialup connection loading boxes, I guess it's not a question of why but what app?

    Anyway I'm downloading Trend which I think is HouseCall... and I'll try to download all the trojans and things, I often wonder are they just companies, or do they all have great depth of quality in their scans? Locating my problem is all I need, purchase must be a precise choice as I'm saving for a HD and I see most apps are free, I'd like a setup consisting of all corners i.e. firewall, virus, trojan, spyware, all free applications that do their job

    Hi Dan thanks, here's the file, what do you think about keenware=updater o_O

    I couldn't work openports, it just flashes, MS-DOS apps :p

    Can you guide me please

    Q: what is the punishment for the people who ping me or hack me, I reported some!

    Q: in Zone Alarm blocked pings? How did they change their destination source DNS?
    Is it a special trojan app that customizes, and do you think if I change my IP it would help, I don't seem to have a very good IP, RIPE, if you see it can you learn from me o_O well I don't live in Leeds... and how can I customize it?

    I guess I could have someone's old IP?
     

    Attached Files:

  14. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    I'm still wondering how you're sure this is normal, may I please inquire more, if you study it, it does seem strange, if you're not 100% sure then I could report it to Microsoft, tell them they have spaces?!!!!
    :oops:
    http://www.wilderssecurity.com/attachments/dialup1.jpg

    http://www.wilderssecurity.com/attachments/okwhatever8.jpg

    I've deleted some of my images above, for privacy's sake for those absorbent anti folk
     
  15. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Angel,

    I never said I was 100% sure that everything is fine on your system. I simply meant that based solely on what you posted, there is no sign that there is a problem. Having multiple svchost.exe running, for example, is totally normal. Everyone running XP has those. The size of your svchost.exe is totally normal. Neither of those is a sign of a problem.

    As for the dialup dialog image you posted. "Connected to remote computer" is also normal. The "remote computer" is your ISP's authentication server. That is simply how it validates that you are who you say you are (username & password) and it then gives you your Internet connection. So this is also not a sign of a problem. (Edit: See image below. I went over to my old Windows 95 system that has the same type of dialer as you are using and captured that picture. Notice it is the same as yours.)

    The thing that I was trying to stress as most important and a priority was to run an online virus scan, which you still haven't done. A couple times above you said you were "downloading the product". I was not saying to go and get an evaluation copy of those AV scanners, or to buy anything at this moment. (We can advise you later about different products, from free ones to really good pay products.)

    The "online scanners" I pointed you to are just webpage applets that run in your browser and scan your system for free. You can use them anytime. The links over on our free services page should bring you right into either the Panda scanner or the Housecall scanner. Click on them in IE, if necessary add their sites to your IE trusted zone and then run the scanner in the browser window. Let it scan for viruses and trojans and it'll report back when it is done.

    If you are worried about having something bad on your system you should be running these scans first thing!

    As for the spaces in that one image, that looks like an oddity to me, but I've never seen that myself. I won't say right away that it is anything to be worried about because I've seen lots of display problems before. The virus scan should find anything bad.

    More coming in my next post...
     

    Attached Files:

  16. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Openports is a command line utility program. You need to run it from a CMD window (it looks like an old style MS-DOS window). To get a CMD window up on XP... "Start" menu > "Run..." > enter "CMD" in the line next to Open: (see image below) > hit the "OK" button.

    This should bring up a CMD window, see next post.
     

    Attached Files:

  17. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Angel,

    Yes openports is a command-line app and cannot be launched just by double-clicking on it. It needs to be launched from a command prompt window as I described. I went through my own instructions to make sure I left nothing out and it works fine for me. Perhaps you skipped a step?
     
  18. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Here's what it looks like...
     

    Attached Files:

  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Pings and misc. scans from the Internet are totally normal and there are so many of them occurring that ISPs rarely act upon any of the reports unless... One person is doing a real lot of scanning and causing serious problems on the ISP, though this is rare. Or, if a person is actually caught hacking, which is extremely rare.

    These probes against you are not serious hack attempts. You can report them, but don't expect too much from the ISP.

    I'm not sure what your concern is here. Reverse DNS lookups are available for a lot of ISP connected people. In your image above, you circled a few and wrote things like "there all different" when talking about the "source" of the probes. That is normal. These are coming in from all over the Internet so of course they are different sources (different people, different computers out there) and both the IP address and their name is different. They aren't "changing" their DNS, those are simply what their ISPs assign to them as hostnames.

    The destination in all the circled cases is your system, so, your IP address and DNS name are the same in all those records.
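    The point made here and in post 3 (blocked inbound probes come from many unrelated sources, all aimed at your own address, and by themselves say nothing about infection) can be checked mechanically over a firewall text log. The Python below is an added example, not code from this thread, from Wilders or from Zone Labs; it assumes a simple comma-separated layout (event, date, time, source ip:port, destination ip:port, protocol) and uses constructed sample lines with documentation-range addresses, so it runs offline.

```python
import re
from collections import Counter

# Constructed sample lines (not a real log). Assumed layout:
# event,date,time,source ip:port,destination ip:port,protocol
# 198.51.100.20 plays the role of "your own" address; 27374 is the
# conventional SubSeven port that the thread's probes were aimed at.
SAMPLE_LOG = """\
FWIN,2004/01/02,10:11:06 +0:00 GMT,203.0.113.7:3321,198.51.100.20:27374,TCP (flags:S)
FWIN,2004/01/02,10:11:09 +0:00 GMT,192.0.2.44:1025,198.51.100.20:27374,TCP (flags:S)
FWIN,2004/01/02,10:12:31 +0:00 GMT,203.0.113.99:0,198.51.100.20:0,ICMP (type:8/subtype:0)
FWIN,2004/01/02,10:13:02 +0:00 GMT,192.0.2.130:2048,198.51.100.20:135,TCP (flags:S)
FWOUT,2004/01/02,10:13:40 +0:00 GMT,198.51.100.20:1030,192.0.2.250:27374,TCP (flags:S)
"""

LINE_RE = re.compile(
    r"^(?P<event>FWIN|FWOUT),(?P<date>[^,]+),(?P<time>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>.+)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not fit the assumed layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def summarize_inbound(records):
    """Blocked inbound (FWIN) probes: count them, count distinct sources, and
    confirm the destination is always the same address (the logging host)."""
    inbound = [r for r in records if r["event"] == "FWIN"]
    return {
        "count": len(inbound),
        "distinct_sources": len({r["src"] for r in inbound}),
        "destinations": sorted({r["dst"] for r in inbound}),
        "ports_probed": Counter(r["dport"] for r in inbound),
    }


def outbound_to_watch(records, watch_ports=frozenset({27374})):
    """Blocked inbound noise is not evidence of infection; an outbound (FWOUT)
    attempt from your own host to a backdoor port is what deserves a closer look."""
    return [r for r in records if r["event"] == "FWOUT" and r["dport"] in watch_ports]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize_inbound(recs))
    print(outbound_to_watch(recs))
```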
     
  20. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Angel,

    It appears you did not select all the required options in asviewer (see attached image). Can you please try it again after selecting those options and repost a fresh log?

    Regarding KeenValue, it is not well respected :) please see the following page;

    http://www.doxdesk.com/parasite/KeenValue.html

    Thanks
     

    Attached Files:

  21. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    HERE'S the WinME thing, I was going to reply yesterday but it kept logging me out, I'll post the rest of the XP stuff soon, today or tomorrow...


    later

    ps: I downloaded some virus things but they all don't work, weird reasons I tell you
     

    Attached Files:

  22. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Angel, I looked through your asviewer log for the ME system and found nothing there that would raise any alarms. We'll see about the other when you get an opportunity to post it.

    :)
     
  23. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    Hi Dan and all :) LowWaterMark I sent you an email in a panic state, no worries now, it was just one little setting called 'mobile code control' in Zone Alarm...

    It stops any embedded stuff, stopping Wilders forum from embedding a cookie or applet?

    So if anybody has troubles, I'm there, it's that!

    .......................

    As you people are so kind and keen to help, I actually have a range of problems that I feel are just as wickedly strange!

    Q: I attached an image, do you know what that program is doing this when I shut down?
     

    Attached Files:

    • why.JPG
  24. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi Angel,
    Happy New Year...
    You have RealOne Player, right??
    The problem is from that, it may seem..
    Maybe you can find some help here
    http://www.nocrash.com/ncbbs/msgs/3550.shtml
    and some more help for you Angel :)
    - Computer running abnormally slow
    - Computer not being able to shut down (generally Windows 95/98/machines)
    - Receiving notifications that "RNADMIN is not responding"

    It appears in all these cases the culprit is the new RealPlayer from RealNetworks. The version has varied, but one customer had RealPlayer 9 Gold, and others had RealOne Player (the newest version of RealPlayer available). Uninstalling RealPlayer has fixed the problem in all the cases. RNADMIN is part of RealPlayer, and customers that found it in their startup configuration were able to just disable it and still use RealPlayer normally. If you are having problems with your system and RealPlayer is installed, this may be something you can try.
     
  25. angelfromabove

    angelfromabove Registered Member

    Joined:
    Jan 1, 2004
    Posts:
    48
    Here's my security logs
     

    Attached Files:
