I bought a new 500 GB HDD and installed Windows XP Professional and started having problems just like the ones I have listed here. So I wrote zeros to the drive, and reinstalled Windows XP Professional.
The folders/files on the installation disk are: FOLDERS: DOCS, I386, SUPPORT, VALUEADD FILES: AUTORUN.INF, README.HTM, SETUP.EXE, WIN51, WIN51IP
AND I KNOW THIS IS WRONG but I don't know what to do about it!!!
I kept telling the local computer guy that I think EITHER my MBR was screwed up, or that I have been hacked and somebody is controlling this thing remotely, but he would "run diagnostics" and said there was "absolutely NOTHING WRONG!" He did it 3 times. So I have come to you hoping you can help me. I really, REALLY want my computer back.
*When I start my computer, there are 36 processes running.*
I started by TRYING to follow your ten steps to get me started.
I downloaded "OnlineArmor, but when I tried to run the setup I got a dialog box that said, "The publisher could not be verified. Are you sure you want to run this software?" Name: OnlineArmorSetup.exe Publisher: Unknown Publisher Type: Application From: C:\Documents and Settings\Dorothy\My Documents\Downloads
Run Cancel
(*When I click on the OnlineArmor file in my folder it says "Emsi Software GmbH"*)
SUPERAntiSpyware said "Set up failed" "Error reading setup data"
*There are two files==SUPERAntiSpyware(1).exe and also SUPERAntiSpyware(1).exe.part
I next went to get the Essential Software Tools, but when I got them onto my computer and ready to install, I got the same "Unknown Publisher" message as above. So I've tried to do everything you ask, but I can't.
[I'm starting with Registry Entries that I don't understand. Most of these showed up after I downloaded Microsoft Office Small Business 2007, which I have a valid product key for.]
(*Many Registry entries have similar garbled things listed under the "C:\program files\etc*)
HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" /n /dde *====> w_1^VY!!!!!!!!!MKKSkWORDFiles>tW{~$4Q][emailprotected]`,xaTO5 /n /dde <====* HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit\ddeexec *====> [REM _DDE_Direct][FileOpen("%1")] <====* HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit\ddeexec\Application *====> WinWord <====* HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit\ddeexec\Topic *====> System <====*
w_1^VY!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q][emailprotected]=l2xaTO5 /e w_1^VY!!!!!!!!!MKKSkPubPrimary>tW{~$4Q][emailprotected][emailprotected] %1 w_1^VY!!!!!!!!!MKKSkWORDFiles>tW{~$4Q][emailprotected]`,xaTO5 /n /dde w_1^VY!!!!!!!!!MKKSkPubPrimary>tW{~$4Q][emailprotected][emailprotected] %1 w_1^VY!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q][emailprotected]=l2xaTO5 /e w_1^VY!!!!!!!!!MKKSkPubPrimary>tW{~$4Q][emailprotected][emailprotected] %1
and they're all followed by: [REM _DDE_Direct][FileOpen("%1")]
w_1^VY!!!!!!!!!MKKSkACCESSFiles>tW{~$4Q][emailprotected])AxaTO5 /NOSTARTUP "%1" %2 %3 %4 %5 %6 %7 %8 %9 [SetForeground][ShellOpenDatabase "%1"] w_1^VY!!!!!!!!!MKKSkACCESSFiles>tW{~$4Q][emailprotected])AxaTO5 /RUNTIME "%1" %2 %3 %4 %5 %6 %7 %8 %9
*Then a few other odd-ball ones:
(Default) C:\Program Files\Microsoft Office\Office12\REFEDIT.DLL InprocServer32 w_1^VY!!!!!!!!!MKKSkProductNonBootFiles>Ulbm)[emailprotected]$
(Default) C:\Program Files\Common Files\Microsoft Shared\INK\INKOBJ.DLL InprocServer32 w_1^VY!!!!!!!!!MKKSkWISPHidden>+G9P$cp(j=d8+fTjNKNm Threading Model Apartment
{168FA21B-D0BE-11D1-87C8-00AA00A71E2D},outlmime.dll w_1^VY!!!!!!!!!MKKSkGimme_OnDemandData msosec,fileVersion="7.10.5077.0",version="7.0.5000.00",culture="neutral",publicKeyToken="B03F5F7F11D50A3A" w_1^VY!!!!!!!!!MKKSkWhiteRabbitHidden>3w2x^IGfe?Cxl5heAvK.
CD Recorder Drive \\?\Volume{2a801e90-92aa-11e0-b458-806d6172696f}\
HKCU\Software\Microsoft\Windows\Explorer\User Assist (Two Folders--samples follow):
{5E6AB780-7743-11CF-A12B-00AA004AE837} Count HRZR_HVGBBYONE (string of numbers)
{75048700-EF1F-11D0-9888-006097DEACF9} Count HRZR_EHACNGU HRZR_EHACNGU:P:\Cebtenz Svyrf\Fnsre Argjbexvat\SvyrNylmre 2\SvyrNylmre2.rkr HRZR_EHACNGU:P:\Cebtenz Svyrf\Urjyrgg-Cnpxneq\UC Qrfxwrg 9800 Frevrf\Gbbyobk\UCJDGOK.rkr
There are many, many of these: {00000000-0000-0000-0000-00000000000}
HKEY_USERS are: .DEFAULT S-1-5-18 S-1-5-19 S-1-5-20 S-1-5-21-1801674531-220523388-725345543-1003
SPECIALACCOUNTS UserList HelpAssistant IUSR_ IWAM_ NetShowServices SQLAgentCmdExec TsInternetUser VUSR_
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions ProductSuite ProductType WinNT
ENOUGH CRAP FROM THE REGISTRY
*Whenever I'm moving from one site to another the address bar says "about:blank"*
*Whenever I try to open the sidebar in the Network Connection folders, I just get the directory of stuff on the computer. There are no options available for the connections. If I click on "Advanced" and "Optional Network Components" I get a dialog box that says:*
"Windows XP Setup" Invalid program arguments were specified: /i:-(required) Specifies the name of the master.inf. The installation source path is taken from here. /u:-Specifies unattended operation parameters. /r -Suppress reboot (when reboot is necessary). /z -Indicates that args that follow are not OC args and should be passed to components /n -Forces the specified master inf to be treated as new. /f -Indicates that all component installation states should be initialized as if their installers had never been run. /c -Disallow cancel during final installation phase. /x -Suppresses the 'initializing' banner. /q -for use with /u. Runs the unattended installation without UI. /w -for use with /u. Runs If a reboot is required, prompt the user instead of automatically rebooting. /l -Multi-Language aware installation
and an "OK" button
In CONTROL PANEL\SYSTEM\HARDWARE\DEVICEMANAGER\DISK DRIVES the properties lists my WDC WD5000AADS-0059B0 as Volume C: with a capacity of 131060 MB {{Sharing Tab: Share this folder. Share name: C$. Comment: Default share. User Limit: Maximum Allowed
SECURITY: Administrators; CREATOR OWNER; Everyone; SYSTEM; Users}}
In CONTROL PANEL\ADMINISTRATIVE TOOLS\COMPUTER MANAGEMENT\STORAGE\DISK MANAGEMENT I have: Volume (C:) | Partition Basic | File System NTFS | Status Healthy (System) | Capacity 127.99 GB | Free Space 110.43 GB |88% Free | No Fault Tolerance | 0% Overhead
In the space below it shows Disk 0; Basic; 465.76 GB; Online (C:) 127.99 GB NTFS Healthy (System) and then 337.77 GB Unallocated I tried extend through DiskPart, but I got the message:
DiskPart failed to extend this volume. Please make sure the volume is valid for extending.
I really hope you can help. I'm not even sure what's relevant and what's not. I could open some of the .dll files and find weird things for you, and also the ntldr file with its oddball instructions, but I thought that what I've given you here might be enough. If you need more, or other, information, I'll be glad to send it. I am...One Lost Eskimo!!!

Welcome to CH. First of all, there is so much information to examine. Yet some important details are missing. Please provide.
During install the Windows CD must be booted by the computer and the install program will repair any problems with the MBR. Also, there is the option to format the hard drive, so it should not be necessary to write 0s to the drive with another utility. So MBR ISSUE is unlikely.
How old is the Computer? Did it already have a working XP on it before you installed a new drive? Is this a new SP3 version of XP? OEM or Retail?
Were there any warning messages during the install of Windows XP from the CD? If so, what?
It would be very unlikely, even impossible, for a hacker to get into your PC before the install was completed and you got on to the internet.
Without knowing more, it would appear that something is wrong with the Windows XP install CD. Have you used it before and got it to work alright on another hard drive or another PC?
You say the drive was tested by someone else, so there is no reason to think anything is wrong with the drive.

Quote from: OneLostEskimo on JUNE 20, 2011, 05:46:13 PM
The folders/files on the installation disk are: FOLDERS: DOCS, I386, SUPPORT, VALUEADD FILES: AUTORUN.INF, README.HTM, SETUP.EXE, WIN51, WIN51IP
AND I KNOW THIS IS WRONG but I don't know what to do about it!!!
You know it is wrong? If you are referring to the content of the disc, it looks normal to me.
Quote
*When I start my computer, there are 36 processes running.*
Sounds normal to me.
Quote
I downloaded "OnlineArmor, but when I tried to run the setup I got a dialog box that said, "The publisher could not be verified. Are you sure you want to run this software?" Name: OnlineArmorSetup.exe Publisher: Unknown Publisher Type: Application From: C:\Documents and Settings\Dorothy\My Documents\Downloads
Run Cancel
(*When I click on the OnlineArmor file in my folder it says "Emsi Software GmbH"*)
This is normal, all programs downloaded from the internet will have a zone identifier, and when you try to run a program windows looks for that identifier and if present will show the dialog. The reason the publisher field is empty (and technically there is no "verification" ever done anyway so that dialog is misleading at best) is because the setup program doesn't have one- the program run probably does. Or, also possible, it's looking at another field.
Either way- this is not a concern.
Quote
SUPERAntiSpyware said "Set up failed" "Error reading setup data"
*There are two files==SUPERAntiSpyware(1).exe and also SUPERAntiSpyware(1).exe.part
It didn't finish downloading.
Quote
I next went to get the Essential Software Tools, but when I got them onto my computer and ready to install, I got the same "Unknown Publisher" message as above.
Every program you download from the internet is going to show you that dialog. (the reason the SAS setup didn't was because it didn't finish downloading, which is also why the .part file is still there as well as why it fails when it tries to run).
Quote
[I'm starting with Registry Entries that I don't understand. Most of these showed up after I downloaded Microsoft Office Small Business 2007, which I have a valid product key for.]
HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit "C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" /n /dde *====> w_1^VY!!!!!!!!!MKKSkWORDFiles>tW{~$4Q][emailprotected]`,xaTO5 /n /dde <====* HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit\ddeexec *====> [REM _DDE_Direct][FileOpen("%1")] <====* HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit\ddeexec\Application *====> WinWord <====* HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit\ddeexec\Topic *====> System <====*
w_1^VY!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q][emailprotected]=l2xaTO5 /e w_1^VY!!!!!!!!!MKKSkPubPrimary>tW{~$4Q][emailprotected][emailprotected] %1 w_1^VY!!!!!!!!!MKKSkWORDFiles>tW{~$4Q][emailprotected]`,xaTO5 /n /dde w_1^VY!!!!!!!!!MKKSkPubPrimary>tW{~$4Q][emailprotected][emailprotected] %1 w_1^VY!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q][emailprotected]=l2xaTO5 /e w_1^VY!!!!!!!!!MKKSkPubPrimary>tW{~$4Q][emailprotected][emailprotected] %1
and they're all followed by: [REM _DDE_Direct][FileOpen("%1")]
w_1^VY!!!!!!!!!MKKSkACCESSFiles>tW{~$4Q][emailprotected])AxaTO5 /NOSTARTUP "%1" %2 %3 %4 %5 %6 %7 %8 %9 [SetForeground][ShellOpenDatabase "%1"] w_1^VY!!!!!!!!!MKKSkACCESSFiles>tW{~$4Q][emailprotected])AxaTO5 /RUNTIME "%1" %2 %3 %4 %5 %6 %7 %8 %9
*Then a few other odd-ball ones:
(Default) C:\Program Files\Microsoft Office\Office12\REFEDIT.DLL InprocServer32 w_1^VY!!!!!!!!!MKKSkProductNonBootFiles>Ulbm)[emailprotected]$
(Default) C:\Program Files\Common Files\Microsoft Shared\INK\INKOBJ.DLL InprocServer32 w_1^VY!!!!!!!!!MKKSkWISPHidden>+G9P$cp(j=d8+fTjNKNm Threading Model Apartment
{168FA21B-D0BE-11D1-87C8-00AA00A71E2D},outlmime.dll w_1^VY!!!!!!!!!MKKSkGimme_OnDemandData<OUTLOOKFiles
msosec,fileVersion="7.10.5077.0",version="7.0.5000.00",culture="neutral",publicKeyToken="B03F5F7F11D50A3A" w_1^VY!!!!!!!!!MKKSkWhiteRabbitHidden>3w2x^IGfe?Cxl5heAvK.
These are internal values all used by MS Office 2003 and higher for things like DDE and OLE automation. I recall somebody else complaining about them because they looked FUNKY but they are normal and are present on all my machines that have Office 2003 or later installed; possibly even my ancient Pentium-1 machine (Office 2000) but I never checked.
Quote
CD Recorder Drive \\?\Volume{2a801e90-92aa-11e0-b458-806d6172696f}\
This is normal as well. It states the Unicode ARC path to your CD-Burner for the burning facility of windows.
Quote
HKCU\Software\Microsoft\Windows\Explorer\User Assist (Two Folders--samples follow):
{5E6AB780-7743-11CF-A12B-00AA004AE837} Count HRZR_HVGBBYONE (string of numbers)
{75048700-EF1F-11D0-9888-006097DEACF9} Count HRZR_EHACNGU HRZR_EHACNGU:P:\Cebtenz Svyrf\Fnsre Argjbexvat\SvyrNylmre 2\SvyrNylmre2.rkr HRZR_EHACNGU:P:\Cebtenz Svyrf\Urjyrgg-Cnpxneq\UC Qrfxwrg 9800 Frevrf\Gbbyobk\UCJDGOK.rkr
I cannot state with any certainty what these are, but unless they are referring to present files (on a P drive...) they don't do anything at all. Another question might be, how, in either case, you feel these are suspicious? Because you don't know why they are there? My guess would be they are used for Remote Assistance information. Again, all the computers running windows I have access to have these entries. This includes the Virtual Machines, which I've only used for testing my own applications and have never had access to the Internet.
Quote
There are many, many of these: {00000000-0000-0000-0000-00000000000}
Empty/null CLSIDs are not surprising. They aren't valid so are probably being used to denote that there is nothing there or the entry is a sentinel.
Quote
HKEY_USERS are: .DEFAULT S-1-5-18 S-1-5-19 S-1-5-20 S-1-5-21-1801674531-220523388-725345543-1003
SPECIALACCOUNTS UserList HelpAssistant IUSR_ IWAM_ NetShowServices SQLAgentCmdExec TsInternetUser VUSR_
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions ProductSuite ProductType WinNT
Those are all normal.
Quote
*Whenever I'm moving from one site to another the address bar says "about:blank"*
Also, Normal. I'm trying to figure out how that could even be construed as malicious activity.
Quote
*Whenever I try to open the sidebar in the Network Connection folders, I just get the directory of stuff on the computer. There are no options available for the connections. If I click on "Advanced" and "Optional Network Components" I get a dialog box that says:*
"Windows XP Setup" Invalid program arguments were specified: /i:<master_oc_inf>-(required) Specifies the name of the master.inf. The installation source path is taken from here. /u:<unattend_spec>-Specifies unattended operation parameters. /r -Suppress reboot (when reboot is necessary). /z -Indicates that args that follow are not OC args and should be passed to components /n -Forces the specified master inf to be treated as new. /f -Indicates that all component installation states should be initialized as if their installers had never been run. /c -Disallow cancel during final installation phase. /x -Suppresses the 'initializing' banner. /q -for use with /u. Runs the unattended installation without UI. /w -for use with /u. Runs If a reboot is required, prompt the user instead of automatically rebooting. /l -Multi-Language aware installation
and an "OK" button
This is interesting in that it is a common issue with pirated copies of Windows XP...
Quote
In CONTROL PANEL\SYSTEM\HARDWARE\DEVICEMANAGER\DISK DRIVES the properties lists my WDC WD5000AADS-0059B0 as Volume C: with a capacity of 131060 MB {{Sharing Tab: Share this folder. Share name: C$. Comment: Default share. User Limit: Maximum Allowed
Administrative shares. You can delete them at the command prompt using net share C$ /delete, but they are recreated on reboot. Before anybody can access the shares they need to be able to access the appropriate RPC ports (which are usually masked by a router) as well as have a valid account on the machine; all the accounts listed are part of the default setup from installing windows.
Quote
I have: Volume (C:) | Partition Basic | File System NTFS | Status Healthy (System) | Capacity 127.99 GB | Free Space 110.43 GB |88% Free | No Fault Tolerance | 0% Overhead
In the space below it shows Disk 0; Basic; 465.76 GB; Online (C:) 127.99 GB NTFS Healthy (System) and then 337.77 GB Unallocated I tried extend through DiskPart, but I got the message:
DiskPart failed to extend this volume. Please make sure the volume is valid for extending.
The default size used by windows XP to create a system partition is ~128GB or so. Also, without Service packs XP setup can only see 128GB or so as well. diskpart can only extend data volumes, not system or boot volumes, as detailed here.
Quote
I really hope you can help.
Help with what? Trying to validate what appears to be paranoia? Everything you've detailed seems completely normal, and unless you feel this exact same hacker has taken over every single one of my PCs (including those which have never been connected to the internet, which would be quite a feat if you ask me), it has absolutely no basis in reality. Just because you don't know what registry key or dll file or something does or is for doesn't automatically mean it's malicious.
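The UserAssist value names quoted earlier in the thread (HRZR_EHACNGU:P:\Cebtenz Svyrf\...) are stored by Windows with a ROT13 substitution, which is why they read as gibberish in the registry editor. The following decoder is an added example and is not code from any post in this thread; it uses the strings posted above as constructed sample input, and the list of directories treated as "expected" launch locations is my own assumption for triage, not anything the thread states.

```python
import codecs

# Constructed sample input: the UserAssist value names quoted earlier in
# this thread, copied from the post rather than read from a live registry.
SAMPLE_VALUE_NAMES = [
    "HRZR_HVGBBYONE",
    r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Fnsre Argjbexvat\SvyrNylmre 2\SvyrNylmre2.rkr",
    r"HRZR_EHACNGU:P:\Cebtenz Svyrf\Urjyrgg-Cnpxneq\UC Qrfxwrg 9800 Frevrf\Gbbyobk\UCJDGOK.rkr",
]

# Assumed prefixes where program launches are expected on an XP machine.
# A path outside them is not evidence of anything; it is only where a
# reviewer would look first.
EXPECTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\windows\\",
)


def rot13(text):
    """ROT13 is the only transformation applied to UserAssist value names."""
    return codecs.decode(text, "rot_13")


def decode_userassist_name(value_name):
    """Return (kind, path). For UEME_RUNPATH entries the path is the program
    that was launched; for bare counters such as UEME_UITOOLBAR it is None."""
    plain = rot13(value_name)
    kind, sep, rest = plain.partition(":")
    return kind, (rest if sep else None)


def is_expected_location(path):
    """True when the decoded path sits under one of the assumed prefixes."""
    return path.lower().startswith(EXPECTED_PREFIXES)


def triage(names):
    """Decode every name; return (kind, path, expected_location) per entry.
    expected_location is None for entries that carry no path."""
    rows = []
    for name in names:
        kind, path = decode_userassist_name(name)
        expected = is_expected_location(path) if path else None
        rows.append((kind, path, expected))
    return rows


if __name__ == "__main__":
    for kind, path, expected in triage(SAMPLE_VALUE_NAMES):
        flag = "" if expected in (None, True) else "<- review"
        print(kind, path or "", flag)
```

Run stand-alone it prints the decoded launch paths (FileAlyzer 2 and an HP Deskjet toolbox, both under C:\Program Files), which is the kind of check that turns a scary-looking registry dump into a plain list of programs the user actually ran.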
OK. Thank you. You may unsubscribe me now so I no longer clutter up your wonderful site.

Quote from: OneLostEskimo on June 21, 2011, 09:08:47 AM
Help with what? Trying to validate what appears to be paranoia? .....
OK. Thank you. You may unsubscribe me now so I no longer clutter up your wonderful site.
You did not provide some simple information.
How old is the computer? - An old PC will not go with a 500 GB drive. Failure is chaotic.
Did it already have a working OS on it? - If not, the PC could have many issues.
Did you use an XP SP3 CD to install? - Older versions of XP also cause **chaotic failure.
**chaotic failure. In this context it means the hardware and software performance and recovery does not fit an obvious nor rational pattern. This can be when hard drive data is corrupted by an errant process, but not a malicious process. That behavior has been identified and documented elsewhere when using an old PC with an older XP CD and a large hard drive. Your lack of willingness to provide essential information about the history of the PC has led to this thread, which is as you said, a lot of clutter for the CH site. BC's curt response reveals that your post has the earmarks of an attempt to sabotage the CH web site.
For the benefit of others reading this: Do not ever try to install an older version of a Windows OS on an older PC with a hard drive larger than 127 GB. This has been very well discussed elsewhere. The mere FACT that somebody else did it does not mean it always WORKS. We don't want to beat a dead horse.

Quote from: Geek-9pm on June 21, 2011, 11:33:08 AM
BC's curt response reveals that your post has the earmarks of an attempt to sabotage the CH web site.
No, it just seems clear that they are looking for problems where there are none; as they noted, they've taken it to a tech who said they couldn't find anything wrong, but instead of going "oh, OK, silly me" they instead chalk that up to the tech not knowing what they are doing. They state these registry entries and other otherwise normal (for the installed software) entries as "problems", when they simply don't understand them. I don't understand what the heck they do (the Word ones, for example) but I do know those keys appear on a perfectly clean install of Office on a machine that is never connected to the net, and deleting the keys breaks Office application associations, so clearly they do something.
I think what confused me is they said they "were having the problems they listed" but they don't actually list any problems. This is probably the most important thing to know- what is wrong. Listing registry keys and files doesn't tell us the problems one is having!

There were no problems as posted...
Quote
I bought a new 500 GB HDD and installed Windows XP Professional and started having problems just like the ones I have listed here. So I wrote zeros to the drive, and reinstalled Windows XP Professional.
My point was that he did not identify the PC nor the version of XP. He then goes on to talk about things that do not offer any clarification. Without knowing which PC and which XP, it is hard to even guess at what problems he really has. Therefore it would appear to be, IMHO, deliberate obfuscation.
Pardon me if I missed the real point of his post.

Quote from: Geek-9pm on June 21, 2011, 05:28:19 PM
My point was that he did not identify the PC nor the version of XP. He then goes on to talk about things that do not offer any clarification. Without knowing which PC and which XP, it is hard to even guess at what problems he really has. Therefore it would appear to be, IMHO, deliberate obfuscation.
Pardon me if I missed the real point of his post.
Good point.
In any case, they've gone somewhere else. I personally think they just need ONE person to confirm their suspicions that there is a "hacker" watching them; anybody else just doesn't know what they are talking about...

Yes, he wants to blame somebody. Notice this:
Quote
The folders/files on the installation disk are: FOLDERS: DOCS, I386, SUPPORT, VALUEADD FILES: AUTORUN.INF, README.HTM, SETUP.EXE, WIN51, WIN51IP
AND I KNOW THIS IS WRONG but I don't know what to do about it!!!
Like you said, he won't be back.