Dear friends, first let me thank you for your support. I am an intermediate/advanced user with Windows 7 Home Premium, using a Linksys E2500 dual-band router [which I believe is compromised based on research in the registry].
Hope this doesn’t sound crazy, but I think I have been made a client computer on someone’s administrative account. Here are some of the problems:
Despite the fact that I just reformatted last week and have very few megabytes taking up space, this HP p6710f is running very sluggishly. I did a ‘Leak test’ and the Avast firewall failed the Leak test.
I found this in my MMC:
Computer-administrator
WIN-G2BTSRMU4GD [NOT MY COMPUTER!!!]
[a setting changed inside parental controls] [I have never set 'Parental controls']
459 Group Policy errors [didn’t think I was on Group policy]
DHCPv6 router adverting settings have changed?
DHCP client has received network hint
And there are numerous other small details which have caused my brain to fry. I suspect the use of shell scripts in WMI and other places. Have used almost every anti-virus available to no avail. Found settings [unknown area code] in Remote Desktop that I did not do. Have run SFC and Disk Cleanup to no avail. Could not find Linksys info in the registry…but many generic modem settings. Found MSHTA in WinSxS. 193 CAP12 events…
I am very sorry if I have included irrelevant info, but I am like the blind lady trying to describe the elephant.
I am at my wits’ end…a very short walk. I am ready to follow your directions explicitly. Please help. I look forward to your assistance.
Gentlemen, thank you for your support. I noticed the details of your mixed instructions. Because I want to do this correctly, please tell me again where to begin.
PS I also wanted to mention that I used AUTORUNS and found no network connections or boot image listed there.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.
[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.
THEN
Download aswMBR.exe (4.5 MB) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation, accept that
When it offers to download the virus database allow that as well
Click the “Scan” button to start scan
Dear EssexBoy, thank you for your time and expertise. I think I have attached the logs as instructed. I very much do look forward to the results. I know it sounds crazy but I think my router has been hacked. Could be my email? I’m rambling.
Did you previously have Comcast Constant Guard installed?
There is a super administrator built in to all Windows systems, so that may be what you are seeing.
The network hint will be used if you change routers or network ISP.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.
Dear EssexBoy, WOW, immediately following the FRST 64 FIX, my computer freaked out and stopped me from using any browser at all. Avast kept saying [just like last week] that the pages had security problems and would not open this page or hardly any others. Could not open Control Panel or Windows Explorer even though I was still online. So the only way that I could get back to you was to restore back to 12/5. Might have wiped out what we have done. Afraid to run AdwCleaner.exe.
“Did you previously have Comcast Constant Guard installed?” And I have NEVER USED COMCAST. This thing is FOOBAR!
Soo now what?
Seems as though something took umbrage at being removed; bigger hammer time.
Download and Install Combofix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
Allrighty then…With limited use the computer seems okay, but I did notice that the Welcome screen background was changed [not by me] from the default HP sage green to the Windows 7 Upgrade colors of sky blue with little flowers or birds. I have no idea how that happened. Also I became concerned when glancing through the MMC and found this notation: Computer-administrator
WIN-G2BTSRMU4GD
[a setting changed inside parental controls]???
I am not using parental controls. Also I found some things regarding router advertisement flags being changed and I am worried that my router has been compromised.
Another thing that really freaked me out was that I started finding duplicates of my songs in my library with a long row of letters and numbers as identifiers. Also, I have two external hard drives not attached at this time that contain a rather larger personal music library. So please advise on these topics if possible.
And thank you SO MUCH! PS I forgot to disable Windows Defender…then I looked at it and could not figure out how to turn it off anyway…sorry Sir, I will cheerfully accept my lashes!
I tried to post the entire log, but the page said it was too large. I could not find C:\ComboFix.txt in that place, so I manually saved it to the Desktop. But despite the fact that I can see it on my Desktop, when I use Attach > Choose File…IT’S NOT THERE. Let me know what to do about this glitch…thanks!
Finally managed to attach the ComboFix log. Although I’m sure there is a good reason, I don’t understand why I continue to enumerate my concerns and they somehow never are addressed. ???
I woke up this morning to a message that my computer had been successfully restored to 12-5…only thing is I did not initiate a restore. I shut down my computer to install updates. Got the restore message when I booted it up this morning. Seems a little fishy?
Dear EssexBoy, of course I mean no disrespect. Please do not read a bad attitude into my words. It is only that some things are not right with this computer. I have asked about the dangers of connecting external hard drives…and a blue Welcome screen that did not come with my Windows installation…a system restore that I did not perform…And I use Event Viewer in the Management Console. I do not have, nor have I ever been able to find, a column called Local Groups and Users. It is not available to add to the MMC. But I did find this event in the Event Viewer which causes me some concern. Below is the entry I saved from that log. I will attach the screenshot of the MMC that I just took. The computer designation, “WIN-G2BTSRMU4GD”, does not match any number I have ever seen associated with my PC.
Again…I am grateful for your time and patience.
Log Name: Microsoft-Windows-ParentalControls/Operational
Source: Microsoft-Windows-ParentalControls
Date: 11/23/2014 3:13:36 PM
Event ID: 1
Task Category: SettingChange
Level: Information
Keywords: WPC
User: Mobo9-HP\Administrator
Computer: WIN-G2BTSRMU4GD
Description:
A Setting changed inside of the parental controls settings
Event Xml:
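Two checks a practitioner would run at this point, as an added example that is not part of the thread and not one of the helper's instructions: it reads the same Microsoft-Windows-ParentalControls/Operational log the post quotes and compares each event's recorded computer name with the name this machine has now, and it lists the state of the built-in Administrator account (the RID-500 account the earlier reply calls the "super administrator"). It assumes Windows 7 with PowerShell 2.0 or later, run from an elevated prompt; the log name, the Event ID (1) and the account's RID are the only specifics taken from the page, everything else is illustrative.

```powershell
# Added example (not from the thread). Assumes Windows 7 / PowerShell 2.0+, elevated.
$logName = 'Microsoft-Windows-ParentalControls/Operational'   # log quoted in the post

# 1. What this machine calls itself right now.
$localName = $env:COMPUTERNAME
$cs = Get-WmiObject Win32_ComputerSystem
"Local computer name : $localName"
"Domain/workgroup    : $($cs.Domain) (PartOfDomain=$($cs.PartOfDomain))"

# 2. SettingChange events (Event ID 1, as in the posted record) from that log.
#    Each record carries the name the machine had when the event was written;
#    compare it case-insensitively with the current name.
$events = Get-WinEvent -LogName $logName -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 1 }

if (-not $events) {
    "No Event ID 1 records found in $logName"
}
foreach ($e in $events) {
    $status = if ($e.MachineName -ieq $localName) { 'matches local name' }
              else { 'DOES NOT match local name' }
    "{0}  Id={1}  Computer={2}  User={3}  [{4}]" -f `
        $e.TimeCreated, $e.Id, $e.MachineName, $e.UserId, $status
}

# 3. Built-in Administrator account: its SID always ends in -500, whatever it is named.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like '*-500' } |
    Select-Object Name, Domain, SID, Disabled, Lockout, PasswordRequired
```

A Computer field that differs from the current name only establishes that the name was different at the time the record was written; the script reports the mismatch but does not say why it exists. The RID-500 listing shows whether the built-in account is disabled (the Windows 7 default) and whether it has a password set, which is the first thing to verify before assuming an unfamiliar "Administrator" entry in the MMC is foreign.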