
8 Step Log Results for Laptop

By Husky44 · 16 replies
May 22, 2009
  1. Starting the holiday weekend with computer cleanup chores. I have a laptop and a desktop to do, so you'll see another post soon with the desktop logs.

    Thanks for the help!


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for making it clear that you're working on two different computers! We don't always get that information and it makes us scratch our heads at times!

    First thing for you to do is Empty the Recycle Bin- it's full of malware trash.

    Are you having any problems or is this a kind of 'screening'? Mbam removed one file. HJ has left over toolbar from Real.com

  3. Husky44

    Husky44 TS Rookie Topic Starter Posts: 28


    Thanks again. Here's the laptop results:

    -Security Center: On this computer, All three show "On" and a green light. Not sure why you're saying it was off?

    -Recycle Bin: It was empty when I opened it. Not sure why it was showing full of malware?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There are 10 of these entries in SAS:
    C:\RECYCLER\S-1-5-21-2855437500-1594634220-3818733573-500\DC31\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE

    This is actually the Recycle Folder- Per MS:
    The identifiers such as {6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA} all point to Wild Tangent which Dell included in the game console.
    What is Wild Tangent?
    Check Add/Remove Programs for Wild Tangent. If found, uninstall it.

    You can try to empty the Recycler Folder:
    Right click on Start> Explore> click to expand Recycler Folder> right click> delete on each file.

    You may get an error preventing you from deleting the files- I usually do- it refers to the folder being in use. Each user has their own Recycler- but in my case, there is no other user> Let me know if you can do the deletes and in the meantime, I'll ask around and see if there is some way to delete the malware files from the Recycler.

    Mbam found one entry indicating the security center features had all been shut down, but it was quarantined and removed. If you show it as a "go", that's fine.

    Meet me back here with results of attempts to remove contents of Recycler.

    EDIT: Please run SDFix that I set up for the desktop. I want to be sure the Registry entries for the Security center shutdown are removed. Same instruction as given for desktop.
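The SAS entry quoted above is easier to read once you know how the XP recycle folder is laid out: `C:\RECYCLER` is a hidden system folder (Explorer shows it only with "Show hidden files and folders" on and "Hide protected operating system files" off, which is why a plain search does not find it), and each subfolder under it is named after the SID of the account whose recycle bin it is. The trailing number of the SID is the relative identifier; 500 is the built-in Administrator account. The following is an added example, not code from the poster or from SAS, that parses such a path, labels the owning account from its RID, and keeps only entries whose leaf is an executable. The regular expression, the RID table and the `triage` helper are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the SAS entry quoted in the post above:
# the per-user Recycler folder is named after the owning account's SID, and
# the leaf is the GUID-named installer that SAS flagged.
SAMPLE_PATH = (
    r"C:\RECYCLER\S-1-5-21-2855437500-1594634220-3818733573-500"
    r"\DC31\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS"
    r"\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE"
)

# Per-user recycle folder on NTFS under Windows 2000/XP: <drive>:\RECYCLER\<SID>\...
# (assumed layout for this example; S-1-5-21-<a>-<b>-<c>-<RID> is a local/domain SID)
RECYCLER_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\RECYCLER\\(?P<sid>S-1-5-21(?:-\d+){3}-(?P<rid>\d+))\\(?P<rest>.+)$",
    re.IGNORECASE,
)

# Well-known relative identifiers for SIDs of the S-1-5-21 form.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator (RID 500)",
    501: "built-in Guest (RID 501)",
}

# File types that should not be left lying in a recycle folder on a cleaned machine.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


@dataclass
class RecyclerItem:
    drive: str
    sid: str
    rid: int
    account_hint: str
    relative_path: str
    filename: str
    is_executable: bool


def describe_rid(rid: int) -> str:
    """Map a RID to a human-readable account hint."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return f"ordinary local account (RID {rid})"
    return f"other well-known or builtin RID {rid}"


def parse_recycler_path(path: str) -> Optional[RecyclerItem]:
    """Return a RecyclerItem for a path under <drive>:\\RECYCLER\\<SID>\\, else None."""
    m = RECYCLER_RE.match(path.strip())
    if not m:
        return None
    rest = m.group("rest")
    filename = rest.rsplit("\\", 1)[-1]
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    rid = int(m.group("rid"))
    return RecyclerItem(
        drive=m.group("drive").upper(),
        sid=m.group("sid").upper(),
        rid=rid,
        account_hint=describe_rid(rid),
        relative_path=rest,
        filename=filename,
        is_executable=ext in EXECUTABLE_EXTENSIONS,
    )


def triage(paths):
    """Keep only Recycler entries that are executables, grouped by owning SID."""
    by_sid = {}
    for p in paths:
        item = parse_recycler_path(p)
        if item and item.is_executable:
            by_sid.setdefault(item.sid, []).append(item)
    return by_sid


if __name__ == "__main__":
    for sid, items in triage([SAMPLE_PATH, r"C:\Windows\notepad.exe"]).items():
        print(sid, "->", items[0].account_hint)
        for it in items:
            print("   ", it.filename)
```

Running it on the quoted path reports the SID as the built-in Administrator's recycle bin and the GUID-named `.EXE` as an executable worth removing; a path outside `RECYCLER` is ignored.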
  5. Husky44

    Husky44 TS Rookie Topic Starter Posts: 28

    1) Couldn't locate the recycle folder you referenced above. Tried search function, scanning through Windows Explorer--no luck. No C:\Recycler that I can find.

    2) Initially tried to run SDFix on this machine. It got farther in the process than my other computer, but locked up with a message that said "cannot load VDM IPX/SPX support". I waited for at least 10 minutes with no change, then had to do a hard reboot to get out of it.

    When I rebooted (not in safe mode), A blue screen opened that said
    "Finishing Malware check
    Please be patient as this may take several minutes
    cannot load VDM IPX/SPX support".

    I ended the task, then ran Combo-Fix and HiJackThis. Logs attached.

    When I rebooted again, SDFix tried to run again, with the same message.

    Obviously I need help figuring out how to turn off SDFix and undoing any damage I may have done by partially running it.

    I'm also concerned that there is something wrong with my security center. On the main screen it says my firewall is on, but when I open the detail, it says it's turned off?


    EDIT: Went for a walk after I posted this. When I got back, I had an SDFix window open, that said it was complete?! Wasn't running in safe mode, but I've attached the log. How much damage did I do?
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36


    Have you specifically set these Ports to be globally open in the Firewall?
    TCP 135: Transacted connection to SQL Server to create, connect or track.
    TCP 5000-5020: Secondary RPC ports (Remote Procedure Call) endpoint mapper
  7. Husky44

    Husky44 TS Rookie Topic Starter Posts: 28

    NO! I'm not that smart or technically savvy to do something like that! :O
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Hold on Husky- I'm getting a 'consult' about this port listing.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We've all been so busy here- sorry for the delay. I've asked to see if you can close the ports using the CFFix for the Combofix entries. In the meantime, open the firewall port section of the Symantec program. IF you see checks to ALLOW port TCP 135 and TCP ports 5000 through 5020, uncheck them.

    Here is the Combofix entry:
    "135:TCP"= 135:TCP:TCP Port 135
    "5000:TCP"= 5000:TCP:TCP Port 5000
    "5001:TCP"= 5001:TCP:TCP Port 5001
    "5002:TCP"= 5002:TCP:TCP Port 5002
    "5003:TCP"= 5003:TCP:TCP Port 5003
    "5004:TCP"= 5004:TCP:TCP Port 5004
    "5005:TCP"= 5005:TCP:TCP Port 5005
    "5006:TCP"= 5006:TCP:TCP Port 5006
    "5007:TCP"= 5007:TCP:TCP Port 5007
    "5008:TCP"= 5008:TCP:TCP Port 5008
    "5009:TCP"= 5009:TCP:TCP Port 5009
    "5010:TCP"= 5010:TCP:TCP Port 5010
    "5011:TCP"= 5011:TCP:TCP Port 5011
    "5012:TCP"= 5012:TCP:TCP Port 5012
    "5013:TCP"= 5013:TCP:TCP Port 5013
    "5014:TCP"= 5014:TCP:TCP Port 5014
    "5015:TCP"= 5015:TCP:TCP Port 5015
    "5016:TCP"= 5016:TCP:TCP Port 5016
    "5017:TCP"= 5017:TCP:TCP Port 5017
    "5018:TCP"= 5018:TCP:TCP Port 5018
    "5019:TCP"= 5019:TCP:TCP Port 5019
    "5020:TCP"= 5020:TCP:TCP Port 5020

    None of these should be globally open.
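Entries in the `"port:proto"= …` shape above are how ComboFix prints the values under the Windows Firewall key HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List; the full stored value is `port:proto:scope:Enabled|Disabled:name`, with `*` as the scope meaning any source address. A third-party firewall keeps its own rule store, so these exceptions would not be expected to appear in its UI. The following is an added example, not code from the thread, ComboFix or touch's script, that parses such a listing in both the short form printed here and the five-field form, flags ports that should never be globally open on a home client (TCP 135 is the RPC endpoint mapper used by DCOM), notes exceptions with auto-generated "TCP Port N" names, and collapses runs such as 5000-5020 into ranges. The sample text, `RISKY_PORTS` table and function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the first entries from the ComboFix listing above, plus
# one entry in the full five-field form the registry actually stores
# (port:proto:scope:Enabled|Disabled:name).
SAMPLE_LOG = """\
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"3389:TCP"= 3389:TCP:*:Enabled:Remote Desktop
"""

ENTRY_RE = re.compile(
    r'^\s*"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*(?P<value>.+?)\s*$', re.IGNORECASE
)

# Services that should never be reachable from arbitrary addresses on a home client.
RISKY_PORTS = {
    135: "RPC endpoint mapper / DCOM",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB",
    3389: "Remote Desktop",
}


@dataclass
class OpenPort:
    port: int
    proto: str
    scope: str      # "*" means any source address
    enabled: bool
    name: str


def parse_entries(text: str) -> List[OpenPort]:
    """Parse '"port:proto"= value' lines in either the short or five-field form."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        fields = m.group("value").split(":")
        if len(fields) >= 5 and fields[3].lower() in ("enabled", "disabled"):
            # Registry form: port:proto:scope:Enabled|Disabled:name
            scope, enabled, name = fields[2], fields[3].lower() == "enabled", ":".join(fields[4:])
        else:
            # Short form as printed in the thread: port:proto:name (assumed enabled, any scope)
            scope, enabled, name = "*", True, ":".join(fields[2:])
        entries.append(OpenPort(int(m.group("port")), m.group("proto").upper(), scope, enabled, name))
    return entries


def contiguous_ranges(ports) -> List[Tuple[int, int]]:
    """Collapse a set of ports into sorted inclusive ranges, e.g. 5000..5020."""
    ranges: List[Tuple[int, int]] = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def assess(entries: List[OpenPort]):
    """Return (risky, auto_named, tcp_ranges) for a parsed exception list."""
    risky = [(e.port, e.proto, RISKY_PORTS[e.port])
             for e in entries if e.enabled and e.scope == "*" and e.port in RISKY_PORTS]
    # A name that is just "<proto> Port <n>" is what you get when something adds
    # the exception programmatically rather than a user naming it in the UI.
    auto_named = [e for e in entries if e.name.lower() == f"{e.proto} port {e.port}".lower()]
    tcp_ranges = contiguous_ranges(e.port for e in entries if e.proto == "TCP" and e.enabled)
    return risky, auto_named, tcp_ranges


if __name__ == "__main__":
    risky, auto_named, ranges = assess(parse_entries(SAMPLE_LOG))
    for port, proto, why in risky:
        print(f"globally open {proto} {port}: {why}")
    print("auto-named exceptions:", len(auto_named))
    print("TCP ranges:", ranges)
```

On Windows XP the matching exceptions are removed one at a time with `netsh firewall delete portopening protocol=TCP port=135` (and likewise for each port in the 5000-5020 range), after which a fresh ComboFix run should no longer list them.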
  10. Husky44

    Husky44 TS Rookie Topic Starter Posts: 28

    Thanks, and NO worries about timing. You guys provide an awesome service for an unbeatable price--how can I complain if you're busy?

    The only place I could find a specific reference to these port numbers was in a screen that listed 50 or so ports. They had check boxes next to them, a field for name, "secured", and "Trojan". On all of them, the boxes were checked, "secure" was blank, and "Trojan" was x'ed. There was a radio button above that said "enable Secure Port technology". It was initially off, but when I turned it on, it changed all of the "secured" fields to x'ed also.

    I'm pretty much bumbling in the dark here, so let me know if that was a good thing or not...
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Husky, I consulted touch about writing code for these ports. He was kind enough to do it. It should solve the port problem:

    Originally Posted by touch
    This should do the trick ->

    Thank you touch.

    Rescan with HijackThis when through and attach the new log along with the Combofix log.
  12. Husky44

    Husky44 TS Rookie Topic Starter Posts: 28

    Ran the script as directed. First time it didn't fully launch Combo-fix. Ran it a second time, and first received a message: A critical update is required.

    It then displayed a message saying it was connecting to Combofix servers, and did a countdown of some sort of download. Once complete, Combofix ran.

    Here are the logs.

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Husky, if you used the code for the ports, it didn't work. You need to open the Symantec firewall and manually close the ports. It will be easier if you do it in Safe Mode.

    If you can't do that, uninstall then reinstall the security suite. NOTE: do this offline. IF you have the CD, use that. IF you don't, download the setup to your desktop but don't install. Then> File> Work offline> uninstall> reinstall.

    Hopefully it will reconfigure without those ports open. HJ is OK
  14. Husky44

    Husky44 TS Rookie Topic Starter Posts: 28


    Thanks for all your help. This port thing is kicking my rear because I can't figure out how to close the ports. When I open Symantec firewall, I don't see the ports specifically listed anywhere, nor do I find anything that says "close ports".

    As far as re-installing, I'm going to need a new product. Got this access free from my old employer. Now that I'm retired, I have to pay for whatever I get.

    Given that: I'm not a total technological *****, but I'm certainly not a guru when it comes to this stuff. I'd rather have something that's "set and forget" (other than an occasional preventative maintenance check every month or six).

    Are Symantec's tools still good choices for a user like me (someone who doesn't want to spend a lot of time-or a little time on a regular basis-tinkering with my computer)? If not, what would you recommend for a good anti-virus and firewall?

  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Greg, this might help. Get down to #17 and tell me what is listed in the dialog box "What types of communication do you want to permit:

    Begin here: http://www.pocketpcfaq.com/faqs/symatec-firewall.htm

    Malware can change firewall settings- even close it down entirely. And Symantec/Norton has never made anything 'easy' for users- including uninstalling it!
  16. Husky44

    Husky44 TS Rookie Topic Starter Posts: 28

    OK, I'm tracking down to item #17. I added the two port #s shown in the example (5678 and 5679). When I clicked next, the box appeared exactly like the one shown below. The slider buttons (up and down arrows) were grayed out--I couldn't use either one.

    (I clicked cancel, so I didn't actually add the ports, but can go back and do so if needed).

    You're certainly going above and beyond on this one! I can't tell you how much I appreciate it.

    If Symantec isn't easy/user-friendly, would you recommend a firewall and AV that is? Would that be the quickest way to resolve this? I'm willing to get a little drastic, (but would prefer not to do a complete reformat if there's another viable option).
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Ah this is an easy one! But if you have the suite, it means you paid for it. If that is the case- to keep but reconfigure:

    [1] Go offline (File> Work Offline).
    [2] You will need to make sure though that it does not start when you boot, or it will not allow the uninstall:
        [o] Start> Run> type in 'msconfig' without the quotes> Selective Start-up> Startup tab> uncheck the processes that are for this> Apply> OK.
        [o] Reboot> Close the nag message that comes up after checking 'don't show this message again'. Stay in Selective Startup.
    [3] Save your Product Key.
    [4] Now do the uninstall in the Control Panel> Add/Remove Programs.
    [5] Reboot the computer.
    Reinstall the suite. Go back online. Update. Hopefully that will reset the ports correctly.

    If you are near the end of the subscription or if you want to make the change anyway:
    Run full system scan with new AV. Check firewall programs settings.

    The Symantec/Norton product uses a lot of resources. My preference is a combination of stand-alone products. There are many good free programs and there are also paid stand alones like Nod32 AV. And I think all of the 'suites' cost $$.