Help, I've been hacked

Guest

I have very very strange entries in my registry and event viewer that are
adding up to no good.

I have talked with Microsoft today, and what we tried did not solve the
problem.
I really don't want to wait until Monday to call them back.

Does anyone know where I might find where remote access connection manager
is in the registry?
 
TxRose said:
I have very very strange entries in my registry and event viewer that
are adding up to no good.

I have talked with Microsoft today, and what we tried did not solve
the problem.
I really don't want to wait until Monday to call them back.

Does anyone know where I might find where remote access connection
manager is in the registry?

Perhaps instead if you gave us specifics to your problem...
Otherwise - why not clean up and secure your system yourself?

Microsoft has these suggestions for Protecting your computer from the
various "bad things" that could happen to you/it:

Protect your PC
http://www.microsoft.com/security/protect/


Although those tips are fantastic, there are many things you should
know above and beyond what is there as well as other methods and
applications you can use to protect yourself. Below I have detailed
out many steps that can not only help you cleanup a problem PC but
keep it clean and secure as well as running at its top performance mark.

I know this list can seem intimidating - it is quite long and a lot
to take in for a novice - but I assure you that one trip through this
list and you will understand your computer and the options available
to you for protecting your data much better and that the next time
you review these steps, the time it takes will be greatly reduced.

Let's take the cleanup of your computer step-by-step. Yes, it will take
up some of your time - but consider what you use your computer
for and how much you would dislike it if all of your stuff on your
computer went away because you did not "feel like" performing some
simple maintenance tasks - think of it like changing the oil in your car,
changing the air filter on your home A/C unit, paying your bills on time,
etc.

Let's go through some maintenance first that should only have to be done
once (mostly):

Tip (1):
Locate all of the software (the installation media - CDs, etc) that you
have installed on your computer. Collect these CDs into a single pile
and locate the original installation media (CDs, disks) in a central and
safe place along with their CD keys and such. Make backups of these
installation media sets using your favorite copying method (CD Burner and
application, Disk copier, etc.) You'll be glad to know that if you have
a CD burner, you may be able to use a free application to make a
duplicate copy of your CDs. One such application is ISORecorder:

ISORecorder home page (with general instructions on use):
http://isorecorder.alexfeinman.com/isorecorder.htm

Pre-SP2 version:
http://isorecorder.alexfeinman.com/IsoRecorder/download.asp

Post-SP2 beta version:
http://isorecorder.alexfeinman.com/download/ISORecorderV2B2.zip

More full function applications (free) for CD/DVD burning would be:

DeepBurner Free
http://www.deepburner.com/

CDBurnerXP Pro
http://www.cdburnerxp.se/

Another Option would be to search the web with Pricewatch.com or
Dealsites.net and find deals like these:

Roxio Easy CD 7.0 Basic-DVD Edition
http://www.softwareandstuff.com/SWW12310.html

Nero Suite 6.3
http://snipurl.com/cwvc


Tip (2):
Empty your Internet Explorer Temporary Internet Files and make sure the
maximum size for this is small enough not to cause trouble in the future.
Empty your Temporary Internet Files and shrink the size it stores to a
size between 128MB and 512MB.

- Open ONE copy of Internet Explorer.
- Select TOOLS -> Internet Options.
- Under the General tab in the "Temporary Internet Files" section, do the
  following:
  - Click on "Delete Cookies" (click OK)
  - Click on "Settings" and change the "Amount of disk space to use:" to
    something between 128MB and 512MB. (Betting it is MUCH larger right
    now.)
  - Click OK.
  - Click on "Delete Files" and select to "Delete all offline contents"
    (the checkbox) and click OK. (If you had a LOT, this could take 2-10
    minutes or more.)
- Once it is done, click OK, close Internet Explorer, re-open Internet
  Explorer.


Tip (3):
If things are running a bit slow or you have an older system
(1.5GHz or less and 256MB RAM or less) then you may want to look into
tweaking the performance a bit by turning off some of the memory
using Windows XP "prettifications". The fastest method is:

Control Panel --> System --> Advanced tab --> Performance section,
Settings button. Then choose "adjust for best performance" and you
now have a Windows 2000/98 look which turned off many of the annoying
"prettifications" in one swift action. You can play with the last
three checkboxes to get more of an XP look without many of the
other annoyances. You could also grab and install/mess with one
(or more) of the Microsoft Powertoys - TweakUI in particular:

http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx


Tip (4):
Understanding what a good password might be is vital to your
personal and system security. You may not need to password your home
computer, as you may have it in a locked area (your home) where no
one else has access to it. Remember, however, that locked area is
unlocked when you access the Internet unless you are taking proper
precautions. Also, you aren't always "in that locked area" when using
your computer online - meaning you likely have usernames and passwords
associated with web sites and the likes that you would prefer other
people do not discover/use. This is why you should understand and
utilize good passwords.

Good passwords are those that meet these general rules
(mileage may vary):

Passwords should contain at least six characters, and the character
string should contain at least three of these four character types:
- uppercase letters
- lowercase letters
- numerals
- nonalphanumeric characters (e.g., *, %, &, !)

Passwords should not contain your name/logon name. Passwords should
be unique to you and easy to remember. One method many people are
using today is to make up a phrase that describes a point in their
life and then turning that phrase into their password by using only
certain letters out of each word in that phrase. It's much better
than using your birthday month/year or your anniversary in a pure
sense. For example, let's say my phrase is:
"Moved to new home in 2004"
I could come up with this password from that:
"Mv2n3whmN04"

The password tip is in the "one time" section, but I highly
recommend you periodically change your passwords. The suggested time
varies, but I will throw out a "once in every 3 to 6 months for
every account you have."


Tip (5):
This tip is also "questionable" in the "one time" section. However,
if properly setup, this one can be pretty well ignored for most people
after the initial "fiddle-with" time.

Why you should use a computer firewall..
http://www.microsoft.com/athome/security/viruses/fwbenefits.mspx

You should, in some way, use a firewall. Hardware (like a nice
Cable Modem/DSL router) or software is up to you. Many use both of
these. The simplest one to use is the hardware one, as most people
don't do anything they need to configure their NAT device for and
those who do certainly will not mind fiddling with the equipment to
make things work for them. Next in the line of "simplicity" would
have to be the built-in Windows Firewall of Windows XP. In SP2 it
is turned on by default. It is not difficult to turn on in any
case, however:

Enable/Disable the Internet Connection Firewall (Pre-SP2):
http://support.microsoft.com/kb/283673

More information on the Internet Connection Firewall (Pre-SP2):
http://support.microsoft.com/kb/320855

Post-SP2 Windows Firewall Information/guidance:
http://snipurl.com/atal

The trouble with the Windows Firewall is that it only keeps things
out. Truthfully, for most people who maintain their system in other
ways, this is MORE than sufficient. However, you may feel otherwise.
If you want to know when one of your applications is trying to obtain
access to the outside world so you can stop it, then you will have to
install a third-party application and configure/maintain it. I have
compiled a list with links of some of the better known/free firewalls
you can choose from:

ZoneAlarm (Free and up)
http://snipurl.com/6ohg

Kerio Personal Firewall (KPF) (Free and up)
http://www.kerio.com/kpf_download.html

Outpost Firewall from Agnitum (Free and up)
http://www.agnitum.com/download/

Sygate Personal Firewall (Free and up)
http://smb.sygate.com/buy/download_buy.htm

Symantec's Norton Personal Firewall (~$25 and up)
http://www.symantec.com/sabu/nis/npf/

BlackICE PC Protection ($39.95 and up)
http://blackice.iss.net/

Perhaps you can find the right firewall for your situation in that
list and set it up/configure it. Every firewall MAY require some
maintenance. Essentially checking for patches or upgrades (this
goes for hardware and software solutions) is the extent of this
maintenance - but you may also have to configure your firewall to
allow some traffic depending on your needs. Also, don't stack these
things. Running more than one firewall will not make you safer
- it would likely (in fact) negate some protection you gleaned
from one or the other firewalls you run.



Now that you have some of the more basic (one-time) things down..
Let's go through some of the steps you should take periodically to
maintain a healthy and stable Windows computer. If you have not
done some of these things in the past, they may seem tedious at
first - however, they will become routine and some can even be
automatically scheduled.


Tip (6):
The system restore feature is a new one - first appearing in Windows
ME and then sticking around for Windows XP. It is a VERY useful
feature - if you keep it maintained and use it to your advantage.
However, remember that the system restore pretty much tells you in
the name what it protects - "system" files. Your documents, your
pictures, your stuff is NOT system files - so you should also look
into some backup solution.

I'll mainly work around Windows XP, as that is what the bulk of this
document is about. I will, however, point out a single place for you
poor souls still stuck in Windows ME where you can get information on
maintaining your system right now:

Windows ME Computer Health:
http://www.microsoft.com/windowsME/using/computerhealth/articles/

Pay close attention to the sections:
(in order)
- Clean up your hard disk
- Check for errors by running ScanDisk
- Defragment your hard disk
- Roll back the clock with System Restore

Now back to the point at hand - maintaining your system restore in
Windows XP SHOULD be automatic - but I have seen the automatic go wrong
too many times not to suggest the following.. Whenever you think about
it (after doing a once-over on your machine once a month or so would
be optimal) - clear out your System Restore and create a manual
restoration point. Why? Too many times have I seen the system restore
files go corrupt or get a virus in them, meaning you could not or
did not want to restore from them. By clearing it out periodically
you help prevent any corruption from happening and you make sure you
have at least one good "snapshot".
(This, of course, will erase any previous restore point you have.)

- Turn off System Restore.
http://support.microsoft.com/kb/310405
- Reboot.
- Turn on System Restore.
http://support.microsoft.com/kb/310405
- Make a Manual Restoration Point.
http://snipurl.com/68nx

That covers your system files, but doesn't do anything for the files
that you are REALLY worried about - yours! For that you need to look
into backups. You can either manually copy your important files, folders,
documents, spreadsheets, emails, contacts, pictures, drawings and so on
to an external location (CD/DVD - any disk of some sort, etc) or you can
use the backup tool that comes with Windows XP:

How To Use Backup to Back Up Files and Folders on Your Computer
http://support.microsoft.com/kb/308422

Yes - you still need some sort of external media to store the results
on, but you could schedule the backup to occur when you are not around,
then burn the resultant data onto CD or DVD or something when you are
(while you do other things!)


Tip (7):
You should sometimes look through the list of applications that are
installed on your computer. The list MIGHT surprise you. There are more
than likely things in there you KNOW you never use - so why have them
there? There may even be things you KNOW you did not install and
certainly do not use (maybe don't WANT to use.)

This web site should help you get started at looking through this list:

How to Uninstall Programs
http://snipurl.com/8v6b

A word of warning - Do NOT uninstall anything you think you MIGHT need
in the future unless you have completed Tip (1) and have the installation
media and proper keys for use backed up somewhere safe!


Tip (8):
Patches and Updates!

This one cannot be stressed enough. It is SO simple, yet so neglected
by many people. It is especially simple for the critical Windows patches!
Microsoft put in an AUTOMATED feature for you to utilize so that you do
NOT have to worry yourself about the patching of the Operating System:

How to configure and use Automatic Updates in Windows XP
http://support.microsoft.com/kb/306525

However, not everyone wants to be a slave to "automation", and that is
fine - as long as you are willing to do things manually. Admittedly, I
prefer this method on some of my more critical systems.

Windows Update
http://windowsupdate.microsoft.com/

Go there and scan your machine for updates. Always get the critical ones
as you see them. Write down the KB###### or Q###### you see when
selecting the updates and if you have trouble over the next few days,
go into your control panel (Add/Remove Programs), match up the latest
numbers you downloaded recently (since you started noticing an issue) and
uninstall them. If there was more than one (usually is), uninstall them
one by one - with a few hours of use in between, to see if the problem
returns. Yes - the process is not perfect (updating) and can cause trouble
like I mentioned - but as you can see, the solution isn't that bad - and is
MUCH better than the alternatives.

Windows is not the only product you likely have on your PC. The
manufacturers of the other products usually have updates as well. New
versions of almost everything come out all the time - some are free, some
are pay - some you can only download if you are registered - but it is best
to check. Just go to their web pages and look under their support and
download sections. For example, for Microsoft Office update, you should
visit:

Microsoft Office Updates
http://office.microsoft.com/
(and select "downloads")

You also have hardware on your machine that requires drivers to interface
with the operating system. You have a video card that allows you to see on
your screen, a sound card that allows you to hear your PC's sound output and
so on. Visit those manufacturer web sites for the latest downloadable
drivers for your hardware/operating system. Always (IMO) get the
manufacturers' hardware driver over any Microsoft offers. On the Windows
Update site I mentioned earlier, I suggest NOT getting their hardware
drivers - no matter how tempting. First - how do you know what hardware
you have in your computer? Invoice or if it is up and working now - take
inventory:

Belarc Advisor
http://belarc.com/free_download.html

EVEREST Home Edition
http://www.lavalys.com/products/download.php?pid=1&lang=en

Once you know what you have, what next? Go get the latest driver for your
hardware/OS from the manufacturer's web page. For example, let's say you
have an NVidia chipset video card or ATI video card, perhaps a Creative
Labs sound card or C-Media chipset sound card...

NVidia Video Card Drivers
http://www.nvidia.com/content/drivers/drivers.asp

ATI Video Card Drivers
http://www.atitech.com/support/driver.html

Creative Labs Sound Device
http://us.creative.com/support/downloads/

C-Media Sound Device
http://www.cmedia.com.tw/e_download_01.htm

Then install these drivers. Updated drivers are usually more stable and
may provide extra benefits/features that you really wished you had before.

As for Service Pack 2 (SP2) for Windows XP, Microsoft has made this
particular patch available in a number of ways. First, there is the
Windows Update web page above. Then there is a direct download site
and finally, you can order the FREE CD from Microsoft.

Direct Download of Service Pack 2 (SP2) for Windows XP
http://snipurl.com/8bqy

Order the Free Windows XP SP2 CD
http://snipurl.com/8umo


Tip (9):
What about the dreaded word in the computer world, VIRUS?

Well, there are many products to choose from that will help you prevent
infections from these horrid little applications. Many are FREE to the
home user. Which one you choose is a matter of taste, really. I wouldn't
list one here I had not personally used - and they all work. Many people
have emotional attachments or performance issues with one or another
AntiVirus software. Try some out, read reviews and decide for yourself
which you like more:

avast! (Free and up)
http://www.avast.com/

AVG Anti-Virus System (Free and up)
http://www.grisoft.com/

AntiVir (Free and up)
http://www.free-av.com/

RAV AntiVirus Online Virus Scan (Free!)
http://www.ravantivirus.com/scan/

Symantec (Norton) AntiVirus (~$11 and up)
http://www.symantec.com/nav/nav_9xnt/

Kaspersky Anti-Virus (~$49.95 and up)
http://www.kaspersky.com/products.html

Panda Antivirus Titanium (~$39.95 and up)
http://www.pandasoftware.com/
(Free Online Scanner: http://www.pandasoftware.com/activescan/)

McAfee VirusScan (~$11 and up)
http://www.mcafee.com/

Trend Micro (~$49.95 and up)
http://www.trendmicro.com/en/home/us/personal.htm
(Free Online Scanner:
http://housecall.trendmicro.com/housecall/start_corp.asp)

Untested (by me):
eTrust EZ Antivirus ($29.95 and up)
https://www2.my-etrust.com/commerce/buy.it.cfm

Most of them have automatic update capabilities. You will have to
look into the features of the one you choose. Whatever one you finally
settle with - be SURE to keep it updated (I recommend at least daily) and
perform a full scan periodically (yes, it protects you actively, but a
full scan once a month at 4AM probably won't bother you.)


Tip (10):
The most rampant infestation at the current time concerns SPYWARE/ADWARE.
I hate this stuff. It has no purpose. I have seen people try to justify
it over and over - it's worthless. It slows down your PC, it can send
your private information to people you'll never meet and did I mention,
it's worthless. You need to eliminate it from your machine.

If you use P2P software, this COULD make that stop working. Find some
decent software to do the same thing - what you are currently using is
crap.

Anyway - there is no one software that cleans and immunizes you against
everything. Antivirus software - you only needed one. Firewall, you
only needed one. AntiSpyware - you may need several. I have a list and
I recommend you use at least the first 5. I know that sounds like a lot,
and you may be saying "But you said earlier that I should clean my system,
now you are telling me to install more software - 5 pieces in fact!" Okay,
I get your point, but please consider that this stuff has prevented the
install of the latest service pack for some people, it has the potential
to slow and crater your PC, it can send your private information around
the world to people you do not know - it is all around BAD.

First - make sure you have NOT installed "Rogue AntiSpyware". There are
people out there who created AntiSpyware products that actually install
spyware of their own! You need to avoid these:

Rogue/Suspect Anti-Spyware Products & Web Sites
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Also, you can always visit this site..
http://mvps.org/winhelp2002/unwanted.htm
For more updated information.

Then, my suggestion again is that you at least install the first five of
these: (Install, Run, Update, Scan with..)

Lavasoft AdAware (Free and up)
http://www.lavasoft.de/support/download/
(How-to: http://snipurl.com/atdn )

Spybot Search and Destroy (Free!)
http://www.safer-networking.net/en/download/index.html
(How-to: http://snipurl.com/atdk )

Bazooka Adware and Spyware Scanner (Free!)
http://www.kephyr.com/spywarescanner/
(How-to: http://snipurl.com/ate3 )

SpywareBlaster (Free!)
http://www.javacoolsoftware.com/sbdownload.html
(How-to: http://snipurl.com/ate6 )

IE-SPYAD (Free!)
https://netfiles.uiuc.edu/ehowes/www/resource.htm
(How-to: http://snipurl.com/ate7 )

CWShredder (Free!)
http://www.softbasket.com/download/s_8114.shtml

Hijack This! (Free)
http://mjc1.com/mirror/hjt/
( Tutorial: http://hjt.wizardsofwebsites.com/ )

ToolbarCop (Free!)
http://windowsxp.mvps.org/toolbarcop.htm

Browser Security Tests
http://www.jasons-toolbox.com/BrowserSecurity/

Popup Tester
http://www.popuptest.com/

The Cleaner (49.95 and up)
http://www.moosoft.com/

If used properly, you should have a malware free system now. The last
two of the first five I suggest you install are immunization applications.
None of these programs (in these editions) run in the background unless you
TELL them to. The space they take up and how easy they are to use greatly
makes up for any inconvenience you may be feeling.

Unfortunately, although that will lessen your popups on the Internet/while
you are online, it won't eliminate them. I have looked at a lot of options,
seen a lot of them used in production with people who seem to attract popups
like a plague, and I only have a few other suggestions that should help.
This one ends up serving double duty (search engine and popup stopper in one):

The Google Toolbar (Free!)
http://toolbar.google.com/

Yeah - it adds a bar to your Internet Explorer - but it's a useful one. You
can search from there anytime with one of the best search engines on the
planet (IMO.) And the fact it stops most popups - wow - BONUS! If you
don't like that suggestion, then I am just going to say you go to
www.google.com and search for other options.

Please notice that Windows XP SP2 does help stop popups as well.

Another option is to use an alternative Web browser. I suggest
"Mozilla Firefox", as it has some great features and is very easy to use:

Mozilla Firefox
http://www.mozilla.org/products/firefox/

One more suggestion is to disable your Windows Messenger service. This
service is not used frequently (if at all) by the normal home user and
in cooperation with a good firewall, is generally unnecessary. Microsoft
has instructions on how to do this for Windows XP here:

http://www.microsoft.com/windowsxp/pro/using/howto/communicate/stopspam.asp


So your machine is pretty clean and up to date now. If you use the sections
above as a guide, it should stay that way as well! There are still a few
more little things you can do to keep your machine running in top shape.


Tip (11):
You should periodically check your hard drive(s) for errors and defragment
them. Only defragment after you have cleaned up your machine of
outside parasites and never defragment as a solution to a quirkiness in
your system. It may help speed up your system, but it should be clean
before you do this.

How to use Disk Cleanup
http://support.microsoft.com/?kbid=310312

How to scan your disks for errors
http://support.microsoft.com/?kbid=315265

How to Defragment your hard drives
http://support.microsoft.com/?kbid=314848

I would personally perform the above steps at least once every three months.
For most people this should be sufficient, but if the difference you notice
afterwards is greater than you think it should be, lessen the time in
between its schedule.. If the difference you notice is negligible, you can
increase the time.


Tip (12):
SPAM! JUNK MAIL!
This one can get annoying, just like the rest. You get 50 emails in one
sitting and 2 of them you wanted. NICE! (Not.) What can you do? Well,
although there are services out there to help you, some email
servers/services that actually do lower your spam with features built into
their servers - I still like the methods that let you be the end-decision
maker on what is spam and what is not. I have two products to suggest to
you, look at them and see if either of them suit your needs. Again, if
they don't, Google is free and available for your perusal.

SpamBayes (Free!)
http://spambayes.sourceforge.net/

Spamihilator (Free!)
http://www.spamihilator.com/

As I said, those are not your only options, but are reliable ones I have
seen function for hundreds+ people.


Tip (13):
ADVANCED TIP! Only do this once you are comfortable under the hood of your
computer!

There are lots of services on your PC that are probably turned on by default
you don't use. Why have them on? Check out these web pages to see what all
of the services you might find on your computer are and set them according
to your personal needs. Be CAREFUL what you set to manual, and take heed and
write down as you change things! Also, don't expect a large performance
increase or anything - especially on today's 2+ GHz machines, however - I
look at each service you set to manual as one less service you have to worry
about someone exploiting. A year ago, I would have thought the Windows Messenger
service to be pretty safe, now I recommend (with addition of a firewall)
that most home users disable it! Yeah - this is another one you have to
work for, but your computer may speed up and/or be more secure because you
took the time. And if you document what you do as you do it, next time, it
goes MUCH faster! (or if you have to go back and re-enable things..)

Task List Programs
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

Black Viper's Service List and Opinions (XP)
http://www.blackviper.com/WinXP/servicecfg.htm

Processes in Windows NT/2000/XP
http://www.reger24.de/prozesse/

There are also applications that AREN'T services that startup when you start
up the computer/logon. One of the better descriptions on how to handle these
I have found here:

Startups
http://www.pacs-portal.co.uk/startup_content.php


If you follow the advice laid out above (and do some of your own research as
well, so you understand what you are doing) - your computer will stay fairly
stable and secure and you will have a more trouble-free system.
 
[[Remote Access Auto Connection Manager is on by default in Windows XP
Professional computers that are not members of a domain and in Windows XP
Home Edition.]]

Open Services and disable Remote Access Auto Connection Manager...

Start | Run | Type: services.msc | Click OK |
Scroll down to and double click: Remote Access Auto Connection Manager |
If the service is running, click the Stop button | When it has stopped,
under Startup type set to Disabled | Apply | OK |

Do the same for Remote Access Connection Manager & Remote Desktop Help
Session Manager.

Right click My Computer | Properties | Remote tab |
Make sure that both of these are UNChecked:
Allow Remote Assistance invitations to be sent from this computer
Allow users to connect remotely to this computer

Turn on a firewall.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
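
The settings Wes lists above can be checked in one pass with a read-only audit script. This is an added example, not part of the original post: it assumes Windows PowerShell 2.0 to 5.1 run as an administrator, and the short service names (RasAuto, RasMan, RDSessMgr), the registry values and the function names are the example's own mapping of the dialog options named in the post.

```powershell
# Added example (not from the thread). Read-only unless you call
# Disable-RemoteAccessServices yourself.

# Assumption: short service names for the display names used in the post.
$RemoteServices = @(
    @{ Name = 'RasAuto';   Display = 'Remote Access Auto Connection Manager' },
    @{ Name = 'RasMan';    Display = 'Remote Access Connection Manager' },
    @{ Name = 'RDSessMgr'; Display = 'Remote Desktop Help Session Manager' }
)

# Assumption: registry values behind the Remote tab and the Windows Firewall switch.
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$FwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

function New-Finding {
    param([string]$Item, [string]$Current, [bool]$Ok)
    New-Object PSObject -Property @{ Item = $Item; Current = $Current; Ok = $Ok }
}

function Get-RegistryDword {
    # Returns the value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($prop) { return $prop.$Name }
    return $null
}

function ConvertTo-Display {
    param($Value)
    if ($null -eq $Value) { 'not set' } else { "$Value" }
}

function Get-RemoteAccessAudit {
    $findings = @()

    foreach ($s in $RemoteServices) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($s.Name)'"
        if (-not $svc) {
            # Later Windows versions do not ship every one of these services.
            $findings += New-Finding -Item $s.Display -Current 'not installed' -Ok $true
            continue
        }
        # The post asks for both: service stopped AND startup type Disabled.
        $ok = ($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped')
        $findings += New-Finding -Item $s.Display `
            -Current "$($svc.StartMode), $($svc.State)" -Ok $ok
    }

    # "Allow Remote Assistance invitations to be sent": unchecked = 0.
    $help = Get-RegistryDword -Path $TsKey -Name 'fAllowToGetHelp'
    $findings += New-Finding -Item 'Remote Assistance invitations (fAllowToGetHelp)' `
        -Current (ConvertTo-Display $help) -Ok ($help -eq 0)

    # "Allow users to connect remotely": unchecked = connections denied = 1.
    $deny = Get-RegistryDword -Path $TsKey -Name 'fDenyTSConnections'
    $findings += New-Finding -Item 'Remote Desktop denied (fDenyTSConnections)' `
        -Current (ConvertTo-Display $deny) -Ok ($deny -eq 1)

    # Windows Firewall only; a third-party firewall is not visible here.
    $fw = Get-RegistryDword -Path $FwKey -Name 'EnableFirewall'
    $findings += New-Finding -Item 'Windows Firewall, standard profile (EnableFirewall)' `
        -Current (ConvertTo-Display $fw) -Ok ($fw -eq 1)

    $findings | Select-Object Item, Current, Ok
}

function Disable-RemoteAccessServices {
    # Same order as the post: stop the service, then set startup type Disabled.
    # Stopping RasMan drops any active dial-up or VPN connection.
    foreach ($s in $RemoteServices) {
        if (Get-Service -Name $s.Name -ErrorAction SilentlyContinue) {
            Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $s.Name -StartupType Disabled
        }
    }
}

Get-RemoteAccessAudit | Format-Table -AutoSize
```

Rows with `Ok` set to `False` are the ones the post's steps would change; re-run the audit after a reboot to confirm the services stayed disabled.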

Hi Shenan,

Thank you so much for the great tips and advice. Also, thank you for taking
the time to go through this with me.

Let me tell you a little more about my system, and that I don't mind
spending time keeping my computer in a good healthy state.
I have spent numerous hours doing this very thing.

But also, now that I have got this problem, I have spent at least 8 hours at
a time, if not more, every day, for weeks trying to get it straightened back
out again.

Yes, I am running XP. It came installed with SP-2. My computer is an Intel,
and about 2 months old.
As of this past Thursday, I am using Road Runner.

I do have the installation disks that I have running on my system, handy
with their keys.

I use Nero 6 for my CD burning.
I use Zone Alarm for my firewall. But not before this trouble started. I was
using the Windows firewall, and doing the updates automatically.

I have done the Panda scan, the McAfee scan, Trend Micro, and the eTrustEZ
scans.
They find nothing.

I get my updates automatically from Windows Update, and have installed a
dozen or so patches in the last two months.
I also go into the catalog and look for patches I may need.
The ones I do download, I am then told that the ones on my computer are
newer than the ones I've downloaded. So, I choose the option to save the ones
I already have.

The computer came with the free version of AVG installed. That is the
antivirus I was using when about a month ago I got hit with a virus called
parser.class.
From then on, whenever AVG did the scans, it showed up as shell32.dll had
been changed.
I have never been able to find out any info on the parser.class.

I do weekly updates with my programs such as SpySweeper, and AdAware, things
of that nature.

Most of the information I have been able to gather with the problems on my
computer is through ZoneAlarm, and the Event Viewer.

The properties of each listing in Event Viewer were very alarming, and
caused me to bring it to my then dial-up ISP's attention.
I was then told to call the FBI.
Which I did. That was 3 days ago.

In all honesty, I believe I have a two fold problem. A few nasty worms, and
a local hacker.

I believe the worms are remotely accessing my computer, and I keep getting
hits from a place in China, trying to penetrate different ports.

I have disabled Windows Messenger from the start. I would also like to
disable Bluetooth somehow. I did not even know this was installed on my PC,
as there is no icon in the control panel for it, nor is there any entry in
the task manager.
The only way I knew I was running it, was Zone Alarm had it listed as one of
the programs running in the background.
I have no wireless devices plugged into my computer. I don't want anything
wireless plugged into or that can remotely access my computer.

You see, I am now totally afraid of any RF signals..LOL
No, really, this does get worse.
Stay with me here.

We have caught our wonderful neighbor tapping our telephones. This is to the
point of even listening in on the conversations in the room when the phone
was on the hook. Yes, this is possible.
The FBI is investigating that too.
This wonderful neighbor has also been heard making personal threats to his
buddies in his driveway.

Okay, yes, I am scared. The phones have been unplugged for 3 weeks now. The
computer speakers are gone. The computer microphone is gone.

Maybe I am taking this a bit far, but I really don't think so. Not with what
that is going on around here.

Yes, my local police are involved now too.

I am going to get that jerk put behind bars. It may take awhile, but it will
happen.
He has violated me and my family too much. It is to the point of being
stalked.

Now, back to the computer.

When I got hit with the parser.class, I had downloaded a file from the
internet into a new folder I made just for that purpose.
I then scanned it, and AVG said it was clean.
So, I proceeded to install it.
It was then that the box popped up (the one with the ugly gremlins) saying I
had been hit with parser.class.
AVG would not let me delete it, repair it, or quarantine it. Nothing.
I was stuck.

I have since bought and installed Norton's Antivirus 2005. I have always
liked Nortons, and that is what I have used for years on my 98SE, and ME
systems.

Okay, that was just a couple of weeks ago that I ditched the AVG, and
installed Norton's.

But, I was still having problems. So, I installed an antivirus I ran across,
called Avast!
It has found about 6 or 7 viruses in the last couple of days, that Norton's
has totally missed.

So, I have uninstalled Norton's. But, it is acting like a virus itself, I
can't get rid of all the files.

I have found so many strange entries in the registry, and .dll's Zone Alarm
has listed.
These are dll's that a remote program uses, and I am not able to disable
them, or remove them.

Let me explain why I think it is both the nasty worms and a local hacker
causing my problems.
Now, these problems started when I was using a local dial up ISP.

Let me start first with the local hacker.

In the properties of the Event Viewer on the Security listings, there have
been 55 Unknown user name or bad password attempts within a 7 day period.

There are at least 50 warnings in the properties on the System listings for
TCP/IP has reached the security limit imposed on the number of concurrent TCP
connect attempts.
Some were listed as using the Log In name as anonymous.

It got to the point where it took me 12 times to dial up to get a
connection. When I did get connected, I would be bounced right back off in a
matter of seconds.
Over and over again.

So, I carried my computer to my ISP, and had them look at it, thinking there
was something wrong with my modem. They checked it out, and were able to
connect time and time again, with no problems at all. They thought there was
something wrong with my phone line causing the problem.

The tech entered a code in the modem properties, to stabilize things.
That worked great.
I didn't have that trouble again. Until a week ago.
It started again, even with the code entered.

Bear in mind, I have used this phone line for 15 years. For the last 5 of
those years, I have made this line a dedicated computer line, plugged into
the back of my computer, and dialed up to the same ISP daily.
I could tell when something was not right.

I am now with Road Runner, and these warnings and such are still being made
to this day.
I have not cancelled my dial up account, thinking if I left it open, it may
help the authorities catch whoever is behind all this.
Also, I went with another provider, to stay out of the way of the
investigations.

Now for the worms.
The properties in Event viewer has listed things like MSGina as a Login In
Process name, and other weird names. I know the ones like CHAP are a needed
thing.
But, Secondary Logon Service?

There are way too many to count listings of Failure Audits saying:
IPSec Services failed to get the complete list of network interfaces on the
machine. This can be a potential security hazard to the machine since some of
the network interfaces may not get the protection as desired by the applied
IPSec filters. Please run IPSec monitor snap-in to further diagnose the
problem.

Also way too many to count Remote Access connections.

This is where I had posted the question about the Remote Access Connection
Manager.
I did a search on that and came up with this:
https://www.gotomypc.com/tr/over/remote_access_connection_manager/g25Hbrdlp?Target=mm/g25Hbrdlp.tmpl

The ZoneAlarm had sent up alerts telling me things like it had blocked my
computer from sending out packets to a computer disguising itself as my ISP.

This is the point where my server and I called in the FBI.

Now, as far as system restore, well ...LOL
(I know this is far from funny, it's just that I almost feel brain dead
now going through all of this.)
I have "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume
Information\_restore{3C87EDD3-CBF4-4856-90B0-93F337A97205}\RP12\A0003283.exe"
file.

I am by no means a computer genius, but I don't know how to or what to do
with that new info. Except maybe to cry. But, I know that won't help either.

Okay, I think my story is about complete now, at least to give you an idea
of what the computer problems are.

Maybe I should just have it formatted and a clean install done?

Also, maybe my family and I just need to move away.

Thank you for listening Shenan.

Kim
 
Thank you Wesley.

I am going to do that right now!

Kim

Wesley Vogel said:
[[Remote Access Auto Connection Manager is on by default in Windows XP
Professional computers that are not members of a domain and in Windows XP
Home Edition.]]

Open Services and disable Remote Access Auto Connection Manager...

Start | Run | Type: services.msc | Click OK |
Scroll down to and double click: Remote Access Auto Connection Manager |
If the service is running, click the Stop button | When it has stopped,
under Startup
type set to Disabled | Apply | OK |

Do the same for Remote Access Connection Manager & Remote Desktop Help
Session Manager.

Right click My Computer | Properties | Remote tab |
Make sure that both of these are UNChecked:
 Allow Remote Assistance invitations to be sent from this computer
 Allow users to connect remotely to this computer

Turn on a firewall.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
TxRose said:
I have very very strange entries in my registry and event viewer that
are adding up to no good.

I have talked with Microsoft today, and what we tried did not solve
the problem.
I really don't want to wait until Monday to call them back.

Does anyone know where I might find where remote access connection
manager is in the registry?
 
Hi Wesley,
Here are the results from what I just did in the services.msc.

The Remote Access Auto Connection was already stopped, and I did the type
set to disabled.

The Remote Desktop Help Session Manager, was also stopped, and I did the
type set to disabled.

The Remote Access Connection Manager would not allow me to stop it.
The type set is set to Start, but I got an error saying :
Could not stop the Remote Access Connection Manager on Local Computer.
Error 1053: The service did not respond to the start or control request in a
timely fashion.
Anyway, I did the type set to Disabled.

I am not sure if I should have, but I stopped the secondary logon, and set
it to disabled too.

It looks like there are a lot of things there I would like to disable, but I
won't without some kind of assistance first.

Now, when I right click on my computer/properties/remote tab, it is
unchecked to Allow Remote Assistance invitations to be sent from this
computer.
There was not another option listed.

Kim

 
I failed to mention that even though I set the Remote Access Connection
Manager to disabled, it still shows that it is started.

Also, last night, no matter how many times I removed www.checkpoint.com from
the list in ZoneAlarm, to be allowed access, it popped right back in there on
the list again.
Now it seems to be gone.
I'm glad of that.

But, I am trying everything I can on the ZoneAlarm settings to be able to
access websites. Even places like the TechNet Discussion Group, and
Microsoft.com.
I can add them to the site list, and even add to the trusted sites list, but
I have to turn off the firewall to get websites to download on my computer
for me.

Does anyone have any idea what I can do to access websites on the list that
won't show, or of another good firewall that is a little more user friendly?


 
TxRose wrote:
I am running xp. It came installed with SP-2. My computer is an
Intel, and about 2 months old.
As of this past Thursday, I am using Road Runner.

I do have the installation disks that I have running on my system,
handy with their keys.

I use Nero 6 for my cd burning.
I use Zone Alarm for my firewall. But not before this trouble
started. I was using the Windows firewall, and doing the updates
automatically.

I have done the Panda scan, the McAfee scan, Trend Micro, and the
eTrustEZ scans.
They find nothing.

I get my updates automatically from Windows Update, and have
installed a dozen or so patches in the last two months.
I also go into the catalog and look for patches I may need.

The computer came with the free version of AVG installed. That is the
antivirus I was using when about a month ago I got hit with a virus
called parser.class.

I have never been able to find out any info on the parser.class.

I do weekly updates with my programs such as SpySweeper, and AdAware,
things of that nature.

I was then told to call the FBI.
Which I did. That was 3 days ago.

In all honesty, I believe I have a two fold problem. A few nasty
worms, and a local hacker.

I believe the worms are remotely accessing my computer, and I keep
getting hits from a place in China, trying to penetrate different
ports.

We have caught our wonderful neighbor tapping our telephones. This is
to the point of even listening in on the conversations in the room
when the phone was on the hook. Yes, this is possible.
The FBI is investigating that too.
This wonderful neighbor has also been heard making personal threats
to his buddies in his driveway.

Okay, yes, I am scared. The phones have been unplugged for 3 weeks
now. The computer speakers are gone. The computer microphone is gone.

Yes, my local police are involved now too.

When I got hit with the parser.class, I had downloaded a file from the
internet into a new folder I made just for that purpose.
I then scanned it, and AVG said it was clean.
So, I proceeded to install it.
It was then that the box popped up (the one with the ugly gremlins)
saying I had been hit with parser.class.
AVG would not let me delete it, repair it, or quarantine it. Nothing.
I was stuck.

I have since bought and installed Norton's Antivirus 2005. I have
always liked Nortons, and that is what I have used for years on my
98SE, and ME systems.

Okay, that was just a couple of weeks ago that I ditched the AVG, and
installed Norton's.

But, I was still having problems. So, I installed an antivirus I ran
across, called Avast!
It has found about 6 or 7 viruses in the last couple of days, that
Norton's has totally missed.

So, I have uninstalled Norton's. But, it is acting like a virus
itself, I can't get rid of all the files.

I have found so many strange entries in the registry, and .dll's Zone
Alarm has listed.
These are dll's that a remote program uses, and I am not able to
disable them, or remove them.

Let me explain why I think it is both the nasty worms and a local
hacker causing my problems.
Now, these problems started when I was using a local dial up ISP.

Let me start first with the local hacker.

In the properties of the Event Viewer on the Security listings, there
have been 55 Unknown user name or bad password attempts within a 7
day period.

There are at least 50 warnings in the properties on the System
listings for TCP/IP has reached the security limit imposed on the
number of concurrent TCP connect attempts.
Some were listed as using the Log In name as anonymous.

It got to the point where it took me 12 times to dial up to get a
connection. When I did get connected, I would be bounced right back
off in a matter of seconds.
Over and over again.

So, I carried my computer to my ISP, and had them look at it,
thinking there was something wrong with my modem. They checked it
out, and were able to connect time and time again, with no problems
at all. They thought there was something wrong with my phone line
causing the problem.

The tech entered a code in the modem properties, to stabilize things.
That worked great.
I didn't have that trouble again. Until a week ago.
It started again, even with the code entered.

Bear in mind, I have used this phone line for 15 years. For the last
5 of those years, I have made this line a dedicated computer line,
plugged into the back of my computer, and dialed up to the same ISP
daily.
I could tell when something was not right.

I am now with Road Runner, and these warnings and such are still being
made to this day.
I have not cancelled my dial up account, thinking if I left it open,
it may help the authorities catch whoever is behind all this.
Also, I went with another provider, to stay out of the way of the
investigations.

Also way too many to count Remote Access connections.

This is where I had posted the question about the Remote Access
Connection Manager.
I did a search on that and came up with this:
https://www.gotomypc.com/tr/over/remote_access_connection_manager/g25Hbrdlp?Target=mm/g25Hbrdlp.tmpl

The ZoneAlarm had sent up alerts telling me things like it had
blocked my computer from sending out packets to a computer disguising
itself as my ISP.

This is the point where my server and I called in the FBI.

I have "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume
Information\_restore{3C87EDD3-CBF4-4856-90B0-93F337A97205}\RP12\A0003283.exe"
file.

I am by no means a computer genius, but I don't know how to or what
to do with that new info. Except maybe to cry. But, I know that won't
help either.

Okay, I think my story is about complete now, at least to give you an
idea of what the computer problems are.

Maybe I should just have it formatted and a clean install done?

Thank you for listening Shenan.

Okay - I snipped some, but left the majority. You do seem to have a few
issues here.

Here is what I would do for my peace of mind (at least with the computer) if
I was in your shoes.

I would purchase a DSL/Cable Modem router with Firewall. I suggest
something like this:
http://www.netgear.com/products/details/DG834.php
and install it. Be sure to change the username/password needed to access it
and be sure that remote administration on the device is turned OFF. Also,
some cable modems/dsl modems must be powered off for a number of minutes
before they will allow a different device (such as a router) to be connected
after you have already "registered" one system. Also - some places actually
make you call and register the device that will be connected to the modem
directly by the MAC address - do whatever your ISP requires.

I would then backup my critical documents to CD/DVD.. Word files, contacts,
excel spreadsheets, database files, email, etc..

At this point, I would collect all my cd/serial numbers and installation
media (that may mean burning certain applications to CD for later install.)
I would also download and burn to CD the Windows XP Service Pack 2
installation file. Also - I would download and burn to CD my favorite
AntiVirus software and Firewall software along with the keys I need to use
them. With the antivirus software - I would also download the manual update
file for the definitions - so I could update my antivirus the first time
without connecting to the Internet.

I would then set a password to even turn ON the computer in the system BIOS.
You can set two different ones in most modern system BIOSes.. One to change
settings in the BIOS and one to even get past the BIOS and actually boot the
PC. If you are truly paranoid about physical access to the computer, then
turning it off when you are not around and having these two set can really
deter amateur "hackers" - also make sure the machine is set to boot from
HARD DRIVE first - but only AFTER you do the following CLEAN INSTALLATION.
You need it to boot from the CD until you are done.

Then I would perform a clean installation on my computer by doing the
following.

- Disconnect from the Internet and any means to connect to the Internet.
- Using my Windows XP CD to boot (like I was doing an installation) - I
would continue through the installation prompts until it asked me which
partition to install on. I would then choose to delete all partitions and
create double the number of partitions I had before. (If I had one, I would
create two, if I had two, I would create four - so on.) Then use the tools
to further format these partitions (FULL NTFS format.) But I would NOT
continue the installation from here... This was merely to eradicate from
normal means of recovery - everything on the hard drive.
- Then again using the Windows XP CD - I would boot from it and continue
through the Installation. When it asked which partition to install on, I
would delete all partitions and create two partitions.. The first would be
8GB to 20GB in size. The second would be the remainder of the drive. I
would then format (FULL, not quick) the partitions and finish the
installation.
- Once the installation is completed (assuming my CD did not have SP2 on it)
I would then immediately - before doing anything else - install SP2.
Remember - you are still nowhere near an internet connection - you are using
the CD you burned with the SP2 installation file on it.
- Then I would go through my user accounts and make sure they all have good
passwords. I would rename the administrator account to something TOTALLY
bizarre and make that password particularly difficult - over 14 characters
for sure. Guest would be definitely disabled.
- I would also turn off any and all remote desktop/remote assistant
features.
- I would ensure the Windows Firewall was on and there were NO exceptions
turned on.
(for now - you can turn off the Windows firewall and install your own
firewall later - but for now - this security is what you need.)
- I would then install the AntiVirus software of choice and update it using
the file I mentioned earlier. I would set it to auto-update daily after 3PM
and scan automatically once a week.
- Then I would go through my list of services and set to manual any that I
do not need/use. I would also do the same for other startups.
- I would also turn OFF Automatic Updates and set the Windows Security
Center not to tell me I have it off.

Now - finally - I would feel secure enough to connect to the Internet
through my properly configured firewall router. It gives me my private IP,
so the machine itself is not publicly accessible from the Internet without
reconfiguring the router.

After connected to the Internet, I would visit this site:
http://windowsupdate.microsoft.com/
and download/install all updates there EXCEPT hardware updates.

After (however many reboots the previous step takes) Windows Updates, I
would then download and install the latest HARDWARE drivers from my system.
Video, Network, Sound, Chipset, etc.

Then, as crazy as it may sound - I would download and install the Microsoft
AntiSpyware Beta. It is based off one of the best antispyware apps out there
(Giant AntiSpyware) and it has good ACTIVE antispyware abilities. I would
also download and install/update/scan with Lavasoft AdAware, Spybot Search
and Destroy (immunize as well), SpywareBlaster(immunization only) and
IE-SpyAd(immunization only.)

Now you are fairly secure and safe behind your hardware and software
firewalls as well as your AntiSpyware and AntiVirus applications and the
general knowledge you already seem to have.

You could install your preferred firewall application now - if you like.
However, for most I do not feel this is necessary - particularly with the
hardware firewall in place. I do suggest using a software one even with the
hardware on - but the Windows XP one should be sufficient - as if they can
get through your hardware firewall, they can likely get through whatever
software one you throw at them.

If you also follow all the advice I gave previously (particularly about
passwords, etc) and maintain all the applications and patches and lock your
CDs/keys safely in a secured area - then you should be fairly safe from
intrusion and from most malware on the Internet - given you do not install
it yourself.

Install all of your applications - be careful about what you install -
search for it on the Internet and ensure it is not a known carrier of
malware. If you want to install applications you previously downloaded,
then download them anew instead of using an older (and possibly compromised)
installation file. This also ensures you have the latest versions!

Good luck to you with all of your issues!

PS.. Your system restore problem is fixed by turning off/back on the system
restore feature - clearing it out.
 
Kim,

Reboot.

And then check on the Remote Access Connection Manager in Services, it
probably won't have started since you disabled it.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Hi Wes,
Yes, it appears that did help.
It shows disabled, instead of being started.
I also see no entries listed of a remote access in the event viewer.
Whoo hoo..LOL

This entry in the event viewer looks good:
The Remote Access Connection Manager service was successfully sent a stop
control.
Thank you for helping me get that turned off.

However, when I just rebooted, I did see these, which do not look good in my
opinion, but I could be wrong:

The first one has been going on for a long time, and is still showing.

Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: OWNER-1E81AA74C
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: OWNER-1E81AA74C

The protected system file c:\windows\system32\racpldlg.dll could not be
verified as valid because Windows File Protection is terminating. Use the SFC
utility to verify the integrity of the file at a later time.

The TCP/IP NetBIOS Helper service depends on the AFD service which failed to
start because of the following error:
A device attached to the system is not functioning.

Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011099706B4. The
following error occurred:
The semaphore timeout period has expired. . Your computer will continue to
try and obtain an address on its own from the network address (DHCP) server.

Your computer has detected that the IP address 66.25.204.98 for the Network
Card with network address 0011099706B4 is already in use on the network. Your
computer will automatically attempt to obtain a different address.

Your computer has detected that the IP address 0.0.0.0 for the Network Card
with network address 0011099706B4 is already in use on the network. Your
computer will automatically attempt to obtain a different address.

Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011099706B4. The
following error occurred:
The semaphore timeout period has expired. . Your computer will continue to
try and obtain an address on its own from the network address (DHCP) server.

The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswTdi
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
vsdatant

Looks like a fun time huh?

Kim
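
A way to triage pasted "Logon Failure" details like the ones in the post above, as an added example that is not part of the original thread: it groups the records by Logon Type so that attempts made at the machine's own console (type 2) are separated from network or Remote Desktop attempts (types 3, 8 and 10). The function names are hypothetical, and every sample record except the first is constructed.

```python
import re
from collections import Counter

# Windows logon type codes as recorded in Security log logon events.
LOGON_TYPES = {
    2: "Interactive (console of this machine)",
    3: "Network (e.g. share access from another host)",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    10: "RemoteInteractive (Remote Desktop / Terminal Services)",
    11: "CachedInteractive",
}
REMOTE_TYPES = {3, 8, 10}

# Only these field names are accepted, so unrelated event text that happens
# to contain a colon (such as a file path) is not mistaken for a field.
KNOWN_FIELDS = {
    "Reason", "User Name", "Domain", "Logon Type", "Logon Process",
    "Authentication Package", "Workstation Name",
}
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_logon_failures(text):
    """Return one dict per 'Logon Failure:' record found in pasted event text."""
    records, current = [], None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.group(1).strip(), match.group(2)
        if key == "Logon Failure":
            current = {}
            records.append(current)
        elif current is not None and key in KNOWN_FIELDS:
            current[key] = value
    return records


def classify(record):
    """Label a record 'local', 'remote', 'other' or 'unknown' by logon type."""
    try:
        logon_type = int(record.get("Logon Type", ""))
    except ValueError:
        return "unknown"
    if logon_type in REMOTE_TYPES:
        return "remote"
    same_host = (record.get("Domain", "").lower()
                 == record.get("Workstation Name", "").lower())
    if logon_type == 2 and same_host:
        return "local"
    return "other"


def summarize(text):
    """Count failures by origin and list the workstations behind remote ones."""
    records = parse_logon_failures(text)
    remote = [r for r in records if classify(r) == "remote"]
    return {
        "total": len(records),
        "by_origin": dict(Counter(classify(r) for r in records)),
        "remote_sources": sorted({r.get("Workstation Name", "?") for r in remote}),
    }


# First record is the one quoted in the post; the other two are constructed.
SAMPLE = r"""
Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: OWNER-1E81AA74C
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: OWNER-1E81AA74C

The protected system file c:\windows\system32\racpldlg.dll could not be
verified as valid because Windows File Protection is terminating.

Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: EXAMPLE-HOST
Logon Type: 3
Workstation Name: EXAMPLE-HOST

Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: OWNER-1E81AA74C
Logon Type: 10
Workstation Name: EXAMPLE-LAPTOP
"""

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result)
    for code in sorted(REMOTE_TYPES):
        print(code, "=", LOGON_TYPES[code])
```
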

 
Hi Shenan,
Wow, that sounds like a great plan. How soon can you be here?
LOL
Just kidding. I'm sorry, but I don't see how I could do all that. I'm not
that computer savvy. Those instructions went way over my head.
Did I mention I'm blonde?...LOL

I do agree with you though. It seems as a clean install would be my best bet.
I would have to pay someone to do those sorts of things for me, which I
don't mind doing at all. I'd rather be safe.

I really appreciate the help you've given me.
Kim
 
Kim,

Event ID & the Event Source are very important.

To open the Event Viewer...
Start | Run | Type: eventvwr | OK

For any Events that seem related to the problem...

Double click the event in Event Viewer | Click: the button below the second
arrow (looks like two pages) [[Copies the details of the event to the
Clipboard.]] | Paste into Notepad | Click:
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Read all info | Copy and paste to Notepad | Click the [+] Related Knowledge
Base articles | Follow any links that might be useful

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308427

Event Viewer overview
http://www.microsoft.com/resources/.../xp/all/proddocs/en-us/event_overview_01.mspx

This can also be very useful.
You need to have the Event ID & the Event Source.

To view Windows XP Events and Errors, type the Source (for example, Print)
and/or the Event code (for example, 20) into the ID field, then click the Go
button. Source and Event codes may be found in the Event Viewer logs.

Windows XP Home/Professional Events and Errors
http://www.microsoft.com/technet/su...ows Operating System&MajorMinor=5.1&LCID=1033

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
TxRose said:
Hi Wes,
Yes, it appears that did help.
It shows disabled, instead of being started.
I also see no entries listed of a remote access in the event viewer.
Whoo hoo..LOL

This entry in the event viewer looks good:
The Remote Access Connection Manager service was successfully sent a
stop control.
Thank you for helping me get that turned off.

However, when I just rebooted, I did see these, which do not look
good in my opinion, but I could be wrong:

The first one has been going on for a long time, and is still
showing.

Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: OWNER-1E81AA74C
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: OWNER-1E81AA74C

The protected system file c:\windows\system32\racpldlg.dll could not
be verified as valid because Windows File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later
time.

The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error:
A device attached to the system is not functioning.

Your computer was not able to renew its address from the network
(from the DHCP Server) for the Network Card with network address
0011099706B4. The following error occurred:
The semaphore timeout period has expired. . Your computer will
continue to try and obtain an address on its own from the network
address (DHCP) server.

Your computer has detected that the IP address 66.25.204.98 for the
Network Card with network address 0011099706B4 is already in use on
the network. Your computer will automatically attempt to obtain a
different address.

Your computer has detected that the IP address 0.0.0.0 for the
Network Card with network address 0011099706B4 is already in use on
the network. Your computer will automatically attempt to obtain a
different address.

Your computer was not able to renew its address from the network
(from the DHCP Server) for the Network Card with network address
0011099706B4. The following error occurred:
The semaphore timeout period has expired. . Your computer will
continue to try and obtain an address on its own from the network
address (DHCP) server.

The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswTdi
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
vsdatant

Looks like a fun time huh?

Kim

Wesley Vogel said:
Kim,

Reboot.

And then check on the Remote Access Connection Manager in Services,
it probably won't have started since you disabled it.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
TxRose said:
Hi Wesley,
Here are the results from what I just did in the services.msc.

The Remote Access Auto Connection was already stopped, and I did the
type set to disabled.

The Remote Desktop Help Session Manager, was also stopped, and I did
the type set to disabled.

The Remote Access Connection Manager would not allow me to stop it.
The type set is set to Start, but I got an error saying :
Could not stop the Remote Access Connection Manager on Local
Computer. Error 1053: The service did not respond to the start or
control request in a timely fashion.
Anyway, I did the type set to Disabled.

I am not sure if I should have, but I stopped the secondary logon,
and set it to disabled too.

It looks like there are a lot of things there I would like to
disable, but I won't without some kind of assistance first.

Now, when I right click on my computer/properties/remote tab, it is
unchecked to Allow Remote Assistance invitations to be sent from
this computer.
There was not another option listed.

Kim

:

[[Remote Access Auto Connection Manager is on by default in Windows
XP Professional computers that are not members of a domain and in
Windows XP Home Edition.]]

Open Services and disable Remote Access Auto Connection Manager...

Start | Run | Type: services.msc | Click OK |
Scroll down to and double click: Remote Access Auto Connection
Manager | If the service is running, click the Stop button | When
it has stopped, under Startup
type set to Disabled | Apply | OK |

Do the same for Remote Access Connection Manager & Remote Desktop
Help Session Manager.

Right click My Computer | Properties | Remote tab |
Make sure that both of these are UNChecked:
- Allow Remote Assistance invitations to be sent from this computer
- Allow users to connect remotely to this computer

Turn on a firewall.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In TxRose <[email protected]> hunted and pecked:
I have very very strange entries in my registry and event viewer
that are adding up to no good.

I have talked with Microsoft today, and what we tried did not
solve the problem.
I really don't want to wait until Monday to call them back.

Does anyone know where I might find where remote access connection
manager is in the registry?
 
Hi Wes,
Yes that information does help. Thank you.
I agree that the information of the Event ID & the Event Source are very
important.
Too bad it wasn't you that I talked with while on the phone with Microsoft.

The Microsoft tech and I talked for hours on the phone yesterday, and I was
told that my computer is clean, and everything is fine. We tried all sorts of
things looking for viruses/worms. We purged the cache, cleared out SSL state,
ran scans, and cleaned out passwords, and even deleted a couple of folders in
the registry.
I ended up telling him I would just take my computer into the shop. I was
told it would be a waste of my money..LOL
He did not seem to care about the info of the Event ID & the Event Source.
I am still having way too many unknown user name/bad password entries.
I also do not like the successful ANONYMOUS LOGONs.

Maybe I'm crazy, but these two entries alone, do not look right to me, as
they are still happening.

Thanks for the links. Especially the one for events and errors help.

Kim

 
Kim,

These??

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529

[[The event occurred on Windows XP if the machine environment meets the
following criteria:
- The machine is a member of a domain.
- The machine is using a machine local account.
- Logon failure auditing is enabled.
When the user logs off, Windows will write event ID 529 to the log file
because the OS incorrectly tries to contact the domain controller (DC),
despite the fact that the machine is using a local account. Microsoft
currently doesn't provide a fix for this problem, but you can safely ignore
this event ID.]]

Security Event 529 Is Logged for Local User Accounts
http://support.microsoft.com/?kbid=811082

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
LOL Wes...

Actually I am now more confused.

I have checked out the articles at:

http://support.microsoft.com/?kbid=305822

http://support.microsoft.com/?kbid=811082

http://support.microsoft.com/?kbid=305822

Mine are similar, but not the same. I am not sure if that matters or not.
There are always 4 failures in a row.

The first being:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: %computer name%
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: %user name%
Source Workstation: %computer name%
Error Code: 0xC000006A

Then

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: %computer name%
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: %user name%
Domain: %computer name%
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: %computer name%

Then

Both of the two errors above repeated once again.

What I got out of the MS articles is:

1. Disable the Welcome screen and use the classic logon screen
(which I don't know how to do)
2. This was supposed to be fixed with sp1. Guess what? It wasn't ...LOL
3. Turn off auditing of logon events.
To do this, the article on:
http://support.microsoft.com/?kbid=305822
tells me to:

To turn off auditing in the Microsoft Management Console (MMC) snap-in for
Group Policy:

1. Click Start, click Run, type gpedit.msc, and then click OK.

But

My computer stops me from going any farther, as I get an error saying my
computer can't find gpedit.msc.

2. In the left pane, expand the following items:
• Local Computer Policy
• Computer Configuration
• Windows Settings
• Security Settings
• Local Policy
3. Click Audit Policy.
4. Double-click Audit Logon Events.
5. Click to clear the Success and Failure check boxes.
6. Click OK.
7. Close the Group Policy window.

Do you know why I would be getting this success event?

Date:
Time:
Type: Success A
Source: Security
Category: Logon/Logoff
Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: owner
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x2C33D)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

This is all getting to be too much. I just want to use my computer to have
fun, and enjoy myself.
All this spyware, adware, trojans, worms, yada yada yada is to the point of
being ridiculous.
If there is help on the way for us home computer users, it can't come soon
enough.

I don't ever remember having this many problems using 98, or ME. At least
not to my knowledge.
I'm sure they had their problems too,.....but everyday, I look at those
other 2 computers sitting there on the other side of the room, and my
thoughts are getting closer to swapping them out to use, instead of this XP
one..LOL

And, if those people in China and Korea don't stop pinging me, I think I'll
scream.

I just got probed by someone with the IP address of 205.98.250.77,
using the name:
SPACE AND NAVAL WARFARE SYSTEM COMMAND
City: WASHINGTON

Don't these people have anything better to do? And what's in it for them?

Thanks for the help Wes,

Kim

Wesley Vogel said:
Kim,

These??

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529

[[The event occurred on Windows XP if the machine environment meets the
following criteria:
- The machine is a member of a domain.
- The machine is using a machine local account.
- Logon failure auditing is enabled.
When the user logs off, Windows will write event ID 529 to the log file
because
the OS incorrectly tries to contact the domain controller (DC), despite the
fact that the machine is using a local account. Microsoft currently doesn't
provide a fix for this problem, but you can safely ignore this event ID.]]

Security Event 529 Is Logged for Local User Accounts
http://support.microsoft.com/?kbid=811082

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
TxRose said:
Hi Wes,
Yes that information does help. Thank you.
I agree that the information of the Event ID & the Event Source are
very important.
To bad it wasn't you that I talked with while on the phone with
Microsoft.

The Microsoft tech and I talked for hours on the phone yesterday, and
I was told that my computer is clean, and everything is fine. We
tried all sorts of things looking for viruses/worms. We purged the
cache, cleared out SSL state, ran scans, and cleaned out passwords,
and even deleted a couple of folders in the registry.
I ended up telling him I would just take my computer into the shop. I
was told it would be a waste of my money..LOL
He did not seem to care about the info of the Event ID & the Event
Source.
I am still having way too many unknown user name/bad password entries.
I also do not like the successful ANONYMOUS LOGONs.

Maybe I'm crazy, but these two entires alone, do not look right to
me, as they are still happening.

Thanks for the links. Especially the one for events and errors help.

Kim

Wesley Vogel said:
Kim,

Event ID & the Event Source are very important.

To open the Event Viewer...
Start | Run | Type: eventvwr | OK

For any Events that seem related to the problem...

Double click the event in Event Viewer | Click: the button below the
second arrow (looks like two pages) [[Copies the details of the
event to the Clipboard.]] | Paste into Notepad | Click:
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Read all info | Copy and paste to Notepad | Click the [+] Related
Knowledge Base articles | Follow any links that might be useful

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308427

Event Viewer overview
http://www.microsoft.com/resources/.../xp/all/proddocs/en-us/event_overview_01.mspx

This can also be very useful.
You need to have the Event ID & the Event Source.

To view Windows XP Events and Errors, type the Source (for example,
Print) and/or the Event code (for example, 20) into the ID field,
then click the Go button. Source and Event codes may be found in
the Event Viewer logs.

Windows XP Home/Professional Events and Errors
http://www.microsoft.com/technet/su...ows Operating System&MajorMinor=5.1&LCID=1033

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In TxRose <[email protected]> hunted and pecked:
Hi Wes,
Yes, it appears that did help.
It shows disabled, instead of being started.
I also see no entries listed of a remote access in the event viewer.
Whoo hoo..LOL

This entry in the event viewer looks good:
The Remote Access Connection Manager service was successfully sent a
stop control.
Thank you for helping me get that turned off.

However, when I just rebooted, I did see these, which do not look
good in my opinion, but I could be wrong:

The first one has been going on for a long time, and is still
showing.

Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: OWNER-1E81AA74C
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: OWNER-1E81AA74C

The protected system file c:\windows\system32\racpldlg.dll could not
be verified as valid because Windows File Protection is terminating.
Use the SFC utility to verify the integrity of the file at a later
time.

The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error:
A device attached to the system is not functioning.

Your computer was not able to renew its address from the network
(from the DHCP Server) for the Network Card with network address
0011099706B4. The following error occurred:
The semaphore timeout period has expired. . Your computer will
continue to try and obtain an address on its own from the network
address (DHCP) server.

Your computer has detected that the IP address 66.25.204.98 for the
Network Card with network address 0011099706B4 is already in use on
the network. Your computer will automatically attempt to obtain a
different address.

Your computer has detected that the IP address 0.0.0.0 for the
Network Card with network address 0011099706B4 is already in use on
the network. Your computer will automatically attempt to obtain a
different address.

Your computer was not able to renew its address from the network
(from the DHCP Server) for the Network Card with network address
0011099706B4. The following error occurred:
The semaphore timeout period has expired. . Your computer will
continue to try and obtain an address on its own from the network
address (DHCP) server.

The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswTdi
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
vsdatant

Looks like a fun time huh?

Kim

:

Kim,

Reboot.

And then check on the Remote Access Connection Manager in Services,
it probably won't have started since you disabled it.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In TxRose <[email protected]> hunted and pecked:
Hi Wesley,
Here ae the results from what I just did in the services.msc.

The Remote Access Auto Connection was already stopped, and I did
the type set to disabled.

The Remote Desktop Help Session Manager, was also stopped, and I
did the type set to disabled.

The Remote Access Connection Manager would not allow me to stop
it. The type set is set to Start, but I got an error saying :
Could not stop the Remote Access Connection Manager on Local
Computer. Error 1053: The service did not respond to the start or
control request in a timely fashion.
Anyway, I did the type set to Disabled.

I am not sure if I should have, but I stopped the secondary logon,
and set it to disabled too.

It looks like there are alot of things there I would like to
disable, but I won't without some kind of assistance first.

Now, when I right click on my computer/properties/remote tab, it
is unchecked to Allow REmote Assistance invitations to be sent
from this computer.
There was not another option listed.

Kim

:

[[Remote Access Auto Connection Manager is on by default in
Windows XP Professional computers that are not members of a
domain and in Windows XP Home Edition.]]

Open Services and disable Remote Access Auto Connection
Manager...

Start | Run | Type: services.msc | Click OK |
Scroll down to and double click: Remote Access Auto Connection
Manager | If the service is running, click the Stop button | When
it has stopped, under Startup
type set to Disabled | Apply | OK |

Do the same for Remote Access Connection Manager & Remote Desktop
Help Session Manager.

Right click My Computer | Properties | Remote tab |
Make sure that both of these are UNChecked:
Allow Remote Assistance invitations to be sent from this computer
Allow users to connect remotely to this computer

Turn on a firewall.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In TxRose <[email protected]> hunted and pecked:
I have very very strange entries in my registry and event viewer
that are adding up to no good.

I have talked with Microsoft today, and what we tried did not
solve the problem.
I really don't want to wait until Monday to call them back.

Does anyone know where I might find where remote access
connection manager is in the registry?
 
Kim,

My advice is to ignore Event ID 680 & 529. That's what I do. I get them
both quite often.

ID: 540 Source: Security

[[User Action
No user action is required.]]
http://www.microsoft.com/technet/su...indows+Operating+System&LCID=1033&ProdVer=5.0

After the novelty wears off you'll quit worrying about what the firewall
reports and just block every incoming. Although the SPACE AND NAVAL WARFARE
SYSTEM COMMAND is more interesting than anything I ever got. ;-) Maybe
they need some more computing power and heard about you. <LOL>

Keep having fun!

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
TxRose said:
LOL Wes...

Actually I am now more confused.

I have checked out the articles at:

http://support.microsoft.com/?kbid=305822

http://support.microsoft.com/?kbid=811082

http://support.microsoft.com/?kbid=305822

Mine are similar, but not the same. I am not sure if that matters or
not. There are always 4 failures in a row.

The first being:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: %computer name%
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: %user name%
Source Workstation: %computer name%
Error Code: 0xC000006A

Then

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: %computer name%
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: %user name%
Domain: %computer name%
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: %computer name%

Then

Both of the two errors above repeated once again.

What I got out of the MS articles is:

1. Disable the Welcome screen and use the classic logon screen
(which I don't know how to do)
2. This was supposed to be fixed with sp1. Guess what? It wasn't ...LOL
3. Turn off auditing of logon events.
To do this, the article on:
http://support.microsoft.com/?kbid=305822
tells me to:

To turn off auditing in the Microsoft Management Console (MMC)
snap-in for Group Policy:

1. Click Start, click Run, type gpedit.msc, and then click OK.

But

My computer stops me from going any farther, as I get an error
saying my computer can't find gpedit.msc.

2. In the left pane, expand the following items:
• Local Computer Policy
• Computer Configuration
• Windows Settings
• Security Settings
• Local Policy
3. Click Audit Policy.
4. Double-click Audit Logon Events.
5. Click to clear the Success and Failure check boxes.
6. Click OK.
7. Close the Group Policy window.

Do you know why I would be getting this success event?

Date: Source: Security
Time: Category: Logon/Logoff
Type: Success A Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: owner
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x2C33D)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

This is all getting to be too much. I just want to use my computer to
have fun, and enjoy myself.
All this spyware, adware, trojans, worms, yada yada yada is to the
point of being ridiculous.
If there is help on the way for us home computer users, it can't come
soon enough.

I don't ever remember having this many problems using 98, or ME. At
least not to my knowledge.
I'm sure they had their problems too,.....but everyday, I look at
those other 2 computers sitting there on the other side of the room,
and my thoughts are getting closer to swapping them out to use,
instead of this XP one..LOL

And, if those people in China and Korea don't stop pinging me, I
think I'll scream.

I just got probed by someone with the IP address of 205.98.250.77,
using the name:
SPACE AND NAVAL WARFARE SYSTEM COMMAND
City: WASHINGTON

Don't these people have anything better to do? And what's in it for
them?

Thanks for the help Wes,

Kim

Wesley Vogel said:
Kim,

These??

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529

[[The event occurred on Windows XP if the machine environment meets
the following criteria:
- The machine is a member of a domain.
- The machine is using a machine local account.
- Logon failure auditing is enabled.
When the user logs off, Windows will write event ID 529 to the log
file because
the OS incorrectly tries to contact the domain controller (DC),
despite the fact that the machine is using a local account.
Microsoft currently doesn't provide a fix for this problem, but you
can safely ignore this event ID.]]

Security Event 529 Is Logged for Local User Accounts
http://support.microsoft.com/?kbid=811082

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In
TxRose said:
Hi Wes,
Yes that information does help. Thank you.
I agree that the information of the Event ID & the Event Source are
very important.
Too bad it wasn't you that I talked with while on the phone with
Microsoft.

The Microsoft tech and I talked for hours on the phone yesterday,
and I was told that my computer is clean, and everything is fine. We
tried all sorts of things looking for viruses/worms. We purged the
cache, cleared out SSL state, ran scans, and cleaned out passwords,
and even deleted a couple of folders in the registry.
I ended up telling him I would just take my computer into the shop.
I was told it would be a waste of my money..LOL
He did not seem to care about the info of the Event ID & the Event
Source.
I am still having way too many unknown user name/bad password
entries. I also do not like the successful ANONYMOUS LOGONs.

Maybe I'm crazy, but these two entries alone, do not look right to
me, as they are still happening.

Thanks for the links. Especially the one for events and errors help.

Kim

:

Kim,

Event ID & the Event Source are very important.

To open the Event Viewer...
Start | Run | Type: eventvwr | OK

For any Events that seem related to the problem...

Double click the event in Event Viewer | Click: the button below
the second arrow (looks like two pages) [[Copies the details of the
event to the Clipboard.]] | Paste into Notepad | Click:
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Read all info | Copy and paste to Notepad | Click the [+] Related
Knowledge Base articles | Follow any links that might be useful

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308427

Event Viewer overview
http://www.microsoft.com/resources/.../xp/all/proddocs/en-us/event_overview_01.mspx
This can also be very useful.
You need to have the Event ID & the Event Source.

To view Windows XP Events and Errors, type the Source (for example,
Print) and/or the Event code (for example, 20) into the ID field,
then click the Go button. Source and Event codes may be found in
the Event Viewer logs.

Windows XP Home/Professional Events and Errors
http://www.microsoft.com/technet/su...ows Operating System&MajorMinor=5.1&LCID=1033
--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In TxRose <[email protected]> hunted and pecked:
Hi Wes,
Yes, it appears that did help.
It shows disabled, instead of being started.
I also see no entries listed of a remote access in the event
viewer. Whoo hoo..LOL

This entry in the event viewer looks good:
The Remote Access Connection Manager service was successfully
sent a stop control.
Thank you for helping me get that turned off.

However, when I just rebooted, I did see these, which do not look
good in my opinion, but I could be wrong:

The first one has been going on for a long time, and is still
showing.

Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: OWNER-1E81AA74C
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: OWNER-1E81AA74C

The protected system file c:\windows\system32\racpldlg.dll could
not be verified as valid because Windows File Protection is
terminating. Use the SFC utility to verify the integrity of the
file at a later time.

The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error:
A device attached to the system is not functioning.

Your computer was not able to renew its address from the network
(from the DHCP Server) for the Network Card with network address
0011099706B4. The following error occurred:
The semaphore timeout period has expired. . Your computer will
continue to try and obtain an address on its own from the network
address (DHCP) server.

Your computer has detected that the IP address 66.25.204.98 for
the Network Card with network address 0011099706B4 is already in
use on the network. Your computer will automatically attempt to
obtain a different address.

Your computer has detected that the IP address 0.0.0.0 for the
Network Card with network address 0011099706B4 is already in use
on the network. Your computer will automatically attempt to
obtain a different address.

Your computer was not able to renew its address from the network
(from the DHCP Server) for the Network Card with network address
0011099706B4. The following error occurred:
The semaphore timeout period has expired. . Your computer will
continue to try and obtain an address on its own from the network
address (DHCP) server.

The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswTdi
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
vsdatant

Looks like a fun time huh?

Kim

:

Kim,

Reboot.

And then check on the Remote Access Connection Manager in
Services, it probably won't have started since you disabled it.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In TxRose <[email protected]> hunted and pecked:
Hi Wesley,
Here are the results from what I just did in the services.msc.

The Remote Access Auto Connection was already stopped, and I did
the type set to disabled.

The Remote Desktop Help Session Manager, was also stopped, and I
did the type set to disabled.

The Remote Access Connection Manager would not allow me to stop
it. The type set is set to Start, but I got an error saying :
Could not stop the Remote Access Connection Manager on Local
Computer. Error 1053: The service did not respond to the start
or control request in a timely fashion.
Anyway, I did the type set to Disabled.

I am not sure if I should have, but I stopped the secondary
logon, and set it to disabled too.

It looks like there are a lot of things there I would like to
disable, but I won't without some kind of assistance first.

Now, when I right click on my computer/properties/remote tab, it
is unchecked to Allow Remote Assistance invitations to be sent
from this computer.
There was not another option listed.

Kim

:

[[Remote Access Auto Connection Manager is on by default in
Windows XP Professional computers that are not members of a
domain and in Windows XP Home Edition.]]

Open Services and disable Remote Access Auto Connection
Manager...

Start | Run | Type: services.msc | Click OK |
Scroll down to and double click: Remote Access Auto Connection
Manager | If the service is running, click the Stop button | When
it has stopped, under Startup type set to Disabled | Apply | OK |

Do the same for Remote Access Connection Manager & Remote Desktop
Help Session Manager.

Right click My Computer | Properties | Remote tab |
Make sure that both of these are UNChecked:
Allow Remote Assistance invitations to be sent from this computer
Allow users to connect remotely to this computer

Turn on a firewall.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In TxRose <[email protected]> hunted and pecked:
I have very very strange entries in my registry and event
viewer that are adding up to no good.

I have talked with Microsoft today, and what we tried did not
solve the problem.
I really don't want to wait until Monday to call them back.

Does anyone know where I might find where remote access
connection manager is in the registry?
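
An added example, not part of any post in this thread: a Python sketch that reads event text pasted from Event Viewer (the copy-to-Notepad step described above) and separates the 680/529 failures recorded against this PC's own name from the Event 540 anonymous network logon. The sample text is constructed from the records quoted in the thread and reduced to the fields used; the function names and the origin labels are this example's own.

```python
import re
# Constructed sample: the three record types quoted in this thread, cut down to the fields read below.
SAMPLE = """\
Event ID: 680
Source Workstation: OWNER-1E81AA74C
Error Code: 0xC000006A

Event ID: 529
Logon Type: 2
Workstation Name: OWNER-1E81AA74C

Type: Success A Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Type: 3
Workstation Name:
"""

def parse_events(text):
    """Split pasted text on blank lines; return one field dict per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            line = line[max(line.find("Event ID:"), 0):]  # Event ID may share a line with Type:
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def triage(ev, computer):
    """Return (event id, origin, note); computer is this PC's own name."""
    eid, ltype = ev["Event ID"], ev.get("Logon Type")
    ws = ev.get("Source Workstation") or ev.get("Workstation Name") or ""
    origin = "this PC" if ws.upper() == computer.upper() else "network or unknown"
    if eid == "680":
        code = ev.get("Error Code", "")
        note = "bad password" if code.upper() == "0XC000006A" else "failed, code " + code
    elif eid == "529":
        note = "failed interactive logon" if ltype == "2" else "failed logon, type %s" % ltype
    elif eid == "540" and "ANONYMOUS LOGON" in ev.get("User", ""):
        note = "anonymous network logon (null session, no credentials)"
    else:
        note = "not classified by this example"
    return eid, origin, note

def summarize(text, computer):
    return [triage(ev, computer) for ev in parse_events(text)]
```

Records labelled "this PC" carry the machine's own name in their workstation field, as the 680 and 529 entries posted in the thread do; a record with any other workstation name, or none, was not recorded as coming from this machine.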
 