
POSSIBLE HACK...PLEASE, PLEASE HELP!


Annie

unread,
Jul 20, 2008, 7:30:00 PM7/20/08
to
Three days ago, I had RoadRunner (cable internet connection) hooked up. The
tech turned off both my firewalls and DIDN'T tell me! (Shame on me for not
checking) Just a few minutes ago, while I was surfing, all my programs
opened up, one by one.

Was my computer hacked and did someone get all my personal information?!
I'm running my virus program right now. What else should I do? Please help.
I'm a nervous wreck right now!

Thanks,

Annie

PA Bear [MS MVP]

unread,
Jul 20, 2008, 8:06:24 PM7/20/08
to
Windows version (e.g., WinXP SP3; Vista SP1)?

What do you mean by "both firewalls"? You should only have one (1) firewall
enabled at a time, Annie.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Annie

unread,
Jul 20, 2008, 8:21:00 PM7/20/08
to
Windows firewall and Zone Alarm firewall. Which one do you recommend I keep
on?

Shenan Stanley

unread,
Jul 20, 2008, 8:28:37 PM7/20/08
to
Annie wrote:
> Windows firewall and Zone Alarm firewall. Which one do you
> recommend I keep on?

Given that you are asking - the Windows Firewall will be more than
sufficient and easier to use and keep updated.

My Suggestion: Uninstall Zone Alarm completely and just utilize the built in
Windows XP Firewall and an updated antivirus application. Occasionally run
an AntiSpyware application to see if you have been infested with anything
and/or purchase one. SuperAntiSpyware is a good free/for pay one. AVG
AntiVirus is a good Free AV application (8.0).

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


Shenan Stanley

unread,
Jul 20, 2008, 8:35:33 PM7/20/08
to
<snipped>

Annie wrote:
> Windows firewall and Zone Alarm firewall. Which one do you
> recommend I keep on?

Shenan Stanley wrote:
> Given that you are asking - the Windows Firewall will be more than
> sufficient and easier to use and keep updated.
>
> My Suggestion: Uninstall Zone Alarm completely and just utilize the
> built in Windows XP Firewall and an updated antivirus application.
> Occassionally run an AntiSpyware application to see if you have
> been infested with anything and/or purchase one. SuperAntiSpyware
> is a good free/for pay one. AVG AntiVirus is a good Free AV
> application (8.0).

Oh - are you on high-speed Internet (Cable Modem, DSL, etc) and if so - do
you have a router between you and the internet? (Do you connect directly to
the Internet and get an actual external IP address or an internal IP
address?)

If you are unsure - do the following..

1) Find out your IP address internally:
- Click on the Start button
- Select RUN
- Type in: cmd /k ipconfig
- Note the IP address...

2) Find out your external IP address:
- Open Internet Explorer
- Visit the following web page:
http://whatismyip.com
- Note the IP address...

Are they different? Is your internal IP address 10.x.x.x or 192.168.x.x?
If so - you are behind a router. Hopefully this router has been properly
configured and the administrator password on it changed.

Annie

unread,
Jul 20, 2008, 8:51:01 PM7/20/08
to
I'm using high-speed internet with a router. The tech brought their own so
it's brand new...Netgear. How could the password change after he configured
it? I'm lost.

Shenan Stanley

unread,
Jul 20, 2008, 9:12:16 PM7/20/08
to
<snipped>

Shenan Stanley wrote:
> Oh - are you on high-speed Internet (Cable Modem, DSL, etc) and if
> so - do you have a router between you and the internet? (Do you
> connect directly to the Internet and get an actual external IP
> address or an internal IP address?)
>
> If you are unsure - do the following..
>
> 1) Find out your IP address internally:
> - Click on the Start button
> - Select RUN
> - Type in: cmd /k ipconfig
> - Note the IP address...
>
> 2) Find out your external IP address:
> - Open Internet Explorer
> - Visit the following web page:
> http://whatismyip.com
> - Note the IP address...
>
> Are they different? Is your internal IP address 10.x.x.x or
> 192.168.x.x? If so - you are behind a router. Hopefully this
> router has been properly configured and the administrator password
> on it changed.

Annie wrote:
> I'm using high-speed internet with a router. The tech brought
> their own so it's brand new...Netgear. How could the password
> change after he configured it? I'm lost.

No - I said I *hoped* it had been changed from the DEFAULT... It comes from
the factory with a default password set that anyone with the same router (or
Internet access, or just guessing probably) could know.

If you have a router - you were probably not hacked unless the 'tech' did it
or that default password was not changed. By having a router - it makes you
virtually invisible to the outside world (public internet) and without
forwarding ports and services on the router itself - people are not going to
be likely to get onto your computer. Those routers do not *require* that
you change the password from default to work - nor do they usually require
any actual configuration - just plug them in and go.

Now - if the default (from the factory) password was not changed on your
Netgear router - it is possible you got infested/infected with something
that could give someone access to your computer despite the router being
there and/or change the router settings to allow more remote control.

If that router has been in place the whole time you were connected to the
Internet and it did have its default password changed to something only you
know (or your IT tech..) - then it is unlikely that you have been *hacked* -
however - you may have been infested with a Trojan, a worm or spyware or
adware. If so - that software could have easily sent out your information
and/or whatever it wanted to whatever address(es) it was programmed to do.
A software firewall *might* have helped in such a situation if it monitored
outgoing traffic - but then again - it might not - as it may have been
modified by the installation itself to allow for it to go unnoticed.

Annie

unread,
Jul 20, 2008, 9:41:05 PM7/20/08
to
The tech had me come up with a long password for the network key. Is that
the password you're talking about? He does know it and I'm not sure how to
change it on my own. (I'll figure that out later) If that's not what you're
talking about, I have no idea if he changed anything else from default.
Guess I'll have to call the BrightHouse tech tomorrow.

I ran my antivirus: no virus
I ran AdAware: about 200 cookies
I ran Spybot: fixed 68

Computer was taking forever to reboot so I manually turned it off (by the
button). I knew right there something was wrong. All files were modified
with today's date, too. ???

Thanks so much for the info.

Shenan Stanley

unread,
Jul 20, 2008, 9:56:50 PM7/20/08
to
Annie wrote:
> The tech had me come up with a long password for the network key.
> Is that the password you're talking about? He does know it and I'm
> not sure how to change it on my own. (I'll figure that out later)
> If that's not what you're talking about, I have no idea if he
> changed anything else from default. Guess I'll have to call the
> BrightHouse tech tomorrow.
>
> I ran my antivirus: no virus
> I ran AdAware: about 200 cookies
> I ran Spybot: fixed 68
>
> Computer was taking forever to reboot so I manually turned it off
> (by the button). I knew right there something was wrong. All
> files were modified with today's date, too. ???
>
> Thanks so much for the info.

No - the wireless password that he probably set for WEP, WPA or WPA2 is not
the same as the password for the router itself. (Well - I suppose they
could be set that way - but the WEP/WPA/WPA2 password for wireless
connectivity is not what we are concerned with here.)

When you did the IPCONFIG from the earlier posting - what was the internal
IP you received? If I had to venture a guess - it would be 192.168.1.# (#
could be anything between 2 and 254...) If so (or something like that) -
then what you can do is test if the Netgear router configuration password
has been set.

Open your Internet Explorer on a machine connected to that router for
Internet service. For the address type the first three digits of the IP you
have and the last number will be a one (example - if your IP is 10.0.0.45,
type http://10.0.0.1/ and press enter. If your IP was 192.168.1.56, then
you would type http://192.168.1.1/ and press enter - etc.) It should come
up and ask you for a username and password. The username is "admin" (sans
the quotes) and the password - if still set to default - is "password" (sans
the quotes.) If the tech changed it - you will know because the default
admin/password will fail.

As for "files were modified with today's date" - dependent on where the
files were changed (which files exactly and which date (modified, created or
accessed) - that could mean nothing. Honestly - did you look at *all* the
files on your machine or in a particular directory - and what particular
directory?

If the machine is not connected to the Internet - it cannot send anything
else out.

Download and put SuperAntiSpyware on it - scan with it.
Get MultiAV and put it on it and run it per instructions.

(Google for those two products.)
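The two checks Shenan describes (compare the internal address from ipconfig with the external one, and derive the router's admin address from the internal one) can be scripted. The following is an added example, not code from the thread or from any of the posters; the ipconfig output and the external address are constructed samples (203.0.113.0/24 is a documentation range, so it never belongs to a real host). It goes slightly beyond the posts: it prefers the Default Gateway line that ipconfig already prints over the "first three octets plus .1" rule of thumb, and it recognises a 169.254.x.x address, which means the PC never got a lease from the router at all.

```python
import ipaddress
import re

# Constructed sample of what "cmd /k ipconfig" prints on Windows XP
# (not output from the original poster's machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.56
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Constructed placeholder for the address whatismyip.com would show.
SAMPLE_EXTERNAL_IP = "203.0.113.42"

# RFC 1918 private ranges: the "10.x.x.x or 192.168.x.x" addresses the post asks about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Automatic private addressing: Windows assigns this itself when no DHCP server answers.
APIPA = ipaddress.ip_network("169.254.0.0/16")

_FIELD = re.compile(r"^\s*(IP Address|Default Gateway)[ .]*:\s*(\S*)")


def parse_ipconfig(text):
    """Pull the IP Address and Default Gateway values out of ipconfig output."""
    found = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m and m.group(2):
            found[m.group(1)] = m.group(2)
    return found.get("IP Address"), found.get("Default Gateway")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(internal_ip, external_ip):
    """Shenan's two-address test, with the no-lease case added.
    'apipa'  : 169.254.x.x, the PC never got an address from any router
    'nat'    : private internal address, so a router is translating for it
    'direct' : the PC holds the public address itself, nothing in between
    'odd'    : public-looking internal address that still differs from the external one"""
    addr = ipaddress.ip_address(internal_ip)
    if addr in APIPA:
        return "apipa"
    if is_rfc1918(internal_ip):
        return "nat"
    if internal_ip == external_ip:
        return "direct"
    return "odd"


def likely_gateway(internal_ip, reported_gateway=None):
    """Address to type into the browser for the router's admin page.
    Prefer the Default Gateway ipconfig reports; fall back to the rule of thumb
    from the post (keep the first three octets, make the last one 1)."""
    if reported_gateway:
        return reported_gateway
    return ".".join(internal_ip.split(".")[:3] + ["1"])


def check(ipconfig_text, external_ip):
    ip, gw = parse_ipconfig(ipconfig_text)
    return {
        "internal": ip,
        "external": external_ip,
        "verdict": classify(ip, external_ip),
        "router_url": "http://%s/" % likely_gateway(ip, gw),
    }


if __name__ == "__main__":
    print(check(SAMPLE_IPCONFIG, SAMPLE_EXTERNAL_IP))
```

A verdict of "nat" with the router URL is the situation Shenan expects for Annie; whether the admin password was ever changed from the factory default is then checked by hand in the browser, as the post describes, and the answer decides how much of the "invisible to the outside world" protection actually applies.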

Annie

unread,
Jul 20, 2008, 10:35:00 PM7/20/08
to
Hi Shenan,

I checked my internal and external IPs. They're different. I typed the
username and password as you said but got spooked when it said: Warning:
This server is requesting that your username and password be sent in an
insecure manner (basic authentication without a secure connection)....so I
just clicked cancel rather than OK. I got an 'unauthorized' page. Had I
clicked OK and it 'did' take me to the next page...I want to know where I'm
going before I get there. What would've come next?

When I did the search, I put a * in the search box and asked for any files
modified with today's date. Everything from Program Files to documents to
pictures were on that list. I can't say 'everything' was there, tho.

What's MultiAV? I already ran an antivirus.

Sheesh...thanks for putting up with me. You're a great help in figuring
this out.

Dan

unread,
Jul 21, 2008, 7:05:00 AM7/21/08
to
Sorry, Shenan. I disagree. AVG Free 7.5 antivirus is a good program.
Unfortunately with Free AVG 8, the company apparently broke many of their own
rules and I cannot suggest AVG anymore unless a user is running the legacy
version with AVG 7.5 in which support supposedly is ending in August.

The reason is that AVG 8 has too many false positives on both my system and
my dad's machine when we tried it on XP Professional for me and XP Home for
him. I do not like to disagree with an MVP and please do not jump down my
throat and forgive me for stating my opinion. I am not overly happy with
Avast either if the user is using a 9x machine (such as Windows 98 Second
Edition) but if the machine is using a more modern operating system such as
Windows XP then I would suggest Microsoft's antivirus of Windows Live One
Care because I have not had issues with it so far except the stupid red
notification it gives me because I do not enable automatic updates since I
enjoy reading about every security update.

Dan

unread,
Jul 21, 2008, 7:16:01 AM7/21/08
to
Thanks for your feedback to Annie on this Milo. What would be your best
suggestions for cleaning the machine? Would Windows LiveOneCare be able to
clean it fully or would it take a combination method of this and perhaps
things like Spybot Search and Destroy which I see Annie already ran. Annie
also apparently ran Adaware SE (shudder --- too many false positives --
wrecked a computer once when I ran it and applied the fixes without the
proper backups to that computer in place --- I know better now and learned my
lesson well and would never suggest anyone to use it in the future.) Annie,
I am changing your title, to lowercase because uppercase is like shouting in
the discussion newsgroup and the title based on Milo's expertise of the
situation that has come to light. Annie, which antivirus program did you
run. I also like 2 other tools which are cwshredder and HiJack This which
Annie will need to run. Once, we can get your machine cleaned then we can
help to offer the appropriate safeguards via safety and security of your
machine to help prevent such problems in the future.

"Milo" wrote:

> Annie the way you describe it alone but am not saying yet that you have one
> but you may have a PE infection ( Virus ) and well recently we have a what
> we call PE_Sality / PE_Patch infector that are being delivered by
> polymorphic malicious files Trojan and Downloaders with combo rootkit since
> it bypassed your Firewall.
>
> If it opened up all your program on their own that was stage 1 ( that would
> be in injecting itself already )
> taking too much time and almost all of the file was modified to the recent
> date ( it means injection completed file headers already modified )
>
> next time maybe you ought to invest on a better Anti-virus or/and Firewall.
>
>
> "Annie" <An...@discussions.microsoft.com> wrote in message
> news:1497AA21-C261-40C4...@microsoft.com...

Annie

unread,
Jul 21, 2008, 7:50:02 AM7/21/08
to
Thank you, Dan and Milo.

So what is the next step? I'm not going to turn on that computer just yet.
Where do I find the PE_Sality / PE_Patch at a safe site and should I download
that first before anything else? Should I then run the programs Dan
suggested...in that order?

I'm running Windows XP Home edition on that computer.

I checked my IP addresses per Shenan's advice, they're different. I tried
to login as 'admin' and put the default password in. I then got a 'warning'
screen' so just clicked cancel because I didn't know where that was going to
take me. Could I have clicked OK and then just closed the next page had it
submitted? I realize if I did go to the next page my password was 'not'
changed from the default which is bad. I just didn't know where to take it
from there.

Thank you so much for your help.

One more thing...if this was what Milo said it was..does someone out there
have all my personal data (documents, photos, passwords, etc.).

Tom [Pepper] Willett

unread,
Jul 21, 2008, 9:23:14 AM7/21/08
to
Support for AVG 7.5 doesn't end until December, not August.
"Dan" <D...@discussions.microsoft.com> wrote in message
news:1CB0C741-0BD5-420C...@microsoft.com...
: Sorry, Shenan. I disagree. AVG Free 7.5 antivirus is a good program.


Dan

unread,
Jul 21, 2008, 9:24:01 AM7/21/08
to
I am actually posting this reply via the 98 Second Edition side of my
computer which was not hacked in 2007 after the APS network was hacked and
the XP Professional side was compromised, the 98 SE side rode through the
onslaught like a champ without noticing any problems despite the fact that it
was hooked up to the Internet. This is my main reason for my debate with
Steve Riley but I will discuss that later in the appropriate topic area of
this newsgroup. Identity Theft is really terrible. I want to rant and rave
about my problems but will not redirect to help you.

Okay, first come to grips with the worst case scenario although it might not
be the worst case, I feel it is better to get that over with first and then
try not to worry. Secondly, make sure the compromised portion (XP Home) side
of the PC is not connected to the Internet. I figure we are talking about a
single operating system and do not have to deal with Virtual Machines and or
Dual or Tri-Boots. Please correct me if I am wrong. Since the problem is
with Windows XP Home then I certainly would allow a copy of Windows Live One
Care to attempt to fix the problem. Unfortunately, for you this is a
terrible scenario but it will be useful for Microsoft and others to see how
effectively Windows Live One Care can fix your problem. This will make a
great test case to see the effectiveness of Windows Live One Care. Just so
you all know, I enjoy using Microsoft technology but will not limit myself to
a single software or hardware manufacturer. It must be all fully customized
for me to meet my needs and please sorry Annie but do not see me as
insensitive since your case may indeed help all users out.

1. Try to Install and Run Windows Live One Care --- use cd and make sure
your ethernet, usb or phone cord is not connected --- this is a critical step
as far as not being connected to the Internet with that machine or at least
within the compromised operating system (I presume broadband --- cable/dsl or
narrowband if dial-up) ---- access me and others with another non-compromised
machine at this Microsoft Newsgroup ---- Please let us know the results and I
will attempt to provide further assistance --- Milo, Steve Riley and others
are welcome to add their feedback to this case as well to help Annie.

Dan

unread,
Jul 21, 2008, 9:59:02 AM7/21/08
to
Thanks Tom for the correction. AVG must have extended the deadline. It will
be interesting as I have noted in the Windows 98 general newsgroup and MEB
and I have talked about this that Mozilla Firefox 2.0.0.x is set to expire in
December of 2008. Will the 10+ year anniversary of Windows 98 and almost the
10 year anniversary of Windows 98 Second Edition really end up putting the
operating system as truly dead or will there be new life somehow after that.
I am indeed petitioning Mozilla to continue to support Windows 98 Second
Edition with Mozilla Firefox 2 or at least update it to 2.5 and continue to
support legacy users such as myself for good safety reasons.

BTW, Tom have you seen the original Matrix movie and what about the 1980's
Sneakers movie with Robert Redford and how about It's a Wonderful Life with
Jimmy Stewart and Enemy of the State and The Game. These movies are just a
few that really make me think and reflect about life. I am one of those
movie goers who after seeing a really good movie will watch all the credits.
I will try and ask the movie personnel if there is an added extra at the end
because spending around $10 nowadays to see a new release is a real treat for
me. Unfortunately, I have been very disappointed with Hollywood recently
because I think the overall thought and intelligence in movies and the
quality is going way downhill.

PA Bear [MS MVP]

unread,
Jul 21, 2008, 11:03:46 AM7/21/08
to
Support for AVG v7.5 in Win9x ends in August.

PA Bear [MS MVP]

unread,
Jul 21, 2008, 11:05:21 AM7/21/08
to
I've read all replies to this thread as of this post.

Given the fact that you connect via a router, I agree with Shenan: Uninstall
ZA & enable the Windows Firewall.

======================================

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~PA Bear

Dan

unread,
Jul 21, 2008, 11:40:10 AM7/21/08
to
I agree with Robear as well. Please make sure you have the Windows Firewall
on and also please check the no exceptions box to allow nothing to get
through. You will indeed need to remove Zone Alarm Firewall and also please
let us know about programs that you don't recognize in Add/Remove Software.

However, it is useful to Google the software that you do not recognize and
then just read the results without clicking any web link because we don't
want your computer to have any more trash. I like McAfee Site Advisor.
Again, this needs to be done within another operating system or from another
PC and like I said it is best to keep the damaged PC off-line to limit damage
potential because you are in trouble if you keep a compromised computer
on-line until it is fully fixed and machines have been known to become part
of spy-bot networks when this is the case which is bad for all of us in the
World.

Robear, is tops when it comes to safety and security with Windows and he has
great advice.

Shenan Stanley

unread,
Jul 21, 2008, 12:07:10 PM7/21/08
to
Dan wrote:
> Sorry, Shenan. I disagree. AVG Free 7.5 antivirus is a good
> program. Unfortunately with Free AVG 8, the company apparently
> broke many of their own rules and I cannot suggest AVG anymore
> unless a user is running the legacy version with AVG 7.5 in which
> support supposedly is ending in August.
>
> The reason is that AVG 8 has too many false positives on both my
> system and my dad's machine when we tried it on XP Professional for
> me and XP Home for him. I do not like to disagree with an MVP and
> please do not jump down my throat and forgive me for stating my
> opinion. I am not overly happy with Avast either if the user is
> using a 9x machine (such as Windows 98 Second Edition) but if the
> machine is using a more modern operating system such as Windows XP
> then I would suggest Microsoft's antivirus of Windows Live One Care
> because I have not had issues with it so far except the stupid red
> notification it gives me because I do not enable automatic updates
> since I enjoy reading about every security update.

No worries, Dan.

I appreciate opinions - especially when presented with supporting evidence
and sound reasoning. After all - how else would any of us learn anything
about the hundreds upon hundreds of different products out there? While I
admittedly try all I can - there are only so many hours in a day and so many
things I can do to 'try' something before I move on to something else.

I had noticed posts about AVG 7.5 popping up - and not having had trouble
with the AVG 8.0 install *beyond* what I have noted in many posts (how to
get rid of the link scanner and not to install the email scanner) - I
couldn't really fathom why it (7.5) was still popping up. Your post has
brought some insight into this and something for me to look into further.
Thanks!

Dan

unread,
Jul 21, 2008, 2:43:05 PM7/21/08
to
You are most welcome. I am thankfully posting in Windows 98 Second Edition
because I went ahead and removed the extra memory from the computer and went
from 2 gigabytes back to 512 megabytes. I am doing this because I sincerely
believe in the safeness of the 9x source code with the proper security
protocol. Please see the biometrics debate back and forth between me, Steve
Riley and another Daniel and others if you are so interested in our opinions.
Chris Quirke, MVP was the one who really set me on the proper track of the
internal safety and external security approach.

Remember, if the foundation is built upon sand then no matter how powerful
the external foundation is then the foundation (kernel) will indeed crumble.
I read that this will be an issue within 20 years but I think it has come to
a head today with AVG 7.5 which I like and use on 98 Second Edition ending
support in August according to Robear and Mozilla Firefox 2.x ending support
for Windows 98 Second Edition in December. You must remember that Mozilla
Firefox provides 256 AES cipher strength within 98 Second Edition compared to
Internet Explorer which will only give you that cipher strength with Windows
Vista but not XP Professional or Home and I do not know about if it will give
you that strength with the server editions since I have not followed that
software.

Please see the secunia.com website about how vulnerabilities line up with
Windows 98 Second Edition compared to XP Home and Professional and you will
get an idea about my point. I actually now am starting to prefer Windows
2000 Professional to XP because it has more of the 98 Second Edition look and
feel which I enjoy and again less services so there is less surface area to
attack.

Annie

unread,
Jul 21, 2008, 4:56:01 PM7/21/08
to
Thank you everyone for trying to help. This is just too overwhelming for me.
I'm just going to take my computer in to the shop and have them reinstall the
OS and I'll have to reinstall all my other programs.

My router says it has a double firewall so I still don't know how all of
this could've happened even though that guy turned my Windows firewall off.
Makes no sense to me.

Thanks again. I hope all these posts help anyone else who has this problem
and are a bit more experienced than myself.

PA Bear [MS MVP]

unread,
Jul 21, 2008, 5:20:45 PM7/21/08
to
Your router includes a hardware firewall. You should have a software
firewall (e.g., the Windows Firewall) enabled, too.

Milo

unread,
Jul 21, 2008, 10:06:33 PM7/21/08
to
Anne what you have in your system wasn't a hack but a possible virus / the
way you describe it program executing on their own and was modified recently
it's very possible what you're experiencing is a PE_sality / PE_patch Virus
concern.... Sad to say on most occasion it modifies file headers of those
exe and scr files that they become useless.

Next time invest in a better Security Application / firewall alone is
useless to polymorphic and blended threats.

"Annie" <An...@discussions.microsoft.com> wrote in message

news:D05EAB4A-EE75-44C6...@microsoft.com...

Dan

unread,
Jul 22, 2008, 7:24:00 AM7/22/08
to
I think I see the source of the confusion now. Support for free AVG 7.5
currently ends in August 2007 but paid AVG 7.5 will allow you support until
December of 2007. Anyway, this information was lifted from the lockergnome
website via searching about AVG 7.5 in the Google Search Engine.

As far as the stability concerns I totally disagree with the assessment
given below about AVG 8 being stable because it is not stable in my opinion
if it gives it users too many false positives. Unfortunately, this is a
worrying trend with anti virus programs recently and I am not sure who is to
blame. Adaware SE suffered from too many false positives in my opinion.
Even Avast which is an alternative for Windows 98 Second Edition users like
myself has issues with being too overly sensitive like when it claimed
yahoo.com was infected when the website was fine.
I will probably buy AVG 7.5 just to have the support provided for it through
December 31, 2007 and so that still makes me hit a brick wall at the end of
the year with Mozilla Firefox 2.0.0.x and now AVG 7.5 paid version ending
support by the end of the year. As I have mentioned in the Microsoft Windows
98 General Newsgroup, the end of 2007 may indeed be another defining year
just like July 11, 2006 was when Microsoft ended safety and security updates
for Windows 98, Windows 98 Second Edition and Windows Millennium (yuk). I
currently like and am using the trial of Windows Live One Care and if anyone
else really likes an anti virus program that does not give false positives
then please let this newsgroup know.

However, people can still have a safe browsing and Internet Experience using
the proper programs and only using Internet Explorer in Windows 98 Second
Edition for Windows Updates. I am now proving this by using Windows 98
Second Edition and I currently am posting in the newsgroup via Hotmail
(LiveMail) within Mozilla Firefox while using Windows 98 Second Edition so
there I am trying to prove to all the security guys and professionals about
how safe 98 Second Edition is by supposedly putting my system at risk
although when my system was hacked via VPN from the APS Network in the middle
of 2007 the Windows 98 Second Edition side suffered no ill effects even when
connecting it via VPN at the same time. I have since removed the VPN access
from Microsoft Windows 98 Second Edition for logical reasons of course.

There was an attempt by a 98 Guy to break up Internet Explorer patches for
Windows 2000 to apply to Windows 98 Second Edition and I tried it as well but
came to the conclusion it was not worth the potential *.dll hell to have a
supposedly safer and more secure Internet Explorer when the likely
alternative of having 256 bit AES cipher strength with Mozilla Firefox
2.0.0.x in Windows 98 Second Edition was so appealing as well as not having
to deal with ActiveX Technologies that unfortunately while a great tool to
auto-update components is being taken advantage of by malicious users to try
and break the free will of computer users everywhere.

----------Here is the information provided and credit to the right
people---------

Monday, July 14th, 2008
by Ron Schenone

Reader DougCuk has posted a comment in which he states that AVG has a new
end date for support of AVG 7.5 free edition. He states that:

For anyone still hanging on to AVG Free v7.5 the end date has now been
changed - it is now August 31st. But as most sources always stated the Paid
For version will continue until December 31st.

AVG Free v8 now seems pretty stable - so only the diehard Windows 98
users are left to check out the alternative products.

From the AVG Free Forum
http://freeforum.avg.com/read.php?2,136697
IMPORTANT UPDATE
AVG 7.5 Free - Support ends 31st AUGUST 2008
Posted by: michaelhd - AVG Team (IP Logged)
Date: July 9, 2008 04:07PM

Support for AVG 7.5 Free Edition is planned to end on 31st August 2008.
No more virus updates are planned for after that date.
Note that no more ‘program’ updates are due!
Only virus updates will continue until the end date.
AVG 7.5 Paid version will be supported until 31/12/08.

Hopefully this will be the last notice we will be receiving from AVG. But
who knows. They have changed the end date so much, it is hard to really know
that the August 31, 2008 will hold true.

Comments welcome.

Thanks DougCuk.

-------------------------------------------------------------------------------

"PA Bear [MS MVP]" wrote:

Annie

unread,
Jul 22, 2008, 8:00:01 AM7/22/08
to
One more thing...how do I get a patch or how do I get rid of the virus if it
is indeed the PE virus? Is there anything else I can do so the headers
aren't changed.

I turned on the computer yesterday, disabled wireless, and it came on
normally. I'm afraid that if I go back online the trouble will start again.

Also, in my ZA log list, there were a couple of suspicious logs:

Protocol: UDP (all others say TCP)
Source IDs are different than mine
Direction: Routed (all other ones say Outgoing)
Source DNS: one is blank, other has a string of numbers and letters (all
others say Toshiba user)
Destination DNS: blank

What do you make of that?

Annie

unread,
Jul 22, 2008, 9:28:02 AM7/22/08
to
Dan, PABear, Milo, Shenan.....:)

I posted this a few posts ahead but I meant it to be down near the bottom of
the thread...so I'm copying it here:


One more thing...how do I get a patch or how do I get rid of the virus if it
is indeed the PE virus? Is there anything else I can do so the headers
aren't changed.

I turned on the computer yesterday, disabled wireless, and it came on
normally. I'm afraid that if I go back online the trouble will start again.

Also, in my ZA log list, there were a couple of suspicious logs:

Protocol: UDP (all others say TCP)
Source IDs are different than mine
Direction: Routed (all other ones say Outgoing)
Source DNS: one is blank, other has a string of numbers and letters (all
others say Toshiba user) ...is this the person who infected me?
Destination DNS: blank

What do you make of that?

Dan

Jul 22, 2008, 10:07:00 AM
Annie, it is very difficult to discover who hacked you. This would include
tracing logs and other stuff that Steve Riley, MSFT has mentioned in the
Biometrics post. For example, a few years back I had Zone Alarm Professional
and hooked it up to see where port scans were coming from with Windows 98
Second Edition and did not use a hardware firewall purposely so I could allow
ZA to track and figure out where hack attempts were coming from and the
majority appeared to be from China but remember this is back in about 2003 or
so and so the data is not as relevant today and China was followed by the
U.S.A. and then followed by Russia.

How does it make you feel that the hacking may have even come from within
the States? In addition, you must remember as my friend Will, says that
individuals and especially governments have the ability to hide themselves
within other servers in other countries so it is extraordinarily difficult to
see who hacked you.

Anyway, it even boggles my mind to think about it because hackers have the
ability to use different servers in different remote locations around the
world. You may want to watch the Jason B. series and Sneakers from the
1980's to get a small idea of this. I also liked the original Matrix and
although it is fiction, it allows one to have a taste of what potentially may
not be entirely fiction in the future.

Furthermore, I suggest a read of Animal Farm and 1984 by George Orwell as
well to kind of whet your appetite if you are so inclined. There are
numerous technical documents within Microsoft Tech net and if you think that
I am that good then I am not really that good. I am just good because of
hands-on-experience, some computer courses in college, lots of reading
articles on-line especially Chris Quirke, MVP from Africa who I completely
agree with and Chris is what helped make me think how I think today about
computers. In addition, I read PC World, 2600, Game Informer, etc. as well
as I am working slowly but surely through a large textbook about Ubuntu Linux.

Anyway, have you bought a copy of Windows Live One Care and attempted to let
Microsoft's Technology fix your problem? I would be most interested in the
results and Windows Live One Care is not that expensive. Here is a web-link
if you cannot find it in your local Best Buy, CompUSA, Wal-Mart, etc. BTW,
there is no guarantee Windows Live One Care will fix your problem but why not
give it a try. I await your results with great interest.

Please also enjoy the outdoors and do not let technology rule your life.
Perhaps you want to go for a swim, bike ride, walk, see some friends, read a
book and take a break for a day to three days and that is what I must do when
technology overwhelms my brain circuits.

http://onecare.live.com/standard/en-us/default.htm?mkt=en-us

Annie

Jul 22, 2008, 10:30:01 AM
Dan,

I read up a little on One Care. Would I leave my current Antivirus,
Antispyware, etc. on my computer while I used their trial offer? I really
just want the computer checked out at this time. I supposed if I kept it I'd
just uninstall all those others and keep One Care.

When I enable my wireless connection, what would you suggest I do if things
start going crazy (like programs opening again)? Should I shut down
immediately, manually?

BTW...I loved Matrix! :) First one was the best.

Dan

Jul 22, 2008, 11:31:03 AM
<snip>

Annie, please take a break. I must take a break as well and start the day
so please don't expect to hear back from me until this evening at the
earliest and it might not even be until Wednesday or later.

It is fine if you do indeed bring your computer in to be repaired but I ask
as a favor to me that you if you are willing to share with us any
unrecognized programs in add/remove programs of the Windows XP Home Control
Panel.

This would make a great test case and it would be invaluable in helping me
and others in diagnosing Internet Attacks. You of course can choose to do
what you would like to do. If you would rather have a friend or techie you
know do this and post here to us then it would be invaluable to me, Microsoft
and actually the whole world. In addition, please contact the Federal
Government about your identity theft. Here is a website to get the process
started.

http://www.justice.gov/criminal/cybercrime/reporting.htm

The reason I had wanted you to run Windows Live One Care was to see how good
a program it is and this would benefit all of us and let us all see how
Microsoft Technology holds up to competitors like AVG 7.5 anti virus program.
You also can run Spybot Search and Destroy to help eliminate baddies and
SpywareBlaster will help inoculate your machine in the future. Please get
these from reliable sources such as majorgeeks.com and you could just Google
Spybot Search and Destroy from majorgeeks to get it. Please click on any of
the downloads available there but watch out for the ads. Anyway, I download
and jump around with my downloading location and everything else to help keep
any potential follower from trying to fix a pattern to my behavior and that
is also where my learning disability helps greatly in not following the
standard operating procedure.

PA Bear [MS MVP]

Jul 22, 2008, 2:08:49 PM
Have you posted your HijackThis log in an appropriate forum for review by an
expert in such matters yet? If not, you've gotta do that first...or format
& reinstall Windows.

PA Bear [MS MVP]

Jul 22, 2008, 2:11:50 PM
1. Please get your dates right.

2. This is a not a Win9x-specific newsgroup. If you decide to post
Win9x-specific information, please state that fact in your posts, otherwise
you're just confusing matters further.

Thanks.

Dan wrote:
> I think I see the source of the confusion now. Support for free AVG 7.5
> currently ends in August 2007 but paid AVG 7.5 will allow you support until
> December of 2007...
<snip>

Dan

Jul 22, 2008, 3:31:08 PM
Good Point, Robear. Annie after you post your HiJack This Log then please
tell this newsgroup where it is posted so we can analyze what happened to
your computer.

http://majorgeeks.com/download3155.html (for Hijack This --- shows what
is running and allows you to remove running processes)

http://majorgeeks.com/download2471.html (Spybot -- anti-spyware cleaning)

http://majorgeeks.com/download2859.html (SpywareBlaster when your machine
is clean)

and anti virus --- AVG 7.5 not 8 because it has too many false positives or
Windows Live One Care

That should help get you started.

Annie

Jul 22, 2008, 6:41:02 PM
Dan and PABear,

I ran HJ and posted my logs here...http://aumha.net/viewforum.php?f=30
The subject is 'Several Programs Opened at Once'.

So far, everything seems to be running OK until I connect to the internet.
I then get several (!) alerts from ZA saying there are incoming packets. The
Source DNS and Destination DNS look similar to mine only with 4 added
numbers. I'm wondering if there's a conflict between ZA and one of my
programs or if this is part of the original problem. In an earlier post I
noted there was a suspicious entry...way out of sorts from all the rest.
This is when all the trouble started. Hopefully someone can figure it out
from my HJ logs.

A~

Dan

Jul 22, 2008, 8:01:03 PM
Whoops. Sorry about that Robear. Thanks for letting me know. It can indeed
get confusing when I am going back and forth from the 98 general newsgroup
and the public security newsgroup. You are indeed right and I was referring
to Windows 98 Second Edition with support for free AVG 7.5 ending in August
2008 and with support for AVG 7.5 for users who bought AVG 7.5 ending at the
end of December 2008. I am glad you caught my huge mistake. Thank you.
<smile and should I say grin and bear it> You are right and great, imo for
what it is worth.

Dan

Jul 22, 2008, 8:10:07 PM
Please do not connect the compromised machine to the Internet. It will just
make things worse. Do you have any other machine you can use to post
feedback to this newsgroup. Perhaps a second computer or post at a friend's
house? In addition, Zone Alarm will need to be removed. BTW, are you
protected with a router, is the Windows software firewall enabled and has the
no exceptions box checked. What antivirus program are you using? Finally,
please listen to the experts within the aumha.net site. If I remember
correctly, are you running Windows XP Home? A machine is much easier to fix
once it is not connected to the Internet and I would be surprised if anyone
would disagree with that statement.

PA Bear [MS MVP]

Jul 22, 2008, 8:01:09 PM
Link to your thread: http://aumha.net/viewtopic.php?f=30&t=34821

Annie wrote:
> Dan and PABear,
>
> I ran HJ and posted my logs here...http://aumha.net/viewforum.php?f=30
> The subject is 'Several Programs Opened at Once'.
>
> So far, everything seems to be running OK until I connect to the internet.
> I then get several (!) alerts from ZA saying there are incoming packets.
> The Source DNS and Destination DNS look similar to mine only with 4 added
> numbers. I'm wondering if there's a conflict between ZA and one of my
> programs or if this is part of the original problem. In an earlier post I
> noted there was a suspicious entry...way out of sorts from all the rest.
> This is when all the trouble started. Hopefully someone can figure it out
> from my HJ logs.

<snip>

Annie

Jul 22, 2008, 8:37:06 PM
OK, now that I performed HJ, I won't connect anymore. I do have a second
computer to use.

Just wondering, why do I need to remove ZA? Can't I just make changes in
the settings? And if I do uninstall, what would I put in its place for
security? I'm using ZA's firewall right now (compromised computer). I'm
thinking the tech made some changes to it and this is what caused all the
problems.

The new router has 2 firewalls. I use Avast Antivirus - yes, Windows XP
Home Edition. No one has replied to my HJ logs as of yet.

Dan

Jul 22, 2008, 9:38:03 PM
<snipped --- way too long> <Annie please skip down to the numbers at the
bottom>

Sorry but I cannot answer these particular questions due to time constraints
on my end. Remember, I am a volunteer like Robear, MVP and Chris Quirke, MVP
but I do not have MVP status because I have not earned it. I just want to
help people.

I must now remain focused in fixing your compromised computer if we can and
I will try but remember this advice is given with a warning that now that
your computer is broken and our final step will be to do a clean install and
so I must ask you "Do you have a retail copy of Windows XP Home?"

We will indeed have to do a complete clean install in the end for the proper
safety and security protocol of a clean install and if you did not have
backups before then Windows Live One Care is a great place to get backups in
the future and you can put them on a few cds or dvds depending on how much
data you have to back up.

Microsoft even will give you a 90 day free trial which you can get after
your computer is working and I actually am currently using Windows Live One
Care on the XP Professional side of my computer and am coming around to the
conclusion that it is great.

I know there are people thinking that I am just pro-Microsoft but if you see
the Biometrics debate in this newsgroup you will see that Steve Riley, MSFT
and myself and Chris Quirke, MVP have radically different ideas as to the
future of computing and software in general and whether or not Microsoft will
take up this great and challenging role and be the light it once was back in
1998 and show us the pathway towards the future because I think they are the
only ones who can do it but I must convince them to change their ways. My
advice for what it is worth:

1. Remove Zone Alarm (compromised and software messed up)

2. Remove Avast (gives too many false positives -- I still do not like it)

What error messages are you getting and are you able to completely remove
this software. BTW, security and safety is now a non-issue since you are not
connected to the 'Net as long as you don't put any more compromised data onto
your pc via a flash drive, floppy disk, cd, etc.

<side note: All Caps is considered shouting and hard on the eyes at least my
eyes --- smile>

Milo

Jul 23, 2008, 2:27:44 AM
It's better to prevent it than remove it; to this day PE viruses are very
potent and often destructive.


Milo

Jul 23, 2008, 2:46:21 AM
To add to what you just said: it works well offline; possible backdoor and
trojan worms are the ones causing you headaches.
Hopefully you're not yet infected by any PE infection.

Alright here you can try this for evaluating how bad it is in your system:
Microsoft Windows Defender www.microsoft.com
Kaspersky Anti-virus ( trial version ) www.kaspersky.com

I would recommend these 3 instances; possibly there is still a remedy before
you do a destructive install.

Give it a try: call Microsoft Security Free Support ( 866-727 2338 )
US/CANADA only



Root Kit

Jul 23, 2008, 4:19:36 AM
On Mon, 21 Jul 2008 06:59:02 -0700, Dan
<D...@discussions.microsoft.com> wrote:

>BTW, Tom have you seen the original Matrix movie and what about the 1980's
>Sneakers movie with Robert Redford and how about It's a Wonderful Life with
>Jimmy Stewart and Enemy of the State and The Game. These movies are just a
>few that really make me think and reflect about life. I am one of those
>movie goers who after seeing a really good movie will watch all the credits.
>I will try and ask the movie personnel if there is an added extra at the end
>because spending around $10 nowadays to see a new release is a real treat for
>me. Unfortunately, I have been very disappointed with Hollywood recently
>because I think the overall thought and intelligence in movies and the
>quality is going way downhill.

Please keep your off topic private chit chat out of a security related
forum.

Root Kit

Jul 23, 2008, 5:18:22 AM
On Sun, 20 Jul 2008 16:30:00 -0700, Annie
<An...@discussions.microsoft.com> wrote:

>Three days ago, I had RoadRunner (cable internet connection) hooked up. The
>tech turned off both my firewalls and DIDN'T tell me! (Shame on me for not
>checking) Just a few minutes ago, while I was surfing, all my programs
>opened up, one by one.

There could be more reasons for such behavior.

>Was my computer hacked and did someone get all my personal information?!

Impossible to tell from a distance.

>I'm running my virus program right now. What else should I do? Please help.
> I'm a nervous wreck right now!

Okay, let's sum up....

After reading through the entire thread I find no hard evidence that
you have been hacked, but it's impossible to tell from a distance. The
results from Spybot indicate that there are areas in which your
security could improve, though.

If you still feel uncomfortable, I suggest 2 options:

1) Take your computer to someone trustworthy who knows what he's doing
- and I'm not talking about the "tech guy" next door.

2) Revert your machine to a known clean state. This ultimately means
reinstalling from a restore media or eventually flatten and rebuild.
Unless you can get in contact with a very skilled person who is able
to declare your machine "clean", this unfortunately is the only way to
make sure you got rid of the nasty if your machine was in fact
compromised. All this "try this" and "try that" is senseless and may
only remove the symptom.

In either case first make sure to have backups of your important data
and have notes of your usernames and passwords for mails etc. in a
safe place. Also make sure to have all your license codes etc. ready
in case you need to re-install something.

Also, if you do suspect your router may have been hacked, hard reset
it and do the basic router securing (maybe get someone to help you do
it):

* change the default admin password
* make sure any administration access from the WAN side is turned off
* make sure UPnP is turned off
* encrypt your wireless connection with at least WPA and a long random
pass phrase


Then for the future you also need to educate yourself about safe hex.
The most important security measures being:

* Keep your system patched (this is true for both the OS as well as
applications you've installed).

* Use a restricted user account for daily use and use only the admin
account for what it was intended (software installation, configuration
changes and the like)

* Don't run or install software unless you fully trust it. Do not
install software from dubious sources.

* Use robust software and stay away from IE and OE unless you're
running Vista and can run IE in protected mode.

* Don't blindly open / run e-mail attachments.

* Don't click links in e-mails without thoroughly checking them.

* Turn the windows firewall on and stay away from 3rd party firewall
illusionware.

* Configure your router as described already

* Be skeptical and implement common sense.

Such precautions will keep you safe from the vast majority of
problems. There is no such thing as 100% security. You can add a good
anti-malware product as an extra level of protection, but anti-malware
is not something you should ever rely on. No anti-malware can protect
you from yourself.

Root Kit

Jul 23, 2008, 6:08:47 AM
On Mon, 21 Jul 2008 11:43:05 -0700, Dan
<D...@discussions.microsoft.com> wrote:

>You are most welcome. I am thankfully posting in Windows 98 Second Edition
>because I went ahead and removed the extra memory from the computer and went
>from 2 gigabytes back to 512 megabytes.

Oh, you're using W98SE. Never mentioned that before.... How is this
related to Annie's problem?

>I am doing this because I sincerely believe in the safeness of the 9x source code

Some people believe in horoscopes.

>with the proper security protocol.

What security protocol would that be, if one may ask?

> Chris Quirke, MVP was the one who really set me on the proper track of the
>internal safety and external security approach.

You have generally too high thoughts about MVPs. Why is it, titles
seem to mean a lot to you?

Root Kit

Jul 23, 2008, 6:14:39 AM
On Tue, 22 Jul 2008 07:07:00 -0700, Dan
<D...@discussions.microsoft.com> wrote:

>Annie, it is very difficult to discover who hacked you.

Indeed.

>This would include tracing logs and other stuff that Steve Riley, MSFT
>has mentioned in the Biometrics post.

If possible at all.

>For example, a few years back I had Zone Alarm Professional
>and hooked it up to see where port scans were coming from with Windows 98
>Second Edition and did not use a hardware firewall purposely so I could allow
>ZA to track and figure out where hack attempts were coming from and the
>majority appeared to be from China but remember this is back in about 2003 or
>so and so the data is not as relevant today and China was followed by the
>U.S.A. and then followed by Russia.
>
>How does it make you feel that the hacking may have even come from within
>the States?

How does it make you feel that most bad web sites originate from the
States?

Annie

Jul 23, 2008, 7:50:00 AM
Thanks, Root Kit.

A response from the other site regarding my HJ logs said he thinks I'm
actually pretty clean at the time. No malware.

So now I'm thinking my issue is with ZA. Maybe I'll hold off on
reformatting/reinstalling. ?? Will try to figure out what would be
comparable to ZA in regards to security and try a new program.

I took off all personal data from my computer and backed everything up. I
do have the recovery disk if needed.

Thanks again.

Annie

Jul 24, 2008, 12:22:02 PM
Just called BrightHouse and they had to reset my router. This seemed to take
care of my ZA messages. I think my computer is clean according to HJT
people...so...I'm logging off.

Thanks to everyone who helped. You guys are amazing!

Dan

Jul 24, 2008, 1:32:00 PM
Annie, the key word you used is that you Think your Machine is Clean (TMC)
and unless you run anti-virus programs like Windows Live One Care, Spybot
Search and Destroy, Kaspersky, and AVG 7.5, and others then how will not be
sure. Please make sure only one antivirus program is installed at a time and
beware of false positives because anti-virus programs like Avast have gotten
much worse over time. For example, Avast Antivirus thought that Yahoo web
portal had malware when it did not.

Please take Milo's advice and also at least call Microsoft and let a tech
use easy assist to ensure your machine is indeed safe at a bare minimum if
you are unwilling to do a clean install. Actually, I would highly suggest
contacting Microsoft at their PC Safety Line. Please inform us what the
Microsoft technician tells you and try and get a knowledgeable one because
sometimes the less clever ones are not really helpful at least to me.

In addition, you must realize that if your machine was cleverly infected by
perhaps a Root Kit/Virus Combination then you might not be able to tell that
there ever was a problem. Trust Me Please because safety and security of
information technology is vital. Have a nice day and please don't just give
up and think it is all better when it may not be and your information may
have been compromised especially with what you told us about how Zone Alarm
informed you of your information being redirected. It is possible that
nothing happened but better safe than sorry. Have a nice day.

Annie

Jul 24, 2008, 1:32:01 PM
post too long...deleted some.


Thought I had the problem fixed. No such luck.

ZA is still blocking to port 2869. Constant incoming alerts are driving me
crazy. Do I need to have this port open? If not, how do I close it? I
don't have anything networked such as wireless printers,
computer-to-computer, palm, etc. I do, however, have a router. Does this
make a difference?

Again...would love your advice. Maybe I should start a new thread?

Tom [Pepper] Willett

Jul 24, 2008, 2:46:07 PM
http://www.wilderssecurity.com/archive/index.php/t-59493.html



Annie

Jul 24, 2008, 4:03:01 PM
Thank you, Tom, but I still don't know how to disable the port. I'm not that
experienced a computer person. I want it disabled as long as it won't
interfere with my wireless internet connection.

Dan, I ran disk cleanup, defrag, Adaware, Spybot, Avast and HJT. I thought
HJT was supposed to be the one that told me if I had anything bad on my
computer. ??? If these programs don't pick up the RootKit/Virus combo,
you're saying Microsoft will?

The computer is running fine except for the incoming, from my IP, to my 2869
port. No outsiders. What will happen if I 'do' have a RootKit/Virus combo?
What should I look for in terms of odd behavior?

Tom [Pepper] Willett

Jul 24, 2008, 4:05:56 PM
If it's in your modem, contact your ISP to find out how.



PA Bear [MS MVP]

Jul 24, 2008, 4:30:40 PM
Stick with http://aumha.net/viewtopic.php?f=30&t=34821, Annie.

Annie wrote:
> post too long...deleted some.
>
> Thought I had the problem fixed. No such luck.
>
> ZA is still blocking to port 2869. Constant incoming alerts are driving
> me
> crazy. Do I need to have this port open? If not, how do I close it? I
> don't have anything networked such as wireless printers,
> computer-to-computer, palm, etc. I do, however, have a router. Does this
> make a difference?
>
> Again...would love your advice. Maybe I should start a new thread?
>

>> Just called BrightHouse and they had to reset my router. This seemed to
>> take care of my ZA messages. I think my computer is clean according to
>> HJT
>> people...so...I'm logging off.
>>
>> Thanks to everyone who helped. You guys are amazing!

<snip>

Shenan Stanley

Jul 24, 2008, 6:42:40 PM
<snipped>

Annie wrote:
> post too long...deleted some.
>
> Thought I had the problem fixed. No such luck.
>
> ZA is still blocking to port 2869. Constant incoming alerts are
> driving me crazy. Do I need to have this port open? If not, how
> do I close it? I don't have anything networked such as wireless
> printers, computer-to-computer, palm, etc. I do, however, have a
> router. Does this make a difference?
>
> Again...would love your advice. Maybe I should start a new thread?

Personally - I think if you are going to continue trying to fix this
yourself - you are going to be better off backing up your important data
(documents, pictures, emails, contacts, etc) and wiping the computer and
installing from scratch.

I don't recommend that lightly - but...

http://groups.google.com/group/microsoft.public.security/browse_frm/thread/816467d0f856cd80/992fc976519c105d?lnk=st&q=#992fc976519c105d

and

http://groups.google.com/group/microsoft.public.security.homeusers/browse_frm/thread/da0dd51475df6b51/05fe465138260bcb?lnk=st&q=#05fe465138260bcb

Essentially you have gotten to a point where you are unsure what you have
and whether or not what you might have is good or bad. It is at that point
that the wisest thing to do is (IMHO) start afresh.

- Hook up some external hard disk drive or burn DVDs/CDs of your important
stuff (keep that machine off the network.) Copy everything you need.
Pictures, documents, spreadsheets, images, emails, contacts, text files,
serial keys, installation files, etc. If you can - get an imaging
application (Norton Ghost, Acronis TrueImage, BootItNG, etc) and make a
complete image of your hard disk drive onto an external device and you can
go back later for anything you did not back up.

- Install Belarc Advisor on the machine (from an external drive or
something) and run it - print the results. That should have your Windows
Product Key, other software with Product keys that register on the machine,
a list of stuff you have installed and a list of the hardware installed on
your machine.

- Break out all of your installation media and keys/etc (Windows XP
installation CD, any office suites/products you have - etc...) Any program
you need to have installed on the computer, find its installation media
(even if it is an installation executable file and a text file with the
serial number in it) and get it onto media separated from the machine so you
can install using it later.

- Now that you have everything backed up and everything ready to install...
Clean install Windows XP:
http://www.michaelstevenstech.com/cleanxpinstall.html

- Update the hardware drivers...

- Get Windows XP SP3 from another computer onto CD or thumb drive or
something to the newly formatted drive... Install it.

- Install your other software (AV and such).

- THEN connect to the Internet and get updates from
http://windowsupdate.microsoft.com/ ...

Root Kit

Jul 24, 2008, 6:58:16 PM
On Thu, 24 Jul 2008 09:22:02 -0700, Annie
<An...@discussions.microsoft.com> wrote:

>Just called BrightHouse and they had to reset my router.

So afterwards, did you make the basic router securing as suggested?

Root Kit

Jul 24, 2008, 7:06:31 PM
On Thu, 24 Jul 2008 10:32:01 -0700, Annie
<An...@discussions.microsoft.com> wrote:

>post too long...deleted some.
>
>
>Thought I had the problem fixed. No such luck.
>
>ZA is still blocking to port 2869.

If it's blocked there's not that much to worry about.

> Constant incoming alerts are driving me crazy.

Yes, but you asked for that yourself by installing ZA.

> Do I need to have this port open? If not, how do I close it? I
>don't have anything networked such as wireless printers,
>computer-to-computer, palm, etc.

Any peer-to-peer apps?

Skype?

Anyway, download and run CurrPorts from NirSoft to try and identify if
some app is using the port mentioned.
http://www.nirsoft.net/utils/cports.html

Root Kit

Jul 24, 2008, 7:14:52 PM
On Thu, 24 Jul 2008 13:03:01 -0700, Annie
<An...@discussions.microsoft.com> wrote:

>Thank you, Tom, but I still don't know how to disable the port.

I think Tom is suggesting that UPnP is enabled in your router. And he
may very well be right. Did you make the basic router securing as
suggested?

Root Kit

Jul 24, 2008, 7:16:49 PM
On Thu, 24 Jul 2008 23:06:31 GMT, Root Kit <b__...@hotmail.com>
wrote:

>Yes, but you asked for that yourself by installing ZA.

Windows firewall would just have silently blocked it.

Root Kit

Jul 24, 2008, 7:28:09 PM
On Thu, 24 Jul 2008 10:32:00 -0700, Dan
<D...@discussions.microsoft.com> wrote:

>Annie, the key word you used is that you Think your Machine is Clean (TMC)
>and unless you run anti-virus programs like Windows Live One Care, Spybot
>Search and Destroy, Kaspersky, and AVG 7.5, and others then how will not be
>sure.

The app's mentioned cannot in any way guarantee that a machine is
clean. Only a thorough comparison of relevant system files to a known
safe baseline can give a trustworthy hint about a system's state. This
is not a task for Joe Average.

>Please make sure only one antivirus program is installed at a time and
>beware of false positives because anti-virus programs like Avast have gotten
>much worse over time. For example, Avast Antivirus thought that Yahoo web
>portal had malware when it did not.

Anti-malware products often cause more problems than they solve.

Annie

Jul 25, 2008, 3:41:01 PM
I disabled UPnP in the router settings. Also disabled UPnP and SSDP
Discovery Service on my computer. No more messages since I did this.
Everything seems to be running smoothly right now.

In doing this, I found a file I don't recognize. B's Recorder GOLD Library
General Service. bgsvcgen.exe Is this something that should be uninstalled?
(it's not in my add and remove folder) I have no idea what it's doing on my
machine.
The HJT guy said he didn't find any malware so I'm guessing it's OK to leave
on.

Root Kit

Jul 25, 2008, 4:04:14 PM
On Fri, 25 Jul 2008 12:41:01 -0700, Annie
<An...@discussions.microsoft.com> wrote:

>In doing this, I found a file I don't recognize. B's Recorder GOLD Library
>General Service. bgsvcgen.exe Is this something that should be uninstalled?
> (it's not in my add and remove folder) I have no idea what it's doing on my
>machine.

http://www.neuber.com/taskmanager/process/bgsvcgen.exe.html

PA Bear [MS MVP]

Jul 25, 2008, 4:14:38 PM
The "HJT guy" said:

<QP>
Port 2869 traffic is UPnP traffic, generated between your router and your
workstation. It is harmless, and certainly not coming from outside of your
computer system.

You can disable UPnP on the router, the client, or both, to stop the
traffic.
</QP>
Source: http://aumha.net/viewtopic.php?p=196621#p196621
--
~PA Bear


Annie wrote:
> I disabled UPnP in the router settings. Also disabled UPnP and SSDP
> Discovery Service on my computer. No more messages since I did this.
> Everything seems to be running smoothly right now.
>
> In doing this, I found a file I don't recognize. B's Recorder GOLD
> Library
> General Service. bgsvcgen.exe Is this something that should be
> uninstalled? (it's not in my add and remove folder) I have no idea what
> it's doing on my machine.
> The HJT guy said he didn't find any malware so I'm guessing it's OK to
> leave
> on.

<snip>
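The quoted explanation above (port 2869 traffic between router and workstation is UPnP and not an outside attacker) is the kind of triage rule a firewall alert reviewer applies by hand. As an added example, not from the thread or from any of the products mentioned, the following Python sorts constructed firewall log lines into "UPnP from inside the LAN" (the benign noise Annie saw, silenced by disabling UPnP on router or client), "UPnP port hit from outside the LAN" (which the router should never have passed), and everything else. The log format is invented for the example and is not ZoneAlarm's; port 1900/udp (SSDP discovery) is added alongside the page's 2869/tcp (the Windows UPnP Device Host) because the two travel together.

```python
"""Added example: triage firewall alerts that, like Annie's, involve port 2869.

2869/tcp is used by the Windows UPnP Device Host and 1900/udp by SSDP
discovery. The log format below is constructed for this example.
"""
import ipaddress
import re

UPNP_PORTS = {("tcp", 2869), ("udp", 1900)}

# Constructed format: "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+(?P<action>\w+)$"
)

# Constructed sample: router 192.168.1.1 talking UPnP to the PC at 192.168.1.10,
# one UPnP-port hit from a public address, one unrelated web reply, one junk line.
SAMPLE_LOG = """\
12:01:02 tcp 192.168.1.1:49152 -> 192.168.1.10:2869 blocked
12:01:05 udp 192.168.1.1:1900 -> 239.255.255.250:1900 blocked
12:02:10 tcp 203.0.113.7:40000 -> 192.168.1.10:2869 blocked
12:03:00 tcp 198.51.100.20:80 -> 192.168.1.10:51234 allowed
garbage line that does not parse
"""


def parse(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def classify(rec: dict, lan: ipaddress.IPv4Network) -> str:
    """Label one parsed record.

    upnp-lan      : UPnP/SSDP from inside the LAN (router <-> PC); expected noise,
                    stopped by disabling UPnP on the router, the client, or both.
    upnp-external : UPnP port reached from outside the LAN; the router should
                    not have forwarded this, so check its configuration.
    other         : not UPnP related; normal firewall handling applies.
    """
    if (rec["proto"], rec["dst_port"]) not in UPNP_PORTS:
        return "other"
    src = ipaddress.ip_address(rec["src_ip"])
    return "upnp-lan" if src in lan else "upnp-external"


def triage(log_text: str, lan_cidr: str = "192.168.1.0/24") -> dict:
    """Count records per label; unparseable lines are counted, not silently dropped."""
    lan = ipaddress.ip_network(lan_cidr)
    counts = {"upnp-lan": 0, "upnp-external": 0, "other": 0, "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[classify(rec, lan)] += 1
    return counts


if __name__ == "__main__":
    for label, n in triage(SAMPLE_LOG).items():
        print(f"{label:14s} {n}")
```

The LAN range is a parameter because the rule only works when it knows which addresses belong to the home network; a UPnP port hit from any other address is the one case in this sample that deserves a closer look at the router rather than at the PC.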

Annie

Jul 25, 2008, 5:00:12 PM
That's not my issue anymore. I already posted I disabled UPnP on router and
computer...everything is fine. I said 'thank you', too. I really, really
appreciate everyone's help here. BTW, I won't name names but one of those
'guys' at aum....was very rude. Read many posts and he's obviously upsetting
a lot of people. Why do they allow that? Inexperienced people with computer
problems are there for help. Not to be yelled at. One little mistake in a
post and man, he's all over me! Not just myself. I, for one, won't be going
back there. I'm sticking to Microsoft for help. If I'm bugging you guys,
Sorry. I don't mean to be. Sheeesh.

From my previous post: "In doing this, I found a file I don't recognize.
B's Recorder GOLD Library General Service. bgsvcgen.exe Is this something
that should be uninstalled? (it's not in my add and remove folder) I have no
idea what it's doing on my machine." This is my issue. I'm just now reading
the info from the link RootKit gave me.


"PA Bear [MS MVP]" wrote:

Tom [Pepper] Willett

Jul 25, 2008, 5:16:47 PM
Google *is* your friend.

: From my previous post: "In doing this, I found a file I don't

: >
: >


PA Bear [MS MVP]

Jul 25, 2008, 5:46:59 PM
Ya just gotta love...

<QP>
Pfft. I'm almost 13, and I know how to manipulate the registry easily.
</QP>
Source:
http://64.233.169.104/search?q=cache:d3bow2_Al10J:www.msghelp.net/showthread.php%3Ftid%3D73673+bgsvcgen.exe&hl=en&ct=clnk&cd=1&gl=us

<VBEG>


Tom [Pepper] Willett wrote:
> Google *is* your friend.
>
>>> From my previous post: "In doing this, I found a file I don't
>>> recognize.
>>> B's Recorder GOLD Library
>>> General Service. bgsvcgen.exe Is this something that should be
>>> uninstalled? (it's not in my add and remove folder) I have no idea what
>>> it's doing on my machine. " This is my issue. I'm just now reading the
>>> info from the link RootKit gave me.

<snip>

Tom [Pepper] Willett

Jul 25, 2008, 5:54:17 PM
Yep. I Googled for it when she first brought it up. It's everywhere ;-)

"PA Bear [MS MVP]" <PABe...@gmail.com> wrote in message
news:uMHGpBq...@TK2MSFTNGP02.phx.gbl...
: Ya just gotta love...

:


~BD~

Jul 26, 2008, 5:03:25 AM
You are obviously referring to Mr Castner, Annie. Ref:
http://aumha.net/viewtopic.php?p=196621#p196621

I, too, noticed that he upset/annoyed a lot of posters and at times I wondered if, in fact, there
was more than one individual providing 'solutions' under the guise of being
http://aumha.net/memberlist.php?mode=viewprofile&u=12522

Please don't fret though ........ 'he' was rude to me too! <wink>

I tried to find the answer to this question: If Mr Castner 'joined' AumHa 9/18/06, how come he was
giving answers to folk back in 2004? See here:
http://aumha.net/search.php?st=0&sk=t&sd=d&author_id=12522&start=8190

As the most profligate poster at AumHa, Robear Dyer (see
http://aumha.net/memberlist.php?mode=&sk=d&sd=d ) is here in this thread, perhaps he will explain
this apparent anomaly to all of us.

Perhaps ...... maybe ........ all is not quite as it appears to be at first sight ............ 'over
there'!

Dave


"Annie" <An...@discussions.microsoft.com> wrote in message

news:AED76AE7-564B-42C8...@microsoft.com...


> That's not my issue anymore. I already posted I disabled UPnP on router and
> computer...everything is fine. I said 'thank you', too. I really, really
> appreciate everyone's help here. BTW, I won't name names but one of those
> 'guys' at aum....was very rude. Read many posts and he's obviously upsetting
> a lot of people. Why do they allow that? Inexperienced people with computer
> problems are there for help. Not to be yelled at. One little mistake in a
> post and man, he's all over me! Not just myself. I, for one, won't be going
> back there. I'm sticking to Microsoft for help. If I'm bugging you guys,
> Sorry. I don't mean to be. Sheeesh.
>

<snip>


Annie

Jul 26, 2008, 8:14:00 AM
You hit the nail on the head, Dave! Don't think he should be allowed to
treat people like that.

Anyway. I did get my port problem fixed. Thanks, everyone. I've disabled
the B's Recorder.....file. I'll leave it at that for the time being. Yes, it
was everywhere on Google, guys. ;) Just hadn't gotten that far in my
research yet. 13? Pretty good for 13!

I'm now working with Avast to clear up an updating problem. It's been one
thing after another since I connected with RoadRunner! Altho I love the
speed, the tech obviously made changes all over my computer without my
knowledge. Shoulda told me.

PA Bear [MS MVP]

Jul 26, 2008, 2:44:35 PM
Annie, you should know that ~BD~ was banned from AumHa Forums, several other
forums, an ISP, and at least one Usenet server for his bizarre and sometimes
harassing behavior. By jumping in here, he's taking advantage of you in an
effort to further his agenda, not to assist you.

@Annie only: Bill's AumHa profile was "horked" due to a server problem in
Sept-06. His posts from 18 Sept-06 and earlier were associated with the
"horked" profile. Bill is a well-respected, longtime MS MVP and has been an
AumHa VSOP and Moderator for many years; cf. http://aumha.org/vsop.htm.

Participation in many AumHa Forums requires a certain level of computer
proficiency but we attempt to assist all comers. (I did suggest other
forums to you.) You may find Computer Haven forums (where ~BD~ is also
/persona non grata/, I believe) more to your liking:
http://www.computerhaven.info/
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


Annie wrote:
> You hit the nail on the head, Dave! Don't think he should be allowed to
> treat people like that.
>
> Anyway. I did get my port problem fixed. Thanks, everyone. I've
> disabled
> the B's Recorder.....file. I'll leave it at that for the time being. Yes,
> it was everywhere on Google, guys. ;) Just hadn't gotten that far in my
> research yet. 13? Pretty good for 13!
>
> I'm now working with Avast to clear up an updating problem. It's been one
> thing after another since I connected with RoadRunner! Altho I love the
> speed, the tech obviously made changes all over my computer without my
> knowledge. Shoulda told me.

<snip>

~BD~

Jul 27, 2008, 2:35:14 AM
Answer below

"Annie" <An...@discussions.microsoft.com> wrote in message

news:B10E2E07-DA8A-4CDB...@microsoft.com...


> You hit the nail on the head, Dave! Don't think he should be allowed to
> treat people like that.
>
> Anyway. I did get my port problem fixed. Thanks, everyone. I've disabled
> the B's Recorder.....file. I'll leave it at that for the time being. Yes, it
> was everywhere on Google, guys. ;) Just hadn't gotten that far in my
> research yet. 13? Pretty good for 13!
>
> I'm now working with Avast to clear up an updating problem. It's been one
> thing after another since I connected with RoadRunner! Altho I love the
> speed, the tech obviously made changes all over my computer without my
> knowledge. Shoulda told me.

I'm really pleased to hear that you've succeeded in fixing things, Annie. :)

Robear is correct when he tells you I have been banned by AumHa - for asking difficult questions
............ and banned from Annexcafe.com for the very same reason. The folk at
hxxp://www.computerhaven.info/ have not (to my knowledge) banned me, but I noted that some were the
same as the 'helpers' on Aumha so haven't felt comfortable there.

I have NEVER been banned by 'an ISP, and at least one Usenet server' - that is a lie.

I posted this note in another thread recently:-

***************************************************

Hello PA Bear!

As you have dropped by, I wonder if you can tell me why it is that if I type www.Aumha.com into my
browser address bar I'm whisked off to this URL - http://downloadprograms.biz/?rid=544620

Many here will know that you are one of the resident experts at www.Aumha.net and that
www.Aumha.org is a well established site for helping those wishing to learn about PC's and security.
I find it surprising that the .com domain isn't 'owned' by Mr James E. Eshelman, a man of great
experience, as explained here: www.aumha.org/resume.htm

TIA

***************************************************

I didn't receive a reply! Perhaps someone else reading here will know the answer.

As far as a "horked" profile is concerned, I'd have thought that it would be easy for such clever
folk to correct the false information.

I used to trust people once!

Dave


Root Kit

Jul 28, 2008, 12:32:58 PM
On Sat, 26 Jul 2008 10:03:25 +0100, "~BD~" <Boate...@nospam.invalid>
wrote:

>You are obviously referring to Mr Castner, Annie. Ref:
>http://aumha.net/viewtopic.php?p=196621#p196621

Honestly, based on this thread alone I see no sign of rudeness. He
answers a question (correctly) and reminds about forum rules. That's
not being rude unless one is too sensitive.

Bill Castner

Jul 28, 2008, 10:16:48 PM
On Jul 28, 12:32 pm, Root Kit <b__n...@hotmail.com> wrote:
> On Sat, 26 Jul 2008 10:03:25 +0100, "~BD~" <BoaterD...@nospam.invalid>

> wrote:
>
> >You are obviously referring to Mr Castner, Annie. Ref:
> >http://aumha.net/viewtopic.php?p=196621#p196621
>
> Honestly, based on this thread alone I see no sign of rudeness. He
> answers a question (correctly) and reminds about forum rules. That's
> not being rude unless one is too sensitive.

One can always wish to have been nicer in retrospect; but the notion I
was being deliberately rude I honestly reject. AumHa, like many
sites, has several subForums. In the HijackThis Logs section where
Annie's issue first came to my attention, I did a careful analysis of
her log. While a HijackThis log cannot show everything, it was at
least clear to me that there were no obvious malware issues; and no
suggestion or hints, that her Zone Alarm log reports were malware
related.

I said so. I then suggested that to deal with any issues being
reported by Zone Alarm that troubled her, that she create a New Topic
in either the XP-related subForum, or in the Virus and firewall
specific subForum, but not again in HijackThis, as it dealt with
malware removal issues only.

She created a New Topic in HijackThis Logs despite this advice. That
is the one linked frequently earlier above to show I was rude.

I do not honestly believe I am rude. I certainly have no intention to
be so. I volunteer my time and efforts, as do the other folks on this
list, to genuinely share what I know and what I have learned with
other users. Note my signature at AumHa: Users Helping Users. I
believe in this deeply.

In that vein, I freely gave Annie the advice that she had no obvious
malware issues, after a very careful reading of her submitted
HijackThis log. In that vein, I quickly and affirmatively asserted
that her issues with Zone Alarm were due to her brand new router
having UPnP enabled, and that the resolution for this issue could be
had by disabling UPnP on the device, the client, or both. But the
"How To" disable UPnP is off-task and off-topic in the malware removal
portion of the Site. She rejected my suggestions that this would be
handled, and I assume nicely, in the more suitable and appropriate
subForums at AumHa that deal with this issue.

As someone with a great deal of experience in answering user requests
for help, in Newsgroups and in Forums, one thing I have learned to
avoid is to allow a discussion to get off-task. It helps nobody, if I
start an endless dialogue of computer problems with any poster. What
helps a Reader of this Newsgroup or any Forum, is that a specific
question is posed, and a specific answer is suggested, and a specific
resolution is obtained (hopefully). That has value to those using
Search Engines, and has value to any other incidental Reader of the
thread. What does not help is an inchoate mess of unrelated computer
questions and issues, and I affirmatively try to avoid that. In this
case, had Annie asked as a New Topic, as suggested originally, in
either of the two Forums that deal with configuring Zone Alarm,
routers, or XP as a client, she would have had an immediate answer to
how to disable UPnP. It was not something, however, that was suitable
for the HijackThis Logs subForum, and her second posting and my
response fully reflect my feelings in this regard. In all
likelihood, I would have been the responder to show in detail how to
disable UPnP on her router, client, or both; or to configure Zone
Alarm to no longer pay attention to the issue. But I will not do so
in a subForum dedicated to completely other interests and issues. As
soon as I start doing that, the floodgates open for various computer
issues that have not a darn thing to do with malware. I would rather
not create a precedent for opening those floodgates, for any poster.

As for "BD", "BoaterDave", "Dave" or whatever alias he now uses; I
just find it amusing his continuing notion, of long standing, that I
must be a consortium of several individuals in order to answer
questions in as broad a range as I do, and as often. That I am a
group of folks, rather than an individual, and all of this is somehow
an AumHa/DTS-L/Computer Heaven conspiracy.

I have always allowed Microsoft to allow anyone access to my MVP
profile: https://mvp.support.microsoft.com/profile/Bill.Castner

Robear Dyer linked my profile at AumHa. A Google on "bcastner" or
"Bill Castner" should be sufficient to convince anyone that I am a
real live person.

A tip of my hat to all those who contributed in this thread to help
Annie. To me, this spirit of generosity of time and experience is
what makes the Internet such a unique gathering place of folks. I
sincerely apologize to Annie if she still feels I am rude; I am not a
prig nor a martinet. But to keep matters under control, there has to
be some Rules about what is acceptable, and to prevent any discussion
from getting out of control over issues that have nothing to do with
the original one posed. It is not always possible to wrap things up
in a tidy bundle that can be found by others with similar issues by a
Search Engine, or by other Readers of the Forum. But some effort has
to be made, and I do so.


My very best regards to all,
Bill Castner, MS-MVP, and AumHa Moderator and VSOP
