Re: Help, I've been hacked

From: TxRose (TxRose_at_discussions.microsoft.com)
Date: 03/07/05 

Date: Sun, 6 Mar 2005 18:21:03 -0800

Hi Wes,
  Yes, it appears that did help.
It shows disabled, instead of being started.
I also see no entries listed of a remote access in the event viewer.
Whoo hoo..LOL

This entry in the event viewer looks good:
The Remote Access Connection Manager service was successfully sent a stop
control.
Thank you for helping me get that turned off.

However, when I just rebooted, I did see these, which do not look good in my
opinion, but I could be wrong:

 The first one has been going on for a long time, and is still showing.

Logon Failure:
  Reason: Unknown user name or bad password
  User Name: Owner
  Domain: OWNER-1E81AA74C
  Logon Type: 2
  Logon Process: Advapi
  Authentication Package: Negotiate
  Workstation Name: OWNER-1E81AA74C

The protected system file c:\windows\system32\racpldlg.dll could not be
verified as valid because Windows File Protection is terminating. Use the SFC
utility to verify the integrity of the file at a later time.

The TCP/IP NetBIOS Helper service depends on the AFD service which failed to
start because of the following error:
A device attached to the system is not functioning.

Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011099706B4. The
following error occurred:
The semaphore timeout period has expired. . Your computer will continue to
try and obtain an address on its own from the network address (DHCP) server.

Your computer has detected that the IP address 66.25.204.98 for the Network
Card with network address 0011099706B4 is already in use on the network. Your
computer will automatically attempt to obtain a different address.

Your computer has detected that the IP address 0.0.0.0 for the Network Card
with network address 0011099706B4 is already in use on the network. Your
computer will automatically attempt to obtain a different address.

Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011099706B4. The
following error occurred:
The semaphore timeout period has expired. . Your computer will continue to
try and obtain an address on its own from the network address (DHCP) server.

The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswTdi
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
vsdatant

Looks like a fun time huh?

Kim

"Wesley Vogel" wrote:

> Kim,
>
> Reboot.
>
> And then check on the Remote Access Connection Manager in Services, it
> probably won't have started since you disabled it.
>
> --
> Hope this helps. Let us know.
>
> Wes
> MS-MVP Windows Shell/User
>
> In news:452BD71A-2811-4B73-AFCA-5A9930F9F063@microsoft.com,
> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> > Hi Wesley,
> > Here ae the results from what I just did in the services.msc.
> >
> > The Remote Access Auto Connection was already stopped, and I did the
> > type set to disabled.
> >
> > The Remote Desktop Help Session Manager, was also stopped, and I did
> > the type set to disabled.
> >
> > The Remote Access Connection Manager would not allow me to stop it.
> > The type set is set to Start, but I got an error saying :
> > Could not stop the Remote Access Connection Manager on Local Computer.
> > Error 1053: The service did not respond to the start or control
> > request in a timely fashion.
> > Anyway, I did the type set to Disabled.
> >
> > I am not sure if I should have, but I stopped the secondary logon,
> > and set it to disabled too.
> >
> > It looks like there are alot of things there I would like to disable,
> > but I won't without some kind of assistance first.
> >
> > Now, when I right click on my computer/properties/remote tab, it is
> > unchecked to Allow REmote Assistance invitations to be sent from this
> > computer.
> > There was not another option listed.
> >
> > Kim
> >
> > "Wesley Vogel" wrote:
> >
> >> [[Remote Access Auto Connection Manager is on by default in Windows
> >> XP Professional computers that are not members of a domain and in
> >> Windows XP Home Edition.]]
> >>
> >> Open Services and disable Remote Access Auto Connection Manager...
> >>
> >> Start | Run | Type: services.msc | Click OK |
> >> Scroll down to and double click: Remote Access Auto Connection
> >> Manager | If the service is running, click the Stop button | When it
> >> has stopped, under Startup
> >> type set to Disabled | Apply | OK |
> >>
> >> Do the same for Remote Access Connection Manager & Remote Desktop
> >> Help Session Manager.
> >>
> >> Right click My Computer | Properties | Remote tab |
> >> Make sure that both of these are UNChecked:
> >>  Allow Remote Assistance invitations to be sent from this computer
> >>  Allow users to connect remotely to this computer
> >>
> >> Turn on a firewall.
> >>
> >> --
> >> Hope this helps. Let us know.
> >>
> >> Wes
> >> MS-MVP Windows Shell/User
> >>
> >> In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
> >> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> >>> I have very very stramge entries in my registry and event viewer
> >>> that are adding up to no good.
> >>>
> >>> I have talked with Microsoft today, and what we tried did not solve
> >>> the problem.
> >>> I really don't want to wait until Monday to call them back.
> >>>
> >>> Does anyone know where I might find where remote access connection
> >>> manager is in the registry?
>
>

Quantcast