Re: Help, I've been hacked

From: Wesley Vogel (123WVogel955_at_comcast.net)
Date: 03/07/05


Date: Mon, 7 Mar 2005 07:39:25 -0700

Kim,

Event ID & the Event Source are very important.

To open the Event Viewer...
Start | Run | Type: eventvwr | OK

For any Events that seem related to the problem...

Double click the event in Event Viewer | Click: the button below the second
arrow (looks like two pages) [[Copies the details of the event to the
Clipboard.]] | Paste into Notepad | Click:
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Read all info | Copy and paste to Notepad | Click the [+] Related Knowledge
Base articles | Follow any links that might be useful

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308427

Event Viewer overview
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/event_overview_01.mspx

This can also be very useful.
You need to have the Event ID & the Event Source.

To view Windows XP Events and Errors, type the Source (for example, Print)
and/or the Event code (for example, 20) into the ID field, then click the Go
button. Source and Event codes may be found in the Event Viewer logs.

Windows XP Home/Professional Events and Errors
http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20XP%20Professional&ProdName=Windows%20Operating%20System&MajorMinor=5.1&LCID=1033

-- 
Hope this helps.  Let us know.
Wes
MS-MVP Windows Shell/User
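As an added example (not code from this thread), here is a PowerShell script that audits, and with -Disable applies, the steps discussed below: the three Remote Access/Remote Desktop services, the two checkboxes on the Remote tab, and the Source/Event ID of recent failed logons. It assumes the XP-era service names RasAuto, RasMan and RDSessMgr and the standard registry locations for those settings.

```powershell
# Added example, not code from the thread. Audits (and, with -Disable, applies)
# the hardening steps Wes walks Kim through. Assumed service names: RasAuto,
# RasMan, RDSessMgr (XP names; RDSessMgr is absent on later Windows and is
# simply reported as not present). Run from an elevated prompt.
param([switch]$Disable)

$services = 'RasAuto', 'RasMan', 'RDSessMgr'
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output "$name : not present on this system"; continue }
    # Where the service lives in the registry (Kim's question):
    # HKLM\SYSTEM\CurrentControlSet\Services\<name>; Start=4 means Disabled.
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    Write-Output ("{0,-10} Status={1,-8} RegistryStart={2}" -f $name, $svc.Status, $start)
    if ($Disable) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force -ErrorAction Continue }
        Set-Service -Name $name -StartupType Disabled
    }
}

# The two checkboxes on My Computer | Properties | Remote tab.
$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = Get-ItemProperty -Path $raKey -ErrorAction SilentlyContinue
$ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
Write-Output ("Remote Assistance invitations allowed : {0}" -f ($ra.fAllowToGetHelp -eq 1))
Write-Output ("Remote Desktop connections allowed    : {0}" -f ($ts.fDenyTSConnections -ne 1))
if ($Disable) {
    Set-ItemProperty -Path $raKey -Name fAllowToGetHelp -Value 0
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
}

# Failed logons with the Source and Event ID Wes says to look up. Logon Type 2
# is an interactive (keyboard) logon, so an entry like the one Kim pasted came
# from a local logon attempt rather than from the network.
Get-EventLog -LogName Security -EntryType FailureAudit -Newest 20 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, Source, EventID,
        @{ Name = 'LogonType'; Expression = { if ($_.Message -match 'Logon Type:\s+(\d+)') { $Matches[1] } } } |
    Format-Table -AutoSize
```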
In news:36B7EF3A-84CB-43FF-AE71-0809F24ED301@microsoft.com,
TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> Hi Wes,
>   Yes, it appears that did help.
> It shows disabled, instead of being started.
> I also see no entries listed of a remote access in the event viewer.
> Whoo hoo..LOL
>
> This entry in the event viewer looks good:
> The Remote Access Connection Manager service was successfully sent a
> stop control.
> Thank you for helping me get that turned off.
>
> However, when I just rebooted, I did see these, which do not look
> good in my opinion, but I could be wrong:
>
>  The first one has been going on for a long time, and is still
> showing.
>
> Logon Failure:
>   Reason:  Unknown user name or bad password
>   User Name: Owner
>   Domain:  OWNER-1E81AA74C
>   Logon Type: 2
>   Logon Process: Advapi
>   Authentication Package: Negotiate
>   Workstation Name: OWNER-1E81AA74C
>
> The protected system file c:\windows\system32\racpldlg.dll could not
> be verified as valid because Windows File Protection is terminating.
> Use the SFC utility to verify the integrity of the file at a later
> time.
>
> The TCP/IP NetBIOS Helper service depends on the AFD service which
> failed to start because of the following error:
> A device attached to the system is not functioning.
>
> Your computer was not able to renew its address from the network
> (from the DHCP Server) for the Network Card with network address
> 0011099706B4.  The following error occurred:
> The semaphore timeout period has expired. . Your computer will
> continue to try and obtain an address on its own from the network
> address (DHCP) server.
>
> Your computer has detected that the IP address 66.25.204.98 for the
> Network Card with network address 0011099706B4 is already in use on
> the network. Your computer will automatically attempt to obtain a
> different address.
>
> Your computer has detected that the IP address 0.0.0.0 for the
> Network Card with network address 0011099706B4 is already in use on
> the network. Your computer will automatically attempt to obtain a
> different address.
>
> Your computer was not able to renew its address from the network
> (from the DHCP Server) for the Network Card with network address
> 0011099706B4.  The following error occurred:
> The semaphore timeout period has expired. . Your computer will
> continue to try and obtain an address on its own from the network
> address (DHCP) server.
>
> The following boot-start or system-start driver(s) failed to load:
> Aavmker4
> AFD
> aswTdi
> Fips
> intelppm
> IPSec
> MRxSmb
> NetBIOS
> NetBT
> RasAcd
> Rdbss
> Tcpip
> vsdatant
>
> Looks like a fun time huh?
>
> Kim
>
> "Wesley Vogel" wrote:
>
>> Kim,
>>
>> Reboot.
>>
>> And then check on the Remote Access Connection Manager in Services,
>> it probably won't have started since you disabled it.
>>
>> --
>> Hope this helps.  Let us know.
>>
>> Wes
>> MS-MVP Windows Shell/User
>>
>> In news:452BD71A-2811-4B73-AFCA-5A9930F9F063@microsoft.com,
>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>> Hi Wesley,
>>>  Here are the results from what I just did in the services.msc.
>>>
>>> The Remote Access Auto Connection was already stopped, and I did the
>>> type set to disabled.
>>>
>>> The Remote Desktop Help Session Manager, was also stopped, and I did
>>> the type set to disabled.
>>>
>>> The Remote Access Connection Manager would not allow me to stop it.
>>> The type set is set to Start, but I got an error saying :
>>> Could not stop the Remote Access Connection Manager on Local
>>> Computer. Error 1053: The service did not respond to the start or
>>> control request in a timely fashion.
>>> Anyway, I did the type set to Disabled.
>>>
>>> I am not sure if I should have, but I stopped the secondary logon,
>>> and set it to disabled too.
>>>
>>> It looks like there are a lot of things there I would like to
>>> disable, but I won't without some kind of assistance first.
>>>
>>> Now, when I right click on my computer/properties/remote tab, it is
>>> unchecked to Allow Remote Assistance invitations to be sent from
>>> this computer.
>>> There was not another option listed.
>>>
>>> Kim
>>>
>>> "Wesley Vogel" wrote:
>>>
>>>> [[Remote Access Auto Connection Manager is on by default in Windows
>>>> XP Professional computers that are not members of a domain and in
>>>> Windows XP Home Edition.]]
>>>>
>>>> Open Services and disable Remote Access Auto Connection Manager...
>>>>
>>>> Start | Run | Type:   services.msc   | Click OK |
>>>> Scroll down to and double click: Remote Access Auto Connection
>>>> Manager | If the service is running, click the Stop button | When
>>>> it has stopped, under Startup
>>>> type set to Disabled | Apply | OK |
>>>>
>>>> Do the same for Remote Access Connection Manager & Remote Desktop
>>>> Help Session Manager.
>>>>
>>>> Right click My Computer | Properties | Remote tab |
>>>> Make sure that both of these are UNChecked:
>>>>  Allow Remote Assistance invitations to be sent from this computer
>>>>  Allow users to connect remotely to this computer
>>>>
>>>> Turn on a firewall.
>>>>
>>>> --
>>>> Hope this helps.  Let us know.
>>>>
>>>> Wes
>>>> MS-MVP Windows Shell/User
>>>>
>>>> In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
>>>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>>>> I have very very strange entries in my registry and event viewer
>>>>> that are adding up to no good.
>>>>>
>>>>> I have talked with Microsoft today, and what we tried did not
>>>>> solve the problem.
>>>>> I really don't want to wait until Monday to call them back.
>>>>>
>>>>> Does anyone know where I might find where remote access connection
>>>>> manager is in the registry?
