
Author Topic: is my pc hijacked?  (Read 9525 times)


aubee60

  • Guest
is my pc hijacked?
« on: May 30, 2014, 08:53:45 AM »
My PC has been opening windows and closing them on its own. When I do a netstat, it says it is connected to my husband's PC when he is on it, but he says he isn't. I don't know what is going on. Can someone help me to determine what is happening?
# AdwCleaner v3.211 - Report created 30/05/2014 at 09:45:22
# Updated 26/05/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Administrator - AMCAMU-PC
# Running from : C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\81HB4BW9\adwcleaner_3.211.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKCU\Software\AppDataLow\Software
Key Deleted : [x64] HKLM\SOFTWARE\Software

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041


-\\ Google Chrome v35.0.1916.114

[ File : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Extension] : dhdepfaagokllfmhfbcfmocaeigmoebo
Deleted [Extension] : hphibigbodkkohoglgfkddblldpfohjl
Deleted [Extension] : kdcnnmifdmlmjffdgeieikcokcogpbej
Deleted [Extension] : kincjchfokkeneeofpeefomkikfkiedl
Deleted [Extension] : kkkeikdkpjenmoiicggnnodbkebafgpc
Deleted [Extension] : pgmfkblbflahhponhjmkcnpjinenhlnc

*************************

AdwCleaner[R0].txt - [1488 octets] - [30/05/2014 09:41:06]
AdwCleaner[S0].txt - [1427 octets] - [30/05/2014 09:45:22]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1487 octets] ##########

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/30/2014
Scan Time: 9:50:57 AM
Logfile: malware report.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.05.30.06
Rootkit Database: v2014.05.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 286976
Time Elapsed: 8 min, 21 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 Results of screen317's Security Check version 0.99.83 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Norton Internet Security   
avast! Antivirus           
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File 
 spydig     
 Panda Cloud Cleaner   
 Java 7 Update 60 
 Java version out of Date!
 Adobe Flash Player 13.0.0.214 
 Google Chrome 12.0.742.100 
 Google Chrome 35.0.1916.114 
````````Process Check: objlist.exe by Laurent````````
 Norton ccSvcHst.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe   
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast avastui.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: is my pc hijacked?
« Reply #1 on: May 30, 2014, 12:34:55 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

• Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

• Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.

• The tool will open and start scanning your system.

• Please be patient as this can take a while to complete depending on your system's specifications.

• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

• Copy and Paste the JRT.txt log into your next message.
**********************************************
Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.
Windows 8 and Windows 10 dual boot with two SSD's

aubee60

  • Guest
Re: is my pc hijacked?
« Reply #2 on: May 30, 2014, 04:22:08 PM »
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.05.30.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17107
Administrator :: AMCAMU-PC [administrator]

5/30/2014 6:11:10 PM
mbar-log-2014-05-30 (18-11-10).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 282942
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Administrator on Fri 05/30/2014 at 17:59:04.51
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 05/30/2014 at 18:07:46.54
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17107

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 4240293888, free: 2243051520

Downloaded database version: v2014.05.30.10
Downloaded database version: v2014.05.21.01
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: E38FF026

Partition information:

    Partition 0 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3072000
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 3074048  Numsec = 947959808

    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 951033856  Numsec = 25739264
    Partition is not bootable
Hidden partition VBR is not infected.

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-2-951033856-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished



SuperDave

Re: is my pc hijacked?
« Reply #3 on: May 30, 2014, 04:29:08 PM »
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
•Check
•Click the button.
•Accept any security warnings from your browser.
  • Leave the check mark next to Remove found threats.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Windows 8 and Windows 10 dual boot with two SSD's

aubee60

  • Guest
Re: is my pc hijacked?
« Reply #4 on: May 30, 2014, 09:20:23 PM »
Ran scan twice. It said nothing found, but I couldn't find a saved report.

aubee60

  • Guest
Re: is my pc hijacked?
« Reply #5 on: May 31, 2014, 06:15:56 AM »
Got up this morning, turned on my PC, opened my cmd to do a netstat, and a black cmd screen popped up, ran through a lot of stuff very rapidly, then the yellow cmd screen that I have mine set to popped up. What was all that with the black screen?

C:\windows\system32>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.2.2:49160      r-061-042-234-077:http  ESTABLISHED
  TCP    192.168.2.2:49460      ord08s11-in-f19:http   TIME_WAIT
  TCP    192.168.2.2:49466      ord08s06-in-f3:http    TIME_WAIT
  TCP    192.168.2.2:49474      ord08s11-in-f19:https  TIME_WAIT
  TCP    192.168.2.2:49475      ord08s06-in-f26:http   TIME_WAIT
  TCP    192.168.2.2:49476      ord08s06-in-f25:http   TIME_WAIT
  TCP    192.168.2.2:49477      ord08s06-in-f25:http   TIME_WAIT
  TCP    192.168.2.2:49478      ord08s06-in-f20:http   TIME_WAIT
  TCP    192.168.2.2:49480      ord08s11-in-f19:http   TIME_WAIT
  TCP    192.168.2.2:49481      74.125.201.95:https    TIME_WAIT
  TCP    192.168.2.2:49482      74.125.201.95:https    TIME_WAIT
  TCP    192.168.2.2:49483      ord08s11-in-f2:http    TIME_WAIT
  TCP    192.168.2.2:49484      ord08s11-in-f19:http   TIME_WAIT
  TCP    192.168.2.2:49485      ord08s11-in-f19:http   TIME_WAIT
  TCP    192.168.2.2:49500      r-070-041-234-077:http  TIME_WAIT
  TCP    192.168.2.2:49503      ord08s07-in-f8:http    ESTABLISHED
  TCP    [::1]:2869             amcamu-PC:49493        ESTABLISHED
  TCP    [::1]:49493            amcamu-PC:icslap       ESTABLISHED

C:\windows\system32>

SuperDave

Re: is my pc hijacked?
« Reply #6 on: May 31, 2014, 01:01:32 PM »
Does it continue to do that?
Windows 8 and Windows 10 dual boot with two SSD's

aubee60

  • Guest
Re: is my pc hijacked?
« Reply #7 on: May 31, 2014, 02:58:45 PM »
I just did a netstat. The first one that popped up was black and ran for quite a while with a lot of established connections, then just as quickly as it opened it closed before I could even copy it. Then I typed netstat again and my normal cmd screen, which is yellow, came up, and this is what I got:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\System32>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.2.2:50158      ir2:https              TIME_WAIT
  TCP    192.168.2.2:50165      a:https                TIME_WAIT
  TCP    192.168.2.2:50167      ord08s07-in-f28:https  TIME_WAIT
  TCP    192.168.2.2:50188      74.122.143.31:https    TIME_WAIT
  TCP    192.168.2.2:50191      l3:https               TIME_WAIT
  TCP    192.168.2.2:50194      ord08s06-in-f20:http   TIME_WAIT
  TCP    192.168.2.2:50195      ord08s06-in-f20:https  TIME_WAIT
  TCP    192.168.2.2:50196      ord08s13-in-f14:http   TIME_WAIT
  TCP    192.168.2.2:50197      ord08s08-in-f23:https  TIME_WAIT
  TCP    192.168.2.2:50199      ord08s06-in-f20:https  TIME_WAIT
  TCP    192.168.2.2:50200      ord08s09-in-f23:https  TIME_WAIT
  TCP    192.168.2.2:50202      ord08s06-in-f8:http    TIME_WAIT
  TCP    192.168.2.2:50203      ord08s09-in-f0:http    TIME_WAIT
  TCP    192.168.2.2:50205      a23-74-9-91:http       ESTABLISHED
  TCP    192.168.2.2:50225      logan-PC:netbios-ssn   TIME_WAIT
  TCP    192.168.2.2:50227      logan-PC:netbios-ssn   TIME_WAIT
  TCP    192.168.2.2:50228      r-053-041-234-077:http  ESTABLISHED
  TCP    192.168.2.2:50229      logan-PC:netbios-ssn   ESTABLISHED
  TCP    192.168.2.2:50230      logan-PC:netbios-ssn   ESTABLISHED
  TCP    [::1]:5357             amcamu-PC:50226        TIME_WAIT

logan-PC is my husband's laptop, but there should not be any connection to his PC, so what's happening? He says he hasn't done anything to connect to mine, so how are we connected?

SuperDave

Re: is my pc hijacked?
« Reply #8 on: June 01, 2014, 12:00:06 PM »
Please download Farbar Service Scanner to the desktop and run it on the computer with the issue.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Make sure FRST is run under administrator privileges.
Make sure that the Whitelist section is checked. Otherwise, the log will be very long.
Your security programs may prevent the tool from running. If this happens, disable the security program until the scan is completed.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.

  • Press "Scan".





  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
Windows 8 and Windows 10 dual boot with two SSD's

aubee60

  • Guest
Re: is my pc hijacked?
« Reply #9 on: June 01, 2014, 01:26:54 PM »
Farbar Service Scanner Version: 21-05-2014
Ran by Administrator (administrator) on 01-06-2014 at 15:22:37
Running from "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8IXXUU2I"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

SuperDave

Re: is my pc hijacked?
« Reply #10 on: June 01, 2014, 04:58:41 PM »
I noticed that you have two AVs active on your computer: Norton Internet Security and avast! Antivirus. Only one AV should be active on your computer at any time. You should disable/uninstall one of them.
There appears to be no problem with your network connection.

Quote
logan-PC is my husband's laptop, but there should not be any connection to his PC, so what's happening? He says he hasn't done anything to connect to mine, so how are we connected?

Netstat is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement. There don't appear to be any problems with your computer. The only way that your computer could be connected is if you allowed a remote connection.
Windows 8 and Windows 10 dual boot with two SSD's
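
Reading the netstat listing from Reply #7 by port and direction, as an added example that is not part of the original thread: `netbios-ssn` is TCP port 139, the NetBIOS session service used by Windows file and printer sharing, and the side holding the high-numbered (ephemeral) port is normally the one that opened the connection. The sample rows are copied from that post; the port table and the `classify` and `sharing_summary` helpers are constructed for illustration.

```python
import re

# Sample rows copied from the netstat output posted in Reply #7.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.2.2:50167      ord08s07-in-f28:https  TIME_WAIT
  TCP    192.168.2.2:50188      74.122.143.31:https    TIME_WAIT
  TCP    192.168.2.2:50205      a23-74-9-91:http       ESTABLISHED
  TCP    192.168.2.2:50225      logan-PC:netbios-ssn   TIME_WAIT
  TCP    192.168.2.2:50229      logan-PC:netbios-ssn   ESTABLISHED
  TCP    [::1]:5357             amcamu-PC:50226        TIME_WAIT
"""

# Port names netstat prints when run without -n (subset chosen for this example).
SERVICES = {"http": 80, "https": 443, "epmap": 135,
            "netbios-ssn": 139, "microsoft-ds": 445, "icslap": 2869}
SHARING_PORTS = {135, 139, 445}  # RPC endpoint mapper, NetBIOS session, SMB
EPHEMERAL_START = 49152          # default dynamic range on Windows Vista and later
LOOPBACK = {"127.0.0.1", "::1"}
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_endpoint(text):
    """Split 'host:port' or '[ipv6]:port' into (host, port number or None)."""
    host, _, port = text.rpartition(":")
    number = int(port) if port.isdigit() else SERVICES.get(port.lower())
    return host.strip("[]"), number


def direction(local_port, remote_port):
    """Infer the initiator: the client side holds the ephemeral port."""
    if local_port is None or remote_port is None:
        return "unknown"
    if local_port >= EPHEMERAL_START > remote_port:
        return "outbound"
    if remote_port >= EPHEMERAL_START > local_port:
        return "inbound"
    return "unknown"


def classify(netstat_text):
    """Return one dict per TCP row; headers, prompts and blanks are skipped."""
    rows = []
    for line in netstat_text.splitlines():
        match = ROW.match(line)
        if not match:
            continue
        (lhost, lport), (rhost, rport) = map(parse_endpoint, match.group(1, 2))
        if lhost in LOOPBACK:
            kind = "loopback"          # traffic that never leaves this machine
        elif {lport, rport} & SHARING_PORTS:
            kind = "windows-sharing"   # file/printer sharing or RPC to a peer
        else:
            kind = "other"             # e.g. ordinary web traffic
        rows.append({"remote": rhost, "state": match.group(3),
                     "direction": direction(lport, rport), "kind": kind})
    return rows


def sharing_summary(netstat_text):
    """Map each Windows-sharing peer to the connection directions seen."""
    peers = {}
    for row in classify(netstat_text):
        if row["kind"] == "windows-sharing":
            peers.setdefault(row["remote"], set()).add(row["direction"])
    return peers
```

On Windows, `netstat -b` from an elevated prompt adds the owning executable to each row, and `netstat -n` prints numeric addresses and ports instead of resolved names.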

aubee60

  • Guest
Re: is my pc hijacked?
« Reply #11 on: June 01, 2014, 06:02:51 PM »
OK, I don't think I have, so how do I unconnect them and keep them unconnected?

SuperDave

Re: is my pc hijacked?
« Reply #12 on: June 02, 2014, 01:36:40 PM »
Here is the procedure to connect one computer to another. If you didn't do this, then they are not connected. First, the other computer has to ask permission to connect. If you allow it, a one-time password is generated which will allow the computers to be connected. If you didn't do this, the computers are not connected.
Windows 8 and Windows 10 dual boot with two SSD's