Windows firewall exceptions "SERVICES" keep coming back after deleting
I inadvertently got some program that got through Windows Defender that opened 4 ports on my computer. Defender lists them in Globally Open Ports. I have no idea how they got there but when I delete them in firewall exceptions they come back after reboot in SERVICES. Computer running very slow since. Running Windows XP. I can't find the program culprit. Please help.
February 4th, 2010 1:33am

Your computer is infected. Go through these general malware removal steps systematically - http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do all scans in Safe Mode. Please see the special Notes regarding using Multi_AV in Vista.
http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

You can also check to see if there are targeted removal steps for your malware here:
Bleeping Computer removal how-to's - http://www.bleepingcomputer.com/forums/forum55.html
Or here:
Malwarebytes malware removal guides - http://tinyurl.com/5xrpft

When all else fails, get guided help. Choose one of the specialty forums listed at the first link. Register and read its posting FAQ. PLEASE DO NOT POST LOGS IN THE MS FORUMS.

If you can't do the work yourself (and there is no shame in admitting this isn't your cup of tea), take the machine to a professional computer repair shop (not your local equivalent of BigComputerStore/GeekSquad). Please be aware that not all local shops are skilled at removing malware and even if they are, your computer may be so infested that Windows will need to be clean-installed. If possible, have all your data backed up before you take the machine into a shop.
MS-MVP - Elephant Boy Computers - Don't Panic!
February 4th, 2010 4:37pm

Hello Malkeleah, Thank you for responding to my post. I haven't been at computer in a while. Snow & other priorities. First of all, I just want to say, that before I try all the things in your generous reply, I wanted to explain a bit more on my problem. It was so weird. If I had it all over again I would never have gone to that site. (If it even was a site problem)

I was looking for a used VHS on eBay & one showed an owner's manual to download. I went to download it & in the bottom taskbar area a box showed Update or Updater (can't remember which). When I went to click on the box to enlarge it on the screen it wouldn't let me. Then my computer locked up. Couldn't shut down properly so I just pushed the CPU button to turn it off. Here's where the fun started. When I turned it on, I got the blue screen saying Windows needs to check your disk because of shutting down improperly. (I've seen that a million times & no problem). Either let it check or push any key to not check it. Well I let it check it since that Updater thing looked weird, & I got like a million files shooting by (too fast to actually read). Tried to read them. Something on truncated files. It took like 5 minutes to finish. Then everything was SLOW starting up.

I went to Windows Defender & history tab showed that 4 Globally Open Ports were put in by some unknown program. I was pissed. Why didn't Windows Defender ask me permission to install them since it says potentially dangerous? Well then I went to Windows Firewall & saw the 4 Services added to exceptions & checked. I deleted them & rebooted & they come back. Tried Process Explorer & Security Task Manager to locate it, but I can't seem to pinpoint it. I'm not computer illiterate but I really don't know much when it comes to any kind of program troubleshooting. I'm sorry this was so long, but I just wanted to tell the whole story to someone before I lose my mind.

If this whole story didn't change any advice you gave me, then I guess I'm just another victim of idiots out there. I'm gonna start backing up till I hear from you. Thanks again
February 16th, 2010 6:13pm

The whole story only confirms my advice to you. Although the smartest thing you could do based on your own assessment of your computer skills is to take the machine to a competent local professional, you can also back up your data and do a clean install of Windows yourself.
http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What you will need on-hand
MS-MVP - Elephant Boy Computers - Don't Panic!
February 16th, 2010 9:58pm

Thank you for your advice & honesty. I'll get back to you later on how I did.
February 17th, 2010 1:08am

One more question. Years ago I updated from Windows98 to WindowsXP from a WindowsXP UPGRADE CD that I bought. Can I reinstall WindowsXP using this UPGRADE disk again (from XP to XP), or am I screwed?
February 17th, 2010 3:51am

Yes, you can reinstall XP using the upgrade CD. At an early point in the installation you will be asked to put your Win98 disc in the drive. The XP install will check that you have qualifying media for the upgrade and then you'll be told to put the XP install CD back in.
MS-MVP - Elephant Boy Computers - Don't Panic!
February 17th, 2010 7:02am

I am sorry. I am a real pain in the neck. I have one more question. I have no trouble getting Firefox to open to research all this. Like with you, the sites you gave me, etc. But I can't get Internet Explorer 7 to open. The only way it opens is if I trick it in Windows Firewall Exceptions like UPnP Framework, File & Printer Sharing, Remote Desktop, & Remote Assistance. By clicking these off & on I can seem to get in once in a while but it's rare. What should these be set at? And again, is this part of the infection? Plus I need I.E. to start gathering my Favorites, etc. list before reinstall.
February 17th, 2010 5:13pm

Probably part of the infection. You don't need to start IE to get your favorites. Open My Computer and navigate to C:\Documents and Settings\your-user-account. You will see folders for your Favorites, Desktop, and My Documents.

You are not being "a pain in the neck". I answer questions on these forums voluntarily because I like to help people. I'd much rather you asked a question first before plunging in and making an unhappy mistake. Even though we haven't met - and in all probability never will - I would still like you to be happy in your computing life and if I can help that, then perhaps I won't be turned into something slimy in my next life. ;-)
MS-MVP - Elephant Boy Computers - Don't Panic!
February 17th, 2010 5:22pm

You are a true humanitarian. I am home disabled from my job due to hip and sciatica problems. The computer is a happy medium to get through some of the boredom of the day. I'll keep you posted.
February 17th, 2010 6:11pm

I'm trying to gather all the information I'll need to do a clean install of XP. I came across something in the many references you gave me about F.A.S.T. (File & Settings Transfer Wizard). It looked great since I don't have a real place to back up to. (No writable disk drive) But I am networked to our other computer. Can I back up to there or am I risking transferring the infection to there? Plus back to my own computer. I would only be transferring Documents and settings and Outlook Express. This would save me a ton of leg work.
February 18th, 2010 10:48pm

I don't think I'd use FAST to back up. Since you are networked, just copy your data and email to the other computer over the network. Save it somewhere logical in a folder called something useful like "backup from other computer". ;-) I don't think you'll have an issue with infection but there's nothing preventing you from scanning that data with the other computer's antivirus program either.
MS-MVP - Elephant Boy Computers - Don't Panic!
February 18th, 2010 11:41pm

Hello Malkeleah, Well I'm off & running with my new WindowsXP installation & so far no ports have been opened unauthorized. I had a couple of bumpy roads but mostly back to normal. I was all ready to celebrate & then my son's laptop got the Paladin Anti-virus fake virus. Boy was I mad. Any suggestion on the best thing to do for this? Is there no end to the computer hijacking in this world?
February 24th, 2010 2:06am

No, there is no end to computer hijacking because it is a billion-dollar business. Here are removal instructions for the rogue security program your son picked up:
http://www.bleepingcomputer.com/virus-removal/remove-paladin-antivirus

And here are some links to help your son not get infected again:
Safe Hex:
http://www.getsafeonline.org/
https://www.mysecurecyberspace.com/
http://www.getnetwise.org/
http://www.elephantboycomputers.com/staying-safe.pdf
MS-MVP - Elephant Boy Computers - Don't Panic!
February 24th, 2010 4:18am

Hello Malkeleah, We are in the process of removing Paladin. When we get to the Update Malwarebytes program before running it, we get this message. Should we run it without updates O.K.?
February 24th, 2010 10:53pm

No, you don't want to run it without updating it. Try going into Safe Mode with Networking and then updating MBAM from there. If you need more precise instructions to remove this malware, you might want to register at one of the specialty forums listed at the link below to get guided help.
http://www.elephantboycomputers.com/page2.html#HJT-links
MS-MVP - Elephant Boy Computers - Don't Panic!
February 24th, 2010 11:31pm

If the update works should we restart in regular mode before doing the scan?
February 24th, 2010 11:46pm

I would go ahead and run the full scan in Safe Mode. Then after MBAM is done, go ahead and get into Regular Mode and scan again.
MS-MVP - Elephant Boy Computers - Don't Panic!
February 24th, 2010 11:57pm

Hello Malkeleah, I think we are going to have to give up on my son's laptop. Nothing seems to work except rkill.com stops the tons of popups to try to do the next thing. When we try to get Malwarebytes to load it says we need a program to associate with it. In fact, everything on the laptop says this. I even tried a System Restore and it said I need a program association for that. I read in the places that you directed me to that the Paladin virus attacks programs too. I don't know, I may be doing something wrong, but I followed the instructions. We may have to reinstall this one too. Any other suggestions on the virus?

Also, some good news is that I'm up and running on my computer. But after I installed Windows Defender I keep getting this legitimate defender popup that a system change was made by a known application. (gotten shortly after every start up & only once) by MpCmdRun.exe. I read up on it & most people say it's nothing. That it's just defender checking for updating program signature definitions. One place said this though:

You will see this message if: 1) you have a daily scan scheduled, and 2) you've checked the box to be notified of changes to the system by known applications. In this case, the known application is Windows Defender, and the change to the system is the re-scheduling of the scheduled task to do the daily scan. Such a change is significant--the scheduler has and will probably continue to be used by malware to reinfect over time.

The only scan that I have scheduled is for defender on Wednesday night 11:00 P.M. every week. Also, should I worry about this malware to infect over time thing that they talk on?
March 1st, 2010 12:25am

Wipe it. Restore it to factory condition and move on. Cheers.
MS-MVP - Elephant Boy Computers - Don't Panic!
March 1st, 2010 3:27am

How about the second part of my last reply? Any advice on this? This was on the computer I just fixed with clean install. (About the Windows Defender stuff). Should I worry on this or not?
March 1st, 2010 5:00am

I don't recommend Windows Defender on XP systems. Since I don't use it or support it on XP, you would need to post any questions you have about it in its newsgroup.
http://www.microsoft.com/windows/products/winfamily/defender/support.mspx
http://www.microsoft.com/athome/security/spyware/software/newsgroups/default.mspx
MS-MVP - Elephant Boy Computers - Don't Panic!
March 1st, 2010 3:50pm

This topic is archived. No further replies will be accepted.
