[A] Malwarebytes - blocked potentially malicious website popup

Inactive
By HonestAbeLink
Jun 9, 2012
Topic Status:
Not open for further replies.
  1. HonestAbeLink

    HonestAbeLink Newcomer, in training Topic Starter Posts: 43

    I also believe I have some malicious drivers on the computer...

    dfdftdttdttdt.JPG

    this is from the security task manager you had me install on the computer...

    do you have a program that can examine my services and drivers
  2. HonestAbeLink

    HonestAbeLink Newcomer, in training Topic Starter Posts: 43

    Here's what happens according to the Event Viewer when I pull the Ethernet to my modem out of my computer, then plug it back in...

    Event Type:Information
    Event Source:Tcpip
    Event Category:None
    Event ID:4202
    Date:6/22/2012
    Time:8:26:40 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 02 00 50 00 ......P.
    0008: 00 00 00 00 6a 10 00 40 ....j..@
    0010: 02 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........


    Event Type:Warning
    Event Source:Dhcp
    Event Category:None
    Event ID:1003
    Date:6/22/2012
    Time:8:26:40 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0015F274321A. The following error occurred:
    The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: c7 04 00 00 Ç...


    Event Type:Information
    Event Source:Tcpip
    Event Category:None
    Event ID:4201
    Date:6/22/2012
    Time:8:26:50 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was connected to the network, and has initiated normal operation over the network adapter.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 02 00 50 00 ......P.
    0008: 00 00 00 00 69 10 00 40 ....I..@
    0010: 02 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........


    Event Type:Information
    Event Source:Tcpip
    Event Category:None
    Event ID:4201
    Date:6/22/2012
    Time:8:26:54 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was connected to the network, and has initiated normal operation over the network adapter.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 02 00 50 00 ......P.
    0008: 00 00 00 00 69 10 00 40 ....I..@
    0010: 02 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........


    Event Type:Information
    Event Source:Tcpip
    Event Category:None
    Event ID:4202
    Date:6/22/2012
    Time:8:27:50 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 02 00 50 00 ......P.
    0008: 00 00 00 00 6a 10 00 40 ....j..@
    0010: 02 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........


    Event Type:Warning
    Event Source:Dhcp
    Event Category:None
    Event ID:1003
    Date:6/22/2012
    Time:8:27:50 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0015F274321A. The following error occurred:
    The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: c7 04 00 00 Ç...


    and this cycle just repeats every time leaving me connected to the network but with no connection to the internet
  3. HonestAbeLink

    HonestAbeLink Newcomer, in training Topic Starter Posts: 43

    Here's the ANONYMOUS LOGON log

    Event Type:Success Audit
    Event Source:Security
    Event Category:Logon/Logoff
    Event ID:540
    Date:6/22/2012
    Time:11:53:18 PM
    User:NT AUTHORITY\ANONYMOUS LOGON
    Computer:NONE-76AAAFB655
    Description:
    Successful Network Logon:
    User Name:
    Domain:
    Logon ID:(0x0,0x1722E)
    Logon Type:3
    Logon Process:NtLmSsp
    Authentication Package:NTLM
    Workstation Name:
    Logon GUID:-

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
  4. HonestAbeLink

    HonestAbeLink Newcomer, in training Topic Starter Posts: 43

    log on and off and special privileges

    Event Type:Success Audit
    Event Source:Security
    Event Category:Logon/Logoff
    Event ID:528
    Date:6/22/2012
    Time:11:53:17 PM
    User:NT AUTHORITY\NETWORK SERVICE
    Computer:NONE-76AAAFB655
    Description:
    Successful Logon:
    User Name:NETWORK SERVICE
    Domain:NT AUTHORITY
    Logon ID:(0x0,0x3E4)
    Logon Type:5
    Logon Process:Advapi
    Authentication Package:Negotiate
    Workstation Name:
    Logon GUID:-

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type:Success Audit
    Event Source:Security
    Event Category:privilege Use
    Event ID:576
    Date:6/22/2012
    Time:11:53:17 PM
    User:NT AUTHORITY\NETWORK SERVICE
    Computer:NONE-76AAAFB655
    Description:
    Special privileges assigned to new logon:
    User Name:NETWORK SERVICE
    Domain:NT AUTHORITY
    Logon ID:(0x0,0x3E4)
    Privileges:SeAuditPrivilege
    SeAssignPrimaryTokenPrivilege
    SeChangeNotifyPrivilege

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
  5. HonestAbeLink

    HonestAbeLink Newcomer, in training Topic Starter Posts: 43

    the failed log on attempt by me (apparently when I was already logged in)

    Event Type:Failure Audit
    Event Source:Security
    Event Category:Account Logon
    Event ID:680
    Date:6/22/2012
    Time:12:26:13 AM
    User:NT AUTHORITY\SYSTEM
    Computer:NONE-76AAAFB655
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: Owner
    Source Workstation: NONE-76AAAFB655
    Error Code: 0xC000006A


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Event Type:Failure Audit
    Event Source:Security
    Event Category:Logon/Logoff
    Event ID:529
    Date:6/22/2012
    Time:12:26:13 AM
    User:NT AUTHORITY\SYSTEM
    Computer:NONE-76AAAFB655
    Description:
    Logon Failure:
    Reason:Unknown user name or bad password
    User Name:Owner
    Domain:
    Logon Type:2
    Logon Process:Advapi
    Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:NONE-76AAAFB655
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    My user is right, must be a bad password
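The Security events posted above (the ANONYMOUS LOGON 540, the NETWORK SERVICE 528/576 pair, and the 680/529 failure with error 0xC000006A) are the kind of records a responder would parse and triage rather than read one by one. The script below is an added example, not something posted in this thread or shipped with Malwarebytes: it parses the Windows XP Event Viewer text-export format shown in the posts into one dictionary per record and applies a few defender-side rules. The sample records are constructed from the format of the posted ones, with the computer name replaced by a placeholder; the privilege set treated as sensitive is this example's own choice.

```python
"""Parse Windows XP Event Viewer text exports and triage Security logon events."""
import re

# Constructed sample modelled on the records posted in the thread (hostname replaced).
SAMPLE = r"""
Event Type:Success Audit
Event Source:Security
Event Category:Logon/Logoff
Event ID:540
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:WORKSTATION-EXAMPLE
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID:(0x0,0x1722E)
Logon Type:3
Logon Process:NtLmSsp
Authentication Package:NTLM
Workstation Name:
Logon GUID:-

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:Success Audit
Event Source:Security
Event Category:Privilege Use
Event ID:576
User:NT AUTHORITY\NETWORK SERVICE
Computer:WORKSTATION-EXAMPLE
Description:
Special privileges assigned to new logon:
User Name:NETWORK SERVICE
Domain:NT AUTHORITY
Logon ID:(0x0,0x3E4)
Privileges:SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege

Event Type:Failure Audit
Event Source:Security
Event Category:Account Logon
Event ID:680
User:NT AUTHORITY\SYSTEM
Computer:WORKSTATION-EXAMPLE
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Owner
Source Workstation: WORKSTATION-EXAMPLE
Error Code: 0xC000006A
"""

# "Key:Value" lines; the key is short and the first colon ends it (so "Time:11:53:18 PM" works).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]{0,30}?):\s*(.*)$")

BAD_PASSWORD = "0xC000006A"   # NTSTATUS STATUS_WRONG_PASSWORD
NO_SUCH_USER = "0xC0000064"   # NTSTATUS STATUS_NO_SUCH_USER
# Privileges this example treats as worth flagging when granted at logon (example's choice).
SENSITIVE_PRIVS = {"SeTcbPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege"}


def parse_records(text):
    """Split an Event Viewer text export into records.

    A record starts at an "Event Type:" line. Every Key:Value line (header and
    description body alike) goes into a dict; free text goes under "Description".
    The "For more information" footer and the hex "Data:" dump are skipped.
    """
    records, rec, tail = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:"):
            rec, tail = {"Description": ""}, False
            records.append(rec)
        if rec is None or not line or tail:
            continue
        if line.startswith("For more information") or line == "Data:":
            tail = True
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) not in rec:      # first occurrence of a key wins
            rec[m.group(1)] = m.group(2)
        elif not m:
            rec["Description"] += line + " "
    return records


def triage(records):
    """Return (event_id, verdict) pairs for Security events that deserve a look."""
    out = []
    for r in records:
        if r.get("Event Source") != "Security":
            continue
        eid = r.get("Event ID")
        if eid == "540" and "ANONYMOUS LOGON" in r.get("User", ""):
            out.append((eid, "null-session NTLM logon (type %s) from workstation %r; "
                             "routine for SMB browsing, check the source if it is unknown"
                        % (r.get("Logon Type"), r.get("Workstation Name", ""))))
        elif eid in ("680", "529"):
            code = r.get("Error Code", "")
            why = {BAD_PASSWORD: "wrong password for an existing account",
                   NO_SUCH_USER: "no such account"}.get(code, r.get("Reason", code))
            who = r.get("Logon account") or r.get("User Name")
            out.append((eid, "failed logon for %r: %s" % (who, why)))
        elif eid == "576":
            # "Privileges:" carries the first name; the rest are bare lines in the body.
            privs = {r.get("Privileges", "")} | set(r["Description"].split())
            hit = privs & SENSITIVE_PRIVS
            if hit:
                out.append((eid, "sensitive privileges %s granted to %r"
                            % (sorted(hit), r.get("User Name"))))
    return out


if __name__ == "__main__":
    for eid, verdict in triage(parse_records(SAMPLE)):
        print(eid, verdict)
```

On the sample the 576 record is silent, because SeAudit/SeAssignPrimaryToken/SeChangeNotify for NETWORK SERVICE are ordinary service-logon privileges; the 540 and 680 records each produce one line. To run it over a real export, replace `SAMPLE` with the contents of a saved `.txt` export from Event Viewer.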
  6. HonestAbeLink

    HonestAbeLink Newcomer, in training Topic Starter Posts: 43

    LOTS OF THESE...

    Event Type:Information
    Event Source:MsiInstaller
    Event Category:None
    Event ID:11729
    Date:6/22/2012
    Time:5:49:48 PM
    User:NONE-76AAAFB655\Owner
    Computer:NONE-76AAAFB655
    Description:
    The description for Event ID ( 11729 ) in Source ( MsiInstaller ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Product: Java(TM) 7 Update 5 -- Configuration failed., (NULL), (NULL), (NULL), (NULL), , .
    Data:
    0000: 7b 32 36 41 32 34 41 45 {26A24AE
    0008: 34 2d 30 33 39 44 2d 34 4-039D-4
    0010: 43 41 34 2d 38 37 42 34 CA4-87B4
    0018: 2d 32 46 38 33 32 31 37 -2F83217
    0020: 30 30 35 46 46 7d 005FF}
  7. HonestAbeLink

    HonestAbeLink Newcomer, in training Topic Starter Posts: 43

    Hope this can help you maybe just understand how whatever is still on my computer is working, if not help to get rid of it...

    Like I said before, I don't know if the things above are very normal or malicious... but my guess is you do. Tell me what you think, and if there is anything in the meantime, before I get that XP disc and all, that we can do, that would be great.

    I'll pop on shortly like this tomorrow (if my new EVIL DNS server lets me, I really don't know what I'm talking about), hope to catch you then...

    STEALING IT AGAIN...
  8. HonestAbeLink

    HonestAbeLink Newcomer, in training Topic Starter Posts: 43

    one last thing came to mind

    I have multiple spoolsv.exe on my computer

    4 to be exact

    mostly worried about this one

    it's located at - C:\WINDOWS\ERDNT\cache

    created Monday, June 11, 2012, 2:31:02 AM
    modified Tuesday, August 17, 2010, 9:17:06 AM wtf
    accessed Today, June 23, 2012, 2:49:57 AM

    from the event viewer

    Event Type:Information
    Event Source:Service Control Manager
    Event Category:None
    Event ID:7035
    Date:6/23/2012
    Time:1:37:34 AM
    User:NT AUTHORITY\SYSTEM
    Computer:NONE-76AAAFB655
    Description:
    The Windows Image Acquisition (WIA) service was successfully sent a start control.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type:Information
    Event Source:Service Control Manager
    Event Category:None
    Event ID:7036
    Date:6/23/2012
    Time:1:37:35 AM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    The Windows Image Acquisition (WIA) service entered the running state.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    In Windows XP, WIA runs in the LocalSystem context. Because of the security ramifications of running a service as LocalSystem whereby a buggy driver or malicious person would have unrestricted access to the system, the WIA service in Windows Server 2003 and Windows Vista operates in the LocalService context. This can result in compatibility issues when using a driver designed for Windows XP
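Several files sharing the name of a system binary, as with the four spoolsv.exe copies above, is a question of location and content rather than count: the copy in the expected system directory is the reference, and any other copy is either byte-identical to it (a backup) or something different that should be examined first. The script below is an added example, not from this thread or any tool mentioned in it; it walks a directory tree, hashes every file with the given name, and classifies each copy against the one in the expected location. The expected directory (`windows\system32`) and the directory layout built by `demo()` are constructed for the example, and the file contents are placeholder bytes, not real binaries.

```python
"""Inventory every copy of a named executable under a root and classify each by location and hash."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Directories (relative to the scanned root, lower-case, backslash-separated) where the
# real binary is expected to live. Assumed for this example.
EXPECTED_DIRS = {"windows\\system32"}


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, name):
    """Return one dict per file named `name` (case-insensitive) anywhere under `root`."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() != name.lower():
                continue
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(dirpath, root).replace(os.sep, "\\").lower()
            st = os.stat(path)
            found.append({
                "rel_dir": rel,
                "path": path,
                "sha256": sha256_of(path),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "expected": rel in EXPECTED_DIRS,
            })
    return sorted(found, key=lambda d: d["rel_dir"])


def classify(copies):
    """Label each copy relative to the hash of the copy in the expected location."""
    reference = {c["sha256"] for c in copies if c["expected"]}
    out = []
    for c in copies:
        if c["expected"]:
            verdict = "expected location"
        elif c["sha256"] in reference:
            verdict = "unexpected location, byte-identical to the expected copy (likely a backup)"
        else:
            verdict = "unexpected location, different content: examine first"
        out.append((c["rel_dir"], verdict))
    return out


def demo():
    """Build a constructed directory tree and classify the copies found in it."""
    root = tempfile.mkdtemp(prefix="copies-")
    layout = {  # constructed sample files with placeholder bytes, not real binaries
        "windows/system32/spoolsv.exe": b"MZ-placeholder-spooler",
        "windows/erdnt/cache/spoolsv.exe": b"MZ-placeholder-spooler",
        "windows/temp/spoolsv.exe": b"MZ-placeholder-other",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return classify(find_copies(root, "spoolsv.exe"))


if __name__ == "__main__":
    for rel_dir, verdict in demo():
        print(rel_dir, "->", verdict)
```

Against a real machine, call `find_copies("C:\\", "spoolsv.exe")` instead of `demo()`; the timestamps the post lists (created after modified, as with the ERDNT\cache copy) are ordinary for a file copied with its original modification time preserved, which is why the hash comparison, not the dates, decides which copy to look at first.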
  9. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    I can't really comment without seeing requested logs.
  10. HonestAbeLink

    HonestAbeLink Newcomer, in training Topic Starter Posts: 43

    Here's the update...

    Found someone that can most likely create the disc for me... Might be able to get the logs in a few days,

    Till then... see ya
  11. Broni

    Broni Malware Annihilator Posts: 46,388   +252

    Cool beans :)