TechSpot

Might be infected?

By dasher
Nov 24, 2011
  1. OK, I'm officially looking for help at this point, and this place seems pretty good at that.

    A quick background: my issues (as you'll see from my logs, I'm a bit of a gamer) stretch back to the end of September. (This image was created approx. 1 month prior.) I've had multiple accounts compromised in that time (one account on 3 separate occasions). Every single time I've run a gigantic gauntlet of scans, inventory cleans, and so on. Every single time everything I've done has come up clean as a whistle. Even firewall logs (I'm on a Windows PC on a Linux network, hence the custom DNS settings) don't seem to show anything out of the ordinary, but after it happening yet again, I'm pretty convinced there's something up. Before finding this forum, I ran yet another set of scans and did some house cleaning (courtesy of CCleaner), but I'm still not convinced I'm good, given recent results.

    I ran all the stuff in the sticky. I've had Malwarebytes installed for a while, so that was NP, and DDS ran just fine, but the 3rd one (GMER?) ran and produced a completely blank log file. Not sure what that's all about.

    I'll just drop the logs and see if anyone has anything to say about it that I've missed. (And obviously I've missed something, because after 3 months of this... something HAS to be up.)


    Oh, and as a small note, I normally run Malwarebytes and MSE. I'm assuming you guys count that as an AV program.


    -----------------------------------------------------------------------------------------------------
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8226

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421

    11/24/2011 2:06:35 AM
    mbam-log-2011-11-24 (02-06-35).txt

    Scan type: Quick scan
    Objects scanned: 163906
    Time elapsed: 1 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    -----------------------------------------------------------------------------------------------------
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
    Run by whistler at 1:53:48 on 2011-11-24
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2599 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Logitech\SetPointP\SetPoint.exe
    C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
    C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
    C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
    C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
    C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
    C:\Program Files (x86)\Logitech\G930\G930.exe
    C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit=userinit.exe
    mRun: [Logitech G930] C:\Program Files (x86)\Logitech\G930\G930.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    TCP: Interfaces\{7ED8AED5-5674-4E48-958B-3BC025FEF08F} : NameServer = 192.168.1.105,192.168.1.106
    mRun-x64: [Logitech G930] C:\Program Files (x86)\Logitech\G930\G930.exe
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\whistler\AppData\Roaming\Mozilla\Firefox\Profiles\ltks4wqz.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2&from=login
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 LADF_BakerCOnly;BakerC Filter Driver;C:\Windows\system32\DRIVERS\ladfBakerCamd64.sys --> C:\Windows\system32\DRIVERS\ladfBakerCamd64.sys [?]
    R3 LADF_BakerROnly;BakerR Filter Driver;C:\Windows\system32\DRIVERS\ladfBakerRamd64.sys --> C:\Windows\system32\DRIVERS\ladfBakerRamd64.sys [?]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\system32\drivers\LGBusEnum.sys --> C:\Windows\system32\drivers\LGBusEnum.sys [?]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\system32\drivers\LGVirHid.sys --> C:\Windows\system32\drivers\LGVirHid.sys [?]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-11-24 06:22:07 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{20FD7B48-D267-41BD-9DE0-520470D5CB3D}\mpengine.dll
    2011-11-24 05:29:24 -------- d-----w- C:\Program Files\CCleaner
    2011-11-23 20:47:48 200976 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
    2011-11-23 18:08:23 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2011-11-23 18:08:23 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2011-11-23 18:00:39 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3A7FBB4E-A910-4F3C-A101-002D6E649E7B}\offreg.dll
    2011-11-23 12:57:23 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3A7FBB4E-A910-4F3C-A101-002D6E649E7B}\mpengine.dll
    2011-11-15 00:17:27 -------- d-----w- C:\Program Files (x86)\World of Warcraft Public Test
    2011-11-10 05:49:06 -------- d-----w- C:\Users\whistler\AppData\Roaming\Malwarebytes
    2011-11-10 05:49:01 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-11-10 05:48:57 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-11-10 05:48:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-10-25 16:48:16 -------- d-----w- C:\Program Files (x86)\SquareEnix
    2011-10-25 16:44:20 -------- d-----w- C:\Windows\SysWow64\directx
    .
    ==================== Find3M ====================
    .
    2011-11-06 01:30:47 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-10-31 16:16:07 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-10-05 21:13:34 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
    2011-09-10 15:32:10 44 ---h--w- C:\Program Files (x86)\8e37662e.tmp
    2011-08-26 22:22:30 28056 ----a-w- C:\Windows\System32\xfcodec64.dll
    .
    ============= FINISH: 1:54:08.30 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/24/2011 5:11:41 PM
    System Uptime: 11/23/2011 2:00:26 PM (11 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | EP45T-UD3P
    Processor: Intel(R) Core(TM)2 Quad CPU Q9550 @ 2.83GHz | Socket 775 | 2834/333mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 298 GiB total, 152.626 GiB free.
    D: is FIXED (NTFS) - 149 GiB total, 62.231 GiB free.
    E: is FIXED (NTFS) - 932 GiB total, 643.834 GiB free.
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
    Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_02\4&2E680ECD&0&00E5
    Manufacturer: Realtek
    Name: Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
    PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_E0001458&REV_02\4&2E680ECD&0&00E5
    Service: RTL8167
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe Flash Player 11 Plugin
    eReg
    FINAL FANTASY XIV
    Fraps (remove only)
    Java Auto Updater
    Java(TM) 6 Update 29
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox 8.0 (x86 en-US)
    Mumble 1.2.3
    OpenOffice.org 3.3
    Spybot - Search & Destroy
    VLC media player 1.1.11
    WinRAR 4.01 (32-bit)
    World of Warcraft
    World of Warcraft Public Test
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/24/2011 1:20:08 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.115.2351.0).
    11/24/2011 1:17:35 AM, Error: Service Control Manager [7031] - The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/24/2011 1:17:35 AM, Error: Service Control Manager [7031] - The Windows Audio Endpoint Builder service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/24/2011 1:17:35 AM, Error: Service Control Manager [7031] - The Superfetch service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/24/2011 1:17:35 AM, Error: Service Control Manager [7031] - The Program Compatibility Assistant Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/24/2011 1:17:35 AM, Error: Service Control Manager [7031] - The Offline Files service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/24/2011 1:17:35 AM, Error: Service Control Manager [7031] - The Network Connections service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    11/24/2011 1:17:35 AM, Error: Service Control Manager [7031] - The Human Interface Device Access service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/24/2011 1:17:35 AM, Error: Service Control Manager [7031] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/24/2011 1:17:35 AM, Error: Service Control Manager [7031] - The Desktop Window Manager Session Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    11/23/2011 1:40:15 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    11/23/2011 1:34:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    11/23/2011 1:34:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    11/23/2011 1:34:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    11/23/2011 1:34:03 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    11/23/2011 1:34:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/23/2011 1:33:56 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    11/23/2011 1:33:51 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf
    11/23/2011 1:33:50 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/23/2011 1:33:50 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    11/23/2011 1:33:50 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    11/23/2011 1:33:50 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    11/23/2011 1:33:50 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    11/23/2011 1:33:50 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    11/23/2011 1:33:50 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/23/2011 1:33:50 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/23/2011 1:33:50 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/23/2011 1:33:50 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    11/23/2011 1:00:57 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    11/18/2011 7:53:53 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR4.
    11/17/2011 7:51:49 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\DR3.
    .
    ==== End Of File ===========================
     
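The DDS output above is the kind of log a helper reads by eye: running processes, the "Pseudo HJT" autorun/DNS section, and the files created in the last 30 days. As an added example (not from the thread, from DDS, or from any tool mentioned here), the script below parses that DDS-style layout and applies a handful of triage heuristics a responder would apply by hand: processes running outside the Windows and Program Files trees, a modified Userinit chain, autoruns launched from user-writable paths, static DNS pointing at a public resolver, hidden files, and executables or drivers dropped under AppData/ProgramData. The sample log is constructed to mimic the page's format (the svch0st.exe, wlog.exe and 8.8.8.8 entries are illustrative, not taken from the poster's machine); the section names and field layout are the ones visible in the log above.

```python
"""Triage heuristics over a DDS-style log (the layout posted in this thread).

Added example, not part of the original thread or of the DDS tool. The sample
log below is constructed to mimic the page's format; flagged paths are made up.
"""
import ipaddress
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "=== Running Processes ==="
# e.g. "2011-09-10 15:32:10 44 ---h--w- C:\Program Files (x86)\8e37662e.tmp"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+([-a-z]{8})\s+(.+)$")
NS_RE = re.compile(r"NameServer = (.+)$")

SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\")
SCRIPT_HOSTS = ("cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe", "mshta.exe")
# Both spellings DDS may print for an untouched Userinit value (assumption).
USERINIT_OK = ("userinit.exe", "c:\\windows\\system32\\userinit.exe")


def split_sections(text):
    """Return {section name (lowercase): [lines]} keyed by the '=== Name ===' headers."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":          # DDS pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        sections[current].append(line)
    return sections


def triage(text):
    """Return a list of (severity, reason, line) findings; an empty list means nothing odd."""
    findings = []
    sec = split_sections(text)

    for line in sec.get("running processes", []):
        low = line.lower()
        if not low.startswith(SYSTEM_ROOTS):
            findings.append(("high", "process outside system/program dirs", line))
        elif low.endswith(SCRIPT_HOSTS):
            # The scanner that produced the log may itself run under a script host,
            # so this is review-only rather than a verdict.
            findings.append(("info", "script host running; confirm who launched it", line))

    for line in sec.get("pseudo hjt report", []):
        if line.startswith("mWinlogon: Userinit="):
            value = line.split("=", 1)[1].strip().lower().rstrip(",")
            if value not in USERINIT_OK:
                findings.append(("high", "Userinit chain modified (persistence spot)", line))
        m = NS_RE.search(line)
        if m:
            for ns in (s.strip() for s in m.group(1).split(",")):
                try:
                    addr = ipaddress.ip_address(ns)
                except ValueError:
                    findings.append(("medium", "unparseable DNS server", line))
                    continue
                if not addr.is_private:
                    findings.append(("medium", "static DNS points at a public resolver", line))
        if line.startswith(("mRun", "uRun")) and any(p in line.lower() for p in USER_WRITABLE):
            findings.append(("medium", "autorun from user-writable path", line))

    for name in ("created last 30", "find3m"):
        for line in sec.get(name, []):
            m = FILE_RE.match(line)
            if not m:
                continue
            attrs, low = m.group(3), m.group(4).lower()
            if "h" in attrs:
                findings.append(("medium", "hidden file created/modified", line))
            if (low.endswith((".exe", ".dll", ".sys")) and any(p in low for p in USER_WRITABLE)
                    and "\\definition updates\\" not in low):   # AV signature drops are expected
                findings.append(("medium", "executable/driver in user-writable path", line))
            if low.endswith(".tmp") and low.startswith(SYSTEM_ROOTS[1:]):
                findings.append(("low", ".tmp file in Program Files", line))
    return findings


# Constructed sample in the DDS layout; the suspicious entries are invented for the demo.
SAMPLE_LOG = r"""
DDS (Ver_2011-08-26.01) - NTFSAMD64
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Users\whistler\AppData\Roaming\update\svch0st.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe,C:\Users\whistler\AppData\Local\wlog.exe
mRun: [Logitech G930] C:\Program Files (x86)\Logitech\G930\G930.exe
uRun: [update] C:\Users\whistler\AppData\Roaming\update\svch0st.exe
TCP: Interfaces\{7ED8AED5-5674-4E48-958B-3BC025FEF08F} : NameServer = 192.168.1.105,8.8.8.8
.
=============== Created Last 30 ================
.
2011-11-24 06:22:07 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{20FD7B48}\mpengine.dll
2011-11-20 03:12:44 48128 ----a-w- C:\Users\whistler\AppData\Roaming\update\svch0st.exe
.
==================== Find3M ====================
.
2011-09-10 15:32:10 44 ---h--w- C:\Program Files (x86)\8e37662e.tmp
2011-08-26 22:22:30 28056 ----a-w- C:\Windows\System32\xfcodec64.dll
.
============= FINISH: 1:54:08.30 ===============
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}: {line}")
```

Run against a real DDS log, every "high" line deserves a hash lookup and a look at the file's signature and creation time; the "medium" entries are where a clean-looking log usually hides something, since AV definition drops and game patchers live in the same ProgramData/AppData trees. A log like the one posted above produces no high findings with these rules, which is consistent with the helper's read that the machine looks unusually lean.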
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! This is the leanest Win 7 I've seen!

    No home page, no search page, no toolbars, no BHOs, few processes running, no Restore Points, no Windows Updates > Install Date: 8/24/2011. Have you done a reformat/reinstall recently?

    I don't see processes for what I would consider a more "normal" machine. I can check for malware, but I don't think malware is your problem.
    =====================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the download button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===================================
    Download CKScanner and save to the desktop.
    • Double click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify the file saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

    Please paste logs into next reply.
    ===============================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you, including a Registry Cleaner or make changes in the Registry.
      [o] Please Do not Attach logs or put in code boxes
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
     
  3. dasher

    dasher TS Rookie Topic Starter

    Yeah, it's a fresh install. The install date is when I put it together.

    I don't use restore points (I have System Restore turned off). I keep a single image on a backup drive of my fresh install just in case. (Plenty of reasons I haven't restored to it just yet.)

    I used to do this type of stuff professionally (virus/malware cleanup, etc.), so I'm generally pretty good at keeping my own machine clean. That being said, it's something I haven't really been involved with in quite a few years, so there's plenty of stuff I haven't kept up on/don't know about anymore. Plus, given the amount of account compromises I've had in recent months, I'm convinced something is up. Windows updates not being applied is just me being lazy. I won't let them apply on their own and I more or less forgot to do it myself recently.

    I use Firefox as my primary browser and only use IE for Windows updates, so I keep about:blank there. My homepage/etc. are all set for Firefox. Although no, I make sure I keep BHOs out of there, and run HijackThis on a semi-frequent basis just to make sure they're gone. (A few programs have a habit of installing them; I get rid of them ASAP.) I'm pretty comfortable with registry edits (I used to do them manually long before any of these cute programs existed), so I mess around with completely removing stuff from my system fairly often. That said, I came here for a second eye on all of this since I feel like there's SOMETHING I'm missing, so for the time being I'll refrain.


    But no, my machine isn't what you'd consider "normal". The first time I had an account compromised I - after running a very large assortment of scans - told the company it had to be either a brute force attack or a security flaw on their end. I was pretty convinced of that at the time, tbh. After the 5th time though, on the 3rd different account, I started to question my own PC. At this point either I'm the unluckiest guy I know, or there is SOMETHING I'm missing.

    Just so you know: prior to coming here, I ran MSE and Malwarebytes yet again, used CCleaner to do a little registry cleanup, and removed all my temp files (as well as a free space wipe), installed and ran Spybot S&D, ran HouseCall, and ran a few suspicious-looking things through virustotal.com. Everything came up clean then too. I ran all the stuff below. ESET came up with nothing, so no log there. The rest are uneventful to me, but who knows.


    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.MN.11.KPLBCT
    ----- EOF -----



    ComboFix 11-11-24.01 - whistler 11/24/2011 16:30:23.2.4 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.3018 [GMT -5:00]
    Running from: c:\users\whistler\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-24 to 2011-11-24 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-24 21:37 . 2011-11-24 21:37 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E716B728-422F-48AB-87CF-EA07212AB430}\offreg.dll
    2011-11-24 21:36 . 2011-11-24 21:36 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-11-24 19:11 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E716B728-422F-48AB-87CF-EA07212AB430}\mpengine.dll
    2011-11-24 08:48 . 2011-11-24 08:48 -------- d-----w- c:\users\whistler\jagexcache
    2011-11-24 06:22 . 2011-10-18 06:27 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{20FD7B48-D267-41BD-9DE0-520470D5CB3D}\mpengine.dll
    2011-11-24 05:29 . 2011-11-24 05:29 -------- d-----w- c:\program files\CCleaner
    2011-11-23 20:47 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
    2011-11-23 18:08 . 2011-11-24 05:31 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-11-23 18:08 . 2011-11-23 18:09 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2011-11-15 00:17 . 2011-11-24 03:23 -------- d-----w- c:\program files (x86)\World of Warcraft Public Test
    2011-11-10 05:49 . 2011-11-10 05:49 -------- d-----w- c:\users\whistler\AppData\Roaming\Malwarebytes
    2011-11-10 05:49 . 2011-11-10 05:49 -------- d-----w- c:\programdata\Malwarebytes
    2011-11-10 05:48 . 2011-11-10 05:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-11-10 05:48 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-11-06 01:30 . 2011-11-06 01:30 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-10-31 16:15 . 2011-10-31 16:15 -------- d-----w- c:\windows\system32\Macromed
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-06 01:30 . 2011-08-24 22:32 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-10-31 16:16 . 2011-08-25 00:19 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-10-10 23:00 . 2011-10-10 23:01 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8FC9F922-5D41-447E-AB0E-B3581C5F7DF4}\gapaengine.dll
    2011-10-07 04:16 . 2011-08-25 23:51 8570192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-10-05 21:13 . 2011-10-05 21:13 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-09-10 15:32 . 2011-09-12 03:32 44 ---h--w- c:\program files (x86)\8e37662e.tmp
    2011-08-26 22:22 . 2011-08-26 22:22 28056 ----a-w- c:\windows\system32\xfcodec64.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-11-24_21.17.30 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-21 03:09 . 2011-11-24 21:26 21054 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-11-24 21:26 29432 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-11-24 21:23 . 2011-11-24 21:23 1604 c:\windows\system32\wdi\ERCQueuedResolutions.dat
    + 2011-08-24 21:31 . 2011-11-24 21:26 3442 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4005073462-2462230681-520396952-1000_UserData.bin
    - 2011-11-24 21:17 . 2011-11-24 21:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-11-24 21:37 . 2011-11-24 21:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 02:36 . 2011-11-24 05:29 617222 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-11-24 21:29 617222 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-11-24 21:29 104496 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2011-11-24 05:29 104496 c:\windows\system32\perfc009.dat
    - 2009-07-14 05:01 . 2011-11-24 21:16 274036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-11-24 21:36 274036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-08-24 21:54 . 2011-11-24 21:36 17260096 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4005073462-2462230681-520396952-1000-8192.dat
    - 2011-08-24 21:54 . 2011-11-24 21:16 17260096 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4005073462-2462230681-520396952-1000-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Logitech G930"="c:\program files (x86)\Logitech\G930\G930.exe" [2010-07-15 1488216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [x]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 LADF_BakerCOnly;BakerC Filter Driver;c:\windows\system32\DRIVERS\ladfBakerCamd64.sys [x]
    S3 LADF_BakerROnly;BakerR Filter Driver;c:\windows\system32\DRIVERS\ladfBakerRamd64.sys [x]
    S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [x]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1744152]
    "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-06-11 415816]
    "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-06-11 2413128]
    "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-06-11 4725320]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: Interfaces\{7ED8AED5-5674-4E48-958B-3BC025FEF08F}: NameServer = 192.168.1.105,192.168.1.106
    FF - ProfilePath - c:\users\whistler\AppData\Roaming\Mozilla\Firefox\Profiles\ltks4wqz.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2&from=login
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-11-24 16:39:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-24 21:39
    ComboFix2.txt 2011-11-24 21:21
    .
    Pre-Run: 165,734,420,480 bytes free
    Post-Run: 165,653,078,016 bytes free
    .
    - - End Of File - - 0B740E38FC12234E76981F29D8CCDCB1
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sounds like you may know more than me! I agree with many of your thoughts about things like TB, BHO, temp files and so on. But I would fight to the death about not having System Restore points! I cannot ever count how many times SR has saved my *** over the years. There are times when the only way into a system is through SR.

    Why would you want to re-image the system when a SR to day before a 'bad update' would handle it?

    The malware now is getting tougher to find, then harder to remove! Rootkits are the order of the day. They have no problem finding their way into a system after a successful exploit. And they sit quietly, without the 'noise' and fanfare created by some viruses and worms. But when a rootkit is combined with a virus, it enhances the danger greatly. The combination can destroy the system. Malware writers have gotten very 'clever' with more use of this combination and thus it is getting harder to detect, and also to prevent. Software exploits are plentiful. Vulnerabilities are hoarded by 'crackers.' And the zero day is every day!
    ==========================================
    Okay, down to your problem:

    There are 2 entries in Combofix I need info on if you have it:
    1. This Directory: 2011-09-12 03:32 44 ---h--w- c:\program files (x86)\8e37662e.tmp
    I cannot ID 8e37662e.tmp

    2. Locked Registry key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    I know what the CLSID is, but the rest of the entry is a mystery.

    Since there is so much customization of the system, I'm giving you a chance to ID the entries- or I remove them. There isn't much else in the Combofix log.
    =======================================

    Can you please explain this 'compromise.'
    =======================================
    I would like you to do this online virus scan:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the ESET Smart Installer link to download it. Save it to your desktop.
      [o] Double click on the installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
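The entry Bobbye asks about above is a 44-byte hidden .tmp file sitting loose in Program Files (x86), which is exactly the kind of line worth pulling out of a ComboFix file listing automatically. The following is an added example, not ComboFix's own code or anything from this thread: a small parser for the "Find3M Report" line format, with a triage routine that flags hidden files, loose files directly under Program Files, and random-looking hex .tmp names. The column meanings (leading `d` for directory, `h` for hidden, `--------` in place of a size for directories) are inferred from the log posted above; the sample lines are copied from that log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample "Find3M Report" lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2011-11-06 01:30 . 2011-08-24 22:32 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-10-31 16:16 . 2011-08-25 00:19 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-05 21:13 . 2011-10-05 21:13 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-10 15:32 . 2011-09-12 03:32 44 ---h--w- c:\program files (x86)\8e37662e.tmp
2011-08-26 22:22 . 2011-08-26 22:22 28056 ----a-w- c:\windows\system32\xfcodec64.dll
2011-11-24 05:29 . 2011-11-24 05:29 -------- d-----w- c:\program files\CCleaner
"""

# <modified> . <created> <size or --------> <8-char attribute field> <path>
LINE_RE = re.compile(
    r"^(?P<changed>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-\w]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    changed: str
    created: str
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # Assumption from the log: the first attribute column is 'd' for directories.
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        # Assumption from the log: 'h' anywhere in the attribute field means hidden.
        return "h" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one Find3M line; return None for separators and other non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["changed"], m["created"], size, m["attrs"], m["path"])


PROGRAM_DIRS = (r"c:\program files", r"c:\program files (x86)")
HEX_TMP_NAME = re.compile(r"^[0-9a-f]{8}\.tmp$", re.IGNORECASE)


def flag_reasons(e: Entry) -> List[str]:
    """Heuristics a helper would apply by eye; each hit is a reason to ask about the file."""
    reasons: List[str] = []
    folder, _, name = e.path.lower().rpartition("\\")
    if e.hidden and not e.is_dir:
        reasons.append("hidden attribute set on a file")
    if folder in PROGRAM_DIRS and not e.is_dir:
        reasons.append("loose file directly under Program Files")
    if HEX_TMP_NAME.match(name):
        reasons.append("random-looking hex .tmp name")
    if e.size is not None and e.size < 1024 and name.endswith(".tmp"):
        reasons.append("tiny .tmp file (%d bytes)" % e.size)
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every entry that trips at least one heuristic."""
    results = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            reasons = flag_reasons(e)
            if reasons:
                results.append((e.path, reasons))
    return results


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, only the 8e37662e.tmp line is reported, with all four reasons; the CCleaner directory under Program Files is not, because the heuristics only look at files. The point is not that a flagged file is malicious (the thread never establishes that) but that it is the one entry whose origin nobody can account for, which is what the helper asks to have identified.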
     
  5. dasher

    dasher TS Rookie Topic Starter

    Sorry, guess you must have missed it. I did run ESET the first time around. It came up clean, so no log. Did take almost 2 hours though.


    By compromises.... As I said, I'm a gamer. I've had people log into my online game accounts, steal everything I had accumulated within the game, and in one instance rack up some charges on my credit card. (Which thankfully was refunded almost immediately).


    As for those 2 entries.... yea, IDK. They both come up "Clean" when scanned, but I have no idea what that tmp file is. No clue on the reg entry either. It's flash related, but beyond that I don't recognize it.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Dasher, do you still need help? I didn't get email feedback for your reply and the thread went over to the second page where I just found it! I am so sorry for the delay.

    Please let me know if problem still there and if you want to continue the help.
     
  7. dasher

    dasher TS Rookie Topic Starter

    Yes and no.

    On the one hand, I just finished building a new PC today. The old one is currently sitting on a shelf, awaiting my next move.

    That being said, I'd still like to find out what was going on with the old one, if for no other reason to prevent it from happening again.

    My best guess at the moment is some sort of rootkit that's very good at hiding.

    My next step was going to be to boot the system to a linux live disk, and see what I could find that way. But if you have any other ideas that might work out better, I'd be happy to hear them.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have reviewed all of the logs and the description of the problem. As I understand it, you have had multiple gaming accounts hacked several times. You think this is due to a rootkit and/or absence of Windows Updates.

    Here's what I see:
    1. Very little security.
      [o]MSE does not do it all. In spite of the MVPs all recommending that the program is a 'do all' and all you need, it doesn't and it isn't.
      [o]You mention having Mbam on the system for a while. If you purchased the full program with Real Time protection, that is good. If you keep the free scan to update and run occasionally, it has no RealTime protection and cannot be considered resident security.
      [o]Spybot was only installed 2011-11-23
    2. Problems with Services:
      [o]Router?
      [o]DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
      [o]DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
      [o]Dependencies
      [o]Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
      [o]Workstation depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
      [o]SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

      I recommend that you review all of your Services HERE.
      In my opinion, there is no better help and information regarding Services than what BlackViper offers with description, safe setting and dependencies. Scroll down to the chart.
    3. Use of Registry Cleaner:
      I do not care for CCleaner, nor do I recommend any registry cleaner. Programs that dabble in the registry frequently mess up valid files. A system does not gain anything compared to the possible damage it can cause.
    4. File Sharing
      You are using at least one file sharing program, uTorrent. Every time you use it, you put the system at risk.
    5. Questionable process:
      I see only one questionable process. I would like you to submit to an online site for identification:
    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: (you only need one)
    VirusTotal
    Jotti

    • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
      Code:
      C:\Program Files (x86)\8e37662e.tmp
      
      [2]. At the upload site, click once inside the window next to Browse.
      [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      [4]. Click on the Upload button.
      This will perform a scan across multiple different virus scanning engines.
      Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      Important: Wait for all of the scanning engines to complete.
      [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
      [6]. Paste the contents of the Clipboard in your next reply.
    =================================
    I don't see anything in the current logs to indicate the presence of malware is compromising the system (other than the possibility of the one unknown entry to be identified).
    Repeated attacks to your accounts would support the fact that your internal security settings may not be restrictive enough and may be allowing processes that have the potential to compromise the safety of the system.