Inactive [A] Malwarebytes - blocked potentially malicious website popup

Status
Not open for further replies.
I also believe I have some malicious drivers on the computer...


this is from the security task manager you had me install on the computer...

do you have a program that can examine my services and drivers
 
Here's what happens according to the Event Viewer when I pull the Ethernet to my modem from my computer out, then plug it back in...

Event Type:Information
Event Source:Tcpip
Event Category:None
Event ID:4202
Date:6/22/2012
Time:8:26:40 PM
User:N/A
Computer:NONE-76AAAFB655
Description:
The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 6a 10 00 40 ....j..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........


Event Type:Warning
Event Source:Dhcp
Event Category:None
Event ID:1003
Date:6/22/2012
Time:8:26:40 PM
User:N/A
Computer:NONE-76AAAFB655
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0015F274321A. The following error occurred:
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...


Event Type:Information
Event Source:Tcpip
Event Category:None
Event ID:4201
Date:6/22/2012
Time:8:26:50 PM
User:N/A
Computer:NONE-76AAAFB655
Description:
The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was connected to the network, and has initiated normal operation over the network adapter.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 69 10 00 40 ....I..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........


Event Type:Information
Event Source:Tcpip
Event Category:None
Event ID:4201
Date:6/22/2012
Time:8:26:54 PM
User:N/A
Computer:NONE-76AAAFB655
Description:
The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was connected to the network, and has initiated normal operation over the network adapter.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 69 10 00 40 ....I..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........


Event Type:Information
Event Source:Tcpip
Event Category:None
Event ID:4202
Date:6/22/2012
Time:8:27:50 PM
User:N/A
Computer:NONE-76AAAFB655
Description:
The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 6a 10 00 40 ....j..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........


Event Type:Warning
Event Source:Dhcp
Event Category:None
Event ID:1003
Date:6/22/2012
Time:8:27:50 PM
User:N/A
Computer:NONE-76AAAFB655
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0015F274321A. The following error occurred:
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: c7 04 00 00 Ç...


and this cycle just repeats every time leaving me connected to the network but with no connection to the internet
 
Here's the ANONYMOUS LOGON log

Event Type:Success Audit
Event Source:Security
Event Category:Logon/Logoff
Event ID:540
Date:6/22/2012
Time:11:53:18 PM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer:NONE-76AAAFB655
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID:(0x0,0x1722E)
Logon Type:3
Logon Process:NtLmSsp
Authentication Package:NTLM
Workstation Name:
Logon GUID:-

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
log on and off and special privileges

Event Type:Success Audit
Event Source:Security
Event Category:Logon/Logoff
Event ID:528
Date:6/22/2012
Time:11:53:17 PM
User:NT AUTHORITY\NETWORK SERVICE
Computer:NONE-76AAAFB655
Description:
Successful Logon:
User Name:NETWORK SERVICE
Domain:NT AUTHORITY
Logon ID:(0x0,0x3E4)
Logon Type:5
Logon Process:Advapi
Authentication Package:Negotiate
Workstation Name:
Logon GUID:-

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:Success Audit
Event Source:Security
Event Category:privilege Use
Event ID:576
Date:6/22/2012
Time:11:53:17 PM
User:NT AUTHORITY\NETWORK SERVICE
Computer:NONE-76AAAFB655
Description:
Special privileges assigned to new logon:
User Name:NETWORK SERVICE
Domain:NT AUTHORITY
Logon ID:(0x0,0x3E4)
Privileges:SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
the failed log on attempt by me (apparently when I was already logged in)

Event Type:Failure Audit
Event Source:Security
Event Category:Account Logon
Event ID:680
Date:6/22/2012
Time:12:26:13 AM
User:NT AUTHORITY\SYSTEM
Computer:NONE-76AAAFB655
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Owner
Source Workstation: NONE-76AAAFB655
Error Code: 0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:Failure Audit
Event Source:Security
Event Category:Logon/Logoff
Event ID:529
Date:6/22/2012
Time:12:26:13 AM
User:NT AUTHORITY\SYSTEM
Computer:NONE-76AAAFB655
Description:
Logon Failure:
Reason:Unknown user name or bad password
User Name:Owner
Domain:
Logon Type:2
Logon Process:Advapi
Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:NONE-76AAAFB655
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
My user is right, must be bad password
 
LOTS OF THESE...

Event Type:Information
Event Source:MsiInstaller
Event Category:None
Event ID:11729
Date:6/22/2012
Time:5:49:48 PM
User:NONE-76AAAFB655\Owner
Computer:NONE-76AAAFB655
Description:
The description for Event ID ( 11729 ) in Source ( MsiInstaller ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Product: Java(TM) 7 Update 5 -- Configuration failed., (NULL), (NULL), (NULL), (NULL), , .
Data:
0000: 7b 32 36 41 32 34 41 45 {26A24AE
0008: 34 2d 30 33 39 44 2d 34 4-039D-4
0010: 43 41 34 2d 38 37 42 34 CA4-87B4
0018: 2d 32 46 38 33 32 31 37 -2F83217
0020: 30 30 35 46 46 7d 005FF}
 
Hope this can help you maybe just understand how whatever is still on my computer is working, if not help to get rid of it...

like I said before I don't know if the things above are very normal or malicious... but my guess is you do. Tell me what you think and if there is anything in the meantime before I get that XP disc and all, that we can do that would be great.

I'll pop on shortly like this tomorrow (if my new EVIL DNS server lets me, I really don't know what I'm talking about), hope to catch you then...

STEALING IT AGAIN...
 
one last thing came to mind

I have multiple spoolsv.exe on my computer

4 to be exact

mostly worried about this one

it's located at - C:\WINDOWS\ERDNT\cache

created Monday, June 11, 2012, 2:31:02 AM
modified Tuesday, August 17, 2010, 9:17:06 AM wtf
accessed Today, June 23, 2012, 2:49:57 AM

from the event viewer

Event Type:Information
Event Source:Service Control Manager
Event Category:None
Event ID:7035
Date:6/23/2012
Time:1:37:34 AM
User:NT AUTHORITY\SYSTEM
Computer:NONE-76AAAFB655
Description:
The Windows Image Acquisition (WIA) service was successfully sent a start control.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:Information
Event Source:Service Control Manager
Event Category:None
Event ID:7036
Date:6/23/2012
Time:1:37:35 AM
User:N/A
Computer:NONE-76AAAFB655
Description:
The Windows Image Acquisition (WIA) service entered the running state.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

In Windows XP, WIA runs in the LocalSystem context. Because of the security ramifications of running a service as LocalSystem whereby a buggy driver or malicious person would have unrestricted access to the system, the WIA service in Windows Server 2003 and Windows Vista operates in the LocalService context. This can result in compatibility issues when using a driver designed for Windows XP.
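Added example, not part of the thread or its posts: a small parser for the "Field:Value" text layout that Windows XP Event Viewer produces when an event is copied, plus a triage step for the Security-log logon events quoted above (540 with an empty user name and NTLM, 680 with error 0xC000006A, 529). The sample input is constructed for the example; only the event IDs, field names and the 0xC000006A code come from the thread.

```python
import re

# Constructed sample (not copied from the thread) in the "Field:Value" layout that
# Windows XP Event Viewer produces when an event is copied as text.
SAMPLE = """Event Type:Success Audit
Event Source:Security
Event ID:540
User:NT AUTHORITY\\ANONYMOUS LOGON
User Name:
Logon Type:3
Authentication Package:NTLM
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:Failure Audit
Event Source:Security
Event ID:680
Logon account: Owner
Error Code: 0xC000006A
Data:
0000: c7 04 00 00 ....
"""

# Lines that carry no field: the help URL and the hex rows under "Data:".
SKIP = re.compile(r"^(For more information|[0-9a-f]{4}: )")

def parse_events(text):
    """One dict per blank-line-separated event; key = text before the first colon."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" in line and not SKIP.match(line):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def triage(ev):
    """Explain the Security-log logon events quoted in the thread; None if not handled."""
    eid, user = ev.get("Event ID"), ev.get("User Name")
    if eid == "540" and ev.get("Authentication Package") == "NTLM" and not user:
        return "anonymous NTLM network logon (null session): routine on XP; review exposed shares"
    if eid == "680" and ev.get("Error Code", "").upper() == "0XC000006A":
        return "wrong password for existing account %s (STATUS_WRONG_PASSWORD)" % ev.get("Logon account")
    if eid == "529":
        return "logon failure (type %s) for %s: %s" % (ev.get("Logon Type"), user, ev.get("Reason"))
    return None
```

Run `for ev in parse_events(SAMPLE): print(ev["Event ID"], triage(ev))` to see one verdict per event; events the triage does not know (7035, 11729, ...) come back as None rather than being guessed at.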
 
Here's the update...

Found someone that can most likely create the disc for me... Might be able to get the logs in a few days,

Till then... see ya
 