Account passwords changing, possible keylogger?


14 replies to this topic

#1 dudewillabide (Members, 30 posts)

Posted 08 February 2010 - 07:21 PM

Greetings everyone at BleepingComputer!

It has been a very long time since we've had a problem, but I know where to go and who to trust as you guys saved us in the past. Hate to bug you folks, but we need your help, and I promise to respond and stay involved....you are not wasting your time.

Initiating problem statement: WOW account password is changing daily which is unusual. Discussion with the WOW folks, yes on the phone, revealed that an IP address originating in China is/was the culprit. So, with that, I don't know the source of the problem. Is the hack originating from my kids pc, or did they hack the WOW server?? It appears that they stole all his chicken bones and wolf feathers too....WOW said they will restore that though..

Sequence of events and actions taken:
This past week I replaced the hard drive, as the old one appeared to have died. This is prior to any known problem.
I installed Vista 32 bit from DVD repair disk, and ran Windows Update.

At this time, I let the wife and kids take over, I got it up and running.... possible critical flaw!

Rather than take the time to install McAfee, and MBAM first..... they installed the following...

WOW, Curse Client, Steam/Valve products and played them. I am sure they went to Youtube and cruised the web too, but I know for a fact no adult sites etc..
The following day McAfee and MBAM were installed.

When attempting to log into WOW, access was denied due to password being changed. We called WOW and discovered that the account was hacked from an IP in China.

We ran MBAM and McAfee anti-virus and found nothing wrong.

Hmmmmm...........

Time to talk to the BleepingComputer folks.

I humbly await your instructions.


#2 dudewillabide, Topic Starter (Members, 30 posts)

Posted 11 February 2010 - 05:56 PM

As an update, we have reset the WOW account password twice, and the account has been suspended for now. Wife on the phone again with Blizzard today.

I am more concerned about the PC being infected than the WOW account to be honest. In the last few days, I've seen my kid seem to enjoy "other things" beyond the PC.

With that said, it does appear that we've been hacked, as someone is using my kids name in chat channels as well. I know this because the wife learned it from Blizzard.

Look forward to getting to the bottom of this issue.

Just wanted to bring everyone up to date.

Thanks in advance....

#3 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 11 February 2010 - 06:20 PM

I am sure they went to Youtube and cruised the web too, but I know for a fact no adult sites etc..

Using MySpace & YouTube can be hazardous to your computer.

Researchers at the CA Security Advisor Research Blog have reported finding MySpace user pages carrying the dangerous Virut url. The Koobface Worm has been found to attack both Facebook and MySpace users. YouTube users have been exploited by the Storm Worm. MSN Messenger, AIM and other Instant Messaging programs are also prone to malware attacks.

Gaming sites are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. They can lead to other sites containing malware which you can inadvertently download without knowledge. Users visiting such sites may encounter innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. For these reasons gaming sites can put you at risk to fraud, phishing and theft of personal data. Even if the gaming site is a clean site, there is always the potential of some type of malware making its way there and then onto your system. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat/reinstall the OS.

...Microsoft Security has issued a research report where it notifies that virus creators are continuously assaulting online video game players...a malicious family of software programs are seeking out popular online computer games such as World of Warcraft, Maple Story, Lineage and several others. According to Microsoft’s seventh Security Intelligence Report, cybercrooks use computer worm parasites for stealing confidential personal information from local computer users through online games, unsecured file sharing and removable disk drives...The most dangerous and prevalent malware involve Taterf and Conficker worms which have infected millions of computer systems worldwide...

Malware Makers Target Online Games to Spread Worms

Microsoft warned video game developers...that their PC games are now a target for criminals...Popular massively multiplayer online games, such as World of Warcraft, have created a market for valuable game identities...Using malware or software designed to infiltrate a computer system, hackers steal account information...

Microsoft warns game developers of cyber thieves

...Gaming sites are becoming a growth area for malware and other security threats. The newer threats are sophisticated and are designed to draw in unsuspecting users...

Game Sites Next Big Malware Target?

The design of online game architecture creates an open door for hackers...hackers and malware hoodlums go where the pickings are easy -- where the crowds gather. Thus, Internet security experts warn game players that they face a greater risk of attack playing games online because few protections exist....traditional firewall and antimalware software applications can't see any intrusions. Game players have no defenses...Online gaming sites are a major distribution vehicle for malware....

MMO Security: Are Players Getting Played?

...Moral of the story?
1. Do not allow online games
2. Block ports used by online games
3. Block sites related to these online games
4. Educate your users...

online game + online trade = Trojan Spy

Security researchers...poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection...Some Trojan Web sites have done what they can do to collect gamers' authentication information so they can loot their characters (and) accounts.

Real Flaws in Virtual Worlds: Exploiting Online Games

...a very significant release for Gamers everywhere with the addition of a variety of password stealers directly targeting Online games. The main targets are mostly based in Eastern Asia (Lineage Online, Legend Of Mir, ZT Online just to name a few), but World of Warcraft and Valve’s Steam client are high on the hit-list too...

Taterf – all your drives are belong to me!

If your computer was hacked and it was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Edited by quietman7, 11 February 2010 - 06:23 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 dudewillabide, Topic Starter (Members, 30 posts)

Posted 12 February 2010 - 10:46 AM

Thanks quietman7, that is a ton of good information.
By reading the post, it appears we've been lucky... and the luck ran out!

I look forward to working with you guys.

TH

#5 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 12 February 2010 - 01:43 PM

Not a problem.

Is your machine clean or do you still need help with disinfection?

#6 dudewillabide, Topic Starter (Members, 30 posts)

Posted 12 February 2010 - 05:01 PM

We still need your assistance. The wife just got off the phone again with Blizzard, and they seem confident that there is a keylogger or something on our PC.

I am frustrated, I just got done talking to the wife and my son regarding safe and sensible PC use. I think they got the message..

The current situation is that there is a new hard drive with very little installed so far. Basically Vista 32, McAfee, Malware Bytes, and some games....and most likely some malicious unwanted virus/hack...

Would it be best to just re-format the hard drive and start over, or is it feasible that we can run some tests and determine if we can clean it up?

Your call, I'll do what is required.

Thank You
th

#7 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 12 February 2010 - 05:20 PM

Reformatting and starting over is always an option and ensures the system is clean...but at this point we really don't know what you are dealing with as it's just speculation. If you want to investigate further, please do the following.

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.

#8 dudewillabide, Topic Starter (Members, 30 posts)

Posted 12 February 2010 - 07:55 PM

quietman7,

This post is coming from an alternate pc, not the one in question. I am thankful for a chair that swivels...LOL

The MBAM log is on the desktop of the other pc, came up clean and I will post it shortly.

The Dr. Web Cureit section has been challenging. The freedrweb link is not currently working, so I went to the alternate at Cnet. That particular download works, but the actual download you get is expired and doesn't scan as it says the license is expired.

I decided to try and update it, but was in safe mode. So, I copied the ftp info and downloaded the executable it was pointing at called launch.exe. It did start (Cureit) in Safe mode and ran, but we ended up getting a blue screen of death which was surprising. I captured the info to some degree, and can find and post it if needed.

Currently, we rebooted in normal mode, and unplugged the internet cable. The scan started using the launch.exe version of Cureit, but has been hung on a file named elxstor.sys, located in C:\windows\system32\drivers\elxstor.sys The pc is still hung on that one file now for at least 10 minutes. We are still in the Express mode of the program.

That is where we are at the moment. I will be checking back here regularly.

Hanging in there..

TH

Edited by dudewillabide, 12 February 2010 - 07:56 PM.


#9 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 12 February 2010 - 08:54 PM

elxstor.sys is a Storport Miniport Driver for LightPulse HBAs.

Cancel the scan and try one or both of these.

Please download Norman Malware Cleaner and save to your desktop.
alternate download link
  • Be sure to read all the information Norman provides on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
Note: For usb flash drives and/or other removable drives to scan, use the Add button to browse to the drives location, click on the drive to highlight and choose Ok.

or

Please download the Kaspersky Virus Removal Tool save to your Desktop.
Be sure to print out and read the instructions provided in How to use Kaspersky virus removal tool.
  • Double-click the setup file (i.e. setup_7.0.0.290_24.06.2009_12-58.exe) to install the utility.
  • If using Vista, right-click on it and Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Click Next to continue.
  • It will install by default to your desktop folder. Click Next.
  • Click Ok at the prompt for scanning in Safe Mode if you booted into safe mode.
  • A box will open with a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.
    • System Memory
    • Startup Objects
    • Disk Boot Sectors
    • My Computer
    • Any other drives (except CD-ROM drives)
  • Click on the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, name the report AVPT.txt and select Save to file.
  • This tool should uninstall when you close it so please save the report log before closing.
  • When done, close the Kaspersky Virus Removal Tool.
  • You will be prompted if you want to uninstall the program. Click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste only the first part of the report (Detected) in your next reply. Do not include the longer list marked Events.
-- If you cannot run the Kaspersky AVP Removal Tool in normal mode, then try using it in "safe mode".

#10 dudewillabide, Topic Starter (Members, 30 posts)

Posted 12 February 2010 - 09:07 PM

Ok, I'll get on that! Still posting from the clean PC as I don't want to log in to BC on the other one just yet.

MBAM report

Malwarebytes' Anti-Malware 1.44
Database version: 3731
Windows 6.0.6000
Internet Explorer 7.0.6000.16982

2/12/2010 3:42:14 PM
mbam-log-2010-02-12 (15-42-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 207596
Time elapsed: 43 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------
BSOD # 1 from Safe Mode with CureIt

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 50
BCP1: 9AD44344
BCP2: 00000000
BCP3: 972EC5DA
BCP4: 00000000
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini021210-01.dmp
C:\Users\Bradley\AppData\Local\Temp\WER-58890-0.sysdata.xml
C:\Users\Bradley\AppData\Local\Temp\WER188E.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409

------------------------------------------------
BSOD # 2 from Normal Mode internet cable unplugged CureIt

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 50
BCP1: AD0F2F41
BCP2: 00000000
BCP3: ABF6C5DA
BCP4: 00000000
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini021210-02.dmp
C:\Users\Bradley\AppData\Local\Temp\WER-60824-0.sysdata.xml
C:\Users\Bradley\AppData\Local\Temp\WER972.tmp.version.txt

Light reading, not sure if it sheds any light at all.

Thanks again for your help, I'll go do the other tasks right now.

TH
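As an added example for the two artifacts posted above (not code from this thread, from Malwarebytes or from Microsoft), here is a small Python triage helper: it parses an MBAM 1.x log in the layout shown, checks that the header portion quietman7 asked for is present, reports any non-zero "Infected" counters with their detail lines, and decodes the BCCode/BCP fields of a Vista WER "Problem signature" block. The sample log is constructed: it reuses the header and counters from the real log but sets one counter to 1 and adds a made-up detection line with a made-up file name so the flagging path is exercised. The name and parameter meaning of bug check 0x50 come from Microsoft's bug check documentation; all function and field names are my own.

```python
import re

# Constructed sample: header and counters copied from the thread's MBAM log, with
# "Files Infected" raised to 1 and one made-up detection line (made-up file name).
SAMPLE_MBAM_LOG = """Malwarebytes' Anti-Malware 1.44
Database version: 3731
Windows 6.0.6000
Internet Explorer 7.0.6000.16982

2/12/2010 3:42:14 PM
mbam-log-2010-02-12 (15-42-14).txt

Scan type: Full Scan (C:\\|)
Objects scanned: 207596
Time elapsed: 43 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\\Users\\example\\AppData\\Local\\Temp\\svchosts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed sample: the WER fields from "BSOD # 1" above, nothing else.
SAMPLE_BSOD = """Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 50
BCP1: 9AD44344
BCP2: 00000000
BCP3: 972EC5DA
BCP4: 00000000
"""

SUMMARY_RE = re.compile(r"^(?P<cat>.+) Infected: (?P<n>\d+)$")   # "Files Infected: 1"
SECTION_RE = re.compile(r"^(?P<cat>.+) Infected:$")              # "Files Infected:" (detail block)
REQUIRED_HEADER = ("Database version", "Windows", "Scan type")   # the "top portion" a helper wants


def parse_mbam_log(text):
    """Return header fields, per-category counters, non-zero categories and their detail lines."""
    header, counts, detections = {}, {}, {}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            section = None          # detail blocks are blank-line separated
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group("cat")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("cat")
            continue
        if section and line != "(No malicious items detected)":
            detections.setdefault(section, []).append(line)
            continue
        if line.startswith("Database version: "):
            header["Database version"] = line.split(": ", 1)[1]
        elif line.startswith("Windows "):
            header["Windows"] = line.split(" ", 1)[1]
        elif line.startswith("Scan type: "):
            header["Scan type"] = line.split(": ", 1)[1]
    return {
        "header": header,
        "missing_header": [f for f in REQUIRED_HEADER if f not in header],
        "counts": counts,
        "hits": {c: n for c, n in counts.items() if n > 0},
        "detections": detections,
    }


BUGCHECK_NAMES = {0x50: "PAGE_FAULT_IN_NONPAGED_AREA"}   # only the code seen in this thread


def parse_bsod_signature(text):
    """Extract BCCode and BCP1-4 from a WER 'Problem signature' block; decode bug check 0x50."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(BCCode|BCP[1-4]): ([0-9A-Fa-f]+)$", line.strip())
        if m:
            fields[m.group(1)] = int(m.group(2), 16)
    code = fields["BCCode"]
    params = [fields[f"BCP{i}"] for i in range(1, 5)]
    result = {"code": code, "name": BUGCHECK_NAMES.get(code, "unknown"), "params": params}
    if code == 0x50:
        # Documented meaning for 0x50: BCP1 = memory address referenced, BCP2 = 0 read / 1 write,
        # BCP3 = address of the instruction that referenced it (if known), BCP4 reserved.
        result["referenced_address"] = params[0]
        result["access"] = "write" if params[1] == 1 else "read"
        result["faulting_instruction"] = params[2]
    return result
```

Both crashes in the thread carry BCP2 = 0, so the decoder reports them as read faults on a non-paged address; that tells you the kind of fault the kernel hit while CureIt was scanning, not whether malware was involved, so the scan logs remain the evidence that matters.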

#11 dudewillabide, Topic Starter (Members, 30 posts)

Posted 12 February 2010 - 10:35 PM

Kaspersky came up with nothing; event started and ended, nothing found.

Text from report:
Autoscan: completed 15 minutes ago (events: 2, objects: 331818, time: 00:28:48)
2/12/2010 6:29:29 PM Task started
2/12/2010 6:58:17 PM Task completed

I am currently running the Norman product....

#12 dudewillabide, Topic Starter (Members, 30 posts)

Posted 12 February 2010 - 11:30 PM

Norman results:

Norman Malware Cleaner
Version 1.6.2
Copyright © 1990 - 2009, Norman ASA. Built 2010/02/11 23:09:08

Norman Scanner Engine Version: 6.04.08
Nvcbin.def Version: 6.04.00, Date: 2010/02/11 23:09:08, Variants: 5025805

Scan started: 12/02/2010 19:28:38

Running pre-scan cleanup routine:
Operating System: Microsoft Windows Vista 6.0.6000
Logged on user: Bradley-PC\Bradley


Scanning bootsectors...

Number of sectors found: 0
Number of sectors scanned: 0
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s


Scanning running processes and process memory...

Number of processes/threads found: 3894
Number of processes/threads scanned: 3894
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 1m 22s


Scanning file system...

Scanning: prescan

Scanning: C:\*.*

C:\System Volume Information\{1cbf97b2-183f-11df-9d63-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{2026193b-11ff-11df-bac9-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{20261944-11ff-11df-bac9-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{2026194a-11ff-11df-bac9-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{2082245b-12a9-11df-b3f2-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{4fe5ec8b-12b0-11df-9618-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{4fe5ec92-12b0-11df-9618-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{4fe5ec98-12b0-11df-9618-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{4fe5ec9f-12b0-11df-9618-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{4fe604ac-12b0-11df-9618-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{51527c1e-11fa-11df-8617-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{51527c24-11fa-11df-8617-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{54ffea48-1822-11df-9e63-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{55a92af7-136e-11df-bf40-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{55a92afd-136e-11df-bf40-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{55a92ba6-136e-11df-bf40-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{56b3e3be-129b-11df-9ca4-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{78b0f08c-1501-11df-ab30-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{9a33b03f-1413-11df-9a18-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{b0e35310-129d-11df-9ca4-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{bd24cdca-1824-11df-9e63-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{bd24cdd1-1824-11df-9e63-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{ec5e2df7-1348-11df-88aa-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{fcab9e5b-11f7-11df-a7c4-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{fcaba14a-11f7-11df-a7c4-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\System Volume Information\{fcaba15b-11f7-11df-a7c4-0019d1a855c4}{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl (Error opening file: Access denied)

C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl (Error opening file: Access denied)

C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl (Error opening file: Access denied)

C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl (Error opening file: Access denied)

C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl (Error opening file: Access denied)

Scanning: postscan


Running post-scan cleanup routine:
Set TCP/IP autotuning to "normal" (or it was already "normal")

Number of files found: 135798
Number of archives unpacked: 349
Number of files scanned: 135746
Number of files not scanned: 52
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 52m 16s

I'm a bit baffled...

Shall I try anything else?

I appreciate your time.

TH
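As an added example for the Norman log above (not code from this thread or from Norman), here is a Python helper that reads a Norman Malware Cleaner log in that layout, pulls out the scan counters, and separates the "Error opening file" lines into ones a triager would expect and ones worth a second look. The sample log is constructed and abridged: the counters and the first two error paths are from the real log, while the third path and its error text are made up to exercise the "unexpected" branch. The list of prefixes treated as expected noise (System Restore data and live ETW trace logs, which a user-mode scanner is normally denied on Vista) is my own triage assumption, not something Norman documents.

```python
import re
from collections import Counter

# Constructed, abridged sample in the layout of the Norman Malware Cleaner log posted above.
# Counters and the first two error lines are real; the third path and its error text are made up.
SAMPLE_NORMAN_LOG = """Norman Malware Cleaner
Version 1.6.2

Scanning running processes and process memory...

Number of processes/threads found: 3894
Number of processes/threads scanned: 3894
Number of infected processes/threads terminated: 0

Scanning file system...

Scanning: C:\\*.*

C:\\System Volume Information\\{3808876b-c176-4e48-b7ae-04046e6cc752} (Error opening file: Access denied)

C:\\Windows\\System32\\LogFiles\\WMI\\RtBackup\\EtwRTDiagLog.etl (Error opening file: Access denied)

C:\\Users\\example\\Downloads\\setup_bundle.exe (Error opening file: Sharing violation)

Number of files found: 135798
Number of files scanned: 135746
Number of files not scanned: 52
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
"""

COUNT_RE = re.compile(r"^Number of (?P<what>.+): (?P<n>\d+)$")
ERROR_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \(Error opening file: (?P<reason>[^)]+)\)$")

# Triage assumption: these locations are routinely unreadable to a user-mode scanner on Vista
# (System Restore data, live ETW trace logs), so errors under them are expected noise.
EXPECTED_DENIED_PREFIXES = (
    "c:\\system volume information\\",
    "c:\\windows\\system32\\logfiles\\wmi\\rtbackup\\",
)


def parse_norman_log(text):
    """Return scan counters, every file-open error, and the errors outside the expected set."""
    counts = {}
    errors = []
    for line in text.splitlines():
        line = line.rstrip()
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("what")] = int(m.group("n"))
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((m.group("path"), m.group("reason")))
    unexpected = [(p, r) for p, r in errors
                  if not p.lower().startswith(EXPECTED_DENIED_PREFIXES)]
    return {
        "infected_files": counts.get("infected files found", 0),
        "infected_processes": counts.get("infected processes/threads terminated", 0),
        "files_scanned": counts.get("files scanned", 0),
        "not_scanned": counts.get("files not scanned", 0),
        "errors": errors,
        "by_reason": Counter(reason for _, reason in errors),
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    summary = parse_norman_log(SAMPLE_NORMAN_LOG)
    print(f"infected files: {summary['infected_files']}, not scanned: {summary['not_scanned']}")
    for path, reason in summary["unexpected"]:
        print(f"check manually: {path} ({reason})")
```

The point of splitting the errors this way is that "Number of files not scanned: 52" on its own looks alarming, while the listed paths show most of the skips are protected system locations; only files the scanner could not open outside those locations need a manual look.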

#13 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 13 February 2010 - 12:13 AM

I don't see any sign of infection on the computer. Usually when a machine is infected there will be other signs/symptoms...i.e. slow computer, poor performance, browser redirects.

However, there are other ways for attackers to get information when you're using the Internet. Please read How Malware Spreads - How did I get infected.

Edited by quietman7, 13 February 2010 - 12:14 AM.


#14 dudewillabide, Topic Starter (Members, 30 posts)

Posted 13 February 2010 - 10:06 AM

Thanks quietman7,

I've been reading up on all this stuff....

We haven't seen a performance gap that I know of. If the account gets compromised again, I believe I will do a complete re-install. In fact, now that I think about the time I spent last night, I could have done a full re-load! HA!

One thing I didn't try was to boot from CD, then run the scans... I read about the rootkit stuff, and that seems like the most difficult to catch.. however, like you said.. no performance changes..

Ok, well the coffee pot seems to be making me some fresh brew...argghhhh so begins another day.

Just to play it safe, I am going to just spend a few hours doing a fresh re-install of the OS and then the protection software. That appears to be the only guarantee out there, and the PC hasn't been loaded up with tons of software yet.

If you don't mind, keep this thread open for another day or two. I'll post back if I find anything.

Thanks again..

th

#15 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 13 February 2010 - 11:18 AM

You're welcome and good luck.