Cannot get rid of this thing!!



#1 bigrobifer


Posted 04 July 2014 - 01:56 AM

So after nuking with DBAN (twice actually, with a total of 6 passes, and one round did a verify after each pass) I reinstalled Win 7 and sure enough I still have SMB server activity and the Print Spooler coming out of disablement, plus other stuff. I looked up one time and had a VPN going on. There's also a blinking cursor on the top left of my screen during POST and at the BIOS Esc option when my computer starts. HP won't give me an answer, nor Windows, now Computrace. I ran Unhide and Show Hidden and both came back with strange results. I've gone through the malware forum here and it couldn't be resolved. Something is connecting to me using legit system services but starts doing things I don't use or do, and it tricks the OS and everything else I throw at it. I tried debugging the internal hypervisor but couldn't find the log file afterwards; can't find the log file for boot logs either. My guess is these are being erased and not simply hidden. But I am able to make temporary changes which don't immediately go back, SO..

I downloaded Visual Studio and the Windows kernel debugging tools. I have zero experience with writing code and would really appreciate it if someone takes an interest in whatever type of rootkit this is, what it's doing and how, and hopefully helps me figure out how I can remove it.




#2 hamluis


Posted 04 July 2014 - 11:14 AM

 

Here's the logs. What do I do about the zipped MBR log? There's also an mbr.dat that I didn't see before the random reboot just now.

I got all the information I needed.

You can delete the zipped MBR log and the mrb.dat file.
Your Master Boot Record is good.

===

This computer is clean of malware.


In light of the above...I believe that you should stop asserting that malware is present.


This forum, the Win 7 forum, does not address malware issues...the chief forum which does address such here at BC...says there is no malware.  Continuously asserting that there is...just proves to be a distraction among the data which you post which is supposed to assist members in assisting you.


Follow the instructions as written, please...do not post any logs, etc. which you may be inclined to add.

Please download MiniToolBox, save it to your desktop and run it.  Checkmark the following checkboxes:
  List last 10 Event Viewer log
  List Installed Programs
  List Users, Partitions and Memory size.

Click Go and paste the content into your next post.

Also...please Publish a Snapshot using Speccy - http://www.bleepingcomputer.com/forums/topic323892.html/page__p__1797792#entry1797792 , taking care to post the link of the snapshot in your next post.

Louis



#3 bigrobifer


Posted 04 July 2014 - 12:26 PM

http://speccy.piriform.com/results/n7dAEXETw8QRGjcDutSoATI

 

MiniToolBox by Farbar  Version: 25-06-2014
Ran by Jenny (administrator) on 04-07-2014 at 00:01:48
Running from "C:\Users\Jenny\Desktop\Tools"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (07/03/2014 11:59:11 PM) (Source: PerfNet) (User: )
Description: 
 
Error: (07/03/2014 11:51:11 PM) (Source: PerfNet) (User: )
Description: 
 
Error: (07/03/2014 11:43:11 PM) (Source: PerfNet) (User: )
Description: 
 
Error: (07/03/2014 11:37:11 PM) (Source: PerfNet) (User: )
Description: 
 
Error: (07/03/2014 11:35:04 PM) (Source: PerfNet) (User: )
Description: 
 
Error: (07/03/2014 09:18:48 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/03/2014 05:00:29 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/03/2014 03:08:23 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/03/2014 11:58:02 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/03/2014 10:11:13 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (07/03/2014 11:11:33 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1058
 
Error: (07/03/2014 11:11:33 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1058
 
Error: (07/03/2014 11:11:33 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1058
 
Error: (07/03/2014 11:09:25 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1058
 
Error: (07/03/2014 11:09:25 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1058
 
Error: (07/03/2014 11:09:25 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1058
 
Error: (07/03/2014 11:04:25 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1058
 
Error: (07/03/2014 11:04:25 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1058
 
Error: (07/03/2014 11:04:25 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1058
 
Error: (07/03/2014 11:02:19 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1058
 
 
Microsoft Office Sessions:
=========================
Error: (07/03/2014 11:59:11 PM) (Source: PerfNet)(User: )
Description: 
 
Error: (07/03/2014 11:51:11 PM) (Source: PerfNet)(User: )
Description: 
 
Error: (07/03/2014 11:43:11 PM) (Source: PerfNet)(User: )
Description: 
 
Error: (07/03/2014 11:37:11 PM) (Source: PerfNet)(User: )
Description: 
 
Error: (07/03/2014 11:35:04 PM) (Source: PerfNet)(User: )
Description: 
 
Error: (07/03/2014 09:18:48 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/03/2014 05:00:29 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/03/2014 03:08:23 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/03/2014 11:58:02 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/03/2014 10:11:13 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
 
=========================== Installed Programs ============================
 
========================= Memory info: ===================================
 
Percentage of memory in use: 53%
Total physical RAM: 3001.89 MB
Available physical RAM: 1404.01 MB
Total Pagefile: 6001.96 MB
Available Pagefile: 4072.52 MB
Total Virtual: 4095.88 MB
Available Virtual: 3987.45 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:260.65 GB) (Free:227.15 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:13.92 GB) (Free:1.73 GB) NTFS
4 Drive f: (New Volume) (Fixed) (Total:23.22 GB) (Free:23.13 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\JENNY-HP
 
Administrator            Guest                    Jenny                    
 
 
**** End of log ****
 
 
 
Still can't upload files to this site. I was asking in my post for assistance in kernel debugging, not malware. If I think malware is the root cause, that's not the same. I have funny stuff going on, like the Remote Registry service coming out of disablement from time to time. Whatever it is is tricking everything I scan, which isn't surprising since it's even fooling the Windows protection service.
Somehow (I admit it must be my own fault) something gained access to the unactivated LoJack, and I was asking for help in debugging the kernel with WSDK since I can't get any kind of boot logs. None of the scheduled activities input into Task Manager go through. There are files which I normally wouldn't try to peek at with Notepad, but no matter what I do in taking ownership and changing permissions I'm still denied access; even if I try to temporarily deny TrustedInstaller or the system admin, I can't get into some files.


#4 hamluis


Posted 04 July 2014 - 01:54 PM

Since this appears to be an HP laptop...why did you not simply use the restore-to-factory-defaults option?

What media did you use to install Win 7 from?

There appear to be no hardware situations contributing to your situation.

The fact that your install was done yesterday...IMO points to using a flawed method/media for reinstalling Win 7.

Louis



#5 bigrobifer


Posted 05 July 2014 - 12:32 PM

This is what I did recently, just before I started this thread. I called HP and since the OS was preinstalled they did a courtesy and sent me a 3-disc reinstall package: 2 discs for the OS and 1 for the HP drivers and programs. I ran Show Hidden right after the install with nothing downloaded/installed but CCleaner, Speccy and Google, all three downloaded from Piriform. Then I came here and downloaded a lot of things, but other than Google and CCleaner nothing was installed, not even antivirus, and I still haven't run CCleaner so the registry was the same when I did this; still haven't had reason to do this. I use CCleaner as an easy way to manage startup programs and uninstalled some of the bloatware. I disconnected from the internet and ran Show Hidden. Please tell me if these results look normal.

The 100 GB F drive was my doing also. There are some unusual arguments inside Task Manager; I can send you a screenshot if you want. And before the newly installed OS, I booted into the alternate shell and ran these commands: tasklist --- taskkill /smss. This attempt to kill the Session Manager resulted in a warning that said the System process was child to it. I know smss is needed and the system should've shut down the way it did when I tried other shutdowns like that, but is it normal for the System process to be child to another process?


Show Hidden by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
Show Hidden will display all hidden folders on your computer.
You can use the -f argument to display hidden files as well.
 
Program started at: 07/03/2014 12:06:05 PM
Windows Version: Windows 7
 
Please be patient while your hard drives are scanned.
 
Scanning the C:\ drive
 
 
Finished scanning the C:\ drive. 127 hidden items found.
 
Scanning the D:\ drive
 
 * D:\$RECYCLE.BIN
 * D:\$RECYCLE.BIN\S-1-5-21-693182152-2382006718-139813664-1000
 * D:\boot
 * D:\FactoryUpdate
 * D:\hp
 * D:\preload
 * D:\recovery\system32
 * D:\recovery\system32\Recovery
 * D:\recovery\WindowsRE
 * D:\RM_Reserve
 * D:\System Volume Information
 
Finished scanning the D:\ drive. 11 hidden items found.
 
Scanning the F:\ drive
 
 * F:\$RECYCLE.BIN
 * F:\$RECYCLE.BIN\S-1-5-21-693182152-2382006718-139813664-1000
 * F:\System Volume Information
 
Finished scanning the F:\ drive. 3 hidden items found.
 
Program finished at: 07/03/2014 12:06:49 PM
Execution time: 0 hours(s), 0 minute(s), and 43 seconds(s)


#6 sflatechguy


Posted 05 July 2014 - 01:20 PM

The "The Computer Browser service depends on the Server service which failed to start because of the following error: %%1058" system error is occurring because a service that is set to automatically start is not starting. Is your computer connected to a workgroup? The Computer Browser service searches for workgroups and domains, and displays them when you open Windows Explorer.

Here's how to fix that: http://support.microsoft.com/default.aspx?scid=kb;[LN];241584

The 0x80041003 bugcheck under Application and Microsoft Office logs can be fixed here: http://support.microsoft.com/default.aspx?scid=kb;en-US;2545227

Other than that, I don't really see anything unusual.


Edited by sflatechguy, 05 July 2014 - 01:21 PM.
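Two things a defender would check after the dependency error above and the earlier reports of services leaving the Disabled state, as an added PowerShell example that is not from the thread or from either poster: walk the Browser -> LanmanServer dependency chain, pull Service Control Manager event 7040 (start-type changes), and diff every service's start mode against a saved baseline. The service names and the Win32_Service / Get-WinEvent calls are standard Windows; the baseline CSV path is an assumed location.

```powershell
# Added example, not part of the thread. Assumes Windows 7 or later with
# PowerShell 2.0 or newer, run from an elevated prompt.

function Get-ServiceChain {
    # Walks the ServicesDependedOn chain of a service so the link that is
    # stopped or disabled becomes visible (Browser -> LanmanServer -> ...).
    param([string]$Name, [int]$Depth = 0)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
    New-Object PSObject -Property @{
        Service   = ('  ' * $Depth) + $svc.Name
        Status    = $svc.Status
        StartMode = $wmi.StartMode      # Auto, Manual or Disabled
        Account   = $wmi.StartName
        Path      = $wmi.PathName
    }
    foreach ($dep in $svc.ServicesDependedOn) {
        Get-ServiceChain -Name $dep.Name -Depth ($Depth + 1)
    }
}

function Get-StartTypeChanges {
    # Event 7040 from the Service Control Manager is written on every
    # start-type change ("from disabled to auto start", etc.). Its timestamp
    # and the account SID recorded on the event (when present) let you tie a
    # change to an installer, a Group Policy refresh or Windows Update rather
    # than guessing.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, UserId, Message
}

function Save-ServiceBaseline {
    # Snapshot of every service's start mode, to diff against later.
    param([string]$Path)
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, StartMode, State, StartName, PathName |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceBaseline {
    # Lists services whose StartMode differs from the saved baseline, plus
    # services that appeared ("=>") or vanished ("<=") since it was taken.
    param([string]$Path)
    $old = Import-Csv -Path $Path
    $new = Get-WmiObject -Class Win32_Service |
        Select-Object Name, StartMode, State, StartName, PathName
    Compare-Object -ReferenceObject $old -DifferenceObject $new `
        -Property Name, StartMode -PassThru |
        Select-Object Name, StartMode, State, StartName, PathName, SideIndicator
}

# Usage: Computer Browser's chain first, then recent start-type changes.
Get-ServiceChain -Name 'Browser' | Format-Table Service, Status, StartMode, Account -AutoSize
Get-StartTypeChanges | Format-List
# Save-ServiceBaseline -Path "$env:USERPROFILE\services-baseline.csv"   # assumed path
# Compare-ServiceBaseline -Path "$env:USERPROFILE\services-baseline.csv"
```

A service shown as Disabled in the chain explains the %%1058 (ERROR_SERVICE_DISABLED) message directly; a 7040 event with no matching install or policy activity is what deserves a closer look.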


#7 bigrobifer


Posted 05 July 2014 - 03:00 PM

I am currently using VHash with my own API key to investigate legit files inside the System32 and SysWOW64 folders.

I am not supposed to be a part of any workgroups or homegroups; funny, since both the HomeGroup services were starting on their own. I wrote a .bat file to disable UAC, reset permissions, reset the cmd and load DOS into high memory, and delete Computrace files. At the moment I am looking into the wbem folder. Will post anything I find. I have a question though about the Windows protection module: if a Windows file is modified so that it contains malicious or foreign code, will that break its signature or will it still appear as legit? And if this is the case, then could the service responsible for signature verification also be corrupted in the same manner, like SFC?



#8 sflatechguy


Posted 05 July 2014 - 03:27 PM

System files are overwrite protected, which prevents them from being modified. Windows will only allow these files to be replaced by files that have authentic signatures. So it wouldn't affect system file scan. And if the file were to be modified somehow, that would change the file's signature.

 

Even if you aren't part of a homegroup, the default setting for Computer Browser is to start automatically. If you're worried about exposing your system, just turn off the file sharing feature.

 

If I read your post right, you've turned off User Account Control? That's never a good idea.

 

And how did Computrace end up on your system? It's used by companies to track devices and data.
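A defender-side check for the two questions in this exchange (which service the Computer Browser depends on, and whether a modified system file still shows a valid signature), as an added PowerShell example that is not part of the thread. It assumes Windows PowerShell 3.0 or later and the service names Browser and LanmanServer; it is read-only and changes nothing.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 3.0+.
# Run from an elevated prompt; read-only, changes nothing.

# 1. Service dependency check. The Computer Browser service ('Browser')
#    requires the Server service ('LanmanServer'); if the latter is
#    Disabled, Browser cannot start and the system log shows error 1058.
function Get-ServiceDependencyReport {
    param([string]$Name = 'Browser')
    $svc = Get-Service -Name $Name -ErrorAction Stop
    # Win32_Service carries the start mode (Auto/Manual/Disabled) on
    # PowerShell versions that predate Get-Service's StartType property.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    [PSCustomObject]@{
        Service          = $svc.Name
        Status           = $svc.Status
        StartMode        = $wmi.StartMode
        RequiredServices = ($svc.RequiredServices | ForEach-Object {
            $dep = Get-WmiObject -Class Win32_Service -Filter "Name='$($_.Name)'"
            "$($_.Name) [$($_.Status), $($dep.StartMode)]"
        }) -join ', '
    }
}

# 2. Signature check. Any byte change to a signed PE invalidates its
#    Authenticode signature, so a tampered file reports HashMismatch,
#    never Valid. Caveat: most in-box Windows binaries are catalog-signed
#    rather than embedded-signed; on Windows 7 era PowerShell they report
#    NotSigned even when intact, so treat only HashMismatch as evidence
#    of tampering and use 'sfc /verifyonly' as the authoritative check.
function Get-SuspectSystemFiles {
    param(
        [string]$Path   = "$env:SystemRoot\System32",
        [string]$Filter = '*.dll'
    )
    Get-ChildItem -Path $Path -Filter $Filter -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object @{ n = 'File'; e = { $_.Path } }, Status, StatusMessage
}

Get-ServiceDependencyReport -Name 'Browser' | Format-List
Get-SuspectSystemFiles |
    Where-Object { $_.Status -eq 'HashMismatch' } |
    Format-Table -AutoSize
```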



#9 bigrobifer

bigrobifer
  • Topic Starter

  • Members
  • 92 posts
  • Local time:04:53 AM

Posted 05 July 2014 - 10:02 PM

There's LoJack code inside the BIOS. I knew this from the first but didn't think of it till I started reading about it when these things started happening. I never activated the LoJack though, so it shouldn't have been on. I was under the impression that the win32k.sys (the virus one that I was helped to remove) that was on here had activated the LoJack and was using that as a means of persistence and detection avoidance. After further reading today I see there is a possibility that it's related to a recent IE 11 update whereby there's a domain created, which could be the source of the line of attack I was under, which is why and how I finally am at the point where the suspects are wbem and hpwmiscv. So I'm gonna uninstall or perma-disable IE and undo the updates for it.

I only had the UAC off while I ran the bat files, rebooted, ran it again, rebooted and then turned the UAC back on. I did that because I got the impression at first that my user profile was being virtualized by software, since I don't have hardware ability for this. That was ruled out as the main culprit, but since I haven't been able to access the cbs.log files, and there were file sharing services starting (before I realized there were file sharing ports opened), and I was continuously being placed as a homegroup provider against my user settings, I was under the very distinct and strong impression of remote access happening. Added to the fact that the remote desktop services (7 different services in all, not counting the two I need to have running) and the print spool were running and coming out of a disabled state... What else am I supposed to think? I'm pretty sure the helper guys here at Bleeping Computer know what they are talking about when they say it's not malware, and I know I've followed red herrings in searching this out as I'm not very skilled technically. But at the same time I know the remote registry, one example, shouldn't be coming on for any reason related to my activities.

Since I ran the bat file none of these mentioned services have come on.



#10 sflatechguy

sflatechguy

  • BC Advisor
  • 2,226 posts
  • Gender:Male
  • Local time:06:53 AM

Posted 05 July 2014 - 10:26 PM

You seem to have a number of services and processes on your computer that are normally associated with corporate anti-theft and monitoring systems -- LoJack, Computrace, even WBEM (Web-based Enterprise Management).
The problem isn't malware -- malware wouldn't activate pre-existing LoJack code. The problem is all the anti-theft monitoring systems on the computer. Did you buy this system recently? Where did this computer come from?

#11 bigrobifer

bigrobifer
  • Topic Starter

  • Members
  • 92 posts
  • Local time:04:53 AM

Posted 06 July 2014 - 12:09 AM

I am so glad to finally have confirmation of what my suspicions were. After the initial tech guy here gave me the all clear, even while I was having some of the same problems, I kinda panicked a little. After sludging through all the muck about the anti-theft systems I came to the conclusion, which I now see as most likely wrong, that the anti-theft system came under remote control during the winsys infection. I really thought I had pushed it a little too much about insisting I had malware and would get blocked from the forum (to any mods, thank you for your site's patience with me). I still don't entirely discount the option of this problem being taken advantage of by a malicious attacker, but if so the solution isn't antimalware but disabling and removing legit stuff that I don't want and shouldn't have anyway for the way I use my computer. There was a discussion about the advapi.exe being started automatically after the installation of a Microsoft update KD2929437. Here's the link on the MS community I found on this.

http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/erniesitelist-and-ernieuserlist/00407bd2-e349-423c-a8e5-cb6127840ea5

As far as "all the antitheft monitoring systems", I don't have a clue. LoJack came preinstalled but I never used it, and as the linked conversation shows, wbem came with that update. So after three weeks of this bs I find Microsoft at the bottom of my problems lol. Or you could say it's my fault for not knowing what h3ll I'm doing lol. Thanks for your help in explaining.



#12 Twitterfollower

Twitterfollower

  • Members
  • 14 posts
  • Local time:05:53 AM

Posted 09 July 2014 - 12:02 PM

I would suggest you try Norton Power Eraser, a free tool to remove viruses. Visit the following link to know more about this: https://support.norton.com/sp/en/us/threat-removal-solutions/current/info


