
Diab Soule

Members, 7 posts
Posts posted by Diab Soule

  1. Here I have a ComboFix log, if that is needed to review first.

     

    ComboFix 14-08-19.01 - Timelord 08/20/2014  19:06:54.13.2 - x64
    Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1900.852 [GMT -5:00]
    Running from: c:\users\Timelord\Desktop\more ing time pent on security issues tuesday\ComboFix.exe
    AV: ESET Smart Security 7.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
    FW: ESET Personal firewall *Enabled* {211E1E8B-C9F9-A04B-6D84-BC85190CE5F2}
    SP: ESET Smart Security 7.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     * Resident AV is active
    .
    .
    .
    (((((((((((((((((((((((((   Files Created from 2014-07-21 to 2014-08-21  )))))))))))))))))))))))))))))))
    .
    .
    2014-08-21 00:19 . 2014-08-21 00:19    --------    d-----w-    c:\users\Timelord\AppData\Local\temp
    2014-08-21 00:19 . 2014-08-21 00:19    --------    d-----w-    c:\users\Public\AppData\Local\temp
    2014-08-21 00:19 . 2014-08-21 00:19    --------    d-----w-    c:\users\DefaultAppPool\AppData\Local\temp
    2014-08-21 00:19 . 2014-08-21 00:19    --------    d-----w-    c:\users\Default\AppData\Local\temp
    2014-08-19 21:53 . 2014-08-20 14:17    --------    d-----w-    c:\users\Timelord\AppData\Local\gtk-2.0
    2014-08-17 08:02 . 2014-08-17 08:02    699568    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
    2014-08-17 08:01 . 2014-08-17 08:01    71344    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-08-16 20:19 . 2014-08-20 23:04    122584    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-08-16 20:18 . 2014-05-12 12:26    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
    2014-08-16 20:18 . 2014-05-12 12:26    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
    2014-08-16 20:18 . 2014-05-12 12:25    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
    2014-08-16 20:18 . 2014-08-20 14:19    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
    2014-08-14 21:04 . 2014-08-20 01:08    --------    d-----w-    c:\users\Timelord\Synfig
    2014-08-14 20:57 . 2014-08-14 21:03    --------    d-----w-    c:\program files (x86)\Synfig
    2014-08-14 08:07 . 2014-08-14 08:07    --------    d-----w-    c:\program files (x86)\Common Files\Java
    2014-08-14 08:06 . 2014-07-25 17:55    98216    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2014-08-13 04:10 . 2014-03-09 21:48    171160    ----a-w-    c:\windows\system32\infocardapi.dll
    2014-08-13 04:10 . 2014-03-09 21:48    1389208    ----a-w-    c:\windows\system32\icardagt.exe
    2014-08-13 04:10 . 2014-03-09 21:47    99480    ----a-w-    c:\windows\SysWow64\infocardapi.dll
    2014-08-13 04:10 . 2014-03-09 21:47    619672    ----a-w-    c:\windows\SysWow64\icardagt.exe
    2014-08-13 04:10 . 2014-06-30 22:24    8856    ----a-w-    c:\windows\system32\icardres.dll
    2014-08-13 04:10 . 2014-06-30 22:14    8856    ----a-w-    c:\windows\SysWow64\icardres.dll
    2014-08-13 04:09 . 2014-06-06 06:16    35480    ----a-w-    c:\windows\SysWow64\TsWpfWrp.exe
    2014-08-13 04:09 . 2014-06-06 06:12    35480    ----a-w-    c:\windows\system32\TsWpfWrp.exe
    2014-08-13 04:06 . 2014-06-25 02:05    14175744    ----a-w-    c:\windows\system32\shell32.dll
    2014-08-13 03:11 . 2014-08-13 03:11    --------    d-----w-    c:\program files (x86)\ESET
    2014-08-10 14:59 . 2014-08-10 14:59    --------    d-----w-    c:\program files\ESET
    2014-08-07 00:30 . 2014-08-07 00:30    --------    d-----w-    c:\program files (x86)\Common Files\Real
    2014-08-06 08:17 . 2014-08-20 22:37    --------    d-----w-    c:\windows\system32\wbem\repository
    2014-08-01 00:19 . 2014-08-20 14:17    --------    d-----w-    c:\windows\system32\catroot2
    2014-07-30 23:52 . 2014-08-07 00:30    --------    d-----w-    c:\program files (x86)\Best Buy Digital Music Store Powered by Rhapsody
    2014-07-30 22:19 . 2014-07-31 21:55    --------    d-----w-    c:\users\Timelord\AppData\Roaming\SanDisk
    2014-07-30 22:09 . 2014-07-30 22:14    --------    d-----w-    c:\program files (x86)\Best Buy Rhapsody
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-08-20 19:21 . 2014-07-16 20:04    36456    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
    2014-08-13 04:24 . 2012-03-05 02:39    99218768    ----a-w-    c:\windows\system32\MRT.exe
    2014-06-23 20:57 . 2012-06-13 23:09    736952    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2014-06-23 20:57 . 2012-06-13 23:08    2876528    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2014-06-23 20:57 . 2012-06-13 23:08    42168    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2014-06-18 02:18 . 2014-07-09 04:13    692736    ----a-w-    c:\windows\system32\osk.exe
    2014-06-18 01:51 . 2014-07-09 04:13    646144    ----a-w-    c:\windows\SysWow64\osk.exe
    2014-06-06 10:10 . 2014-07-09 04:13    624128    ----a-w-    c:\windows\system32\qedit.dll
    2014-06-06 09:44 . 2014-07-09 04:13    509440    ----a-w-    c:\windows\SysWow64\qedit.dll
    2014-06-05 14:45 . 2014-07-09 04:09    1460736    ----a-w-    c:\windows\system32\lsasrv.dll
    2014-06-05 14:26 . 2014-07-09 04:09    22016    ----a-w-    c:\windows\SysWow64\secur32.dll
    2014-06-05 14:25 . 2014-07-09 04:09    96768    ----a-w-    c:\windows\SysWow64\sspicli.dll
    2014-06-03 06:28 . 2014-06-03 06:18    181064    ----a-w-    c:\windows\PSEXESVC.EXE
    2014-05-30 08:08 . 2014-07-09 04:13    210944    ----a-w-    c:\windows\system32\wdigest.dll
    2014-05-30 08:08 . 2014-07-09 04:13    86528    ----a-w-    c:\windows\system32\TSpkg.dll
    2014-05-30 08:08 . 2014-07-09 04:13    340992    ----a-w-    c:\windows\system32\schannel.dll
    2014-05-30 08:08 . 2014-07-09 04:13    314880    ----a-w-    c:\windows\system32\msv1_0.dll
    2014-05-30 08:08 . 2014-07-09 04:13    307200    ----a-w-    c:\windows\system32\ncrypt.dll
    2014-05-30 08:08 . 2014-07-09 04:13    728064    ----a-w-    c:\windows\system32\kerberos.dll
    2014-05-30 08:08 . 2014-07-09 04:13    22016    ----a-w-    c:\windows\system32\credssp.dll
    2014-05-30 07:52 . 2014-07-09 04:13    172032    ----a-w-    c:\windows\SysWow64\wdigest.dll
    2014-05-30 07:52 . 2014-07-09 04:13    65536    ----a-w-    c:\windows\SysWow64\TSpkg.dll
    2014-05-30 07:52 . 2014-07-09 04:13    247808    ----a-w-    c:\windows\SysWow64\schannel.dll
    2014-05-30 07:52 . 2014-07-09 04:13    220160    ----a-w-    c:\windows\SysWow64\ncrypt.dll
    2014-05-30 07:52 . 2014-07-09 04:13    259584    ----a-w-    c:\windows\SysWow64\msv1_0.dll
    2014-05-30 07:52 . 2014-07-09 04:13    550912    ----a-w-    c:\windows\SysWow64\kerberos.dll
    2014-05-30 07:52 . 2014-07-09 04:13    17408    ----a-w-    c:\windows\SysWow64\credssp.dll
    2014-05-30 06:45 . 2014-07-09 04:13    497152    ----a-w-    c:\windows\system32\drivers\afd.sys
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes Anti-Exploit"="c:\program files (x86)\Malwarebytes Anti-Exploit\mbae.exe" [2014-06-04 382608]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 73216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 DirMngr;DirMngr;c:\users\Timelord\Downloads\GnuPG\dirmngr.exe;c:\users\Timelord\Downloads\GnuPG\dirmngr.exe [x]
    R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
    R3 efavdrv;efavdrv;c:\windows\system32\drivers\efavdrv.sys;c:\windows\SYSNATIVE\drivers\efavdrv.sys [x]
    R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys;c:\program files\PeerBlock\pbfilter.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]
    R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]
    R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R4 Live Updater Service;Live Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe [x]
    S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfp.sys [x]
    S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
    S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys;c:\windows\SYSNATIVE\DRIVERS\EpfwLWF.sys [x]
    S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [x]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
    S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [x]
    S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [x]
    S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
    S2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [x]
    S2 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
    S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
    S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x]
    S3 SystemExplorerHelpService;System Explorer Service;c:\program files (x86)\System Explorer\service\SystemExplorerService64.exe;c:\program files (x86)\System Explorer\service\SystemExplorerService64.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    iissvcs    REG_MULTI_SZ       w3svc was
    apphost    REG_MULTI_SZ       apphostsvc
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Power Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2011-05-10 1831528]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2014-02-24 5581888]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://acer.msn.com
    mDefault_Page_URL = hxxp://www.google.com
    IE: Translate Selection - c:\program files (x86)\TGF Interactive\Translate Genius\ContextMenu.htm
    Trusted Zone: rhapsody.com\rhap-app-4-0
    Trusted Zone: rhapsody.com\rhapreg
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{B3917305-A200-44C0-9D84-D55943D066B9}: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\Timelord\AppData\Roaming\Mozilla\Firefox\Profiles\6qad75db.default\
    FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
       00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    Completion time: 2014-08-20  19:24:38
    ComboFix-quarantined-files.txt  2014-08-21 00:24
    ComboFix2.txt  2014-08-13 01:08
    ComboFix3.txt  2014-04-17 01:15
    ComboFix4.txt  2014-03-26 02:56
    ComboFix5.txt  2014-08-21 00:04
    .
    Pre-Run: 22,071,640,064 bytes free
    Post-Run: 21,599,277,056 bytes free
    .
    - - End Of File - - F88DB7EEC22BF5A91767AF0E1A6ED71C
     

  2. I ran RogueKiller on the problem. Now I am unable to use Security when I go into Properties. TrustedInstaller is locking me out of any kind of mod and/or regenerates itself hidden, effectively keeping me from doing a complete re-install with all traces removed. Tried taking ownership.........SURVEY SAYS.......baaaaah X. Changing permissions..........SURVEY SAYS........baaaaaaaaaaaah X. Need a correct answer or strike 3. lol........Need any type of logs?

  3. When I ran RogueKiller it picked up some registry problems that were disabling things. Information I have gathered from others having the same issues is that it may be a registry edit virus and/or asterisk logger trying to nab my passwords. I am also getting the message: ERROR communicating with Kernel! I tried using ESET's solution but it didn't help.

     

     [HKLM\SOFTWARE\Microsoft\Windows Defender]
     "DisableAntiSpyware" = dword:00000001..........................example

     

    Today when I log on Windows Media Center has made its way to my tray and is running.

    Starts in: %windir%\ehome

    Target: %windir%\ehome\ehshell.exe

     

    Is this a known issue? I haven't done anything concerning Windows Media Center, and it was not there last night. I am just trying to be thorough while learning as much as I can, so please don't think I am not paying attention to what others with more knowledge than myself are saying.
     

  4. Hello,

     I have tried all I know to do before seeking help. My HIPS log contains the following:

     

    8/12/2014 9:55:34 PM    C:\Windows\System32\services.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TrustedInstaller\Start    allowed    Automatic mode  

     

    8/12/2014 10:03:36 PM    C:\Windows\System32\services.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\efavdrv\Start    allowed    Automatic mode  

     

    8/12/2014 10:40:08 PM    C:\Windows\System32\services.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MBAMSwissArmy\Start    allowed    Automatic mode  

     

    You get the idea, I'm sure. ANY help greatly appreciated! Just direct me as to what I need to do on my end. Thanks in advance.
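An added editor's example, not code from these posts or from ESET or Malwarebytes: the HIPS entries in post 4 all record a process changing the `Start` value of a service, and the registry snippet in post 3 shows a DWORD that turns a protection feature off. The script below parses HIPS lines in that shape (tab- or multi-space separated) and flags changes to the `Start` value of security-relevant services, scoring them higher when the actor is not `services.exe`, and scans a REGEDIT4-style snippet for `Disable*` values set to non-zero. The sample log lines and the `.reg` snippet are constructed to mirror the posts' format, and the watched-service list and the `Disable*` heuristic are the example's own assumptions, not any product's rules.

```python
import re
from typing import Dict, List, Optional

# Constructed sample HIPS lines in the shape quoted in the post:
# time, process, action, target, verdict, mode (tab-separated here).
SAMPLE_HIPS_LOG = """\
8/12/2014 9:55:34 PM\tC:\\Windows\\System32\\services.exe\tModify startup settings\tHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TrustedInstaller\\Start\tallowed\tAutomatic mode
8/12/2014 10:03:36 PM\tC:\\Windows\\System32\\services.exe\tModify startup settings\tHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\efavdrv\\Start\tallowed\tAutomatic mode
8/12/2014 10:40:08 PM\tC:\\Windows\\System32\\services.exe\tModify startup settings\tHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\MBAMSwissArmy\\Start\tallowed\tAutomatic mode
8/12/2014 10:41:00 PM\tC:\\Windows\\System32\\services.exe\tModify startup settings\tHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Spooler\\Start\tallowed\tAutomatic mode
8/12/2014 10:42:15 PM\tC:\\Users\\Timelord\\AppData\\Local\\Temp\\updater.exe\tModify startup settings\tHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\ekrn\\Start\tblocked\tAutomatic mode
"""

FIELDS = ("time", "process", "action", "target", "verdict", "mode")
SERVICE_START_RE = re.compile(r"\\services\\([^\\]+)\\Start$", re.IGNORECASE)

# Assumption: an example watchlist of services whose Start value changing is
# worth a second look (Windows servicing plus the AV/anti-malware services
# named in the posts). Not a list from any product.
WATCHED_SERVICES = {"trustedinstaller", "efavdrv", "mbamswissarmy", "ekrn",
                    "mbamservice", "windefend"}


def parse_hips_line(line: str) -> Optional[Dict[str, str]]:
    """Split one HIPS line on tabs or runs of two or more spaces.

    Returns None unless exactly the six expected fields are present."""
    parts = re.split(r"\t|\s{2,}", line.strip())
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def flag_startup_changes(log_text: str) -> List[Dict[str, str]]:
    """Return 'Modify startup settings' events that touch a watched service."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_hips_line(raw)
        if not rec or rec["action"].lower() != "modify startup settings":
            continue
        m = SERVICE_START_RE.search(rec["target"])
        if not m or m.group(1).lower() not in WATCHED_SERVICES:
            continue
        # services.exe (the Service Control Manager) normally owns Start-value
        # changes; any other actor, especially one in a user temp dir, is the
        # stronger signal and gets the higher severity.
        expected_actor = rec["process"].lower().endswith(
            "\\windows\\system32\\services.exe")
        hits.append({"time": rec["time"], "service": m.group(1),
                     "process": rec["process"], "verdict": rec["verdict"],
                     "severity": "review" if expected_actor else "high"})
    return hits


# Constructed REGEDIT4-style snippet in the shape quoted in post 3.
SAMPLE_REG = """\
REGEDIT4

[HKLM\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"ProductStatus"=dword:00000000

[HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"""

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
REG_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<hex>[0-9A-Fa-f]{8})')


def find_disabled_protection(reg_text: str) -> List[Dict[str, object]]:
    """Return DWORD values named Disable* that are set to non-zero.

    The name-prefix heuristic is this example's own, not a product rule."""
    findings, key = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = REG_DWORD_RE.match(line)
        if not vm:
            continue
        name, value = vm.group("name"), int(vm.group("hex"), 16)
        if name.lower().startswith("disable") and value != 0:
            findings.append({"key": key, "name": name, "value": value})
    return findings


if __name__ == "__main__":
    for h in flag_startup_changes(SAMPLE_HIPS_LOG):
        print(f"[{h['severity']}] {h['time']} {h['process']} -> "
              f"{h['service']}\\Start ({h['verdict']})")
    for f in find_disabled_protection(SAMPLE_REG):
        print(f"[disabled] {f['key']} {f['name']}={f['value']}")
```

On the constructed input the three `services.exe` entries from the post come out as "review" (a legitimate actor, but still a change to a protection service's start type), the `Spooler` change is ignored, and the Temp-directory actor touching `ekrn` is scored "high". Real HIPS exports from this product may be separated by tabs rather than the spaces the forum rendering shows, which is why the parser accepts both.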
