Hips Log Showing Something Trying To Modify Need Assistance


Hello,

I have tried all I know to do before seeking help. My HIPS log contains the following:

8/12/2014 9:55:34 PM    C:\Windows\System32\services.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TrustedInstaller\Start    allowed    Automatic mode

8/12/2014 10:03:36 PM    C:\Windows\System32\services.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\efavdrv\Start    allowed    Automatic mode

8/12/2014 10:40:08 PM    C:\Windows\System32\services.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MBAMSwissArmy\Start    allowed    Automatic mode

You get the idea I'm sure. ANY help greatly appreciated! Just direct me as to what I need to do on my end. Thanks in advance


Staring at the hips log will make you crazy and paranoid. :)

Those alerts look ok to me.

It appears to be a Mbam driver, ESET driver, and TrustedInstaller being set as Automatic at startup.

If you approve these changes and HIPS is blocking, try setting HIPS to learning mode for one logon, then back to normal.

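The reply above is a manual triage of three lines; the same reasoning can be scripted. This is an added example, not code from the thread or from ESET: it parses HIPS lines in the layout quoted in the first post (columns separated by runs of spaces is an assumption), treats only the Service Control Manager (services.exe) changing the Start value of a service this thread names as expected, and reports anything else. The fourth log line and the KNOWN_SERVICES allowlist are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the three HIPS entries quoted in the first post plus one
# made-up entry (unknown.exe) showing what a non-SCM writer would look like.
SAMPLE_LOG = r"""
8/12/2014 9:55:34 PM    C:\Windows\System32\services.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TrustedInstaller\Start    allowed    Automatic mode
8/12/2014 10:03:36 PM    C:\Windows\System32\services.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\efavdrv\Start    allowed    Automatic mode
8/12/2014 10:40:08 PM    C:\Windows\System32\services.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MBAMSwissArmy\Start    allowed    Automatic mode
8/12/2014 10:41:00 PM    C:\Users\Public\unknown.exe    Modify startup settings    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ekrn\Start    allowed    Automatic mode
"""

# Constructed allowlist of the service names this thread identifies; anything
# else is reported for review rather than silently accepted.
KNOWN_SERVICES = {
    "trustedinstaller": "Windows Modules Installer",
    "efavdrv": "ESET driver",
    "mbamswissarmy": "Malwarebytes driver",
    "ekrn": "ESET Service",
}
SCM_PATH = r"c:\windows\system32\services.exe"  # the Service Control Manager
START_VALUE = re.compile(r"\\services\\([^\\]+)\\Start$", re.IGNORECASE)
FIELDS = ("timestamp", "process", "operation", "target", "action", "mode")

def parse_line(line: str) -> Optional[dict]:
    # Assumption: columns are separated by runs of two or more spaces.
    fields = re.split(r"\s{2,}", line.strip())
    return dict(zip(FIELDS, fields)) if len(fields) == len(FIELDS) else None

def triage(ev: dict) -> str:
    # Only a service's Start value rewritten via "Modify startup settings"
    # is classified here; every other HIPS event is passed through as "other".
    m = START_VALUE.search(ev["target"])
    if ev["operation"] != "Modify startup settings" or not m:
        return "other"
    svc = m.group(1).lower()
    if ev["process"].lower() != SCM_PATH:
        # The SCM is the expected writer of Start values; anyone else is odd.
        return f"suspicious: {ev['process']} changed start type of {svc}"
    if svc in KNOWN_SERVICES:
        return f"expected: SCM set start type of {KNOWN_SERVICES[svc]}"
    return f"review: SCM changed start type of unknown service {svc}"

def triage_log(text: str) -> List[Tuple[str, str]]:
    # One (timestamp, verdict) pair per parseable line, in log order.
    events = (parse_line(l) for l in text.strip().splitlines())
    return [(ev["timestamp"], triage(ev)) for ev in events if ev]

if __name__ == "__main__":
    for ts, verdict in triage_log(SAMPLE_LOG):
        print(ts, "-", verdict)
```

Point it at a HIPS log export instead of SAMPLE_LOG and extend KNOWN_SERVICES with the services actually installed on the machine; a "review" verdict means look the service up, not that it is malicious.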

When I ran RogueKiller it picked up some registry problems that were disabling things. Information I have gathered from others having the same issues is that it may be a registry edit virus and/or an asterisk logger trying to nab my passwords. I am also getting the message: ERROR communicating with Kernel! I tried using ESET's solution but it didn't help.

  [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001 (example)

Today when I log on, Windows Media Center has made its way to my tray and is running.

Starts in: %windir%\ehome

Target: %windir%\ehome\ehshell.exe

Is this a known issue? I haven't done anything concerning Windows Media Center and it was not there last night. I am just trying to be thorough while learning as much as I can, so please don't think I am not paying attention to what others with more knowledge than myself are saying.

  • Administrators

When I ran RogueKiller it picked up some registry problems that were disabling things. Information I have gathered from others having the same issues is that it may be a registry edit virus and/or an asterisk logger trying to nab my passwords. I am also getting the message: ERROR communicating with Kernel! I tried using ESET's solution but it didn't help.

If the error started to occur after running RogueKiller, it could be that it disabled ESET. Try installing v7 from scratch and see if it works fine then.


I ran RogueKiller of the problem. Now I am unable to use Security when I go into Properties. TrustedInstaller is locking me out of any kind of mod and/or regenerates itself hidden, effectively keeping me from doing a complete re-install with all traces removed. Tried taking ownership.........SURVEY SAYS.......baaaaah X. Changing permissions..........SURVEY SAYS........baaaaaaaaaaaah X. Need a correct answer or strike 3. lol........Need any type of logs?


Download the ESET Uninstaller and have it manually strip and remove ESET from your computer. This tool only works in Safe Mode for accurate removal.

Then boot to normal mode and test everything is working ok. If it is, then reinstall ESET from scratch as suggested by Marcos.


Here I have a ComboFix log if that is needed to review first.

ComboFix 14-08-19.01 - Timelord 08/20/2014  19:06:54.13.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1900.852 [GMT -5:00]
Running from: c:\users\Timelord\Desktop\more ing time pent on security issues tuesday\ComboFix.exe
AV: ESET Smart Security 7.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
FW: ESET Personal firewall *Enabled* {211E1E8B-C9F9-A04B-6D84-BC85190CE5F2}
SP: ESET Smart Security 7.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Resident AV is active
.
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-21 to 2014-08-21  )))))))))))))))))))))))))))))))
.
.
2014-08-21 00:19 . 2014-08-21 00:19    --------    d-----w-    c:\users\Timelord\AppData\Local\temp
2014-08-21 00:19 . 2014-08-21 00:19    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-08-21 00:19 . 2014-08-21 00:19    --------    d-----w-    c:\users\DefaultAppPool\AppData\Local\temp
2014-08-21 00:19 . 2014-08-21 00:19    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-08-19 21:53 . 2014-08-20 14:17    --------    d-----w-    c:\users\Timelord\AppData\Local\gtk-2.0
2014-08-17 08:02 . 2014-08-17 08:02    699568    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-08-17 08:01 . 2014-08-17 08:01    71344    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-08-16 20:19 . 2014-08-20 23:04    122584    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-16 20:18 . 2014-05-12 12:26    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-08-16 20:18 . 2014-05-12 12:26    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-08-16 20:18 . 2014-05-12 12:25    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-08-16 20:18 . 2014-08-20 14:19    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-08-14 21:04 . 2014-08-20 01:08    --------    d-----w-    c:\users\Timelord\Synfig
2014-08-14 20:57 . 2014-08-14 21:03    --------    d-----w-    c:\program files (x86)\Synfig
2014-08-14 08:07 . 2014-08-14 08:07    --------    d-----w-    c:\program files (x86)\Common Files\Java
2014-08-14 08:06 . 2014-07-25 17:55    98216    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-08-13 04:10 . 2014-03-09 21:48    171160    ----a-w-    c:\windows\system32\infocardapi.dll
2014-08-13 04:10 . 2014-03-09 21:48    1389208    ----a-w-    c:\windows\system32\icardagt.exe
2014-08-13 04:10 . 2014-03-09 21:47    99480    ----a-w-    c:\windows\SysWow64\infocardapi.dll
2014-08-13 04:10 . 2014-03-09 21:47    619672    ----a-w-    c:\windows\SysWow64\icardagt.exe
2014-08-13 04:10 . 2014-06-30 22:24    8856    ----a-w-    c:\windows\system32\icardres.dll
2014-08-13 04:10 . 2014-06-30 22:14    8856    ----a-w-    c:\windows\SysWow64\icardres.dll
2014-08-13 04:09 . 2014-06-06 06:16    35480    ----a-w-    c:\windows\SysWow64\TsWpfWrp.exe
2014-08-13 04:09 . 2014-06-06 06:12    35480    ----a-w-    c:\windows\system32\TsWpfWrp.exe
2014-08-13 04:06 . 2014-06-25 02:05    14175744    ----a-w-    c:\windows\system32\shell32.dll
2014-08-13 03:11 . 2014-08-13 03:11    --------    d-----w-    c:\program files (x86)\ESET
2014-08-10 14:59 . 2014-08-10 14:59    --------    d-----w-    c:\program files\ESET
2014-08-07 00:30 . 2014-08-07 00:30    --------    d-----w-    c:\program files (x86)\Common Files\Real
2014-08-06 08:17 . 2014-08-20 22:37    --------    d-----w-    c:\windows\system32\wbem\repository
2014-08-01 00:19 . 2014-08-20 14:17    --------    d-----w-    c:\windows\system32\catroot2
2014-07-30 23:52 . 2014-08-07 00:30    --------    d-----w-    c:\program files (x86)\Best Buy Digital Music Store Powered by Rhapsody
2014-07-30 22:19 . 2014-07-31 21:55    --------    d-----w-    c:\users\Timelord\AppData\Roaming\SanDisk
2014-07-30 22:09 . 2014-07-30 22:14    --------    d-----w-    c:\program files (x86)\Best Buy Rhapsody
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-20 19:21 . 2014-07-16 20:04    36456    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-08-13 04:24 . 2012-03-05 02:39    99218768    ----a-w-    c:\windows\system32\MRT.exe
2014-06-23 20:57 . 2012-06-13 23:09    736952    ----a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2014-06-23 20:57 . 2012-06-13 23:08    2876528    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2014-06-23 20:57 . 2012-06-13 23:08    42168    ----a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2014-06-18 02:18 . 2014-07-09 04:13    692736    ----a-w-    c:\windows\system32\osk.exe
2014-06-18 01:51 . 2014-07-09 04:13    646144    ----a-w-    c:\windows\SysWow64\osk.exe
2014-06-06 10:10 . 2014-07-09 04:13    624128    ----a-w-    c:\windows\system32\qedit.dll
2014-06-06 09:44 . 2014-07-09 04:13    509440    ----a-w-    c:\windows\SysWow64\qedit.dll
2014-06-05 14:45 . 2014-07-09 04:09    1460736    ----a-w-    c:\windows\system32\lsasrv.dll
2014-06-05 14:26 . 2014-07-09 04:09    22016    ----a-w-    c:\windows\SysWow64\secur32.dll
2014-06-05 14:25 . 2014-07-09 04:09    96768    ----a-w-    c:\windows\SysWow64\sspicli.dll
2014-06-03 06:28 . 2014-06-03 06:18    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2014-05-30 08:08 . 2014-07-09 04:13    210944    ----a-w-    c:\windows\system32\wdigest.dll
2014-05-30 08:08 . 2014-07-09 04:13    86528    ----a-w-    c:\windows\system32\TSpkg.dll
2014-05-30 08:08 . 2014-07-09 04:13    340992    ----a-w-    c:\windows\system32\schannel.dll
2014-05-30 08:08 . 2014-07-09 04:13    314880    ----a-w-    c:\windows\system32\msv1_0.dll
2014-05-30 08:08 . 2014-07-09 04:13    307200    ----a-w-    c:\windows\system32\ncrypt.dll
2014-05-30 08:08 . 2014-07-09 04:13    728064    ----a-w-    c:\windows\system32\kerberos.dll
2014-05-30 08:08 . 2014-07-09 04:13    22016    ----a-w-    c:\windows\system32\credssp.dll
2014-05-30 07:52 . 2014-07-09 04:13    172032    ----a-w-    c:\windows\SysWow64\wdigest.dll
2014-05-30 07:52 . 2014-07-09 04:13    65536    ----a-w-    c:\windows\SysWow64\TSpkg.dll
2014-05-30 07:52 . 2014-07-09 04:13    247808    ----a-w-    c:\windows\SysWow64\schannel.dll
2014-05-30 07:52 . 2014-07-09 04:13    220160    ----a-w-    c:\windows\SysWow64\ncrypt.dll
2014-05-30 07:52 . 2014-07-09 04:13    259584    ----a-w-    c:\windows\SysWow64\msv1_0.dll
2014-05-30 07:52 . 2014-07-09 04:13    550912    ----a-w-    c:\windows\SysWow64\kerberos.dll
2014-05-30 07:52 . 2014-07-09 04:13    17408    ----a-w-    c:\windows\SysWow64\credssp.dll
2014-05-30 06:45 . 2014-07-09 04:13    497152    ----a-w-    c:\windows\system32\drivers\afd.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Exploit"="c:\program files (x86)\Malwarebytes Anti-Exploit\mbae.exe" [2014-06-04 382608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 73216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 DirMngr;DirMngr;c:\users\Timelord\Downloads\GnuPG\dirmngr.exe;c:\users\Timelord\Downloads\GnuPG\dirmngr.exe [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 efavdrv;efavdrv;c:\windows\system32\drivers\efavdrv.sys;c:\windows\SYSNATIVE\drivers\efavdrv.sys [x]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys;c:\program files\PeerBlock\pbfilter.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]
R3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 Live Updater Service;Live Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe [x]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfp.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys;c:\windows\SYSNATIVE\DRIVERS\EpfwLWF.sys [x]
S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe;c:\program files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [x]
S2 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x]
S3 SystemExplorerHelpService;System Explorer Service;c:\program files (x86)\System Explorer\service\SystemExplorerService64.exe;c:\program files (x86)\System Explorer\service\SystemExplorerService64.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs    REG_MULTI_SZ       w3svc was
apphost    REG_MULTI_SZ       apphostsvc
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2011-05-10 1831528]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2014-02-24 5581888]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://acer.msn.com
mDefault_Page_URL = hxxp://www.google.com
IE: Translate Selection - c:\program files (x86)\TGF Interactive\Translate Genius\ContextMenu.htm
Trusted Zone: rhapsody.com\rhap-app-4-0
Trusted Zone: rhapsody.com\rhapreg
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B3917305-A200-44C0-9D84-D55943D066B9}: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Timelord\AppData\Roaming\Mozilla\Firefox\Profiles\6qad75db.default\
FF - prefs.js: browser.startup.homepage - hxxps://duckduckgo.com/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
Completion time: 2014-08-20  19:24:38
ComboFix-quarantined-files.txt  2014-08-21 00:24
ComboFix2.txt  2014-08-13 01:08
ComboFix3.txt  2014-04-17 01:15
ComboFix4.txt  2014-03-26 02:56
ComboFix5.txt  2014-08-21 00:04
.
Pre-Run: 22,071,640,064 bytes free
Post-Run: 21,599,277,056 bytes free
.
- - End Of File - - F88DB7EEC22BF5A91767AF0E1A6ED71C
 
