Need suspicious files analyzed (network)

DreemWarrior

New member
If someone in the know wouldn't mind looking at these files for me, it will be greatly appreciated!
This all started with a system crash a few days ago. What I thought was a crash due to OC parameters seems to be something entirely different. I have found NUMEROUS signs of a virtualization of my system from an unknown source.
My registry has been altered, my entire file system changed ownership to (?). Programs I've been using regularly cease to work (Outlook, MS Office, SAS).
My event viewer is FULL of errors and warnings relating to files and programs being shut down and reinstalled with a "virtual". The only things I have installed pre-crash were PCtools firewall, and Opera. I booted into system via Winternals ERD. Great lil disk to have, BTW.
What I found there was a little unnerving. If there is an IT pro or someone familiar with this sort of thing who could take a look and see what's going on with my system, I'd be very grateful. :D
Thing about the files and such is, they have (for the most part) been restored, or at least released. I still have no email, and I can't boot to safe mode. (No option for it anymore.) Hence the use of ERD.
I know this is a rather vague description, but it's been a long, information-laden night. I'll attach what I have so far in a zip. They are plain txt files.
Thanks......
 

Attachments

My Computer

Computer Manufacturer/Model Number
Custom
OS
Windows 7 ultimate X64
CPU
Core i7 870 Lynnfield
Motherboard
MSI P55-GD55
Memory
4GB Corsair XMS 3 1600Mhz
Graphics Card(s)
GeForce 8800 GTS (for the time being)
Sound Card
Onboard 7.1 digital
Monitor(s) Displays
Dell 19"
Screen Resolution
1280x1024
Hard Drives
Barracuda 750Gb
PSU
Corsair TX 650w
Case
Thermaltake Armour Extreme Edition
Cooling
Corsair H50
Keyboard
Dell XPS slim
Mouse
Dell XPS mouse (only good product)
Internet Speed
100 Mbps +/-
Try running Malwarebytes' Anti-Malware.
Download Malwarebytes' Anti-Malware to your desktop:
|MG| Malwarebytes Anti-Malware 1.45 Download
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

If you have infected files that you've zipped, I don't think any of us would venture to download and unzip :shock:
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Try running Malwarebytes' Anti-Malware.
Download Malwarebytes' Anti-Malware to your desktop:
|MG| Malwarebytes Anti-Malware 1.45 Download
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

If you have infected files that you've zipped, I don't think any of us would venture to download and unzip :shock:

No, the files are fine. They're txt w/ no code. I run Mbytes regularly, along w/ SAS. But SOMEthing is happening for sure. I can't access my email (Outlook 10), because...

"Log Name: Application
Source: Outlook
Date: 4/2/2010 3:32:04 PM
Event ID: 30
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: all_me-PC
Description:
Starting reconciliation for the store C:\Users\all_me\Documents\Outlook Files\[email protected] for the following reason: The store was last opened on a different machine.


What's up with that??? :(
 

Wow, here's a peach of a HijackThis log... sfc only found one error. Go figure. Going to look for a good online scanner now.

Question. Does anyone know how to restore (or access) safe mode when it's been disabled, short of another repair install (it didn't restore it then)??
 

Attachments

wow, Here's a peach of a HijackThis log...sfc only found one error. Go figure. Going to look for a good online scanner now.

Good idea. Use a few different ones tho
 

My Computer

Computer Manufacturer/Model Number
tw33k
OS
Windows 7 Ultimate (x64) SP1
CPU
Intel 3770k 4.6GHz
Motherboard
ASUS Maximus V Formula
Memory
8GB (2x 4GB) Crucial Ballistix
Graphics Card(s)
Sapphire 7950 (1060/1600)
Sound Card
On Board Realtek HD Audio
Monitor(s) Displays
27" Acer B273HU (via HDMI)
Screen Resolution
2048 x 1152
Hard Drives
Crucial M4 128GB
2TB WD Black
1TB Samsung F3 SATA
1TB WD Elite External
2TB WD USB 3.0
PSU
Corsair AX750 Gold
Case
Corsair Obsidian 800DW
Cooling
Corsair H100 (2x AP-121/2x UK-3000 push/pull)
Keyboard
Microsoft Wireless 5000
Mouse
Microsoft Wireless 5000
Internet Speed
5mb/s
Other Info
Logitech z-2300 2.1 speakers
Lamptron FC-5 v2
For what it's worth...
 

Attachments

Question. Does anyone know how to restore (or access) safe mode when it's been disabled, short of another repair install (it didn't restore it then)??

NM... I must be tired. MSCONFIG /boot safe /minimal :o
 

Your MBam log is clean and I don't see any suspicious files in the HJT log. There's a few things you don't need to have running in the background if you're not using them, though.
 

Your MBam log is clean and I don't see any suspicious files in the HJT log. There's a few things you don't need to have running in the background if you're not using them, though.
Did you happen to peek at the other files?
Tells more of the issue.
I just enabled the master Admin, tried to run MBAM and got an error stating please send this to support staff.... it is disabled... as well as MOST services. I can't even get to internet. (Using spare XP rig.) And still can't boot to safe mode.. msconfig says it is in boot safe/minimal mode, but no joy. AARGG I really hate these things. And I tend to chase the offending file :mad: (Bad idea, I know)

*BTW, thanks Jacee for taking time to lend a hand..I can help others easier than I can my own.lol:).
 
First, let's flush DNS cache and restore your original Hosts file:

Copy and paste these lines into Notepad.
@Echo on
pushd \windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0
Save as flush.bat to your desktop.
Right click on the flush.bat, choose to run as Administrator, then run the batch file.

Next:

Download DDS from one of these links:

Mirror 1 Mirror 2 Mirror 3
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
Include the contents of both logs in your next post.
The scan will instruct you to post Attach.txt as an attachment.
(You can copy and paste the .txt file if you want to.)
 

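An added example, not part of the post above or of any tool named in the thread: flush.bat replaces the Hosts file with a single localhost line, which also discards whatever entries were in it. This PowerShell function lists the non-default entries first so they can be saved with the other logs; `Get-HostsFinding` and the sample entries (all under `example.test`) are constructed for illustration.

```powershell
# Added example: list non-default Hosts entries before they are overwritten.
# Get-HostsFinding is a name chosen for this example; the sample is constructed.

function Get-HostsFinding {
    param([string[]]$Line)

    $loopback = '^(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1)$'
    $lineNo = 0

    foreach ($raw in $Line) {
        $lineNo++

        # Strip trailing comments and whitespace; skip blank lines.
        $text = ($raw -replace '#.*$', '').Trim()
        if ($text -eq '') { continue }

        # Format: <address> <name> [<alias> ...], separated by spaces or tabs.
        $fields  = @($text -split '\s+')
        $address = $fields[0]

        if ($fields.Count -lt 2) {
            New-Object PSObject -Property @{
                LineNo = $lineNo; Address = $address; Name = ''
                Finding = 'malformed: address without a name'
            }
            continue
        }

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($address -match $loopback) {
                # The stock file maps only localhost to loopback.
                if ($name -ieq 'localhost') { continue }
                $finding = 'name pinned to loopback (lookups for it never leave this PC)'
            } else {
                $finding = 'name pinned to a fixed address (DNS is bypassed)'
            }
            New-Object PSObject -Property @{
                LineNo = $lineNo; Address = $address; Name = $name
                Finding = $finding
            }
        }
    }
}

# Constructed sample input, not taken from the thread's attachments.
$sample = @'
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.av-vendor.example.test
203.0.113.25    webmail.example.test www.webmail.example.test
'@ -split '\r?\n'

Get-HostsFinding -Line $sample |
    Format-Table LineNo, Address, Name, Finding -AutoSize

# On the affected machine, read the real file before running flush.bat:
# Get-HostsFinding -Line (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

Loopback entries for names other than localhost are often just an ad-block list, so each reported line still needs a human look before it is treated as tampering.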
Could it be the Aurora exploit??
Here's a free tool for corporations, but it works for others. Right-click and run it as Admin; it will run as an elevated cmd prompt.

McAfee CSniffer
We have discovered that one of the exploits of the Aurora vulnerability is exfiltration of intellectual property via source code management tools like Perforce. McAfee CSniffer is a free tool which will scan your infrastructure to discover if you have unencrypted Perforce passwords which could be stolen and used to penetrate your source code library.

EDIT:
http://www.mcafee.com/us/enterprise/downloads/free_tools/index.html
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
CPU
Ivy Bridge Core i5 3570K (Delidded)
Motherboard
Asus P8Z77-V LE PLUS
Memory
G.Skill "Ares" DDR3 PC3-12800 - 1600MHz (16Gb)
Graphics Card(s)
Asus Dual-RX480-O4G
Sound Card
Creative Sound Blaster Z w/5.1 sound system
Monitor(s) Displays
Asus IPS 23"
Screen Resolution
16/9
Hard Drives
Internal:
500Go Sata 6Gb/s (x2)
500Go Sata 3Gb/s (x2)
SSD 60Go Sata 6Gb/s
PSU
In Win C 900W Series 80+ Platinum
Case
Thermaltake Chaser A71
Cooling
Custom Water Cooling Loop
Keyboard
Cooler Master QuickFire XTi
Mouse
Razer Imperator 2012 (4G)
Antivirus
MSE
Browser
IE 11.0.xxx Rtm
Other Info
"Raid0" with Intel Smart Response Technology (HDD/SSD)
Thanks Jacee for the .bat! Unfortunately, I've still had no luck getting the adapter to work. When I run <ipconfig /all>, it IS connected, even in perfmon I can see it connected. 100Mbps connection. I even changed Ethernet cable for good measure.... :confused:
 

OMG!! lol I'm going to bed. I just sat here and typed for like 10-15 min explaining the outcome of the past 16 hrs, and freaking swerved the wrong way or something and dumped it all... :(
Anyway, the 'final solution' was to say files be d*mned, followed up with a nice and clean new install of OS. Still not sure exactly what happened or how, but my entire system was corrupt. Nearly every service that could be turned off and still manage to keep Windows BARELY up was. The file system looked like a redneck's family tree.... VERY few branches, and the ones that were there were useless dead ends. The Reg files were well done also. Most of which I noticed after getting OCD about the network adapters and spending WAY too much time determined to come to a solution. (I get like that.)
BTW, I didn't lose anything I can't replace. Learned that lesson the hard way more than once. I have the Vista HDD from the Dell right next to my rig in a nice shiny black case for just such emergencies ;) So now I need to find a good free partitioning software that will part without formatting. (Gonna keep Vista just like it is, and use the rest of the HDD for imaging.)
Thanks again Jacee for the .bat and your time. Sure makes for less work. (That's my next crash course, writing files I need.) OK, I hear a pillow screaming my name..... or is that my wife.... :confused:
Cheers!
 

Anyway, the 'final solution' was to say files be d*mned, followed up with a nice and clean new install of OS.
an image back up would have done a world of good...
 

My Computer

OS
windows 7 ultimate 64 bit,Windows 7 ultimate 32 bit,Windows XP sp3 home
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 4/3/2010 8:49:43 PM
System Uptime: 4/3/2010 9:48:52 AM (1 hours ago)
Motherboard: ASUSTeK Computer INC. | | P7P55D DELUXE
Processor: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz | LGA1156 | 3074/146mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 931 GiB total, 912.738 GiB free.
D: is CDROM (UDF)
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP1: 4/3/2010 7:13:09 AM - Installed Seagate DiscWizard
RP2: 4/3/2010 7:59:57 AM - Installed Intel Extreme Tuning Utility
RP3: 4/3/2010 8:11:15 AM - Installed Realtek 8136 8168 8169 Ethernet Driver
RP4: 4/3/2010 8:16:35 AM - Installed Realtek 8136 8168 8169 Ethernet Driver
RP5: 4/3/2010 8:51:43 AM - Installed Platform
RP6: 4/3/2010 9:04:38 AM - Installed Adobe Reader 9.1.
RP7: 4/3/2010 9:10:48 AM - avast! Free Antivirus Setup
RP8: 4/3/2010 9:25:46 AM - Installed Diagnostic Utility
RP9: 4/3/2010 9:32:29 AM - Windows Update
RP10: 4/3/2010 9:36:54 AM - Installed TurboV EVO
==== Installed Programs ======================
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
AMD DnD V1.0.20
avast! Free Antivirus
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help English
CCC Help Japanese
CCC Help Korean
CCC Help Thai
Diagnostic Utility
Intel Extreme Tuning Utility
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Realtek 8136 8168 8169 Ethernet Driver
The Lord of the Rings FREE Trial
TurboV EVO
==== Event Viewer Messages From Past Week ========
4/3/2010 8:49:44 PM, Error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error %%-2147023781.
4/3/2010 8:49:44 PM, Error: Microsoft-Windows-Bits-Client [16392] - The BITS service failed to start. Error 0x8007045B.
==== End Of File ===========================


Wow. And all that junk from drivers and updates. That is a great lil program Jacee.... Yours? Wish I coulda DL and used it last night. I think it will find its way to a thumb drive. :D
 

Anyway, the 'final solution' was to say files be d*mned, followed up with a nice and clean new install of OS.
an image back up would have done a world of good...

I know... that's the downfall of larger HDDs... you need a spare of equal size for backups, and until now I didn't....


And thanks Malexous. GParted it is. :)
 

That's not the entire DDS log ... there should be two parts to it. The program isn't mine, it was written by sUBs, an extremely experienced 'malware fighter'. :D
 

That's not the entire DDS log ... there should be two parts to it. The program isn't mine, it was written by sUBs, an extremely experienced 'malware fighter'. :D

Hmmm, only one log on desktop. But as I said, at that time Windows was barely able to run. Most services were disabled. And a ^5 to the sub for that one. Good stuff. I still am having some issues though. After I had finished reinstall, I transferred a few files from ext. drive, and when I woke up (late this afternoon lol) they were nowhere to be seen... on either drive. That, and my graphics are poor as well. Conflict w/ 7 and ATI maybe.
 

Networked??

Ok. This is REALLY becoming an issue here. I hate to be a pest when I could be helping others, but this is not my area of expertise. That being said, I DO know enough about it to know this is serious.
Since reinstalling 7, resetting network adapters, flushing DNS, reinstalling the correct drivers, I felt I had secured my system fairly well. It seems that just made matters worse. Now all my files as well as programs and NEW drivers are disappearing at a rapid pace. Registry files are being re-written. Even MBAM has gone! All but a few log files I managed to locate deep in the system. Event viewer shows NO entries now. Luckily I have a separate program that logs my entire system, but even that program has undergone changes. I don't want to give info-overload, but I managed to save a few things on disk. (Lest they vanish.) I was able to trace an IP and get a computer name, and tried shutting down their system, but now I just get "Command completed with errors" msg. I REALLY don't feel like reinstalling again (probably need to), but more to the point, I would like to know how to fight fire WITH fire, and prevent this in the future. BTW NoN, I tried the Csniffer, but it just disappeared when I ran it, and nothing since. Anyway, here's a few SAFE logs, and some snips. The Everest file is quite long (EVENTS) so I took an excerpt of a few entries.
 

Attachments
