Windows 7 Forums
Windows 7: Need suspicious files analyzed (network)


02 Apr 2010   #1
DreemWarrior
Windows 7 ultimate X64

Need suspicious files analyzed (network)

If someone in the know wouldn't mind looking at these files for me, it will be greatly appreciated!
This all started with a system crash a few days ago. What I thought was a crash due to OC parameters seems to be something entirely different. I have found NUMEROUS signs of a virtualization of my system from an unknown source.
My registry has been altered, my entire file system changed ownership to (?). Programs I've been using regularly cease to work (Outlook, MS Office, SAS).
My event viewer is FULL of errors and warnings relating to files and programs being shut down and reinstalled with a "virtual". The only things I had installed pre-crash were PCtools firewall and Opera. I booted into the system via Winternals ERD. Great lil disk to have, BTW.
What I found there was a little unnerving. If there is an IT pro or someone familiar with this sort of thing who could take a look and see what's going on with my system, I'd be very grateful.
Thing about the files and such is they have (for the most part) been restored, or at least released. I still have no email, and I can't boot to safe mode. (No option for it anymore.) Hence the use of ERD.
I know this is a rather vague description, but it's been a long, information-laden night. I'll attach what I have so far in a zip. They are plain txt files.
Thanks......




Attached Files
File Type: zip PC files.zip (421.8 KB, 33 views)
02 Apr 2010   #2
Jacee
Microsoft MVP
Windows 7 Ultimate 32bit SP1

Try running Malwarebytes' Anti-Malware.
Download Malwarebytes' Anti-Malware to your desktop:
|MG| Malwarebytes Anti-Malware 1.45 Download
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

If you have infected files that you've zipped, I don't think any of us would venture to download and unzip
02 Apr 2010   #3
DreemWarrior
Windows 7 ultimate X64

Quote: Originally Posted by Jacee
Try running Malwarebytes' Anti-Malware.
[...]
If you have infected files that you've zipped, I don't think any of us would venture to download and unzip
No, the files are fine. They're txt with no code. I run Mbytes regularly, along with SAS. But SOMEthing is happening for sure. I can't access my email (Outlook 10), because...

"Log Name: Application
Source: Outlook
Date: 4/2/2010 3:32:04 PM
Event ID: 30
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: all_me-PC
Description:
Starting reconciliation for the store C:\Users\all_me\Documents\Outlook Files\info@jadercorenovations.com.pst for the following reason: The store was last opened on a different machine."

What's up with that???
02 Apr 2010   #4
DreemWarrior
Windows 7 ultimate X64

wow, Here's a peach of a HijackThis log... sfc only found one error. Go figure. Going to look for a good online scanner now.

Question. Does anyone know how to restore (or access) safe mode when it's been disabled, short of another repair install? (It didn't restore it then.)


Attached Files
File Type: zip SFCDETAILS.zip (2.4 KB, 5 views)
File Type: log hijackthis.log (7.7 KB, 17 views)
02 Apr 2010   #5
tw33k
Windows 7 Ultimate (x64) SP1

Quote: Originally Posted by DreemWarrior
wow, Here's a peach of a HijackThis log... sfc only found one error. Go figure. Going to look for a good online scanner now.
Good idea. Use a few different ones, though.
02 Apr 2010   #6
DreemWarrior
Windows 7 ultimate X64

For what its worth...


Attached Files
File Type: txt mbam-log-2010-04-02 (07-16-51).txt (897 Bytes, 22 views)
02 Apr 2010   #7
DreemWarrior
Windows 7 ultimate X64

Quote:
Question. Does anyone know how to restore (or access) safe mode when it's been disabled, short of another repair install? (It didn't restore it then.)
NM...I must be tired. MSCONFIG /boot safe /minimal
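An added example, not part of the thread or anyone's post in it: the "Safe boot / Minimal" checkbox on msconfig's Boot tab writes the safeboot element of the current OS entry in the BCD store. Reading and writing that element directly with bcdedit from an elevated PowerShell prompt shows whether the setting actually landed, which is the check to run when msconfig claims safe/minimal but the machine keeps booting normally (the "no joy" reported later in the thread). The function name and the exit-code check are this example's own; bcdedit's output format is assumed to be the English one shown by Windows 7.

```powershell
# Added example, not from the thread: read and set the safe-boot element in
# the BCD store, which is what msconfig's Boot tab > "Safe boot / Minimal"
# writes. Run from an elevated PowerShell prompt; bcdedit needs admin rights.
# The braces are quoted because {current} would otherwise be a script block.

function Get-SafeBootSetting {
    # Returns 'Minimal', 'Network' or 'DsRepair', or $null when the element
    # is absent from the current OS entry (assumes English bcdedit output).
    $m = @(bcdedit /enum '{current}' | Select-String -Pattern '^\s*safeboot\s+(\S+)\s*$')
    if ($m.Count -gt 0) { return $m[0].Matches[0].Groups[1].Value }
    return $null
}

"Before: safeboot = $(Get-SafeBootSetting)"

# Equivalent of ticking Safe boot / Minimal in msconfig.
bcdedit /set '{current}' safeboot minimal
if ($LASTEXITCODE -ne 0) {
    throw "bcdedit could not write the BCD store (exit code $LASTEXITCODE)"
}

# If this still prints nothing, the store was not updated and the next boot
# will be a normal one, whatever msconfig's dialog says.
"After:  safeboot = $(Get-SafeBootSetting)"

# Once the clean-up is finished, return to a normal boot (msconfig's
# "Normal startup"):
#   bcdedit /deletevalue '{current}' safeboot
```

If the write fails, the error bcdedit prints is the thing to post, since it says whether the problem is permissions or the store itself.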
02 Apr 2010   #8
Jacee
Microsoft MVP
Windows 7 Ultimate 32bit SP1

Your MBam log is clean and I don't see any suspicious files in the HJT log. There are a few things you don't need to have running in the background if you're not using them, though.
02 Apr 2010   #9
DreemWarrior
Windows 7 ultimate X64

Quote: Originally Posted by Jacee
Your MBam log is clean and I don't see any suspicious files in the HJT log. There are a few things you don't need to have running in the background if you're not using them, though.
Did you happen to peek at the other files?
They tell more of the issue.
I just enabled the master Admin, tried to run MBAM and got an error stating "please send this to support staff"... it is disabled, as well as MOST services. I can't even get to the internet (using spare XP rig). And still can't boot to safe mode... msconfig says it is in boot safe/minimal mode, but no joy. AARGG, I really hate these things. And I tend to chase the offending file (bad idea, I know).

*BTW, thanks Jacee for taking the time to lend a hand... I can help others easier than I can my own. lol.
02 Apr 2010   #10
Jacee
Microsoft MVP
Windows 7 Ultimate 32bit SP1

First, let's flush the DNS cache and restore your original Hosts file:

Copy and paste these lines into Notepad.
@Echo on
REM Must run elevated: rewriting the hosts file and the netsh resets
REM need administrator rights.
pushd %SystemRoot%\System32\drivers\etc
attrib -h -s -r hosts
REM Replace whatever is in hosts with the single default loopback entry,
REM so any redirections that were added to it are discarded.
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset catalog
netsh int ip reset resetlog.txt
shutdown -r -t 1
del %0
Save as flush.bat to your desktop.
Right click on flush.bat, choose Run as administrator, then let the batch file run.

Next:

Download DDS from one of these links:

Mirror 1 Mirror 2 Mirror 3
  • Disable any script blocking protection
  • Double click the dds icon to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
Include the contents of both logs in your next post.
The scan will instruct you to post Attach.txt as an attachment.
(You can copy and paste the .txt file if you want to.)
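An added example, not from the thread or any of its posters: before the batch above wipes the hosts file, it is worth recording what is in it and which DNS servers the adapters are using, since an entry that sinkholes a security vendor or Windows Update is exactly the kind of thing that explains scanners failing and "no internet". This script is read-only and is written for the PowerShell 2.0 that ships with Windows 7 (no -in operator, no [pscustomobject]). The function names, the sample hosts lines and the list of vendor names it flags are all this example's own assumptions.

```powershell
# Added example, not from the thread: audit the hosts file and the DNS
# resolver before flush.bat overwrites them. Read-only; PowerShell 2.0 safe.

function Get-HostsEntries {
    param([string[]]$Lines)
    # Turn active (non-comment, non-blank) lines into Address/Name objects.
    foreach ($raw in $Lines) {
        $line = ($raw -split '#', 2)[0].Trim()        # strip trailing comments
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Length -lt 2) { continue }
        foreach ($name in $parts[1..($parts.Length - 1)]) {
            New-Object PSObject -Property @{ Address = $parts[0]; Name = $name }
        }
    }
}

function Test-HostsEntry {
    param($Entry)
    # Stock Windows 7 has no active entries at all (localhost is commented
    # out), so the only unremarkable line is a loopback mapping for localhost.
    # Vendor names pointed at loopback or 0.0.0.0 are the classic way to keep
    # a box from updating or running its scanners; the name list is assumed.
    $sinkhole = @('127.0.0.1', '::1', '0.0.0.0') -contains $Entry.Address
    if ($sinkhole -and $Entry.Name -eq 'localhost') { return 'ok' }
    if ($sinkhole -and $Entry.Name -match 'malwarebytes|microsoft|windowsupdate|symantec|mcafee|kaspersky') {
        return 'SUSPICIOUS: security/update host sinkholed'
    }
    return 'review'
}

function Show-HostsAudit {
    param([string[]]$Lines, [string]$Label)
    "== $Label =="
    Get-HostsEntries -Lines $Lines | ForEach-Object {
        New-Object PSObject -Property @{
            Address = $_.Address; Name = $_.Name; Verdict = (Test-HostsEntry $_)
        }
    } | Format-Table Address, Name, Verdict -AutoSize
}

# Constructed sample, so the parser can be tried without touching the system.
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '127.0.0.1       www.malwarebytes.org   # added by someone',
    '0.0.0.0         update.microsoft.com',
    '93.184.216.34   www.example.com'
)
Show-HostsAudit -Lines $sample -Label 'constructed sample'

# The real file. Note the attributes too: Hidden/System/ReadOnly are not the
# default and show that something (or flush.bat) has already been at it.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    "hosts attributes: " + (Get-Item -Force $hostsPath).Attributes
    Show-HostsAudit -Lines (Get-Content -Force $hostsPath) -Label $hostsPath
}

# Resolver side: the DNS servers each live adapter is using. Unexpected
# public addresses here are the other half of a hosts/DNS hijack.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSServerSearchOrder | Format-List
```

Paste the table and the adapter list into the reply alongside the DDS logs; once that is saved, the batch above can overwrite the file without losing the evidence.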