Lotofproblems- corrupt files D/L'd, folder access - farbar .txt inc

PunkNdrublik · 21 Aug 2014

Ive been suspicious of an attacker for over a year and recently I have issues downloading programs as they show corrupt especially windows fixit exe's. Frustration honed in when I had issues playing Magic Online ver 4.0 I would constantly have to relog from random disconnects, then I couldnt even log in as it would disconnect me as I logged in. uninstalled, deleted any temp files or folders for Wizards of the Coast and redownloaded and would get these types of messages after install
-
http://mtgoclientdepot.onlinegaming....GO.application resulted in exception. Following failure messages were detected:
+ File, client_M14.xml, has a different computed hash than specified in manifest.
-
everytime I retry after any new fix I think I find, its a different file but same error.
Recently I ran the TDDS scan and it did find an Ovula which I quarantined and removed but still same issues. Not sure on next steps and exhausted searching for what my exact problem is and how to fix (usually pretty good at this stuff) I can tell there are a lot of issues from the farbar scan .txt files but unsure how to read it. Posting them here and hope you guys can help. Cheers!

PunkNdrublik · 21 Aug 2014

When trying to access c:/windows/serviceprofiles/networkservice/appdata/local/microsoft/mediaplayer/artcache/localMLS
it said i didnt have priveleges, clicked OK to have administrator priv (im only user) and it starts to go in folder then stopped responding, started to again and has been trying to load files in folder for 10 minutes now still waiting.when finally finished only 4 jpg's inside avg size 50k?
Then I found this also in appdata/local in the temp folder
MPcmdrun text doc 2348Kb (attached) and mpsigstub text doc 206kb
also in folder is an application mpam-b8692784.exe 0kb

Lastly I looked in event viewer and saw a plethra of warnings and crashes but im not understanding how to fix or what exactly each one is telling me, can I post a copy somehow here as well?

PunkNdrublik · 21 Aug 2014

When trying to access c:/windows/serviceprofiles/networkservice/appdata/local/microsoft/mediaplayer/artcache/localMLS
it said i didnt have priveleges, clicked OK to have administrator priv (im only user) and it starts to go in folder then stopped responding, started to again and has been trying to load files in folder for 10 minutes now still waiting.when finally finished only 4 jpg's inside avg size 50k?
Then I found this also in appdata/local in the temp folder
MPcmdrun text doc 2348Kb (attached) and mpsigstub text doc 206kb
also in folder is an application mpam-b8692784.exe 0kb

There are NTuser logs in the network service folder and a notepad with only this :
regf* * ìLëOêøË ° f i l e s \ N e t w o r k S e r v i c e \ N T U S E R . D A T ¼ˆholÞ Íãì¼ˆholÞ Íãì ½ˆholÞ Íãìrmtm _8I§DIRTÿ ÿ ÿÿ ÿÿ w o r k \ m o u n t \ U s e r s \ A d m i n i s t r a t o r \ N T U S E R . D A T r o f i l e \ n t u s e r . d a t
EDIT - ive attached a few more files ive found that cause me to believe the system has been attacked via remote connections of some sort, i discovered these searching for fix to WMI stopped working and cannot reactivate service, error messages related to MSI corruptions (cant remember exactly what but trying to replicate)

Lastly I looked in event viewer and saw a plethra of warnings and crashes but im not understanding how to fix or what exactly each one is telling me, can I post a copy somehow here as well?

andrew129260 · 24 Aug 2014

1.) Download herdprotect: (choose the portable version)

Download herdProtect - Free Anti-Malware Platform

2.) Run the scan.

3.) When the scan finishes, save the results per the screenshot below. Then upload the log here.

DO NOT REMOVE ANYTHING YET. I will advise if anything needs removed when I receive the log.

Attached Images