SFC and Trusted Installer? Is this normal?

Brit, I will have to run it again; I think I deleted it, but I will see.
Won't that access my PC?
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Dell
OS
Windows 7 starter 32bit
SF zip

Here it is.
 

There's a desktop.ini file for every folder, if you look closely enough :) It's created as soon as you vary any of the View settings in Windows Explorer.

The fact that there are two Default users present is odd. One of them should be named 'Default User' (note the 'User'), and that one should be inaccessible, because it's only a hard link rather than a real folder.
Likewise, the 'All Users' folder should be inaccessible for the same reason.

The Guest account isn't normally present unless at some time you've enabled the Guest account.


Looking at the logs, I can't see anything that jumps out at me, but you cleared all the System Events on the 13th, so there's not a lot of history to go on.

There's one nasty error in the Application Events: lsm.exe stopped working on the 13th. This forced an immediate reboot. From what I can make out, this may be caused by AV software.


Since you had a brush with lots of malware,

please download and install Malwarebytes Anti-Malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ (untick 'Enable free trial of MBAM PRO' at the end of the installation), update it, then run a full scan in your main account and Quick scans in any other user accounts.

Delete everything it finds (such as???)

 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Asus K52F or Lenovo B51-80
OS
Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
CPU
i3 370M/i7 6500U
Motherboard
Asus/Lenovo
Memory
8GB - finally :)/8GB
Graphics Card(s)
it's an i3, dude!/dual Intel&nVidia
Sound Card
onboard
Monitor(s) Displays
15.6" built-in
Screen Resolution
1366x768/1920x1080
Hard Drives
750GB Seagate internal
Sundry external drives attached to other computers on the local network
1TB SSD on the Lenovo
PSU
n/a
Internet Speed
as much as I can get - usually on a dongle/phone, so <1MB/s
Antivirus
MSE/Defender
Browser
IE11/12/Edge/Chrome/FF(if I must)
I didn't clear the logs. It may have been a program I ran? I used Recuva last night and brought them back. Then today I could not boot the PC. The PC did a restore of ? date, so now I am not sure if they're still there. Going to find out.
 

I need to remove 3 Legacy drivers for MBAMSWISSARMY. Malwarebytes will only run for 3 minutes for a full scan. I have tried the permissions. We have these drivers on all three infected laptops; some have never had it installed. Any ideas?
 

That is a driver for Malwarebytes. You can uninstall them and use the link below my sig to grab the latest version, free or paid, whichever you have. For free there is a box to uncheck during install, "Start 30 day free trial".
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home Built Desktop By DataTech
OS
Windows 7 Ultimate X64 SP1
CPU
Intel i5-2550K, Differing ~4.4-4.8GHz No built in GPU
Motherboard
ASUS P8Z68-V PRO/GEN3
Memory
16GB G.Skill Sniper 1866MHz @ 2133MHz 2x8GB
Graphics Card(s)
ASUS GTX650TIB-DC2OC-2GD5, (650TI Boost)
Sound Card
Onboard Realtek 5-1
Monitor(s) Displays
Samsung P2570HD
Screen Resolution
1920x1080
Hard Drives
Samsung 840 Pro 256GB SSD for OS, 500GB Seagate Constellation (Enterprise drive) for Data
PSU
Corsair HX650W
Case
Inwin Dragon Rider
Cooling
Hyper 212 EVO w/two Noctua fans, push-pull, @1300 RPM
Keyboard
E-Z Eyes, bright yellow keys with large characters
Mouse
steelseries SENSEI Laser Pro Gaming
Internet Speed
48-51Mbs Mbs down, 11 Mbs up Xfinity Cable
Antivirus
Norton Internet Security 2013
Browser
IE 10, Opera, Pale Moon if needed
Other Info
4 case fans, LG BluRay-RE, ASUS DVD-RW, Mr. Fusion power supply, 1.21 gigawatts.
I need to uninstall them and I can't. I am OK with them after I reinstall, but something is wrong with these. Any ideas on how?
 

I just downloaded MB; it has expired certificates? I am running it; we will see. It flashed when starting and then went "not responding". Every time I get some headway on this PC it won't boot and suggests a restore. I am not given a choice of which restore, and then I am back to square one. I have hundreds of Windows Live entries in the registry. It no longer shows in Add/Remove Programs. I have lots of this type of thing uninstalled and the registry is full, but there is no way to remove them except one by one. Is there a program I can use to help me delete them in the registry? I will let you know about MB.
 

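The "Legacy driver" entries for MBAMSwissArmy and the expired-certificate worry in the posts above can both be checked from the machine itself. The PowerShell below is an added example, not code from the thread or from Malwarebytes: it reads the service record that a non-PnP ("legacy") Device Manager entry mirrors, verifies the Authenticode signature of the driver file and of mbam.exe, and only after that output has been reviewed removes the service record with sc.exe. The service name is the one given in the thread; the default install folder and the driver file name mbamswissarmy.sys (matching the service name) are assumptions.

```powershell
# Added example, not from the thread or from Malwarebytes: inspect the MBAMSwissArmy
# driver service and the installed binaries before removing anything, then remove the
# service record with sc.exe once the output has been reviewed. Run from an elevated
# PowerShell 2.0 prompt on Windows 7.
# Assumptions: default install folder; driver file name matches the service name.
$svcName   = 'MBAMSwissArmy'
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$mbamDir   = Join-Path $env:ProgramFiles 'Malwarebytes Anti-Malware'

# 1. The service record. Device Manager's non-PnP ("legacy") entry mirrors this key;
#    ImagePath is the file the kernel would load. Type 1 = kernel driver,
#    Start 3 = demand start (loaded only while MBAM is scanning).
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    '{0}: Type={1} Start={2} ImagePath={3}' -f $svcName, $svc.Type, $svc.Start, $svc.ImagePath
} else {
    '{0}: no service key; a leftover Device Manager entry with no key is stale' -f $svcName
}

# 2. Authenticode check of the files that ship with the product. Status is evaluated
#    against this machine's trusted root store: 'Valid', or 'NotSigned'/'HashMismatch',
#    is the verdict that matters; 'NotTrusted'/'UnknownError' can also mean the local
#    root store is out of date rather than that the file is bad.
$files = @(
    (Join-Path $driverDir 'mbamswissarmy.sys'),
    (Join-Path $mbamDir   'mbam.exe')
)
foreach ($f in $files) {
    if (Test-Path $f) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        '{0}: {1}; signer={2}; modified={3}' -f $f, $sig.Status, $sig.SignerCertificate.Subject, (Get-Item $f).LastWriteTime
    } else {
        '{0}: not present' -f $f
    }
}

# 3. Removal. Set to $true only after reviewing the output above. sc.exe reports
#    1060 if the service does not exist and 1072 if it is already marked for
#    deletion; in the latter case a reboot finishes the job, after which the
#    Device Manager entry is gone too.
$removeService = $false
if ($removeService) {
    sc.exe stop   $svcName | Out-Null     # fails harmlessly if the driver is not loaded
    sc.exe delete $svcName
}
```

A signature that was timestamped at signing still reports Valid after the signing certificate itself has expired, so an "expired certificate" complaint about an installer is not by itself evidence that the installed driver is bad; NotSigned or HashMismatch on mbamswissarmy.sys would be. The Device Manager entries the thread calls "Legacy" are the non-PnP drivers shown under "Show hidden devices"; they disappear once the service key is deleted and the machine rebooted.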
I just downloaded MBAM from my link and installed/ran it. It showed no expired certs for me.

I think running CCleaner's Registry cleaner would get rid of the unneeded reg entries. Link down there too.
 

Whatever is on all of our computers has somehow affected the running of things. I know I need to clear the three Legacy drivers to stand a chance. I had the paid version and it blocked an outgoing connection to Korea, and after that it said it was outdated by 253 (or so) days. This is the same thing this one said on first use. I have CCleaner and it is not doing right either. Whatever is on our computers is clever, and must appear normal to all programs. I am lost what to do...
 

Reading through this thread again, in my opinion you have infected computers. With what, I don't know. Something is stopping you from using basic programs and installing security programs. Those are signs of a possible infection.
If they were my computers I would go to the Security section of our forum and post. Let the security experts give you a hand.

System Security - Windows 7 Help Forums
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
mbam/malwarebytes log

Here is a SystemLook of MBAM. Also one for CCleaner.
I can't believe how many special logons have taken place today alone.
 

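"Special logon" in the Security log is Event ID 4672, "Special privileges assigned to new logon". It is written every time a new logon session is granted administrator-level privileges, which includes the SYSTEM, LOCAL SERVICE and NETWORK SERVICE service logons that happen all day, so a single PC produces dozens of these with nobody attacking it; the raw count says little, the accounts behind them say more. The PowerShell below is an added example, not code from the thread: it pulls today's 4672 events and groups them by account so the total can be read against the identities that legitimately generate them. It assumes an elevated PowerShell 2.0 prompt on Windows 7 (the Security log is not readable otherwise).

```powershell
# Added example, not from the thread: summarise today's Security Event ID 4672
# ("Special privileges assigned to new logon") by account. Run from an elevated
# PowerShell 2.0 prompt on Windows 7; the Security log is not readable otherwise.
$since = (Get-Date).Date     # midnight today; move it back to widen the window

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue

# Each event carries the subject account in its EventData; pull the fields out of the XML.
$rows = $events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Sid     = $data['SubjectUserSid']
        LogonId = $data['SubjectLogonId']
        Time    = $_.TimeCreated
    }
}

# Per-account totals. SYSTEM (S-1-5-18), LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE
# (S-1-5-20) produce these on service logons all day; an interactive account you did
# not log on with, or a name you do not recognise, is what deserves a second look.
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'Sid';   Expression = { $_.Group[0].Sid } },
        @{ Name = 'First'; Expression = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ Name = 'Last';  Expression = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# Sessions for one account, to line up against the 4624 (logon) event with the same LogonId:
# $rows | Where-Object { $_.Account -like '*\SomeUser' } | Sort-Object Time | Format-Table Time, LogonId -AutoSize
```

Each 4672 shares its LogonId with a 4624 logon event written just before it; that 4624 carries the logon type (2 interactive, 3 network, 5 service, 10 remote desktop) and the source address, which is what tells a service start apart from someone logging in.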
I just joined the thread and was looking at previous posts. The -18, -19 and -20 are system services and normal.

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2452422238-2317045706-931954555-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2452422238-2317045706-931954555-501

These two SIDs are disturbing. The S-1-5-21-xxx-501 is a Guest Account that doesn't need a password. By default, Windows disables Guest Accounts.
I'm not sure what the SID S-1-5-21-xxx-1000 might be, but it's assigned to the same domain (class). It could have Administrative rights to control a network group.

It sure looks like someone has a back door into your system. There's probably logging going on, so I sure hope you don't use the PC for your personal business.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Built 2/11/2011
OS
Windows 7 Pro-x64
CPU
i7-2600 3.4GHz - 3.8GHz Turbo
Motherboard
Intel DH67BL-B3
Memory
8Gb - 2x4GB, Muskin 991770 PC3-1333
Graphics Card(s)
Integrated Intel HD 2000
Sound Card
Integrated Intel 10.1 HD, RealTek ALC892
Monitor(s) Displays
Asus LCD VH222H, Haier HL24XSL2a
Screen Resolution
1920x1080, 1920x1080
Hard Drives
Crucial SSD C300-128Gb,
Western Digital WD5002AALX - 500Gb,
Western Digital WD7501AALS - 750Gb
PSU
Seasonic 650W 80+ Gold Modular
Case
Rosewill Defender
Cooling
Stock CPU, Four 120mm case fans, PCH fan added
Keyboard
Logitech EX100 Y-RBH94 Wireless
Mouse
Logitech EX100 M-RCE95 Wireless
Internet Speed
3.0/1.5 Mbs
Antivirus
Microsoft Security Essentials
Browser
Microsoft Internet Explorer 11
Other Info
Antec Veris Premier-Multimedia IR Station,
Cyber Accoustics-3602 Speakers,
AFT XM-5U Card Reader,
Hauppauge TV-HVR-2250,
Sony LX300 USB Turntable
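Whether the ProfileList entries and the extra folders under C:\Users are normal can be read off the machine rather than guessed at. The last component of a machine-local SID (S-1-5-21-<machine>-<RID>) has a fixed meaning: 500 is the built-in Administrator, 501 the built-in Guest, and 1000 the first account created during setup, with later accounts counting up from there; S-1-5-18, -19 and -20 are LOCAL SYSTEM, LOCAL SERVICE and NETWORK SERVICE. The PowerShell below is an added example, not code from the thread. It serves both the earlier post about the two Default folders and the Guest folder and the SID post above: it lists the C:\Users entries and flags which are junctions ('All Users' and 'Default User' are junctions on Vista and later, not real folders, and a 'Guest' folder appears only once the Guest account has logged on), then decodes every ProfileList SID and looks up the matching local account so the -501 entry is judged by its actual disabled and password-required flags rather than by its presence. It assumes Windows 7 PowerShell 2.0, an elevated prompt, and profiles under the default C:\Users.

```powershell
# Added example, not from the thread: answer "is this account/profile normal?" from
# the machine's own state. Part 1 lists the folders under C:\Users and flags which are
# junctions (reparse points) rather than real folders. Part 2 decodes every SID under
# ProfileList and cross-checks it against the local account database.
# Windows 7 PowerShell 2.0 cmdlets only; run from an elevated prompt.
# Assumption: profiles live under $env:SystemDrive\Users (the default).

# ---- Part 1: C:\Users entries. 'All Users' and 'Default User' are junctions on Vista
#      and later; a real folder under either name is not normal. A 'Guest' folder exists
#      only if the Guest account has logged on at least once.
$usersRoot = Join-Path $env:SystemDrive 'Users'
Get-ChildItem -Path $usersRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    New-Object PSObject -Property @{
        Folder   = $_.Name
        Junction = [bool]($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
        Created  = $_.CreationTime
    }
} | Format-Table Folder, Junction, Created -AutoSize

# ---- Part 2: ProfileList SIDs.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Service identities that always have a profile entry; they are not user accounts.
$wellKnown = @{
    'S-1-5-18' = 'LOCAL SYSTEM'
    'S-1-5-19' = 'LOCAL SERVICE'
    'S-1-5-20' = 'NETWORK SERVICE'
}

# Meaning of the final RID of a machine-local SID S-1-5-21-<machine>-<RID>.
function Describe-Rid([int]$rid) {
    if ($rid -eq 500)  { return 'built-in Administrator' }
    if ($rid -eq 501)  { return 'built-in Guest' }
    if ($rid -ge 1000) { return 'user account; 1000 is the first one created at setup' }
    return 'other built-in principal'
}

# Local accounts indexed by SID: name, disabled flag, password-required flag.
$local = @{}
Get-WmiObject Win32_UserAccount -Filter 'LocalAccount = TRUE' | ForEach-Object { $local[$_.SID] = $_ }

Get-ChildItem -Path $profileList | ForEach-Object {
    $keyName = $_.PSChildName
    $sid     = $keyName -replace '\.bak$', ''   # ".bak" marks a profile Windows failed to load
    $path    = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    $meaning = $null
    if ($wellKnown.ContainsKey($sid)) {
        $meaning = $wellKnown[$sid]
    } elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        $meaning = Describe-Rid ([int]$matches[1])
        if ($local.ContainsKey($sid)) {
            $a = $local[$sid]
            $meaning += " | $($a.Name): disabled=$($a.Disabled) passwordRequired=$($a.PasswordRequired)"
        } else {
            $meaning += ' | no local account with this SID (deleted account or domain user)'
        }
    }
    New-Object PSObject -Property @{ Key = $keyName; Profile = $path; Meaning = $meaning }
} | Format-Table Key, Profile, Meaning -AutoSize -Wrap
```

On a default single-user Windows 7 install the Part 2 output is exactly the three service SIDs plus one -1000 entry for the account created at setup. A -501 entry means Guest has had a profile created for it, which happens only after a Guest logon; the disabled flag in the same row shows whether it is still usable now. Disabling it again is net user Guest /active:no from an elevated prompt.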
I am glad someone sees a problem. I am so tired of people telling me my scans are clear. This has been going on for so long. This one I am on seems to be the one spreading things. I don't know what to do. I can't even delete things from the registry, and I am, or was, the admin. Java is out of control. When I start to get somewhere, everything is renewed. We can't afford all new laptops. There has to be a way to find it. All I do all day is search and try to contain this beast. I am disabled and tired. I just want to go online and enjoy. No luck!
 

My Vista laptop shows W7 in the services. I have reinstalled the OS 4 times and it changes on first shutdown. That is before going online. So it has to be from the BIOS, or my disk has been added to. Or airborne!
 

I did ask for some more help here, Netlace, and the thread has been moved to Security, if you hadn't noticed.
Yes, you definitely have some self-replicating and spreading infection. I don't have the skill, but there are others here who do; they helped me with a really bad one several months ago.

Are you able to delete the rogue account through Control Panel? I would suggest trying it with only one machine on the network; if it works, go to the next one.
 

Quote:
I just joined the thread and was looking at previous posts. The -18, -19 and -20 are system services and normal.

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2452422238-2317045706-931954555-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2452422238-2317045706-931954555-501

These two SIDs are disturbing. The S-1-5-21-xxx-501 is a Guest Account that doesn't need a password. By default, Windows disables Guest Accounts.
I'm not sure what the SID S-1-5-21-xxx-1000 might be, but it's assigned to the same domain (class). It could have Administrative rights to control a network group.

-1000 is the original User/Admin account created at setup.
 

Could someone with MWB tell me if they have this key?

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt
Default = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}

Also, on the properties via right-click from Programs, I have 2 files, build.conf and custom.conf, that have old dates. Everything else has the date I downloaded it.
 

Not sure what you mean by "properties via right-click from Programs". I have the same value for MBAM. That's the shell extension that provides the right-click menu for MBAM.
 

Attachments: MBAM ShellExt.JPG

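A ContextMenuHandlers key is only a pointer: its default value names a CLSID, and that class's InprocServer32 value is the DLL Explorer loads into every process that shows a file dialog. Comparing the CLSID with another installation, as the two posts above do, confirms the registration matches the stock one, but a CLSID can be re-pointed at a different DLL without the GUID changing, so the check that settles it is to follow the chain and verify the DLL. The PowerShell below is an added example, not code from the thread or from Malwarebytes: it resolves MBAMShlExt to its DLL and reports the Authenticode status and file time. It assumes PowerShell 2.0 and reads the registry view native to the OS (on 64-bit Windows the 32-bit registration lives under Wow6432Node and is not covered here).

```powershell
# Added example, not from the thread or from Malwarebytes: resolve the MBAMShlExt
# context-menu handler to the DLL it loads and check that DLL's signature. This is what
# tells a genuine handler apart from a CLSID hijacked to point at another file.
# PowerShell 2.0 cmdlets only; HKCR needs a drive mapping first.
if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$handlerKey = 'HKCR:\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt'
if (-not (Test-Path $handlerKey)) { "No $handlerKey on this machine"; return }

# Step 1: the handler key's default value is the CLSID.
$clsid = (Get-ItemProperty -Path $handlerKey).'(default)'
"Handler CLSID: $clsid"

# Step 2: the CLSID's InprocServer32 default value is the DLL Explorer will load.
$server = "HKCR:\CLSID\$clsid\InprocServer32"
if (-not (Test-Path $server)) { "CLSID $clsid has no InprocServer32: dangling registration"; return }

$dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path $server).'(default)')
"Loads: $dll"

# Step 3: does the file exist, who signed it, and when was it last written?
if (Test-Path $dll) {
    $sig = Get-AuthenticodeSignature -FilePath $dll
    'Signature: {0}; signer={1}' -f $sig.Status, $sig.SignerCertificate.Subject
    'Modified:  {0}' -f (Get-Item $dll).LastWriteTime
} else {
    'DLL missing: the registration is stale and can be removed with Remove-Item on the handler key'
}
```

The path in the InprocServer32 value is the thing to read closely: for this product it should sit under the Malwarebytes install folder, and the signer subject should name Malwarebytes. A DLL in a user-writable location (a profile or temp folder) reached through a well-known vendor CLSID is the pattern a hijacked shell extension leaves.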