Please review Hijack This log. Increasingly worse issues *UPDATED WITH ASWMBR LOG

**Logs posted below

I’ve been having some issues lately, and they are getting worse. About 2 weeks ago all of my Yahoo and Gmail email accounts were hacked and sending spam to my contacts. It was about 3 in total, some of which I haven’t used in years. I ran Malwarebytes and found nothing. I ran a full system scan with Avast and found nothing, then I ran a Boot Scan with Avast and found a Trojan which I deleted.

Everything was fine for a bit but then this past weekend I noticed that Google and Yahoo search results would suddenly change right before my eyes, with some of the links having weird names. Typing in the search field would be very slow as well. Ran another boot scan and found nothing. I then noticed that any files I had deleted over the past couple days were suddenly back on my computer! Awesome. I’ve purged all of my restore points.

I downloaded Hijack This and saved a log. I’m above average with tech, but Hijack This is above my level of knowledge.

I’ve looked at the Event Viewer in Administrator tools and found some things that concern me. Again I’ve never viewed info like this so it may be normal but it certainly has me worried.

Looking at the Security logs in the Viewer, one in particular has me worried. Here’s the info on it:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/5/2011 8:22:38 AM
Event ID: 4672
Task Category: Special Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: MININT-EPL0OTI
Description:
Special privileges assigned to new logon.

Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0xe7810

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege

****UPDATE

Ran the scan. Here’s the logs. Again this type of info is over my head but I’ll be able to follow any directions you give me. Thanks again fellas.

aswMBR version 0.9.7.705 Copyright(c) 2011 AVAST Software
Run date: 2011-07-05 13:13:50

13:13:50.096 OS Version: Windows x64 6.1.7600
13:13:50.096 Number of processors: 8 586 0x1E05
13:13:50.097 ComputerName: MININT-EPL0OTI UserName: Chris
13:14:13.491 Initialize success
13:14:13.657 AVAST engine defs: 11070500
13:14:36.486 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
13:14:36.489 Disk 0 Vendor: TOSHIBA_ MC00 Size: 610480MB BusType: 3
13:14:36.504 Disk 0 MBR read successfully
13:14:36.508 Disk 0 MBR scan
13:14:36.513 Disk 0 Windows 7 default MBR code
13:14:36.517 Service scanning
13:14:39.034 Disk 0 trace - called modules:
13:14:39.069 ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys iaStor.sys hal.dll
13:14:39.076 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8006415060]
13:14:39.081 3 CLASSPNP.SYS[fffff8800103b43f] → nt!IofCallDriver → [0xfffffa8006414630]
13:14:39.087 5 stdcfltn.sys[fffff88001678c52] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8006304050]
13:14:40.644 AVAST engine scan C:\Windows
13:26:01.618 File: C:\Windows\System32\drivers\en-US\bfe.dll.mui SUSPICIOUS
13:26:02.452 File: C:\Windows\System32\drivers\en-US\ndiscap.sys.mui SUSPICIOUS
13:26:02.790 File: C:\Windows\System32\drivers\en-US\pacer.sys.mui SUSPICIOUS
13:26:02.969 File: C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui SUSPICIOUS
13:26:03.052 File: C:\Windows\System32\drivers\en-US\scfilter.sys.mui SUSPICIOUS
13:26:03.203 File: C:\Windows\System32\drivers\en-US\tcpip.sys.mui SUSPICIOUS
13:26:07.983 File: C:\Windows\System32\drivers\wimmount.sys SUSPICIOUS
13:40:41.424 AVAST engine scan C:\Users\Chris
13:44:43.212 AVAST engine scan C:\ProgramData
13:45:37.219 Scan finished successfully
13:45:59.028 Disk 0 MBR has been saved successfully to “C:\Users\Chris\Desktop\MBR.dat”
13:45:59.028 The log file has been saved successfully to “C:\Users\Chris\Desktop\aswMBR.txt”

F2 - REG:system.ini: UserInit=userinit.exe

Fix This in Hijack.

http://www.freedrweb.com/cureit/?lng=en
or
http://www.freedrweb.com/livecd/?lng=en
or
http://www.freedrweb.com/liveusb/?lng=en

Scan.

May be some adware on your PC or a rootkit, can’t say for sure.

Are you having any redirection problems etc?
Are you using Comodo firewall?
Please download aswMBR from here http://public.avast.com/~gmerek/aswMBR.htm
1) Double click the aswMBR.exe to run it
2) Click the [Scan] button to start scan
3) On completion of the scan click [Save log], save it to your desktop and post in your next reply

I haven’t noticed any redirection, and I’m sure I would have (I hope). All I’ve seen so far are links I’ve never seen before as the top items for any Yahoo or Google search I run. New user accounts have been added to my computer and some of my permissions have changed. Starting to consider a complete restore.

Thank you for the link on the scan. Running it as we speak. I’ll update with the logs shortly.

Forgot to add that I do use Comodo

13:26:01.618 File: C:\Windows\System32\drivers\en-US\bfe.dll.mui SUSPICIOUS
13:26:02.452 File: C:\Windows\System32\drivers\en-US\ndiscap.sys.mui SUSPICIOUS
13:26:02.790 File: C:\Windows\System32\drivers\en-US\pacer.sys.mui SUSPICIOUS
13:26:02.969 File: C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui SUSPICIOUS
13:26:03.052 File: C:\Windows\System32\drivers\en-US\scfilter.sys.mui SUSPICIOUS
13:26:03.203 File: C:\Windows\System32\drivers\en-US\tcpip.sys.mui SUSPICIOUS
13:26:07.983 File: C:\Windows\System32\drivers\wimmount.sys SUSPICIOUS

It’s the first time I see something like this. Essexboy is notified.

It may be to do with the way they are packed as they are legitimate files, or there could be a corruption in them.

What problems are you experiencing currently?