Unauthorized backdoor access to computer

Thread starter: VeronicaCisneros

Hello,


I suspect there is unauthorized backdoor access to my computer. A few days ago, Security Essentials reported a backdoor malware file and deleted it.


However, it is reporting many errors, and my browser history shows activity and pages visited while I am asleep.


I tried to do a third-party full drive scan overnight. I expected to wake up to a diagnostics report, but the computer had been rebooted. The third-party software I saw had no log files.


I went to see my browser, and it showed activity to an email URL and a cloud drive URL while I was asleep (I am the only user of this computer). Yesterday I changed all passwords and requested a disconnect from all open sessions, so I am sure whoever tried to log in to the account was unable to do so.


How can I fix my computer? I have run Security Essentials, but nothing shows up.


I deleted a file in C:/Windows/System32/drivers/lvuvc.hs which indicated it had been modified before I woke up. It had no content whatsoever.


Does Security Essentials look for rootkit malware? How can I figure out if somebody is accessing my computer via a connection somehow?


I am exhausted. Please help me fix this.


Here I post some of the errors shown in Event Viewer since last night (I deleted the metadata text chunks to make it easier to read):


Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 4/1/2014 5:20:37 AM
Event ID: 1012
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: mycomputer
Description:
There was an error while attempting to read the local hosts file.


Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 4/1/2014 5:20:24 AM
Event ID: 1012
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: mycomputer
Description:
There was an error while attempting to read the local hosts file.


Log Name: System
Source: Microsoft-Windows-Kernel-PnP
Date: 4/1/2014 5:20:10 AM
Event ID: 219
Task Category: (212)
Level: Warning
Keywords:
User: SYSTEM
Computer: mycomputer
Description:
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SD#MMC&REV_1.00#058F63626476&0#.


Log Name: System
Source: Microsoft-Windows-Kernel-PnP
Date: 4/1/2014 5:20:10 AM
Event ID: 219
Task Category: (212)
Level: Warning
Keywords:
User: SYSTEM
Computer: mycomputer
Description:
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_MS#MS-PRO&REV_1.03#058F63626476&3#.


Log Name: System
Source: Microsoft-Windows-Kernel-PnP
Date: 4/1/2014 5:20:09 AM
Event ID: 219
Task Category: (212)
Level: Warning
Keywords:
User: SYSTEM
Computer: mycomputer
Description:
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63626476&1#.


Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 4/1/2014 5:19:10 AM
Event ID: 1012
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: mycomputer
Description:
There was an error while attempting to read the local hosts file.


Log Name: Application
Source: Application Virtualization Client
Date: 4/1/2014 5:19:02 AM
Event ID: 3057
Task Category: (6)
Level: Warning
Keywords: Classic
User: N/A
Computer: mycomputer
Description:
{tid=B64}
The Application Virtualization Client Core initialized correctly.
Installed Product:
Version: 4.6.2.22610
Install Path: C:\Program Files (x86)\Microsoft Application Virtualization Client
Global Data Directory: C:\ProgramData\Microsoft\Application Virtualization Client\
Machine Name: mycomputer
Operating System: Windows 7 64-bit Service Pack 1.0 Build 7601
OSD Command:


Log Name: Application
Source: Application Virtualization Client
Date: 4/1/2014 5:18:58 AM
Event ID: 3191
Task Category: (3)
Level: Warning
Keywords: Classic
User: N/A
Computer: mycomputer
Description:
{tid=B64}
-------------------------------------------------------- Initialized client log (C:\ProgramData\Microsoft\Application Virtualization Client\sftlog.txt)


Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 4/1/2014 5:18:49 AM
Event ID: 1012
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: mycomputer
Description:
There was an error while attempting to read the local hosts file.


Log Name: System
Source: Service Control Manager
Date: 4/1/2014 5:18:48 AM
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: mycomputer
Description:
The lxdoCATSCustConnectService service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


Log Name: System
Source: Service Control Manager
Date: 4/1/2014 5:18:48 AM
Event ID: 7009
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: mycomputer
Description:
A timeout was reached (30000 milliseconds) while waiting for the lxdoCATSCustConnectService service to connect.


Log Name: System
Source: Service Control Manager
Date: 4/1/2014 5:18:39 AM
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: mycomputer
Description:
The AODDriver4.2 service failed to start due to the following error:
The system cannot find the file specified.


Log Name: Microsoft-Windows-Kernel-EventTracing/Admin
Source: Microsoft-Windows-Kernel-EventTracing
Date: 4/1/2014 5:18:25 AM
Event ID: 3
Task Category: Session
Level: Error
Keywords: Session
User: SYSTEM
Computer: mycomputer
Description:
Session "Microsoft Security Client OOBE" stopped due to the following error: 0xC000000D


Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 4/1/2014 5:17:44 AM
Event ID: 1012
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: mycomputer
Description:
There was an error while attempting to read the local hosts file.


Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 4/1/2014 5:17:40 AM
Event ID: 1012
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: mycomputer
Description:
There was an error while attempting to read the local hosts file.


Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 4/1/2014 5:17:36 AM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: mycomputer
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
7 user registry handles leaked from \Registry\User\S-1-5-21-2988337448-1510076473-2370736219-1000:
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2988337448-1510076473-2370736219-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2988337448-1510076473-2370736219-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2988337448-1510076473-2370736219-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2988337448-1510076473-2370736219-1000\Software
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2988337448-1510076473-2370736219-1000\Software\Microsoft\Internet Explorer\Main
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2988337448-1510076473-2370736219-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2988337448-1510076473-2370736219-1000\Software\Policies


Log Name: Application
Source: Microsoft-Windows-RestartManager
Date: 4/1/2014 5:01:21 AM
Event ID: 10010
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: mycomputer
Description:
Application 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe' (pid 6140) cannot be restarted - Application SID does not match Conductor SID..


Log Name: Application
Source: VSS
Date: 4/1/2014 5:00:13 AM
Event ID: 12348
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: mycomputer
Description:
Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{1c4e3884-5b4e-11e2-9350-ed94514e317e}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly. Check security on the volume, and try the operation again.

Operation:
Removing auto-release shadow copies
Loading provider

Context:
Execution Context: System Provider


Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 4/1/2014 2:42:50 AM
Event ID: 1012
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: mycomputer
Description:
There was an error while attempting to read the local hosts file.


Log Name: Application
Source: VSS
Date: 3/31/2014 8:23:46 PM
Event ID: 12348
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: mycomputer
Description:
Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{1c4e3884-5b4e-11e2-9350-ed94514e317e}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly. Check security on the volume, and try the operation again.

Operation:
Removing auto-release shadow copies
Loading provider
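The post asks how to tell whether somebody is reaching the machine over a connection. The script below is an added example, not part of the original post or any reply, that checks the things the posted events point at: the repeated DNS-Client 1012 errors say the hosts file could not be read, the VSS 12348 warning says administrators were denied access to the volume root, and the Service Control Manager 7000 error for AODDriver4.2 says a service binary is missing. It then lists successful logons in a lookback window, established TCP connections with their owning process, and the usual persistence locations (Run keys, scheduled tasks). It assumes an elevated PowerShell prompt on Windows 7 SP1 with PowerShell 2.0 or later and an English-language schtasks output; the `$Since` window is an assumed value to adjust.

```powershell
# Added triage script (not from the original post). Run from an elevated
# PowerShell prompt on Windows 7 SP1, PowerShell 2.0+. Only built-in
# cmdlets and tools are used (Get-WinEvent, WMI, netstat, schtasks).
$Since = (Get-Date).AddDays(-2)   # assumed lookback window; adjust as needed

# 1. DNS-Client 1012 = the resolver could not read the hosts file. Show its
#    ACL and every non-comment line; only localhost entries are expected.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host "== $hostsFile : ACL and active entries =="
(Get-Acl $hostsFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
Get-Content $hostsFile | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

# 2. VSS 12348 = administrators denied access to the volume root, so look at
#    the ACL on the root of the system drive too.
Write-Host "== ACL on $env:SystemDrive\ =="
(Get-Acl "$env:SystemDrive\").Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 3. Successful logons (Security 4624) in the window. LogonType 2 = console,
#    3 = network (shares, admin$), 10 = Remote Desktop. A logon while the
#    only user was asleep needs an explanation. Requires logon auditing;
#    'auditpol /get /category:"Logon/Logoff"' shows whether it is on.
Write-Host "== logons since $Since =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = @{}
    foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
    New-Object PSObject -Property @{
      Time = $_.TimeCreated; User = $d['TargetUserName']; LogonType = $d['LogonType']
      SourceIP = $d['IpAddress']; Process = $d['ProcessName']
    }
  } |
  Where-Object { @('2','3','10') -contains $_.LogonType } |
  Sort-Object Time | Format-Table Time, User, LogonType, SourceIP, Process -AutoSize

# 4. Established TCP connections and the process behind each one
#    (netstat, because Get-NetTCPConnection does not exist on Windows 7).
Write-Host "== established TCP connections =="
netstat -ano | ForEach-Object {
  if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$') {
    $p = Get-Process -Id ([int]$matches[3]) -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
      Local = $matches[1]; Remote = $matches[2]; ProcId = $matches[3]
      Process = $p.Name; Path = $p.Path
    }
  }
} | Format-Table Local, Remote, ProcId, Process, Path -AutoSize

# 5. Services and drivers whose binary is missing (the posted 7000 error for
#    AODDriver4.2 is this case) or that live outside Windows/Program Files.
Write-Host "== services/drivers with missing or unusual binaries =="
@(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver) | ForEach-Object {
  $path = $_.PathName
  if (-not $path) { return }
  $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
  if ($path -notmatch '^"?(.+?\.(exe|sys))') { return }
  $exe = $matches[1]
  if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }
  $missing = -not (Test-Path $exe)
  $odd = $exe -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
  if ($missing -or $odd) {
    New-Object PSObject -Property @{
      Name = $_.Name; State = $_.State; StartMode = $_.StartMode; Missing = $missing; Binary = $exe
    }
  }
} | Format-Table Name, State, StartMode, Missing, Binary -AutoSize

# 6. Persistence: Run keys and scheduled tasks. Anything you did not install
#    yourself is the place a backdoor usually keeps its foothold.
Write-Host "== Run keys =="
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | ForEach-Object {
  $key = $_
  if (Test-Path $key) {
    (Get-Item $key).GetValueNames() | ForEach-Object {
      "{0}  {1} = {2}" -f $key, $_, (Get-ItemProperty $key).$_
    }
  }
}
Write-Host "== scheduled tasks =="
# schtasks repeats the CSV header per task folder, so drop those rows.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
  Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -notmatch '^(COM handler|N/A)' } |
  Select-Object TaskName, 'Next Run Time', 'Task To Run' | Format-Table -AutoSize
```

Read the output against what you installed yourself: a hosts entry that is not localhost, an ACL on the drive root or hosts file that no longer grants Administrators full control, a 4624 logon of type 3 or 10 from an address you do not recognise, an established connection owned by a process outside Windows or Program Files, or a Run key or task you did not create are each worth following up. The script only reports; it changes nothing, so it is safe to run before deciding whether to clean or reinstall.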
