Rootkit activity???

Started by DR M, August 17, 2014, 08:29:24 AM


Corrine

Panos, how old is the computer? 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

DR M

Quote from: Corrine on August 19, 2014, 02:03:18 AM
Panos, how old is the computer?

I bought it in February 2012.
Grecian Geek

"Count your blessings, remember your prayers..."

"In one of the stars I shall be living. In one of them I shall be laughing. And so it will be as if all the stars will be laughing when you look at the sky at night.. You, only you, will have stars that can laugh..."

Corrine

Hi, Panos.  I've been thinking about this today.  I didn't think there was a problem with the "archive damaged" message in the ESET log and did some additional research and located this ESET KB article:  Blue "error opening" notifications in Computer scan log - ESET Knowledgebase so that should put your mind at ease.

Your laptop isn't that old but because of the slow startup, it wouldn't hurt to perform a SFC (System File Checker) scan which will check and fix any corrupted files on your system.

  • Click Start, and then type cmd in the Start Search box.
  • Right-click cmd in the Programs list, and then right-click Run as administrator.
  • If you are prompted for an administrator password or confirmation, type your password or click Continue.
  • At the command prompt, type the following line, and then press ENTER:  sfc /scannow (note the space before the slash)
  • When the scan is complete, if no errors are found, restart your computer and post back the results (hopefully, "Windows resource protection did not find any integrity violations")
Another option is to run the internal disk checker program. 

  • Click Start and select "Computer"
  • Right-click C:
  • Select the "Tools" tab
  • In the Error-checking area, click "Check Now"
  • Click "Start"
  • Check the option to "Automatically fix file system errors" and click Start.
You will receive a message that the operation cannot be performed while the system is in use and ask if you want to check when you restart your computer.  Click "Schedule disk check" and then restart the computer, allowing disk check to run at startup.

To find the disk check log that is produced please do the following:

Please download ListChkdskResult by SleepyDude to the desktop.

  • Double-click on the icon and click Run
  • The log will appear on your desktop as a .txt file and the notepad will open.
Please copy and paste the results in your next reply.


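As an added example (not from this thread and not part of ListChkdskResult), the following Python parser reads a dump in the layout ListChkdskResult produces for Wininit event 1001 and gives each disk check the triage Corrine applies later in the thread: bad sectors first, then whether chkdsk had to repair anything. The dump is a constructed, shortened sample; the regexes and names are this example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample in the layout ListChkdskResult prints (one Wininit event 1001
# record per disk check), cut down to the lines that matter for triage.
SAMPLE_DUMP = """\
------< Log generate on 20/8/2014 10:26:55 >------
Event Code: 1001
Source Name: Microsoft-Windows-Wininit
Time Written: 08-20-2014 @ 07:24:08
Windows has checked the file system and found no problems.
711987063 KB total disk space.
         0 KB in bad sectors.

-----------------------------------------------------------------------
Event Code: 1001
Source Name: Microsoft-Windows-Wininit
Time Written: 08-17-2014 @ 07:46:10
The index bitmap $I30 in file 0x12e4a is incorrect.
Correcting error in index $I30 for file 77386.
Recovering orphaned file S-1-5-~1.DAT (55897) into directory file 77386.
Recovering orphaned file S-1-5-18-0-ntuser.dat (55897) into directory file 77386.
Repairing Usn Journal file record segment.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
711987063 KB total disk space.
         0 KB in bad sectors.
"""

RECORD_SEP = re.compile(r"^-{20,}\s*$", re.M)
TIME = re.compile(r"^Time Written:\s*(.+?)\s*$", re.M)
BAD_KB = re.compile(r"^\s*(\d+) KB in bad sectors\.", re.M)
ORPHAN = re.compile(r"^Recovering orphaned file .* \((\d+)\) into directory", re.M)
REPAIR = re.compile(r"^(Correcting .*|Repairing .*|Windows has made corrections.*)$", re.M)

@dataclass
class ChkdskRun:
    time_written: str
    bad_sector_kb: int = 0
    orphaned_records: set[int] = field(default_factory=set)
    repairs: list[str] = field(default_factory=list)
    clean: bool = False

    def verdict(self) -> str:
        # Bad sectors are the one finding that points at the drive itself.
        if self.bad_sector_kb > 0:
            return "bad sectors: suspect drive failure, back up immediately"
        if self.repairs or self.orphaned_records:
            return "metadata repaired: no bad sectors, but watch for repeats"
        return "clean" if self.clean else "inconclusive"

def parse_chkdsk_dump(text: str) -> list[ChkdskRun]:
    runs = []
    for chunk in RECORD_SEP.split(text):
        if "Event Code: 1001" not in chunk:
            continue
        t = TIME.search(chunk)
        run = ChkdskRun(time_written=t.group(1) if t else "unknown")
        kb = BAD_KB.search(chunk)
        run.bad_sector_kb = int(kb.group(1)) if kb else 0
        # chkdsk lists each orphan twice (8.3 short name, then long name, same
        # MFT record number), so count distinct record numbers, not lines.
        run.orphaned_records = {int(n) for n in ORPHAN.findall(chunk)}
        run.repairs = REPAIR.findall(chunk)
        run.clean = "found no problems" in chunk
        runs.append(run)
    return runs
```

Calling `parse_chkdsk_dump(SAMPLE_DUMP)` and printing each run's `verdict()` gives "clean" for the later check and "metadata repaired" for the earlier one, which is the same reading the thread arrives at for the real log.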

DR M

Good morning, Corrine and Forum.

SFC RESULTS:  Windows resource protection did not find any integrity violations

INTERNAL CHECK'S RESULTS: Wow! You can also see in there the results I had on Sunday, when the strange behavior started!  :smiley:

ListChkdskResult by SleepyDude v0.1.7 Beta | 21-09-2013

------< Log generate on 20/8/2014 10:26:55 πμ >------
Category: 0
Computer Name: DR-WHO
Event Code: 1001
Record Number: 119307
Source Name: Microsoft-Windows-Wininit
Time Written: 08-20-2014 @ 07:24:08
Event Type: Information
User:
Message:

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.


A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 3)...
  278016 file records processed.                                         

File verification completed.
  932 large file records processed.                                   

  0 bad file records processed.                                     

  0 EA records processed.                                           

  54 reparse records processed.                                     

CHKDSK is verifying indexes (stage 2 of 3)...
  350470 index entries processed.                                       

Index verification completed.
  0 unindexed files scanned.                                       

  0 unindexed files recovered.                                     

CHKDSK is verifying security descriptors (stage 3 of 3)...
  278016 file SDs/SIDs processed.                                       

Cleaning up 246 unused index entries from index $SII of file 0x9.
Cleaning up 246 unused index entries from index $SDH of file 0x9.
Cleaning up 246 unused security descriptors.
Security descriptor verification completed.
  36228 data files processed.                                           

CHKDSK is verifying Usn Journal...
  36923752 USN bytes processed.                                           

Usn Journal verification completed.
Windows has checked the file system and found no problems.

711987063 KB total disk space.
159544880 KB in 224901 files.
    124284 KB in 36229 indexes.
         0 KB in bad sectors.
    402943 KB in use by the system.
     65536 KB occupied by the log file.
551914956 KB available on disk.

      4096 bytes in each allocation unit.
177996765 total allocation units on disk.
137978739 allocation units available on disk.

Internal Info:
00 3e 04 00 15 fc 03 00 7c 17 07 00 00 00 00 00  .>......|.......
c3 16 00 00 36 00 00 00 00 00 00 00 00 00 00 00  ....6...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.

-----------------------------------------------------------------------
Category: 0
Computer Name: DR-WHO
Event Code: 1001
Record Number: 118460
Source Name: Microsoft-Windows-Wininit
Time Written: 08-17-2014 @ 07:46:10
Event Type: Information
User:
Message:

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 3)...
  278016 file records processed.                                         

File verification completed.
  939 large file records processed.                                   

  0 bad file records processed.                                     

  0 EA records processed.                                           

  73 reparse records processed.                                     

CHKDSK is verifying indexes (stage 2 of 3)...
The index bitmap $I30 in file 0x12e4a is incorrect.
Correcting error in index $I30 for file 77386.
  351240 index entries processed.                                       

Index verification completed.
CHKDSK is scanning unindexed files for reconnect to their original directory.
Recovering orphaned file SVCHOST.EXE-EC00EC4D.pf (3007) into directory file 3389.
Recovering orphaned file S-1-5-~1.DAT (55897) into directory file 77386.
Recovering orphaned file S-1-5-18-0-ntuser.dat (55897) into directory file 77386.
Recovering orphaned file S-1-5-~1.LO~ (55909) into directory file 77386.
Recovering orphaned file S-1-5-18-0-ntuser.dat.LOG1 (55909) into directory file 77386.
Recovering orphaned file S-1-5-~2.LO~ (61111) into directory file 77386.
Recovering orphaned file S-1-5-18-0-ntuser.dat.LOG2 (61111) into directory file 77386.
Recovering orphaned file S-1-5-~1.BLF (61146) into directory file 77386.
Recovering orphaned file S-1-5-18-0-ntuser.dat{d63a3b7d-25e0-11e4-bf7f-99b5dd60b5a9}.TM.blf (61146) into directory file 77386.
Recovering orphaned file S-1-5-~1.RE~ (61150) into directory file 77386.
Recovering orphaned file S-1-5-18-0-ntuser.dat{d63a3b7d-25e0-11e4-bf7f-99b5dd60b5a9}.TMContainer00000000000000000001.regtrans-ms (61150) into directory file 77386.
Recovering orphaned file S-1-5-~2.RE~ (61285) into directory file 77386.
Recovering orphaned file S-1-5-18-0-ntuser.dat{d63a3b7d-25e0-11e4-bf7f-99b5dd60b5a9}.TMContainer00000000000000000002.regtrans-ms (61285) into directory file 77386.
Recovering orphaned file S-1-5-~2.DAT (61392) into directory file 77386.
Recovering orphaned file S-1-5-19-0-ntuser.dat (61392) into directory file 77386.
Recovering orphaned file S-1-5-~3.LO~ (61711) into directory file 77386.
Recovering orphaned file S-1-5-19-0-ntuser.dat.LOG1 (61711) into directory file 77386.
Recovering orphaned file S-1-5-~4.LO~ (62105) into directory file 77386.
Recovering orphaned file S-1-5-19-0-ntuser.dat.LOG2 (62105) into directory file 77386.
Recovering orphaned file S-1-5-~2.BLF (62544) into directory file 77386.
Recovering orphaned file S-1-5-19-0-ntuser.dat{d63a3b83-25e0-11e4-bf7f-99b5dd60b5a9}.TM.blf (62544) into directory file 77386.
Recovering orphaned file S-1-5-~3.RE~ (62564) into directory file 77386.
Recovering orphaned file S-1-5-19-0-ntuser.dat{d63a3b83-25e0-11e4-bf7f-99b5dd60b5a9}.TMContainer00000000000000000001.regtrans-ms (62564) into directory file 77386.
Recovering orphaned file S-1-5-~4.RE~ (62565) into directory file 77386.
Recovering orphaned file S-1-5-19-0-ntuser.dat{d63a3b83-25e0-11e4-bf7f-99b5dd60b5a9}.TMContainer00000000000000000002.regtrans-ms (62565) into directory file 77386.
Recovering orphaned file S-1-5-~3.DAT (62573) into directory file 77386.
Recovering orphaned file S-1-5-20-0-ntuser.dat (62573) into directory file 77386.
Recovering orphaned file S-4666~1.LO~ (62586) into directory file 77386.
Recovering orphaned file S-1-5-20-0-ntuser.dat.LOG1 (62586) into directory file 77386.
Recovering orphaned file S-FB5B~1.LO~ (62590) into directory file 77386.
Recovering orphaned file S-1-5-20-0-ntuser.dat.LOG2 (62590) into directory file 77386.
Recovering orphaned file S-1-5-~3.BLF (62600) into directory file 77386.
Recovering orphaned file S-1-5-20-0-ntuser.dat{d63a3b89-25e0-11e4-bf7f-99b5dd60b5a9}.TM.blf (62600) into directory file 77386.
Recovering orphaned file S-C21B~1.RE~ (62651) into directory file 77386.
Recovering orphaned file S-1-5-20-0-ntuser.dat{d63a3b89-25e0-11e4-bf7f-99b5dd60b5a9}.TMContainer00000000000000000001.regtrans-ms (62651) into directory file 77386.
Recovering orphaned file S-81D5~1.RE~ (62669) into directory file 77386.
Recovering orphaned file S-1-5-20-0-ntuser.dat{d63a3b89-25e0-11e4-bf7f-99b5dd60b5a9}.TMContainer00000000000000000002.regtrans-ms (62669) into directory file 77386.
Recovering orphaned file S-1-5-~4.DAT (62673) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1000-0-ntuser.dat (62673) into directory file 77386.
Recovering orphaned file S-84EC~1.LO~ (62677) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1000-0-ntuser.dat.LOG1 (62677) into directory file 77386.
Recovering orphaned file S-6E4B~1.LO~ (62687) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1000-0-ntuser.dat.LOG2 (62687) into directory file 77386.
Recovering orphaned file S-1-5-~4.BLF (62692) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1000-0-ntuser.dat{760652a2-02b4-11e4-8e59-a7c05112d8b5}.TM.blf (62692) into directory file 77386.
Recovering orphaned file S-47B7~1.RE~ (62693) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1000-0-ntuser.dat{760652a2-02b4-11e4-8e59-a7c05112d8b5}.TMContainer00000000000000000001.regtrans-ms (62693) into directory file 77386.
Recovering orphaned file S-FB35~1.RE~ (62701) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1000-0-ntuser.dat{760652a2-02b4-11e4-8e59-a7c05112d8b5}.TMContainer00000000000000000002.regtrans-ms (62701) into directory file 77386.
Recovering orphaned file S-9782~1.DAT (62703) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1006-0-ntuser.dat (62703) into directory file 77386.
Recovering orphaned file S-FE25~1.LO~ (62705) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1006-0-ntuser.dat.LOG1 (62705) into directory file 77386.
Recovering orphaned file S-4930~1.LO~ (62706) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1006-0-ntuser.dat.LOG2 (62706) into directory file 77386.
Recovering orphaned file S-A4F9~1.BLF (62709) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1006-0-ntuser.dat{d63a3b93-25e0-11e4-bf7f-99b5dd60b5a9}.TM.blf (62709) into directory file 77386.
Recovering orphaned file S-8576~1.RE~ (62718) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1006-0-ntuser.dat{d63a3b93-25e0-11e4-bf7f-99b5dd60b5a9}.TMContainer00000000000000000001.regtrans-ms (62718) into directory file 77386.
Recovering orphaned file S-3AF3~1.RE~ (62749) into directory file 77386.
Recovering orphaned file S-1-5-21-1297263482-2230557874-2472846458-1006-0-ntuser.dat{d63a3b93-25e0-11e4-bf7f-99b5dd60b5a9}.TMContainer00000000000000000002.regtrans-ms (62749) into directory file 77386.
  32 unindexed files scanned.                                       

Recovering orphaned file {D7E27~1 (62764) into directory file 662.
Recovering orphaned file {D7E27251-B347-4EB2-8C69-DC69B8EC8BC1} (62764) into directory file 662.
  0 unindexed files recovered.                                     

CHKDSK is verifying security descriptors (stage 3 of 3)...
  278016 file SDs/SIDs processed.                                       

Cleaning up 3691 unused index entries from index $SII of file 0x9.
Cleaning up 3691 unused index entries from index $SDH of file 0x9.
Cleaning up 3691 unused security descriptors.
CHKDSK is compacting the security descriptor stream
  36613 data files processed.                                           

CHKDSK is verifying Usn Journal...
The remaining of an USN page at offset 0x1fdadc000 in file 0x90
should be filled with zeros.
Repairing Usn Journal file record segment.
  35511216 USN bytes processed.                                           

Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

711987063 KB total disk space.
156226456 KB in 222956 files.
    127304 KB in 36616 indexes.
         0 KB in bad sectors.
    401843 KB in use by the system.
     65536 KB occupied by the log file.
555231460 KB available on disk.

      4096 bytes in each allocation unit.
177996765 total allocation units on disk.
138807865 allocation units available on disk.

Internal Info:
00 3e 04 00 fd f5 03 00 07 0c 07 00 00 00 00 00  .>..............
9d 16 00 00 49 00 00 00 00 00 00 00 00 00 00 00  ....I...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.

-----------------------------------------------------------------------

Corrine, since yesterday I have been using the computer as I used to. I have uninstalled and re-installed a program, and I use my passwords when needed. If I must stop, please tell me.

Corrine

Have you had any other "consistency check" messages?  The main thing is that the log didn't show any bad sectors. 

So the only concern is the slow startup.  When did that begin?



DR M

Hi, Corrine.

No, it was the first time I had a "consistency check" message.

As for the slow start up, I realized that it does not always occur. Actually, it takes between 2-3 minutes, a little more than before Sunday (1,5-2 minutes).  And because I don't want to spend your time, please, leave it there. For me, your word that the computer is not infected by anything is enough.

Thank you!!!  :rose:

Corrine

It is more than not being infected.  It is also that there are no bad sectors, which would indicate hard drive failure.  Regardless, be sure to keep important documents backed up.

Let's take care of removing the tools used:

Please download Delfix from here.

Ensure the following boxes are checked:
  • Remove disinfection tools
  • Create registry backup
  • Purge system restore

  • Click Run
Perhaps you should also reconsider allowing others to use your computer -- at least if you are not nearby to know what they are doing.



DR M

Quote: Perhaps you should also reconsider allowing others to use your computer -- at least if you are not nearby to know what they are doing.

Corrine, this is really a big problem... Sometimes I am the "small guy" who must give all the help to older relatives (cousins, sister, brother in law etc...) and sometimes I am the "big guy" who must help his smaller relatives (sister's children). Unfortunately others cannot understand that using my computer, my wi-fi and so on is a problem... The only thing I can do is try to train them, by saying what I know about all these...

Anyway, thank you very much, one more time.  :rose:

Additionally, I will dedicate a song to you.  :)  It is one of my favorite songs, and although it is in Greek, it has English subtitles, so you can read the lyrics.

So, to Corrine!

https://www.youtube.com/watch?v=GObr3H3ztFE

winchester73

Couldn't you avoid some of these problems if you created a guest account for others to use?  This would allow someone to have temporary access to your computer, they could log onto a network, browse the Internet, etc ... but they'd be unable to install software or hardware and change settings.

Guest account users:

* Can use certain programs installed by others
* Cannot access personal or password protected files
* Cannot install or open certain programs
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

DR M

Quote from: winchester73 on August 21, 2014, 03:11:57 PM
Couldn't you avoid some of these problems if you created a guest account for others to use?  This would allow someone to have temporary access to your computer, they could log onto a network, browse the Internet, etc ... but they'd be unable to install software or hardware and change settings.

Guest account users:

* Can use certain programs installed by others
* Cannot access personal or password protected files
* Cannot install or open certain programs

Till now, and especially the last two years, during which I have been extremely careful with my computer, I wanted things as simple as they could be. So, I didn't want to make any other user accounts, except the admin's. But I think I will change my mind and create one now.

Thank you, Winchester73.  :smiley:

Corrine

I clicked the Preview button and what did I see?
Quote: Warning - while you were typing 2 new replies have been posted. You may wish to review your post.

Actually, it wasn't that I was typing, I was listening.

Quote: Love the mountains and the seas,
The known and the unknown sites,
The birds, the flowers, the clouds,
and really love the people.

Thank you, Panos.  :hug: It is a beautiful song and the images included with the video make it all the more powerful.

So, to reinforce the suggestion winchester73 made, I had the same suggestion, which I will leave rather than changing my reply:

I understand the situation and you are very fortunate to have close family members.  What you can do when they need to use your computer is have them use the "Guest Account".  This account does not have administrative privileges so files that could damage your computer cannot be downloaded, settings cannot be changed, etc.  Yes, it takes extra steps to activate the Guest Account and then turn it off when they are finished, but in the long run would be worth those extra steps.  Instructions here:  Turn the guest account on or off - Windows Help.




winchester73

Quote from: DR M on August 21, 2014, 03:17:13 PM

Till now, and especially the two last years, where I am extremely careful with my computer, I wanted things as simple as they could be. So, I didn't want to make other user's account, except of the admin's. But I think I will change my mind and create one now.

Thank you, Winchester73.  :smiley:

In a "perfect world", none of us would have to give a second thought to letting a relative use our computer.   :D

DR M

Mission completed: a guest account has just been created.

Thank you, all.  :mitch:

Corrine

Good job, Panos.  Now, disable it when not in use and then activate it when your family needs it.



DR M

One more question, please:  :mitch:

Why must the account be disabled? What if I leave it enabled all the time?