KitM

Honorary Members, 27 posts

Everything posted by KitM

  1. MBR, reformat, reinstall - absolutely. That would've been the fourth step I would have taken in this thread after 3 tries of some type of remediation. However, with a box which has the most recent BIOS available dated 2009, I'll wager Windows 10 would probably brick it faster than this current gnat (potential hornet). I now have to also trace constant (every 10 mins.) DCOM errors - I knew that I should have stayed away from Event Viewer. I do thank you for your help. Stay safe.
  2. I've got these events (EventView_Security.jpg, below) that coincide with some of the entries in psswrd.log. The other two files (EventID_4625.txt & EventID_4723.txt) are the info. The notes in parentheses are mine. You'll notice on the first page of 4625, under the heading "Detailed Authentication Information:", there is the entry "Logon Process: Advapi". Now, there is a legitimate file "advapi32.dll" in /system32, but wouldn't that notation then be "Logon Process: Advapi32"? There is talk on the tubes about a "NetDevil" variant malware. Something named "advapi.dll". It appears that the way this "trigger system" is structured, it won't work for more than one reason. More than likely, it wouldn't work even if Admin. were operational. What do you think? EventID_4625.txt EventID_4723.txt
  3. Thanks for staying with me. I'm in the middle of communications with my insurance company. I'm going to hold off on the router re-set until it's finished just in case I kludge something. It may take a couple of days.
  4. Great. As I said, nothing happens until I initiate the LAN connection. It starts and then activates/scans every hour after until I'm off the LAN. As far as I know, I do nothing in my life as regularly as this, so it's not an action of mine. Two things right off the bat: 1. It's monitoring/activated by contact with the LAN 2. Guessing members is no big deal, but it does ask for a password change for a unique member (Capn Snappy). As long as the comm is open - every hour. I'm rooting around in Event Viewer trying to find things by matching time markers.
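A way to pull the 4625/4723 events that posts 2 and 4 are matching against the password log by hand, as an added example that is not part of the original thread. It assumes only the built-in Security log and an elevated PowerShell 2.0 prompt (the Windows 7 default, hence no `[pscustomobject]`); the 7-day window and the CSV path are arbitrary choices.

```powershell
# Added example, not from the thread. Pulls 4625 (failed logon) and 4723
# (password-change attempt) events, flattens the fields the poster is reading
# off the event text, and measures the gap between consecutive events so an
# hourly poller stands out. Needs an elevated prompt (Security log).
$since  = (Get-Date).AddDays(-7)          # assumed window; widen as needed
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4723; StartTime = $since } `
          -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time         = $e.TimeCreated
        Id           = $e.Id
        Target       = $d['TargetUserName']     # account being logged on / changed
        Caller       = $d['SubjectUserName']    # account that issued the request
        LogonProcess = $d['LogonProcessName']   # 4625 only; 'Advapi' = LogonUser() API call
        LogonType    = $d['LogonType']
        Status       = $d['Status']             # 0xC000006A bad password, 0xC0000064 no such user
        Process      = $d['ProcessName']        # 4625 only: caller process path
        Source       = $d['IpAddress']
    }
}

# Who is being targeted, and how often
$rows | Group-Object Id, Target | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Cadence: minutes between consecutive events of the same ID. A process that
# fires every hour after the LAN comes up shows as a run of ~60-minute gaps.
$rows | Sort-Object Time | Group-Object Id | ForEach-Object {
    $prev = $null
    foreach ($r in $_.Group) {
        $gap = if ($prev) { [math]::Round(($r.Time - $prev.Time).TotalMinutes, 1) } else { '' }
        '{0:yyyy-MM-dd HH:mm:ss}  id={1}  gap={2,7} min  target={3,-16} logon={4,-8} status={5}  proc={6}' -f `
            $r.Time, $r.Id, $gap, $r.Target, $r.LogonProcess, $r.Status, $r.Process
        $prev = $r
    }
}

# Keep a copy to line up against the timestamps in PASSWD.LOG
$rows | Sort-Object Time | Export-Csv -NoTypeInformation "$env:USERPROFILE\Desktop\sec_4625_4723.csv"
```

The `Process` column (the caller process path in 4625) and the `Caller` column (the subject in 4723) are the two fields that say which program is issuing the requests; the gap column says whether it really is hourly and whether the run starts at the moment the LAN is enabled.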
  5. Thanks for all your help on this subject. I can't find anything addressed in my original question/situation that hasn't been addressed. No obvious problems. I'm thinking that we can close this and I'll probably start another thread on the password log. What do you think?
  6. Windows Management Framework wasn't in the box in Windows 7 (etc.), but I did use 'cmd.exe' > 'net.exe /user' (admin) to get a list of three: 1. Administrator 2. Capn Snappy 3. Guest Please let me know if you need more info and I'll install Win. Mgt. Framework and use the Get-LocalUser command.
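An added example, not from the thread, for the account listing asked about in post 6: Get-LocalUser needs WMF 5.1, so on a stock Windows 7 install this uses WMI and the WinNT ADSI provider, both present in PowerShell 2.0, and adds the fields worth knowing for an account that keeps receiving password-change requests. Function names are mine; run from an elevated prompt.

```powershell
# Added example, not from the thread. Lists local accounts with password age,
# last logon and bad-password counter, plus the members of a local group.
function Get-LocalAccountReport {
    Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | ForEach-Object {
        $u = [ADSI]('WinNT://./{0},user' -f $_.Name)
        $last = $null
        try { $last = $u.LastLogin.Value } catch { }   # throws if the account never logged on
        New-Object PSObject -Property @{
            Name         = $_.Name
            SID          = $_.SID
            Disabled     = $_.Disabled
            PasswordAgeD = [math]::Round($u.PasswordAge.Value / 86400, 1)  # seconds -> days
            LastLogin    = $last
            BadPwdCount  = $u.BadPasswordAttempts.Value
        }
    }
}

function Get-LocalGroupMembers {
    param([string]$Group = 'Administrators')
    $g = [ADSI]('WinNT://./{0},group' -f $Group)
    foreach ($m in $g.psbase.Invoke('Members')) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

Get-LocalAccountReport | Format-Table Name, SID, Disabled, PasswordAgeD, LastLogin, BadPwdCount -AutoSize
'Administrators: ' + ((Get-LocalGroupMembers) -join ', ')
```

A password age that resets every hour, or a bad-password counter that climbs in step with the 4625 events, ties the account to the requests without reading the event text by hand.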
  7. I don't know what happened, but I could not load Pics 4 & 5, but would load the same first three more than once, and it didn't show that it had attached more than just the three individual files. Sorry about that. Here are the other two. Interesting. Pic _4 is blank. Nothing. When I tried to upload _4 & _5, the page wouldn't take them. I opened _4, the completely blank one, and just put one space and saved it. They then all uploaded. I'm guessing when the file shows 0 KB, then it's not taken. PASSWD_LOG_2022_04_19_04.txt PASSWD_LOG_2022_04_19_05.txt
  8. I had completely forgotten about JAVA. Very sloppy on my part. It's gone. Regarding the PASSWD.LOG file: it's located in the 'C:\Windows\debug' folder. Its behavior is unsettling. Pic _01 is start-up with LAN enabled and online for 3 hours. It hits at the same hour as the first hit for as long as you're on. Pic _2 is the same file where I logged off and then back on - 13:42:24. Pic _03 is the file after restarting. Pic _04 (BLANK) is the file after restarting with the LAN disabled. Pic _05 is the file after enabling the LAN. NOTE: I'll have to send you the last 2 files when I can comment next. This page won't let me attach more than 3 files. Kit Massengill PASSWD_LOG_2022_04_19_01.txt PASSWD_LOG_2022_04_19_02.txt PASSWD_LOG_2022_04_19_03.txt
  9. Here they are. Thanks. Addition.txt FRST.txt
  10. Yikes. Nope ... too old. Both the machine and I. I know this is probably taking longer than necessary, but I would like to ask just two more questions if you wouldn't mind. 1. What is with the constant hourly "hitting" for changing 4 passwords indicated in the PSSWD.LOG file? It only happens when my internet is active. (this is why I brought up Win Def. Scan Offline) 2. Am I wrong to be concerned/paranoid by having my CPU unprotected when I do the FRST64 scan? Thanks for your patience. I'll try to finish this with this last scan.
  11. I've mounted the ISO so that I can boot to it on startup. Isn't that the way to check for Rootkits?
  12. Quick question: What do you think about my running Windows Defender Offline scan?
  13. It's OK to leave the box open to the internet without protection during that MS hours long scan? Also, concerning the PASSWD.LOG, nothing happens until the moment I enable the LAN. Then, it hits every hour until I shut down. I'll redo the MS scan tonight naked (the cpu, not me).
  14. Disabled both MalB & BitD & disabled my Net. Started the scan. Checked about 16 min. after start and saw that 77,000+ files had scanned and there was "1 file infected". I let it continue through the night. The next morning, it had completed, there was a notice (Safety_Scan) (paraphrasing) that there were no viruses and no problems. I apologize, but that concerned me so I jumped ahead. Next, I ran it as a quick scan and noticed that the "infected" file showed up in the 40,000+ count. After I saw the area of the problem, I canceled the scan. Again, the message "no problem". I ran the quick scan again and videoed it. I crawled the frames and found between file number 42861 and number 42865 - (pics) ....\AppData\ ... \adblockultimate@adblockultimate.net.xpi ...etc...etc. Removed the extension and checked for residuals (folders, etc.). Even if it's a false positive - I don't care. It's gone. Another thing - there was another file "PASSWD.LOG" in "debug". Don't know if it's part of the scan, but it does look important (attached). The "msert.log" is dated 4/14/2022 5:01 PM and the "PASSWRD.LOG" is dated 4/14/2022 5:42. It appears to have started at 2:24 PM and cycled each hour at the same time. And one more thing (please excuse). I've never had this happen ever. I've had to ask for a new password for the last three or four times I've logged in here. We'll see tomorrow. Hope I didn't foul things up. I'm going to run the full scan again tonight. Thanks. msert.log PASSWD.LOG
  15. Well, the Firefox browser is certainly quicker. Also, when right clicking on a folder or a file in explorer, the menu comes up more quickly. Fixlog.txt
  16. Oh, nutz ... just went ahead and submitted the above without the attachments ... .. and here they are ... FRST.txt Addition.txt
  17. Well, this has certainly shown me how long it's been since I was M$ certified - my certification was with Windows NT. Yeah, that old. Please excuse my information omissions. 1. The original problem was the inability to scan or open "mlkumidi.log". After the first scan procedure, it scanned and opened with no problem. It is a true text log file for MIDI file procedures. 2. When I did the last scan (yesterday), I only "allowed" the app through both MalB and BitD and didn't close them completely. Obviously, that was a "user" mistake - how far I've fallen. The attached files are done with the correct protocols.
  18. To make sure I'm doing this by the letter, you said to disable Bitdefender - do I then leave Malwarebytes alone running as is?
  19. Here they are ... and, yeah, that BIOS does say 2009. Again, thanks for your trouble. FRST.txt Addition.txt
  20. I ran the procedure. No hiccups until CHKDSK C: /F - See pic "No_CHKDSK_C.jpg". Loaded Windows repair disk, ran CHKDSK E: /F (Boot from CD - C: drive reassigned to E:) - See pic "Repair_CHKDSK_C.jpg". Also attached is the resultant "Fixlog.txt" - Check out the (to me) scary "周攠瑹灥映瑨攠晩汥...etc., etc., etc. - in two places - Yikes ... Fixlog.txt
  21. Thanks. I'll get to it this weekend and get back to you by Monday. And thanks for the Oppenheimer quotes. Very prescient. And also, the Shatner Avatar. Very acty.
  22. Thanks for the extremely quick response. I forgot to tell you that this problem happened after a few changes (There're also the BSODs of an unsigned Tascam driver - another story). I had done a "fsutil dirty query C:", (boot on a sys repair disk and then full chkdsk on the unmounted C:). Just after that, during the usual daily update of MalBytes and BDefend, I had to reboot after one or the other's update. The DAW I use to compose with is still very jerky - its memory and disk access monitors don't show abnormal behavior. When I run Borderlands, the mouse sticks like a brick. Too much stuff to trace an exact through line, so I'm just hit-and-missing this now. Thanks again for your trouble. Take a few days off away from tech talk. Enjoy the Holidays.
  23. The setup is all 64Bit. All of the conditions that you enumerated had been done except for the TLS 1.1 & TLS 1.2 security settings and the KB4516065 update. I had to edit the registry for the two TLS protocols. Interestingly, the SSL 2 was set as - DisableByDefault: 1. With the addition of the 2 TLSs, I've kept it disabled. However, KB4516065 did not update. I got a "The update is not applicable to your computer" (attached). I also found an "Unknown Account" with security access to my Docs folder and a couple of others but not any system files or folders. By the way, thanks for your help. I was in IT for a decade or so and I do appreciate your time.
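The registry edit post 23 describes doing by hand, as an added example that is not from the thread. Each protocol has a Client (outbound) and Server (inbound) subkey under the SCHANNEL Protocols key; the value names are Enabled and DisabledByDefault, and the change takes effect after a reboot. The function names are mine; it sets only what the post says was changed (TLS 1.1 and 1.2 on, SSL 2.0 left off).

```powershell
# Added example, not from the thread. Reads and sets the SCHANNEL protocol
# switches. Enabled=1 + DisabledByDefault=0 turns a protocol on,
# Enabled=0 + DisabledByDefault=1 turns it off. Run elevated; reboot afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Show-SchannelProtocols {
    foreach ($p in Get-ChildItem -Path $base) {
        foreach ($side in 'Client', 'Server') {
            $k = Join-Path -Path $base -ChildPath "$($p.PSChildName)\$side"
            if (Test-Path -Path $k) {
                $v = Get-ItemProperty -Path $k
                '{0,-8} {1,-6} Enabled={2,-4} DisabledByDefault={3}' -f $p.PSChildName, $side, $v.Enabled, $v.DisabledByDefault
            }
        }
    }
}

function Set-SchannelProtocol {
    param([string]$Protocol, [bool]$Enabled)
    foreach ($side in 'Client', 'Server') {
        $k = Join-Path -Path $base -ChildPath "$Protocol\$side"
        if (-not (Test-Path -Path $k)) { New-Item -Path $k -Force | Out-Null }
        New-ItemProperty -Path $k -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $k -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

'Before:'; Show-SchannelProtocols
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false   # the post keeps this one off
'After:';  Show-SchannelProtocols
```

Running Show-SchannelProtocols first and keeping its output is the cheap way to record what the box looked like before the edit; a protocol key that is absent altogether means the OS default applies for it.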
  24. Stuff: Windows 7 Home Premium (yeah, yeah, I know) 64Bit. There's a file "mlkumidi.log" in the Windows folder that when I scan it with MBytes, it scanned it for 1 min. 22 secs. and came up "Items Scanned 0" with "0"s on all the other notifications. I tried to read it but even though I've got Admin security privs, I'm not the owner and it can't/won't tell me who is - thus, I can't open it to read it. Bitdefender says it scanned something for 00:01 secs and all "0"s. I know that it's probably part of the MusicLab app, but, for me, it's strange that I have no control over it and can't at least read it. Both MBytes and BDefend are up to date. Thanks in advance for your time and trouble. Your software and servicing are fantastic.
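An added example, not from the thread, for the two things posts 23 and 24 could not get out of Explorer: the owner of a file the poster is not allowed to open (mlkumidi.log in the Windows folder), and which entries on the Documents folder belong to a SID that no longer resolves to a name, which Explorer displays as "Unknown Account". Function names are mine and the paths are the ones named on the page.

```powershell
# Added example, not from the thread. Reports owner and ACEs of a path, flags
# entries whose SID cannot be translated to a name ('??'), and optionally drops
# the explicit orphaned ones. Run elevated.
function Test-ResolvableIdentity {
    param([System.Security.Principal.IdentityReference]$Id)
    try { [void]$Id.Translate([System.Security.Principal.NTAccount]); $true } catch { $false }
}

function Get-AclReport {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    "Path:  $Path"
    "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        $flag = if (Test-ResolvableIdentity $ace.IdentityReference) { '  ' } else { '??' }
        '{0} {1,-45} {2,-5} {3,-9} {4}' -f $flag, $ace.IdentityReference.Value, $ace.AccessControlType,
            $(if ($ace.IsInherited) { 'inherited' } else { 'explicit' }), $ace.FileSystemRights
    }
}

# Removes explicit ACEs whose SID cannot be resolved; inherited ones have to be
# removed at the parent folder. Returns how many were dropped.
function Remove-OrphanAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $orphans = @($acl.Access | Where-Object {
        -not $_.IsInherited -and -not (Test-ResolvableIdentity $_.IdentityReference) })
    foreach ($ace in $orphans) { [void]$acl.RemoveAccessRule($ace) }
    if ($orphans.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    $orphans.Count
}

Get-AclReport -Path "$env:windir\mlkumidi.log"
Get-AclReport -Path "$env:USERPROFILE\Documents"
# Only after reviewing the '??' lines:
# Remove-OrphanAce -Path "$env:USERPROFILE\Documents"
```

`icacls <path>` from an elevated cmd prompt lists the same entries if PowerShell is not convenient. If even Get-Acl is refused on the file, `takeown /F <path>` as Administrator takes ownership, but that rewrites the file's security descriptor, so do it only once the question of who owned it has been answered from the report or from the scan logs.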
  25. All of these attempts happen when the program is open yet unused. They happen when I'm doing nothing. They happen surreptitiously - or, rather, would happen that way without Malbytes notifications - with "fdm.exe" open in the background not being used. They do stop when fdm.exe is closed.