Relics

Honorary Members, 37 posts
Everything posted by Relics

  1. I've reset everything and completed the steps you advised. Thank you for all the help.
  2. SEP ran clean and didn't detect anything. Are there any other scans or have we come to the end of the road and things are "clean"?
  3. The force of water is amazing...those are crazy images.
  4. I have re-enabled SEP and am performing a full scan now. I will report back. Thank you.
  5. The ESET scan ran clean this time, nothing detected. Is there anything further needed to ensure the system is clean?
  6. Technically the tasks are still not running and the system is "clean" from that perspective. I'm running another ESET scan to see if that runs clean after I rebooted again. The scan itself takes about 8 hours to run, so I should know more in about 5.5 hours (it's been running for 2.5 and found 0 issues so far). Thanks for all the help to this point.
  7. Eh...spoke too soon, it's finding things now...strange. I'll report back when it's done. There's about 1TB of disk in use on this system so it'll take a bit.
  8. I am going to perform that scan now. I do want to mention though that I had previously (before I started this thread) run the ESET scan and it did not report any issues (ran clean), so I have little faith that it will report anything about this problem (accurately) this time either. Running it now regardless.
  9. I forgot to mention one thing...somewhat a side note. The running processes on this system now are at 69, before it was 72. I'm somewhat curious to know what those 3 missing ones are (or if they are random OS/application processes that just haven't spawned yet).
  10. At this point the system load has stabilized and the system has run (logged in) for several minutes without seeing any of the previously evil tasks having spawned. Please advise on anything further you would like to see or have done (your help has been GREATLY appreciated btw).
  11. System requested a reboot to finish. Rebooted. OTL launched automatically and produced the following output: I am waiting for the system to fully finish loading software before I comment on whether the "infected" issue is still visually present (i.e., tasks spawning, etc.).
  12. I downloaded ComboFix.exe (renamed as instructed), but the program will not run. This is neither (see HJT log). Please advise.
  13. Same as above, re-analysed with the following output: The output from the AITA doesn't look great if my guess at reading those results is anywhere close to accurate.
  14. Replace "direction" with "directory" above... The file was previously uploaded to that site. I selected "re-analyse" and I'm not quite sure how to read the results.
  15. I've been looking for this file forever and could never find it. My default settings in explorer are always to not hide anything (hidden, system, etc). I even tried to go into this path from a cmd shell and couldn't get there. I just went into the Application Data direction and re-checked the settings at that level and sure enough, hide protected operating system files was enabled again. I've reset that and uploaded that file.
  16. Well...ummm... Not sure where I went wrong on that reply... I started off by talking about the credentials needed to access the passwords you've stored. Anything less than 2-factor is probably something attackable by brute force. So, I won't assume anything here... http://en.wikipedia.org/wiki/Two-factor_authentication The most common implementation is RSA SecureID cards. You need a PIN, plus an auto-rotating time-based code (something you have, the card; something you know, the PIN). I guess the biggest concern I would have as a security person is that the passwords are still stored in a single place by all the software I've ever seen. PCI compliance (credit card industry requirements) has something going for it by requiring key data be split across completely different systems. Compromising any 1 piece doesn't reveal enough to provide any good data...but I'm sort of out on the extreme maybe on this stuff.
  17. Classic...simple...and funny
  18. See...it wasn't Al Gore after all!
  19. We all try to get that bill to be "$0" every year. So long as they don't start paying out refunds in that way I'm cool.
  20. That's....strange...and interesting all at the same time.
  21. Isn't that why most Karaoke bars are just that...Bars? It helps ensure that item holds true.