Is my computer clean?


drmattnd

Hello, and thanks for taking the time to read my post.  :)

I've been concerned about malware after a couple of strange things happened. Basically, I went to update Windows, and the ActiveX control wouldn't run correctly. I finally found a fix to get Windows updated and tried to turn auto updates back on, but it wouldn't work. I found out I had an issue with the BITS registry entry. Trying to fix that, I learned that my user profile did not have administrator privileges, and so I had to create a new user account. Now everything appears fixed and updates seem to be working fine.

However, I'm wondering how my computer got into this state in the first place. I understand that this might be due to some kind of malware. However, I haven't been able to find anything serious.

I ran complete scans with Norton Security Suite and the Malicious Software Removal Tool, and all they came up with was PUM.Hijack.StartMenu. However, I was having trouble getting rid of those.

So then I downloaded MBAM, which removed the problem and was clear on another scan. I downloaded MBAR, and that was also clear. Spybot Search & Destroy also reports clear.

However, after reading around on here and some other forums, it seems like those scans might not be enough.

So I ran RogueKiller, ComboFix, and AdwCleaner, except I haven't taken any action on them because I don't understand what the reports all mean. I am hoping that if I post them here, somebody can take a look at them and advise whether there is any other action I should take, or if I can relax.

Here are the logs:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.28.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Matthew :: TENETN [administrator]

11/28/2013 2:31:32 PM
mbam-log-2013-11-28 (14-31-32).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 356278
Time elapsed: 2 hour(s), 47 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


****************************************************

RogueKiller V8.7.9 [Nov 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Matthew [Admin rights]
Mode : Scan -- Date : 11/29/2013 01:24:21
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x805D4C0C -> HOOKED (Unknown @ 0x86BA76A8)
[Address] SSDT[13] : NtAlertThread @ 0x805D4BBC -> HOOKED (Unknown @ 0x86B80650)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x805A8AEE -> HOOKED (Unknown @ 0x87411078)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805D66D0 -> HOOKED (Unknown @ 0x86BA1770)
[Address] SSDT[31] : NtConnectPort @ 0x805A4604 -> HOOKED (Unknown @ 0x86CE1358)
[Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x873B9828)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (Unknown @ 0x873B0C70)
[Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x873CFDA0)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x86BA17C8)
[Address] SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x873D94D0)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805B2FE6 -> HOOKED (Unknown @ 0x873EB0B0)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x805F9362 -> HOOKED (Unknown @ 0x86BA47C0)
[Address] SSDT[91] : NtImpersonateThread @ 0x805D7890 -> HOOKED (Unknown @ 0x86BA7650)
[Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x86D07490)
[Address] SSDT[108] : unknown @ 0x805B206E -> HOOKED (Unknown @ 0x873A3D68)
[Address] SSDT[114] : NtOpenEvent @ 0x8060F1E0 -> HOOKED (Unknown @ 0x86BA4748)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x873A16C8)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805EE030 -> HOOKED (Unknown @ 0x86BA4200)
[Address] SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (Unknown @ 0x86BA4698)
[Address] SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x8747F988)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x805B8452 -> HOOKED (Unknown @ 0x873C3888)
[Address] SSDT[206] : NtResumeThread @ 0x805D4A48 -> HOOKED (Unknown @ 0x86BB92C0)
[Address] SSDT[213] : NtSetContextThread @ 0x805D2C4A -> HOOKED (Unknown @ 0x86BA9650)
[Address] SSDT[228] : NtSetInformationProcess @ 0x805CDED0 -> HOOKED (Unknown @ 0x873C3B38)
[Address] SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (Unknown @ 0x86BA1820)
[Address] SSDT[253] : NtSuspendProcess @ 0x805D4B10 -> HOOKED (Unknown @ 0x86BA46F0)
[Address] SSDT[254] : NtSuspendThread @ 0x805D4982 -> HOOKED (Unknown @ 0x86B81650)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x86BAA1F8)
[Address] SSDT[258] : unknown @ 0x805D2502 -> HOOKED (Unknown @ 0x86BAB650)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x805B2E7C -> HOOKED (Unknown @ 0x86B7F238)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x873C0D90)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x86B5B5A0)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x864C4C10)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x864C4BB8)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x86BE79B8)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x864CC340)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x864C4AC8)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x864C12A0)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x864C4B30)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x864C4708)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x86BE7A30)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9160827AS +++++
--- User ---
[MBR] d7c96ef368bfbe710d21c4c72410325f
[bSP] a288bcca227a6c8399f57cda6208f2db : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152624 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_11292013_012421.txt >>


***********************************************************************

ComboFix 13-11-27.01 - Matthew 11/29/2013   0:53.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1015.407 [GMT -5:00]
Running from: c:\documents and settings\Matthew\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
C:\NPE.exe
c:\program files\HP\HPBTWD.exe
c:\program files\Mozilla Firefox\components\AskHPRFF.js
c:\windows\IMAGE.EXE.LOG
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\FlashPlayerApp.exe
c:\windows\system32\SET17A.tmp
c:\windows\system32\SET1A3.tmp
c:\windows\system32\SET96.tmp
c:\windows\system32\SET99.tmp
c:\windows\system32\SET9A.tmp
c:\windows\system32\SET9B.tmp
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DEFAULTTABSEARCH
-------\Legacy_NPF
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-28 to 2013-11-29  )))))))))))))))))))))))))))))))
.
.
2013-11-29 05:47 . 2013-11-29 05:47    26624    ----a-w-    c:\windows\system32\TrueSight.sys
2013-11-27 04:21 . 2013-11-27 04:21    --------    d-----w-    C:\found.000
2013-11-26 15:18 . 2012-06-02 20:18    214256    ----a-w-    c:\windows\system32\muweb.dll
2013-11-26 15:18 . 2012-06-02 20:18    275696    ----a-w-    c:\windows\system32\mucltui.dll
2013-11-26 00:51 . 2013-11-27 18:17    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2013-11-26 00:51 . 2013-11-27 07:34    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2013-11-25 22:29 . 2013-11-25 23:17    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-11-25 22:28 . 2013-11-25 22:54    47064    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-11-25 21:55 . 2013-11-25 21:55    --------    d-----w-    c:\documents and settings\All Users\Application Data\SMR410
2013-11-25 19:37 . 2013-11-26 17:26    --------    d-----w-    c:\documents and settings\Matthew
2013-11-24 16:18 . 2013-11-24 16:18    --------    d-----w-    c:\windows\system32\wbem\Repository
2013-11-23 23:03 . 2013-11-23 23:10    --------    d-----w-    c:\documents and settings\All Users\Application Data\Cisco Systems
2013-11-23 21:39 . 2013-11-23 21:39    --------    d-----w-    c:\program files\Windows Resource Kits
2013-11-20 21:22 . 2013-11-21 15:59    --------    d-----w-    c:\program files\Mozilla Thunderbird
2013-11-15 14:08 . 2013-11-15 14:08    --------    d-----w-    c:\program files\IDT
2013-11-15 14:08 . 2009-08-13 22:09    467036    ----a-w-    c:\windows\sttray.exe
2013-11-15 14:08 . 2009-08-13 22:09    3743744    ----a-w-    c:\windows\system32\stlang.dll
2013-11-15 14:08 . 2009-08-13 22:09    221266    ----a-w-    c:\windows\system32\stacsv.exe
2013-11-15 14:08 . 2009-08-05 17:35    737280    ----a-w-    c:\windows\system32\AESTFltr.exe
2013-11-15 14:08 . 2009-02-13 05:02    253952    ----a-w-    c:\windows\system32\AESTCtrl.cpl
2013-11-14 17:53 . 2013-11-14 17:53    --------    d-----w-    c:\program files\Duplicate Cleaner
2013-11-14 15:21 . 2013-11-14 15:21    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2013-11-14 15:21 . 2013-11-14 15:22    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2013-11-14 15:21 . 2013-04-04 19:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-11-14 14:45 . 2013-11-14 16:26    114688    ----a-w-    c:\windows\system32\chg.exe
2013-11-14 02:49 . 2013-11-14 02:56    --------    d-----w-    c:\windows\system32\MRT
2013-11-10 18:02 . 2013-11-10 18:02    --------    d-----w-    c:\program files\Evernote
2013-11-09 16:49 . 2013-07-17 00:58    123008    ------w-    c:\windows\system32\dllcache\usbvideo.sys
2013-11-09 16:49 . 2013-07-17 00:58    60160    ------w-    c:\windows\system32\dllcache\usbaudio.sys
2013-11-09 16:49 . 2013-07-03 02:12    25088    ------w-    c:\windows\system32\dllcache\hidparse.sys
2013-11-09 16:49 . 2013-07-03 01:59    14976    ------w-    c:\windows\system32\dllcache\usbscan.sys
2013-11-09 16:49 . 2013-08-09 00:55    144128    ------w-    c:\windows\system32\dllcache\usbport.sys
2013-11-09 16:49 . 2013-08-09 00:55    32384    ------w-    c:\windows\system32\dllcache\usbccgp.sys
2013-11-09 16:49 . 2013-08-09 00:55    5376    ------w-    c:\windows\system32\dllcache\usbd.sys
2013-11-09 16:49 . 2009-03-18 11:02    30336    ------w-    c:\windows\system32\dllcache\usbehci.sys
2013-11-09 16:44 . 2013-02-12 00:32    12928    ------w-    c:\windows\system32\dllcache\usb8023x.sys
2013-11-09 16:44 . 2013-02-12 00:32    12928    ------w-    c:\windows\system32\dllcache\usb8023.sys
2013-11-09 16:35 . 2012-01-11 19:06    3072    ------w-    c:\windows\system32\iacenc.dll
2013-11-09 16:35 . 2012-01-11 19:06    3072    ------w-    c:\windows\system32\dllcache\iacenc.dll
2013-11-08 23:13 . 2013-11-28 16:50    --------    d-----w-    c:\windows\system32\CatRoot2
2013-11-08 23:06 . 2013-11-08 23:12    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2013-11-08 23:03 . 2013-11-08 23:03    --------    d-----w-    c:\program files\Tweaking.com
2013-11-08 21:52 . 2013-07-10 15:21    381440    ----a-w-    c:\windows\system32\wer.dll
2013-11-08 21:52 . 2004-01-24 08:17    25088    ----a-w-    c:\windows\system32\efsadu.dll
2013-11-08 21:51 . 2012-11-01 22:22    194048    ----a-w-    c:\windows\system32\IEShims.dll
2013-11-08 03:53 . 2013-10-13 07:25    522240    ------w-    c:\windows\system32\dllcache\jsdbgui.dll
2013-11-08 01:23 . 2013-11-08 01:26    --------    dc-h--w-    c:\windows\ie8
2013-11-08 00:59 . 2013-11-08 22:50    --------    d-----w-    C:\Downloads
2013-11-08 00:44 . 2013-11-24 16:18    --------    d-----w-    c:\documents and settings\Administrator
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-25 23:40 . 2011-12-07 21:22    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-13 07:25 . 2011-03-22 19:20    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-10-13 07:25 . 2011-03-22 19:20    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-10-13 07:25 . 2011-03-22 19:20    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-10-13 07:24 . 2009-03-08 08:33    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-10-13 06:57 . 2011-03-22 19:20    385024    ----a-w-    c:\windows\system32\html.iec
2013-10-12 15:56 . 2009-10-13 10:30    278528    ----a-w-    c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2008-10-23 12:36    287744    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2008-04-15 12:00    603136    ----a-w-    c:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2010-08-26 12:52    7168    ----a-w-    c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-08-13 467036]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2011-01-15 452016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-03-15 2565520]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-15 110592]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-08-05 737280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"instanteyedropper"="c:\program files\InstantEyedropper\InstantEyedropper.exe" [2007-10-17 352256]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13    64592    ----a-w-    c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\UO\\Ultima Online - Excelsior Shard\\client.exe"=
"c:\\Program Files\\UOAM\\uoam.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"9000:TCP"= 9000:TCP:Logitech Media Server 9000 tcp (UI)
"9001:TCP"= 9001:TCP:Logitech Media Server 9001 tcp (UI)
"9002:TCP"= 9002:TCP:Logitech Media Server 9002 tcp (UI)
"9003:TCP"= 9003:TCP:Logitech Media Server 9003 tcp (UI)
"9004:TCP"= 9004:TCP:Logitech Media Server 9004 tcp (UI)
"9005:TCP"= 9005:TCP:Logitech Media Server 9005 tcp (UI)
"9006:TCP"= 9006:TCP:Logitech Media Server 9006 tcp (UI)
"9007:TCP"= 9007:TCP:Logitech Media Server 9007 tcp (UI)
"9008:TCP"= 9008:TCP:Logitech Media Server 9008 tcp (UI)
"9009:TCP"= 9009:TCP:Logitech Media Server 9009 tcp (UI)
"9010:TCP"= 9010:TCP:Logitech Media Server 9010 tcp (UI)
"9100:TCP"= 9100:TCP:Logitech Media Server 9100 tcp (UI)
"8000:TCP"= 8000:TCP:Logitech Media Server 8000 tcp (UI)
"10000:TCP"= 10000:TCP:Logitech Media Server 10000 tcp (UI)
"9090:TCP"= 9090:TCP:Logitech Media Server 9090 tcp (UI)
"3483:UDP"= 3483:UDP:Logitech Media Server 3483 udp
"3483:TCP"= 3483:TCP:Logitech Media Server 3483 tcp
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\1404000.028\symds.sys [7/16/2013 8:59 AM 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\1404000.028\symefa.sys [7/16/2013 8:59 AM 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\BASHDefs\20131114.001\BHDrvx86.sys [11/19/2013 11:46 AM 1096280]
R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\N360\1404000.028\ccsetx86.sys [7/16/2013 8:59 AM 134744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\1404000.028\ironx86.sys [7/16/2013 8:59 AM 175264]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [4/5/2011 11:00 AM 12184]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\20.4.0.40\ccsvchst.exe [7/16/2013 8:59 AM 144368]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/21/2009 2:13 PM 113664]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/26/2013 10:23 PM 108120]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20131128.001\IDSXpx86.sys [11/29/2013 12:44 AM 380824]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/31/2009 11:11 AM 39424]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [8/24/2010 12:30 PM 42648]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [8/24/2010 12:30 PM 12184]
S3 ExpressAccountsService;Express Accounts;c:\program files\NCH Software\ExpressAccounts\expressaccounts.exe [7/12/2010 6:10 PM 2179076]
S3 ExpressInvoiceService;Express Invoice;c:\program files\NCH Software\ExpressInvoice\expressinvoice.exe [7/12/2010 6:09 PM 3153924]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [12/18/2010 2:50 PM 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [12/18/2010 2:50 PM 8320]
S3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [1/14/2012 6:54 PM 13440]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [5/7/2009 6:23 PM 160256]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 23:40]
.
2013-11-26 c:\windows\Tasks\expressinvoiceShakeIcon.job
- c:\program files\NCH Software\ExpressInvoice\expressinvoice.exe [2010-07-12 23:09]
.
2013-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-22 18:49]
.
2013-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-22 18:49]
.
.
------- Supplementary Scan -------
.


FF - ProfilePath - c:\documents and settings\Matthew\Application Data\Mozilla\Firefox\Profiles\jas4fhvy.default\
FF - ExtSQL: 2013-11-22 17:36; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\IPSFF
FF - ExtSQL: 2013-11-25 14:38; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn
FF - ExtSQL: 2013-11-25 16:44; support@lastpass.com; c:\documents and settings\Matthew\Application Data\Mozilla\Firefox\Profiles\jas4fhvy.default\extensions\support@lastpass.com
.
.
------- File Associations -------
.
.txt=bftxtfile
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
HKLM-Run-HP BTW Detect Program - c:\program files\HP\HPBTWD.exe
HKU-Default-Run-Google Update - c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-29 01:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\20.4.0.40\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1580)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2013-11-29  01:16:59 - machine was rebooted
ComboFix-quarantined-files.txt  2013-11-29 06:16
.
Pre-Run: 111,881,023,488 bytes free
Post-Run: 112,016,490,496 bytes free
.
- - End Of File - - 5FFF630DC87B878C696AC648AF906D59
D6762EA8C5783F09472AEBD5E1834208


*************************************************************************************


# AdwCleaner v3.013 - Report created 29/11/2013 at 01:31:21
# Updated 24/11/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Matthew - TENETN
# Running from : C:\Documents and Settings\Matthew\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Program Files\Mozilla Firefox\Components\AskSearch.js
Folder Found : C:\Documents and Settings\LocalService\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
Folder Found C:\Documents and Settings\All Users\Application Data\NCH Software
Folder Found C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Found C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Found C:\Program Files\NCH Software
Folder Found C:\Program Files\Viewpoint

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\NCH Software
Key Found : HKLM\Software\AskBarDis
Key Found : HKLM\SOFTWARE\Classes\AppID\{7ABBFE1C-E485-44AA-8F36-353751B4124D}
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B0DE3308-5D5A-470D-81B9-634FC078393B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4634804A-F0B0-4A74-A550-FC0EEF8A4362}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4C07EA4F-5F52-4222-B170-4CD9ED33BAEA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C44FEFF4-EF0C-4CF7-83D0-92B4266A32B9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F131923C-381D-4E4C-A472-4A17118FD742}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4B1C1E16-6B34-430E-B074-5928ECA4C150}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{D2E5FA06-DCC7-46F9-BEFF-BFD06F69B9B2}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\DefaultTab
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
Key Found : HKLM\Software\InstallIQ
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DefaultTab
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\hotspotshield
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Softonic
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\NCH Software
Key Found : HKLM\Software\Viewpoint

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Documents and Settings\Matthew\Application Data\Mozilla\Firefox\Profiles\jas4fhvy.default\prefs.js ]


[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\r24us0iz.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [4294 octets] - [29/11/2013 01:31:21]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4354 octets] ##########

Thanks again!


Oh, I forgot one other strange thing: I got an email from Comcast/Xfinity last week saying that my computer might be infected with a bot. Customer service was generally unhelpful in telling me what, exactly, triggered that email. What is odd is that I was out of town at the time and had actually turned my modem and router off. Is there something else I can do to detect if my computer is being recruited for a DDoS attack?


Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
