PC Hijacked & Need Help Removing/Eradicating


  • This topic is locked
53 replies to this topic

#46 CelestialAura (Topic Starter)

Posted 10 January 2012 - 06:03 PM

HAPPY BIRTHDAY m0le!

Sounds good. Also, not sure if this means anything, or just a fluke, but I always unplug my USB from router to PC to disconnect the connection when not in use. So this morning, I plugged back in, & forgot to notice when the adapter icon showed re-connection. So I had loaded & was using the browser, & had no problems being online, but then had looked down at one point, & noticed that the adapter status was still in "acquiring IP address" status. If that is the case, should I technically have been able to pull up & use the browser online without issues? I have the adapter set w/manual/static IP, gateway & DNS servers, NetBIOS disabled. Set up is modem--->Buffalo AirStation A&G wireless router (wireless disabled & only hardwired PC) ----> PC. Not sure if this is anything, but I disabled the adapter connection & re-enabled & all was fine.

I will go ahead & implement updates & will report back!

#47 CelestialAura (Topic Starter)

Posted 10 January 2012 - 06:04 PM

PS: So you think that's a fluke w/OTL & not Winsock? I remember using OTL quite a while back on the same PC without that issue...

#48 CelestialAura (Topic Starter)

Posted 10 January 2012 - 08:05 PM

Ok, so Windows updates went smoothly... while I was at it, I checked Java & that reported to be up to date as well, & Firefox had v9.01 which I had updated as well, & I also checked & updated my addons & extensions... So should be good to go!

#49 m0le (Malware Response Team)

Posted 10 January 2012 - 08:49 PM

Yep, good to go. I think the OTL scan was just a fluke.

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

If you used DeFogger now is the time to enable your CD emulation software again.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir - though if you choose Avira you should make sure that you uncheck the box offering to install the Ask toolbar. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it CelestialAura, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#50 CelestialAura (Topic Starter)

Posted 11 January 2012 - 09:39 PM

Hello.. so, followed your steps to a T... went smoothly. Cleaned up any excess log files that were created that OTC didn't get. I then rebooted, ran CCleaner to clean up temp files, prefetch, browser garbage, general stuff that accumulated since I hadn't really been doing any maintenance during the whole process. Downloaded fresh Avira Antivirus & Online Armour. Ran Avira, did its quick scan during install & then once installed did a complete system scan. Everything clean, except for the mention of these hidden objects:

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\DbgagD\1\value
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\display string
[NOTE] The registry entry is invisible.

Not sure if that means anything or not? So, I then installed Online Armour. Went fine, got to the reboot stage, PC restarted, & a little into loading I received an "Online Armour service cannot start" error box. Opened Security settings, noted that Windows Firewall was still active, turned WF off, went back to the main dialog screen in Security, & it noted that Outpost Firewall was on & protecting the system. So I went into Services, noted that I had no ability to start or stop Online Armour. So I opted to start Online Armour via the Start menu. It loaded, I went & adjusted settings. Now Security Ctr. states that at least one of my firewalls is on & running (w/notation I shouldn't have more than one firewall product at a time, DUH!) So, I did a Windows search via "outpost" & "agnitum" keywords, nada... Manually looked through Program Files, app data files, etc... nada. Figuring this would be in the registry, I backed up the registry, & attempted to perform a search via the registry. The registry finder won't work. The dialog box loads, I type in the keyword, click "find", & the icon doesn't circle around indicating it's working; I waited a while, & it was clearly not searching. So no working search function in the registry. So I pulled up JV16 Power Tools. Did my search for outpost keywords via its reg. finder. Nada. So I then browsed through the programs that JV16 listed as being in the registry. Nada. So I did a deep custom software removal scan via JV16.. nada. So I started to manually browse the registry. Well, nothing apparent in any of the areas I am familiar with where it would have been. So I cannot locate the remnants of Outpost to prevent further conflict.

Which brings me to another question. Any idea what this would be, & if there would be any legit program on my pc that would be using it? :
HKEY_CLASSES_ROOT\WeOnlyDo.File Blob

For some reason, when I was manually scanning down in reg. to find the outpost keys that may be lurking, several of these, in a row, in root, caught my eye. They all refer to WeOnlyDo...several of them. I did a search online, & really just came up with indication that whatever this is, allows programs to install without registering. All the little info I could find, was all support for people trying to implement. Sounds like it allows remote access. Didn't sound too good to me, although I thought there still may be legit use for it. I then came upon this in an article:

[SA20361] wodSFTP ActiveX Component Arbitrary File Access Vulnerability Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2006-05-31

Description
Will Dormann has reported a vulnerability in WeOnlyDo wodSFTP, which can be exploited by malicious people to disclose sensitive information and potentially compromise a user's system.

The vulnerability is caused due to the wodSFTP ActiveX control being marked as "safe for scripting" via the IObjectSafety interface. This can be exploited to retrieve files from, or to download files onto the user's system via malicious script code in a HTML document.

Successful exploitation requires that the user is e.g. tricked into visiting a malicious web site.

The vulnerability has been reported in the latest version.


Solution
Disable the wodSFTP ActiveX control by setting the kill bit.


Provided and/or discovered by
Will Dormann, CERT/CC.

Original Advisory
US-CERT VU#378604:
http://www.kb.cert.org/vuls/id/378604

If you could shed some light, I'd appreciate it! Maybe I'm just being paranoid, but better to be safe than sorry ;)

One last thing.... When I went to pull the log just now, of Avira & the hidden files it detected, so I could post them in this message to you, I noticed these temp files... When installing Avira, (free), wants to know if I want the Ask Toolbar. Of course I opted out. Well, I pulled up these temp files, & here is what I found:

INFO 1/11/2012, 2:44:29 Proceed with checks. Cleanup not required
INFO 1/11/2012, 2:44:29 AVR-IDW
INFO 1/11/2012, 2:44:29 Checking for OS / browser support
INFO 1/11/2012, 2:44:29 OS supports toolbar installation
INFO 1/11/2012, 2:44:29 Default browser is allowed
INFO 1/11/2012, 2:44:29 Interim toolbar does not exist
INFO 1/11/2012, 2:44:29 CAP toolbar does not exist
INFO 1/11/2012, 2:44:29 Super toolbar does not exist
INFO 1/11/2012, 2:44:30 Set Registry "HKEY_CURRENT_USER\SOFTWARE\Ask.com.tmp\General" with value(s):
INFO 1/11/2012, 2:44:30 apn_dbr = "ff_9.0.1" Succeeded.
INFO 1/11/2012, 2:44:30 cbid = "LL" Succeeded.
INFO 1/11/2012, 2:44:30 client = "ic" Succeeded.
INFO 1/11/2012, 2:44:30 clientv = "5.1.0.0" Succeeded.
INFO 1/11/2012, 2:44:30 cr = "0" Succeeded.
INFO 1/11/2012, 2:44:30 crumb = "2012.01.11+00.45.26-toolbar002iad-US-TmFwZXJ2aWxsZSxJTCxVbml0ZWQgU3RhdGVz" Succeeded.
INFO 1/11/2012, 2:44:30 dbr = "2" Succeeded.
INFO 1/11/2012, 2:44:30 dot = "6" Succeeded.
INFO 1/11/2012, 2:44:30 dt = "1547" Succeeded.
INFO 1/11/2012, 2:44:30 dtid = "YYYYYYYYUS" Succeeded.
INFO 1/11/2012, 2:44:30 eichk = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&cb=LL&encb={incbid}&chk={ic_chk}&ts={random}&guid={guid}&dt={dt}&wft={wft}&inst={inst}&tb={tb}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&dot={dot}" Succeeded.
INFO 1/11/2012, 2:44:30 einst = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=einst&cb=LL&stb={wr_tbr}&ssa={wr_sa}&shpr={wr_hpr}&res={ci_res}&erc={ci_erc}&itime={itime}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&ts={random}&guid={guid}&wft={wft}&dot={dot}&inst={inst}&tb={tb}&dt={dt}&erd={erd}" Succeeded.
INFO 1/11/2012, 2:44:30 ewrap = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=ewrap&cb=LL&stb={wr_tbr}&ssa={wr_sa}&shpr={wr_hpr}&param={param}&ts={random}&guid={guid}&dt={dt}&inst={inst}&tb={tb}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&wft={wft}&dot={dot}&erd={erd}" Succeeded.
INFO 1/11/2012, 2:44:30 ff-max-version = "9.*" Succeeded.
INFO 1/11/2012, 2:44:30 fflu = "-2" Succeeded.
INFO 1/11/2012, 2:44:30 fv = "9.0.1 (en-US)" Succeeded.
INFO 1/11/2012, 2:44:30 guid = "b7744201-2444-44ba-9620-f07456a26ed5" Succeeded.
INFO 1/11/2012, 2:44:30 harch = "32" Succeeded.
INFO 1/11/2012, 2:44:30 hloc = "en-US" Succeeded.
INFO 1/11/2012, 2:44:30 homepageurl = "http://www.ask.com/?l=dis&o=APN10023&gct=hp" Succeeded.
INFO 1/11/2012, 2:44:30 hos = "5.1.1.sp3.x86" Succeeded.
INFO 1/11/2012, 2:44:30 iedis = "0" Succeeded.
INFO 1/11/2012, 2:44:30 ielu = "-2" Succeeded.
INFO 1/11/2012, 2:44:30 iev = "8.0.6001.18702" Succeeded.
INFO 1/11/2012, 2:44:30 inst = "200" Succeeded.
INFO 1/11/2012, 2:44:30 iv = "8.0.6001.18702" Succeeded.
INFO 1/11/2012, 2:44:30 l = "dis" Succeeded.
INFO 1/11/2012, 2:44:30 locale = "en_US" Succeeded.
INFO 1/11/2012, 2:44:30 location = "Naperville,IL,United States" Succeeded.
INFO 1/11/2012, 2:44:30 make-offer = "1" Succeeded.
INFO 1/11/2012, 2:44:30 o = "APN10023" Succeeded.
INFO 1/11/2012, 2:44:30 oi = "nop" Succeeded.
INFO 1/11/2012, 2:44:30 qsrc = "2871" Succeeded.
INFO 1/11/2012, 2:44:30 repurl = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&cb=LL&encb={incbid}&chk={ic_chk}&ts={random}&guid=" Succeeded.
INFO 1/11/2012, 2:44:30 same-partner = "0" Succeeded.
INFO 1/11/2012, 2:44:30 tb = "AVR-IDW" Succeeded.
INFO 1/11/2012, 2:44:30 tb-installer-path = "http://apnmedia.ask.com/media/toolbar/supertoolbar/avira/askToolbarInstaller-1.14.0.0.exe" Succeeded.
INFO 1/11/2012, 2:44:30 tb-version = "5.14.0.0" Succeeded.
INFO 1/11/2012, 2:44:30 to = "" Succeeded.
INFO 1/11/2012, 2:44:30 wft = "remote" Succeeded.
INFO 1/11/2012, 2:44:30 Set Registry "HKEY_CURRENT_USER\SOFTWARE\Ask.com.tmp\Installer" with value(s):
INFO 1/11/2012, 2:44:30 eichk = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&cb=LL&encb={incbid}&chk={ic_chk}&ts={random}&guid={guid}&dt={dt}&wft={wft}&inst={inst}&tb={tb}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&dot={dot}" Succeeded.
INFO 1/11/2012, 2:44:30 ff-max-version = "9.*" Succeeded.
INFO 1/11/2012, 2:44:30 guid = "b7744201-2444-44ba-9620-f07456a26ed5" Succeeded.
INFO 1/11/2012, 2:44:30 homepageurl = "http://www.ask.com/?l=dis&o=APN10023&gct=hp" Succeeded.
INFO 1/11/2012, 2:44:30 make-offer = "1" Succeeded.
INFO 1/11/2012, 2:44:30 oi = "nop" Succeeded.
INFO 1/11/2012, 2:44:30 repurl = "http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&cb=LL&encb={incbid}&chk={ic_chk}&ts={random}&guid=" Succeeded.
INFO 1/11/2012, 2:44:30 Set Registry "HKEY_CURRENT_USER\SOFTWARE\Ask.com.tmp\Macro" with value(s):
INFO 1/11/2012, 2:44:30 cbid = "LL" Succeeded.
INFO 1/11/2012, 2:44:30 crumb = "2012.01.11+00.45.26-toolbar002iad-US-TmFwZXJ2aWxsZSxJTCxVbml0ZWQgU3RhdGVz" Succeeded.
INFO 1/11/2012, 2:44:30 dtid = "YYYYYYYYUS" Succeeded.
INFO 1/11/2012, 2:44:30 l = "dis" Succeeded.
INFO 1/11/2012, 2:44:30 locale = "en_US" Succeeded.
INFO 1/11/2012, 2:44:30 location = "Naperville,IL,United States" Succeeded.
INFO 1/11/2012, 2:44:30 o = "APN10023" Succeeded.
INFO 1/11/2012, 2:44:30 qsrc = "2871" Succeeded.
INFO 1/11/2012, 2:44:30 to = "" Succeeded.
INFO 1/11/2012, 2:44:30 Install API Call - Success : HTTP Status Code - 200
INFO 1/11/2012, 2:44:30 Server returned makeoffer == 1
INFO 1/11/2012, 2:44:30 Proceed with installation offer
INFO 1/11/2012, 2:44:31 Whatzup reporting- Success
INFO 1/11/2012, 2:44:31 Whatzup reporting URL
INFO 1/11/2012, 2:44:31 http://img.apnanalytics.com/images/nocache/apn/tr.gif?ev=eichk&cb=LL&encb={incbid}&chk={ic_chk}&ts={random}&guid={guid}&dt={dt}&wft={wft}&inst={inst}&tb={tb}&hos={hos}&harch={harch}&hloc={hloc}&iv={iv}&fv={fv}&dbr={dbr}&vb={vb}&msi={msi}&dot={dot}
INFO 1/11/2012, 2:44:31 Return code = 0

(I know I shouldn't be posting w/out your permission, but again, executive decision as I'd like to wrap this up as quickly as possible, as I know we both have better things to do :) So is that indicating that it installed it anyway? Why is it writing crap about Ask & Toolbars to my registry? I don't see any toolbar in my browser right now, but just want to know why I am seeing reference to it, my registry, macros, etc...

& here is the second log, which also references toolbar, downloader & command line, etc.:

******************************Checking Session******************************
[(UTC) 11/01/2012 - 08:44:12:843]: OS = 5.1.1.sp3.x86
[(UTC) 11/01/2012 - 08:44:12:843]: CommandLine = "/tb=AVR-IDW"
[(UTC) 11/01/2012 - 08:44:12:843]: RequestLocal = 0, DefaultLocal = 0
[(UTC) 11/01/2012 - 08:44:12:843]: Begin downloading manifest:
RemoteManifestPath = "http://apnmedia.ask.com/media/toolbar/stub/1.0.0.0/ApnIC.dll?tb=AVR-IDW&version=1.0.0.0"
LocalManifestPath = "C:\DOCUME~1\Owner\LOCALS~1\Temp\AskSLib.dll"
CommandLine = "/tb=AVR-IDW /timeout=6"
[(UTC) 11/01/2012 - 08:44:19:671]: Downloader(BITS) : timeout = 6 seconds
[(UTC) 11/01/2012 - 08:44:26:875]: Downloader(BITS) : Exiting with state = 0, ElapsedTime = 6.00 seconds.
[(UTC) 11/01/2012 - 08:44:28:421]: Downloader(URL) : Downloading Succeeded! ElapsedTime = 1.55 seconds.
[(UTC) 11/01/2012 - 08:44:28:421]: End downloading manifest:
Boolean return = 1
CommandLine = "/tb=AVR-IDW /timeout=6 /downloadtime=1547"
[(UTC) 11/01/2012 - 08:44:29:046]: Validation of LocalManifest Digital Signature Succeeded
[(UTC) 11/01/2012 - 08:44:29:203]: Begin LocalManifest::CheckInstall():
CommandLine = "/tb=AVR-IDW /timeout=6 /downloadtime=1547 /debug"
[(UTC) 11/01/2012 - 08:44:31:156]: End LocalManifest::CheckInstall():
return code = 0
CommandLine = "/tb=AVR-IDW"
[(UTC) 11/01/2012 - 08:44:31:156]: Session exit with code = 0


Hope it's all nothing & just my paranoia... I TRULY APPRECIATE ALL OF YOUR ASSISTANCE!

Cheers to hopefully being well on the road to clean & secure computing!
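
An added example, written for this edit and not code from the thread, from Avira or from WeOnlyDo: the advisory quoted above says the fix is to set the kill bit for the control, and the question raised is which component the `HKEY_CLASSES_ROOT\WeOnlyDo.File Blob` key belongs to. This PowerShell script takes a COM ProgID (the default is the key seen in the post; it is an assumption that this ProgID is the one you want to inspect, and it is not necessarily the wodSFTP control itself), resolves its CLSID from HKCR, reports the in-process server DLL and whether the control is registered under the "safe for scripting" / "safe for initialization" component categories, and, with `-SetKillBit`, sets the Internet Explorer kill bit (Compatibility Flags 0x400) for that CLSID. Two caveats: a control can also declare itself safe at run time through IObjectSafety, which is what the advisory describes and which no registry check will reveal; and on 64-bit Windows the Wow6432Node copy of the ActiveX Compatibility key covers 32-bit Internet Explorer.

```powershell
# Added example: inspect a COM control by ProgID and set the IE kill bit for its CLSID.
# Run from an elevated PowerShell. The default ProgID is the registry key seen in the
# forum post (an assumption about what to inspect); the CLSID is looked up, not assumed.
param(
    [string]$ProgId = 'WeOnlyDo.File Blob',
    [switch]$SetKillBit
)

# Well-known component category IDs used by "safe for scripting/initializing" registration.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
# Kill-bit location (on 64-bit Windows also check the Wow6432Node copy of this path).
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ClsidFromProgId([string]$id) {
    # HKCR\<ProgID>\CLSID holds the CLSID as its default value.
    $key = "Registry::HKEY_CLASSES_ROOT\$id\CLSID"
    if (Test-Path -LiteralPath $key) { (Get-Item -LiteralPath $key).GetValue('') } else { $null }
}

function Get-CompatibilityFlags([string]$clsid) {
    $key = Join-Path $KillBitRoot $clsid
    if (-not (Test-Path -LiteralPath $key)) { return 0 }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    return [int]$props.'Compatibility Flags'   # $null becomes 0
}

function Test-KillBit([string]$clsid) {
    return ((Get-CompatibilityFlags $clsid) -band 0x400) -ne 0
}

function Set-KillBit([string]$clsid) {
    $key = Join-Path $KillBitRoot $clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    # OR in the kill bit so any other compatibility flags already set are preserved.
    $flags = (Get-CompatibilityFlags $clsid) -bor 0x400
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Get-ControlInfo([string]$clsid) {
    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    if (-not (Test-Path -LiteralPath $base)) {
        Write-Warning "CLSID $clsid has no HKCR\CLSID entry; the ProgID points at nothing."
        return $null
    }
    $server = $null
    if (Test-Path -LiteralPath "$base\InprocServer32") {
        $server = (Get-Item -LiteralPath "$base\InprocServer32").GetValue('')
    }
    [pscustomobject]@{
        Clsid               = $clsid
        Name                = (Get-Item -LiteralPath $base).GetValue('')
        Server              = $server
        # Registry-declared safety only; IObjectSafety claims made at run time are not visible here.
        SafeForScripting    = Test-Path -LiteralPath "$base\Implemented Categories\$CatSafeForScripting"
        SafeForInitializing = Test-Path -LiteralPath "$base\Implemented Categories\$CatSafeForInitializing"
        KillBitSet          = Test-KillBit $clsid
    }
}

$clsid = Get-ClsidFromProgId $ProgId
if (-not $clsid) { Write-Warning "ProgID '$ProgId' is not registered on this machine."; return }
Get-ControlInfo $clsid | Format-List
if ($SetKillBit) {
    Set-KillBit $clsid
    "Kill bit for $clsid now set: $(Test-KillBit $clsid)"
}
```

Run it once without `-SetKillBit` to see which DLL the ProgID resolves to; the `Server` path tells you which installed program brought the component along, which is the real answer to "is there a legit program using it". Setting the kill bit only stops Internet Explorer from instantiating that CLSID; it does not unregister or remove the DLL, so any non-browser program that uses it keeps working.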

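The two installer logs above show the Ask stub writing its offer parameters under `HKCU\SOFTWARE\Ask.com.tmp`, downloading a manifest, and exiting with return code 0; whether a toolbar was actually installed is a separate question that the browser's own registrations answer. An added example, not from the thread, from Avira or from APN: a read-only PowerShell script that lists Internet Explorer Browser Helper Objects and toolbars, Add/Remove Programs entries, extensions in the Firefox profile folders, and any `HKCU\SOFTWARE\Ask.com*` keys, then highlights the Ask- or toolbar-related ones. The match pattern is my choice and nothing is removed.

```powershell
# Added example: find out whether an Ask toolbar is actually registered, as opposed to
# the installer stub only logging an "offer". Covers IE BHOs and toolbars, Add/Remove
# Programs entries, Firefox profile extensions, and the HKCU\SOFTWARE\Ask.com* keys
# named in the log. Read-only; nothing is removed.
$Pattern = '\bAsk\b|\bAPN\b|toolbar'   # -match is case-insensitive by default

function Get-ClsidName([string]$clsid) {
    $k = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    if (Test-Path -LiteralPath $k) { (Get-Item -LiteralPath $k).GetValue('') } else { $null }
}

function Get-IeBrowserHelperObjects {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $root) {
        Get-ChildItem $root | ForEach-Object {
            [pscustomobject]@{ Kind = 'IE BHO'; Id = $_.PSChildName; Name = Get-ClsidName $_.PSChildName }
        }
    }
}

function Get-IeToolbars {
    # Toolbars are registered as values named by CLSID under this key.
    $k = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    if (Test-Path $k) {
        (Get-Item $k).GetValueNames() | Where-Object { $_ -like '{*}' } | ForEach-Object {
            [pscustomobject]@{ Kind = 'IE toolbar'; Id = $_; Name = Get-ClsidName $_ }
        }
    }
}

function Get-UninstallEntries {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = (Get-ItemProperty -LiteralPath $_.PSPath).DisplayName
            if ($name) { [pscustomobject]@{ Kind = 'Add/Remove entry'; Id = $_.PSChildName; Name = $name } }
        }
}

function Get-FirefoxExtensions {
    # Each profile keeps installed extensions (folders or .xpi files) under extensions\.
    Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions" -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'Firefox extension'; Id = $_.Name; Name = $_.FullName } }
}

function Get-AskStagingKeys {
    Get-ChildItem 'HKCU:\SOFTWARE' | Where-Object { $_.PSChildName -like 'Ask.com*' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'HKCU key'; Id = $_.PSChildName; Name = ($_.PSPath -replace '^.*::') } }
}

$items = @(Get-IeBrowserHelperObjects) + @(Get-IeToolbars) + @(Get-UninstallEntries) +
         @(Get-FirefoxExtensions) + @(Get-AskStagingKeys)

"All browser add-ons and installed-program entries:"
$items | Format-Table -AutoSize
$hits = $items | Where-Object { "$($_.Id) $($_.Name)" -match $Pattern }
"Entries matching '$Pattern':"
if ($hits) { $hits | Format-Table -AutoSize } else { '(none)' }
```

If the only hits are the `HKCU\SOFTWARE\Ask.com.tmp` keys, that is the staging data the log shows being written before the offer was declined; a toolbar that was really installed would also show up as an IE BHO or toolbar CLSID, a Firefox extension folder, or an Add/Remove Programs entry.
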
#51 CelestialAura (Topic Starter)

Posted 12 January 2012 - 04:46 PM

Hmm, that's strange. I had a whole reply typed in here & came back to page after checking my router intrusion log, & the whole synopsis I had typed was gone... Well, starting all over again (forgive me as it's time consuming, so I am not going to pull everything back up to put in the full exact details, but will give you shortened run down version, & I'm sure you'll know what I mean). Not sure, but have indication that something malicious may still be happening. Firstly, still have sporadic mouse issues. So checked Device Mgr., nothing indicated as issue there. Went into desktop/display/advanced props to hardware accel, adjusted down from full to the setting just below which disables cursor & bitmap accelerations. This didn't have an effect on the issue. So, last night I had gotten Online Armour set up. This morning, after noticing the strange mouse behavior still happening, I checked my firewall activity & noticed system listening on port 445. Well, this shouldn't be as such, since I ALWAYS have Netbios disabled in TCP/IP settings. So I went to HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\TransportBindName & cleared out the value which was "Device" (did not delete key & have reg backed up). This fixed the issue with system listening on 445. (I also have 445 blocked via router). Not too long after this, I first noticed 2 instances of dllhost.exe loaded up in taskmgr., & right after noticing this I received notification from firewall that it was allowing rsmsink. Well, I have never before seen indication of rsmsink being used on this pc. I have not used my flash drive nor plugged it in recently, nor did I plug in or use any other device today or in recent days, so I thought this was rather odd. So I pull up firewall activity again, & it's now showing svchost.exe listening in on TCP 135. It's my understanding that certain worms & exploits will generally use 445, but if that isn't available, they will go to 135 as an alternative. 
So there was an entry in the firewall where it granted svchost 135 & 123 & 1900. I've since blocked all these, & the only thing that svchost is being allowed access to right now is TCP & UDP 53, & the firewall granted it use of port 1029, which is a local port, so I don't believe that is anything malicious. Strangely enough now, though, I have Firefox loaded, & will generally see a svchost entry in active connections, & there is none. That may or may not be strange, but isn't that how DNS is resolved via 53? Right now, the ONLY active connection listed in the firewall is Firefox, & it's via all local addresses & ports, & I am on this site as well as my router page & a Google page. Shouldn't there be activity indicating Firefox is connected to these web addresses? Maybe I'm making too much out of all this, but need to go with gut instinct which tells me something may be afoul, as there is one last thing. I am on my router page now, which shows 7000 hits of IP SPOOF attacks, 20+ TCP SYN FLOOD attacks, as well as several SMURF attacks & a few invalid packets.

Also, yesterday about an hour after installing Online Armour, it blocked smss program : Windows NT Setup (user mode portion of character-based phase), 5.1.2600.2180, (5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)) C:\cmdcons\SYSTEM32\SMSS.EXE
Hash(MD5): DA5CF1C368B33D75602FD6B3A7F5E0C6

Another thing (that I am not familiar with). When I first noticed the dllhost(s) loaded into taskmgr., I went into Component Services console to see if I could investigate what was using & loading dllhost, & went to COM+ apps, didn't see anything there, & was going to browse in the DCOM folder, & when I clicked on DCOM to expand the folder, I received the following warning message:
The CLSID {........} item C:\WINDOWS\system32\wbem\wmiprvse.exe & title Microsoft WMI Provider Subsystem Secured Host has the named value AppID, but is not recorded under \\HKEY_CLASSES_ROOT\AppId. Do you wish to record it? (I chose no)

Sorry if I am being overly paranoid, but seeing all those router attacks, & some strange pc behavior I've never seen before, just wondering...
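
The post above works through several firewall observations by hand: something listening on 445, `svchost.exe` listening on 135, 123 and 1900, and the `NetBT\Parameters\TransportBindName` value being cleared to stop the 445 listener. An added example, not from the thread or from Online Armor: a PowerShell script that attributes every listening TCP port and bound UDP port to its owning process and, for `svchost.exe`, to the Windows services that instance hosts, flags the ports discussed in the post, and reads the NetBT binding value. It parses `netstat -ano` and `tasklist /svc` rather than newer cmdlets so it runs on the Windows XP generation of systems; the list of watched ports is my choice.

```powershell
# Added example: attribute every TCP listener and bound UDP port to a process and, for
# svchost.exe, to the Windows services it hosts; flag the ports discussed in the post;
# and read the NetBT TransportBindName value that governs SMB listening on TCP 445.
# Run as Administrator so netstat -o can report the owning PID for every socket.
$WatchPorts = 135, 139, 445, 123, 1900   # ports mentioned in the post (my selection)

function Get-RawListeners {
    # netstat -ano columns:  TCP  Local  Foreign  State  PID   |   UDP  Local  Foreign  PID
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            [pscustomobject]@{ Proto = 'TCP'; Local = $f[1]; OwnerPid = [int]$f[4] }
        } elseif ($f[0] -eq 'UDP') {
            [pscustomobject]@{ Proto = 'UDP'; Local = $f[1]; OwnerPid = [int]$f[3] }
        }
    }
}

function Get-ServicesForPid([int]$procId) {
    # tasklist /svc lists the service names hosted inside a given process (several per svchost).
    $row = tasklist /svc /fi "PID eq $procId" /fo csv /nh | ConvertFrom-Csv -Header Image, ProcId, Services
    if ($row) { $row.Services } else { '' }
}

function Get-ListenerReport {
    Get-RawListeners | ForEach-Object {
        # Works for both 0.0.0.0:445 and [::]:445 style addresses.
        $port = [int]$_.Local.Substring($_.Local.LastIndexOf(':') + 1)
        $proc = Get-Process -Id $_.OwnerPid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        [pscustomobject]@{
            Proto    = $_.Proto
            Port     = $port
            Local    = $_.Local
            OwnerPid = $_.OwnerPid
            Process  = $name
            Services = if ($name -eq 'svchost') { Get-ServicesForPid $_.OwnerPid } else { '' }
            Flagged  = $WatchPorts -contains $port
        }
    }
}

function Get-NetBtBinding {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TransportBindName = $p.TransportBindName
        # Default is '\Device\'. An empty value stops SMB listening on 445 after the next reboot.
        Smb445Enabled     = -not [string]::IsNullOrEmpty($p.TransportBindName)
    }
}

Get-ListenerReport | Sort-Object Proto, Port | Format-Table -AutoSize
Get-NetBtBinding | Format-List
```

The point of the `Services` column is to replace guesswork with a name: on Windows XP, TCP 135 is the RPC endpoint mapper (`RpcSs`), UDP 123 is Windows Time (`W32Time`), UDP 1900 is SSDP Discovery (`SSDPSRV`), and TCP 445 belongs to the `System` process (PID 4) for SMB, all of which are stock listeners. A listener whose owning process is not a known service, or a `svchost.exe` instance hosting a service name you cannot account for, is what deserves a closer look.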

#52 m0le (Malware Response Team)

Posted 12 January 2012 - 05:55 PM

I can't go over everything you have covered here but nothing you have highlighted says that there is malware on the system.

A lot of the above is said with the proviso that "you are not sure how to read it" or "you have heard that..."

This is where people end up going mad looking for things that are not there. I personally believe that providing the sort of confusing information to users via port scanners is counterproductive.

The other thing you state is that you are getting a lot of attacks on the log. There's a world of difference between an attack and an intrusion and this depends on the sort of surfer you are.

What I would say is that if you are infected then you should be able to see something more visible now. The mouse being erratic is just not something that malware attacks. I would try a new mouse in the machine and see if that stops it. Is there anything else, other than the logs, which tell you that something is still there? (Most malware does not hide its presence completely and will let you know that it's there.)
m0le is a proud member of UNITE

#53 CelestialAura (Topic Starter)

Posted 12 January 2012 - 06:15 PM

Nope, just took notice of some strange processes, in combo w/what my firewall & router logs were saying. Sorry, don't mean to be so paranoid, lol! Glad to hear that you do not think there is anything malicious going on... Will try new mouse & see what Secunia says about driver ;) Thank you so very much for all of your help & support! You may close thread now... ;)

CHEERS!

#54 m0le (Malware Response Team)

Posted 12 January 2012 - 06:59 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
m0le is a proud member of UNITE
