My computer seems fine but I worry about rootkits

Post by tomcat123 » September 25th, 2010, 1:51 am

Hello. My computer seems to be fine, but I worry about rootkits. If this is not a sufficient reason for you to assist me, I understand. I have run GMER, Sophos Antirootkit, RootRepeal, Rootkit Unhooker, RootkitRevealer, Panda Antirootkit, and F-Secure Blacklight at various times in the last half year. The only disturbing message has been at the end of the Rootkit Unhooker report saying that I possibly have a rootkit. My regular scans with the following free anti-malware programs have not reported any rootkits: AVG 9, Avira Antivir, Emsisoft Anti-malware, Spybot S&D, and MBAM.
I hope I can gain assurance by working with you. The required logs are below. Thank you, Tom
=================================================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:03:23 PM, on 9/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\HddLed\hddledd.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\RTHDCPL.EXE
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ModPS2Key.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [hddled.exe] C:\Program Files\HddLed\hddled.exe s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - Startup: Shortcut to TeaTimer.lnk = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {D27CDB70-AE6D-11cf-96B8-444553540000} (Macromedia Flash Factory Object) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: hddledd - Unknown owner - C:\Program Files\HddLed\hddledd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LKTY - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\LKTY.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SC - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\SC.exe (file missing)
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft Sprocket Service (quickcare) (sprtsvc_quickcare) - SupportSoft, Inc. - C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (quickcare) (tgsrvc_quickcare) - SupportSoft, Inc. - C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe
O23 - Service: XM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\XM.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11469 bytes
==================================================

7-Zip 4.65
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
Agent Ransack 2010
Agere Systems PCI-SV92PP Soft Modem
AVG Free 9.0
Avira AntiVir Personal - Free Antivirus
Belarc Advisor 7.2
BlockNote.Net, version 1.8
Browser Address Error Redirector
CheckIt Diagnostics
COMODO Internet Security
Compatibility Pack for the 2007 Office system
Connection Keep Alive
Directory Snoop 5.03 (Trial Version)
Disk Checker
Disk Investigator 1.51
Diskeeper 2010
DiskExplorer for NTFS
DVD Suite
eMachines Connect
eMachines Games
Emsisoft Anti-Malware 5.0
ERUNT 1.1j
FlexHEX
FreeCommander 2009.02a
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet Printer Driver Software 9.0
HyperSnap 6
ICY Hexplorer (remove only)
InstallWatch Pro 2.5
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 21
Junk Mail filter update
Kingsoft Office 2010 (6.6.0.2477)
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
mirkes.de Tiny Hexer
ModemTest V1.3
Mozilla Firefox (3.6.10)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Norton Cleanup
Norton SystemWorks
Norton SystemWorks (Symantec Corporation)
Norton Utilities
OpenOffice.org 3.2
Opera 10.62
PerformanceTest
Personal License Update Wizard for Windows Media Player
Power2Go 5.0
PowerDVD
PowerTools Lite
Prevx
PS2 Multimedia Keyboard Driver
Qwest QuickAssist Desktop Tools
Qwest Quickcare 2.7
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Registrar Registry Manager 6.52
RegVac Registry Cleaner 5.02 (Registered Version)
Revo Uninstaller 1.89
RootKit Hook Analyzer 3.02
Sandboxie 3.46
SanityCheck 2.01
Secunia PSI
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SequoiaView
Sophos Anti-Rootkit 1.5.4
SpaceMonger 2.1.1
Spybot - Search & Destroy
Stream Explorer 1.0.4
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Backup Utility
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinHex
tomcat123
Active Member
Posts: 9
Joined: September 25th, 2010, 12:08 am
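An added example, not code from this thread or from HijackThis: a small Python triage pass over log lines of the kind posted above. The sample lines are constructed from entries in the log, and the Temp-directory, file-missing and Unknown-owner rules are my own heuristics; they surface the O23 services under the Temp folder that a helper would ask about first.

```python
"""Triage the autostart entries of a HijackThis (v2.0.4-style) log.

The signals below are the ones a malware-removal helper reads first; they are
heuristics to prioritise a closer look, not verdicts:
  * the binary lives under a Temp directory (services and Run entries
    normally live under Program Files or %WINDIR%),
  * the entry points at a file that no longer exists ("(file missing)"),
    i.e. a stale autostart that can simply be removed,
  * an O23 service with no publisher string ("Unknown owner").
"""
import re

# Constructed sample in HijackThis format, modelled on entries from the log
# posted in this thread (not the complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: hddledd - Unknown owner - C:\Program Files\HddLed\hddledd.exe
O23 - Service: LKTY - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\LKTY.exe (file missing)
O23 - Service: SC - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\SC.exe (file missing)
O23 - Service: XM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Owner\LOCALS~1\Temp\XM.exe
"""

FILE_MISSING = "(file missing)"
# Either a quoted path, or an unquoted one that starts with a drive letter or
# an %ENVVAR% and runs up to a binary extension (HJT paths may contain spaces,
# so we cannot simply split on whitespace).
PATH_RE = re.compile(
    r'"([^"]+)"|((?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|sys|cpl|scr|bat|cmd))\b',
    re.IGNORECASE,
)
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


def parse_line(line):
    """Split one 'Oxx - ...' log line into its type, text, path and
    file-missing flag; return None for lines that are not HJT entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, text = m.group(1), m.group(2)
    missing = text.endswith(FILE_MISSING)
    if missing:
        text = text[: -len(FILE_MISSING)].rstrip()
    # The binary path is the last path-looking token on the line.
    paths = [quoted or bare for quoted, bare in PATH_RE.findall(text)]
    return {"type": kind, "text": text,
            "path": paths[-1] if paths else None, "missing": missing}


def triage(log_text):
    """Return the entries that deserve a closer look, each with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reasons = []
        if entry["missing"]:
            reasons.append("points at a file that no longer exists")
        if entry["path"] and TEMP_RE.search(entry["path"]):
            reasons.append("binary located under a Temp directory")
        if entry["type"] == "O23" and "Unknown owner" in entry["text"]:
            reasons.append("service has no publisher (Unknown owner)")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']}: {f['path'] or f['text']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```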

Re: My computer seems fine but I worry about rootkits

Post by askey127 » September 27th, 2010, 5:46 pm

Hi tomcat123,
You have too many Antivirus programs on there. Maximum is ONE.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove:

McAfee Security Scan Plus
AVG Free 9.0

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------
Run, Update, Scan with Antivir
Double Click the Avira Antivir Installer on your desktop (Right click and choose "Run as administrator" in Vista/Win7), Install the program, Have it update itself, and run a full scan. Have it fix anything it finds.
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan.
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.

askey127
Admin/Teacher
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: My computer seems fine but I worry about rootkits

Post by tomcat123 » September 27th, 2010, 11:59 pm

Hello again. Thank you for your reply. I have followed your instructions.

I uninstalled AVG 9 though I never ran its real time guard simultaneously with the Avira guard. I also uninstalled the McAfee security applet.

I updated Avira Antivir and ran a scan. The three "hidden files" which it reports were visible immediately after the scan in Windows Explorer and in the MFT, via Directory Snoop. Avira has sometimes reported hidden files and registry entries before, never more than three items in any one scan. The Avira log is below.
=============================================


Avira AntiVir Personal
Report file date: Monday, September 27, 2010 19:13

Scanning for 2881727 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : THOMAS

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 19:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 19:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 01:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 06:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 16:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 02:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 00:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 23:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 18:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 05:15:15
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 05:15:30
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 05:16:00
VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 15:32:41
VBASE009.VDF : 7.10.11.134 2048 Bytes 9/13/2010 15:32:46
VBASE010.VDF : 7.10.11.135 2048 Bytes 9/13/2010 15:32:46
VBASE011.VDF : 7.10.11.136 2048 Bytes 9/13/2010 15:32:47
VBASE012.VDF : 7.10.11.137 2048 Bytes 9/13/2010 15:32:48
VBASE013.VDF : 7.10.11.165 172032 Bytes 9/15/2010 14:53:27
VBASE014.VDF : 7.10.11.202 144384 Bytes 9/18/2010 15:43:25
VBASE015.VDF : 7.10.11.231 129024 Bytes 9/21/2010 14:25:55
VBASE016.VDF : 7.10.12.4 126464 Bytes 9/23/2010 13:11:14
VBASE017.VDF : 7.10.12.38 146944 Bytes 9/27/2010 15:22:28
VBASE018.VDF : 7.10.12.39 2048 Bytes 9/27/2010 15:22:28
VBASE019.VDF : 7.10.12.40 2048 Bytes 9/27/2010 15:22:28
VBASE020.VDF : 7.10.12.41 2048 Bytes 9/27/2010 15:22:28
VBASE021.VDF : 7.10.12.42 2048 Bytes 9/27/2010 15:22:29
VBASE022.VDF : 7.10.12.43 2048 Bytes 9/27/2010 15:22:29
VBASE023.VDF : 7.10.12.44 2048 Bytes 9/27/2010 15:22:29
VBASE024.VDF : 7.10.12.45 2048 Bytes 9/27/2010 15:22:30
VBASE025.VDF : 7.10.12.46 2048 Bytes 9/27/2010 15:22:30
VBASE026.VDF : 7.10.12.47 2048 Bytes 9/27/2010 15:22:30
VBASE027.VDF : 7.10.12.48 2048 Bytes 9/27/2010 15:22:30
VBASE028.VDF : 7.10.12.49 2048 Bytes 9/27/2010 15:22:30
VBASE029.VDF : 7.10.12.50 2048 Bytes 9/27/2010 15:22:31
VBASE030.VDF : 7.10.12.51 2048 Bytes 9/27/2010 15:22:31
VBASE031.VDF : 7.10.12.54 39936 Bytes 9/27/2010 01:11:29
Engineversion : 8.2.4.66
AEVDF.DLL : 8.1.2.1 106868 Bytes 7/30/2010 14:53:29
AESCRIPT.DLL : 8.1.3.45 1368443 Bytes 9/17/2010 16:06:12
AESCN.DLL : 8.1.6.1 127347 Bytes 7/28/2010 05:16:26
AESBX.DLL : 8.1.3.1 254324 Bytes 7/28/2010 05:16:30
AERDL.DLL : 8.1.9.2 635252 Bytes 9/22/2010 14:45:01
AEPACK.DLL : 8.2.3.7 471413 Bytes 9/17/2010 16:05:13
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/28/2010 05:16:21
AEHEUR.DLL : 8.1.2.27 2933110 Bytes 9/24/2010 15:23:15
AEHELP.DLL : 8.1.13.4 242038 Bytes 9/24/2010 15:23:05
AEGEN.DLL : 8.1.3.22 401780 Bytes 9/17/2010 16:03:09
AEEMU.DLL : 8.1.2.0 393588 Bytes 7/28/2010 05:16:11
AECORE.DLL : 8.1.17.0 196982 Bytes 9/24/2010 15:23:04
AEBB.DLL : 8.1.1.0 53618 Bytes 7/28/2010 05:16:09
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 19:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 19:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 23:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 19:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 19:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 19:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 16:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 19:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 22:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 21:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 20:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 21:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Monday, September 27, 2010 19:13

Starting search for hidden objects.
c:\program files\outlook express\msimn.exe
c:\Program Files\Outlook Express\msimn.exe
[NOTE] The process is not visible.
c:\program files\comodo\comodo internet security\cfp.exe
c:\Program Files\COMODO\COMODO Internet Security\cfp.exe
[NOTE] The process is not visible.
c:\program files\internet explorer\iexplore.exe
c:\Program Files\Internet Explorer\iexplore.exe
[NOTE] The process is not visible.

The scan of running processes will be started
Scan process 'cidaemon.exe' - '32' Module(s) have been scanned
Scan process 'rsmsink.exe' - '31' Module(s) have been scanned
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '61' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avscan.exe' - '71' Module(s) have been scanned
Scan process 'avcenter.exe' - '66' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '101' Module(s) have been scanned
Scan process 'taskmgr.exe' - '40' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '38' Module(s) have been scanned
Scan process 'tgsrvc.exe' - '25' Module(s) have been scanned
Scan process 'ctfmon.exe' - '30' Module(s) have been scanned
Scan process 'SbieCtrl.exe' - '35' Module(s) have been scanned
Scan process 'jusched.exe' - '23' Module(s) have been scanned
Scan process 'sprtsvc.exe' - '43' Module(s) have been scanned
Scan process 'avgnt.exe' - '54' Module(s) have been scanned
Scan process 'sprtlisten.exe' - '32' Module(s) have been scanned
Scan process 'hkcmd.exe' - '28' Module(s) have been scanned
Scan process 'SeaPort.exe' - '45' Module(s) have been scanned
Scan process 'ModPS2Key.exe' - '18' Module(s) have been scanned
Scan process 'RichVideo.exe' - '23' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '15' Module(s) have been scanned
Scan process 'igfxpers.exe' - '26' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '41' Module(s) have been scanned
Scan process 'NPROTECT.EXE' - '32' Module(s) have been scanned
Scan process 'jqs.exe' - '35' Module(s) have been scanned
Scan process 'hddledd.exe' - '14' Module(s) have been scanned
Scan process 'DkService.exe' - '100' Module(s) have been scanned
Scan process 'cisvc.exe' - '32' Module(s) have been scanned
Scan process 'a2service.exe' - '49' Module(s) have been scanned
Scan process 'Explorer.EXE' - '116' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'sched.exe' - '47' Module(s) have been scanned
Scan process 'spoolsv.exe' - '59' Module(s) have been scanned
Scan process 'svchost.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'SbieSvc.exe' - '29' Module(s) have been scanned
Scan process 'svchost.exe' - '164' Module(s) have been scanned
Scan process 'cmdagent.exe' - '70' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'avshadow.exe' - '27' Module(s) have been scanned
Scan process 'avguard.exe' - '55' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '29' Module(s) have been scanned
Scan process 'winlogon.exe' - '68' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '505' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\BIT1F2.tmp
[0] Archive type: CAB (Microsoft)
--> _sfx_0008._p
[WARNING] The file could not be written!
C:\WINDOWS\SoftwareDistribution\Download\da70638ee8e6f6c7eff37e755cd6f449\BIT1CF.tmp
[0] Archive type: CAB (Microsoft)
--> _sfx_0006._p
[WARNING] The file could not be written!
C:\WINDOWS\SoftwareDistribution\Download\e7d26e5776f9930c6ad9dff351940707\BIT1F5.tmp
[0] Archive type: CAB (Microsoft)
--> _sfx_0008._p
[WARNING] The file could not be written!
Begin scan in 'D:\' <RECOVERY>


End of the scan: Monday, September 27, 2010 20:10
Used time: 56:17 Minute(s)

The scan has been done completely.

10913 Scanned directories
543346 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
543346 Files not concerned
15984 Archives were scanned
3 Warnings
0 Notes
592721 Objects were scanned with rootkit scan
3 Hidden objects were found
tomcat123
Active Member
 
Posts: 9
Joined: September 25th, 2010, 12:08 am
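The report above closes with "3 Hidden objects were found", which is the one line in it a reviewer would stop on; the detail section shows the three as running processes the rootkit pass could not see (msimn.exe, cfp.exe, iexplore.exe). The helper below is an added example, not part of the thread and not Avira's tooling: it pulls those entries, the scanner warnings and the summary counters out of such a report and checks that the counters agree with the detail lines. It assumes other AntiVir versions use the same phrases; the sample is a shortened excerpt of the log above with the counts adjusted to match the shortened detail section.

```python
"""Triage helper for an Avira AntiVir scan report.

Added example, not code from the thread or from Avira. It extracts the items a
reviewer looks at first (processes the rootkit pass reported as not visible,
scanner warnings, and the summary counters) and cross-checks the counters
against the detail section. The phrases it keys on are the ones in the report
posted in the thread; that other AntiVir versions use the same wording is an
assumption.
"""
import re

# Shortened excerpt of the posted report (paths and messages as in the log;
# the counts were adjusted to match the shortened detail section).
SAMPLE = r"""
Starting search for hidden objects.
c:\program files\outlook express\msimn.exe
c:\Program Files\Outlook Express\msimn.exe
[NOTE] The process is not visible.
c:\program files\internet explorer\iexplore.exe
c:\Program Files\Internet Explorer\iexplore.exe
[NOTE] The process is not visible.

Starting the file scan:

Begin scan in 'C:\'
C:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\BIT1F2.tmp
[0] Archive type: CAB (Microsoft)
--> _sfx_0008._p
[WARNING] The file could not be written!

0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
1 Warnings
2 Hidden objects were found
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # a line that is a file path
COUNTER_RE = re.compile(r"^(\d+)\s+(\S.*?)\s*$", re.M)  # "N <description>" summary lines

# Summary counters that mean the scanner detected something.
DETECTION_COUNTERS = (
    "Viruses and/or unwanted programs were found",
    "Files were classified as suspicious",
)


def parse_report(text):
    """Return hidden-object paths, warnings and the summary counters."""
    hidden, warnings = [], []
    last_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            last_path = line                    # the report prints the path first ...
        elif line.startswith("[NOTE] The process is not visible"):
            hidden.append(last_path)            # ... then the note that refers to it
        elif line.startswith("[WARNING]"):
            warnings.append((last_path, line[len("[WARNING]"):].strip()))
    counters = {desc: int(n) for n, desc in COUNTER_RE.findall(text)}
    return {"hidden": hidden, "warnings": warnings, "counters": counters}


def triage(report):
    """Decide whether the report needs a human look, and say why."""
    counters = report["counters"]
    findings = []
    for key in DETECTION_COUNTERS:
        if counters.get(key, 0):
            findings.append(f"{counters[key]} {key}")
    listed = len(report["hidden"])
    reported = counters.get("Hidden objects were found", 0)
    if reported != listed:
        findings.append(f"summary reports {reported} hidden objects "
                        f"but {listed} are listed in the detail section")
    # Invisible processes are a fact to explain, not a verdict: the reviewer
    # checks whether a sandbox or security product on the machine accounts
    # for them before treating them as a rootkit indicator.
    hidden_names = sorted({p.rsplit("\\", 1)[-1].lower()
                           for p in report["hidden"] if p})
    verdict = "review" if findings or hidden_names else "clean"
    return {"verdict": verdict, "findings": findings,
            "hidden_processes": hidden_names}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE))
    print(result["verdict"], result["hidden_processes"], result["findings"])
```

A process the scanner cannot see is something to explain rather than a verdict on its own. The same log's process list includes Sandboxie's SbieSvc.exe and SbieCtrl.exe and Comodo's cmdagent.exe, so the reviewer's next step is to establish whether one of the products on the machine accounts for the three invisible processes before reading them as a rootkit indicator.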

Re: My computer seems fine but I worry about rootkits

Unread postby askey127 » September 28th, 2010, 7:53 am

tomcat123,
Don't ever run any program that purports to clean or optimize the registry.
If it's perfect, it won't do any good. If it's not, you can end up with an unbootable machine.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :
COMODO Internet Security
Emsisoft Anti-Malware 5.0
Norton Cleanup
Norton SystemWorks
Norton SystemWorks (Symantec Corporation)
Registrar Registry Manager 6.52
RegVac Registry Cleaner 5.02 (Registered Version)

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
------------------------------------------------------------
Run Defence Inspector
Download the tool from this link: http://downloads.securitycadets.com/Def ... pector.exe
Once downloaded, double-click DefenceInspector to run it.
When presented with the option to begin the scan, please press any key to continue.
When DefenceInspector has finished scanning (this should not take longer than a minute or so), a log will appear.
Please post the entire contents of this log in a new topic in this forum, along with any additional information/questions you may have.
------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it shows any malware items, Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt

askey127
askey127
Admin/Teacher
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

New Post per Askey127: Defence Inspector and MBAM Logs

Unread postby tomcat123 » September 28th, 2010, 3:02 pm

Hello. Thank you again. This post continues the original, "My Computer Seems Fine, but I Worry About Rootkits."

I followed your directions, deleting the programs you specified. I was unable to delete one Norton folder, C:\Program Files\Symantec\LiveUpdate. It contains 10 files, including AluSchedulerSvc.exe. Access was denied using the cmd prompt and I could not boot to safe mode to use full privileges. The difficulty with safe mode is not a new thing. It comes and goes. The many SSDT, Shadow SSDT, and Code hooks of Comodo are all gone.

Since Comodo scores highly in Matousec's firewall tests, I hope you are not recommending against it for the time after you are through with my computer. This is especially so because my other favorite, Online Armor, was incompatible with my other programs two months ago.

The Defence Inspector and MBAM Logs are below. I do not have Windows Defender now, but did in the past. Thank you again, Tom
===============================================
Defence Inspector (Build 26.09.10.1)
Log created at 12:02:49 on September 28, 2010

-= System =-
Windows XP (32-bit, Service Pack 3)
Windows Update: Notify before download
System Restore: ON (59 point(s) available)

-= User Accounts =-
Administrator (Admin)
ASPNET
Guest (Disabled)
HelpAssistant (Disabled)
Owner (Admin)
SUPPORT_388945a0 (Disabled)

-= Security Programs =-
Avira AntiVir
Malwarebytes' Anti-Malware
Spybot S&D
Windows Defender: Not found
Windows Firewall: Enabled

-= Other Programs =-
Adobe AIR 2.0.3.13070
Adobe Flash Player (Plugin) 10.1.85.3
Adobe Flash Player (ActiveX) 10.1.85.3
Internet Explorer 7.0.5730.13
Java 1.6.0_21
Mozilla Firefox 3.6.10 (en-US)

-= EOF =-
===============================================
Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4711

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/28/2010 12:10:54 PM
mbam-log-2010-09-28 (12-10-54).txt

Scan type: Quick scan
Objects scanned: 147671
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: My computer seems fine but I worry about rootkits

Unread postby askey127 » September 29th, 2010, 6:21 pm

tomcat,
I cannot recommend Comodo to anyone.
It installs the ASK toolbar, which is a known adware/spyware purveyor, and it may try to install an Antivirus app as well.
This is kind of a disgusting corruption of the original purpose of a firewall.
If you are behind a router, you can get away with the Windows firewall, or you can buy one. Agnitum/Outpost is still good.
If you scan every week or so with Malwarebytes, you should be good.
------------------------------------------------------------
Please download OTM and save to your Desktop.
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista or Win7, right-click on the file and choose Run As Administrator).
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do NOT copy the word "Code" :
Code: Select all
:Files
C:\Program Files\Symantec

:commands
[emptytemp]
  • Return to OTM, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next Reply.
  • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTM.
Note: the logs are saved in C:\_OTM\MovedFiles\ if you need to retrieve one.
------------------------------------------------
Reset System Restore Points
  • Click Start, All Programs, Accessories, System Tools, System Restore
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Click Start, Run and type Cleanmgr
  • Select the Windows drive (usually C:), then click OK.
  • After it scans, Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.

Reboot your machine to record the changes you have made.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware or changes in the Restore settings.

You should be good to go, and the Symantec folder will be gone.
askey127

Re: OTM and the Symantec Folder

Unread postby tomcat123 » September 29th, 2010, 7:08 pm

Hello. I'm afraid I've caused you some extra mental work by not telling you that I got into safe mode and removed that Symantec folder. I did not think it that important. I'm sorry. I will be sure to follow up on any such comments in the future. Extra mental work, but I know I haven't taxed your brain. Do you want me to run OTM and perform all of the instructions anyway? Thanks again, Tom

Re: My computer seems fine but I worry about rootkits

Unread postby askey127 » September 29th, 2010, 8:21 pm

No problem.
You don't need to run it if that folder is already gone.
Comments on Comodo still stand, and you should do the System Restore cleanup, however.

Deleted All but the Last Restore Point: Ready for the Next

Unread postby tomcat123 » September 29th, 2010, 9:22 pm

Hello and thanks again. I deleted all restore points except the last. I'm ready for your next move. -- Tom

Re: My computer seems fine but I worry about rootkits

Unread postby askey127 » September 30th, 2010, 7:49 am

I don't see any sign of infections on your machine. With all the security programs, your biggest difficulty has arisen from the conflicts between them. You should have exactly one active antivirus program, and a maximum of one active anti-spyware program running at a time.
Right now, I would recommend Malwarebytes paid version for the active anti-spyware app., based on its performance.
I would not run Windows Defender at the same time. If you want to run Windows Defender, just use the free version of Malwarebytes and use it to update and scan manually every week or so.

You can readily control startups and "what's running" with Winpatrol (Free or Plus).
http://www.winpatrol.com/

How is your system running?

Answering Your Last Question

Unread postby tomcat123 » September 30th, 2010, 1:15 pm

Hi. To answer your last question, the machine is faster since all the software removals. That is nice. But that was not my original concern, of course. I have put a lot of faith in your site, Malware Removal, and still trust it very much. I would be happy to post some anti-rootkit logs, but perhaps you can see already that I do not have a rootkit.

RootRepeal shows 284 SSDT entries with 24 hooked. Four hooks are by unknown modules and 20 are by the pxrts.sys file of Prevx. (Prevx has been disabled by disabling its service throughout the whole time you have been working.) It shows 667 Shadow SSDT entries, none hooked; no hidden services; no stealth objects; 48 processes, none hidden or locked; 171 drivers, none hidden; no hidden or locked files.

Rootkit Unhooker shows very, very similar information. It has a category which RootRepeal does not -- Code Hooks. It shows 15 code hooks, seven by an unknown code page, one by ntkrnlpa.exe, and seven by shimeng.dll. (It showed over three thousand code hooks, the majority by Comodo, before I contacted you.) It seems we are nearing the end. Do you have a verdict or do you want some more logs? In either case, I thank you again. --Tom

Re: My computer seems fine but I worry about rootkits

Unread postby askey127 » September 30th, 2010, 1:56 pm

tomcat,
There are a number of programs that create entries that will be detected by "rootkit" scanners, but are not harmful.
(Antivirus and firewall programs, for example.)

Your machine is clean, and we are done here.
Good luck.
askey127
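askey127's closing point, that security products create entries rootkit scanners report without anything being wrong, and tomcat's RootRepeal summary (24 of 284 SSDT entries hooked, 20 by Prevx's pxrts.sys and four by unknown modules) are the two halves of the same triage step. The script below is an added example, not code from the thread or from RootRepeal or Rootkit Unhooker: it takes a hook listing in a constructed, simplified format (an assumption, with made-up addresses), separates hooks owned by a known product from hooks by an unknown owner, and ranks the unknown ones by whether the hooked service is one rootkits use to hide objects. The allowlist is seeded only from what this thread names.

```python
"""Triage of an SSDT hook listing.

Added example; not code from the thread, RootRepeal or Rootkit Unhooker. It
encodes the point made in the thread: a hooked SSDT entry is a fact, not a
verdict, and hooks owned by a security product installed on the machine are
expected. The listing format ("index  NtFunction  address  module") is a
constructed, simplified one and an assumption, not the real tools' output; the
addresses are made up. KNOWN_SECURITY_MODULES is an illustrative allowlist
seeded from what the user reported (pxrts.sys belongs to Prevx); on a real
case it is built from the products actually installed.
"""
import re
from collections import Counter

# Constructed sample listing (the user's real listing had 284 entries).
SAMPLE_HOOKS = """\
#    Function                 Address     Module
0    NtAcceptConnectPort      0x80588a48  ntkrnlpa.exe
41   NtCreateKey              0xf7a3c120  pxrts.sys
66   NtDeleteKey              0xf7a3c2a0  pxrts.sys
122  NtOpenProcess            0xf7a3c3e0  pxrts.sys
190  NtQueryDirectoryFile     0x89c1a6b0  unknown
257  NtSetValueKey            0x89c1a7c0  unknown
"""

# Assumption: an entry still pointing into the kernel image is unhooked.
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe"}
# Illustrative allowlist: module -> product that owns it.
KNOWN_SECURITY_MODULES = {"pxrts.sys": "Prevx"}
# Services a rootkit hooks to hide files, processes or registry keys; an
# unknown owner on one of these is the hook to look at first.
HIDING_FUNCTIONS = {
    "NtQueryDirectoryFile", "NtQuerySystemInformation",
    "NtEnumerateKey", "NtEnumerateValueKey",
}

LINE_RE = re.compile(r"^(\d+)\s+(Nt\w+)\s+(0x[0-9a-fA-F]+)\s+(\S+)$")


def parse_hooks(text):
    """Parse the listing into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            idx, func, addr, mod = m.groups()
            entries.append({"index": int(idx), "function": func,
                            "address": int(addr, 16), "module": mod.lower()})
    return entries


def triage(entries, known=KNOWN_SECURITY_MODULES, kernel=KERNEL_IMAGES):
    """Split hooks into expected (known product) and to-investigate."""
    hooked = [e for e in entries if e["module"] not in kernel]
    by_module = Counter(e["module"] for e in hooked)
    investigate = [e for e in hooked if e["module"] not in known]
    priority = [e["function"] for e in investigate
                if e["function"] in HIDING_FUNCTIONS]
    return {
        "total": len(entries),
        "hooked": len(hooked),
        "by_module": dict(by_module),
        "expected": {m: known[m] for m in by_module if m in known},
        "investigate": investigate,
        "priority": priority,
    }


if __name__ == "__main__":
    r = triage(parse_hooks(SAMPLE_HOOKS))
    print(f"{r['hooked']} of {r['total']} hooked; expected: {r['expected']}")
    for e in r["investigate"]:
        flag = " <- hiding-relevant" if e["function"] in r["priority"] else ""
        print(f"  #{e['index']} {e['function']} -> {e['module']}{flag}")
```

Applied to the user's listing, the 20 pxrts.sys hooks would land in "expected" once Prevx is on the allowlist, and the four hooks by unknown modules are exactly the ones that would surface for a closer look, starting with any that sit on a function used to hide files, processes or registry keys.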

You Gave a Very Pleasing Verdict

Unread postby tomcat123 » September 30th, 2010, 3:40 pm

Hello, Askey127. A very nice verdict! Thank you and Malware Removal. I wish I could do what you do with malware threats. It is neat. As Emsisoft says, "Have a nice malware-free day." -- Tom

Re: My computer seems fine but I worry about rootkits

Unread postby askey127 » September 30th, 2010, 3:46 pm

This topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.