#1
Tech, Microsoft Support
Join Date: Apr 2008
Location: California
Posts: 1,168
OS: Win Vista Ultimate EditionSP1/WinXPSP3
Blog Entries: 2
[SOLVED] Analyst attention is desired
It has been well almost two years now since my last install and I would like to have my logs reviewed just to make sure there is nothing boiling behind my back.
I have not noticed anything weird or anything else like that, but like I say, it has been about two years since the install and I just believe in better safe than sorry. Below I will paste the DDS.txt and attach the other two zipped logs. Thx.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Michael at 12:38:10.90 on Fri 06/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.316 [GMT -7:00]

AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Netropa\OSD.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl This BHO has been disabled by BHODemon.: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - JQSIEStartDetectorImpl Class
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [WinPatrol System Monitor] c:\program files\billp studios\winpatrol\WinPatroluac.exe
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9}
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\sfbufctd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: network.http.max-connections-per-server - 8

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-27 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-2-21 1245064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-19 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090619.004\NAVENG.SYS [2009-6-19 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090619.004\NAVEX15.SYS [2009-6-19 876144]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\michael\locals~1\temp\aswarkrn.sys --> c:\docume~1\michael\locals~1\temp\aswArKrn.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]

=============== Created Last 30 ================

2009-06-11 22:21 <DIR> --d----- c:\docume~1\michael\applic~1\Malwarebytes
2009-06-11 22:21 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 22:21 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-11 22:21 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-11 22:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 20:03 <DIR> --d----- C:\Put them here
2009-06-11 17:06 <DIR> --d----- c:\docume~1\michael\applic~1\DVD Flick
2009-06-11 17:05 <DIR> --d----- c:\program files\DVD Flick
2009-06-10 22:32 3,248 a------- c:\windows\system32\wbem\Outlook_01c9ea560684bafe.mof
2009-06-09 10:47 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 10:47 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-01 21:22 1,645,320 a------- c:\windows\system32\gdiplus.dll
2009-06-01 21:21 <DIR> --d----- c:\program files\BurnAware Free

==================== Find3M ====================

2009-05-12 22:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 22:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 08:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-04 00:27 15,464 a------- c:\windows\system32\securable.sys
2009-04-30 14:22 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 14:22 11,064,832 a------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 14:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 14:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 14:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 04:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 05:26 1,847,168 -------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-05 00:42 2,328,832 a------- c:\windows\system32\TUKernel.exe
2009-03-30 05:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-16 22:50 10,752 a------- c:\documents and settings\michael\WhoisCL.exe

============= FINISH: 12:38:45.14 ===============

Thanks for the time and effort!!!
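The log review that follows in this thread is a manual read of the DDS output: each service and driver entry is checked for where it loads from and whether DDS could find the file on disk (the entries ending in `[?]`). The block below is an added example for readers, not part of the thread and not the DDS tool's own code. It parses the SERVICES / DRIVERS lines into records and raises the two flags a reviewer looks at first: a driver whose file DDS could not stat, and a driver loading from a temp directory. The sample entries are copied from the log above except the last one, which is constructed; the flag names and the `TEMP_MARKERS` list are this example's own conventions, not DDS output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entries from the SERVICES / DRIVERS section of the DDS log above, plus one
# constructed entry (the last line) so a driver that loads from a temp
# directory *with* a readable file is also exercised.
SAMPLE_ENTRIES = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-27 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090619.004\NAVENG.SYS [2009-6-19 89104]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\michael\locals~1\temp\aswarkrn.sys --> c:\docume~1\michael\locals~1\temp\aswArKrn.sys [?]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S3 example;Constructed Example;c:\docume~1\michael\locals~1\temp\example.sys [2009-6-1 4096]
"""

# "R0 name;display;path [date size]": R/S = running/stopped, digit = start type.
LINE_RE = re.compile(r"^(?P<status>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Trailing "[yyyy-m-d size]" when DDS could stat the file, "[?]" when it could not.
TAIL_RE = re.compile(r"\s\[(?:(?P<date>\d{4}-\d{1,2}-\d{1,2})\s(?P<size>\d+)|\?)\]$")

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")   # locals~1\temp is XP's per-user temp dir


@dataclass
class DriverEntry:
    status: str             # "R" running / "S" stopped
    start_type: int
    name: str
    display: str
    path: str               # resolved path (right side of "-->" when present)
    date: Optional[str]     # None when DDS printed [?]
    size: Optional[int]
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[DriverEntry]:
    """Parse one DDS service/driver line; returns None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    tail = TAIL_RE.search(rest)
    if not tail:
        return None
    path_part = rest[: tail.start()]
    if " --> " in path_part:                 # DDS prints "as registered --> as resolved"
        path_part = path_part.split(" --> ", 1)[1]
    path = path_part.strip().strip('"')
    if path.startswith("\\??\\"):            # strip the NT object-manager prefix
        path = path[4:]
    return DriverEntry(
        status=m["status"], start_type=int(m["start"]), name=m["name"].strip(),
        display=m["display"].strip(), path=path, date=tail["date"],
        size=int(tail["size"]) if tail["size"] else None,
    )


def flag_entry(entry: DriverEntry) -> DriverEntry:
    """Attach review flags: file DDS could not find, or a driver living in a temp directory."""
    low = entry.path.lower()
    if entry.date is None:
        entry.flags.append("file-missing")
    if any(marker in low for marker in TEMP_MARKERS):
        entry.flags.append("temp-path")
    return entry


def triage(text: str) -> List[DriverEntry]:
    entries = [parse_entry(line) for line in text.splitlines()]
    return [flag_entry(e) for e in entries if e is not None]


def flagged(entries: List[DriverEntry]) -> Dict[str, List[str]]:
    """Map service name -> flags, for entries that earned at least one flag."""
    return {e.name: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for e in triage(SAMPLE_ENTRIES):
        state = f"{'running' if e.status == 'R' else 'stopped'}/{START_TYPES[e.start_type]}"
        print(f"{e.name:16} {state:16} {e.path}  {','.join(e.flags) or 'ok'}")
```

A flag is a prompt to look, not a verdict: in this thread the analyst read the same two `[?]` entries and judged the log clean, and a stopped (`S3`/`S4`) entry whose file is gone is usually a leftover registration rather than something active. The value of the parse is that every entry gets the same questions asked of it, which is exactly what a tired reviewer skips.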
__________________
#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,648
OS: 2000 Pro; XP Pro; XP Home
Re: Analyst attention is desired
Hi MikenandezNST -
Have you intentionally brought this WhoIs tool onto your machine? c:\documents and settings\michael\WhoisCL.exe If so...then...it all looks fine to me.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#3
Tech, Microsoft Support
Join Date: Apr 2008
Location: California
Posts: 1,168
OS: Win Vista Ultimate EditionSP1/WinXPSP3
Blog Entries: 2
Re: Analyst attention is desired
Yes sir it is a handy little command line tool used for performing whois searches by domain name only.
__________________
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,648
OS: 2000 Pro; XP Pro; XP Home
Re: Analyst attention is desired
By nirsoft.
Logs seem fine.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#5
Tech, Microsoft Support
Join Date: Apr 2008
Location: California
Posts: 1,168
OS: Win Vista Ultimate EditionSP1/WinXPSP3
Blog Entries: 2
Re: Analyst attention is desired
Thanks for the speedy responses!!!
My next question is would it be possible to have you look into a few suspicious registry keys?
__________________
#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,648
OS: 2000 Pro; XP Pro; XP Home
Re: Analyst attention is desired
What registry keys are those, and why do you think they are suspicious? Nothing in the logs so far is....
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#7
Tech, Microsoft Support
Join Date: Apr 2008
Location: California
Posts: 1,168
OS: Win Vista Ultimate EditionSP1/WinXPSP3
Blog Entries: 2
Re: Analyst attention is desired
Well, I thought they were suspicious because I recently performed a clean install on one machine and compared a couple of keys and could not make sense of them; I also tried searching Google and found nothing, and I can normally get some kind of lead for whatever I get suspicious about.
As far as the actual keys, I will need a minute to backtrack my steps and then provide you with the keys I am wary about, or post a screenshot for you, whichever you prefer.
__________________
#8
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,648
OS: 2000 Pro; XP Pro; XP Home
Re: Analyst attention is desired
Still need help? However you provide the details of the registry keys in question is fine, I'm waiting on you.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#9
Tech, Microsoft Support
Join Date: Apr 2008
Location: California
Posts: 1,168
OS: Win Vista Ultimate EditionSP1/WinXPSP3
Blog Entries: 2
Re: Analyst attention is desired
Well, I was not able to backtrack and find all the keys I was curious about or unsure of, although I did remember wanting to know if these were all normal. Here is a screenshot for you, and again, thanks!
__________________
#10
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,648
OS: 2000 Pro; XP Pro; XP Home
Re: Analyst attention is desired
Those refer to mounted devices on the system.
http://technet.microsoft.com/en-us/l...75(WS.10).aspx
http://msdn.microsoft.com/en-us/library/ms802377.aspx
Yes, they're normal.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
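Post #10 identifies the keys in the screenshot as mounted-device entries. The block below is an added example for readers, not from the thread or from Microsoft. It assumes the screenshot showed values under HKLM\SYSTEM\MountedDevices (an assumption: the links above point at mounted-device documentation, but the screenshot itself is not on the page). That key stores one value per volume, and the binary data comes in three shapes: a 12-byte entry for MBR basic-disk partitions (4-byte disk signature followed by the partition's byte offset, both little-endian), a 24-byte entry beginning `DMIO:ID:` followed by a 16-byte partition GUID for GPT and dynamic-disk partitions, and a UTF-16LE device-interface path for removable media. The example decodes each shape and then groups value names that carry identical data, which is why a `\DosDevices\C:` entry and a `\??\Volume{...}` entry for the same volume look alike in regedit. All value names and data are constructed; nothing is read from a live registry.

```python
import struct
import uuid
from typing import Dict, List

# Constructed sample of MountedDevices value names and binary data, made to
# resemble a typical XP box. These are NOT values from the poster's machine.
SAMPLE_VALUES: Dict[str, bytes] = {
    # MBR basic disk: <disk signature:4><partition byte offset:8>, little-endian.
    # 63 * 512 is the classic XP first-partition offset (partition starts at sector 63).
    r"\DosDevices\C:": struct.pack("<IQ", 0x1A2B3C4D, 63 * 512),
    r"\??\Volume{3e0d2a31-5f1c-11de-8a9c-806d6172696f}": struct.pack("<IQ", 0x1A2B3C4D, 63 * 512),
    # Second partition on the same disk (same signature, different offset).
    r"\DosDevices\D:": struct.pack("<IQ", 0x1A2B3C4D, 10 * 1024 ** 3),
    # GPT / dynamic-disk partition: b"DMIO:ID:" + 16-byte partition GUID.
    r"\??\Volume{7c1f4d02-9b3e-4a1d-a0f4-1d2c3b4a5968}":
        b"DMIO:ID:" + uuid.UUID("0f7a2a90-3c3b-4a1e-9b7c-2d9e4c0a1f55").bytes_le,
    # Removable USB media: the device interface path as UTF-16LE text.
    r"\DosDevices\E:":
        "\\??\\STORAGE#RemovableMedia#7&1ab2c3d4&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le"),
}


def decode_mounted_device(data: bytes) -> Dict[str, object]:
    """Decode one MountedDevices value; every result carries a comparable 'identity' string."""
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {
            "kind": "mbr-partition",
            "disk_signature": f"{signature:08X}",
            "partition_offset": offset,
            "identity": f"mbr:{signature:08X}@{offset}",
        }
    if len(data) == 24 and data.startswith(b"DMIO:ID:"):
        guid = str(uuid.UUID(bytes_le=data[8:]))
        return {"kind": "gpt-partition", "partition_guid": guid, "identity": f"gpt:{guid}"}
    if len(data) % 2 == 0:
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:
            text = ""
        if text.startswith(("\\??\\", "_??_")):
            return {"kind": "device-path", "path": text, "identity": f"dev:{text}"}
    # Anything else is reported raw rather than guessed at.
    return {"kind": "unknown", "hex": data.hex(), "identity": f"raw:{data.hex()}"}


def correlate(values: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group value names by decoded identity, so drive letters and Volume{} names of one volume sit together."""
    groups: Dict[str, List[str]] = {}
    for name, data in values.items():
        groups.setdefault(decode_mounted_device(data)["identity"], []).append(name)
    return groups


if __name__ == "__main__":
    for identity, names in correlate(SAMPLE_VALUES).items():
        print(identity)
        for n in names:
            print("   ", n)
```

Grouping by identity is the check worth keeping: a drive letter and a `\??\Volume{...}` name with the same MBR signature and offset are one volume, two partitions sharing a signature sit on one physical disk, and a device path tells you a removable device was once assigned that letter. None of that is suspicious by itself, which is the conclusion the thread reaches.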
#11
Tech, Microsoft Support
Join Date: Apr 2008
Location: California
Posts: 1,168
OS: Win Vista Ultimate EditionSP1/WinXPSP3
Blog Entries: 2
Re: Analyst attention is desired
Thanks very much for the assistance, I appreciate it very much. I guess we will close this one out here.
__________________
#12
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,648
OS: 2000 Pro; XP Pro; XP Home
Re: Analyst attention is desired
Glad to help.
Surf Safely, and Think Prevention! Since this issue is resolved, this topic will be archived.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009