I'm pretty safe. My router has a firewall and is up to date, and I frequently use Avira Antivir (resident), Superantispyware Pro (resident), Malwarebytes' Antimalware, COMODO System Cleaner, Secunia PSI, Ccleaner. IE set to recommended levels, and I'm very careful about what I open. Windows was up to date a few weeks ago when I started having DSL problems. Get the DSL problems fixed, then...
I couldn't install any Windows updates (even manually). I used Combofix; it detected rootkit activity and removed two items (I think a folder and a registry key), and then I could install the updates. I ran Combofix a few more times and it keeps detecting rootkit activity, but the rootkit-detection section of the log keeps showing zero results. I ran a full 4+ hour scan with Avira, with no detections.
I've heard SecuROM can act like a rootkit... could that be making Combofix think I still have an infection?
Here's the locked registry keys section of my latest Combofix log:
[HKEY_USERS\S-1-5-21-73586283-926492609-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:56,22,c6,0a,a9,48,6a,b1,a5,1f,8e,14,4d,94,e8,67,0a,b2,95,e7,6e,
26,6d,4e,b2,8e,67,01,12,5c,37,fd,a0,8b,a9,27,99,a0,7e,5b,c5,b6,43,50,52,ef,\
"rkeysecu"=hex:00,3b,8b,44,0b,11,5c,17,00,2a,6d,11,d1,b9,f5,17
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
Anything look suspicious? Thanks very much!
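As an added example (not from the original post, ComboFix, or any of the tools named above), here is a small Python triage helper for this kind of "locked registry keys" section: it parses each entry, records which ones carry an @Denied ACE, and compares the key paths against an allow-list of entries expected on a clean machine (the SecuROM licence key and Adobe's FlashBroker CLSID/Interface registration quoted above). The allow-list and the third, constructed sample entry are assumptions made for the example.

```python
import re

# Allow-list (an assumption for this example, not a ComboFix feature) of locked
# keys expected on a clean machine: SecuROM licence data and Adobe FlashBroker.
KNOWN_BENIGN = [
    re.compile(r"\\Software\\SecuROM\\License information", re.I),
    re.compile(r"\\CLSID\\\{A483C63A-CDBC-426E-BF93-872502E8144E\}", re.I),
    re.compile(r"\\Interface\\\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F\}", re.I),
]
# Sample input: first two entries quoted from the log above, third one constructed.
SAMPLE_LOG = r"""[HKEY_USERS\S-1-5-21-73586283-926492609-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:56,22,c6,0a,a9,48,6a,b1,a5,1f,8e,14,4d,94,e8,67,0a,b2,95,e7,6e,
26,6d,4e,b2,8e,67,01,12,5c,37,fd,a0,8b,a9,27,99,a0,7e,5b,c5,b6,43,50,52,ef,\
"rkeysecu"=hex:00,3b,8b,44,0b,11,5c,17,00,2a,6d,11,d1,b9,f5,17
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}]
@Denied: (A 2) (Everyone)
@="constructed placeholder entry, not from the log"
"""

def parse_locked_keys(text):
    """Entries are separated by a lone '.'; first line is the [key]; '@Denied:'
    records an access-denied ACE; other unprefixed lines continue a hex value."""
    entries = []
    for chunk in re.split(r"(?m)^\.[ \t]*$", text):
        lines = [l for l in chunk.splitlines() if l.strip()]
        if not lines or not lines[0].startswith("["):
            continue
        entry = {"key": lines[0].strip("[]"), "denied": False, "values": {}}
        last = None
        for line in lines[1:]:
            if line.startswith("@Denied:"):
                entry["denied"] = True
            elif line.startswith(("@=", '"')):
                name, _, val = line.partition("=")
                last = name.strip('"')
                entry["values"][last] = val
            elif last is not None:
                entry["values"][last] += line   # continuation of a hex value
        entries.append(entry)
    return entries

def triage(text):
    """Label each locked key; anything not on the allow-list needs a human look."""
    return [(e["key"], "known-benign" if any(p.search(e["key"]) for p in KNOWN_BENIGN)
             else "review") for e in parse_locked_keys(text)]
```

Keys labelled "review" are only candidates for a closer look (owner process, ACL, creation time), not detections in themselves.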