magna86, I’m so glad to see you again! I thought you might have had other business today.
When you ask if I have the logs, C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt, do I need to do anything to generate them, or should I use whatever I find in that location?
You may recall that you had asked for logs from a second run of zoek.exe yesterday that I managed to supply on a second attempt. I was looking through it and wondered if this was a concern.
==== Suspicious Entries Found ======================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP::Enabled:@xpsp2res.dll,-22009"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9322:TCP"="9322:TCP::Enabled:EKDiscovery"
"5353:UDP"="5353:UDP::Enabled:Bonjour Port 5353"
"3389:TCP"="3389:TCP::Enabled:@xpsp2res.dll,-22009"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008"
"5985:TCP"="5985:TCP::Disabled:Windows Remote Management "
"80:TCP"="80:TCP::Disabled:Windows Remote Management - Compatibility Mode (HTTP-In) "
It also contained a long list of “other files” that I believe are where the infection may have originated.
Thanks for your help. I hope I don't sound overly anxious; it's just that I have a lot of important information stored on the computer in question. I admit that I'll feel much relieved when I know it's safe again.
JG
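The firewall entries quoted in the post above follow the Windows XP/2003 GloballyOpenPorts value format, port:protocol:scope:Enabled|Disabled:name. The script below is an added example, not part of the post or of the zoek tool: it parses a constructed log fragment in that format and separates the entries that deserve a second look (an enabled exception with no scope restriction for a port the script does not recognise, such as the 9322 entry) from the ordinary ones (disabled entries, or entries limited to LocalSubNet). It assumes that an empty or "*" scope field means any remote address, and the KNOWN_PORTS table is a small reference list added for the example.

```python
"""Triage Windows XP/2003 firewall GloballyOpenPorts entries from a zoek-style log.

Added example (not the post's own data or zoek's own code). The sample log below
is constructed to mirror the value format quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample, in the same format as the registry dump in the post.
SAMPLE_LOG = r'''
==== Suspicious Entries Found ======================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP::Enabled:@xpsp2res.dll,-22009"
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9322:TCP"="9322:TCP::Enabled:EKDiscovery"
"5985:TCP"="5985:TCP::Disabled:Windows Remote Management "
'''

# Reference list for the ports that appear in the thread (added for this example).
KNOWN_PORTS = {
    (3389, "TCP"): "Remote Desktop (RDP)",
    (1900, "UDP"): "SSDP / UPnP discovery",
    (2869, "TCP"): "UPnP device host",
    (5353, "UDP"): "mDNS / Bonjour",
    (5985, "TCP"): "WinRM (HTTP)",
    (80, "TCP"): "HTTP",
}

# Assumption: an empty or "*" scope field means the exception applies to any address.
ANY_SCOPE = ("", "*")


@dataclass
class OpenPort:
    profile: str   # DomainProfile or StandardProfile, taken from the key path
    port: int
    proto: str
    scope: str     # "" / "*" = any address, "LocalSubNet" = local subnet only
    enabled: bool
    name: str


PROFILE_RE = re.compile(
    r"\[HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\(\w+)\\GloballyOpenPorts\\List\]"
)
VALUE_RE = re.compile(r'"([^"]*)"="([^"]*)"')


def parse_open_ports(text):
    """Return one OpenPort per value line, tagged with the profile key it sits under."""
    entries = []
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or profile is None:
            continue
        # The name may itself contain colons, so split into at most five fields.
        fields = m.group(2).split(":", 4)
        if len(fields) != 5:
            continue
        port, proto, scope, state, name = fields
        entries.append(OpenPort(profile, int(port), proto.upper(), scope,
                                state.lower() == "enabled", name.strip()))
    return entries


def triage(entries):
    """Rate each enabled exception: info (subnet-limited), review (known service
    open to any address) or investigate (unrecognised port open to any address)."""
    findings = []
    for e in entries:
        if not e.enabled:
            continue  # a disabled exception is not listening through the firewall
        service = KNOWN_PORTS.get((e.port, e.proto), "unrecognised")
        if e.scope not in ANY_SCOPE:
            severity = "info"
        elif service == "unrecognised":
            severity = "investigate"
        else:
            severity = "review"
        findings.append({"profile": e.profile, "port": e.port, "proto": e.proto,
                         "scope": e.scope or "any", "service": service,
                         "name": e.name, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(parse_open_ports(SAMPLE_LOG)):
        print(f"{f['severity']:<11} {f['profile']:<15} {f['port']}/{f['proto']} "
              f"scope={f['scope']} {f['service']} ({f['name']})")
```

The output does not say whether a given exception is malicious; it only orders the list so that an enabled, unrestricted exception for a port nobody can account for is read first, while entries Windows itself registers (the @xpsp2res.dll names) or that are limited to the local subnet are read as routine.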