Trouble in paradise.. :( Apparent botnet activity!

I made the mistake of not logging out my admin account for one freaking day since i was doing a lot of admin related work, and i ended up with a pirated edition of office 2007 installed on my system by my brother only noticed today.
i was using 2010 beta previously and had just installed openoffice for some time till i got a 2010 license.

When i logged in to my open dns account, i was greeted by the message "Malware/Botnet Activity Detected" from my ip address from the day that the app was installed. It was on the 2nd apparently..
There is a whole list of domains that opendns blocked (84, thankfully), some of them below;

Now i have restored the system to before the app was installed, and there has been no such activity, looking at online armor free i just installed, i have since deleted all those restore point except the one i made after i got the restoration done. And i also removed all ms office related directories.. i did not check with OA with that app installed, since i was in a hurry to remove it from my system.

I have scanned with MBAM, Hitman Pro, checked all autorun entries by 'autoruns', OA apparently checked them upon its installtion as well, even checked with hijackthis, checked with GMER for any signs of rootkits; all have come out negative...

so should i stop freaking out now? I don't want an os reinstall... neither do i have a system image, yeah my bad..

Attached ss shows the rules OA made by itself... could not stop it from learning initially.

 

From the portion of the Firewall Ruleset you show, there are some dangers, where Ports 135, 137-139, 445 are permitted in. Those are the trojan/worm ports and should be closed unless you use file sharing, in which case specific addresses are usually indicated.

Also, additional protection can be obtained by having separate Browser rules for Ports 80 and 443. For Port 443 you can set up a group custom addresses for your secure sites. Any other attempt to use Port 443 will bring up an alert.

----
rich

 

in case you forget again, the screenshot...

Wonderful free software/recovery disk

 

Thanks for the tip wat0114. will do that.

Rmus, do you mean that those ports were opened by active malware on the system for the specific processes?? And does this mean i don't have a clean system?

i do have an external router with the fw enabled..with upnp port forwarding disabled... so i guess these won't be opened over there.

PS: The ss shows all the rules that oa created.

EDIT:
In the network activity, i can see the following; the 192 ip being the system's internal ip. But whats with the listening on so many ports..

 

I just commented on what I observed in your Rule Set, and you said that OA created the rules automatically. Nothing more can be determined without someone checking with the expertise to analyze what's going on.

You didn't indicate that in your first post, so probably everything I wrote isn't relevant.

----
rich

 

Is it bad to enable upnp port forwarding in router?

 

Well i disabled it cause my router began having problems with it rebooting every now and then... but yea it might offer some protection from malware related opening of ports but i am no expert.

ya i understand what you mean... so far apart from these listening connections/opened ports (on the software fw only) there has been no malicious activity over the internet or otherwise.

can you please throw some light on the default opened ports for the files pointed out above on windows 7 ultimate? and thanks a lot for your attention .

 

Sorry, I don't use Windows 7.

You might get good help in the Firewall Forum regarding ports, etc.

----
rich

 

Alright thanks Rmus...