Thread: SystemSecurity and others, HJT log included
View Single Post
  #7 (permalink)  
Old 26-06-2009, 01:56 AM
Sevyrd Sevyrd is offline
Junior Member
D-A-L Newbie
  
Join Date: Dec 2005
Posts: 23
Sevyrd Is a beginner here at D-A-L
Re: SystemSecurity and others, HJT log included
Hello again, here is my ComboFix log.

ComboFix 09-06-25.01 - Bridget 06/25/2009 20:38.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1013.101 [GMT -4:00]
Running from: c:\users\Bridget\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\SKYNETgmupbstq.sys
c:\windows\system32\SKYNETnvmhxobn.dat
c:\windows\system32\SKYNETokyjnhsd.dat
c:\windows\system32\SKYNETqimeuonh.dll
c:\windows\system32\SKYNETwtbvoasd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETwueomjed


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-26 00:46 . 2009-06-26 00:46 -------- d-----w- c:\users\Bridget\AppData\Local\temp
2009-06-23 04:30 . 2009-06-23 03:40 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-23 03:39 . 2009-03-12 08:17 2902048 -c--a-w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-23 03:39 . 2009-06-23 03:40 -------- d-----w- c:\programdata\Lavasoft
2009-06-23 03:39 . 2009-06-23 03:39 -------- d-----w- c:\program files\Lavasoft
2009-06-22 20:50 . 2009-06-22 20:50 -------- d-----w- c:\users\Bridget\AppData\Roaming\Malwarebytes
2009-06-22 20:50 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 20:50 . 2009-06-22 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 20:50 . 2009-06-22 20:50 -------- d-----w- c:\programdata\Malwarebytes
2009-06-22 20:50 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 20:33 . 2009-06-22 20:33 -------- d-----w- c:\users\Bridget\AppData\Roaming\AVG8
2009-06-22 20:08 . 2009-06-23 03:39 -------- dc-h--w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-21 23:00 . 2009-06-21 23:00 -------- d-----w- c:\program files\CCleaner
2009-06-21 22:38 . 2009-06-21 22:38 -------- d-----w- c:\users\Bridget\AppData\Local\Symantec
2009-06-21 15:14 . 2009-06-21 15:14 -------- d-----w- c:\users\Bridget\AppData\Local\Downloaded Installations
2009-06-21 15:14 . 2009-06-22 20:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-21 15:14 . 2009-06-22 20:32 -------- d-----w- c:\programdata\Symantec
2009-06-21 15:14 . 2009-06-22 20:32 -------- d-----w- c:\programdata\Norton
2009-06-21 15:09 . 2009-06-21 15:14 -------- d-----w- c:\programdata\NortonInstaller
2009-06-21 15:08 . 2009-06-21 15:11 -------- d-----w- c:\users\Bridget\AppData\Roaming\GetRightToGo
2009-06-20 02:06 . 2009-06-22 21:43 -------- d-----w- c:\programdata\94114846
2009-06-20 02:06 . 2009-06-22 21:43 -------- d-----w- c:\programdata\14104854
2009-06-13 15:06 . 2009-04-30 12:42 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-06-13 15:06 . 2009-04-30 12:06 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-13 15:06 . 2009-04-30 12:02 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-06-09 02:17 . 2009-06-09 02:17 758088 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlig ht\MCESpotlight\SpotlightResources.dll
2009-06-09 01:25 . 1998-10-02 23:00 327168 ----a-w- c:\windows\IsUninst.exe
2009-06-09 01:03 . 2009-06-09 01:05 -------- d-----w- c:\users\Bridget\.gimp-2.6
2009-06-09 01:02 . 2009-06-09 01:03 -------- d-----w- c:\users\Bridget\.gegl-0.0
2009-06-09 01:00 . 2009-06-22 22:01 -------- d-----w- c:\users\Bridget\AppData\Local\WeatherBug
2009-06-09 01:00 . 2009-06-09 01:00 -------- d-----w- c:\users\Bridget\AppData\Roaming\WeatherBug
2009-06-09 00:58 . 2009-06-09 00:58 -------- d-----w- c:\program files\Gimp-2.0
2009-06-09 00:57 . 2006-10-09 17:06 495616 ----a-w- c:\windows\system32\WINUTIL5.DLL
2009-06-09 00:57 . 2006-05-17 12:40 393216 ----a-w- c:\windows\system32\WINLCTL5.DLL
2009-06-09 00:57 . 2009-06-09 01:01 -------- d-----w- c:\programdata\Yahoo! Companion
2009-06-05 19:23 . 2009-06-05 19:23 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Brow se\NetTVResources.dll
2009-06-02 01:00 . 2009-06-02 01:00 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-06-26 00:35 . 2007-12-17 01:53 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-23 20:25 . 2009-03-05 23:35 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-22 20:41 . 2008-12-28 00:36 -------- d-----w- c:\program files\QuickTime
2009-06-22 02:29 . 2007-12-17 01:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-21 15:20 . 2007-12-17 02:05 -------- d-----w- c:\programdata\McAfee
2009-06-20 02:18 . 2007-12-17 02:09 -------- d-----w- c:\program files\Google
2009-06-09 00:59 . 2008-01-08 03:01 -------- d-----w- c:\program files\Yahoo!
2009-06-08 11:23 . 2008-02-03 22:59 680 ----a-w- c:\users\Bridget\AppData\Local\d3d9caps.dat
2009-06-06 14:06 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-19 05:36 . 2009-06-15 19:20 2884832 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 05:36 . 2009-06-15 19:20 28 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 05:36 . 2009-06-15 19:20 25 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 05:36 . 2009-06-15 19:20 1484856 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 05:36 . 2009-06-15 19:20 97072 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 05:36 . 2009-06-15 19:20 142040 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 05:36 . 2009-06-15 19:20 30512 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 05:36 . 2009-06-15 19:20 111920 ------w- c:\programdata\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-04-24 16:22 . 2009-06-10 08:53 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:14 . 2009-06-10 08:53 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-04-24 16:14 . 2009-06-10 08:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 16:11 . 2009-06-10 08:53 72704 ----a-w- c:\windows\system32\admparse.dll
2009-04-24 13:53 . 2009-06-10 08:53 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-24 12:25 . 2009-06-10 08:53 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-04-23 13:01 . 2009-06-10 08:53 788992 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:56 . 2009-06-10 08:53 696832 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 12:04 . 2009-06-10 08:53 2028032 ----a-w- c:\windows\system32\win32k.sys
2009-04-19 16:00 . 2007-12-25 15:56 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-04-19 16:00 . 2007-12-25 15:56 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-04-19 16:00 . 2007-12-25 15:56 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-04-19 16:00 . 2007-12-25 15:56 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-04-19 16:00 . 2007-12-25 15:56 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-12-17 09:34 . 2007-12-17 09:19 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-12-18 50528]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2007-12-17 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-28 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-26 154136]
"Persistence"="c:\windows\system32\igfxpers.ex e" [2007-09-26 129560]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-23 518488]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-16 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\FirewallRules]
"{D630A083-851D-4FDD-A224-876EFDBC9B45}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{C50C4214-EFFB-472F-8D46-A921DBD60710}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{E292CF8C-EC52-4E2E-B0E9-1C14F7131945}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{C8B72F99-0245-4D72-BD74-C0E834310796}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine. exe:Cyberlink Media Server Browser Engine
"{4824AEB0-8366-406D-B367-0396EBE6767A}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe: CyberLink Media Server
"{CE439947-2A3A-432F-99AE-316596DB9A3C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2F22316C-0CEB-4257-9A11-220530D9682A}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CF09F1AD-757C-4C88-8134-1E1F4D3E655C}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D7C2F5AE-FE64-4272-BCC7-18AB7EF91E19}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{16A58F07-D94F-4876-9178-091511B344A4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6A0F73B1-FCDD-484F-836D-FDAA434B4D6F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{98C80F99-8E94-4975-80F3-5960377A1A00}"= Disabled:UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{5B42B0F5-2343-4B3C-88F1-DAFD1199FE84}"= Disabled:TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{EE88E786-24C9-426F-8874-436FDDEB7DB4}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{ABA8CDEF-7E81-40D8-AE31-7B10AC786324}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|S vc=DFSR:Allow inbound TCP traffic|

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [6/22/2009 11:40 PM 64160]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [12/16/2007 9:40 PM 73728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1003344]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [3/5/2009 7:36 PM 1153368]
S2 eac_notifysvc;eAcceleration Notification Service;"c:\program files\eAcceleration\Framework\eac_svc.exe" --> c:\program files\eAcceleration\Framework\eac_svc.exe [?]
S2 eac_productsvc;eAcceleration Product Manager Service;"c:\program files\eAcceleration\Framework\eac_productsvc.exe" --> c:\program files\eAcceleration\Framework\eac_productsvc.exe [?]
S4 StopSign Update Manager;StopSign Update Manager;"c:\program files\Common Files\eAcceleration\eacsvc.exe" --> c:\program files\Common Files\eAcceleration\eacsvc.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6071217
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Bridget\AppData\Roaming\Mozilla\Firefox\P rofiles\wyamwjcq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFFab&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_sett ing", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&") ;
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&a ppver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-25 20:46
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-26 20:51
ComboFix-quarantined-files.txt 2009-06-26 00:51

Pre-Run: 43,433,660,416 bytes free
Post-Run: 43,343,392,768 bytes free

218 --- E O F --- 2009-06-26 00:50
Reply With Quote