Thread: Vundo Again
12-11-2007, 07:46 AM   #3
mariuszca
Registered User
 
Join Date: Dec 2007
Posts: 4
OS: XP prof SP2


Re: Vundo Again

Hello - first of all, thank you very much for your help.

1. I found only
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)
O2 - BHO: (no name) - {3ED74DAC-C3E9-45D4-950A-BDD8EF574F62} - (no file)
O4 - HKLM\..\Run: [iyyuefcx] C:\ldckbrqw.bat
HijackThis fixed it.

2. PSI is a client for the Jabber messenger.

3. Log from ComboFix:


ComboFix 07-12-09.1 - mariusz_User 2007-12-11 15:30:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.515 [GMT 1:00]
Running from: C:\Documents and Settings\mariusz_User\Pulpit\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-07 12:45 . 2007-12-07 12:45 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-12-06 13:48 . 2007-12-06 13:48 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Media Player Classic
2007-12-06 13:47 . 2007-12-06 13:48 <DIR> d-------- C:\Program Files\Real Alternative
2007-12-05 13:13 . 2007-12-05 13:21 <DIR> d-------- C:\Program Files\ABBYY FineReader 8.0 Professional Edition
2007-12-05 11:46 . 2007-12-05 11:46 <DIR> d-------- C:\Program Files\Cream Software
2007-12-05 11:46 . 2007-12-05 11:46 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Cream Software
2007-12-05 11:35 . 2007-12-05 11:35 <DIR> d-------- C:\Program Files\PWB
2007-12-04 11:50 . 2007-12-04 11:50 <DIR> d-------- C:\Deckard
2007-12-04 10:35 . 2007-12-04 10:35 <DIR> d-------- C:\ie-spyad_zo
2007-12-04 10:32 . 2007-12-04 10:35 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-04 09:22 . 2007-12-04 10:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-04 09:22 . 2007-12-04 09:22 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-04 09:22 . 2007-12-04 09:22 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-04 09:22 . 2007-12-04 09:22 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-03 16:40 . 2007-12-03 16:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 17:17 . 2007-12-02 17:17 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-29 18:35 . 2007-11-29 18:35 8 --a------ C:\WINDOWS\system32\success
2007-11-29 18:34 . 2007-11-29 18:34 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2007-11-29 18:34 . 2004-08-04 04:54 269,387 --a------ C:\WINDOWS\system32\drivers\CVPNDRVA.sys
2007-11-29 18:34 . 2004-08-04 04:50 135,168 --a------ C:\WINDOWS\system32\vpnapi.dll
2007-11-29 18:22 . 2007-11-29 18:24 1,592 --a------ C:\WINDOWS\VPNUnInstall.MIF
2007-11-29 14:29 . 2007-12-03 11:04 <DIR> d-------- C:\Program Files\HP Product Bulletin
2007-11-28 20:26 . 2007-03-21 13:33 1,257,566 -ra------ C:\WINDOWS\system32\dsa.dll
2007-11-27 09:56 . 2007-11-27 09:56 <DIR> d-------- C:\Documents and Settings\mariusz_User\.jpi_cache
2007-11-27 09:56 . 2007-11-27 09:56 <DIR> d-------- C:\Documents and Settings\mariusz_User\.java
2007-11-22 15:13 . 2007-11-22 15:14 <DIR> d-------- C:\LiteStep
2007-11-22 12:30 . 2007-11-23 13:53 6,444 ---h----- C:\treeinfo.wc
2007-11-22 12:16 . 2007-11-22 12:16 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-22 11:53 . 2007-11-22 12:04 <DIR> d-------- C:\Rustbfix
2007-11-22 11:11 . 2007-12-06 08:17 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-22 11:11 . 2007-11-22 11:11 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Simply Super Software
2007-11-22 11:11 . 2007-11-22 11:11 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Simply Super Software
2007-11-22 11:11 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-22 11:11 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-11-22 11:11 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-22 11:11 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-22 11:11 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-22 10:52 . 2004-08-04 22:00 108,544 --a------ C:\WINDOWS\system32\services.exe
2007-11-22 10:52 . 2004-08-04 22:00 33,080 --a------ C:\WINDOWS\system32\services.msc
2007-11-22 10:05 . 2007-12-04 20:41 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2007-11-22 10:05 . 2007-08-07 17:44 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2007-11-22 10:05 . 2007-08-07 15:53 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2007-11-22 10:05 . 2007-11-15 11:09 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2007-11-22 10:05 . 2007-08-07 17:44 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2007-11-22 10:05 . 2007-08-07 17:44 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2007-11-22 10:05 . 2007-08-07 17:44 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2007-11-22 09:54 . 2007-11-15 08:49 78,238,146 --a------ C:\rejestr15_11_2007.reg
2007-11-20 17:54 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2007-11-20 17:54 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2007-11-20 17:54 . 2001-10-26 16:46 23,936 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2007-11-20 17:54 . 2001-10-26 16:46 23,936 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2007-11-20 17:54 . 2001-08-17 21:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2007-11-20 17:54 . 2001-08-17 21:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2007-11-20 15:14 . 2007-12-05 13:06 <DIR> d-------- C:\Program Files\ABBYY FineReader 9.0
2007-11-20 15:14 . 2007-11-20 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ABBYY
2007-11-20 14:21 . 2007-12-11 15:23 <DIR> d-------- C:\Program Files\English Translator 3
2007-11-20 14:15 . 2007-11-20 14:15 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-20 08:44 . 2007-12-04 09:57 <DIR> d-------- C:\Program Files\MMTaskbar
2007-11-19 21:35 . 2007-11-19 21:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-19 19:57 . 2007-11-19 19:57 <DIR> d-------- C:\VundoFix Backups
2007-11-19 18:20 . 2007-11-22 08:29 894 --a------ C:\WINDOWS\system32\dexhsnac.ini.ren
2007-11-19 15:24 . 2007-11-22 08:51 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-19 15:18 . 2007-11-19 15:18 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Grisoft
2007-11-19 15:17 . 2007-11-19 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Grisoft
2007-11-19 15:17 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-19 15:10 . 2007-11-19 15:10 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-19 15:09 . 2007-11-19 15:11 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-19 12:55 . 2007-11-19 12:55 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\ABBYY
2007-11-19 12:20 . 2007-11-19 12:20 44,993 --a------ C:\nbhsamd.exe
2007-11-19 10:47 . 2007-11-19 10:48 678,280 --a------ C:\WINDOWS\system32\omglsoek.ini
2007-11-19 10:05 . 2007-08-20 11:01 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-19 10:05 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-19 10:05 . 2007-03-08 06:11 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-19 10:05 . 2007-08-20 11:01 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-19 10:05 . 2007-08-20 11:01 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-19 10:05 . 2007-08-20 11:01 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-19 10:05 . 2007-08-20 11:01 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-19 10:05 . 2007-08-20 11:01 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-19 10:05 . 2007-08-17 11:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-18 18:18 . 2007-11-18 18:18 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Sonic
2007-11-18 18:18 . 2007-11-18 18:18 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Leadertech
2007-11-18 12:07 . 2007-12-04 10:01 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-18 10:50 . 2007-11-19 10:24 678,220 --a------ C:\WINDOWS\system32\wtjdomxj.ini
2007-11-17 15:06 . 2007-11-17 16:23 <DIR> d-------- C:\Program Files\SkanerOnline
2007-11-17 07:26 . 2007-11-17 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2007-11-17 07:08 . 2007-11-19 18:16 <DIR> d-------- C:\quarantine
2007-11-17 07:05 . 2007-11-18 10:42 677,980 --a------ C:\WINDOWS\system32\ynagwywr.ini
2007-11-15 17:00 . 2005-09-22 20:28 163,896 --a------ C:\WINDOWS\sequencer.exe
2007-11-15 17:00 . 2005-12-19 13:23 602 --a------ C:\WINDOWS\uninst.seq
2007-11-15 16:59 . 2007-12-04 10:10 <DIR> d-------- C:\WINDOWS\system32\DLA
2007-11-15 16:59 . 2007-11-15 16:59 <DIR> d-------- C:\Program Files\Sonic
2007-11-15 16:59 . 2007-11-15 16:59 <DIR> d-------- C:\Program Files\Multimedia Center for Think Offerings
2007-11-15 16:59 . 2007-11-15 16:59 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-11-15 16:59 . 2006-02-02 05:20 94,263 --a------ C:\WINDOWS\DLA.EXE
2007-11-15 16:59 . 2006-03-01 03:30 89,472 --a------ C:\WINDOWS\system32\drivers\DRVMCDB.SYS
2007-11-15 16:59 . 2006-02-02 05:20 61,500 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2007-11-15 16:59 . 2005-11-18 05:20 40,544 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2007-11-15 16:59 . 2005-11-18 12:02 22,684 --a------ C:\WINDOWS\system32\drivers\DLARTL_N.SYS
2007-11-15 16:59 . 2005-11-18 12:02 5,660 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2007-11-15 16:59 . 2007-11-17 10:17 320 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 16:05 --------- d-----w C:\Program Files\mariusz
2007-12-04 09:00 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2007-12-04 08:52 --------- d-----w C:\Program Files\Gadu-Gadu
2007-11-15 14:01 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-15 07:22 --------- d-----w C:\Documents and Settings\LocalService\Dane aplikacji\VMware
2007-11-15 07:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\VMware
2007-11-14 10:39 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-13 18:51 --------- d-----w C:\Program Files\ThinkPad
2007-11-13 12:56 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Network Associates
2007-11-13 01:41 --------- d-----w C:\Program Files\Network Associates
2007-11-13 01:41 --------- d-----w C:\Program Files\Common Files\Network Associates
2007-09-28 15:30 20,264 ----a-w C:\WINDOWS\system32\Sensor.DLL
2007-09-28 15:29 37,424 ----a-w C:\WINDOWS\system32\TPHDEXLG.exe
2007-09-28 12:28 492,840 ----a-w C:\WINDOWS\system32\TpShCPL.dll
2007-09-28 12:28 181,544 ----a-w C:\WINDOWS\system32\TpShocks.exe
2007-09-28 12:28 128,296 ----a-w C:\WINDOWS\system32\TpShEvUI.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-04_20.40.03.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 02:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-08 02:32:45 141,824 ----a-w C:\WINDOWS\catchme.exe
- 2007-11-20 14:56:20 25,214 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ARPPRODUCTICON.exe
+ 2007-12-05 12:16:15 25,214 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ARPPRODUCTICON.exe
- 2007-11-20 14:56:20 65,536 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ICON_FineReader.exe
+ 2007-12-05 12:16:15 65,536 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ICON_FineReader.exe
+ 2007-12-05 12:16:16 65,536 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ICON_ScreenshorReader.exe
- 2007-11-20 14:59:55 15,360 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2007-12-05 12:20:47 15,360 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2001-06-23 00:31:20 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
+ 1998-03-26 03:57:34 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
+ 1998-05-12 19:36:44 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
+ 2006-10-07 04:18:32 185,952 ----a-w C:\WINDOWS\system32\rmoc3260.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2007-05-03 21:21]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44]
"NPDTRAY"="C:\PROGRA~1\Lenovo\NPDIRECT\NPDTray.exe" [2007-04-10 03:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2007-09-28 13:28 C:\WINDOWS\system32\TpShocks.exe]
"PSQLLauncher"="C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" [2007-03-08 16:48]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2004-02-19 12:07]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 15:06]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 01:19]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 14:49]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 02:33]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 01:19]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-03-23 02:02]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-22 11:08]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44]

C:\Documents and Settings\mariusz_User\Menu Start\Programy\Autostart\
Launcher.lnk - C:\Program Files\mariusz\sua.exe [2002-02-28 13:31:46]
Psi.lnk - C:\Program Files\Psi\psi.exe [2006-01-11 14:54:54]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 17:43:30]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-11-29 18:34:50]
MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe [2007-11-20 08:44:50]
Zasobnik programu McAfee Desktop Firewall.lnk - C:\Program Files\Network Associates\McAfee Desktop Firewall dla Windows XP\FireTray.exe [2007-08-08 07:41:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2007-03-08 17:08 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 16:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 11:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=msjt3032Patch.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^SBW-Autoupdate.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\SBW-Autoupdate.lnk
backup=C:\WINDOWS\pss\SBW-Autoupdate.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-22 23:24 620152 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-09-13 10:12 139264 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2006-02-02 05:20 122940 --a------ C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-08-15 15:07 162328 --a------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-08-15 15:07 141848 --a------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-08-15 15:07 137752 --a------ C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2007-08-01 11:07 540672 --a------ C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"TVT Scheduler"=2 (0x2)
"TPHDEXLGSVC"=2 (0x2)
"SUService"=2 (0x2)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"IBMPMSVC"=2 (0x2)
"btwdins"=2 (0x2)
"WinDefend"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

R0 FirePM;McAfee Desktop Firewall Policy Manager Driver;C:\WINDOWS\system32\Drivers\FirePM.sys
R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys
R1 FireTDI;McAfee Desktop Firewall TDI Driver;\??\C:\WINDOWS\system32\Drivers\FireTDI.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys
R2 FireHook;McAfee Desktop Firewall Network Driver;C:\WINDOWS\system32\DRIVERS\firehook.sys
R2 smihlp;SMI Helper Driver (smihlp);\??\C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 firelm01;firelm01;\??\C:\WINDOWS\system32\drivers\firelm01.sys
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys
S3 tpflhlp;tpflhlp;\??\C:\Program Files\Lenovo\System Update\session\7cuj22us\tpflhlp.sys
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a901a06b-9185-11dc-9257-005056c00008}]
\Shell\AutoRun\command - K:\USBNB.exe

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 19:42:19 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2007-11-22 10:20:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-19 09:24:17 C:\WINDOWS\Tasks\PMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\msjt3032Patch.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
-> C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\msjt3032Patch.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\MMTaskbar\shellhook.dll
-> C:\PROGRA~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
-> C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 15:32:03
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-11 15:32:57
C:\ComboFix2.txt ... 2007-12-04 20:41
.
--- E O F ---


4. This file is clean - C:\WINDOWS\system32\msjt3032Patch.dll

5. List the contents of this folder C:\WINDOWS\system32 - see attachment.


Greetings
Mariusz
Attached Files: list.txt (114.2 KB)