Tech Support Forum - Resolved HJT Threads

#1
Registered User
Join Date: Dec 2007
Posts: 4
OS: XP prof SP2
Vundo Again
Hello

My McAfee 8.0 found a Vundo infection about 2 weeks ago. I used the Symantec Trojan.Vundo Removal Tool and Windows Worms Door Cleaner to close ports, and everything seemed good until yesterday. McAfee alerted me:

2007-12-03 16:05:05 Usunięte ZARZĄDZANIE NT\SYSTEM svchost.exe C:\System Volume Information\_restore{95D5ED81-2D40-489E-8862-CD184F9A099D}\RP6\A0000834.dll Vundo (Koń trojański)
2007-12-03 18:35:44 Wersja aparatu skanowania = 5.2.00
2007-12-03 18:35:44 Wersja pliku DAT = 5176
2007-12-03 18:35:44 Liczba sygnatur wirusów w pliku EXTRA.DAT = Brak
2007-12-03 18:35:44 Nazwy wirusów, które można wykryć dzięki plikowi EXTRA.DAT = Brak
2007-12-03 19:07:13 Usunięte ZARZĄDZANIE NT\SYSTEM svchost.exe C:\System Volume Information\_restore{95D5ED81-2D40-489E-8862-CD184F9A099D}\RP6\A0000836.dll Vundo (Koń trojański)

My system is WinXP Prof SP2 with all updates from Microsoft; I have installed Spybot-SD too. I did all 5 steps that you recommended. Please help me with this.

main.txt

Deckard's System Scanner v20071014.68
Run by mariusz_User on 2007-12-04 11:51:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
9: 2007-12-04 10:51:36 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2007-12-04 07:11:20 UTC - RP8 - Software Distribution Service 3.0
7: 2007-12-03 13:34:39 UTC - RP7 - Punkt kontrolny systemu
6: 2007-12-02 12:24:53 UTC - RP6 - Punkt kontrolny systemu
5: 2007-11-29 17:34:47 UTC - RP5 - Installed VPN Client

-- First Restore Point --
1: 2007-11-26 07:40:08 UTC - RP1 - Punkt kontrolny systemu

Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as mariusz.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:22, on 2007-12-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall dla Windows XP\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Lenovo\NPDIRECT\NPDTray.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall dla Windows XP\FireTray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Psi\psi.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\mariusz_User\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mariusz_User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://firefox.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)
O2 - BHO: (no name) - {3ED74DAC-C3E9-45D4-950A-BDD8EF574F62} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [iyyuefcx] C:\ldckbrqw.bat
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [TrueCrypt] "C:\Program Files\TrueCrypt\TrueCrypt.exe" /q preferences /a favorites
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NPDTRAY] C:\PROGRA~1\Lenovo\NPDIRECT\NPDTray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Launcher.lnk = C:\Program Files\mariusz\sua.exe
O4 - Startup: Psi.lnk = C:\Program Files\Psi\psi.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O4 - Global Startup: Zasobnik programu McAfee Desktop Firewall.lnk = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Wyślij do urządzenia &Bluetooth... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0B47CC56-1AD0-4994-8EE2-CFB0848E1467} (ProtektorEnroll Control) - https://ra.mariusz.pl/ProtEnroll.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194918740328
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - AppInit_DLLs: msjt3032Patch.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall dla Windows XP\FireSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

--
End of file - 9581 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 FirePM (McAfee Desktop Firewall Policy Manager Driver) - c:\windows\system32\drivers\firepm.sys <Not Verified; Networks Associates Technology, Inc.; McAfee Desktop Firewall>
R1 FireTDI (McAfee Desktop Firewall TDI Driver) - c:\windows\system32\drivers\firetdi.sys <Not Verified; Networks Associates Technology, Inc.; McAfee Desktop Firewall>
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R1 TPPWRIF - c:\windows\system32\drivers\tppwrif.sys
R2 FireHook (McAfee Desktop Firewall Network Driver) - c:\windows\system32\drivers\firehook.sys <Not Verified; Networks Associates Technology, Inc.; McAfee Desktop Firewall>
R2 VMnetBridge (VMware Bridge Protocol) - c:\windows\system32\drivers\vmnetbridge.sys <Not Verified; VMware, Inc.; VMware bridge driver (32-bit)>
R2 VMnetuserif (VMware Network Application Interface) - c:\windows\system32\drivers\vmnetuserif.sys <Not Verified; VMware, Inc.; VMware network application interface driver (32-bit)>
R2 vmx86 (VMware vmx86) - c:\windows\system32\drivers\vmx86.sys <Not Verified; VMware, Inc.; VMware kernel driver>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 firelm01 - c:\windows\system32\drivers\firelm01.sys
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 acs (Atheros Configuration Service) - c:\windows\system32\acs.exe <Not Verified; Atheros; Atheros Configuration Service (ACS)>
R2 FireSvc (McAfee Desktop Firewall Service) - "c:\program files\network associates\mcafee desktop firewall dla windows xp\firesvc.exe" <Not Verified; Networks Associates Technology, Inc.; McAfee Desktop Firewall>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 SUService (System Update) - "c:\program files\lenovo\system update\suservice.exe" <Not Verified; Lenovo Group Limited; ThinkVantage System Update Service>
S4 TVT Scheduler - "c:\program files\common files\lenovo\scheduler\tvtsched.exe" <Not Verified; Lenovo Group Limited; tvtsched Module>
S4 VMAuthdService (VMware Authorization Service) - c:\program files\vmware\vmware workstation\vmware-authd.exe <Not Verified; VMware, Inc.; VMware Workstation>
S4 VMnetDHCP (VMware DHCP Service) - c:\windows\system32\vmnetdhcp.exe <Not Verified; VMware, Inc.; VMware Workstation>
S4 VMware NAT Service - c:\windows\system32\vmnat.exe <Not Verified; VMware, Inc.; VMware Workstation>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
Description: Kontroler hosta Texas Instruments IEEE 1394 zgodny z OHCI
Device ID: PCI\VEN_104C&DEV_803A&SUBSYS_202E17AA&REV_00\4&6B16D5B&0&01F0
Manufacturer: Texas Instruments
Name: Kontroler hosta Texas Instruments IEEE 1394 zgodny z OHCI
PNP Device ID: PCI\VEN_104C&DEV_803A&SUBSYS_202E17AA&REV_00\4&6B16D5B&0&01F0
Service: ohci1394

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATM1200\4&38462492&0
Manufacturer:
Name:
PNP Device ID: ACPI\ATM1200\4&38462492&0
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

-- Scheduled Tasks -------------------------------------------------------------

2007-11-22 20:42:19 120 --a------ C:\WINDOWS\Tasks\Critical Battery Alarm Program.job
2007-11-22 11:20:10 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-11-19 10:24:17 314 --a------ C:\WINDOWS\Tasks\PMTask.job

-- Files created between 2007-11-04 and 2007-12-04 -----------------------------

2007-12-04 10:35:40 0 d-------- C:\ie-spyad_zo
2007-12-04 10:32:56 0 d-------- C:\Program Files\SpywareBlaster
2007-12-04 09:22:23 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-04 08:11:27 0 d-------- C:\WINDOWS\LastGood
2007-12-03 16:40:46 0 d-------- C:\Program Files\Trend Micro
2007-12-02 17:17:21 0 d--h----- C:\WINDOWS\PIF
2007-11-29 18:35:41 8 --a------ C:\WINDOWS\system32\success
2007-11-29 18:34:50 135168 --a------ C:\WINDOWS\system32\vpnapi.dll
2007-11-29 18:34:48 0 d-------- C:\Program Files\Common Files\Deterministic Networks
2007-11-29 14:29:07 0 d-------- C:\Program Files\HP Product Bulletin
2007-11-28 20:27:34 376923 --a------ C:\WINDOWS\system32\wgapi.dll <Not Verified; Atheros; Atheros GUI API Library>
2007-11-28 20:27:34 344156 --a------ C:\WINDOWS\system32\wcapiU.dll <Not Verified; Atheros; Atheros Client API Library>
2007-11-28 20:27:34 364629 --a------ C:\WINDOWS\system32\acs.exe <Not Verified; Atheros; Atheros Configuration Service (ACS)>
2007-11-28 20:27:33 393216 --a------ C:\WINDOWS\system32\wcapi.dll <Not Verified; Atheros; Atheros Client API Library>
2007-11-28 20:27:33 147456 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-11-28 20:27:33 90112 --a------ C:\WINDOWS\system32\oemres.dll <Not Verified; Atheros Communications, Inc.; oemres>
2007-11-28 20:27:33 651264 --a------ C:\WINDOWS\system32\libeay32.dll
2007-11-28 20:27:33 303199 --a------ C:\WINDOWS\system32\athcfg20U.dll <Not Verified; Atheros; Atheros Configuration API Dynamic Link Library>
2007-11-28 20:27:33 114792 --a------ C:\WINDOWS\system32\athcfg20resU.dll <Not Verified; Atheros Communications, Inc.; Atheros Configuration API Res Dynamic Link Library>
2007-11-28 20:27:33 114766 --a------ C:\WINDOWS\system32\athcfg20res.dll <Not Verified; Atheros Communications, Inc.; Atheros Configuration API Res Dynamic Link Library>
2007-11-28 20:27:33 237568 --a------ C:\WINDOWS\system32\athcfg20.dll <Not Verified; Atheros; Atheros Configuration API Dynamic Link Library>
2007-11-28 20:27:33 77824 --a------ C:\WINDOWS\system32\athcfg11res.dll <Not Verified; Atheros Communications, Inc.; Atheros Configuration API Res Dynamic Link Library>
2007-11-28 20:27:33 372736 --a------ C:\WINDOWS\system32\athcfg11.dll <Not Verified; Atheros; Atheros Configuration API Dynamic Link Library>
2007-11-28 20:26:39 249925 --a------ C:\WINDOWS\system32\wsimd.dll <Not Verified; Atheros Communications, Inc.; wsimd>
2007-11-28 20:26:39 254023 --a------ C:\WINDOWS\system32\wsfwDS.dll <Not Verified; Atheros Communications, Inc.; wsfwds>
2007-11-28 20:26:39 82017 -ra------ C:\WINDOWS\system32\dsaNac.dll <Not Verified; Devicescape, Inc.; Devicescape NAC Notify DLL>
2007-11-28 20:26:39 1257566 -ra------ C:\WINDOWS\system32\dsa.dll <Not Verified; Devicescape; Devicescape Windows WPA Supplicant (Core 0.4.3)>
2007-11-28 20:26:05 118784 --a------ C:\WINDOWS\system32\ATHCFG10.DLL <Not Verified; Atheros; Atheros Configuration API Dynamic Link Library>
2007-11-22 15:13:26 0 d-------- C:\LiteStep
2007-11-22 12:16:08 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-22 11:53:03 0 d-------- C:\Rustbfix
2007-11-22 11:11:06 162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-22 11:11:06 77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-22 11:11:06 69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2007-11-22 11:11:06 153088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-11-22 11:11:06 75264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-22 11:11:03 0 d-------- C:\Program Files\Trojan Remover
2007-11-22 09:54:20 78238146 --a------ C:\rejestr15_11_2007.reg
2007-11-20 15:14:59 0 d-------- C:\Program Files\ABBYY FineReader 9.0
2007-11-20 14:21:52 0 d-------- C:\Program Files\English Translator 3
2007-11-20 14:15:09 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-20 08:44:50 0 d-------- C:\Program Files\MMTaskbar
2007-11-19 21:35:09 0 d-------- C:\WINDOWS\system32\NtmsData
2007-11-19 19:57:56 0 d-------- C:\VundoFix Backups
2007-11-19 18:16:41 78195 --a------ C:\WINDOWS\system32\hfetxifh.dll
2007-11-19 15:09:21 0 d-------- C:\WINDOWS\SxsCaPendDel
2007-11-19 12:52:51 0 d-------- C:\Program Files\ABBYY FineReader 8.0 Professional Edition
2007-11-19 12:20:35 44993 --a------ C:\nbhsamd.exe
2007-11-19 10:47:50 85056 --a------ C:\WINDOWS\system32\keoslgmo.dll
2007-11-19 10:47:44 77255 --a------ C:\WINDOWS\system32\diigbujh.dll
2007-11-18 12:07:39 0 d-------- C:\Program Files\Windows Defender
2007-11-17 15 37 0 d-------- C:\Program Files\SkanerOnline
2007-11-17 07:08:19 0 d-------- C:\quarantine
2007-11-17 07:08:07 78195 --a------ C:\WINDOWS\system32\lehftguj.dll
2007-11-15 17:00:14 163896 --a------ C:\WINDOWS\sequencer.exe
2007-11-15 16:59:37 0 d-------- C:\Program Files\Sonic
2007-11-15 16:59:37 0 d-------- C:\Program Files\Common Files\SureThing Shared
2007-11-15 16:59:15 0 d-------- C:\WINDOWS\system32\DLA
2007-11-15 16:59:13 0 d-------- C:\Program Files\Multimedia Center for Think Offerings
2007-11-15 16:55:06 0 d-------- C:\Program Files\Common Files\Sonic Shared
2007-11-15 11:51:13 1264 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-15 11:49:52 0 d-------- C:\Program Files\PowerQuest
2007-11-15 10:22:45 0 d-------- C:\Program Files\Microsoft Bootvis
2007-11-15 08:18:05 0 d--h----- C:\WINDOWS\$hf_mig$
2007-11-14 18:49:54 0 d-------- C:\Program Files\Winamp
2007-11-14 15:52:26 0 d-------- C:\WINDOWS\Internet Logs
2007-11-14 15:47:36 0 d-------- C:\Program Files\Cisco Systems
2007-11-14 15:39:44 0 d-------- C:\WINDOWS\CCBAA1F7E5E148B29ED9A79C6A37CE78.TMP
2007-11-14 15:31:22 0 d-------- C:\WINDOWS\14FCFE7CAB86428A9D2EBFB6F5A7AA6E.TMP
2007-11-14 15:28:21 113596 --a------ C:\WINDOWS\system32\dneinobj.dll <Not Verified; Deterministic Networks, Inc.; >
2007-11-14 13:51:23 0 d-------- C:\Program Files\Mozilla Sunbird
2007-11-14 12:43:37 0 d-------- C:\Program Files\IBM Standalone Solutions Configuration Tool
2007-11-14 12:27:36 0 d-------- C:\IBM_config
2007-11-14 11:47:21 0 d-------- C:\FS_config
2007-11-14 11:46:43 0 d-------- C:\Program Files\MSXML 6.0
2007-11-14 11:42:48 0 d-------- C:\WINDOWS\system32\pl-pl
2007-11-14 11:40:12 0 d-------- C:\Program Files\Windows Media Connect 2
2007-11-14 11:38:38 0 d-------- C:\Trilogy
2007-11-14 11:38:38 0 d-------- C:\Program Files\Crystal Decisions
2007-11-14 11:38:38 0 d-------- C:\Program Files\Common Files\Crystal Decisions
2007-11-14 11:38:15 0 d-------- C:\Program Files\Java Web Start
2007-11-14 11:38:00 0 d-------- C:\Program Files\Java
2007-11-14 11:37:16 0 d-------- C:\WINDOWS\system32\LogFiles
2007-11-14 11:37:16 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-14 11:35:01 0 d-------- C:\WINDOWS\l2schemas
2007-11-14 11:33:32 0 d-------- C:\WINDOWS\network diagnostic
2007-11-14 11:32:21 0 d-------- C:\hp_config
2007-11-14 11:28:58 0 d-------- C:\WINDOWS\ServicePackFiles
2007-11-14 11:26:13 0 d-------- C:\Program Files\CrazyPug Software
2007-11-14 11:23:37 0 d-------- C:\Program Files\MSBuild
2007-11-14 11:20:47 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-11-14 11:20:02 0 d-------- C:\Program Files\Reference Assemblies
2007-11-14 11:08:35 0 d-------- C:\Program Files\HighMAT CD Writing Wizard
2007-11-14 11 52 0 d-------- C:\WINDOWS\system32\URTTEMP
2007-11-14 10:59:15 0 d-------- C:\Program Files\AutoPatcher
2007-11-14 09:19:29 0 d-------- C:\Program Files\SubEdit-Player
2007-11-14 09:01:43 0 d-------- C:\Program Files\Psi
2007-11-14 08:35:04 0 d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-11-14 08:34:55 0 d-------- C:\Program Files\Common Files\Teleca Shared
2007-11-14 08:34:53 0 d-------- C:\Program Files\Sony Ericsson
2007-11-14 08:34:43 0 d-------- C:\WINDOWS\Downloaded Installations
2007-11-13 19:51:02 188 --a------ C:\WINDOWS\x
2007-11-13 19:50:02 0 d-------- C:\Program Files\ThinkVantage
2007-11-13 19:49:23 16384 -----n--- C:\WINDOWS\PWMBTHLP.EXE
2007-11-13 19:49:22 4442 -----n--- C:\WINDOWS\system32\drivers\TPPWRIF.SYS
2007-11-13 18:59:31 0 d-------- C:\WINDOWS\system32\(null)
2007-11-13 18:59:25 0 d-------- C:\Program Files\Common Files\Lenovo
2007-11-13 18:15:59 53248 -----n--- C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2007-11-13 18:15:59 1285632 -----n--- C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2007-11-13 18:15:59 49152 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2007-11-13 18:15:59 0 d-------- C:\Program Files\Analog Devices
2007-11-13 18:15:58 45056 -----n--- C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2007-11-13 14:59:31 0 d-------- C:\Program Files\Intel
2007-11-13 14:54:37 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-11-13 14:44:02 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-13 14:43:53 0 d-------- C:\Program Files\Lenovo
2007-11-13 14:32:16 0 d-------- C:\WINDOWS\system32\Lang
2007-11-13 14:31:53 0 d-------- C:\Intel
2007-11-13 14:21:49 0 d-------- C:\WINDOWS\system32\appmgmt
2007-11-13 13:56:22 58048 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
2007-11-13 13:56:21 108256 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
2007-11-13 03:39:25 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-11-13 03:16:26 0 d-------- C:\Program Files\TrueCrypt
2007-11-13 02:47:09 0 d-------- C:\Program Files\MSXML 4.0
2007-11-13 02:40:59 0 d-------- C:\WINDOWS\pss
2007-11-13 02:40:23 1495552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk>
2007-11-13 02:17:53 0 d-------- C:\Program Files\Common Files\Cisco Systems

-- Find3M Report ---------------------------------------------------------------

2007-12-04 10:00:52 0 d-------- C:\Program Files\ThinkVantage Fingerprint Software
2007-12-04 09:52:10 0 d-------- C:\Program Files\Gadu-Gadu
2007-11-29 18:48:25 497126 --a------ C:\WINDOWS\system32\perfh015.dat
2007-11-29 18:48:25 88794 --a------ C:\WINDOWS\system32\perfc015.dat
2007-11-29 18:34:48 0 d-------- C:\Program Files\Common Files
2007-11-22 11:11:03 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Simply Super Software
2007-11-19 21:19:23 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Adobe
2007-11-19 15:18:49 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Grisoft
2007-11-19 12:55:22 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\ABBYY
2007-11-18 18:18:50 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Sonic
2007-11-18 18:18:29 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Leadertech
2007-11-15 15:01:59 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-15 12:01:03 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Ahead
2007-11-14 18:50:07 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Winamp
2007-11-14 14:02:11 0 d-------- C:\Program Files\mariusz
2007-11-14 13:51:29 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Mozilla
2007-11-14 11:39:05 0 d-------- C:\Program Files\Common Files\InstallShield
2007-11-14 11 09 0 d-------- C:\Program Files\Messenger
2007-11-14 10:12:43 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\TrueCrypt
2007-11-14 08:40:29 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Teleca
2007-11-14 08:39:43 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Sony Ericsson
2007-11-13 19:51:05 0 d-------- C:\Program Files\ThinkPad
2007-11-13 03:46:51 0 d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Thunderbird
2007-11-13 02:41:08 0 d-------- C:\Program Files\Network Associates
2007-11-13 02:41:08 0 d-------- C:\Program Files\Common Files\Network Associates

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ED74DAC-C3E9-45D4-950A-BDD8EF574F62}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2007-09-28 13:28 C:\WINDOWS\system32\TpShocks.exe]
"PSQLLauncher"="C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" [2007-03-08 16:48]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2004-02-19 12:07]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 15:06]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 01:19]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 14:49]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 02:33]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 01:19]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-03-23 02:02]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-22 11:08]
"iyyuefcx"="C:\ldckbrqw.bat" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2007-05-03 21:21]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44]
"NPDTRAY"="C:\PROGRA~1\Lenovo\NPDIRECT\NPDTray.exe" [2007-04-10 03:03]

C:\Documents and Settings\mariusz_User\Menu Start\Programy\Autostart\
Launcher.lnk - C:\Program Files\mariusz\sua.exe [2002-02-28 13:31:46]
Psi.lnk - C:\Program Files\Psi\psi.exe [2006-01-11 14:54:54]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 17:43:30]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-11-29 18:34:50]
MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe [2007-11-20 08:44:50]
Zasobnik programu McAfee Desktop Firewall.lnk - C:\Program Files\Network Associates\McAfee Desktop Firewall dla Windows XP\FireTray.exe [2007-08-08 07:41:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2007-03-08 17:08 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 16:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 11:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=msjt3032Patch.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjh.dll
"Notification Packages"= scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^SBW-Autoupdate.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\SBW-Autoupdate.lnk
backup=C:\WINDOWS\pss\SBW-Autoupdate.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"TVT Scheduler"=2 (0x2)
"TPHDEXLGSVC"=2 (0x2)
"SUService"=2 (0x2)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"IBMPMSVC"=2 (0x2)
"btwdins"=2 (0x2)
"WinDefend"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a901a06b-9185-11dc-9257-005056c00008}]
AutoRun\command-
K:\USBNB.exe *Newly Created Service* - ENTDRV51 -- Hosts ----------------------------------------------------------------------- 127.0.0.1 007guard.com 127.0.0.1 www.007guard.com 127.0.0.1 008i.com 127.0.0.1 008k.com 127.0.0.1 www.008k.com 127.0.0.1 00hq.com 127.0.0.1 www.00hq.com 127.0.0.1 010402.com 127.0.0.1 032439.com 127.0.0.1 www.032439.com 7489 more entries in hosts file. -- End of Deckard's System Scanner: finished at 2007-12-04 11:56:35 ------------ |
#2
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,646
OS: xp
Re: Vundo Again
Welcome to the forum
Start a HijackThis scan and place a check next to these items, if there:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe (this item is legit, just written a bit wrong; HijackThis will correct it)
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)
O2 - BHO: (no name) - {3ED74DAC-C3E9-45D4-950A-BDD8EF574F62} - (no file)
O4 - HKLM\..\Run: [iyyuefcx] C:\ldckbrqw.bat
====================================
Hit "Fix checked" and close HijackThis. When Spybot's TeaTimer alerts, click "Allow the changes".

Can you tell me what this program is? C:\Program Files\Psi\

Post a ComboFix log:
1. Download this file - combofix.exe - to your desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
alternate link
http://www.forospyware.com/sUBs/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If you already have ComboFix, please re-download it, as it is updated often.

Also: submit this file at VirusTotal
C:\WINDOWS\system32\msjt3032Patch.dll
http://www.virustotal.com/

List the contents of this folder
C:\WINDOWS\system32\(null)

Last edited by LonnyRJones; 12-07-2007 at 09:31 AM.
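The items the analyst singles out above share two traits visible in the logs themselves: a BHO whose CLSID is registered but whose DLL is "(no file)", and a Run value whose target the scanner could not stat (the empty "[]" after C:\ldckbrqw.bat in the DSS dump). The following is an added triage script, not code from this thread, HijackThis, DSS or ComboFix; it parses the two line formats quoted in the posts and flags those traits. The reading of an empty "[]" as "file not found" and the drive-root script heuristic are assumptions made here.

```python
"""Triage helper for HijackThis / Deckard's System Scanner autostart lines.

Added example for this thread; not part of HijackThis, DSS or ComboFix.
It parses the line formats quoted in the posts above and flags:
  * O2 BHO lines whose DLL is reported as "(no file)" (orphaned CLSID)
  * Run-key values whose target the scanner could not stat ("[]")
  * Run-key values that launch a script straight from a drive root
The heuristics are assumptions made here, not rules documented by the tools.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the log excerpts in this thread.
SAMPLE_LINES = [
    "O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)",
    "O2 - BHO: (no name) - {3ED74DAC-C3E9-45D4-950A-BDD8EF574F62} - (no file)",
    r"O4 - HKLM\..\Run: [iyyuefcx] C:\ldckbrqw.bat",
    r'"TpShocks"="TpShocks.exe" [2007-09-28 13:28 C:\WINDOWS\system32\TpShocks.exe]',
    r'"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2007-05-03 21:21]',
    r'"iyyuefcx"="C:\ldckbrqw.bat" []',
]

# HijackThis O2 item: O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
# HijackThis O4 item: O4 - HKLM\..\Run: [<value name>] <command>
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# DSS registry dump: "<value name>"="<command>" [<file date/time ...>], or [] when unresolved
DSS_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<meta>[^\]]*)\]$')
# Script file sitting directly in a drive root, e.g. C:\ldckbrqw.bat (assumed heuristic)
ROOT_SCRIPT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(bat|cmd|vbs)$", re.IGNORECASE)


@dataclass
class Finding:
    source: str                 # 'hjt-o2', 'hjt-o4' or 'dss-run'
    name: str                   # BHO CLSID or Run value name
    target: str                 # DLL path or command line
    reasons: list = field(default_factory=list)


def classify_command(cmd: str) -> list:
    """Reasons a Run-key command looks suspicious (assumed heuristics)."""
    reasons = []
    if ROOT_SCRIPT_RE.match(cmd.strip().strip('"')):
        reasons.append("script launched from drive root")
    return reasons


def parse_line(line: str):
    """Return a Finding for a flagged line, or None if it is benign or unrecognised."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        f = Finding("hjt-o2", m["clsid"], m["file"])
        if m["file"] == "(no file)":
            f.reasons.append("BHO CLSID registered but DLL missing (orphan)")
        return f if f.reasons else None
    m = RUN_RE.match(line)
    if m:
        f = Finding("hjt-o4", m["name"], m["cmd"], classify_command(m["cmd"]))
        return f if f.reasons else None
    m = DSS_RE.match(line)
    if m:
        f = Finding("dss-run", m["name"], m["cmd"], classify_command(m["cmd"]))
        if m["meta"].strip() == "":
            # DSS prints the target's timestamp in brackets; an empty bracket is
            # taken here (assumption) to mean the scanner could not find the file.
            f.reasons.append("target file not found by scanner")
        return f if f.reasons else None
    return None


def triage(lines) -> list:
    """Run every line through parse_line and keep only the flagged ones."""
    return [f for f in (parse_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.source:8} {f.name:40} {f.target}")
        for r in f.reasons:
            print(f"         - {r}")
```

Entries flagged this way are candidates for the analyst's review, not an automatic verdict; legitimate software occasionally leaves orphaned CLSIDs behind after an uninstall.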
#3
Registered User
Join Date: Dec 2007
Posts: 4
OS: XP prof SP2
Re: Vundo Again
Hello - first of all, thank you very much for your help.
1. I found only
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)
O2 - BHO: (no name) - {3ED74DAC-C3E9-45D4-950A-BDD8EF574F62} - (no file)
O4 - HKLM\..\Run: [iyyuefcx] C:\ldckbrqw.bat
HijackThis fixed it.

2. PSI is a client for the Jabber communicator.

3. Log from ComboFix:

ComboFix 07-12-09.1 - mariusz_User 2007-12-11 15:30:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.515 [GMT 1:00]
Running from: C:\Documents and Settings\mariusz_User\Pulpit\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.
2007-12-07 12:45 . 2007-12-07 12:45 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-12-06 13:48 . 2007-12-06 13:48 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Media Player Classic
2007-12-06 13:47 . 2007-12-06 13:48 <DIR> d-------- C:\Program Files\Real Alternative
2007-12-05 13:13 . 2007-12-05 13:21 <DIR> d-------- C:\Program Files\ABBYY FineReader 8.0 Professional Edition
2007-12-05 11:46 . 2007-12-05 11:46 <DIR> d-------- C:\Program Files\Cream Software
2007-12-05 11:46 . 2007-12-05 11:46 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Cream Software
2007-12-05 11:35 . 2007-12-05 11:35 <DIR> d-------- C:\Program Files\PWB
2007-12-04 11:50 . 2007-12-04 11:50 <DIR> d-------- C:\Deckard
2007-12-04 10:35 . 2007-12-04 10:35 <DIR> d-------- C:\ie-spyad_zo
2007-12-04 10:32 . 2007-12-04 10:35 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-04 09:22 . 2007-12-04 10:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-04 09:22 . 2007-12-04 09:22 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-04 09:22 . 2007-12-04 09:22 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-04 09:22 . 2007-12-04 09:22 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-03 16:40 . 2007-12-03 16:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 17:17 . 2007-12-02 17:17 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-29 18:35 . 2007-11-29 18:35 8 --a------ C:\WINDOWS\system32\success
2007-11-29 18:34 . 2007-11-29 18:34 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2007-11-29 18:34 . 2004-08-04 04:54 269,387 --a------ C:\WINDOWS\system32\drivers\CVPNDRVA.sys
2007-11-29 18:34 . 2004-08-04 04:50 135,168 --a------ C:\WINDOWS\system32\vpnapi.dll
2007-11-29 18:22 . 2007-11-29 18:24 1,592 --a------ C:\WINDOWS\VPNUnInstall.MIF
2007-11-29 14:29 . 2007-12-03 11:04 <DIR> d-------- C:\Program Files\HP Product Bulletin
2007-11-28 20:26 . 2007-03-21 13:33 1,257,566 -ra------ C:\WINDOWS\system32\dsa.dll
2007-11-27 09:56 . 2007-11-27 09:56 <DIR> d-------- C:\Documents and Settings\mariusz_User\.jpi_cache
2007-11-27 09:56 . 2007-11-27 09:56 <DIR> d-------- C:\Documents and Settings\mariusz_User\.java
2007-11-22 15:13 . 2007-11-22 15:14 <DIR> d-------- C:\LiteStep
2007-11-22 12:30 . 2007-11-23 13:53 6,444 ---h----- C:\treeinfo.wc
2007-11-22 12:16 . 2007-11-22 12:16 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-22 11:53 . 2007-11-22 12:04 <DIR> d-------- C:\Rustbfix
2007-11-22 11:11 . 2007-12-06 08:17 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-22 11:11 . 2007-11-22 11:11 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Simply Super Software
2007-11-22 11:11 . 2007-11-22 11:11 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Simply Super Software
2007-11-22 11:11 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-22 11:11 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-11-22 11:11 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-22 11:11 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-22 11:11 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-22 10:52 . 2004-08-04 22:00 108,544 --a------ C:\WINDOWS\system32\services.exe
2007-11-22 10:52 . 2004-08-04 22:00 33,080 --a------ C:\WINDOWS\system32\services.msc
2007-11-22 10:05 . 2007-12-04 20:41 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2007-11-22 10:05 . 2007-08-07 17:44 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione
2007-11-22 10:05 . 2007-08-07 15:53 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2007-11-22 10:05 . 2007-11-15 11:09 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2007-11-22 10:05 . 2007-08-07 17:44 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty
2007-11-22 10:05 . 2007-08-07 17:44 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2007-11-22 10:05 . 2007-08-07 17:44 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2007-11-22 09:54 . 2007-11-15 08:49 78,238,146 --a------ C:\rejestr15_11_2007.reg
2007-11-20 17:54 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2007-11-20 17:54 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2007-11-20 17:54 . 2001-10-26 16:46 23,936 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2007-11-20 17:54 . 2001-10-26 16:46 23,936 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2007-11-20 17:54 . 2001-08-17 21:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2007-11-20 17:54 . 2001-08-17 21:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2007-11-20 15:14 . 2007-12-05 13:06 <DIR> d-------- C:\Program Files\ABBYY FineReader 9.0
2007-11-20 15:14 . 2007-11-20 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ABBYY
2007-11-20 14:21 . 2007-12-11 15:23 <DIR> d-------- C:\Program Files\English Translator 3
2007-11-20 14:15 . 2007-11-20 14:15 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-20 08:44 . 2007-12-04 09:57 <DIR> d-------- C:\Program Files\MMTaskbar
2007-11-19 21:35 . 2007-11-19 21:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-11-19 19:57 . 2007-11-19 19:57 <DIR> d-------- C:\VundoFix Backups
2007-11-19 18:20 . 2007-11-22 08:29 894 --a------ C:\WINDOWS\system32\dexhsnac.ini.ren
2007-11-19 15:24 . 2007-11-22 08:51 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-11-19 15:18 . 2007-11-19 15:18 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Grisoft
2007-11-19 15:17 . 2007-11-19 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Grisoft
2007-11-19 15:17 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-19 15:10 . 2007-11-19 15:10 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-19 15:09 . 2007-11-19 15:11 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-11-19 12:55 . 2007-11-19 12:55 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\ABBYY
2007-11-19 12:20 . 2007-11-19 12:20 44,993 --a------ C:\nbhsamd.exe
2007-11-19 10:47 . 2007-11-19 10:48 678,280 --a------ C:\WINDOWS\system32\omglsoek.ini
2007-11-19 10:05 . 2007-08-20 11:01 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-19 10:05 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-19 10:05 . 2007-03-08 06:11 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-19 10:05 . 2007-08-20 11:01 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-19 10:05 . 2007-08-20 11:01 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-19 10:05 . 2007-08-20 11:01 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-19 10:05 . 2007-08-20 11:01 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-19 10:05 . 2007-08-20 11:01 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-19 10:05 . 2007-08-17 11:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-18 18:18 . 2007-11-18 18:18 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Sonic
2007-11-18 18:18 . 2007-11-18 18:18 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Leadertech
2007-11-18 12:07 . 2007-12-04 10:01 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-18 10:50 . 2007-11-19 10:24 678,220 --a------ C:\WINDOWS\system32\wtjdomxj.ini
2007-11-17 15:06 . 2007-11-17 16:23 <DIR> d-------- C:\Program Files\SkanerOnline
2007-11-17 07:26 . 2007-11-17 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2007-11-17 07:08 . 2007-11-19 18:16 <DIR> d-------- C:\quarantine
2007-11-17 07:05 . 2007-11-18 10:42 677,980 --a------ C:\WINDOWS\system32\ynagwywr.ini
2007-11-15 17:00 . 2005-09-22 20:28 163,896 --a------ C:\WINDOWS\sequencer.exe
2007-11-15 17:00 . 2005-12-19 13:23 602 --a------ C:\WINDOWS\uninst.seq
2007-11-15 16:59 . 2007-12-04 10:10 <DIR> d-------- C:\WINDOWS\system32\DLA
2007-11-15 16:59 . 2007-11-15 16:59 <DIR> d-------- C:\Program Files\Sonic
2007-11-15 16:59 . 2007-11-15 16:59 <DIR> d-------- C:\Program Files\Multimedia Center for Think Offerings
2007-11-15 16:59 . 2007-11-15 16:59 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-11-15 16:59 . 2006-02-02 05:20 94,263 --a------ C:\WINDOWS\DLA.EXE
2007-11-15 16:59 . 2006-03-01 03:30 89,472 --a------ C:\WINDOWS\system32\drivers\DRVMCDB.SYS
2007-11-15 16:59 . 2006-02-02 05:20 61,500 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2007-11-15 16:59 . 2005-11-18 05:20 40,544 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2007-11-15 16:59 . 2005-11-18 12:02 22,684 --a------ C:\WINDOWS\system32\drivers\DLARTL_N.SYS
2007-11-15 16:59 . 2005-11-18 12:02 5,660 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2007-11-15 16:59 . 2007-11-17 10:17 320 --a------ C:\WINDOWS\wininit.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 16:05 --------- d-----w C:\Program Files\mariusz
2007-12-04 09:00 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software
2007-12-04 08:52 --------- d-----w C:\Program Files\Gadu-Gadu
2007-11-15 14:01 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-15 07:22 --------- d-----w C:\Documents and Settings\LocalService\Dane aplikacji\VMware
2007-11-15 07:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\VMware
2007-11-14 10:39 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-13 18:51 --------- d-----w C:\Program Files\ThinkPad
2007-11-13 12:56 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Network Associates
2007-11-13 01:41 --------- d-----w C:\Program Files\Network Associates
2007-11-13 01:41 --------- d-----w C:\Program Files\Common Files\Network Associates
2007-09-28 15:30 20,264 ----a-w C:\WINDOWS\system32\Sensor.DLL
2007-09-28 15:29 37,424 ----a-w C:\WINDOWS\system32\TPHDEXLG.exe
2007-09-28 12:28 492,840 ----a-w C:\WINDOWS\system32\TpShCPL.dll
2007-09-28 12:28 181,544 ----a-w C:\WINDOWS\system32\TpShocks.exe
2007-09-28 12:28 128,296 ----a-w C:\WINDOWS\system32\TpShEvUI.exe
.
((((((((((((((((((((((((((((( snapshot@2007-12-04_20.40.03.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 02:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe
+ 2007-12-08 02:32:45 141,824 ----a-w C:\WINDOWS\catchme.exe
- 2007-11-20 14:56:20 25,214 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ARPPRODUCTICON.exe
+ 2007-12-05 12:16:15 25,214 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ARPPRODUCTICON.exe
- 2007-11-20 14:56:20 65,536 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ICON_FineReader.exe
+ 2007-12-05 12:16:15 65,536 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ICON_FineReader.exe
+ 2007-12-05 12:16:16 65,536 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ICON_ScreenshorReader.exe
- 2007-11-20 14:59:55 15,360 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2007-12-05 12:20:47 15,360 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2001-06-23 00:31:20 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
+ 1998-03-26 03:57:34 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
+ 1998-05-12 19:36:44 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
+ 2006-10-07 04:18:32 185,952 ----a-w C:\WINDOWS\system32\rmoc3260.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39]
"TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2007-05-03 21:21]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44]
"NPDTRAY"="C:\PROGRA~1\Lenovo\NPDIRECT\NPDTray.exe" [2007-04-10 03:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2007-09-28 13:28 C:\WINDOWS\system32\TpShocks.exe]
"PSQLLauncher"="C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" [2007-03-08 16:48]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2004-02-19 12:07]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 15:06]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 01:19]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 14:49]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 02:33]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 01:19]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-03-23 02:02]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-22 11:08]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44]

C:\Documents and Settings\mariusz_User\Menu Start\Programy\Autostart\
Launcher.lnk - C:\Program Files\mariusz\sua.exe [2002-02-28 13:31:46]
Psi.lnk - C:\Program Files\Psi\psi.exe [2006-01-11 14:54:54]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 17:43:30]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-11-29 18:34:50]
MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe [2007-11-20 08:44:50]
Zasobnik programu McAfee Desktop Firewall.lnk - C:\Program Files\Network Associates\McAfee Desktop Firewall dla Windows XP\FireTray.exe [2007-08-08 07:41:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\WINDOWS\system32\psqlpwd.dll 2007-03-08 17:08 89600 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 16:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 11:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=msjt3032Patch.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^SBW-Autoupdate.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\SBW-Autoupdate.lnk
backup=C:\WINDOWS\pss\SBW-Autoupdate.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2006-10-22 23:24 620152 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-09-13 10:12 139264 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2006-02-02 05:20 122940 --a------ C:\WINDOWS\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-08-15 15:07 162328 --a------ C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-08-15 15:07 141848 --a------ C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-08-15 15:07 137752 --a------ C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2007-08-01 11:07 540672 --a------ C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"TVT Scheduler"=2 (0x2)
"TPHDEXLGSVC"=2 (0x2)
"SUService"=2 (0x2)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"IBMPMSVC"=2 (0x2)
"btwdins"=2 (0x2)
"WinDefend"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)

R0 FirePM;McAfee Desktop Firewall Policy Manager Driver;C:\WINDOWS\system32\Drivers\FirePM.sys
R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys
R1 FireTDI;McAfee Desktop Firewall TDI Driver;\??\C:\WINDOWS\system32\Drivers\FireTDI.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys
R2 FireHook;McAfee Desktop Firewall Network Driver;C:\WINDOWS\system32\DRIVERS\firehook.sys
R2 smihlp;SMI Helper Driver (smihlp);\??\C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 firelm01;firelm01;\??\C:\WINDOWS\system32\drivers\firelm01.sys
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys
S3 tpflhlp;tpflhlp;\??\C:\Program Files\Lenovo\System Update\session\7cuj22us\tpflhlp.sys
S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a901a06b-9185-11dc-9257-005056c00008}]
\Shell\AutoRun\command - K:\USBNB.exe

*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2007-11-22 19:42:19 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2007-11-22 10:20:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-19 09:24:17 C:\WINDOWS\Tasks\PMTask.job" - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\msjt3032Patch.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
-> C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\msjt3032Patch.dll
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\MMTaskbar\shellhook.dll
-> C:\PROGRA~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
-> C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 15:32:03
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-11 15:32:57
C:\ComboFix2.txt ... 2007-12-04 20:41
.
--- E O F ---

4. This file is clean - C:\WINDOWS\system32\msjt3032Patch.dll

5. List the contents of this folder C:\WINDOWS\system32 - see attachment.

Greetings,
Mariusz
#4
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,646
OS: xp
Re: Vundo Again
I was curious about this folder's contents, not the system32 folder:
C:\WINDOWS\system32\(null)

Submit this file at VirusTotal:
C:\nbhsamd.exe
http://www.virustotal.com/

Manually delete these files:
C:\WINDOWS\system32\wtjdomxj.ini
C:\WINDOWS\system32\ynagwywr.ini
C:\WINDOWS\system32\omglsoek.ini
C:\WINDOWS\system32\dexhsnac.ini.ren

Are there any current problems? Any questions?
#6
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,646
OS: xp
Re: Vundo Again
Go ahead and delete it. Keep an eye out for a few days to see if the file comes back.

Think prevention: put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

PC Safety and Security--What Do I Need?
To help avoid reinfection see "So how did I get infected in the first place?"
http://castlecops.com/postlite7736-.html