Tech Support Forum | Resolved HJT Threads: resolved spyware and popup issues
#1
Registered User
Join Date: Dec 2007
Posts: 4
OS: XP prof SP2
Vundo Again
Hello

My McAfee 8.0 found a Vundo infection about 2 weeks ago. I used the Symantec Trojan.Vundo Removal Tool and Windows Worms Door Cleaner to close ports, and everything seemed good until yesterday. McAfee alerted me:

2007-12-03 16:05:05 Usunięte ZARZĄDZANIE NT\SYSTEM svchost.exe C:\System Volume Information\_restore{95D5ED81-2D40-489E-8862-CD184F9A099D}\RP6\A0000834.dll Vundo (Koń trojański)
2007-12-03 18:35:44 Wersja aparatu skanowania = 5.2.00
2007-12-03 18:35:44 Wersja pliku DAT = 5176
2007-12-03 18:35:44 Liczba sygnatur wirusów w pliku EXTRA.DAT = Brak
2007-12-03 18:35:44 Nazwy wirusów, które można wykryć dzięki plikowi EXTRA.DAT = Brak
2007-12-03 19:07:13 Usunięte ZARZĄDZANIE NT\SYSTEM svchost.exe C:\System Volume Information\_restore{95D5ED81-2D40-489E-8862-CD184F9A099D}\RP6\A0000836.dll Vundo (Koń trojański)

My system is WinXP Prof SP2 with all updates from Microsoft; I have installed Spybot-S&D too. I did all 5 steps that you recommended. Please help me with this.

main.txt:
Deckard's System Scanner v20071014.68
Run by mariusz_User on 2007-12-04 11:51:21
Computer is in Normal Mode.
K:\USBNB.exe
*Newly Created Service* - ENTDRV51
-- Hosts -----------------------------------------------------------------------
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com
7489 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2007-12-04 11:56:35 ------------
#2
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,541
OS: xp
Re: Vundo Again
Welcome to the forum
Start a HijackThis scan and place a check next to these items, if they are there:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe (this item is legit, just written a bit wrong; HijackThis will correct it)
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)
O2 - BHO: (no name) - {3ED74DAC-C3E9-45D4-950A-BDD8EF574F62} - (no file)
O4 - HKLM\..\Run: [iyyuefcx] C:\ldckbrqw.bat
====================================
Hit Fix checked and close HijackThis. When Spybot's TeaTimer alerts, click Allow the changes.
Can you tell me what this program is? C:\Program Files\Psi\
Post a ComboFix log:
1. Download this file - combofix.exe - to your desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
alternate link http://www.forospyware.com/sUBs/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
If you already have ComboFix, please re-download it, as it is updated often.
Also: submit this file at VirusTotal
C:\WINDOWS\system32\msjt3032Patch.dll
http://www.virustotal.com/
List the contents of this folder
C:\WINDOWS\system32\(null)
Last edited by LonnyRJones; 12-07-2007 at 08:31 AM.
#3
Registered User
Join Date: Dec 2007
Posts: 4
OS: XP prof SP2
Re: Vundo Again
Hello - first of all, I thank you very much for the help.
1. I found only:
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)
O2 - BHO: (no name) - {3ED74DAC-C3E9-45D4-950A-BDD8EF574F62} - (no file)
O4 - HKLM\..\Run: [iyyuefcx] C:\ldckbrqw.bat
HijackThis fixed it.
2. PSI is a client for the Jabber communicator.
3. Log from ComboFix:
ComboFix 07-12-09.1 - mariusz_User 2007-12-11 15:30:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.515 [GMT 1:00]
Running from: C:\Documents and Settings\mariusz_User\Pulpit\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.
2007-12-07 12:45 . 2007-12-07 12:45 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-12-06 13:48 . 2007-12-06 13:48 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Media Player Classic
2007-12-06 13:47 . 2007-12-06 13:48 <DIR> d-------- C:\Program Files\Real Alternative
2007-12-05 13:13 . 2007-12-05 13:21 <DIR> d-------- C:\Program Files\ABBYY FineReader 8.0 Professional Edition
2007-12-05 11:46 . 2007-12-05 11:46 <DIR> d-------- C:\Program Files\Cream Software
2007-12-05 11:46 . 2007-12-05 11:46 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Cream Software
2007-12-05 11:35 . 2007-12-05 11:35 <DIR> d-------- C:\Program Files\PWB
2007-12-04 11:50 . 2007-12-04 11:50 <DIR> d-------- C:\Deckard
2007-12-04 10:35 . 2007-12-04 10:35 <DIR> d-------- C:\ie-spyad_zo
2007-12-04 10:32 . 2007-12-04 10:35 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-04 09:22 . 2007-12-04 10:09 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-04 09:22 . 2007-12-04 09:22 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-04 09:22 . 2007-12-04 09:22 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-04 09:22 . 2007-12-04 09:22 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-03 16:40 . 2007-12-03 16:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 17:17 .
2007-12-02 17:17 <DIR> d--h----- C:\WINDOWS\PIF 2007-11-29 18:35 . 2007-11-29 18:35 8 --a------ C:\WINDOWS\system32\success 2007-11-29 18:34 . 2007-11-29 18:34 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks 2007-11-29 18:34 . 2004-08-04 04:54 269,387 --a------ C:\WINDOWS\system32\drivers\CVPNDRVA.sys 2007-11-29 18:34 . 2004-08-04 04:50 135,168 --a------ C:\WINDOWS\system32\vpnapi.dll 2007-11-29 18:22 . 2007-11-29 18:24 1,592 --a------ C:\WINDOWS\VPNUnInstall.MIF 2007-11-29 14:29 . 2007-12-03 11:04 <DIR> d-------- C:\Program Files\HP Product Bulletin 2007-11-28 20:26 . 2007-03-21 13:33 1,257,566 -ra------ C:\WINDOWS\system32\dsa.dll 2007-11-27 09:56 . 2007-11-27 09:56 <DIR> d-------- C:\Documents and Settings\mariusz_User\.jpi_cache 2007-11-27 09:56 . 2007-11-27 09:56 <DIR> d-------- C:\Documents and Settings\mariusz_User\.java 2007-11-22 15:13 . 2007-11-22 15:14 <DIR> d-------- C:\LiteStep 2007-11-22 12:30 . 2007-11-23 13:53 6,444 ---h----- C:\treeinfo.wc 2007-11-22 12:16 . 2007-11-22 12:16 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys 2007-11-22 11:53 . 2007-11-22 12:04 <DIR> d-------- C:\Rustbfix 2007-11-22 11:11 . 2007-12-06 08:17 <DIR> d-------- C:\Program Files\Trojan Remover 2007-11-22 11:11 . 2007-11-22 11:11 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Simply Super Software 2007-11-22 11:11 . 2007-11-22 11:11 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Simply Super Software 2007-11-22 11:11 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll 2007-11-22 11:11 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll 2007-11-22 11:11 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll 2007-11-22 11:11 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll 2007-11-22 11:11 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll 2007-11-22 10:52 . 
2004-08-04 22:00 108,544 --a------ C:\WINDOWS\system32\services.exe 2007-11-22 10:52 . 2004-08-04 22:00 33,080 --a------ C:\WINDOWS\system32\services.msc 2007-11-22 10:05 . 2007-12-04 20:41 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne 2007-11-22 10:05 . 2007-08-07 17:44 <DIR> d-------- C:\Documents and Settings\Administrator\Ulubione 2007-11-22 10:05 . 2007-08-07 15:53 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony 2007-11-22 10:05 . 2007-11-15 11:09 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit 2007-11-22 10:05 . 2007-08-07 17:44 <DIR> d-------- C:\Documents and Settings\Administrator\Moje dokumenty 2007-11-22 10:05 . 2007-08-07 17:44 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start 2007-11-22 10:05 . 2007-08-07 17:44 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji 2007-11-22 09:54 . 2007-11-15 08:49 78,238,146 --a------ C:\rejestr15_11_2007.reg 2007-11-20 17:54 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys 2007-11-20 17:54 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys 2007-11-20 17:54 . 2001-10-26 16:46 23,936 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys 2007-11-20 17:54 . 2001-10-26 16:46 23,936 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys 2007-11-20 17:54 . 2001-08-17 21:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys 2007-11-20 17:54 . 2001-08-17 21:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys 2007-11-20 15:14 . 2007-12-05 13:06 <DIR> d-------- C:\Program Files\ABBYY FineReader 9.0 2007-11-20 15:14 . 2007-11-20 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ABBYY 2007-11-20 14:21 . 2007-12-11 15:23 <DIR> d-------- C:\Program Files\English Translator 3 2007-11-20 14:15 . 2007-11-20 14:15 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared 2007-11-20 08:44 . 
2007-12-04 09:57 <DIR> d-------- C:\Program Files\MMTaskbar 2007-11-19 21:35 . 2007-11-19 21:35 <DIR> d-------- C:\WINDOWS\system32\NtmsData 2007-11-19 19:57 . 2007-11-19 19:57 <DIR> d-------- C:\VundoFix Backups 2007-11-19 18:20 . 2007-11-22 08:29 894 --a------ C:\WINDOWS\system32\dexhsnac.ini.ren 2007-11-19 15:24 . 2007-11-22 08:51 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2007-11-19 15:18 . 2007-11-19 15:18 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Grisoft 2007-11-19 15:17 . 2007-11-19 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Grisoft 2007-11-19 15:17 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-11-19 15:10 . 2007-11-19 15:10 143 --a------ C:\WINDOWS\system32\mcrh.tmp 2007-11-19 15:09 . 2007-11-19 15:11 <DIR> d-------- C:\WINDOWS\SxsCaPendDel 2007-11-19 12:55 . 2007-11-19 12:55 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\ABBYY 2007-11-19 12:20 . 2007-11-19 12:20 44,993 --a------ C:\nbhsamd.exe 2007-11-19 10:47 . 2007-11-19 10:48 678,280 --a------ C:\WINDOWS\system32\omglsoek.ini 2007-11-19 10:05 . 2007-08-20 11:01 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll 2007-11-19 10:05 . 2007-04-17 10:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat 2007-11-19 10:05 . 2007-03-08 06:11 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui 2007-11-19 10:05 . 2007-08-20 11:01 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll 2007-11-19 10:05 . 2007-08-20 11:01 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll 2007-11-19 10:05 . 2007-08-20 11:01 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll 2007-11-19 10:05 . 2007-08-20 11:01 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll 2007-11-19 10:05 . 2007-08-20 11:01 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll 2007-11-19 10:05 . 
2007-08-17 11:20 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe 2007-11-18 18:18 . 2007-11-18 18:18 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Sonic 2007-11-18 18:18 . 2007-11-18 18:18 <DIR> d-------- C:\Documents and Settings\mariusz_User\Dane aplikacji\Leadertech 2007-11-18 12:07 . 2007-12-04 10:01 <DIR> d-------- C:\Program Files\Windows Defender 2007-11-18 10:50 . 2007-11-19 10:24 678,220 --a------ C:\WINDOWS\system32\wtjdomxj.ini 2007-11-17 15:06 . 2007-11-17 16:23 <DIR> d-------- C:\Program Files\SkanerOnline 2007-11-17 07:26 . 2007-11-17 10:16 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy 2007-11-17 07:08 . 2007-11-19 18:16 <DIR> d-------- C:\quarantine 2007-11-17 07:05 . 2007-11-18 10:42 677,980 --a------ C:\WINDOWS\system32\ynagwywr.ini 2007-11-15 17:00 . 2005-09-22 20:28 163,896 --a------ C:\WINDOWS\sequencer.exe 2007-11-15 17:00 . 2005-12-19 13:23 602 --a------ C:\WINDOWS\uninst.seq 2007-11-15 16:59 . 2007-12-04 10:10 <DIR> d-------- C:\WINDOWS\system32\DLA 2007-11-15 16:59 . 2007-11-15 16:59 <DIR> d-------- C:\Program Files\Sonic 2007-11-15 16:59 . 2007-11-15 16:59 <DIR> d-------- C:\Program Files\Multimedia Center for Think Offerings 2007-11-15 16:59 . 2007-11-15 16:59 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared 2007-11-15 16:59 . 2006-02-02 05:20 94,263 --a------ C:\WINDOWS\DLA.EXE 2007-11-15 16:59 . 2006-03-01 03:30 89,472 --a------ C:\WINDOWS\system32\drivers\DRVMCDB.SYS 2007-11-15 16:59 . 2006-02-02 05:20 61,500 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL 2007-11-15 16:59 . 2005-11-18 05:20 40,544 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS 2007-11-15 16:59 . 2005-11-18 12:02 22,684 --a------ C:\WINDOWS\system32\drivers\DLARTL_N.SYS 2007-11-15 16:59 . 2005-11-18 12:02 5,660 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS 2007-11-15 16:59 . 2007-11-17 10:17 320 --a------ C:\WINDOWS\wininit.ini . 
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-12-06 16:05 --------- d-----w C:\Program Files\mariusz 2007-12-04 09:00 --------- d-----w C:\Program Files\ThinkVantage Fingerprint Software 2007-12-04 08:52 --------- d-----w C:\Program Files\Gadu-Gadu 2007-11-15 14:01 --------- d-----w C:\Program Files\Common Files\Adobe 2007-11-15 07:22 --------- d-----w C:\Documents and Settings\LocalService\Dane aplikacji\VMware 2007-11-15 07:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\VMware 2007-11-14 10:39 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-11-13 18:51 --------- d-----w C:\Program Files\ThinkPad 2007-11-13 12:56 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Network Associates 2007-11-13 01:41 --------- d-----w C:\Program Files\Network Associates 2007-11-13 01:41 --------- d-----w C:\Program Files\Common Files\Network Associates 2007-09-28 15:30 20,264 ----a-w C:\WINDOWS\system32\Sensor.DLL 2007-09-28 15:29 37,424 ----a-w C:\WINDOWS\system32\TPHDEXLG.exe 2007-09-28 12:28 492,840 ----a-w C:\WINDOWS\system32\TpShCPL.dll 2007-09-28 12:28 181,544 ----a-w C:\WINDOWS\system32\TpShocks.exe 2007-09-28 12:28 128,296 ----a-w C:\WINDOWS\system32\TpShEvUI.exe . ((((((((((((((((((((((((((((( snapshot@2007-12-04_20.40.03.17 ))))))))))))))))))))))))))))))))))))))))) . 
- 2007-11-27 02:58:11 140,288 ----a-w C:\WINDOWS\catchme.exe + 2007-12-08 02:32:45 141,824 ----a-w C:\WINDOWS\catchme.exe - 2007-11-20 14:56:20 25,214 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ARPPRODUCTICON.exe + 2007-12-05 12:16:15 25,214 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ARPPRODUCTICON.exe - 2007-11-20 14:56:20 65,536 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ICON_FineReader.exe + 2007-12-05 12:16:15 65,536 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ICON_FineReader.exe + 2007-12-05 12:16:16 65,536 ----a-r C:\WINDOWS\Installer\{AAF80000-22B9-4CE9-98D6-2CCF359BAC07}\ICON_ScreenshorReader.exe - 2007-11-20 14:59:55 15,360 ----a-w C:\WINDOWS\system32\BASSMOD.dll + 2007-12-05 12:20:47 15,360 ----a-w C:\WINDOWS\system32\BASSMOD.dll + 2001-06-23 00:31:20 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll + 1998-03-26 03:57:34 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll + 1998-05-12 19:36:44 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll + 2006-10-07 04:18:32 185,952 ----a-w C:\WINDOWS\system32\rmoc3260.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 08:39] "TrueCrypt"="C:\Program Files\TrueCrypt\TrueCrypt.exe" [2007-05-03 21:21] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44] "NPDTRAY"="C:\PROGRA~1\Lenovo\NPDIRECT\NPDTray.exe" [2007-04-10 03:03] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TpShocks"="TpShocks.exe" [2007-09-28 13:28 C:\WINDOWS\system32\TpShocks.exe] "PSQLLauncher"="C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" [2007-03-08 16:48] "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 03:06] "Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2004-02-19 12:07] "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00] "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 15:06] "PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 01:19] "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11] "TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 14:49] "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 02:33] "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 01:19] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50] "CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30] "LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [2007-03-23 02:02] "TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-22 11:08] 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:44] C:\Documents and Settings\mariusz_User\Menu Start\Programy\Autostart\ Launcher.lnk - C:\Program Files\mariusz\sua.exe [2002-02-28 13:31:46] Psi.lnk - C:\Program Files\Psi\psi.exe [2006-01-11 14:54:54] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-02-27 17:43:30] Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-11-29 18:34:50] MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe [2007-11-20 08:44:50] Zasobnik programu McAfee Desktop Firewall.lnk - C:\Program Files\Network Associates\McAfee Desktop Firewall dla Windows XP\FireTray.exe [2007-08-08 07:41:59] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus] C:\WINDOWS\system32\psqlpwd.dll 2007-03-08 17:08 89600 C:\WINDOWS\system32\psqlpwd.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2] C:\Program Files\Lenovo\HOTKEY\notifyf2.dll 2006-09-06 16:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey] C:\Program Files\Lenovo\HOTKEY\tphklock.dll 2006-12-14 11:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=msjt3032Patch.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Acrobat Speed Launcher.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Acrobat Speed Launcher.lnk backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu 
Start^Programy^Autostart^Adobe Acrobat Synchronizer.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Acrobat Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^SBW-Autoupdate.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\SBW-Autoupdate.lnk backup=C:\WINDOWS\pss\SBW-Autoupdate.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^VPN Client.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\VPN Client.lnk backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0] 2006-10-22 23:24 620152 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] 2006-09-13 10:12 139264 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] C:\Program Files\DAEMON Tools\daemon.exe -lang 1033 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA] 2006-02-02 05:20 122940 --a------ C:\WINDOWS\System32\DLA\DLACTRLW.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] 2007-08-15 15:07 162328 --a------ C:\WINDOWS\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] 2007-08-15 15:07 141848 --a------ C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2006-01-12 15:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence] 2007-08-15 15:07 137752 --a------ C:\WINDOWS\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7] C:\PROGRA~1\Lenovo\NPDIRECT\TPFNF7SP.exe /r [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy] 2007-08-01 11:07 540672 --a------ C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] C:\Program Files\Winamp\winampa.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=3 (0x3) "VMware NAT Service"=2 (0x2) "VMnetDHCP"=2 (0x2) "VMAuthdService"=2 (0x2) "TVT Scheduler"=2 (0x2) "TPHDEXLGSVC"=2 (0x2) "SUService"=2 (0x2) "ose"=3 (0x3) "idsvc"=3 (0x3) "IBMPMSVC"=2 (0x2) "btwdins"=2 (0x2) "WinDefend"=2 (0x2) "AVG Anti-Spyware Guard"=2 (0x2) R0 FirePM;McAfee Desktop Firewall Policy Manager 
Driver;C:\WINDOWS\system32\Drivers\FirePM.sys R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys R1 FireTDI;McAfee Desktop Firewall TDI Driver;\??\C:\WINDOWS\system32\Drivers\FireTDI.sys R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys R2 FireHook;McAfee Desktop Firewall Network Driver;C:\WINDOWS\system32\DRIVERS\firehook.sys R2 smihlp;SMI Helper Driver (smihlp);\??\C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys R3 firelm01;firelm01;\??\C:\WINDOWS\system32\drivers\firelm01.sys R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE2Emdfl.sys S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE2Emdm.sys S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\SE2Emgmt.sys S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se2End5.sys S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\SE2Eobex.sys S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se2Eunic.sys S3 tpflhlp;tpflhlp;\??\C:\Program Files\Lenovo\System Update\session\7cuj22us\tpflhlp.sys S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS S3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a901a06b-9185-11dc-9257-005056c00008}] \Shell\AutoRun\command - K:\USBNB.exe *Newly Created Service* - ENTDRV51 . 
Contents of the 'Scheduled Tasks' folder
"2007-11-22 19:42:19 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2007-11-22 10:20:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-11-19 09:24:17 C:\WINDOWS\Tasks\PMTask.job" - C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\msjt3032Patch.dll
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
-> C:\Program Files\Lenovo\HOTKEY\notifyf2.dll
PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\msjt3032Patch.dll
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\MMTaskbar\shellhook.dll
-> C:\PROGRA~1\ThinkPad\UTILIT~1\US\PWRMGRRT.DLL
-> C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRIF.DLL
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 15:32:03
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-11 15:32:57
C:\ComboFix2.txt ... 2007-12-04 20:41
.
--- E O F ---
4. This file is clean - C:\WINDOWS\system32\msjt3032Patch.dll
5. List the contents of this folder C:\WINDOWS\system32: see attachment.
Greetings, Mariusz
#4
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,541
OS: xp
Re: Vundo Again
I was curious about this folder's contents, not system32:
C:\WINDOWS\system32\(null)
Submit this file at VirusTotal:
C:\nbhsamd.exe
http://www.virustotal.com/
Manually delete these files:
C:\WINDOWS\system32\wtjdomxj.ini
C:\WINDOWS\system32\ynagwywr.ini
C:\WINDOWS\system32\omglsoek.ini
C:\WINDOWS\system32\dexhsnac.ini.ren
Are there any current problems? Any questions?
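The analyst's picks in posts #2 and #4 (the random-named Run value with no file timestamp, the populated AppInit_DLLs value, the extra LSA authentication package, the AutoRun command on a mounted drive, and the eight-letter .ini files in system32) can be pulled out of a Deckard's System Scanner / ComboFix text log mechanically. This is an added triage script, not part of the thread and not code from either tool; the sample sections are constructed from lines quoted in the logs above, and the rule names and the eight-lowercase-letter heuristic are my own assumptions. A hit means "review it", not "it is malicious": the thread's msjt3032Patch.dll came back clean on VirusTotal.

```python
"""Triage of the autostart points in a Deckard's / ComboFix-style text log.

Added example, not part of the forum thread or of either tool.  SAMPLE_REG
and SAMPLE_FILES are constructed from lines quoted in the thread; the rule
names and the "eight random lowercase letters" heuristic are assumptions."""
import re
from typing import List, Tuple

# Constructed sample of the "Reg Loading Points" section, one entry per line.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2007-09-28 13:28 C:\WINDOWS\system32\TpShocks.exe]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-11-22 11:08]
"iyyuefcx"="C:\ldckbrqw.bat" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=msjt3032Patch.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjh.dll
"Notification Packages"= scecli psqlpwd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a901a06b-9185-11dc-9257-005056c00008}]
\Shell\AutoRun\command - K:\USBNB.exe
"""

# Constructed sample of the "Files Created" section.
SAMPLE_FILES = r"""
2007-12-04 09:22 . 2007-12-04 09:22 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-19 18:20 . 2007-11-22 08:29 894 --a------ C:\WINDOWS\system32\dexhsnac.ini.ren
2007-11-19 10:47 . 2007-11-19 10:48 678,280 --a------ C:\WINDOWS\system32\omglsoek.ini
2007-11-18 10:50 . 2007-11-19 10:24 678,220 --a------ C:\WINDOWS\system32\wtjdomxj.ini
2007-11-17 07:05 . 2007-11-18 10:42 677,980 --a------ C:\WINDOWS\system32\ynagwywr.ini
2007-11-15 17:00 . 2005-09-22 20:28 163,896 --a------ C:\WINDOWS\sequencer.exe
"""

# "name"="command" [timestamp and optional resolved path]; an empty [] means
# the scanner could not stat the target file.
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')
RANDOM_NAME = re.compile(r"^[a-z]{8}$")          # heuristic, assumption
# created-date time . modified-date time size attributes path
FILE_ENTRY = re.compile(r"^\S+ \S+ \. \S+ \S+ (?P<size>[\d,]+) \S+ (?P<path>.+)$")
RANDOM_INI = re.compile(r"\\system32\\[a-z]{8}\.ini(?:\.ren)?$")
DEFAULT_AUTH_PACKAGES = {"msv1_0"}               # the XP default


def triage_reg_points(log: str) -> List[Tuple[str, str]]:
    """Return (rule, log line) pairs worth an analyst's attention."""
    findings: List[Tuple[str, str]] = []
    key = ""                                     # registry key currently open
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        lower = line.lower()
        run = RUN_VALUE.match(line)
        if run and key.endswith("\\currentversion\\run"):
            if not run.group("stamp").strip():
                findings.append(("run-value without file timestamp", line))
            if RANDOM_NAME.match(run.group("name")):
                findings.append(("run-value with random-looking name", line))
            continue
        if lower.startswith('"appinit_dlls"='):
            if lower.split("=", 1)[1].strip():   # anything here loads into every GUI process
                findings.append(("AppInit_DLLs is populated", line))
            continue
        if lower.startswith('"authentication packages"='):
            packages = set(line.split("=", 1)[1].split())
            if packages - DEFAULT_AUTH_PACKAGES:  # extra DLL loaded by lsass
                findings.append(("extra LSA authentication package", line))
            continue
        if "mountpoints2" in key and "autorun\\command" in lower:
            findings.append(("AutoRun command on a mounted drive", line))
    return findings


def triage_file_list(log: str) -> List[str]:
    """Return system32 paths that match the eight-letter .ini pattern the
    analyst asked to delete (heuristic; confirm before acting)."""
    hits: List[str] = []
    for raw in log.splitlines():
        entry = FILE_ENTRY.match(raw.strip())
        if entry and RANDOM_INI.search(entry.group("path")):
            hits.append(entry.group("path"))
    return hits


if __name__ == "__main__":
    for rule, line in triage_reg_points(SAMPLE_REG):
        print(f"[{rule}] {line}")
    for path in triage_file_list(SAMPLE_FILES):
        print(f"[random-named ini in system32] {path}")
```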
#6
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,541
OS: xp
Re: Vundo Again
Go ahead and delete it. Keep an eye out for a few days to see if the file comes back.
Think Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.
PC Safety and Security--What Do I Need?
To help avoid reinfection see "So how did I get infected in the first place?"
http://castlecops.com/postlite7736-.html