Vitumonde infection [Archive] - Safer-Networking Forums

pdragonfly

2008-03-30, 19:42

Please advise next steps. Thanks so much!!

Following steps from another post here are my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:56 AM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
E:\ESET\egui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Roboform\RoboTaskBarIcon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\ESET\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
E:\FireFox\firefox.exe
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eggs-pysanky.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dragonfly
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "E:\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [acea525f] rundll32.exe "C:\WINDOWS\system32\njhwovox.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA7343] command /c del "C:\WINDOWS\system32\mljjj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6489] cmd /c del "C:\WINDOWS\system32\mljjj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6410] command /c del "C:\WINDOWS\system32\njhwovox.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3383] cmd /c del "C:\WINDOWS\system32\njhwovox.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6297] command /c del "C:\WINDOWS\system32\tufhhwyq.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3017] cmd /c del "C:\WINDOWS\system32\tufhhwyq.dll_old"
O4 - HKCU\..\Run: [RoboForm] "E:\Roboform\RoboTaskBarIcon.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8232] command /c del "C:\WINDOWS\system32\mljjj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4282] cmd /c del "C:\WINDOWS\system32\mljjj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7794] command /c del "C:\WINDOWS\system32\njhwovox.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6384] cmd /c del "C:\WINDOWS\system32\njhwovox.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7980] command /c del "C:\WINDOWS\system32\tufhhwyq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2868] cmd /c del "C:\WINDOWS\system32\tufhhwyq.dll_old"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://E:\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://E:\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B811CA-4458-4EC9-B255-3EC64FCF7EEF}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\ESET\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\ESET\ekrn.exe

--
End of file - 5901 bytes

Username "Dragonfly" - 03/30/2008 12:01:14 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"systray"="C:\\Program Files\\Dell\\Dell Mobile Broadband\\systray.exe"
"SigmatelSysTrayApp"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,53,69,\
67,6d,61,54,65,6c,5c,43,2d,4d,61,6a,6f,72,20,41,75,64,69,6f,5c,57,44,4d,5c,\
73,74,73,79,73,74,72,61,2e,65,78,65,00
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"egui"="\"E:\\ESET\\egui.exe\" /hide /waitservice"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"SpybotSnD"="\"E:\\Spybot - Search & Destroy\\Spybot - Search & Destroy\\SpybotSD.exe\""
"acea525f"="rundll32.exe \"C:\\WINDOWS\\system32\\njhwovox.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="\"E:\\Roboform\\RoboTaskBarIcon.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:34 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\ESET\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\ESET\egui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe
E:\Roboform\RoboTaskBarIcon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Digital Line Detect\DLG.exe
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eggs-pysanky.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dragonfly
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20CC6076-D7FE-46BB-9CF0-D80014D3BD0B} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\vturonn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O2 - BHO: (no name) - {B34A017C-651D-4162-BB5F-C2A7EFE0E245} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {B5D55D95-6AF6-4F4E-B0BD-C33006804600} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - C:\WINDOWS\TinyBHO.dll
O2 - BHO: (no name) - {D270F3C8-81B4-4E7E-9C6F-215BBB4F7220} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: (no name) - {FC723391-F488-4168-B46A-6447E304E742} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "E:\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [acea525f] rundll32.exe "C:\WINDOWS\system32\njhwovox.dll",b
O4 - HKCU\..\Run: [RoboForm] "E:\Roboform\RoboTaskBarIcon.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://E:\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://E:\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B811CA-4458-4EC9-B255-3EC64FCF7EEF}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O20 - Winlogon Notify: vturonn - C:\WINDOWS\SYSTEM32\vturonn.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\ESET\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\ESET\ekrn.exe

--
End of file - 5978 bytes

VundoFix V7.0.3

Scan started at 12:21:41 PM 3/30/2008

Listing files found while scanning....

C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini2
C:\windows\system32\vturq.dll

Beginning removal...

Attempting to delete C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini Has been deleted!

Attempting to delete C:\windows\system32\qrutv.ini2
C:\windows\system32\qrutv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vturq.dll
C:\windows\system32\vturq.dll Has been deleted!

Performing Repairs to the registry.
Done!
rest is in next post because it was too many characters.

pdragonfly

2008-03-30, 19:43

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:25 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\ESET\egui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Roboform\RoboTaskBarIcon.exe
E:\FireFox\firefox.exe
E:\HijackThis\HijackThis.exe
E:\ESET\ekrn.exe
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eggs-pysanky.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dragonfly
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20CC6076-D7FE-46BB-9CF0-D80014D3BD0B} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\vturonn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O2 - BHO: (no name) - {9FECE869-0BD4-4863-9A62-F47973D741CB} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: (no name) - {B34A017C-651D-4162-BB5F-C2A7EFE0E245} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {B5D55D95-6AF6-4F4E-B0BD-C33006804600} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - C:\WINDOWS\TinyBHO.dll
O2 - BHO: {a02da872-b1a3-1b2a-a7e4-0f0821bd0e9c} - {c9e0db12-80f0-4e7a-a2b1-3a1b278ad20a} - C:\WINDOWS\system32\bxondnyh.dll
O2 - BHO: (no name) - {D270F3C8-81B4-4E7E-9C6F-215BBB4F7220} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: (no name) - {FC723391-F488-4168-B46A-6447E304E742} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "E:\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [acea525f] rundll32.exe "C:\WINDOWS\system32\nimycjxt.dll",b
O4 - HKCU\..\Run: [RoboForm] "E:\Roboform\RoboTaskBarIcon.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://E:\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://E:\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B811CA-4458-4EC9-B255-3EC64FCF7EEF}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O20 - Winlogon Notify: vturonn - C:\WINDOWS\SYSTEM32\vturonn.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\ESET\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\ESET\ekrn.exe

--
End of file - 6225 bytes

pdragonfly

2008-03-30, 21:37

ComboFix 08-03-30.2 - Dragonfly 2008-03-30 14:30:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1531 [GMT -5:00]
Running from: G:\ComboFix.exe
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqoli.dll
C:\WINDOWS\system32\cbxyywx.dll
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\dhfddqgh.dll
C:\WINDOWS\system32\hgqddfhd.ini
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini2
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\pmnmlkj.dll
C:\WINDOWS\system32\rqstv.ini
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\system32\vturonn.dll
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\x64
C:\WINDOWS\system32\xxywutr.dll
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 13:46 . 2008-03-30 13:46 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-30 13:42 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-30 13:42 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-30 13:42 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-30 13:42 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-30 13:42 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-30 12:33 . 2008-03-30 12:33 414 --ahs---- C:\WINDOWS\system32\kgulmtre.ini
2008-03-30 12:21 . 2008-03-30 12:21 <DIR> d-------- C:\VundoFix Backups
2008-03-30 12:17 . 2008-03-30 12:28 354 --ahs---- C:\WINDOWS\system32\txjcymin.ini
2008-03-30 12:01 . 2008-03-30 12:11 <DIR> d-------- C:\fixwareout
2008-03-30 11:27 . 2008-03-30 11:45 294 --ahs---- C:\WINDOWS\system32\xovowhjn.ini
2008-03-29 23:42 . 2008-03-30 13:49 711 --a------ C:\WINDOWS\wininit.ini
2008-03-29 17:09 . 2008-03-29 17:12 32,764 --a------ C:\WINDOWS\17PHolmes572.exe
2008-03-29 16:37 . 2008-03-29 16:37 <DIR> d-------- C:\Program Files\uTorrent
2008-03-29 16:37 . 2008-03-29 20:16 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\uTorrent
2008-03-29 15:56 . 2008-03-29 15:56 <DIR> dr------- C:\Documents and Settings\Dragonfly\Application Data\Brother
2008-03-29 15:48 . 2008-03-29 15:48 <DIR> d-------- C:\WINDOWS\Twain32
2008-03-29 15:43 . 2008-03-29 15:43 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-29 15:43 . 2008-03-29 15:43 0 --a------ C:\WINDOWS\NSREX.INI
2008-03-29 15:42 . 2008-03-29 15:42 <DIR> d-------- C:\WINDOWS\ShellNew
2008-03-29 15:42 . 2008-03-29 15:42 <DIR> d-------- C:\Program Files\Snapshot Viewer
2008-03-29 15:20 . 2007-08-21 03:12 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys
2008-03-29 15:19 . 2008-03-29 15:19 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-29 15:19 . 2008-03-29 15:20 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-03-27 18:53 . 2006-09-12 17:04 319,267 --a------ C:\WINDOWS\sound1.mp3
2008-03-27 09:04 . 2008-03-27 09:04 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-25 23:25 . 2007-11-21 18:38 103 --a------ C:\WINDOWS\system32\privacy.xml
2008-03-25 23:13 . 2008-03-28 19:31 121 --a------ C:\WINDOWS\bdagent.INI
2008-03-25 22:44 . 2008-03-25 22:53 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-03-25 09:14 . 2008-03-25 09:14 <DIR> d---s---- C:\Documents and Settings\Dragonfly\UserData
2008-03-24 22:05 . 2008-03-24 22:05 <DIR> d-------- C:\Documents and Settings\Dragonfly\Config
2008-03-24 20:04 . 2008-03-24 20:39 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2008-03-24 20:04 . 2008-03-24 20:04 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\Intuit
2008-03-24 20:04 . 2007-07-26 17:13 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
2008-03-24 20:04 . 2007-07-26 17:13 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
2008-03-24 20:03 . 2008-03-24 20:03 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software
2008-03-24 20:03 . 2008-03-24 20:03 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-03-24 20:03 . 2008-03-24 20:40 151 --a------ C:\WINDOWS\QUICKEN.INI
2008-03-24 20:01 . 2008-03-24 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-03-23 22:26 . 2008-03-23 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-03-23 22:25 . 2008-03-23 22:25 <DIR> d-------- C:\Program Files\Siber Systems
2008-03-23 21:48 . 2008-03-23 21:48 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\Simple Star
2008-03-23 21:48 . 2004-07-13 15:47 421,888 --a------ C:\WINDOWS\Nero PhotoShow.scr
2008-03-23 21:46 . 2008-03-23 21:46 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\Ahead
2008-03-23 21:44 . 2004-09-22 17:00 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-03-23 21:44 . 2004-09-22 17:00 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-03-23 21:44 . 2004-09-22 17:00 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-03-23 21:44 . 2004-09-22 17:00 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-03-23 21:44 . 2004-09-22 17:00 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-03-23 21:44 . 2004-09-22 17:00 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-03-23 21:44 . 2004-09-22 17:00 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2008-03-23 21:43 . 2008-03-23 21:46 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-23 21:43 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-23 20:29 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-23 20:29 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-23 20:29 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-23 20:29 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-23 19:06 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-03-23 19:06 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-03-23 19:02 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-23 19:02 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-23 19:01 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-23 19:01 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-23 17:10 . 2008-03-23 17:10 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-23 16:23 . 2008-03-23 20:51 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\WinAmp
2008-03-23 15:28 . 2008-03-23 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 15:14 . 2008-03-23 15:14 146 --a------ C:\WINDOWS\BRVIDEO.INI
2008-03-23 15:14 . 2008-03-23 15:14 40 --a------ C:\WINDOWS\BRDIAG.INI
2008-03-23 15:14 . 2008-03-23 15:14 23 --a------ C:\WINDOWS\Brownie.ini
2008-03-23 15:13 . 2008-03-23 15:13 <DIR> d-------- C:\Program Files\Brownie
2008-03-23 15:13 . 2008-03-23 15:13 <DIR> d-------- C:\Program Files\Brother
2008-03-23 01:32 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-23 01:29 . 2008-03-23 01:29 <DIR> d-------- C:\Program Files\Skype
2008-03-23 01:29 . 2008-03-29 15:07 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\Skype
2008-03-23 01:27 . 2008-03-23 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-03-23 01:18 . 2008-03-23 01:18 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-23 01:11 . 2008-03-23 01:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-23 01:03 . 2008-03-23 00:05 <DIR> d-------- C:\Program Files\Broadcom
2008-03-23 01:03 . 2006-11-21 04:25 45,568 --------- C:\WINDOWS\system32\drivers\bcm4sbxp.sys
2008-03-23 01:02 . 2008-03-23 00:15 <DIR> d-------- C:\Program Files\Intel
2008-03-23 01:02 . 2008-03-23 01:02 <DIR> d-------- C:\Intel
2008-03-23 01:01 . 2008-03-23 00:18 <DIR> d-------- C:\Program Files\Dell
2008-03-23 01:00 . 2008-03-23 01:00 <DIR> d-------- C:\Program Files\Digital Line Detect
2008-03-23 01:00 . 2008-03-23 01:00 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\InstallShield
2008-03-22 16:00 . 2008-03-22 16:00 1,580,544 --a------ C:\WINDOWS\system32\sfcfiles.dll
2008-03-22 15:59 . 2007-05-16 18:14 5,707,744 --------- C:\WINDOWS\system32\drivers\igxpmp32.sys
2008-03-22 15:59 . 2008-03-22 15:59 2,556,928 --a------ C:\WINDOWS\system32\igxpdx32.dll
2008-03-22 15:59 . 2008-03-22 15:59 1,612,480 --a------ C:\WINDOWS\system32\igxpdv32.dll
2008-03-22 15:59 . 2007-05-16 18:14 910,304 --a------ C:\WINDOWS\system32\igmedkrn.dll
2008-03-22 15:59 . 2008-03-22 15:59 204,800 --a------ C:\WINDOWS\system32\igfxCoIn_v4831.dll
2008-03-22 15:59 . 2008-03-22 15:59 149,504 --a------ C:\WINDOWS\system32\igxpgd32.dll
2008-03-22 15:59 . 2008-03-22 15:59 57,344 --a------ C:\WINDOWS\system32\igxprd32.dll
2008-03-22 15:59 . 2007-05-16 20:15 25,504 --a------ C:\WINDOWS\system32\igxpxs32.vp
2008-03-22 15:59 . 2007-05-16 16:46 2,096 --a------ C:\WINDOWS\system32\igxpxk32.vp
2008-03-22 15:56 . 2008-03-22 15:56 202,912 --------- C:\WINDOWS\system32\drivers\SynTP.sys
2008-03-22 15:56 . 2008-03-22 15:56 196,608 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-03-22 15:56 . 2008-03-22 15:56 163,840 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-03-22 15:56 . 2008-03-22 15:56 143,360 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-03-22 15:56 . 2008-03-22 15:56 110,592 --a------ C:\WINDOWS\system32\SynTPCo4.dll
2008-03-22 15:55 . 2007-05-10 10:24 1,222,840 --------- C:\WINDOWS\system32\drivers\sthda.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 01:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-23 20:13 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-23 18:23 --------- d--h--w C:\Documents and Settings\Dragonfly\Application Data\GTek
2008-03-23 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gtek
2008-03-23 05:59 --------- d-----w C:\Program Files\CONEXANT
2008-03-23 05:58 --------- d-----w C:\Program Files\Sigmatel
2008-03-23 05:46 --------- d-----w C:\Documents and Settings\Dragonfly\Application Data\vlc
2008-03-23 05:46 --------- d-----w C:\Documents and Settings\Dragonfly\Application Data\dvdcss
2008-03-23 05:28 --------- d-----w C:\Program Files\Symantec
2008-03-23 05:22 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-23 05:19 5 ------w C:\WINDOWS\system32\drivers\DELL_XPS_Vostro 1500 .MRK
2008-03-23 05:19 5 ------w C:\WINDOWS\system32\drivers\1028_DELL_XPS_Vostro 1500 .MRK
2008-03-23 05:15 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-03-23 05:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-03-23 05:15 --------- d-----w C:\Documents and Settings\Dragonfly\Application Data\Intel
2008-03-23 05:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-03-23 05:12 --------- d-----w C:\Documents and Settings\Dragonfly\Application Data\Dell
2008-03-23 05:10 --------- d-----w C:\Program Files\Common Files\Zeepe Framework 7
2008-03-23 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Novatel Wireless
2008-03-23 00:14 --------- d-----w C:\Program Files\Synaptics
2008-03-22 20:55 405,504 ----a-w C:\WINDOWS\stsystra.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="E:\Roboform\RoboTaskBarIcon.exe" [2008-03-23 22:31 160592]
"HijackThis startup scan"="E:\HijackThis\HijackThis.exe" [2008-03-30 11:40 396288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-22 15:56 851968]
"systray"="C:\Program Files\Dell\Dell Mobile Broadband\systray.exe" [2007-06-23 14:28 331851]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-22 15:55 405504]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"egui"="E:\ESET\egui.exe" [2008-02-20 11:06 1443072]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 14:01 1037736]
"SpybotSnD"="E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43 5146448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-03-23 01:00:26 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 E:\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 17:54 37376 E:\WinAmp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"wltrysvc"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"EvtEng"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"Persistence"=C:\WINDOWS\system32\igfxpers.exe
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"NI.UGA6P_0001_N122M2802"="C:\DOCUME~1\DRAGON~1\LOCALS~1\Temp\winvsnet.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-06-01 13:57]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-05-30 16:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 14:32:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\ESET\ekrn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-30 14:35:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-30 19:35:20
Pre-Run: 34,009,452,544 bytes free
Post-Run: 34,085,556,224 bytes free

pdragonfly

2008-03-30, 22:09

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
E:\ESET\egui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Roboform\RoboTaskBarIcon.exe
E:\ESET\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eggs-pysanky.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "E:\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [RoboForm] "E:\Roboform\RoboTaskBarIcon.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - file://E:\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://E:\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206902494671
O17 - HKLM\System\CCS\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B811CA-4458-4EC9-B255-3EC64FCF7EEF}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\ESET\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\ESET\ekrn.exe

--
End of file - 5091 bytes