Virtumonde infection

pdragonfly

New member
Please advise next steps. Thanks so much!!

Following the steps from another post, here are my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:56 AM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
E:\ESET\egui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Roboform\RoboTaskBarIcon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\ESET\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
E:\FireFox\firefox.exe
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eggs-pysanky.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dragonfly
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "E:\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [acea525f] rundll32.exe "C:\WINDOWS\system32\njhwovox.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA7343] command /c del "C:\WINDOWS\system32\mljjj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6489] cmd /c del "C:\WINDOWS\system32\mljjj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6410] command /c del "C:\WINDOWS\system32\njhwovox.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3383] cmd /c del "C:\WINDOWS\system32\njhwovox.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6297] command /c del "C:\WINDOWS\system32\tufhhwyq.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3017] cmd /c del "C:\WINDOWS\system32\tufhhwyq.dll_old"
O4 - HKCU\..\Run: [RoboForm] "E:\Roboform\RoboTaskBarIcon.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8232] command /c del "C:\WINDOWS\system32\mljjj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4282] cmd /c del "C:\WINDOWS\system32\mljjj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7794] command /c del "C:\WINDOWS\system32\njhwovox.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6384] cmd /c del "C:\WINDOWS\system32\njhwovox.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7980] command /c del "C:\WINDOWS\system32\tufhhwyq.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2868] cmd /c del "C:\WINDOWS\system32\tufhhwyq.dll_old"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://E:\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://E:\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B811CA-4458-4EC9-B255-3EC64FCF7EEF}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\ESET\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\ESET\ekrn.exe

--
End of file - 5901 bytes

Username "Dragonfly" - 03/30/2008 12:01:14 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check


Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"systray"="C:\\Program Files\\Dell\\Dell Mobile Broadband\\systray.exe"
"SigmatelSysTrayApp"=hex(2):25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,53,69,\
67,6d,61,54,65,6c,5c,43,2d,4d,61,6a,6f,72,20,41,75,64,69,6f,5c,57,44,4d,5c,\
73,74,73,79,73,74,72,61,2e,65,78,65,00
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"egui"="\"E:\\ESET\\egui.exe\" /hide /waitservice"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"SpybotSnD"="\"E:\\Spybot - Search & Destroy\\Spybot - Search & Destroy\\SpybotSD.exe\""
"acea525f"="rundll32.exe \"C:\\WINDOWS\\system32\\njhwovox.dll\",b"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="\"E:\\Roboform\\RoboTaskBarIcon.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:34 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\ESET\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\ESET\egui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe
E:\Roboform\RoboTaskBarIcon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Digital Line Detect\DLG.exe
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eggs-pysanky.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dragonfly
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20CC6076-D7FE-46BB-9CF0-D80014D3BD0B} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\vturonn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O2 - BHO: (no name) - {B34A017C-651D-4162-BB5F-C2A7EFE0E245} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {B5D55D95-6AF6-4F4E-B0BD-C33006804600} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - C:\WINDOWS\TinyBHO.dll
O2 - BHO: (no name) - {D270F3C8-81B4-4E7E-9C6F-215BBB4F7220} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: (no name) - {FC723391-F488-4168-B46A-6447E304E742} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "E:\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [acea525f] rundll32.exe "C:\WINDOWS\system32\njhwovox.dll",b
O4 - HKCU\..\Run: [RoboForm] "E:\Roboform\RoboTaskBarIcon.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://E:\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://E:\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B811CA-4458-4EC9-B255-3EC64FCF7EEF}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O20 - Winlogon Notify: vturonn - C:\WINDOWS\SYSTEM32\vturonn.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\ESET\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\ESET\ekrn.exe

--
End of file - 5978 bytes


VundoFix V7.0.3

Scan started at 12:21:41 PM 3/30/2008


Listing files found while scanning....

C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini2
C:\windows\system32\vturq.dll

Beginning removal...

Attempting to delete C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini Has been deleted!

Attempting to delete C:\windows\system32\qrutv.ini2
C:\windows\system32\qrutv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vturq.dll
C:\windows\system32\vturq.dll Has been deleted!

Performing Repairs to the registry.
Done!
The rest is in the next post because it was too many characters.
 
Last HJ


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:25 PM, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\ESET\egui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Roboform\RoboTaskBarIcon.exe
E:\FireFox\firefox.exe
E:\HijackThis\HijackThis.exe
E:\ESET\ekrn.exe
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eggs-pysanky.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dragonfly
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20CC6076-D7FE-46BB-9CF0-D80014D3BD0B} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\vturonn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O2 - BHO: (no name) - {9FECE869-0BD4-4863-9A62-F47973D741CB} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: (no name) - {B34A017C-651D-4162-BB5F-C2A7EFE0E245} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {B5D55D95-6AF6-4F4E-B0BD-C33006804600} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - C:\WINDOWS\TinyBHO.dll
O2 - BHO: {a02da872-b1a3-1b2a-a7e4-0f0821bd0e9c} - {c9e0db12-80f0-4e7a-a2b1-3a1b278ad20a} - C:\WINDOWS\system32\bxondnyh.dll
O2 - BHO: (no name) - {D270F3C8-81B4-4E7E-9C6F-215BBB4F7220} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: (no name) - {FC723391-F488-4168-B46A-6447E304E742} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "E:\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [acea525f] rundll32.exe "C:\WINDOWS\system32\nimycjxt.dll",b
O4 - HKCU\..\Run: [RoboForm] "E:\Roboform\RoboTaskBarIcon.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Customize Menu - file://E:\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://E:\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B811CA-4458-4EC9-B255-3EC64FCF7EEF}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O20 - Winlogon Notify: vturonn - C:\WINDOWS\SYSTEM32\vturonn.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\ESET\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\ESET\ekrn.exe

--
End of file - 6225 bytes
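The three HijackThis logs and the VundoFix/ComboFix deletion lists above share one pattern: BHOs (O2), a rundll32 Run entry (O4) and a Winlogon Notify hook (O20) all point at random-looking DLLs directly under system32, and every <name>.ini the cleaners removed is the reverse of one of those DLL basenames (qrutv.ini for vturq.dll, jjjlm.ini for mljjj.dll, xovowhjn.ini for njhwovox.dll). The script below is an added example for this page, not one of the tools the poster ran; it parses those log lines and reports the matches. The "random name" rule (5 to 8 lowercase letters) and the reversed-name pairing are assumptions fitted to the names in this thread, not general signatures, and the sample lines are copied from the logs posted above.

```python
"""Triage of the HijackThis / VundoFix / ComboFix log lines in this thread.

Added example, not one of the tools the poster ran. It flags O2 / O4 / O20
entries that load a random-named DLL directly under system32 and pairs each
<name>.ini in the cleaner deletion lists with the DLL whose basename is <name>
reversed (qrutv.ini <-> vturq.dll). Assumption: a "random" basename is 5-8
lowercase ASCII letters; the rule is a heuristic fitted to this thread's names.
"""
import re

RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")
# A DLL directly under system32; the \b after .dll keeps "mljjj.dll_old" from matching.
SYS32_DLL = re.compile(r"[A-Za-z]:\\windows\\system32\\([A-Za-z]+)\.dll\b", re.IGNORECASE)
# A .dll / .ini / .ini2 path under system32 at the end of a cleaner log line.
SYS32_FILE = re.compile(r"[A-Za-z]:\\windows\\system32\\([A-Za-z0-9]+)\.(dll|ini2?)\s*$", re.IGNORECASE)
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?: \(file missing\))?$")
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Lines copied from the HijackThis logs above (both DLLs the acea525f value pointed at are kept).
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20CC6076-D7FE-46BB-9CF0-D80014D3BD0B} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\vturonn.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O2 - BHO: (no name) - {9FECE869-0BD4-4863-9A62-F47973D741CB} - C:\WINDOWS\system32\vturq.dll (file missing)
O2 - BHO: (no name) - {B34A017C-651D-4162-BB5F-C2A7EFE0E245} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {B5D55D95-6AF6-4F4E-B0BD-C33006804600} - C:\WINDOWS\system32\gebyv.dll (file missing)
O2 - BHO: SBBho Class - {c9803b12-f0a0-11dc-95ff-0800200c9a66} - C:\WINDOWS\TinyBHO.dll
O2 - BHO: {a02da872-b1a3-1b2a-a7e4-0f0821bd0e9c} - {c9e0db12-80f0-4e7a-a2b1-3a1b278ad20a} - C:\WINDOWS\system32\bxondnyh.dll
O2 - BHO: (no name) - {D270F3C8-81B4-4E7E-9C6F-215BBB4F7220} - C:\WINDOWS\system32\awvtu.dll (file missing)
O2 - BHO: (no name) - {FC723391-F488-4168-B46A-6447E304E742} - C:\WINDOWS\system32\jkhfc.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [acea525f] rundll32.exe "C:\WINDOWS\system32\njhwovox.dll",b
O4 - HKLM\..\Run: [acea525f] rundll32.exe "C:\WINDOWS\system32\nimycjxt.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingC6489] cmd /c del "C:\WINDOWS\system32\mljjj.dll_old"
O20 - Winlogon Notify: vturonn - C:\WINDOWS\SYSTEM32\vturonn.dll
"""

# Lines copied from the VundoFix and ComboFix logs above (deletions and created files).
SAMPLE_CLEANER = r"""
C:\windows\system32\qrutv.ini
C:\windows\system32\qrutv.ini2
C:\windows\system32\vturq.dll
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\dhfddqgh.dll
C:\WINDOWS\system32\hgqddfhd.ini
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\vturonn.dll
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\x64
2008-03-30 12:33 . 2008-03-30 12:33 414 --ahs---- C:\WINDOWS\system32\kgulmtre.ini
2008-03-30 12:17 . 2008-03-30 12:28 354 --ahs---- C:\WINDOWS\system32\txjcymin.ini
2008-03-30 11:27 . 2008-03-30 11:45 294 --ahs---- C:\WINDOWS\system32\xovowhjn.ini
"""


def random_sys32_dll(text):
    """Return the basename if TEXT names a random-looking DLL directly under system32, else None."""
    m = SYS32_DLL.search(text)
    if not m:
        return None
    base = m.group(1)
    return base if RANDOM_NAME.match(base) else None


def triage(hjt_log, cleaner_logs):
    """Flag Vundo-pattern HJT entries and pair cleaner-list .ini names with DLLs by reversal."""
    found = {"bho": [], "run": [], "winlogon": []}
    dll_names, ini_names = set(), set()
    for line in hjt_log.splitlines():
        line = line.strip()
        if m := O2_BHO.match(line):
            kind, text = "bho", m["path"]
        elif (m := O4_RUN.match(line)) and "rundll32" in m["cmd"].lower():
            kind, text = "run", m["cmd"]  # Spybot's "cmd /c del ..." RunOnce lines are skipped here
        elif m := O20_NOTIFY.match(line):
            kind, text = "winlogon", m["path"]
        else:
            continue
        base = random_sys32_dll(text)
        if base:
            found[kind].append(base)
            dll_names.add(base)
    for line in cleaner_logs.splitlines():
        if m := SYS32_FILE.search(line):
            base, ext = m.group(1).lower(), m.group(2).lower()
            (dll_names if ext == "dll" else ini_names).add(base)
    # Pairing seen in these logs: the hidden+system .ini basename is the DLL basename reversed.
    found["ini_pairs"] = {ini: ini[::-1] for ini in sorted(ini_names) if ini[::-1] in dll_names}
    found["unpaired_ini"] = sorted(ini_names - set(found["ini_pairs"]))
    return found


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT, SAMPLE_CLEANER).items():
        print(f"{key}: {value}")
```

Run as-is it prints the eight flagged BHO DLLs, the two rundll32 loaders (njhwovox and nimycjxt, the same acea525f value renamed between scans), the vturonn Winlogon hook, nine ini/dll pairs and two .ini files (kgulmtre, llkkj) whose partner DLL never showed up in any log. The name rule is only a prefilter and would also match a legitimate short name such as hidserv.dll, which is why it is applied only to BHO, Run and Winlogon Notify entries and why the reversed-name pairing is the stronger signal in this thread; "(file missing)" entries are dead CLSID registrations left behind after a cleaner deleted the file and still need removing.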
 
Combofix log

ComboFix 08-03-30.2 - Dragonfly 2008-03-30 14:30:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1531 [GMT -5:00]
Running from: G:\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqoli.dll
C:\WINDOWS\system32\cbxyywx.dll
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\dhfddqgh.dll
C:\WINDOWS\system32\hgqddfhd.ini
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini2
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\llkkj.ini2
C:\WINDOWS\system32\pmnmlkj.dll
C:\WINDOWS\system32\rqstv.ini
C:\WINDOWS\system32\rqstv.ini2
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\system32\vturonn.dll
C:\WINDOWS\system32\vybeg.ini
C:\WINDOWS\system32\vybeg.ini2
C:\WINDOWS\system32\x64
C:\WINDOWS\system32\xxywutr.dll
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 13:46 . 2008-03-30 13:46 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-30 13:42 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-30 13:42 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-30 13:42 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-30 13:42 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-30 13:42 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-30 12:33 . 2008-03-30 12:33 414 --ahs---- C:\WINDOWS\system32\kgulmtre.ini
2008-03-30 12:21 . 2008-03-30 12:21 <DIR> d-------- C:\VundoFix Backups
2008-03-30 12:17 . 2008-03-30 12:28 354 --ahs---- C:\WINDOWS\system32\txjcymin.ini
2008-03-30 12:01 . 2008-03-30 12:11 <DIR> d-------- C:\fixwareout
2008-03-30 11:27 . 2008-03-30 11:45 294 --ahs---- C:\WINDOWS\system32\xovowhjn.ini
2008-03-29 23:42 . 2008-03-30 13:49 711 --a------ C:\WINDOWS\wininit.ini
2008-03-29 17:09 . 2008-03-29 17:12 32,764 --a------ C:\WINDOWS\17PHolmes572.exe
2008-03-29 16:37 . 2008-03-29 16:37 <DIR> d-------- C:\Program Files\uTorrent
2008-03-29 16:37 . 2008-03-29 20:16 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\uTorrent
2008-03-29 15:56 . 2008-03-29 15:56 <DIR> dr------- C:\Documents and Settings\Dragonfly\Application Data\Brother
2008-03-29 15:48 . 2008-03-29 15:48 <DIR> d-------- C:\WINDOWS\Twain32
2008-03-29 15:43 . 2008-03-29 15:43 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-29 15:43 . 2008-03-29 15:43 0 --a------ C:\WINDOWS\NSREX.INI
2008-03-29 15:42 . 2008-03-29 15:42 <DIR> d-------- C:\WINDOWS\ShellNew
2008-03-29 15:42 . 2008-03-29 15:42 <DIR> d-------- C:\Program Files\Snapshot Viewer
2008-03-29 15:20 . 2007-08-21 03:12 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys
2008-03-29 15:19 . 2008-03-29 15:19 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-29 15:19 . 2008-03-29 15:20 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-03-27 18:53 . 2006-09-12 17:04 319,267 --a------ C:\WINDOWS\sound1.mp3
2008-03-27 09:04 . 2008-03-27 09:04 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-25 23:25 . 2007-11-21 18:38 103 --a------ C:\WINDOWS\system32\privacy.xml
2008-03-25 23:13 . 2008-03-28 19:31 121 --a------ C:\WINDOWS\bdagent.INI
2008-03-25 22:44 . 2008-03-25 22:53 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-03-25 09:14 . 2008-03-25 09:14 <DIR> d---s---- C:\Documents and Settings\Dragonfly\UserData
2008-03-24 22:05 . 2008-03-24 22:05 <DIR> d-------- C:\Documents and Settings\Dragonfly\Config
2008-03-24 20:04 . 2008-03-24 20:39 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 5.0
2008-03-24 20:04 . 2008-03-24 20:04 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\Intuit
2008-03-24 20:04 . 2007-07-26 17:13 3,518,464 --a------ C:\WINDOWS\system32\cdintf300.dll
2008-03-24 20:04 . 2007-07-26 17:13 1,843,200 --a------ C:\WINDOWS\system32\acXMLParser.dll
2008-03-24 20:03 . 2008-03-24 20:03 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software
2008-03-24 20:03 . 2008-03-24 20:03 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-03-24 20:03 . 2008-03-24 20:40 151 --a------ C:\WINDOWS\QUICKEN.INI
2008-03-24 20:01 . 2008-03-24 20:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2008-03-23 22:26 . 2008-03-23 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-03-23 22:25 . 2008-03-23 22:25 <DIR> d-------- C:\Program Files\Siber Systems
2008-03-23 21:48 . 2008-03-23 21:48 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\Simple Star
2008-03-23 21:48 . 2004-07-13 15:47 421,888 --a------ C:\WINDOWS\Nero PhotoShow.scr
2008-03-23 21:46 . 2008-03-23 21:46 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\Ahead
2008-03-23 21:44 . 2004-09-22 17:00 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2008-03-23 21:44 . 2004-09-22 17:00 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2008-03-23 21:44 . 2004-09-22 17:00 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2008-03-23 21:44 . 2004-09-22 17:00 364,544 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-03-23 21:44 . 2004-09-22 17:00 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2008-03-23 21:44 . 2004-09-22 17:00 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-03-23 21:44 . 2004-09-22 17:00 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2008-03-23 21:43 . 2008-03-23 21:46 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-23 21:43 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-23 20:29 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-23 20:29 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-23 20:29 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-23 20:29 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-23 19:06 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-03-23 19:06 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-03-23 19:02 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-23 19:02 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-23 19:01 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-23 19:01 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-23 17:10 . 2008-03-23 17:10 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-23 16:23 . 2008-03-23 20:51 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\WinAmp
2008-03-23 15:28 . 2008-03-23 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 15:14 . 2008-03-23 15:14 146 --a------ C:\WINDOWS\BRVIDEO.INI
2008-03-23 15:14 . 2008-03-23 15:14 40 --a------ C:\WINDOWS\BRDIAG.INI
2008-03-23 15:14 . 2008-03-23 15:14 23 --a------ C:\WINDOWS\Brownie.ini
2008-03-23 15:13 . 2008-03-23 15:13 <DIR> d-------- C:\Program Files\Brownie
2008-03-23 15:13 . 2008-03-23 15:13 <DIR> d-------- C:\Program Files\Brother
2008-03-23 01:32 . 2004-08-04 00:56 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-03-23 01:29 . 2008-03-23 01:29 <DIR> d-------- C:\Program Files\Skype
2008-03-23 01:29 . 2008-03-29 15:07 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\Skype
2008-03-23 01:27 . 2008-03-23 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-03-23 01:18 . 2008-03-23 01:18 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-23 01:11 . 2008-03-23 01:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-03-23 01:03 . 2008-03-23 00:05 <DIR> d-------- C:\Program Files\Broadcom
2008-03-23 01:03 . 2006-11-21 04:25 45,568 --------- C:\WINDOWS\system32\drivers\bcm4sbxp.sys
2008-03-23 01:02 . 2008-03-23 00:15 <DIR> d-------- C:\Program Files\Intel
2008-03-23 01:02 . 2008-03-23 01:02 <DIR> d-------- C:\Intel
2008-03-23 01:01 . 2008-03-23 00:18 <DIR> d-------- C:\Program Files\Dell
2008-03-23 01:00 . 2008-03-23 01:00 <DIR> d-------- C:\Program Files\Digital Line Detect
2008-03-23 01:00 . 2008-03-23 01:00 <DIR> d-------- C:\Documents and Settings\Dragonfly\Application Data\InstallShield
2008-03-22 16:00 . 2008-03-22 16:00 1,580,544 --a------ C:\WINDOWS\system32\sfcfiles.dll
2008-03-22 15:59 . 2007-05-16 18:14 5,707,744 --------- C:\WINDOWS\system32\drivers\igxpmp32.sys
2008-03-22 15:59 . 2008-03-22 15:59 2,556,928 --a------ C:\WINDOWS\system32\igxpdx32.dll
2008-03-22 15:59 . 2008-03-22 15:59 1,612,480 --a------ C:\WINDOWS\system32\igxpdv32.dll
2008-03-22 15:59 . 2007-05-16 18:14 910,304 --a------ C:\WINDOWS\system32\igmedkrn.dll
2008-03-22 15:59 . 2008-03-22 15:59 204,800 --a------ C:\WINDOWS\system32\igfxCoIn_v4831.dll
2008-03-22 15:59 . 2008-03-22 15:59 149,504 --a------ C:\WINDOWS\system32\igxpgd32.dll
2008-03-22 15:59 . 2008-03-22 15:59 57,344 --a------ C:\WINDOWS\system32\igxprd32.dll
2008-03-22 15:59 . 2007-05-16 20:15 25,504 --a------ C:\WINDOWS\system32\igxpxs32.vp
2008-03-22 15:59 . 2007-05-16 16:46 2,096 --a------ C:\WINDOWS\system32\igxpxk32.vp
2008-03-22 15:56 . 2008-03-22 15:56 202,912 --------- C:\WINDOWS\system32\drivers\SynTP.sys
2008-03-22 15:56 . 2008-03-22 15:56 196,608 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-03-22 15:56 . 2008-03-22 15:56 163,840 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-03-22 15:56 . 2008-03-22 15:56 143,360 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-03-22 15:56 . 2008-03-22 15:56 110,592 --a------ C:\WINDOWS\system32\SynTPCo4.dll
2008-03-22 15:55 . 2007-05-10 10:24 1,222,840 --------- C:\WINDOWS\system32\drivers\sthda.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 01:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-23 20:13 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-23 18:23 --------- d--h--w C:\Documents and Settings\Dragonfly\Application Data\GTek
2008-03-23 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Gtek
2008-03-23 05:59 --------- d-----w C:\Program Files\CONEXANT
2008-03-23 05:58 --------- d-----w C:\Program Files\Sigmatel
2008-03-23 05:46 --------- d-----w C:\Documents and Settings\Dragonfly\Application Data\vlc
2008-03-23 05:46 --------- d-----w C:\Documents and Settings\Dragonfly\Application Data\dvdcss
2008-03-23 05:28 --------- d-----w C:\Program Files\Symantec
2008-03-23 05:22 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-23 05:19 5 ------w C:\WINDOWS\system32\drivers\DELL_XPS_Vostro 1500 .MRK
2008-03-23 05:19 5 ------w C:\WINDOWS\system32\drivers\1028_DELL_XPS_Vostro 1500 .MRK
2008-03-23 05:15 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Intel
2008-03-23 05:15 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Intel
2008-03-23 05:15 --------- d-----w C:\Documents and Settings\Dragonfly\Application Data\Intel
2008-03-23 05:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-03-23 05:12 --------- d-----w C:\Documents and Settings\Dragonfly\Application Data\Dell
2008-03-23 05:10 --------- d-----w C:\Program Files\Common Files\Zeepe Framework 7
2008-03-23 05:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Novatel Wireless
2008-03-23 00:14 --------- d-----w C:\Program Files\Synaptics
2008-03-22 20:55 405,504 ----a-w C:\WINDOWS\stsystra.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="E:\Roboform\RoboTaskBarIcon.exe" [2008-03-23 22:31 160592]
"HijackThis startup scan"="E:\HijackThis\HijackThis.exe" [2008-03-30 11:40 396288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-22 15:56 851968]
"systray"="C:\Program Files\Dell\Dell Mobile Broadband\systray.exe" [2007-06-23 14:28 331851]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-22 15:55 405504]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"egui"="E:\ESET\egui.exe" [2008-02-20 11:06 1443072]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 14:01 1037736]
"SpybotSnD"="E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43 5146448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2008-03-23 01:00:26 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 E:\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 17:54 37376 E:\WinAmp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"wltrysvc"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"CiSvc"=3 (0x3)
"WLANKEEPER"=2 (0x2)
"EvtEng"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"Persistence"=C:\WINDOWS\system32\igfxpers.exe
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"NI.UGA6P_0001_N122M2802"="C:\DOCUME~1\DRAGON~1\LOCALS~1\Temp\winvsnet.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2007-06-01 13:57]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2007-05-30 16:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 14:32:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\ESET\ekrn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-30 14:35:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-30 19:35:20
Pre-Run: 34,009,452,544 bytes free
Post-Run: 34,085,556,224 bytes free
 
Latest HT - I think it's ok

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07, on 3/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
E:\ESET\egui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\Roboform\RoboTaskBarIcon.exe
E:\ESET\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
E:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eggs-pysanky.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Roboform\roboform.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "E:\ESET\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpybotSnD] "E:\Spybot - Search & Destroy\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [RoboForm] "E:\Roboform\RoboTaskBarIcon.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - file://E:\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://E:\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Roboform\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1206902494671
O17 - HKLM\System\CCS\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{33B811CA-4458-4EC9-B255-3EC64FCF7EEF}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1358E145-6882-4B59-B489-372E82A183DD}: NameServer = 68.237.161.12,71.250.0.12
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\ESET\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\ESET\ekrn.exe

--
End of file - 5091 bytes
 