"Windows Security Center"



KrisReizer
2008-04-06, 04:00
I was the victim of an infection including smitfraud, zlob, and virtumonde, as well as various rogues. Smitrem and smitfraudfix proved to be ineffective on restart, Rogueremover removed most of the excess programs, superantispyware took care of zlob, and spybot finally managed to get rid of smitfraud and virtumonde. The only thing left, it seems, is an annoying piece of adware that titles itself as "Windows Security Center" and provides links to Ultimate Cleaner and the like. How can I remove this? My HJT log follows.

KrisReizer
2008-04-06, 09:49
Logfile of HijackThis v1.99.1
Scan saved at 7:44:35 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner.lapdawg\Desktop\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~2.CPL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [c4cf0baf] rundll32.exe "C:\WINDOWS\system32\bhuaykje.dll",b
O4 - HKLM\..\Run: [BMc7fc3833] Rundll32.exe "C:\WINDOWS\system32\jiprusqe.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A98DF8F-2E4F-4E88-8E5D-96C6977A4823}: NameServer = 68.94.156.1 68.94.157.1
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddccCTmk - ddccCTmk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winldd32 - winldd32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: ComponentService - {631f7f2d-b799-49c9-b0e9-70ea1e194f22} - C:\WINDOWS\Installer\{631f7f2d-b799-49c9-b0e9-70ea1e194f22}\ComponentService.dll (file missing)
O21 - SSODL: AvpSetup - {895e50c2-aaa2-4747-8e56-f23073f90dbc} - C:\WINDOWS\Installer\{895e50c2-aaa2-4747-8e56-f23073f90dbc}\AvpSetup.dll (file missing)
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~2.CPL
O21 - SSODL: RamKernel - {a5e83139-4d41-4fdf-9a6b-7c6c66d55cc0} - C:\WINDOWS\Installer\{a5e83139-4d41-4fdf-9a6b-7c6c66d55cc0}\RamKernel.dll (file missing)
O21 - SSODL: CDComponent - {3947cb6b-1b3c-471f-bda6-45656f86a359} - C:\WINDOWS\Installer\{3947cb6b-1b3c-471f-bda6-45656f86a359}\CDComponent.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

random/random
2008-04-13, 16:04
First of all, you are using an older version of HijackThis. Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download the HijackThis Installer:

Save HJTInstall.exe to your desktop.
Double-click on HJTInstall.exe to run the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Accept the license agreement by clicking the "I Accept" button.
Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
Click "Save log" to save the log file and then the log will open in Notepad.
Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


You may delete the older version once you have successfully downloaded and installed the latest version of HijackThis v2.0.2.

KrisReizer
2008-04-14, 06:27
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:52 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\explorer.exe
C:\Program Files\GIMPshop\lib\gimp\2.0\plug-ins\script-fu.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner.lapdawg\Desktop\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~2.CPL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKLM\..\Run: [c4cf0baf] rundll32.exe "C:\WINDOWS\system32\bhuaykje.dll",b
O4 - HKLM\..\Run: [BMc7fc3833] Rundll32.exe "C:\WINDOWS\system32\jiprusqe.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [9Zuux9F8B1] C:\WINDOWS\TEMP\win3B0.exe
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A98DF8F-2E4F-4E88-8E5D-96C6977A4823}: NameServer = 68.94.156.1 68.94.157.1
O20 - AppInit_DLLs: iSecurity.cpl
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddccCTmk - ddccCTmk.dll (file missing)
O20 - Winlogon Notify: winldd32 - winldd32.dll (file missing)
O21 - SSODL: ComponentService - {631f7f2d-b799-49c9-b0e9-70ea1e194f22} - C:\WINDOWS\Installer\{631f7f2d-b799-49c9-b0e9-70ea1e194f22}\ComponentService.dll (file missing)
O21 - SSODL: AvpSetup - {895e50c2-aaa2-4747-8e56-f23073f90dbc} - C:\WINDOWS\Installer\{895e50c2-aaa2-4747-8e56-f23073f90dbc}\AvpSetup.dll (file missing)
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - C:\WINDOWS\system32\ISECUR~2.CPL
O21 - SSODL: RamKernel - {a5e83139-4d41-4fdf-9a6b-7c6c66d55cc0} - C:\WINDOWS\Installer\{a5e83139-4d41-4fdf-9a6b-7c6c66d55cc0}\RamKernel.dll (file missing)
O21 - SSODL: CDComponent - {3947cb6b-1b3c-471f-bda6-45656f86a359} - C:\WINDOWS\Installer\{3947cb6b-1b3c-471f-bda6-45656f86a359}\CDComponent.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 8934 bytes

random/random
2008-04-14, 13:35
We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the combofix log and a new HijackThis log as a reply to this topic.

KrisReizer
2008-04-15, 06:39
In reading the instructions, I noticed that the boot disk option for the installation of the recovery console only goes up to XP professional SP 2. I'm running Media Center. What should I do?

random/random
2008-04-15, 12:25
The media centre edition of Windows XP is based upon Windows XP professional, so please use that download.

KrisReizer
2008-04-20, 06:15
ComboFix 08-04-18.3 - Owner 2008-04-19 21:55:02.1 - NTFSx86

Running from: C:\Documents and Settings\Owner.lapdawg\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Austin\Application Data\ultra
C:\Documents and Settings\Austin\Application Data\ultra\uninstall.bat
C:\Documents and Settings\Owner.lapdawg\Desktop\virii
C:\Program Files\iSecurity
C:\Program Files\iSecurity\iSecurity.dat
C:\Program Files\iSecurity\syscleaner.bmp
C:\Program Files\iSecurity\syscleanerinstalled.bmp
C:\Program Files\iSecurity\systemdefender.bmp
C:\Program Files\iSecurity\systemdefenderinstalled.bmp
C:\Program Files\iSecurity\winifixer.bmp
C:\Program Files\iSecurity\winifixerinstalled.bmp
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\BMc7fc3833.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\Installer\{3947cb6b-1b3c-471f-bda6-45656f86a359}\CDComponent.dll
C:\WINDOWS\Installer\{631f7f2d-b799-49c9-b0e9-70ea1e194f22}\ComponentService.dll
C:\WINDOWS\Installer\{895e50c2-aaa2-4747-8e56-f23073f90dbc}\AvpSetup.dll
C:\WINDOWS\Installer\{a5e83139-4d41-4fdf-9a6b-7c6c66d55cc0}\RamKernel.dll
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\PerfInfo
C:\WINDOWS\ppqvmpqr
C:\WINDOWS\ppqvmpqr\1.png
C:\WINDOWS\ppqvmpqr\2.png
C:\WINDOWS\ppqvmpqr\3.png
C:\WINDOWS\ppqvmpqr\4.png
C:\WINDOWS\ppqvmpqr\5.png
C:\WINDOWS\ppqvmpqr\6.png
C:\WINDOWS\ppqvmpqr\bottom-rc.gif
C:\WINDOWS\ppqvmpqr\content.png
C:\WINDOWS\ppqvmpqr\download.gif
C:\WINDOWS\ppqvmpqr\frame-bottom-left.gif
C:\WINDOWS\ppqvmpqr\frame-h1bg.gif
C:\WINDOWS\ppqvmpqr\head.png
C:\WINDOWS\ppqvmpqr\indexuc.html
C:\WINDOWS\ppqvmpqr\indexud.html
C:\WINDOWS\ppqvmpqr\main.css
C:\WINDOWS\ppqvmpqr\net.png
C:\WINDOWS\ppqvmpqr\pc-mag.gif
C:\WINDOWS\ppqvmpqr\pc.gif
C:\WINDOWS\ppqvmpqr\poloska1.png
C:\WINDOWS\ppqvmpqr\poloska2.png
C:\WINDOWS\ppqvmpqr\poloska3.png
C:\WINDOWS\ppqvmpqr\promouc1.html
C:\WINDOWS\ppqvmpqr\promouc2.html
C:\WINDOWS\ppqvmpqr\promouc3.html
C:\WINDOWS\ppqvmpqr\promouc4.html
C:\WINDOWS\ppqvmpqr\promouc5.html
C:\WINDOWS\ppqvmpqr\promoud1.html
C:\WINDOWS\ppqvmpqr\promoud2.html
C:\WINDOWS\ppqvmpqr\promoud3.html
C:\WINDOWS\ppqvmpqr\promoud4.html
C:\WINDOWS\ppqvmpqr\promoud5.html
C:\WINDOWS\ppqvmpqr\reg.png
C:\WINDOWS\ppqvmpqr\repair.png
C:\WINDOWS\ppqvmpqr\scr-1.png
C:\WINDOWS\ppqvmpqr\scr-2.png
C:\WINDOWS\ppqvmpqr\styles.css
C:\WINDOWS\ppqvmpqr\Thumbs.db
C:\WINDOWS\ppqvmpqr\top-rc.gif
C:\WINDOWS\ppqvmpqr\vline.gif
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ajebjjdx.ini
C:\WINDOWS\system32\bLnorBeg.ini
C:\WINDOWS\system32\bLnorBeg.ini2
C:\WINDOWS\system32\blwjvwjj.ini
C:\WINDOWS\system32\cbXqolME.dll
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\cfhkj.tmp
C:\WINDOWS\system32\cvbmpwlu.ini
C:\WINDOWS\system32\cylqroef.ini
C:\WINDOWS\system32\dbxkbafk.ini
C:\WINDOWS\system32\ebaxgceh.ini
C:\WINDOWS\system32\ejkyauhb.ini
C:\WINDOWS\system32\fanjpkns.ini
C:\WINDOWS\system32\FNpYaccf.ini
C:\WINDOWS\system32\FNpYaccf.ini2
C:\WINDOWS\system32\fpixxdin.ini
C:\WINDOWS\system32\gbtkwebs.ini
C:\WINDOWS\system32\gbvuhbqb.ini
C:\WINDOWS\system32\gmfvrmhg.ini
C:\WINDOWS\system32\gwdfrsts.ini
C:\WINDOWS\system32\gyhrenod.ini
C:\WINDOWS\system32\hhdncpdr.ini
C:\WINDOWS\system32\icbnsmdp.ini
C:\WINDOWS\system32\ifpyfpqd.ini
C:\WINDOWS\system32\irhirxfe.ini
C:\WINDOWS\system32\iSecurity.cpl
C:\WINDOWS\system32\jcdsksge.ini
C:\WINDOWS\system32\jcmpdnvp.ini
C:\WINDOWS\system32\jjomcmct.ini
C:\WINDOWS\system32\kUwHjRqr.ini
C:\WINDOWS\system32\kUwHjRqr.ini2
C:\WINDOWS\system32\lbqdvnfy.ini
C:\WINDOWS\system32\lcduodhn.ini
C:\WINDOWS\system32\ljdxlpdy.ini
C:\WINDOWS\system32\ndaTqsVqrX.dll
C:\WINDOWS\system32\neneyjso.ini
C:\WINDOWS\system32\nhjjajab.ini
C:\WINDOWS\system32\nibmiiys.ini
C:\WINDOWS\system32\nnnNGXqO.dll
C:\WINDOWS\system32\npbrhqiy.ini
C:\WINDOWS\system32\nqwdkfoy.ini
C:\WINDOWS\system32\nvirqgvf.ini
C:\WINDOWS\system32\ofepxiic.ini
C:\WINDOWS\system32\olvnenxa.ini
C:\WINDOWS\system32\opnooNfC.dll
C:\WINDOWS\system32\othqitbw.ini
C:\WINDOWS\system32\pdixgxot.ini
C:\WINDOWS\system32\phccqvnb.ini
C:\WINDOWS\system32\psahachn.ini
C:\WINDOWS\system32\qqkgrevq.ini
C:\WINDOWS\system32\qwwcijpq.ini
C:\WINDOWS\system32\rfsgfntr.ini
C:\WINDOWS\system32\rgmilwlw.ini
C:\WINDOWS\system32\rosahpny.ini
C:\WINDOWS\system32\saokhhyh.ini
C:\WINDOWS\system32\skjivkgr.ini
C:\WINDOWS\system32\ssqRjHab.dll
C:\WINDOWS\system32\tjgactya.ini
C:\WINDOWS\system32\uncertou.ini
C:\WINDOWS\system32\upxcfejj.ini
C:\WINDOWS\system32\urqQjjig.dll
C:\WINDOWS\system32\vlbbwyyv.ini
C:\WINDOWS\system32\wkobduhm.ini
C:\WINDOWS\system32\xnqajkwr.ini
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Legacy_NTLOAD


((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-15 20:32 . 2008-04-15 20:32 <DIR> d-------- C:\Program Files\Blender Foundation
2008-04-15 20:32 . 2008-04-15 20:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 20:32 . 2008-04-15 20:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-13 20:57 . 2008-04-13 21:19 <DIR> d-------- C:\Documents and Settings\Owner.lapdawg\.gimp-2.4
2008-04-13 20:56 . 2008-04-13 20:56 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-04-09 18:39 . 2008-04-09 18:41 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-06 14:37 . 2007-12-29 15:50 6,854,656 --a--c--- C:\hellgate_sp_dx9_x86.exe
2008-04-04 20:47 . 2008-04-04 20:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-04 20:47 . 2008-04-05 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-04 00:07 . 2008-04-04 00:52 <DIR> d-------- C:\Program Files\DominateGame
2008-04-02 00:35 . 2008-04-02 22:18 <DIR> d-------- C:\Program Files\Rheingold3D
2008-04-01 21:40 . 2008-04-01 21:40 <DIR> d-------- C:\Program Files\Uniblue
2008-04-01 20:23 . 2008-04-01 20:24 1,600,027 ---hs---- C:\WINDOWS\system32\qpbmkhyq.ini
2008-04-01 09:21 . 2008-04-01 09:21 3,914 --a------ C:\WINDOWS\system32\ofxihahf.dll
2008-04-01 09:18 . 2008-04-01 09:18 3,914 --a------ C:\WINDOWS\system32\fsnadiof.dll
2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Documents and Settings\Owner.lapdawg\Application Data\SUPERAntiSpyware.com
2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-31 23:19 . 2008-03-31 23:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 21:28 . 2008-04-04 17:59 4,678 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-31 21:25 . 2008-03-31 21:25 18,944 --a------ C:\WINDOWS\system32\drvbin.dll
2008-03-30 23:40 . 2008-03-30 23:40 3,914 --a------ C:\WINDOWS\system32\uobdtxlj.dll
2008-03-30 23:37 . 2008-03-30 23:37 3,914 --a------ C:\WINDOWS\system32\euuwkpkc.dll
2008-03-30 00:32 . 2008-03-30 00:32 18,944 --a------ C:\WINDOWS\system32\drvsew.dll
2008-03-29 23:35 . 2008-03-31 23:28 1,584,057 ---hs---- C:\WINDOWS\system32\tkhwjyrg.ini
2008-03-29 22:39 . 2008-04-01 18:04 <DIR> d----c--- C:\!KillBox
2008-03-29 21:11 . 2008-03-29 21:11 18,944 --a------ C:\WINDOWS\system32\drvses.dll
2008-03-29 20:23 . 2008-03-29 20:24 <DIR> d-------- C:\Program Files\DancingGorilla
2008-03-29 18:51 . 2008-03-29 18:51 <DIR> d----c--- C:\67597b168ad9622978893c1ec50d8205
2008-03-29 17:18 . 2008-03-29 17:18 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-29 17:06 . 2008-03-29 18:41 1,583,937 ---hs---- C:\WINDOWS\system32\uluetamf.ini
2008-03-29 16:59 . 2008-03-29 16:59 4,096 --a------ C:\Documents and Settings\Owner.lapdawg\Desktop\Trojan.Win32.BlackBird.exe
2008-03-29 15:34 . 2008-03-29 16:59 1,583,697 ---hs---- C:\WINDOWS\system32\tmwphuqu.ini
2008-03-29 15:01 . 2008-03-29 15:04 1,583,637 ---hs---- C:\WINDOWS\system32\sdeqfofe.ini
2008-03-29 14:53 . 2008-04-01 18:04 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-29 01:40 . 2008-03-30 21:08 <DIR> d-------- C:\FLEXLM
2008-03-29 01:37 . 2008-03-29 01:37 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-27 21:18 . 2008-03-27 21:18 124,928 --ahs---- C:\WINDOWS\system32\iSecurity(2).cpl
2008-03-23 18:06 . 2008-04-13 20:54 <DIR> d-------- C:\Program Files\GIMPshop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 02:56 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\.purple
2008-04-15 12:35 27,588 ----a-w C:\Documents and Settings\Owner.lapdawg\Application Data\wklnhst.dat
2008-04-15 04:38 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\gtk-2.0
2008-04-02 00:45 --------- d-----w C:\Program Files\twbwzijk
2008-03-30 05:37 --------- d-----w C:\Program Files\Diablo II
2008-03-30 01:56 --------- d-----w C:\Program Files\StepMania
2008-03-29 22:08 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-29 06:39 --------- d-----w C:\Program Files\AviCreator 1.5
2008-03-29 06:38 --------- d-----w C:\Program Files\Steam
2008-03-02 00:03 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\Template
2008-02-28 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 04:04 --------- d-----w C:\Program Files\Zone Labs
2008-02-28 04:04 --------- d-----w C:\Program Files\Pure Networks
2008-02-28 04:04 --------- d-----w C:\Program Files\NibblesRHS
2008-02-28 04:04 --------- d-----w C:\Program Files\IMVU
2008-02-28 04:04 --------- d-----w C:\Program Files\Elaborate Bytes
2008-02-28 04:03 --------- d-----w C:\Program Files\Xfire
2008-02-23 22:19 --------- d-----w C:\Program Files\Finale NotePad 2007
2007-11-23 18:02 24,249 ----a-w C:\Documents and Settings\Owner.lapdawg\Application Data\info.dat
2007-05-06 02:22 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-09-15 19:22 66,936 --sha-w C:\WINDOWS\dlinfo_0.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 15:49 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 17:10 4662776]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 12:20 413696 C:\WINDOWS\stsystra.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 21:22 573440]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 20:18 151552]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 00:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 21:22 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 16:26 212992]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 12:26 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 18:16 1121792]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 14:49 163840]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-27 19:17 999424]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-26 18:03 98304]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 14:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 14:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00 455168]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-09-26 18:02 26112]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-08-19 01:01 190024]
"c4cf0baf"="C:\WINDOWS\system32\bhuaykje.dll" [ ]
"BMc7fc3833"="C:\WINDOWS\system32\jiprusqe.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"9Zuux9F8B1"= C:\WINDOWS\TEMP\win3B0.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccCTmk]
ddccCTmk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winldd32]
winldd32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\TEMP\win1A.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-07 18:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc7fc3833]
C:\WINDOWS\system32\qsoljkfr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bqratsvc]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\bqratsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4cf0baf]
C:\WINDOWS\system32\feorqlyc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 14:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-29 10:09 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\khuzqdmv]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\khuzqdmv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\klahizuf]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\klahizuf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDisp32]
--a------ 2008-02-06 00:17 15872 C:\WINDOWS\system32\drvbuj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDrive]
C:\WINDOWS\system32\drvgan.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-26 18:03 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twbwzijk]
C:\Program Files\twbwzijk\pgtahqvk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-10-24 17:10 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Diablo\\diablo.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\BYOND\\bin\\byond.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24686:TCP"= 24686:TCP:BitTorrent
"5738:TCP"= 5738:TCP:vbalink
"4664:TCP"= 4664:TCP:EMule
"4674:UDP"= 4674:UDP:Emule0


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 22:01:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\VSO\McShield.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\McAfee\SpamKiller\MSKAgent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-19 22:06:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 03:06:27

Pre-Run: 56,224,247,808 bytes free
Post-Run: 56,089,899,008 bytes free

407 --- E O F --- 2008-04-10 08:01:48

KrisReizer
2008-04-20, 06:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:35 PM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.lapdawg\Desktop\Security\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [c4cf0baf] rundll32.exe "C:\WINDOWS\system32\bhuaykje.dll",b
O4 - HKLM\..\Run: [BMc7fc3833] Rundll32.exe "C:\WINDOWS\system32\jiprusqe.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [9Zuux9F8B1] C:\WINDOWS\TEMP\win3B0.exe
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A98DF8F-2E4F-4E88-8E5D-96C6977A4823}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddccCTmk - ddccCTmk.dll (file missing)
O20 - Winlogon Notify: winldd32 - winldd32.dll (file missing)
O21 - SSODL: ComponentService - {631f7f2d-b799-49c9-b0e9-70ea1e194f22} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 8170 bytes

KrisReizer
2008-04-20, 06:19
I would like to explain that the reason I did not install the recovery console is that I do not have a floppy drive with which to create the boot disk. Also, ComboFix has removed the issue, but I receive a popup from DUNDLL saying that a module cannot be found.

random/random
2008-04-20, 13:09
Right click here (http://downloads.subratam.org/ResetTeaTimer.bat) and click save link as
Save it as resetteatimer.bat to your desktop

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Double click on resetteatimer.bat and wait for it to finish


Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

File::
C:\WINDOWS\system32\qpbmkhyq.ini
C:\WINDOWS\system32\ofxihahf.dll
C:\WINDOWS\system32\fsnadiof.dll
C:\WINDOWS\system32\drvbin.dll
C:\WINDOWS\system32\uobdtxlj.dll
C:\WINDOWS\system32\euuwkpkc.dll
C:\WINDOWS\system32\drvsew.dll
C:\WINDOWS\system32\tkhwjyrg.ini
C:\WINDOWS\system32\drvses.dll
C:\Documents and Settings\Owner.lapdawg\DesktopTrojan.Win32.BlackBird.exe
C:\WINDOWS\system32\tmwphuqu.ini
C:\WINDOWS\system32\sdeqfofe.ini
C:\WINDOWS\system32\iSecurity(2).cpl
C:\WINDOWS\system32\drvbuj.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c4cf0baf"=-
"BMc7fc3833"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccCTmk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winldd32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc7fc3833]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bqratsvc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4cf0baf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\khuzqdmv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\klahizuf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDisp32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDrive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twbwzijk]

Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
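
As an added illustration, not part of this thread and not code from HijackThis, ComboFix or the helper, the Python below applies the triage rules the script above rests on to a few lines copied from the HijackThis log posted earlier: rundll32 entries loading randomly named DLLs from system32, a policy-enforced autorun pointing into TEMP, Winlogon Notify DLLs that have no path or are already missing, and an orphaned SSODL entry. It then turns the flagged HKLM Run values into the `"name"=-` deletion lines in the same Registry:: form the CFScript above uses. The regular expressions, the "8 lowercase letters" heuristic and the section names are my assumptions, not rules HijackThis itself applies.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus two benign entries (SynTPLpr, QuickTime) so the triage has something to ignore.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [c4cf0baf] rundll32.exe "C:\WINDOWS\system32\bhuaykje.dll",b
O4 - HKLM\..\Run: [BMc7fc3833] Rundll32.exe "C:\WINDOWS\system32\jiprusqe.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [9Zuux9F8B1] C:\WINDOWS\TEMP\win3B0.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddccCTmk - ddccCTmk.dll (file missing)
O20 - Winlogon Notify: winldd32 - winldd32.dll (file missing)
O21 - SSODL: ComponentService - {631f7f2d-b799-49c9-b0e9-70ea1e194f22} - (no file)
"""

# Assumed line shapes for the three HijackThis sections this example looks at.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$')
O21_RE = re.compile(r'^O21 - SSODL: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$')

# Heuristic (my assumption): rundll32 loading a DLL whose base name is eight
# lowercase letters and calling a one-character export, as the log above shows.
RUNDLL_RANDOM_RE = re.compile(
    r'^(?i:rundll32\.exe)\s+"?(?:[A-Za-z]:\\[^"]*\\)?([a-z]{8})\.dll"?,\w$')


def triage(hjt_text):
    """Return (line, reason) pairs for entries a helper would want removed."""
    findings = []
    for line in hjt_text.strip().splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group('cmd')
            if RUNDLL_RANDOM_RE.match(cmd):
                findings.append((line, 'rundll32 loading a randomly named DLL'))
            elif 'Policies\\Explorer\\Run' in m.group('hive') and '\\TEMP\\' in cmd.upper():
                findings.append((line, 'policy-enforced autorun pointing into TEMP'))
            continue
        m = O20_RE.match(line)
        if m:
            target = m.group('target')
            # A Notify DLL given without a directory, or already gone, is not how
            # legitimate packages register; the one with a full path is left alone.
            if '(file missing)' in target or '\\' not in target:
                findings.append((line, 'Winlogon Notify DLL without a path or missing'))
            continue
        m = O21_RE.match(line)
        if m and '(no file)' in m.group('target'):
            findings.append((line, 'orphaned ShellServiceObjectDelayLoad entry'))
    return findings


def run_value_removals(findings):
    """Build the '"name"=-' lines used under a CFScript Registry:: section to
    delete the flagged values from HKLM\\..\\Run (same form as the script above)."""
    removals = []
    for line, _reason in findings:
        m = O4_RE.match(line)
        if m and m.group('hive') == 'HKLM\\..\\Run':
            removals.append('"%s"=-' % m.group('name'))
    return removals


if __name__ == '__main__':
    found = triage(SAMPLE_HJT)
    for line, reason in found:
        print('%-45s <- %s' % (reason, line))
    print('Registry::')
    print(r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]')
    print('\n'.join(run_value_removals(found)))
```

The two benign lines pass through untouched, which is the point of keeping the rules narrow: a helper reads every remaining entry by hand rather than deleting on a pattern match alone.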

KrisReizer
2008-04-22, 04:21
ComboFix 08-04-18.3 - Owner 2008-04-21 0:31:47.2 - NTFSx86

Running from: C:\Documents and Settings\Owner.lapdawg\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.lapdawg\Desktop\CFscript.txt
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Owner.lapdawg\DesktopTrojan.Win32.BlackBird.exe
C:\WINDOWS\system32\drvbin.dll
C:\WINDOWS\system32\drvbuj.dll
C:\WINDOWS\system32\drvses.dll
C:\WINDOWS\system32\drvsew.dll
C:\WINDOWS\system32\euuwkpkc.dll
C:\WINDOWS\system32\fsnadiof.dll
C:\WINDOWS\system32\iSecurity(2).cpl
C:\WINDOWS\system32\ofxihahf.dll
C:\WINDOWS\system32\qpbmkhyq.ini
C:\WINDOWS\system32\sdeqfofe.ini
C:\WINDOWS\system32\tkhwjyrg.ini
C:\WINDOWS\system32\tmwphuqu.ini
C:\WINDOWS\system32\uobdtxlj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Austin\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Owner.lapdawg\DesktopTrojan.Win32.BlackBird.exe
C:\WINDOWS\b.exe
C:\WINDOWS\system32\aapbljco.dllbox
C:\WINDOWS\system32\drvbin.dll
C:\WINDOWS\system32\drvbuj.dll
C:\WINDOWS\system32\drvses.dll
C:\WINDOWS\system32\drvsew.dll
C:\WINDOWS\system32\euuwkpkc.dll
C:\WINDOWS\system32\fsnadiof.dll
C:\WINDOWS\system32\iSecurity(2).cpl
C:\WINDOWS\system32\ofxihahf.dll
C:\WINDOWS\system32\qpbmkhyq.ini
C:\WINDOWS\system32\reipcole.dllbox
C:\WINDOWS\system32\sdeqfofe.ini
C:\WINDOWS\system32\tkhwjyrg.ini
C:\WINDOWS\system32\tmwphuqu.ini
C:\WINDOWS\system32\uobdtxlj.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-15 20:32 . 2008-04-15 20:32 <DIR> d-------- C:\Program Files\Blender Foundation
2008-04-15 20:32 . 2008-04-15 20:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 20:32 . 2008-04-15 20:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-13 20:57 . 2008-04-13 21:19 <DIR> d-------- C:\Documents and Settings\Owner.lapdawg\.gimp-2.4
2008-04-13 20:56 . 2008-04-13 20:56 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-04-09 18:39 . 2008-04-09 18:41 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-06 14:37 . 2007-12-29 15:50 6,854,656 --a--c--- C:\hellgate_sp_dx9_x86.exe
2008-04-04 20:47 . 2008-04-04 20:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-04 20:47 . 2008-04-05 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-04 00:07 . 2008-04-04 00:52 <DIR> d-------- C:\Program Files\DominateGame
2008-04-02 00:35 . 2008-04-02 22:18 <DIR> d-------- C:\Program Files\Rheingold3D
2008-04-01 21:40 . 2008-04-01 21:40 <DIR> d-------- C:\Program Files\Uniblue
2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Documents and Settings\Owner.lapdawg\Application Data\SUPERAntiSpyware.com
2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-31 23:19 . 2008-03-31 23:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 21:28 . 2008-04-04 17:59 4,678 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-29 22:39 . 2008-04-01 18:04 <DIR> d----c--- C:\!KillBox
2008-03-29 20:23 . 2008-03-29 20:24 <DIR> d-------- C:\Program Files\DancingGorilla
2008-03-29 18:51 . 2008-03-29 18:51 <DIR> d----c--- C:\67597b168ad9622978893c1ec50d8205
2008-03-29 17:18 . 2008-03-29 17:18 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-29 17:06 . 2008-03-29 18:41 1,583,937 ---hs---- C:\WINDOWS\system32\uluetamf.ini
2008-03-29 14:53 . 2008-04-01 18:04 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-29 01:40 . 2008-03-30 21:08 <DIR> d-------- C:\FLEXLM
2008-03-29 01:37 . 2008-03-29 01:37 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-03-23 18:06 . 2008-04-13 20:54 <DIR> d-------- C:\Program Files\GIMPshop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 05:30 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\.purple
2008-04-15 12:35 27,588 ----a-w C:\Documents and Settings\Owner.lapdawg\Application Data\wklnhst.dat
2008-04-15 04:38 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\gtk-2.0
2008-04-02 00:45 --------- d-----w C:\Program Files\twbwzijk
2008-03-30 05:37 --------- d-----w C:\Program Files\Diablo II
2008-03-30 04:08 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-03-30 01:56 --------- d-----w C:\Program Files\StepMania
2008-03-29 22:08 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-29 06:39 --------- d-----w C:\Program Files\AviCreator 1.5
2008-03-29 06:38 --------- d-----w C:\Program Files\Steam
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-03 05:10 3,914 ----a-w C:\WINDOWS\system32\oupebkba.dll
2008-03-03 03:45 3,914 ----a-w C:\WINDOWS\system32\qrocarsh.dll
2008-03-03 03:42 3,914 ----a-w C:\WINDOWS\system32\fkifbopc.dll
2008-03-02 00:55 3,914 ----a-w C:\WINDOWS\system32\kjnyscxm.dll
2008-03-02 00:03 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\Template
2008-03-01 23:02 3,914 ----a-w C:\WINDOWS\system32\xniqglax.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-29 02:38 3,914 ----a-w C:\WINDOWS\system32\gaopbgwk.dll
2008-02-28 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 04:04 --------- d-----w C:\Program Files\Zone Labs
2008-02-28 04:04 --------- d-----w C:\Program Files\Pure Networks
2008-02-28 04:04 --------- d-----w C:\Program Files\NibblesRHS
2008-02-28 04:04 --------- d-----w C:\Program Files\IMVU
2008-02-28 04:04 --------- d-----w C:\Program Files\Elaborate Bytes
2008-02-28 04:03 --------- d-----w C:\Program Files\Xfire
2008-02-25 05:39 1,254,203 --sh--w C:\WINDOWS\system32\khebsjfd.tmp
2008-02-23 22:19 --------- d-----w C:\Program Files\Finale NotePad 2007
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-09 19:31 3,914 ----a-w C:\WINDOWS\system32\arkvjprd.dll
2008-02-09 03:11 3,914 ----a-w C:\WINDOWS\system32\atibnave.dll
2008-02-09 03:04 3,914 ----a-w C:\WINDOWS\system32\lmjujhsl.dll
2008-02-08 22:53 3,914 ----a-w C:\WINDOWS\system32\cpwvboin.dll
2008-02-08 01:34 3,914 ----a-w C:\WINDOWS\system32\shrnnexq.dll
2008-02-08 01:29 3,914 ----a-w C:\WINDOWS\system32\bbeprnfd.dll
2008-02-07 22:03 3,914 ----a-w C:\WINDOWS\system32\pakstvuh.dll
2008-02-07 22:00 3,914 ----a-w C:\WINDOWS\system32\njtnuavw.dll
2008-02-07 21:58 3,914 ----a-w C:\WINDOWS\system32\srjsdgmf.dll
2008-02-06 05:49 3,914 ----a-w C:\WINDOWS\system32\siunxjcm.dll
2008-02-05 00:27 3,914 ----a-w C:\WINDOWS\system32\bwfysvfe.dll
2008-02-03 19:42 15,872 ----a-w C:\WINDOWS\system32\drvxek.dll
2008-02-03 04:26 3,914 ----a-w C:\WINDOWS\system32\uyowxgjh.dll
2008-01-29 01:12 3,914 ----a-w C:\WINDOWS\system32\quwveaah.dll
2008-01-24 18:22 3,914 ----a-w C:\WINDOWS\system32\jockwyhw.dll
2008-01-24 18:19 3,914 ----a-w C:\WINDOWS\system32\aykcwrla.dll
2008-01-24 01:49 3,914 ----a-w C:\WINDOWS\system32\ahayujdh.dll
2008-01-22 01:55 3,914 ----a-w C:\WINDOWS\system32\scaysbwy.dll
2008-01-22 01:34 3,914 ----a-w C:\WINDOWS\system32\kceqtxix.dll
2008-01-22 01:34 3,914 ----a-w C:\WINDOWS\system32\hskmcfwi.dll
2008-01-22 01:31 3,914 ----a-w C:\WINDOWS\system32\sgeweblo.dll
2007-11-23 18:02 24,249 ----a-w C:\Documents and Settings\Owner.lapdawg\Application Data\info.dat
2007-05-06 02:22 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-09-15 19:22 66,936 --sha-w C:\WINDOWS\dlinfo_0.drv
.

((((((((((((((((((((((((((((( snapshot@2008-04-19_22.06.00.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 03:00:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-21 04:02:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 15:49 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 17:10 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 12:20 413696 C:\WINDOWS\stsystra.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 21:22 573440]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 20:18 151552]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 00:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 21:22 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 16:26 212992]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 12:26 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 18:16 1121792]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 14:49 163840]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-27 19:17 999424]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-26 18:03 98304]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 14:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 14:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00 455168]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-09-26 18:02 26112]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-08-19 01:01 190024]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-07 18:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 14:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-29 10:09 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-26 18:03 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-10-24 17:10 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Diablo\\diablo.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\BYOND\\bin\\byond.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24686:TCP"= 24686:TCP:BitTorrent
"5738:TCP"= 5738:TCP:vbalink
"4664:TCP"= 4664:TCP:EMule
"4674:UDP"= 4674:UDP:Emule0


*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 00:35:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-21 0:37:02
ComboFix-quarantined-files.txt 2008-04-21 05:36:55
ComboFix2.txt 2008-04-20 03:06:33

Pre-Run: 57,186,988,032 bytes free
Post-Run: 57,169,408,000 bytes free

231 --- E O F --- 2008-04-10 08:01:48

KrisReizer
2008-04-22, 04:21
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:33 AM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.lapdawg\Desktop\Security\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: ComponentService - {631f7f2d-b799-49c9-b0e9-70ea1e194f22} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 7217 bytes

random/random
2008-04-22, 19:51
Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).

O21 - SSODL: ComponentService - {631f7f2d-b799-49c9-b0e9-70ea1e194f22} - (no file)

Then close all windows except HijackThis and click Fix Checked.


Open a new Notepad window (Start > All Programs > Accessories > Notepad).
Highlight the contents of the codebox below and then press Ctrl+C to copy it to the clipboard.

File::
C:\WINDOWS\system32\uluetamf.ini
C:\WINDOWS\system32\oupebkba.dll
C:\WINDOWS\system32\qrocarsh.dll
C:\WINDOWS\system32\fkifbopc.dll
C:\WINDOWS\system32\kjnyscxm.dll
C:\WINDOWS\system32\xniqglax.dll
C:\WINDOWS\system32\gaopbgwk.dll
C:\WINDOWS\system32\khebsjfd.tmp
C:\WINDOWS\system32\arkvjprd.dll
C:\WINDOWS\system32\atibnave.dll
C:\WINDOWS\system32\lmjujhsl.dll
C:\WINDOWS\system32\cpwvboin.dll
C:\WINDOWS\system32\shrnnexq.dll
C:\WINDOWS\system32\bbeprnfd.dll
C:\WINDOWS\system32\pakstvuh.dll
C:\WINDOWS\system32\njtnuavw.dll
C:\WINDOWS\system32\srjsdgmf.dll
C:\WINDOWS\system32\siunxjcm.dll
C:\WINDOWS\system32\bwfysvfe.dll
C:\WINDOWS\system32\drvxek.dll
C:\WINDOWS\system32\uyowxgjh.dll
C:\WINDOWS\system32\quwveaah.dll
C:\WINDOWS\system32\jockwyhw.dll
C:\WINDOWS\system32\aykcwrla.dll
C:\WINDOWS\system32\ahayujdh.dll
C:\WINDOWS\system32\scaysbwy.dll
C:\WINDOWS\system32\kceqtxix.dll
C:\WINDOWS\system32\hskmcfwi.dll
C:\WINDOWS\system32\sgeweblo.dll
Folder::
C:\Program Files\twbwzijk

Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit > Paste.
Save it to the desktop as CFscript.txt.
Now drag and drop CFscript.txt onto ComboFix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

KrisReizer
2008-04-24, 01:07
ComboFix 08-04-18.3 - Owner 2008-04-22 23:41:58.3 - NTFSx86

Running from: C:\Documents and Settings\Owner.lapdawg\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.lapdawg\Desktop\CFscript.txt
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\ahayujdh.dll
C:\WINDOWS\system32\arkvjprd.dll
C:\WINDOWS\system32\atibnave.dll
C:\WINDOWS\system32\aykcwrla.dll
C:\WINDOWS\system32\bbeprnfd.dll
C:\WINDOWS\system32\bwfysvfe.dll
C:\WINDOWS\system32\cpwvboin.dll
C:\WINDOWS\system32\drvxek.dll
C:\WINDOWS\system32\fkifbopc.dll
C:\WINDOWS\system32\gaopbgwk.dll
C:\WINDOWS\system32\hskmcfwi.dll
C:\WINDOWS\system32\jockwyhw.dll
C:\WINDOWS\system32\kceqtxix.dll
C:\WINDOWS\system32\khebsjfd.tmp
C:\WINDOWS\system32\kjnyscxm.dll
C:\WINDOWS\system32\lmjujhsl.dll
C:\WINDOWS\system32\njtnuavw.dll
C:\WINDOWS\system32\oupebkba.dll
C:\WINDOWS\system32\pakstvuh.dll
C:\WINDOWS\system32\qrocarsh.dll
C:\WINDOWS\system32\quwveaah.dll
C:\WINDOWS\system32\scaysbwy.dll
C:\WINDOWS\system32\sgeweblo.dll
C:\WINDOWS\system32\shrnnexq.dll
C:\WINDOWS\system32\siunxjcm.dll
C:\WINDOWS\system32\srjsdgmf.dll
C:\WINDOWS\system32\uluetamf.ini
C:\WINDOWS\system32\uyowxgjh.dll
C:\WINDOWS\system32\xniqglax.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ahayujdh.dll
C:\WINDOWS\system32\arkvjprd.dll
C:\WINDOWS\system32\atibnave.dll
C:\WINDOWS\system32\aykcwrla.dll
C:\WINDOWS\system32\bbeprnfd.dll
C:\WINDOWS\system32\bwfysvfe.dll
C:\WINDOWS\system32\cpwvboin.dll
C:\WINDOWS\system32\drvxek.dll
C:\WINDOWS\system32\fkifbopc.dll
C:\WINDOWS\system32\gaopbgwk.dll
C:\WINDOWS\system32\hskmcfwi.dll
C:\WINDOWS\system32\jockwyhw.dll
C:\WINDOWS\system32\kceqtxix.dll
C:\WINDOWS\system32\khebsjfd.tmp
C:\WINDOWS\system32\kjnyscxm.dll
C:\WINDOWS\system32\lmjujhsl.dll
C:\WINDOWS\system32\njtnuavw.dll
C:\WINDOWS\system32\oupebkba.dll
C:\WINDOWS\system32\pakstvuh.dll
C:\WINDOWS\system32\qrocarsh.dll
C:\WINDOWS\system32\quwveaah.dll
C:\WINDOWS\system32\scaysbwy.dll
C:\WINDOWS\system32\sgeweblo.dll
C:\WINDOWS\system32\shrnnexq.dll
C:\WINDOWS\system32\siunxjcm.dll
C:\WINDOWS\system32\srjsdgmf.dll
C:\WINDOWS\system32\uluetamf.ini
C:\WINDOWS\system32\uyowxgjh.dll
C:\WINDOWS\system32\xniqglax.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-15 20:32 . 2008-04-15 20:32 <DIR> d-------- C:\Program Files\Blender Foundation
2008-04-15 20:32 . 2008-04-21 20:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-15 20:32 . 2008-04-15 20:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-13 20:57 . 2008-04-22 02:25 <DIR> d-------- C:\Documents and Settings\Owner.lapdawg\.gimp-2.4
2008-04-13 20:56 . 2008-04-13 20:56 <DIR> d-------- C:\Program Files\GIMP-2.0
2008-04-09 18:39 . 2008-04-09 18:41 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-06 14:37 . 2007-12-29 15:50 6,854,656 --a--c--- C:\hellgate_sp_dx9_x86.exe
2008-04-04 20:47 . 2008-04-04 20:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-04 20:47 . 2008-04-05 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-04 00:07 . 2008-04-04 00:52 <DIR> d-------- C:\Program Files\DominateGame
2008-04-02 00:35 . 2008-04-02 22:18 <DIR> d-------- C:\Program Files\Rheingold3D
2008-04-01 21:40 . 2008-04-01 21:40 <DIR> d-------- C:\Program Files\Uniblue
2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Documents and Settings\Owner.lapdawg\Application Data\SUPERAntiSpyware.com
2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-31 23:19 . 2008-03-31 23:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 21:28 . 2008-04-04 17:59 4,678 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-29 22:39 . 2008-04-01 18:04 <DIR> d----c--- C:\!KillBox
2008-03-29 20:23 . 2008-03-29 20:24 <DIR> d-------- C:\Program Files\DancingGorilla
2008-03-29 18:51 . 2008-03-29 18:51 <DIR> d----c--- C:\67597b168ad9622978893c1ec50d8205
2008-03-29 17:18 . 2008-03-29 17:18 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-03-29 14:53 . 2008-04-01 18:04 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-29 01:40 . 2008-03-30 21:08 <DIR> d-------- C:\FLEXLM
2008-03-23 18:06 . 2008-04-13 20:54 <DIR> d-------- C:\Program Files\GIMPshop

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 02:02 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\.purple
2008-04-22 21:59 27,588 ----a-w C:\Documents and Settings\Owner.lapdawg\Application Data\wklnhst.dat
2008-04-22 07:00 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\gtk-2.0
2008-04-21 05:40 --------- d-----w C:\Program Files\StepMania
2008-03-30 05:37 --------- d-----w C:\Program Files\Diablo II
2008-03-30 04:08 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-03-29 22:08 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-29 06:39 --------- d-----w C:\Program Files\AviCreator 1.5
2008-03-29 06:38 --------- d-----w C:\Program Files\Steam
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-02 00:03 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\Template
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-28 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-28 04:04 --------- d-----w C:\Program Files\Zone Labs
2008-02-28 04:04 --------- d-----w C:\Program Files\Pure Networks
2008-02-28 04:04 --------- d-----w C:\Program Files\NibblesRHS
2008-02-28 04:04 --------- d-----w C:\Program Files\IMVU
2008-02-28 04:04 --------- d-----w C:\Program Files\Elaborate Bytes
2008-02-28 04:03 --------- d-----w C:\Program Files\Xfire
2008-02-23 22:19 --------- d-----w C:\Program Files\Finale NotePad 2007
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-11-23 18:02 24,249 ----a-w C:\Documents and Settings\Owner.lapdawg\Application Data\info.dat
2007-05-06 02:22 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-09-15 19:22 66,936 --sha-w C:\WINDOWS\dlinfo_0.drv
.

((((((((((((((((((((((((((((( snapshot@2008-04-19_22.06.00.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-20 03:00:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 02:06:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 15:49 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-24 17:10 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47 688218]
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 12:20 413696 C:\WINDOWS\stsystra.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 21:22 573440]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 20:18 151552]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 00:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 21:22 303104]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 16:26 212992]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 12:26 110592]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 18:16 1121792]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 14:49 163840]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-27 19:17 999424]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-26 18:03 98304]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 14:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 14:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00 455168]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-09-26 18:02 26112]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-08-19 01:01 190024]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-07 18:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 14:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-29 10:09 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-26 18:03 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-10-24 17:10 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Diablo\\diablo.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\BYOND\\bin\\byond.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24686:TCP"= 24686:TCP:BitTorrent
"5738:TCP"= 5738:TCP:vbalink
"4664:TCP"= 4664:TCP:EMule
"4674:UDP"= 4674:UDP:Emule0


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 23:45:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-22 23:46:27
ComboFix-quarantined-files.txt 2008-04-23 04:46:22
ComboFix2.txt 2008-04-21 05:37:03
ComboFix3.txt 2008-04-20 03:06:33

Pre-Run: 57,175,027,712 bytes free
Post-Run: 57,162,002,432 bytes free

226 --- E O F --- 2008-04-10 08:01:48
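The helper's CFScript above and the ComboFix log it produced are normally reconciled by eye: did every File:: and Folder:: target show up under "Other Deletions", and what do the Security Center values in "Reg Loading Points" mean. The script below is an added example for this thread, not ComboFix's own code or the helper's tooling; its two sample strings are constructed from fragments of the script and log posted above, and the section-header and REGEDIT4 line formats it parses are assumed from what those logs show.

```python
"""Reconcile a ComboFix CFScript with the ComboFix log it produced.

Added example for this thread; not ComboFix code. It checks whether every
File:: / Folder:: target from the script appears under "Other Deletions",
and reports Windows Security Center values in "Reg Loading Points" that
silence the "no antivirus / no firewall" warnings.
"""
import re

# Constructed: a shortened version of the helper's CFScript.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\uluetamf.ini
C:\WINDOWS\system32\oupebkba.dll
C:\WINDOWS\system32\khebsjfd.tmp
Folder::
C:\Program Files\twbwzijk
"""

# Constructed: fragments of the ComboFix log that followed.
COMBOFIX_LOG = r"""ComboFix 08-04-18.3 - Owner 2008-04-22 23:41:58.3 - NTFSx86
* Resident AV is active

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\khebsjfd.tmp
C:\WINDOWS\system32\oupebkba.dll
C:\WINDOWS\system32\uluetamf.ini

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

**************************************************************************
"""

SECTION_RE = re.compile(r'^\(+\s*(.+?)\s*\)+$')   # ((((( Section Name )))))
KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\path]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_cfscript(text):
    """Map each CFScript directive (File, Folder, ...) to its target lines."""
    targets, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith('::'):
            section = line[:-2]
            targets.setdefault(section, [])
        elif section is not None:
            targets[section].append(line)
    return targets


def parse_combofix_sections(text):
    """Split a ComboFix log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if line.startswith('****'):      # the rule before the catchme output ends the dump
            current = None
        elif m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != '.':
            sections[current].append(line)
    return sections


def reconcile(cfscript, log):
    """Return (confirmed, unconfirmed) script targets, compared case-insensitively."""
    targets = parse_cfscript(cfscript)
    deleted = {p.lower() for p in parse_combofix_sections(log).get('Other Deletions', [])}
    requested = [p for key in ('File', 'Folder') for p in targets.get(key, [])]
    confirmed = [p for p in requested if p.lower() in deleted]
    unconfirmed = [p for p in requested if p.lower() not in deleted]
    return confirmed, unconfirmed


def security_center_warnings(log):
    """Describe Security Center values under 'Reg Loading Points' that hide alerts.

    Caveat: AV suites that register with WSC commonly set DisableMonitoring for
    their own product (this machine runs McAfee's WSC integration service), and
    rogue 'security' software sets the same values to stay quiet. A hit means
    'confirm who set this', not 'infected'.
    """
    warnings, key = [], None
    for line in parse_combofix_sections(log).get('Reg Loading Points', []):
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        m = DWORD_RE.match(line)
        if not (m and key and 'security center' in key.lower()):
            continue
        name, value = m.group(1), int(m.group(2), 16)
        if name == 'AntiVirusDisableNotify' and value == 1:
            warnings.append('WSC "no antivirus" alerts are suppressed (AntiVirusDisableNotify=1)')
        elif name == 'DisableMonitoring' and value == 1:
            product = key.rsplit('\\', 1)[-1]
            warnings.append('WSC is not monitoring %s (DisableMonitoring=1)' % product)
    return warnings


if __name__ == '__main__':
    done, missing = reconcile(CFSCRIPT, COMBOFIX_LOG)
    print('%d of %d script targets confirmed deleted' % (len(done), len(done) + len(missing)))
    for path in missing:
        print('  not under Other Deletions (already gone, or not deleted):', path)
    for warning in security_center_warnings(COMBOFIX_LOG):
        print('  WSC:', warning)
```

On the sample it confirms all three files and reports the twbwzijk folder as unconfirmed, which matches the full log above (the folder never appears under Other Deletions, so it was most likely already gone); a folder that is still present after that is the thing to re-check by hand.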

KrisReizer
2008-04-24, 01:08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:40 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Pidgin\pidgin.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.lapdawg\Desktop\Security\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A98DF8F-2E4F-4E88-8E5D-96C6977A4823}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 7340 bytes
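The HijackThis logs in this thread are read by the helper one section code at a time, picking out entries whose target file no longer exists (the O21 SSODL line asked to be fixed above) and a few entries that look legitimate but decide where traffic or code goes. The script below is an added example for this thread, not HijackThis code or the helper's tooling; its sample log is constructed from lines of the log posted above, and the verdict labels and the choice of which sections count as injection points are the example's own assumptions.

```python
"""Triage a HijackThis log the way a helper reads it.

Added example for this thread; not HijackThis code. It parses the log into
(section code, body) entries and flags dangling load points, a proxy
auto-config URL, DNS server overrides, and Run entries without a full path.
"""
import re

# Constructed: a handful of lines taken from the HijackThis log above.
HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A98DF8F-2E4F-4E88-8E5D-96C6977A4823}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: ComponentService - {631f7f2d-b799-49c9-b0e9-70ea1e194f22} - (no file)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
"""

ENTRY_RE = re.compile(r'^(R\d|F\d|O\d+) - (.*)$')
DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\')

# Load points that run code inside Explorer, IE or every logon (assumed set):
# a dangling entry here is what a helper asks to have fixed (O21 above), while
# a missing file behind a toolbar button (O9) or a service (O23) is cleanup.
INJECTION_POINTS = {'O2', 'O20', 'O21'}


def parse_hjt(text):
    """Return [(section code, entry body)] for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return [(code, verdict, body)] for entries worth a second look.

    Verdicts: 'remove' (dangling injection point), 'cleanup' (dangling but
    inert), 'verify' (looks legitimate but decides where traffic or code
    goes, so confirm it against what is actually installed).
    """
    findings = []
    for code, body in parse_hjt(text):
        orphan = '(no file)' in body or '(file missing)' in body
        if orphan:
            verdict = 'remove' if code in INJECTION_POINTS else 'cleanup'
        elif code == 'R1' and 'AutoConfigURL' in body:
            # A PAC file picks the proxy for every browser request. Here
            # localhost:9100 is consistent with the Google Web Accelerator
            # process in the log, but that is something to confirm, not assume.
            verdict = 'verify'
        elif code == 'O17':
            # DNS override: compare with the ISP's or router's servers.
            verdict = 'verify'
        elif code == 'O4' and not DRIVE_PATH_RE.search(body):
            # Bare filename resolved via the search path; check which copy
            # actually runs (the ComboFix log resolved this one to C:\WINDOWS).
            verdict = 'verify'
        else:
            continue
        findings.append((code, verdict, body))
    return findings


if __name__ == '__main__':
    for code, verdict, body in triage(HJT_LOG):
        print('%-8s %-4s %s' % (verdict, code, body))
```

Run on the sample, the only 'remove' verdict is the O21 SSODL entry, the same line the helper singled out; the O9 and O23 orphans are harmless leftovers, and the R1, O17 and O4 lines are 'verify' because nothing in the log alone proves them good or bad.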

random/random
2008-04-24, 18:56
Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked and that the option Scan unwanted applications is ticked.
Click Scan
Wait for the scan to finish
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.