
Thread: "Windows Security Center"

  1. #11
    Security Expert: Visiting Fellow (Join Date: Jul 2007, Posts: 703)

    Right click here and click save link as
    Save it as resetteatimer.bat to your desktop

    1) Run Spybot-S&D
    2) Go to the Mode menu, and make sure "Advanced Mode" is selected
    3) On the left hand side, choose Tools -> Resident
    4) Uncheck "Resident TeaTimer" and OK any prompts
    5) Restart your computer.

    Double click on resetteatimer.bat and wait for it to finish

    • Open a new notepad window (Start>All programs>accessories>notepad)
    • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
      Code:
      File::
      C:\WINDOWS\system32\qpbmkhyq.ini
      C:\WINDOWS\system32\ofxihahf.dll
      C:\WINDOWS\system32\fsnadiof.dll
      C:\WINDOWS\system32\drvbin.dll
      C:\WINDOWS\system32\uobdtxlj.dll
      C:\WINDOWS\system32\euuwkpkc.dll
      C:\WINDOWS\system32\drvsew.dll
      C:\WINDOWS\system32\tkhwjyrg.ini
      C:\WINDOWS\system32\drvses.dll
      C:\Documents and Settings\Owner.lapdawg\DesktopTrojan.Win32.BlackBird.exe
      C:\WINDOWS\system32\tmwphuqu.ini
      C:\WINDOWS\system32\sdeqfofe.ini
      C:\WINDOWS\system32\iSecurity(2).cpl
      C:\WINDOWS\system32\drvbuj.dll
      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "c4cf0baf"=-
      "BMc7fc3833"=-
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccCTmk]
      [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winldd32]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMc7fc3833]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bqratsvc]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c4cf0baf]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\khuzqdmv]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\klahizuf]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDisp32]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSDrive]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr]
      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\twbwzijk]
    • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
    • Save it to the desktop as CFscript.txt
    • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
      Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

  2. #12
    Junior Member (Join Date: Apr 2008, Posts: 14)

    ComboFix Log

    ComboFix 08-04-18.3 - Owner 2008-04-21 0:31:47.2 - NTFSx86

    Running from: C:\Documents and Settings\Owner.lapdawg\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner.lapdawg\Desktop\CFscript.txt
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\Owner.lapdawg\DesktopTrojan.Win32.BlackBird.exe
    C:\WINDOWS\system32\drvbin.dll
    C:\WINDOWS\system32\drvbuj.dll
    C:\WINDOWS\system32\drvses.dll
    C:\WINDOWS\system32\drvsew.dll
    C:\WINDOWS\system32\euuwkpkc.dll
    C:\WINDOWS\system32\fsnadiof.dll
    C:\WINDOWS\system32\iSecurity(2).cpl
    C:\WINDOWS\system32\ofxihahf.dll
    C:\WINDOWS\system32\qpbmkhyq.ini
    C:\WINDOWS\system32\sdeqfofe.ini
    C:\WINDOWS\system32\tkhwjyrg.ini
    C:\WINDOWS\system32\tmwphuqu.ini
    C:\WINDOWS\system32\uobdtxlj.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Austin\Favorites\Online Security Guide.lnk
    C:\Documents and Settings\Owner.lapdawg\DesktopTrojan.Win32.BlackBird.exe
    C:\WINDOWS\b.exe
    C:\WINDOWS\system32\aapbljco.dllbox
    C:\WINDOWS\system32\drvbin.dll
    C:\WINDOWS\system32\drvbuj.dll
    C:\WINDOWS\system32\drvses.dll
    C:\WINDOWS\system32\drvsew.dll
    C:\WINDOWS\system32\euuwkpkc.dll
    C:\WINDOWS\system32\fsnadiof.dll
    C:\WINDOWS\system32\iSecurity(2).cpl
    C:\WINDOWS\system32\ofxihahf.dll
    C:\WINDOWS\system32\qpbmkhyq.ini
    C:\WINDOWS\system32\reipcole.dllbox
    C:\WINDOWS\system32\sdeqfofe.ini
    C:\WINDOWS\system32\tkhwjyrg.ini
    C:\WINDOWS\system32\tmwphuqu.ini
    C:\WINDOWS\system32\uobdtxlj.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
    .

    2008-04-15 20:32 . 2008-04-15 20:32 <DIR> d-------- C:\Program Files\Blender Foundation
    2008-04-15 20:32 . 2008-04-15 20:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-15 20:32 . 2008-04-15 20:32 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-04-13 20:57 . 2008-04-13 21:19 <DIR> d-------- C:\Documents and Settings\Owner.lapdawg\.gimp-2.4
    2008-04-13 20:56 . 2008-04-13 20:56 <DIR> d-------- C:\Program Files\GIMP-2.0
    2008-04-09 18:39 . 2008-04-09 18:41 1,355 --a------ C:\WINDOWS\imsins.BAK
    2008-04-06 14:37 . 2007-12-29 15:50 6,854,656 --a--c--- C:\hellgate_sp_dx9_x86.exe
    2008-04-04 20:47 . 2008-04-04 20:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-04 20:47 . 2008-04-05 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-04 00:07 . 2008-04-04 00:52 <DIR> d-------- C:\Program Files\DominateGame
    2008-04-02 00:35 . 2008-04-02 22:18 <DIR> d-------- C:\Program Files\Rheingold3D
    2008-04-01 21:40 . 2008-04-01 21:40 <DIR> d-------- C:\Program Files\Uniblue
    2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Documents and Settings\Owner.lapdawg\Application Data\SUPERAntiSpyware.com
    2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-03-31 23:19 . 2008-03-31 23:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-31 21:28 . 2008-04-04 17:59 4,678 --a------ C:\WINDOWS\system32\tmp.reg
    2008-03-29 22:39 . 2008-04-01 18:04 <DIR> d----c--- C:\!KillBox
    2008-03-29 20:23 . 2008-03-29 20:24 <DIR> d-------- C:\Program Files\DancingGorilla
    2008-03-29 18:51 . 2008-03-29 18:51 <DIR> d----c--- C:\67597b168ad9622978893c1ec50d8205
    2008-03-29 17:18 . 2008-03-29 17:18 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-03-29 17:06 . 2008-03-29 18:41 1,583,937 ---hs---- C:\WINDOWS\system32\uluetamf.ini
    2008-03-29 14:53 . 2008-04-01 18:04 <DIR> d-------- C:\Program Files\IE Extensions
    2008-03-29 01:40 . 2008-03-30 21:08 <DIR> d-------- C:\FLEXLM
    2008-03-29 01:37 . 2008-03-29 01:37 <DIR> d-------- C:\Program Files\ReflexiveArcade
    2008-03-23 18:06 . 2008-04-13 20:54 <DIR> d-------- C:\Program Files\GIMPshop

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-21 05:30 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\.purple
    2008-04-15 12:35 27,588 ----a-w C:\Documents and Settings\Owner.lapdawg\Application Data\wklnhst.dat
    2008-04-15 04:38 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\gtk-2.0
    2008-04-02 00:45 --------- d-----w C:\Program Files\twbwzijk
    2008-03-30 05:37 --------- d-----w C:\Program Files\Diablo II
    2008-03-30 04:08 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2008-03-30 01:56 --------- d-----w C:\Program Files\StepMania
    2008-03-29 22:08 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-03-29 06:39 --------- d-----w C:\Program Files\AviCreator 1.5
    2008-03-29 06:38 --------- d-----w C:\Program Files\Steam
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-03 05:10 3,914 ----a-w C:\WINDOWS\system32\oupebkba.dll
    2008-03-03 03:45 3,914 ----a-w C:\WINDOWS\system32\qrocarsh.dll
    2008-03-03 03:42 3,914 ----a-w C:\WINDOWS\system32\fkifbopc.dll
    2008-03-02 00:55 3,914 ----a-w C:\WINDOWS\system32\kjnyscxm.dll
    2008-03-02 00:03 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\Template
    2008-03-01 23:02 3,914 ----a-w C:\WINDOWS\system32\xniqglax.dll
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-29 02:38 3,914 ----a-w C:\WINDOWS\system32\gaopbgwk.dll
    2008-02-28 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-28 04:04 --------- d-----w C:\Program Files\Zone Labs
    2008-02-28 04:04 --------- d-----w C:\Program Files\Pure Networks
    2008-02-28 04:04 --------- d-----w C:\Program Files\NibblesRHS
    2008-02-28 04:04 --------- d-----w C:\Program Files\IMVU
    2008-02-28 04:04 --------- d-----w C:\Program Files\Elaborate Bytes
    2008-02-28 04:03 --------- d-----w C:\Program Files\Xfire
    2008-02-25 05:39 1,254,203 --sh--w C:\WINDOWS\system32\khebsjfd.tmp
    2008-02-23 22:19 --------- d-----w C:\Program Files\Finale NotePad 2007
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2008-02-09 19:31 3,914 ----a-w C:\WINDOWS\system32\arkvjprd.dll
    2008-02-09 03:11 3,914 ----a-w C:\WINDOWS\system32\atibnave.dll
    2008-02-09 03:04 3,914 ----a-w C:\WINDOWS\system32\lmjujhsl.dll
    2008-02-08 22:53 3,914 ----a-w C:\WINDOWS\system32\cpwvboin.dll
    2008-02-08 01:34 3,914 ----a-w C:\WINDOWS\system32\shrnnexq.dll
    2008-02-08 01:29 3,914 ----a-w C:\WINDOWS\system32\bbeprnfd.dll
    2008-02-07 22:03 3,914 ----a-w C:\WINDOWS\system32\pakstvuh.dll
    2008-02-07 22:00 3,914 ----a-w C:\WINDOWS\system32\njtnuavw.dll
    2008-02-07 21:58 3,914 ----a-w C:\WINDOWS\system32\srjsdgmf.dll
    2008-02-06 05:49 3,914 ----a-w C:\WINDOWS\system32\siunxjcm.dll
    2008-02-05 00:27 3,914 ----a-w C:\WINDOWS\system32\bwfysvfe.dll
    2008-02-03 19:42 15,872 ----a-w C:\WINDOWS\system32\drvxek.dll
    2008-02-03 04:26 3,914 ----a-w C:\WINDOWS\system32\uyowxgjh.dll
    2008-01-29 01:12 3,914 ----a-w C:\WINDOWS\system32\quwveaah.dll
    2008-01-24 18:22 3,914 ----a-w C:\WINDOWS\system32\jockwyhw.dll
    2008-01-24 18:19 3,914 ----a-w C:\WINDOWS\system32\aykcwrla.dll
    2008-01-24 01:49 3,914 ----a-w C:\WINDOWS\system32\ahayujdh.dll
    2008-01-22 01:55 3,914 ----a-w C:\WINDOWS\system32\scaysbwy.dll
    2008-01-22 01:34 3,914 ----a-w C:\WINDOWS\system32\kceqtxix.dll
    2008-01-22 01:34 3,914 ----a-w C:\WINDOWS\system32\hskmcfwi.dll
    2008-01-22 01:31 3,914 ----a-w C:\WINDOWS\system32\sgeweblo.dll
    2007-11-23 18:02 24,249 ----a-w C:\Documents and Settings\Owner.lapdawg\Application Data\info.dat
    2007-05-06 02:22 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2007-09-15 19:22 66,936 --sha-w C:\WINDOWS\dlinfo_0.drv
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-19_22.06.00.50 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-20 03:00:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-21 04:02:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 15:49 68856]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-10-24 17:10 4662776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47 98394]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47 688218]
    "Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 12:20 413696 C:\WINDOWS\stsystra.exe]
    "SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 21:22 573440]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 20:18 151552]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 00:02 53248]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 21:22 303104]
    "MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 16:26 212992]
    "MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 12:26 110592]
    "MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 18:16 1121792]
    "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 14:49 163840]
    "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-27 19:17 999424]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-26 18:03 98304]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 14:00 208952]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 14:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00 455168]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-09-26 18:02 26112]
    "MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-08-19 01:01 190024]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    --a------ 2006-11-07 10:29 50736 C:\Program Files\AIM6\aim6.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    --a------ 2007-09-07 18:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    --a------ 2006-09-28 14:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    --a------ 2007-08-29 10:09 171464 C:\Program Files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2006-09-26 18:03 98304 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2006-10-24 17:10 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Diablo\\diablo.exe"=
    "C:\\Program Files\\AIM6\\aim6.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "C:\\Program Files\\uTorrent\\utorrent.exe"=
    "C:\\Program Files\\BYOND\\bin\\byond.exe"=
    "C:\\Program Files\\Starcraft\\StarCraft.exe"=
    "C:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "24686:TCP"= 24686:TCP:BitTorrent
    "5738:TCP"= 5738:TCP:vbalink
    "4664:TCP"= 4664:TCP:EMule
    "4674:UDP"= 4674:UDP:Emule0


    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-21 00:35:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-21 0:37:02
    ComboFix-quarantined-files.txt 2008-04-21 05:36:55
    ComboFix2.txt 2008-04-20 03:06:33

    Pre-Run: 57,186,988,032 bytes free
    Post-Run: 57,169,408,000 bytes free

    231 --- E O F --- 2008-04-10 08:01:48
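
One way to triage a log like the one above, as an added example that is not part of this thread, of ComboFix or of HijackThis: the script below parses two things this log exposes. First, the Security Center registry switches in the "Reg Loading Points" section (`AntiVirusDisableNotify` and `DisableMonitoring` appear in the log; the other names in `TAMPER_VALUES` are the documented XP SP2 siblings and are an assumption beyond the page) set to a non-zero value, which is what stops the Security Center from reporting that antivirus or firewall monitoring is off. Second, the cluster of identically sized 3,914-byte DLLs with eight-letter random names under system32 that the Find3M report lists. `SAMPLE_LOG` is a constructed excerpt in the same format, not the log itself.

```python
"""Triage heuristics for a ComboFix log: flag Windows Security Center
tampering switches and clusters of same-size, random-named DLLs in
system32. Added example; not part of the forum thread or of ComboFix.
SAMPLE_LOG is a constructed excerpt in ComboFix's Find3M / REGEDIT4 format."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
2008-03-03 05:10 3,914 ----a-w C:\WINDOWS\system32\oupebkba.dll
2008-03-03 03:45 3,914 ----a-w C:\WINDOWS\system32\qrocarsh.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-09 03:11 3,914 ----a-w C:\WINDOWS\system32\atibnave.dll
2008-02-28 04:04 --------- d-----w C:\Program Files\Zone Labs
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"""

# Security Center values that silence or suppress AV/firewall monitoring.
# AntiVirusDisableNotify and DisableMonitoring appear in the thread's log;
# the others are the documented XP SP2 siblings (assumption: non-zero = suppressed).
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
TAMPER_VALUES = {
    "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
    "antivirusoverride", "firewalloverride", "disablemonitoring",
}

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
# Find3M rows: date time size attrs path (directory rows have dashes for size)
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} ([\d,]+) \S+ (.+)$")
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")


def security_center_tampering(log_text):
    """Return (key, value_name) pairs for Security Center switches set to
    a non-zero value in the log's REGEDIT4 'Reg Loading Points' section."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = DWORD_LINE.match(line)
        if not (m and current_key):
            continue
        if not current_key.lower().startswith(SECURITY_CENTER_KEY):
            continue
        name, value = m.group(1), int(m.group(2), 16)
        if name.lower() in TAMPER_VALUES and value != 0:
            findings.append((current_key, name))
    return findings


def random_dll_clusters(log_text, min_count=3):
    """Group system32 DLLs whose base name is eight lowercase letters by byte
    size; return {size: [paths]} for sizes seen at least min_count times.
    Same-size, random-named files are the mass-dropped pattern in the log;
    a lone legitimate eight-letter name (e.g. setupapi.dll) will not cluster."""
    by_size = defaultdict(list)
    for raw in log_text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if not m:
            continue  # directory rows and non-Find3M lines do not match
        size = int(m.group(1).replace(",", ""))
        path = m.group(2)
        name = path.rsplit("\\", 1)[-1].lower()
        if "\\system32\\" in path.lower() and RANDOM_DLL.match(name):
            by_size[size].append(path)
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


if __name__ == "__main__":
    for key, name in security_center_tampering(SAMPLE_LOG):
        print(f"Security Center switch set: {name} under [{key}]")
    for size, paths in random_dll_clusters(SAMPLE_LOG).items():
        print(f"{len(paths)} random-named DLLs of {size} bytes:")
        for p in paths:
            print("   ", p)
```

Run it against a saved ComboFix log by replacing `SAMPLE_LOG` with the file's contents. The name pattern alone is only a weak signal; the size clustering is what separates a drop of identical payload copies from an ordinary system DLL that happens to have an eight-letter name.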

  3. #13
    Junior Member (Join Date: Apr 2008, Posts: 14)

    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:42:33 AM, on 4/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Owner.lapdawg\Desktop\Security\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
    O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: ComponentService - {631f7f2d-b799-49c9-b0e9-70ea1e194f22} - (no file)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

    --
    End of file - 7217 bytes

  4. #14
    Security Expert: Visiting Fellow (Join Date: Jul 2007, Posts: 703)

    Run HijackThis.
    Click on Do a system scan only.
    Place a checkmark next to these lines (if still present).

    O21 - SSODL: ComponentService - {631f7f2d-b799-49c9-b0e9-70ea1e194f22} - (no file)

    Then close all windows except HijackThis and click Fix Checked.

    • Open a new notepad window (Start>All programs>accessories>notepad)
    • Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard
      Code:
      File::
      C:\WINDOWS\system32\uluetamf.ini
      C:\WINDOWS\system32\oupebkba.dll
      C:\WINDOWS\system32\qrocarsh.dll
      C:\WINDOWS\system32\fkifbopc.dll
      C:\WINDOWS\system32\kjnyscxm.dll
      C:\WINDOWS\system32\xniqglax.dll
      C:\WINDOWS\system32\gaopbgwk.dll
      C:\WINDOWS\system32\khebsjfd.tmp
      C:\WINDOWS\system32\arkvjprd.dll
      C:\WINDOWS\system32\atibnave.dll
      C:\WINDOWS\system32\lmjujhsl.dll
      C:\WINDOWS\system32\cpwvboin.dll
      C:\WINDOWS\system32\shrnnexq.dll
      C:\WINDOWS\system32\bbeprnfd.dll
      C:\WINDOWS\system32\pakstvuh.dll
      C:\WINDOWS\system32\njtnuavw.dll
      C:\WINDOWS\system32\srjsdgmf.dll
      C:\WINDOWS\system32\siunxjcm.dll
      C:\WINDOWS\system32\bwfysvfe.dll
      C:\WINDOWS\system32\drvxek.dll
      C:\WINDOWS\system32\uyowxgjh.dll
      C:\WINDOWS\system32\quwveaah.dll
      C:\WINDOWS\system32\jockwyhw.dll
      C:\WINDOWS\system32\aykcwrla.dll
      C:\WINDOWS\system32\ahayujdh.dll
      C:\WINDOWS\system32\scaysbwy.dll
      C:\WINDOWS\system32\kceqtxix.dll
      C:\WINDOWS\system32\hskmcfwi.dll
      C:\WINDOWS\system32\sgeweblo.dll
      Folder::
      C:\Program Files\twbwzijk
    • Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
    • Save it to the desktop as CFscript.txt
    • Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
    • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
      Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

  5. #15
    Junior Member (Join Date: Apr 2008, Posts: 14)

    ComboFix Log

    ComboFix 08-04-18.3 - Owner 2008-04-22 23:41:58.3 - NTFSx86

    Running from: C:\Documents and Settings\Owner.lapdawg\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner.lapdawg\Desktop\CFscript.txt
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\ahayujdh.dll
    C:\WINDOWS\system32\arkvjprd.dll
    C:\WINDOWS\system32\atibnave.dll
    C:\WINDOWS\system32\aykcwrla.dll
    C:\WINDOWS\system32\bbeprnfd.dll
    C:\WINDOWS\system32\bwfysvfe.dll
    C:\WINDOWS\system32\cpwvboin.dll
    C:\WINDOWS\system32\drvxek.dll
    C:\WINDOWS\system32\fkifbopc.dll
    C:\WINDOWS\system32\gaopbgwk.dll
    C:\WINDOWS\system32\hskmcfwi.dll
    C:\WINDOWS\system32\jockwyhw.dll
    C:\WINDOWS\system32\kceqtxix.dll
    C:\WINDOWS\system32\khebsjfd.tmp
    C:\WINDOWS\system32\kjnyscxm.dll
    C:\WINDOWS\system32\lmjujhsl.dll
    C:\WINDOWS\system32\njtnuavw.dll
    C:\WINDOWS\system32\oupebkba.dll
    C:\WINDOWS\system32\pakstvuh.dll
    C:\WINDOWS\system32\qrocarsh.dll
    C:\WINDOWS\system32\quwveaah.dll
    C:\WINDOWS\system32\scaysbwy.dll
    C:\WINDOWS\system32\sgeweblo.dll
    C:\WINDOWS\system32\shrnnexq.dll
    C:\WINDOWS\system32\siunxjcm.dll
    C:\WINDOWS\system32\srjsdgmf.dll
    C:\WINDOWS\system32\uluetamf.ini
    C:\WINDOWS\system32\uyowxgjh.dll
    C:\WINDOWS\system32\xniqglax.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\ahayujdh.dll
    C:\WINDOWS\system32\arkvjprd.dll
    C:\WINDOWS\system32\atibnave.dll
    C:\WINDOWS\system32\aykcwrla.dll
    C:\WINDOWS\system32\bbeprnfd.dll
    C:\WINDOWS\system32\bwfysvfe.dll
    C:\WINDOWS\system32\cpwvboin.dll
    C:\WINDOWS\system32\drvxek.dll
    C:\WINDOWS\system32\fkifbopc.dll
    C:\WINDOWS\system32\gaopbgwk.dll
    C:\WINDOWS\system32\hskmcfwi.dll
    C:\WINDOWS\system32\jockwyhw.dll
    C:\WINDOWS\system32\kceqtxix.dll
    C:\WINDOWS\system32\khebsjfd.tmp
    C:\WINDOWS\system32\kjnyscxm.dll
    C:\WINDOWS\system32\lmjujhsl.dll
    C:\WINDOWS\system32\njtnuavw.dll
    C:\WINDOWS\system32\oupebkba.dll
    C:\WINDOWS\system32\pakstvuh.dll
    C:\WINDOWS\system32\qrocarsh.dll
    C:\WINDOWS\system32\quwveaah.dll
    C:\WINDOWS\system32\scaysbwy.dll
    C:\WINDOWS\system32\sgeweblo.dll
    C:\WINDOWS\system32\shrnnexq.dll
    C:\WINDOWS\system32\siunxjcm.dll
    C:\WINDOWS\system32\srjsdgmf.dll
    C:\WINDOWS\system32\uluetamf.ini
    C:\WINDOWS\system32\uyowxgjh.dll
    C:\WINDOWS\system32\xniqglax.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
    .

    2008-04-15 20:32 . 2008-04-15 20:32 <DIR> d-------- C:\Program Files\Blender Foundation
    2008-04-15 20:32 . 2008-04-21 20:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-15 20:32 . 2008-04-15 20:32 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-04-13 20:57 . 2008-04-22 02:25 <DIR> d-------- C:\Documents and Settings\Owner.lapdawg\.gimp-2.4
    2008-04-13 20:56 . 2008-04-13 20:56 <DIR> d-------- C:\Program Files\GIMP-2.0
    2008-04-09 18:39 . 2008-04-09 18:41 1,355 --a------ C:\WINDOWS\imsins.BAK
    2008-04-06 14:37 . 2007-12-29 15:50 6,854,656 --a--c--- C:\hellgate_sp_dx9_x86.exe
    2008-04-04 20:47 . 2008-04-04 20:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-04-04 20:47 . 2008-04-05 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-04 00:07 . 2008-04-04 00:52 <DIR> d-------- C:\Program Files\DominateGame
    2008-04-02 00:35 . 2008-04-02 22:18 <DIR> d-------- C:\Program Files\Rheingold3D
    2008-04-01 21:40 . 2008-04-01 21:40 <DIR> d-------- C:\Program Files\Uniblue
    2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Documents and Settings\Owner.lapdawg\Application Data\SUPERAntiSpyware.com
    2008-03-31 23:20 . 2008-03-31 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-03-31 23:19 . 2008-03-31 23:19 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-31 21:28 . 2008-04-04 17:59 4,678 --a------ C:\WINDOWS\system32\tmp.reg
    2008-03-29 22:39 . 2008-04-01 18:04 <DIR> d----c--- C:\!KillBox
    2008-03-29 20:23 . 2008-03-29 20:24 <DIR> d-------- C:\Program Files\DancingGorilla
    2008-03-29 18:51 . 2008-03-29 18:51 <DIR> d----c--- C:\67597b168ad9622978893c1ec50d8205
    2008-03-29 17:18 . 2008-03-29 17:18 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
    2008-03-29 14:53 . 2008-04-01 18:04 <DIR> d-------- C:\Program Files\IE Extensions
    2008-03-29 01:40 . 2008-03-30 21:08 <DIR> d-------- C:\FLEXLM
    2008-03-23 18:06 . 2008-04-13 20:54 <DIR> d-------- C:\Program Files\GIMPshop

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-23 02:02 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\.purple
    2008-04-22 21:59 27,588 ----a-w C:\Documents and Settings\Owner.lapdawg\Application Data\wklnhst.dat
    2008-04-22 07:00 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\gtk-2.0
    2008-04-21 05:40 --------- d-----w C:\Program Files\StepMania
    2008-03-30 05:37 --------- d-----w C:\Program Files\Diablo II
    2008-03-30 04:08 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
    2008-03-29 22:08 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-03-29 06:39 --------- d-----w C:\Program Files\AviCreator 1.5
    2008-03-29 06:38 --------- d-----w C:\Program Files\Steam
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-02 00:03 --------- d-----w C:\Documents and Settings\Owner.lapdawg\Application Data\Template
    2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-02-28 04:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-28 04:04 --------- d-----w C:\Program Files\Zone Labs
    2008-02-28 04:04 --------- d-----w C:\Program Files\Pure Networks
    2008-02-28 04:04 --------- d-----w C:\Program Files\NibblesRHS
    2008-02-28 04:04 --------- d-----w C:\Program Files\IMVU
    2008-02-28 04:04 --------- d-----w C:\Program Files\Elaborate Bytes
    2008-02-28 04:03 --------- d-----w C:\Program Files\Xfire
    2008-02-23 22:19 --------- d-----w C:\Program Files\Finale NotePad 2007
    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
    2007-11-23 18:02 24,249 ----a-w C:\Documents and Settings\Owner.lapdawg\Application Data\info.dat
    2007-05-06 02:22 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2007-09-15 19:22 66,936 --sha-w C:\WINDOWS\dlinfo_0.drv
    .

    ((((((((((((((((((((((((((((( snapshot@2008-04-19_22.06.00.50 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-20 03:00:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-04-23 02:06:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-03 15:49 68856]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-24 17:10 4662776]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 09:47 98394]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 09:47 688218]
    "Reminder"="%WINDIR%\Creator\Remind_XP.exe" [ ]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 12:20 413696 C:\WINDOWS\stsystra.exe]
    "SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-23 21:22 573440]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 20:18 151552]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 00:02 53248]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-07-01 21:22 303104]
    "MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 16:26 212992]
    "MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 12:26 110592]
    "MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 18:16 1121792]
    "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 14:49 163840]
    "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-27 19:17 999424]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-26 18:03 98304]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 14:00 208952]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 14:00 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00 455168]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-09-26 18:02 26112]
    "MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-08-19 01:01 190024]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 22:24:38 1134592]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    --a------ 2006-11-07 10:29 50736 C:\Program Files\AIM6\aim6.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    --a------ 2007-09-07 18:01 43008 C:\Program Files\BitTorrent\bittorrent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    --a------ 2006-09-28 14:21 57344 C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    --a------ 2007-08-29 10:09 171464 C:\Program Files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2006-09-26 18:03 98304 C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2006-10-24 17:10 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Diablo\\diablo.exe"=
    "C:\\Program Files\\AIM6\\aim6.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "C:\\Program Files\\uTorrent\\utorrent.exe"=
    "C:\\Program Files\\BYOND\\bin\\byond.exe"=
    "C:\\Program Files\\Starcraft\\StarCraft.exe"=
    "C:\\Program Files\\Alias\\Maya8.0\\bin\\maya.exe"=
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "24686:TCP"= 24686:TCP:BitTorrent
    "5738:TCP"= 5738:TCP:vbalink
    "4664:TCP"= 4664:TCP:EMule
    "4674:UDP"= 4674:UDP:Emule0


    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-22 23:45:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-22 23:46:27
    ComboFix-quarantined-files.txt 2008-04-23 04:46:22
    ComboFix2.txt 2008-04-21 05:37:03
    ComboFix3.txt 2008-04-20 03:06:33

    Pre-Run: 57,175,027,712 bytes free
    Post-Run: 57,162,002,432 bytes free

    226 --- E O F --- 2008-04-10 08:01:48
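
Added example, not ComboFix, HijackThis or forum code: a small parser for the "Reg Loading Points" section of a ComboFix log that flags the Windows Security Center values seen in the post above, separating the flag that silences user warnings from the per-product monitoring flags a third-party suite commonly registers for itself. The sample log below is constructed in the same format; the severity labels are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's "Reg Loading Points" format (trimmed).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
SC_KEY = r"hkey_local_machine\software\microsoft\security center"
# Root-key values that silence the Security Center balloon warnings (XP SP2).
NOTIFY_VALUES = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify"}


def parse_reg_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: raw data}} for a REGEDIT4-style dump."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("data").strip()
    return sections


def security_center_findings(text: str) -> List[Tuple[str, str, str]]:
    """List (severity, key, value) for Security Center flags set to dword:1."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_sections(text).items():
        k = key.lower()
        if not k.startswith(SC_KEY):
            continue
        for name, data in values.items():
            if data.lower() != "dword:00000001":
                continue
            n = name.lower()
            if k == SC_KEY and n in NOTIFY_VALUES:
                # The user gets no warning if AV, firewall or updates go off.
                findings.append(("high", key, name))
            elif "\\monitoring\\" in k and n == "disablemonitoring":
                # Commonly set by a third-party suite for its own products so WSC
                # does not double-report; confirm the named product is installed.
                findings.append(("info", key, name))
    return findings
```
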

  6. #16
    Junior Member
    Join Date
    Apr 2008
    Posts
    14

    Default HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:41:40 PM, on 4/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\Program Files\McAfee.com\VSO\oasclnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Owner.lapdawg\Desktop\Security\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
    O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-1407522397-1983649389-1661241170-1006\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
    O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5A98DF8F-2E4F-4E88-8E5D-96C6977A4823}: NameServer = 68.94.156.1 68.94.157.1
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

    --
    End of file - 7340 bytes

  7. #17
    Security Expert: Visiting Fellow
    Join Date
    Jul 2007
    Posts
    703

    Default

    Go here to run an online scanner from ESET.
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems.
