OK so, I have finally had the time to sit and follow these instructions carefully, and here are the reports. Thanks so much.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:39 AM, on 7/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\netdde.exe
H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\WINDOWS\explorer.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {48eb86a8-8233-32aa-8204-a90b51bead43} - {34daeb15-b09a-4028-aa23-33288a68be84} - H:\WINDOWS\system32\rrvljw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [HP Software Update] H:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Flag Owns Live Grim] H:\Documents and Settings\All Users\Application Data\Software rule flag owns\Flag Jump.exe
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "H:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [swg] H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm793MFCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - H:\Documents and Settings\Kody.KYLE\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4A116A80-85B6-4299-A018-A717FD7AC66A} (AXIDMDCP Class) - http://m1.cdn.****online.com/plugins/IDMFlash.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.easypix.ca/en/ImageUploader4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...v2.0.0.10.cab?
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - H:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - AppInit_DLLs: H:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - H:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Symantec Core LC - Unknown owner - H:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8022 bytes
ComboFix
ComboFix 08-06-30.2 - Stacy 2008-07-02 10:22:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.142 [GMT -4:00]
Running from: H:\Documents and Settings\Stacy\Desktop\ComboFix.exe
Command switches used :: H:\Documents and Settings\Stacy\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
H:\Documents and Settings\Kody\Application Data\macromedia\Flash Player\#SharedObjects\XKWYFJFE\www.broadcaster.com
H:\Documents and Settings\Kody\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
H:\Documents and Settings\Kody\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
H:\Documents and Settings\Kody\Application Data\Starware316
H:\Documents and Settings\Kody\Application Data\Starware316\BrowserSearch\BrowserSearch.xml
H:\Documents and Settings\Kody\Application Data\Starware316\BrowserSearch\BrowserSearch.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\Configurator\Configurator.xml
H:\Documents and Settings\Kody\Application Data\Starware316\Configurator\Configurator.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\ErrorSearch\ErrorSearchOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\ErrorSearch\ErrorSearchOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\Games\GamesOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\Games\GamesOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\Manager\ManagerOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\Manager\ManagerOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\Movies\MoviesOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\Movies\MoviesOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\Reference\ReferenceOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\Reference\ReferenceOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\RelatedSearch\RelatedSearchOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\RelatedSearch\RelatedSearchOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\Screensavers\ScreensaversOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\Screensavers\ScreensaversOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\ToolbarLogo\ToolbarLogoOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\ToolbarLogo\ToolbarLogoOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\ToolbarSearch\ToolbarSearchOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\ToolbarSearch\ToolbarSearchOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\TravelSearch\TravelSearchOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\TravelSearch\TravelSearchOptions.xml.backup
H:\Documents and Settings\Kody\Application Data\Starware316\Weather\WeatherOptions.xml
H:\Documents and Settings\Kody\Application Data\Starware316\Weather\WeatherOptions.xml.backup
H:\WINDOWS\BM1736e4a6.txt
H:\WINDOWS\cookies.ini
H:\WINDOWS\Downloaded Program Files\setup.inf
H:\WINDOWS\pskt.ini
H:\WINDOWS\system32\aaeyybdt.ini
H:\WINDOWS\system32\AbehOqss.ini
H:\WINDOWS\system32\AbehOqss.ini2
H:\WINDOWS\system32\bkydrokk.ini
H:\WINDOWS\system32\bnsomtys.dll
H:\WINDOWS\system32\bqeaptly.dll
H:\WINDOWS\system32\brbhtetm.ini
H:\WINDOWS\system32\bwaoomkn.ini
H:\WINDOWS\system32\byXNdbAQ.dll
H:\WINDOWS\system32\ccxrevhy.ini
H:\WINDOWS\system32\ceqmixup.ini
H:\WINDOWS\system32\cycovorp.ini
H:\WINDOWS\system32\dkrilesn.ini
H:\WINDOWS\system32\eavsdylm.dll
H:\WINDOWS\system32\edricrps.dll
H:\WINDOWS\system32\efyumvnq.dll
H:\WINDOWS\system32\fbhbnocf.dll
H:\WINDOWS\system32\fccbBQIX.dll
H:\WINDOWS\system32\fvivbcrw.dll
H:\WINDOWS\system32\hgiiwsaw.ini
H:\WINDOWS\system32\hoaueaak.dll
H:\WINDOWS\system32\hqbvsqxr.dll
H:\WINDOWS\system32\Iklklnnn.ini
H:\WINDOWS\system32\Iklklnnn.ini2
H:\WINDOWS\system32\iuxiqtqj.dll
H:\WINDOWS\system32\iwnqliss.dll
H:\WINDOWS\system32\jfcjmsxi.dll
H:\WINDOWS\system32\jkkiGwvw.dll
H:\WINDOWS\system32\jkkLFywt.dll
H:\WINDOWS\system32\jodvwvty.dll
H:\WINDOWS\system32\jQpoYJjl.ini
H:\WINDOWS\system32\jQpoYJjl.ini2
H:\WINDOWS\system32\kkordykb.dll
H:\WINDOWS\system32\kmugdlvv.ini
H:\WINDOWS\system32\kttfsftd.dll
H:\WINDOWS\system32\kutjicpw.dll
H:\WINDOWS\system32\lixuhpra.dll
H:\WINDOWS\system32\ljJYopQj.dll
H:\WINDOWS\system32\lsunupcy.dll
H:\WINDOWS\system32\mcrh.tmp
H:\WINDOWS\system32\mfwxcjpq.dll
H:\WINDOWS\system32\mkdybqyr.ini
H:\WINDOWS\system32\MSssAyxx.ini
H:\WINDOWS\system32\MSssAyxx.ini2
H:\WINDOWS\system32\mtethbrb.dll
H:\WINDOWS\system32\nfvklrpf.ini
H:\WINDOWS\system32\nmeiytlx.dll
H:\WINDOWS\system32\nnnlklkI.dll
H:\WINDOWS\system32\nohebmjr.dll
H:\WINDOWS\system32\nselirkd.dll
H:\WINDOWS\system32\nuspgouw.dll
H:\WINDOWS\system32\oqoadtyn.ini
H:\WINDOWS\system32\oxlgecjs.ini
H:\WINDOWS\system32\provocyc.dll
H:\WINDOWS\system32\pvobwmir.ini
H:\WINDOWS\system32\QAbdNXyb.ini
H:\WINDOWS\system32\QAbdNXyb.ini2
H:\WINDOWS\system32\qoMcbcBq.dll
H:\WINDOWS\system32\raubhtya.dll
H:\WINDOWS\system32\ridddrke.ini
H:\WINDOWS\system32\rimwbovp.dll
H:\WINDOWS\system32\rlnfdief.dll
H:\WINDOWS\system32\sblbkkxc.dll
H:\WINDOWS\system32\sjvxgtli.ini
H:\WINDOWS\system32\sppeggas.dll
H:\WINDOWS\system32\ssqOhebA.dll
H:\WINDOWS\system32\ssqRLDVm.dll
H:\WINDOWS\system32\sxasyybg.dll
H:\WINDOWS\system32\syeyheby.ini
H:\WINDOWS\system32\tosoetou.dll
H:\WINDOWS\system32\tsafkcpp.dll
H:\WINDOWS\system32\twyFLkkj.ini
H:\WINDOWS\system32\twyFLkkj.ini2
H:\WINDOWS\system32\tybsowwp.dll
H:\WINDOWS\system32\ujbnotly.dll
H:\WINDOWS\system32\uvfgdpgq.ini
H:\WINDOWS\system32\vtefbqyb.ini
H:\WINDOWS\system32\wpymgnly.dll
H:\WINDOWS\system32\wvpcwcxf.dll
H:\WINDOWS\system32\wvwGikkj.ini
H:\WINDOWS\system32\wvwGikkj.ini2
H:\WINDOWS\system32\XIQBbccf.ini
H:\WINDOWS\system32\XIQBbccf.ini2
H:\WINDOWS\system32\xxyAssSM.dll
H:\WINDOWS\system32\xypksrnr.dll
H:\WINDOWS\system32\yabevthp.dll
H:\WINDOWS\system32\ybehyeys.dll
H:\WINDOWS\system32\yltpaeqb.ini
H:\WINDOWS\system32\ysypkcap.dll
H:\WINDOWS\system32\yurikbrn.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.
2008-07-01 19:56 . 2008-07-01 19:56 106,240 --a------ H:\WINDOWS\system32\uvjnbkgx.dll
2008-07-01 19:56 . 2008-07-01 19:56 106,240 --a------ H:\WINDOWS\system32\rrvljw.dll
2008-07-01 16:41 . 2008-07-01 17:31 23 --a------ H:\Documents and Settings\Kody.KYLE.001\jagex_runescape_preferences.dat
2008-06-30 19:56 . 2008-06-30 19:56 105,872 --a------ H:\WINDOWS\system32\zzxxyk.dll
2008-06-30 19:56 . 2008-06-30 19:56 105,872 --a------ H:\WINDOWS\system32\swsygrew.dll
2008-06-29 09:57 . 2008-06-29 09:57 105,856 --a------ H:\WINDOWS\system32\rlapeppx.dll
2008-06-29 09:57 . 2008-06-29 09:57 105,856 --a------ H:\WINDOWS\system32\fsluqm.dll
2008-06-28 07:29 . 2008-06-28 07:29 105,968 --a------ H:\WINDOWS\system32\ztlufu.dll
2008-06-28 07:29 . 2008-06-28 07:29 105,968 --a------ H:\WINDOWS\system32\ynvuqcde.dll
2008-06-27 22:08 . 2008-06-27 22:08 105,904 --a------ H:\WINDOWS\system32\jzbqgh.dll
2008-06-27 22:08 . 2008-06-27 22:08 105,904 --a------ H:\WINDOWS\system32\aeohxjac.dll
2008-06-27 00:24 . 2008-06-26 19:23 294 --ahs---- H:\WINDOWS\system32\ecxespli.ini
2008-06-26 19:23 . 2008-06-26 19:23 474 --ahs---- H:\WINDOWS\system32\ecxespli.tmp
2008-06-26 18:07 . 2008-06-26 18:07 107,968 --a------ H:\WINDOWS\system32\dwrvojcr.dll
2008-06-26 17:37 . 2008-06-26 17:37 91,568 --a------ H:\WINDOWS\system32\nrxbqkwu.dll
2008-06-26 14:53 . 2008-06-26 14:53 107,968 --a------ H:\WINDOWS\system32\vjbokgtu.dll
2008-06-26 14:49 . 2008-06-26 14:49 91,568 --a------ H:\WINDOWS\system32\biuslttf.dll
2008-06-26 14:40 . 2008-06-26 14:40 91,568 --a------ H:\WINDOWS\system32\dqomrclo.dll
2008-06-24 21:55 . 2008-06-24 21:55 <DIR> d-------- H:\Deckard
2008-06-20 22:39 . 2008-06-20 22:39 <DIR> d-------- H:\Documents and Settings\Kyle-Family Computer\Application Data\AdwareBot
2008-06-19 09:20 . 2008-06-19 09:20 <DIR> d-------- H:\Documents and Settings\Tiara\Application Data\Talkback
2008-06-19 09:11 . 2008-06-19 09:11 <DIR> d-------- H:\Documents and Settings\Tiara\Application Data\Nero
2008-06-19 09:10 . 2008-06-19 09:35 <DIR> d-------- H:\Documents and Settings\Tiara
2008-06-18 07:21 . 2008-06-18 07:21 <DIR> d-------- H:\Documents and Settings\Kody.KYLE.001\Application Data\Talkback
2008-06-16 23:09 . 2008-07-01 16:37 <DIR> d-------- H:\Documents and Settings\Kody.KYLE.001\Application Data\LimeWire
2008-06-16 23:08 . 2008-06-16 23:08 <DIR> d-------- H:\Program Files\LimeWire
2008-06-16 20:21 . 2008-06-16 21:26 <DIR> d-------- H:\Documents and Settings\Kody.KYLE.001\Contacts
2008-06-16 19:53 . 2008-06-16 19:53 <DIR> d-------- H:\Documents and Settings\Kody.KYLE.001\Application Data\Nero
2008-06-16 19:52 . 2008-07-01 16:41 <DIR> d-------- H:\Documents and Settings\Kody.KYLE.001
2008-06-16 19:26 . 2008-06-16 19:26 <DIR> d-------- H:\Documents and Settings\Stacy\Application Data\Nero
2008-06-16 19:13 . 2008-06-16 19:17 <DIR> d-------- H:\Program Files\Common Files\Nero
2008-06-14 21:54 . 2008-06-14 21:54 <DIR> d-------- H:\Program Files\Trend Micro
2008-06-13 21:12 . 2008-06-19 08:39 1,300 --a------ H:\WINDOWS\mozver.dat
2008-06-13 12:36 . 2008-06-13 12:36 <DIR> d-------- H:\Documents and Settings\Stacy\Application Data\Talkback
2008-06-12 12:22 . 2008-06-26 17:35 122,710 --a------ H:\WINDOWS\BM1736e4a6.xml
2008-06-10 15:50 . 2008-06-10 16:11 96,966 --a------ H:\WINDOWS\system32\drivers\klin.dat
2008-06-10 15:50 . 2008-06-10 16:11 88,774 --a------ H:\WINDOWS\system32\drivers\klick.dat
2008-06-10 15:48 . 2008-06-10 15:48 <DIR> d-------- H:\Program Files\Kaspersky Lab
2008-06-10 15:48 . 2008-07-02 10:12 <DIR> d-------- H:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-10 15:47 . 2008-07-02 10:45 4,928,032 --ahs---- H:\WINDOWS\system32\drivers\fidbox.dat
2008-06-10 15:47 . 2008-07-02 10:42 143,904 --ahs---- H:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-10 15:47 . 2008-07-02 10:38 67,028 --ahs---- H:\WINDOWS\system32\drivers\fidbox.idx
2008-06-10 15:47 . 2008-07-02 10:38 14,492 --ahs---- H:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-08 21:32 . 2008-06-08 21:32 <DIR> d-------- H:\Documents and Settings\Kodygh\Application Data\Symantec
2008-06-08 21:28 . 2008-06-11 07:53 <DIR> d-------- H:\Documents and Settings\Kodygh
2008-06-07 17:21 . 2008-06-07 17:21 139,876 --a------ H:\WINDOWS\system32\mlJAsSJa.dll
2008-06-04 16:22 . 2008-06-09 17:31 <DIR> d-------- H:\Program Files\Panda Security
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 21:48 --------- d-----w H:\Program Files\Windows Live
2008-06-16 23:13 --------- d-----w H:\Program Files\Nero
2008-06-16 23:13 --------- d-----w H:\Documents and Settings\All Users\Application Data\Nero
2008-06-15 02:02 7,885 ----a-w H:\Program Files\hijackthis.log
2008-06-13 09:04 --------- d-----w H:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-06-10 23:40 --------- d-----w H:\Documents and Settings\All Users\Application Data\LiveItchDoesFind
2008-06-10 21:48 --------- d-----w H:\Program Files\Common Files\Wise Installation Wizard
2008-06-10 21:39 --------- d-----w H:\Program Files\Common Files\Symantec Shared
2008-06-10 20:59 --------- d-----w H:\Program Files\Norton 360
2008-06-10 20:14 112,144 ----a-w H:\WINDOWS\system32\drivers\kl1.sys
2008-05-21 19:03 --------- d-----w H:\Program Files\Rogers
2008-05-18 19:27 --------- d-----w H:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-04 16:14 --------- d-----w H:\Documents and Settings\Stacy\Application Data\LimeWire
2007-10-21 20:32 27,520 ----a-w H:\Documents and Settings\Kody.KYLE\Application Data\GDIPFONTCACHEV1.DAT
2007-06-21 00:24 24,928 ----a-w H:\Documents and Settings\Kyle-Family Computer\Application Data\GDIPFONTCACHEV1.DAT
2007-04-25 11:33 59,648 ----a-w H:\Documents and Settings\Kody\Application Data\GDIPFONTCACHEV1.DAT
2006-09-28 17:32 6,232 ----a-w H:\Documents and Settings\All Users\Application Data\ypinfo.bin
2005-10-29 20:59 0 ----a-w H:\Documents and Settings\Stacy\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34daeb15-b09a-4028-aa23-33288a68be84}]
2008-07-01 19:56 106240 --a------ H:\WINDOWS\system32\rrvljw.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-18 03:54 68856]
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="H:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"EPSON Stylus CX4200 Series"="H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-08 04:00 98304]
"HP Software Update"="H:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-03-29 23:16 49152]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [2007-06-08 20:24 282624]
"Adobe Reader Speed Launcher"="H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Flag Owns Live Grim"="H:\Documents and Settings\All Users\Application Data\Software rule flag owns\Flag Jump.exe" [2008-07-02 10:15 8185344]
"NeroFilterCheck"="H:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NBKeyScan"="H:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 14:21 2213160]
H:\Documents and Settings\Tiara and Kody\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - H:\Program Files\LimeWire\LimeWire.exe [2008-06-05 14:52:50 147456]
H:\Documents and Settings\Kody.KYLE.000\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - H:\Program Files\LimeWire\LimeWire.exe [2008-06-05 14:52:50 147456]
H:\Documents and Settings\Kody.KYLE.001\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - H:\Program Files\LimeWire\LimeWire.exe [2008-06-05 14:52:50 147456]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=H:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\\Program Files\\LimeWire\\LimeWire.exe"=
"H:\\Program Files\\Messenger\\msmsgs.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{348ba13a-f76c-11db-918e-0013d3529847}]
\Shell\AutoRun\command - J:\.\Start.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70ce5195-086f-11da-a586-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 07:00:00 H:\WINDOWS\Tasks\AdwareBot Scheduled Scan.job"
- H:\Program Files\AdwareBot\AdwareBot.ex
- H:\Program Files\AdwareBot
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MsnMsgr - H:\Program Files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - H:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
HKLM-Run-423b2b70 - H:\WINDOWS\system32\ybehyeys.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 10:42:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
H:\WINDOWS\system32\ati2evxx.exe
H:\WINDOWS\system32\ati2evxx.exe
H:\WINDOWS\system32\netdde.exe
H:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
H:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
H:\WINDOWS\system32\wscntfy.exe
H:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-07-02 10:51:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 14:51:00
Pre-Run: 180,114,669,568 bytes free
Post-Run: 180,496,629,760 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\="Recovery"
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
298 --- E O F --- 2008-05-27 22:59:12