08-12-2007, 04:21 PM   #5
ohimtheking
Registered User
 
Join Date: Aug 2007
Posts: 5
OS: XP


Re: Pop-ups and recurring infections - can't clean.

Thanks, there is no listing for 'viewpoint' in the remove program function and nothing that looks unusual (although this is my daughter's PC so I'm not too familiar with what she may or may not have installed). One thing, after the ComboFix reboot I received a 'Microsoft Visual C++ Debug Library' pop-up alert with a 'Debug Assertion Failed' message.

Other info in the alert:

Program: C\hp\drivers\hplsbwatcher\lsburnwatcher.exe
File: C:\program files\microsoft visual studios.net 2003\vc7\atlmfc\include\atfile.h
Line: 188
Expression: m_h !=0


Anyway, here are the logs...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 12, 2007 6:16:34 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/08/2007
Kaspersky Anti-Virus database records: 379047
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 80721
Number of viruses found: 21
Number of infected objects: 47
Number of suspicious objects: 2
Duration of the scan process: 01:57:40

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\WINDOWS\temp\botFFC5.tmp Infected: Trojan-Proxy.Win32.Xorpix.ar skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{42A879BC-DDCE-48AC-AD50-24AB32145C72}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\19e26cec064e9195496f0b92ff8bcf4b_077e7ab7-aa53-44fb-a82a-28c9e931a4f8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\216f2eb77c793b4ddb489a6228420f30_077e7ab7-aa53-44fb-a82a-28c9e931a4f8 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/win3F.tmp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~freesetup.exe/file01 Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~freesetup.exe/file02/file01 Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~freesetup.exe/file02 Infected: Trojan-Downloader.Win32.Agent.alr skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~freesetup.exe/file18 Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~freesetup.exe/file83 Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~freesetup.exe Inno: infected - 5 skipped
C:\Documents and Settings\HP_Owner\Shared\(Better Version) megatech 54.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\HP_Owner\Shared\(naked) megatech 21.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\HP_Owner\Shared\by Fry - megatech 40.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\HP_Owner\Shared\HuMMeR megatech 45.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\HP_Owner\Shared\Imogen Heap- Foolish.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\HP_Owner\Shared\megatech 08.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\HP_Owner\Shared\shared by m0m get the party ktu remix 25.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\HP_Owner\Shared\Top of Charts - 2005 (love).wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
C:\Documents and Settings\HP_Owner\Shared\your love shines on me 23.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\HP_Owner\Shared\[[ your love shines on me 29.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Marc\.housecall6.6\Quarantine\02 - your love shines on me 50.wma.bac_a01760 Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\Marc\.housecall6.6\Quarantine\1CB.tmp.bac_a01760/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Marc\.housecall6.6\Quarantine\1CB.tmp.bac_a01760 NSIS: infected - 1 skipped
C:\Documents and Settings\Marc\.housecall6.6\Quarantine\1CB.tmp.bac_a01760 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Marc\.housecall6.6\Quarantine\[release] megatech 50.wma.bac_a01760 Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\Marc\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Marc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marc\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Marc\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\TTC.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0002/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.b skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0006 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0007 Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0008 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0009 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir/data0010 Infected: Trojan-Downloader.Win32.Small.dxm skipped
C:\QooBox\Quarantine\C\Temp\bY001.exe.vir NSIS: infected - 7 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\chpemgkg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\QooBox\Quarantine\catchme2007-08-12_120558.43.zip/jkklm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.la skipped
C:\QooBox\Quarantine\catchme2007-08-12_120558.43.zip/byvspqq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\catchme2007-08-12_120558.43.zip ZIP: infected - 2 skipped
C:\QooBox\Quarantine\catchme2007-08-12_153344.23.zip/oobualw.dll Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\QooBox\Quarantine\catchme2007-08-12_153344.23.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP2\A0000071.sys Infected: Trojan.Win32.Patched.ad skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP2\A0000076.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0000146.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.gp skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0000168.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0000170.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0000188.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.la skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0000189.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP6\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{28EECD8B-AFFA-41D0-B313-2EB916DD74D6}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_vQMUL6baMD6KEGC Object is locked skipped
C:\WINDOWS\Temp\mcmsc_CV6dv9ZNNCcKYhx Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Oznik9jNYIprKkl Object is locked skipped
C:\WINDOWS\Temp\mcmsc_TXsrFPOAF1HSxi3 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_VNYNmISjnKPbscL Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\I386\Apps\APP20310\src\HPSummer2005.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
D:\I386\Apps\APP20310\src\HPSummer2005.exe WiseSFX: infected - 1 skipped
D:\I386\Apps\APP20310\src\HPSummer2005.exe WiseSFX Dropper: infected - 1 skipped
D:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP6\change.log Object is locked skipped

Scan process completed.


ComboFix 07-08-12.5 - "Marc" 2007-08-12 15:29:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.130 [GMT -4:00]
Command switches used :: C:\Documents and Settings\Marc\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\oobualw.dll
C:\Temp\bY001.exe
C:\WINDOWS\Setup167.exe
C:\WINDOWS\qooz


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Viewpoint
C:\Temp\bY001.exe
C:\WINDOWS\Setup167.exe
C:\WINDOWS\system32\oobualw.dll


((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


2007-08-12 11:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-11 18:37 <DIR> d-------- C:\Deckard
2007-08-11 18:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-11 13:27 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-11 11:08 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-08-11 00:42 <DIR> d-------- C:\DOCUME~1\Marc\APPLIC~1\acccore
2007-08-10 23:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-10 23:30 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-10 22:18 <DIR> d-------- C:\DOCUME~1\Marc\.housecall6.6
2007-08-10 10:16 <DIR> d---s---- C:\DOCUME~1\Marc\UserData
2007-08-10 09:21 1,572,864 --ah----- C:\DOCUME~1\Marc\NTUSER.DAT
2007-08-10 09:21 <DIR> d-------- C:\DOCUME~1\Marc\WINDOWS
2007-08-10 09:21 <DIR> d-------- C:\DOCUME~1\Marc\APPLIC~1\Symantec
2007-08-10 09:21 <DIR> d-------- C:\DOCUME~1\Marc\APPLIC~1\SampleView
2007-08-10 09:21 <DIR> d-------- C:\DOCUME~1\Marc\APPLIC~1\Real
2007-08-10 09:21 <DIR> d-------- C:\DOCUME~1\Marc\APPLIC~1\InterMute
2007-08-10 09:21 <DIR> d-------- C:\DOCUME~1\Marc\APPLIC~1\Apple Computer
2007-08-10 08:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-09 18:35 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-09 18:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-08-09 18:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-08-09 18:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-08-09 18:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-08-09 18:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterMute
2007-08-09 18:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-08-03 23:42 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-08-03 23:40 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-08-03 23:40 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-08-03 23:40 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-08-03 23:40 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-08-03 23:40 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-08-03 23:39 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-08-03 23:37 <DIR> d-------- C:\Program Files\McAfee.com
2007-08-03 23:36 <DIR> d-------- C:\Program Files\McAfee
2007-08-03 23:36 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-08-03 21:51 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-03 21:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-03 21:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-03 21:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-03 17:50 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-08-03 17:28 <DIR> d-------- C:\Temp
2007-07-30 18:12 <DIR> d-------- C:\WINDOWS\qooz
2007-07-30 18:12 <DIR> d-------- C:\Program Files\Common Files\qooz


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 17:28 --------- d-------- C:\Program Files\QuickTime
2007-08-11 17:20 --------- d-------- C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor
2007-08-11 17:19 --------- d-a------ C:\Program Files\Common Files\LightScribe
2007-08-09 22:17 --------- d-------- C:\Program Files\DivX
2007-08-09 18:19 --------- d-------- C:\Program Files\AIM
2007-08-03 23:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-03 23:12 --------- d-------- C:\Program Files\PC-Doctor for Windows
2007-08-03 17:34 14336 --a------ C:\WINDOWS\system32\svchost.exe
2007-08-03 17:34 14336 --a------ C:\WINDOWS\system32\dllcache\svchost.exe
2007-05-16 11:12 86528 --a------ C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --a------ C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --a------ C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-04-12 11:31 C:\WINDOWS\system32\SiSPower.dll]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 18:34]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 09:54]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" []
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" []
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-01-27 13:17]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-24 18:59]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-13 23:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:00]
"Aim6"="C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" [2006-09-25 20:52]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-09-02 20:36:21]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 22:28:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R2 WUSB54GCSVC;WUSB54GCSVC;"C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe"
S3 BCM42RLY;BCM42RLY;\??\C:\WINDOWS\System32\BCM42RLY.SYS


Contents of the 'Scheduled Tasks' folder
2007-08-04 03:38:47 C:\WINDOWS\Tasks\McDefragTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe
2007-08-04 03:38:45 C:\WINDOWS\Tasks\McQcTask.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-12 15:33:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-12 15:37:09 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-12 15:37
C:\ComboFix2.txt ... 2007-08-12 12:08

--- E O F ---