02-07-2008, 02:25 PM   #9
jusatsking
Registered User
 
Join Date: Jan 2008
Posts: 9
OS: xp pro sp2


Re: Pop ups - Win32/BaiduSobar or Win32/Henbang

So that's why I didn't get the log; I thought it was done after the "drag and drop thing". lol Anyways, I followed what you said and here's the log.

C:\ComboFix.txt:

ComboFix 08-02.05.3 - User 2008-02-07 15:38:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.568 [GMT -5:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\iur99.sys
C:\Documents and Settings\All Users\Application Data\microsoft\office\system
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\6P2nzohpdw_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\AtwFRWIWZc_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\DFiQehr0E9_3103.exe
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\k18NVRc7Kb_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\keWwOL8j35_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\KqlOcagh9x_3103.exe
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\mh79dEPbiS_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\MxUK7IUi16_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\Qa5G3xjmmT_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\QLcY7HR73w_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\sysloader.exe
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\uf0GPYlcZP_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\ydHh9ZbzCA_3103
C:\Documents and Settings\All Users\Application Data\microsoft\office\system\yV8qWKyK0W_3103.exe
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata
C:\Documents and Settings\All Users\Application Data\microsoft\office\userdata\webbrowser_3103.dll
C:\Documents and Settings\All Users\Application Data\microsoft\pctools
C:\WINDOWS\KB611311.log
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\dodolook254.exe
C:\WINDOWS\system32\drivers\iur99.sys
C:\WINDOWS\system32\iexp_log.txt
C:\WINDOWS\system32\mstacim.sig
C:\WINDOWS\system32\systeminfo3.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SYSLOADER
-------\sysloader


((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-07 15:37 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-07 01:24 . 2008-02-07 01:24 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-06 17:35 . 2008-02-06 17:35 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-06 17:35 . 2008-02-06 22:45 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-02-05 22:02 . 2008-02-05 22:02 70,120 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-02-05 21:49 . 2008-02-05 21:49 <DIR> d-------- C:\Program Files\Ready to Program
2008-02-01 23:45 . 2008-02-01 23:45 <DIR> d-------- C:\Deckard
2008-02-01 22:11 . 2008-02-01 22:13 <DIR> d-------- C:\ie-spyad_zo
2008-02-01 22:03 . 2008-02-07 01:27 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-01 21:52 . 2007-06-08 09:44 8,576 --------- C:\WINDOWS\system32\drivers\mekyvadoedlc.sys
2008-02-01 18:29 . 2008-02-01 18:29 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-02-01 18:18 . 2008-02-01 18:18 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-01 18:15 . 2008-02-01 18:15 <DIR> d-------- C:\Program Files\HP
2008-02-01 18:12 . 2008-02-01 18:19 116,970 --------- C:\WINDOWS\hpoins11.dat
2008-01-30 00:03 . 2008-02-02 00:47 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-29 17:14 . 2008-01-29 23:52 32 --------- C:\WINDOWS\Menu.INI
2008-01-28 02:02 . 2008-01-28 01:58 0 --------- C:\WINDOWS\_detmp.2
2008-01-28 01:59 . 2008-01-28 01:58 0 --------- C:\WINDOWS\_detmp.1
2008-01-28 01:47 . 2008-01-28 01:48 <DIR> d-------- C:\Documents and Settings\User\Application Data\OfficeUpdate12
2008-01-28 01:45 . 2008-01-28 01:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-28 01:43 . 2008-02-01 02:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-28 01:31 . 2008-01-28 01:31 1,409 --------- C:\WINDOWS\QTFont.for
2008-01-28 01:30 . 2008-01-28 01:30 <DIR> d-------- C:\Program Files\iPod
2008-01-28 01:29 . 2008-02-01 23:20 <DIR> d-------- C:\Program Files\iTunes
2008-01-28 01:26 . 2008-01-28 01:27 <DIR> d-------- C:\Program Files\QuickTime
2008-01-28 01:22 . 2008-01-28 01:22 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-28 01:01 . 2008-01-28 01:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-27 23:12 . 2008-01-27 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-27 23:08 . 2008-01-27 23:11 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-27 01:24 . 2008-01-27 01:24 221 --------- C:\WINDOWS\NCLogConfig.ini
2008-01-25 18:12 . 2008-02-01 01:27 370 --------- C:\WINDOWS\SIERRA.INI
2008-01-25 18:02 . 1994-08-24 00:00 188,960 --------- C:\WINDOWS\system\WINGDE.DLL
2008-01-25 18:02 . 1994-09-21 00:00 92,208 --------- C:\WINDOWS\system\WING.DLL
2008-01-25 18:02 . 1994-11-29 00:00 44,464 --------- C:\WINDOWS\system\D2HTOOLS.DLL
2008-01-25 18:02 . 1994-09-21 00:00 12,800 --------- C:\WINDOWS\system\WING32.DLL
2008-01-25 18:02 . 1994-09-21 00:00 6,736 --------- C:\WINDOWS\system\WINGDIB.DRV
2008-01-25 18:02 . 1994-09-21 00:00 5,024 --------- C:\WINDOWS\system\WINGPAL.WND
2008-01-25 18:02 . 1994-06-27 00:00 1,966 --------- C:\WINDOWS\system\DVA.386
2008-01-22 20:20 . 2008-02-07 00:23 <DIR> d-------- C:\Program Files\Microsoft Games
2008-01-21 15:11 . 2008-01-21 15:11 <DIR> d-------- C:\Documents and Settings\User\WINDOWS
2008-01-21 15:11 . 1996-08-16 13:49 298,496 --------- C:\WINDOWS\uninst.exe
2008-01-18 17:13 . 2008-01-18 18:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 15:36 . 2007-06-08 09:44 8,576 --------- C:\WINDOWS\system32\drivers\rjvescefttgt.sys
2008-01-18 15:18 . 2008-02-01 23:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-18 15:18 . 2008-02-01 21:48 30,590 --------- C:\WINDOWS\system32\pavas.ico
2008-01-18 15:18 . 2008-02-01 21:48 2,550 --------- C:\WINDOWS\system32\Uninstall.ico
2008-01-18 15:18 . 2008-02-01 21:48 1,406 --------- C:\WINDOWS\system32\Help.ico
2008-01-14 20:31 . 2008-01-14 20:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-01-11 23:01 . 2008-01-11 23:01 <DIR> d-------- C:\Program Files\Chikka Messenger
2008-01-11 22:42 . 2008-01-11 22:42 <DIR> d-------- C:\Program Files\Xvid
2008-01-11 22:42 . 2007-06-28 18:52 765,952 --------- C:\WINDOWS\system32\xvidcore.dll
2008-01-11 22:42 . 2007-06-28 18:54 180,224 --------- C:\WINDOWS\system32\xvidvfw.dll
2008-01-11 22:42 . 2007-06-28 18:55 77,824 --------- C:\WINDOWS\system32\xvid.ax
2008-01-10 19:39 . 2008-02-01 23:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-10 15:29 . 2008-01-10 15:41 <DIR> d-------- C:\Program Files\Windows Live
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --------- C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --------- C:\WINDOWS\system32\QuickTime.qts
2008-01-09 19:47 . 2008-01-09 19:47 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 20:39 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-07 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-07 03:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 05:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 04:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 23:10 --------- d-----w C:\Documents and Settings\User\Application Data\Image Zone Express
2008-01-28 18:14 --------- d-----w C:\Program Files\Apple Software Update
2008-01-10 20:24 45,056 --sh--w C:\WINDOWS\bitdot.dll
2008-01-06 01:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 23:15 47,360 ------w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-05 16:42 20,541 ------w C:\WINDOWS\system32\detoured.dll
2008-01-04 04:56 --------- d-----w C:\Program Files\Microsoft Works
2008-01-04 04:52 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-01-07 04:55 28 --sh--w C:\WINDOWS\bitdot.dat
2007-01-07 04:55 8,464 --sh--w C:\WINDOWS\system32\sporder.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"ChikkaDefault"="C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe" [2007-08-28 17:11 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 09:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 09:31 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 13:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-18 04:00]
S0 iur99;iur9;C:\WINDOWS\system32\DRIVERS\iur99.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d3cbaa-8028-11dc-8623-000f1f927d07}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468a92cc-5a31-11dc-85cc-000f1f927d07}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 23:14:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-07 21:05:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-07 04:45:00 C:\WINDOWS\Tasks\WebReg psc C3100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 16:02:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-07 16:07:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 21:06:32
.
2008-02-06 00:07:59 --- E O F ---




I just want to know if you have seen this problem (or malware) being very dangerous, in the sense that it hacks or steals passwords, credit card numbers, etc.

Thank you.