Hi, this is what I have:
C:\ComboFix.txt:
ComboFix 08-02.05.3 - User 2008-02-07 23:34:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.649 [GMT -5:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\morelion.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\morelion.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_IUR99
-------\iur99
((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.
2008-02-07 15:37 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-07 01:24 . 2008-02-07 01:24 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-02-07 00:32 . 2004-08-04 05:00 388,608 --a------ C:\kmd.exe
2008-02-06 17:35 . 2008-02-06 17:35 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-02-06 17:35 . 2008-02-06 22:45 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-02-05 22:02 . 2008-02-05 22:02 70,120 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-02-05 21:49 . 2008-02-05 21:49 <DIR> d-------- C:\Program Files\Ready to Program
2008-02-01 23:45 . 2008-02-01 23:45 <DIR> d-------- C:\Deckard
2008-02-01 22:11 . 2008-02-01 22:13 <DIR> d-------- C:\ie-spyad_zo
2008-02-01 22:03 . 2008-02-07 01:27 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-02-01 21:52 . 2007-06-08 09:44 8,576 --------- C:\WINDOWS\system32\drivers\mekyvadoedlc.sys
2008-02-01 18:29 . 2008-02-01 18:29 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-02-01 18:18 . 2008-02-01 18:18 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-01 18:15 . 2008-02-01 18:15 <DIR> d-------- C:\Program Files\HP
2008-02-01 18:12 . 2008-02-01 18:19 116,970 --------- C:\WINDOWS\hpoins11.dat
2008-01-30 00:03 . 2008-02-02 00:47 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-29 17:14 . 2008-01-29 23:52 32 --------- C:\WINDOWS\Menu.INI
2008-01-28 02:02 . 2008-01-28 01:58 0 --------- C:\WINDOWS\_detmp.2
2008-01-28 01:59 . 2008-01-28 01:58 0 --------- C:\WINDOWS\_detmp.1
2008-01-28 01:47 . 2008-01-28 01:48 <DIR> d-------- C:\Documents and Settings\User\Application Data\OfficeUpdate12
2008-01-28 01:45 . 2008-01-28 01:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-28 01:43 . 2008-02-07 18:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-01-28 01:31 . 2008-01-28 01:31 1,409 --------- C:\WINDOWS\QTFont.for
2008-01-28 01:30 . 2008-01-28 01:30 <DIR> d-------- C:\Program Files\iPod
2008-01-28 01:29 . 2008-02-01 23:20 <DIR> d-------- C:\Program Files\iTunes
2008-01-28 01:26 . 2008-01-28 01:27 <DIR> d-------- C:\Program Files\QuickTime
2008-01-28 01:22 . 2008-01-28 01:22 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-28 01:01 . 2008-01-28 01:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-27 23:12 . 2008-01-27 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-27 23:08 . 2008-01-27 23:11 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-27 01:24 . 2008-01-27 01:24 221 --------- C:\WINDOWS\NCLogConfig.ini
2008-01-25 18:12 . 2008-02-01 01:27 370 --------- C:\WINDOWS\SIERRA.INI
2008-01-25 18:02 . 1994-08-24 00:00 188,960 --------- C:\WINDOWS\system\WINGDE.DLL
2008-01-25 18:02 . 1994-09-21 00:00 92,208 --------- C:\WINDOWS\system\WING.DLL
2008-01-25 18:02 . 1994-11-29 00:00 44,464 --------- C:\WINDOWS\system\D2HTOOLS.DLL
2008-01-25 18:02 . 1994-09-21 00:00 12,800 --------- C:\WINDOWS\system\WING32.DLL
2008-01-25 18:02 . 1994-09-21 00:00 6,736 --------- C:\WINDOWS\system\WINGDIB.DRV
2008-01-25 18:02 . 1994-09-21 00:00 5,024 --------- C:\WINDOWS\system\WINGPAL.WND
2008-01-25 18:02 . 1994-06-27 00:00 1,966 --------- C:\WINDOWS\system\DVA.386
2008-01-22 20:20 . 2008-02-07 00:23 <DIR> d-------- C:\Program Files\Microsoft Games
2008-01-21 15:11 . 2008-01-21 15:11 <DIR> d-------- C:\Documents and Settings\User\WINDOWS
2008-01-21 15:11 . 1996-08-16 13:49 298,496 --------- C:\WINDOWS\uninst.exe
2008-01-18 17:13 . 2008-01-18 18:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-18 15:36 . 2007-06-08 09:44 8,576 --------- C:\WINDOWS\system32\drivers\rjvescefttgt.sys
2008-01-18 15:18 . 2008-02-01 23:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-18 15:18 . 2008-02-01 21:48 30,590 --------- C:\WINDOWS\system32\pavas.ico
2008-01-18 15:18 . 2008-02-01 21:48 2,550 --------- C:\WINDOWS\system32\Uninstall.ico
2008-01-18 15:18 . 2008-02-01 21:48 1,406 --------- C:\WINDOWS\system32\Help.ico
2008-01-14 20:31 . 2008-01-14 20:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\pixelStorm
2008-01-11 23:01 . 2008-01-11 23:01 <DIR> d-------- C:\Program Files\Chikka Messenger
2008-01-11 22:42 . 2008-02-07 16:07 <DIR> d-------- C:\Program Files\Xvid
2008-01-11 22:42 . 2007-06-28 18:52 765,952 --------- C:\WINDOWS\system32\xvidcore.dll
2008-01-11 22:42 . 2007-06-28 18:54 180,224 --------- C:\WINDOWS\system32\xvidvfw.dll
2008-01-11 22:42 . 2007-06-28 18:55 77,824 --------- C:\WINDOWS\system32\xvid.ax
2008-01-10 19:39 . 2008-02-01 23:22 <DIR> d-------- C:\Program Files\Windows Defender
2008-01-10 15:29 . 2008-01-10 15:41 <DIR> d-------- C:\Program Files\Windows Live
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --------- C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --------- C:\WINDOWS\system32\QuickTime.qts
2008-01-09 19:47 . 2008-01-09 19:47 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 04:36 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-07 06:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-07 03:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 05:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-02 04:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-28 23:10 --------- d-----w C:\Documents and Settings\User\Application Data\Image Zone Express
2008-01-28 18:14 --------- d-----w C:\Program Files\Apple Software Update
2008-01-10 20:24 45,056 --sh--w C:\WINDOWS\bitdot.dll
2008-01-06 01:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-05 23:15 47,360 ------w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-04 04:56 --------- d-----w C:\Program Files\Microsoft Works
2008-01-04 04:52 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-01-07 04:55 28 --sh--w C:\WINDOWS\bitdot.dat
2007-01-07 04:55 8,464 --sh--w C:\WINDOWS\system32\sporder.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"ChikkaDefault"="C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe" [2007-08-28 17:11 36864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-01-23 09:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-01-23 09:31 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 13:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-01-18 04:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d3cbaa-8028-11dc-8623-000f1f927d07}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{468a92cc-5a31-11dc-85cc-000f1f927d07}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 23:14:16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-07 21:05:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-07 04:45:00 C:\WINDOWS\Tasks\WebReg psc C3100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-02-07 23:36:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-07 23:39:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 04:39:01
ComboFix2.txt 2008-02-07 21:07:07
.
2008-02-07 21:07:16 --- E O F ---
Kaspersky results:
KASPERSKY ONLINE SCANNER REPORT
Friday, February 08, 2008 3:06:20 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/02/2008
Kaspersky Anti-Virus database records: 553987
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 39161
Number of viruses found 7
Number of infected objects 39
Number of suspicious objects 0
Duration of the scan process 00:55:44
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01102008-193920.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{58A32B48-8A91-49AC-94D6-EA7D2ECB2D19} Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008020820080209\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0062NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0096NAV~.TMP Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\DFiQehr0E9_3103.exe.vir/data0002/data0001.bin Infected: Trojan-Downloader.Win32.Agent.hkj skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\DFiQehr0E9_3103.exe.vir/data0002 Infected: Trojan-Downloader.Win32.Agent.hkj skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\DFiQehr0E9_3103.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\KqlOcagh9x_3103.exe.vir/data0002 Infected: Trojan-Downloader.Win32.Agent.hej skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\KqlOcagh9x_3103.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\MxUK7IUi16_3103.vir/stream/data0001/data0001.bin Infected: Trojan-Downloader.Win32.Agent.iap skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\MxUK7IUi16_3103.vir/stream/data0001 Infected: Trojan-Downloader.Win32.Agent.iap skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\MxUK7IUi16_3103.vir/stream Infected: Trojan-Downloader.Win32.Agent.iap skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\MxUK7IUi16_3103.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\yV8qWKyK0W_3103.exe.vir/data0002/data0001.bin Infected: Trojan-Downloader.Win32.Agent.hkj skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\yV8qWKyK0W_3103.exe.vir/data0002 Infected: Trojan-Downloader.Win32.Agent.hkj skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\SYSTEM\yV8qWKyK0W_3103.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_3103.dll.vir Infected: not-a-virus:AdWare.Win32.IEHlpr.bd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook254.exe.vir/stream/data0002/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook254.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook254.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dodolook254.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\morelion.exe.vir/data.rar/wtlair.dll Infected: not-a-virus:AdWare.Win32.Hengbang.ac skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\morelion.exe.vir/data.rar Infected: not-a-virus:AdWare.Win32.Hengbang.ac skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\morelion.exe.vir RarSFX: infected - 2 skipped
C:\QooBox\Quarantine\catchme2008-02-07_160242.95.zip/iur99.sys Infected: Trojan-Downloader.Win32.Hmir.tk skipped
C:\QooBox\Quarantine\catchme2008-02-07_160242.95.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032545.exe/stream/data0002/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032545.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032545.exe/stream Infected: not-a-virus:AdWare.Win32.Cinmus.bdh skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032545.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032547.exe/data0002/data0001.bin Infected: Trojan-Downloader.Win32.Agent.hkj skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032547.exe/data0002 Infected: Trojan-Downloader.Win32.Agent.hkj skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032547.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032548.exe/data0002 Infected: Trojan-Downloader.Win32.Agent.hej skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032548.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032549.exe/data0002/data0001.bin Infected: Trojan-Downloader.Win32.Agent.hkj skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032549.exe/data0002 Infected: Trojan-Downloader.Win32.Agent.hkj skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032549.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP242\A0032550.dll Infected: not-a-virus:AdWare.Win32.IEHlpr.bd skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP243\A0032605.dll Infected: Trojan-Downloader.Win32.Hmir.tk skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP245\A0032619.exe/data.rar/wtlair.dll Infected: not-a-virus:AdWare.Win32.Hengbang.ac skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP245\A0032619.exe/data.rar Infected: not-a-virus:AdWare.Win32.Hengbang.ac skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP245\A0032619.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{441C4F76-685B-4810-BD85-5A366DC41C77}\RP245\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D88A4ECF-F01E-4239-89EA-14074A36033A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:31 AM, on 08/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChikkaDefault] C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary...t.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 7319 bytes
Update on system behavior:
I've noticed that I haven't been getting these pop-ups while browsing the Internet since the first ComboFix operation.
Thank you.