
Smitfraud (core.cache.dsk) / Tratbho Is The Only Infection Left


This topic is locked.
18 replies to this topic

#1 davey doodle

Posted 16 January 2008 - 09:46 PM

Hi! I'm cleaning up my daughter's XP-SP2. Now have Avast! current. (Darn her!) Ran Spybot and AdAware 2007 and removed everything but one last pest. Avast identifies core.cache.dsk, while Spybot identifies it as TratBHO.

Here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:14 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://casper.bresnanhsi.com/community
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\system32\xxyxvtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O20 - Winlogon Notify: xxyxvtr - C:\WINDOWS\SYSTEM32\xxyxvtr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://bresnan.bresnanonline.net/templates...s/page_bkgd.gif

--
End of file - 5842 bytes

Thanks for any suggestions that you can provide!



#2 rookie147

Posted 17 January 2008 - 05:00 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Please download VundoFix to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Please include VundoFix.txt and a new HijackThis log in your next reply.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 davey doodle (Topic Starter)

Posted 20 January 2008 - 05:09 PM

Charles,

Thanks for being willing to help folks, and for the suggestion. It took me a few days to get over to my daughter's house to run VundoFix. Unfortunately, it only removed two of the three problem DLLs. I tried the last time in safe mode. Here are the logs:

----------------------------------------------------------------------------
VundoFix V6.7.7

Checking Java version...

Scan started at 5:01:57 PM 1/11/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\wvutuut.dll
C:\WINDOWS\SYSTEM32\xxyxvtr.dll

VundoFix V6.7.7

Checking Java version...

Scan started at 1:04:30 PM 1/20/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\pmkhh.dll
C:\WINDOWS\SYSTEM32\wvutuut.dll
C:\WINDOWS\SYSTEM32\xxyxvtr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\pmkhh.dll
C:\WINDOWS\SYSTEM32\pmkhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\wvutuut.dll
C:\WINDOWS\SYSTEM32\wvutuut.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\xxyxvtr.dll
C:\WINDOWS\SYSTEM32\xxyxvtr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 1:36:09 PM 1/20/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\xxyxvtr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\xxyxvtr.dll
C:\WINDOWS\SYSTEM32\xxyxvtr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\xxyxvtr.dll
C:\WINDOWS\SYSTEM32\xxyxvtr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Scan started at 2:04:25 PM 1/20/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\xxyxvtr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\xxyxvtr.dll
C:\WINDOWS\SYSTEM32\xxyxvtr.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\xxyxvtr.dll
C:\WINDOWS\SYSTEM32\xxyxvtr.dll Could not be deleted.

Performing Repairs to the registry.
Done!
==============================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:25 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://casper.bresnanhsi.com/community
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\system32\xxyxvtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://bresnan.bresnanonline.net/templates...s/page_bkgd.gif

--
End of file - 5968 bytes
========================================
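What the helper is reacting to in the first HijackThis log is the pair of entries for C:\WINDOWS\system32\xxyxvtr.dll: an O2 BHO registered with no display name, and an O20 Winlogon Notify package pointing at the same file. A Notify DLL is mapped into winlogon.exe at logon, safe mode included, which is why VundoFix keeps reporting that the file could not be deleted. Comparing the two logs shows what VundoFix's registry repair did and did not do: the O20 line is gone from the second log, but the BHO registration and the file itself remain. The script below is an added example by this editor, not code from the original thread or from HijackThis. It runs three heuristics over the O2/O20 lines copied from the two logs above (same DLL registered as BHO and Notify package, BHO without a name, random-looking 5-8 letter name in system32; the "random-looking" rule is this editor's approximation) and reports which DLLs trip them.

```python
"""Flag the Vundo persistence pattern in HijackThis log lines.

Added example, not code from the original thread or from HijackThis. The
sample lines are copied from the two logs posted above; the heuristics are
this editor's own approximation of what a log reader looks for.
"""
import ntpath
import re

# O2/O3/O20 lines from the first log (before VundoFix ran).
HJT_LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\system32\xxyxvtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: xxyxvtr - C:\WINDOWS\SYSTEM32\xxyxvtr.dll
""".strip().splitlines()

# The same section from the second log: the O20 line is gone, the BHO remains.
HJT_LOG_AFTER = [line for line in HJT_LOG_BEFORE if not line.startswith("O20 ")]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def random_looking(stem):
    """Editor's heuristic for Vundo-style names: 5-8 lowercase letters with
    at most one distinct vowel (xxyxvtr, wvutuut, pmkhh all qualify)."""
    if not (5 <= len(stem) <= 8 and stem.isalpha() and stem.islower()):
        return False
    return len(set(stem) & set("aeiou")) <= 1


def in_system32(path):
    """True when the file lives directly in a ...\\system32 directory."""
    return ntpath.dirname(path).lower().endswith("\\system32")


def triage(lines):
    """Return {dll basename: [reasons]} for every DLL that trips a heuristic."""
    bho, notify = {}, {}
    for line in lines:
        m = O2_RE.match(line)
        if m:
            bho[ntpath.basename(m["path"]).lower()] = (m["name"], m["path"])
            continue
        m = O20_RE.match(line)
        if m:
            notify[ntpath.basename(m["path"]).lower()] = m["path"]

    findings = {}
    for base in sorted(set(bho) | set(notify)):
        name, path = bho.get(base, (None, notify.get(base)))
        reasons = []
        if base in bho and base in notify:
            reasons.append("same DLL registered as a BHO and as a Winlogon Notify package")
        if name == "(no name)":
            reasons.append("BHO registered without a display name")
        if in_system32(path) and random_looking(ntpath.splitext(base)[0]):
            reasons.append("random-looking DLL name in system32")
        if reasons:
            findings[base] = reasons
    return findings


if __name__ == "__main__":
    for label, log in (("before VundoFix", HJT_LOG_BEFORE), ("after VundoFix", HJT_LOG_AFTER)):
        print(label)
        for dll, reasons in triage(log).items():
            print("  ", dll, "->", "; ".join(reasons))
```

The known-good BHOs (Adobe, Spybot, Google) stay quiet under all three rules, and xxyxvtr.dll still trips two of them in the second log even though the O20 pairing is gone, which is the point of not relying on a single indicator.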

#4 rookie147

Posted 22 January 2008 - 05:27 PM

Don't worry about that other file not being removed yet, we'll get rid of it soon anyway.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.
Thanks,
Charles



#5 davey doodle (Topic Starter)

Posted 22 January 2008 - 09:47 PM

Now I see what it's doing. Isn't that hack just a cute piece of work? Here's the combofix log:




ComboFix 08-01-16.3 - Corrs 2008-01-22 18:58:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.53 [GMT -7:00]
Running from: C:\Documents and Settings\Corrs\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Corrs\My Documents\WNSXS~1
C:\Documents and Settings\Corrs\My Documents\WNSXS~1\W?nSxS\
C:\temp\tn3
C:\WINDOWS\SYSTEM32\cfhkj.ini
C:\WINDOWS\SYSTEM32\cfhkj.ini2
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhfc.exe
C:\WINDOWS\SYSTEM32\klkkj.ini
C:\WINDOWS\SYSTEM32\klkkj.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\wtsicom32.exe
C:\WINDOWS\system32\xxyxvtr.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-22 19:14 . 2008-01-22 19:14 <DIR> d-------- C:\Temp\tn3
2008-01-22 18:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 17:45 . 2008-01-14 17:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 17:01 . 2008-01-20 14:44 <DIR> d-------- C:\VundoFix Backups
2008-01-11 15:25 . 2008-01-22 19:07 932 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-01-11 15:16 . 2008-01-11 15:17 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-11 13:31 . 2008-01-11 13:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-11 13:31 . 2008-01-11 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 13:30 . 2008-01-11 13:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 12:12 . 2007-12-04 06:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-10 12:12 . 2004-01-09 02:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-01-10 12:12 . 2007-12-04 05:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-10 12:12 . 2007-12-04 07:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-10 12:12 . 2007-12-04 07:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-10 12:12 . 2007-12-04 07:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-10 12:12 . 2007-12-04 07:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-10 12:12 . 2007-12-04 07:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-09 19:03 . 2004-06-17 13:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-09 19:03 . 2004-06-17 13:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-09 19:03 . 2004-06-17 13:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-09 19:03 . 2005-04-28 22:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-01-09 16:23 . 2008-01-22 16:55 15,360 --a------ C:\WINDOWS\SYSTEM32\ctfmon .exe
2008-01-08 21:27 . 2008-01-08 19:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-08 19:44 . 2008-01-08 20:45 <DIR> d-------- C:\Documents and Settings\Corrs\.housecall6.6
2008-01-08 00:43 . 2008-01-08 18:40 139,264 --a------ C:\WINDOWS\SYSTEM32\mobjchku .exe
2008-01-08 00:42 . 2008-01-10 07:34 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray .exe
2008-01-08 00:42 . 2008-01-10 07:34 126,976 --a------ C:\WINDOWS\SYSTEM32\hkcmd .exe
2008-01-07 23:12 . 2008-01-10 10:31 <DIR> d--hs---- C:\WINDOWS\Q29ycnM
2008-01-07 23:12 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\SYSTEM32\rushebyr.exe
2008-01-07 23:12 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\SYSTEM32\bkmoopob.exe
2008-01-07 23:12 . 2008-01-07 23:12 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atapii.sys
2008-01-07 23:11 . 2008-01-10 10:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz0
2008-01-07 23:11 . 2008-01-11 16:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\usmvt3
2008-01-07 23:11 . 2008-01-10 10:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\comp2
2008-01-07 23:11 . 2008-01-07 23:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\cache3
2008-01-07 23:11 . 2008-01-07 23:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\ardCo01
2008-01-07 23:11 . 2008-01-07 23:11 <DIR> d-------- C:\Temp\cEeer12
2008-01-07 23:11 . 2008-01-22 19:14 <DIR> d-------- C:\Temp
2008-01-06 11:38 . 2008-01-06 11:38 1,283,174 --a------ C:\Install
2007-12-27 11:21 . 2008-01-10 09:15 <DIR> d-------- C:\Program Files\USB Disk Win98 Driver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 00:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-10 19:14 --------- d-----w C:\Program Files\WordPerfect Office 11
2008-01-10 16:13 --------- d-----w C:\Program Files\QuickTime
2008-01-09 02:02 --------- d-----w C:\Program Files\Alwil Software
2007-12-27 18:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-13 22:24 --------- d-----w C:\Documents and Settings\Corrs\Application Data\GetRightToGo
2007-12-13 21:48 --------- d-----w C:\Program Files\Google
2007-12-10 23:41 --------- d-----w C:\Documents and Settings\Corrs\Application Data\AdobeUM
2007-12-05 23:34 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-05 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-05 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-05 02:43 --------- d-----w C:\Program Files\Kodak
2007-12-05 02:43 --------- d-----w C:\Program Files\Common Files\Kodak
2007-11-26 16:00 --------- d-----w C:\Documents and Settings\Corrs\Application Data\Viewpoint
2007-11-26 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2005-07-29 23:24 472 --sha-r C:\WINDOWS\Q29ycnM\kZ6VwBg.vbs
.
<pre>
----a-w		 5,562,368 2008-01-10 19:54:59  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.MySpaceIM .exe
----a-w		   639,488 2008-01-09 01:27:46  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask   .exe
----a-w		   639,488 2008-01-08 20:54:25  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask  .exe
----a-w		   639,488 2008-01-08 16:37:42  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask .exe
----a-w		   313,472 2008-01-09 01:28:01  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w			79,224 2008-01-22 23:55:50  C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w		   171,448 2008-01-09 01:58:48  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w		 1,694,208 2008-01-09 01:27:56  C:\Program Files\Messenger\msmsgs .exe
----a-w		 8,720,384 2008-01-23 02:15:51  C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w		 1,460,560 2008-01-23 02:15:26  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			65,536 2008-01-10 14:34:45  C:\Program Files\USB Disk Win98 Driver\Res .EXE
----a-w		   158,208 2008-01-09 01:43:52 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w			15,360 2008-01-22 23:55:56  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w		   126,976 2008-01-10 14:34:42  C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w		   155,648 2008-01-10 14:34:40  C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w		   139,264 2008-01-09 01:40:10  C:\WINDOWS\SYSTEM32\mobjchku .exe
----a-w		   122,933 2008-01-10 14:34:44 C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3DCC451-9584-415B-8073-6D20E2F3D8D1}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-22 18:58 1802752]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-22 18:59 9085440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-22 18:59 9085440]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\jkhfc

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
C:\DOCUME~1\Corrs\MYDOCU~1\WNSXS~1\spool32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\comup]
C:\WINDOWS\system32\mobjchku.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 17:28 49152 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 18:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\jkklk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-03-12 06:25 11776 C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-01-22 18:59 9085440 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 17:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-18 23:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"Bonjour Service"=2 (0x2)

R1 atapii;atapii;C:\WINDOWS\system32\drivers\atapii.sys [2008-01-07 23:12]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-19 02:36:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 19:15:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 19:19:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 02:19:22
.
2008-01-09 06:03:35 --- E O F ---
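Two things in this ComboFix log deserve more attention than the one-line reaction above. First, under Reg Loading Points the LSA Authentication Packages value reads msv1_0 plus C:\WINDOWS\system32\jkhfc: an extra authentication package is loaded into lsass.exe and participates in logon processing, which is a far stronger foothold than a BHO, and it matches the jkhfc.dll that ComboFix deleted. Second, the listing between the <pre> markers shows legitimate binaries renamed to "name .exe" (a space before the extension) while the autostart entries still reference the unspaced name, so whatever now sits at igfxtray.exe or ctfmon.exe runs in place of the original. The script below is an added example by this editor, not code from the original post or from ComboFix. It parses lines excerpted from the log above (whitespace condensed) to pull out both indicators and to correlate the displaced names with Run entries. The msv1_0 baseline (the XP default) and the regexes are this editor's assumptions.

```python
"""Extract two indicators from ComboFix log lines: a non-default LSA
authentication package, and 'name .exe' files whose real names are still
referenced by autostart entries.

Added example, not code from the original post or from ComboFix. CF_LOG is
excerpted from the log above with whitespace condensed.
"""
import re

CF_LOG = r"""
----a-w   5,562,368 2008-01-10 19:54:59  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.MySpaceIM .exe
----a-w     639,488 2008-01-08 16:37:42  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask .exe
----a-w     313,472 2008-01-09 01:28:01  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w      15,360 2008-01-22 23:55:56  C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w     155,648 2008-01-10 14:34:40  C:\WINDOWS\SYSTEM32\igfxtray .exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-22 18:58 1802752]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\jkhfc
""".strip().splitlines()

# ComboFix file listing: attributes, size, date, time, path.
LISTING_RE = re.compile(r"^[-a-z]{7}\s+[\d,]+\s+\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<path>.+)$")
# One or more spaces between the stem and the extension.
SPACED_RE = re.compile(r"^(?P<stem>.+?) +\.(?P<ext>[A-Za-z0-9]+)$")
# Registry Run-style entry as ComboFix prints it: "Name"="path" [info].
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
LSA_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(?P<pkgs>.+)$")

# Windows XP ships with msv1_0 as the only authentication package (editor's baseline).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def extra_auth_packages(lines):
    """Return authentication packages beyond the default set.
    ComboFix doubles the backslashes on this line, so they are collapsed first.
    Caveat: entries are space-separated in the log, so a package path that
    itself contains spaces would be split; none appears in this log."""
    for line in lines:
        m = LSA_RE.match(line)
        if m:
            pkgs = [p.replace("\\\\", "\\") for p in m["pkgs"].split()]
            return [p for p in pkgs if p.lower() not in DEFAULT_AUTH_PACKAGES]
    return []


def spaced_extension_files(lines):
    """Map each 'name .ext' path in the listing to the name it was displaced from."""
    displaced = {}
    for line in lines:
        m = LISTING_RE.match(line)
        if not m:
            continue
        s = SPACED_RE.match(m["path"])
        if s:
            displaced[m["path"]] = s["stem"] + "." + s["ext"]
    return displaced


def autostarts_pointing_at_displaced(lines):
    """Autostart entries whose target is a real name now occupied by something
    other than the renamed original: these are the files to pull first."""
    real_names = {p.lower() for p in spaced_extension_files(lines).values()}
    hits = []
    for line in lines:
        m = RUN_RE.match(line)
        if m and m["path"].lower() in real_names:
            hits.append((m["name"], m["path"]))
    return hits


if __name__ == "__main__":
    print("extra LSA authentication packages:", extra_auth_packages(CF_LOG))
    for src, real in spaced_extension_files(CF_LOG).items():
        print("displaced:", real, "<-", src)
    print("autostarts hitting displaced names:", autostarts_pointing_at_displaced(CF_LOG))
```

The two Run entries that come back (IgfxTray and ctfmon.exe) are exactly the names whose originals were pushed aside, which is the list to check on disk before any rename-back step.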

#6 rookie147

Posted 23 January 2008 - 07:10 AM

Open Notepad - don't use any other text editor or the script will fail.
Copy and paste the text in the quote box below into the document:

RENV::
----a-w 5,562,368 2008-01-10 19:54:59 C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.MySpaceIM .exe
----a-w 639,488 2008-01-09 01:27:46 C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask .exe
----a-w 639,488 2008-01-08 20:54:25 C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask .exe
----a-w 639,488 2008-01-08 16:37:42 C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask .exe
----a-w 313,472 2008-01-09 01:28:01 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w 79,224 2008-01-22 23:55:50 C:\Program Files\Alwil Software\Avast4\ashDisp .exe
----a-w 171,448 2008-01-09 01:58:48 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
----a-w 1,694,208 2008-01-09 01:27:56 C:\Program Files\Messenger\msmsgs .exe
----a-w 8,720,384 2008-01-23 02:15:51 C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w 1,460,560 2008-01-23 02:15:26 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 65,536 2008-01-10 14:34:45 C:\Program Files\USB Disk Win98 Driver\Res .EXE
----a-w 158,208 2008-01-09 01:43:52 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 15,360 2008-01-22 23:55:56 C:\WINDOWS\SYSTEM32\ctfmon .exe
----a-w 126,976 2008-01-10 14:34:42 C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2008-01-10 14:34:40 C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 139,264 2008-01-09 01:40:10 C:\WINDOWS\SYSTEM32\mobjchku .exe
----a-w 122,933 2008-01-10 14:34:44 C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe


Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below:


This will start ComboFix again.
A new log will be created, which I would like to see in your reply.

If you are pleased with the service I have offered, you may like to consider making a donation.
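Every path in the quote box above shares one trait: whitespace sits directly before the final extension (qttask .exe, hkcmd .exe). As an added example, not rookie147's script or ComboFix's own code, here is a Python parser for listing lines in that layout which flags that trait and reports whether a normally named twin sits in the same folder; the reading that the files are listed for this reason is an assumption, and the sample lines are constructed (three copied from this thread, two invented twins).

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One listing line: attribute flags, byte size with thousands separators,
# timestamp, then the full path (which may itself contain spaces).
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$"
)
# Whitespace sitting directly before the final extension, e.g. "qttask .exe".
SPACED_EXT_RE = re.compile(r"^(?P<stem>.*?)(?P<gap>\s+)\.(?P<ext>[A-Za-z0-9]+)$")

# Constructed sample: the first three lines copy entries quoted in this thread,
# the last two are invented twins so the twin check has something to find.
SAMPLE_LISTING = r"""
----a-w   639,488 2008-01-09 01:27:46  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask   .exe
----a-w   639,488 2008-01-08 20:54:25  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask  .exe
----a-w   126,976 2008-01-24 02:00:43  C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w   466,432 2008-01-23 18:50:00  C:\WINDOWS\SYSTEM32\hkcmd.exe
----a-w    15,360 2004-08-04 00:56:00  C:\WINDOWS\SYSTEM32\ctfmon.exe
"""


@dataclass
class Entry:
    attrs: str
    size: int
    stamp: datetime
    path: str

    @property
    def folder(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


@dataclass
class Finding:
    path: str
    gap: int                       # whitespace characters before the dot
    twin: Optional[Entry] = None   # normally named file in the same folder

    def describe(self) -> str:
        text = f"{self.path!r}: {self.gap} space(s) before extension"
        if self.twin is not None:
            text += f"; twin {self.twin.name} present ({self.twin.size:,} bytes)"
        return text


def parse_listing(text: str) -> List[Entry]:
    """Parse listing lines; anything that does not fit the layout is skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            continue
        entries.append(Entry(
            attrs=m["attrs"],
            size=int(m["size"].replace(",", "")),
            stamp=datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M:%S"),
            path=m["path"],
        ))
    return entries


def find_spaced_extensions(entries: List[Entry]) -> List[Finding]:
    """Flag every name with whitespace before its extension and look for a
    twin with the spaces removed in the same folder (case-insensitive)."""
    by_path = {e.path.lower(): e for e in entries}
    findings: List[Finding] = []
    for e in entries:
        m = SPACED_EXT_RE.match(e.name)
        if m is None:
            continue
        normal = f"{m['stem']}.{m['ext']}"
        twin = by_path.get(f"{e.folder}\\{normal}".lower())
        findings.append(Finding(path=e.path, gap=len(m["gap"]), twin=twin))
    return findings


if __name__ == "__main__":
    for finding in find_spaced_extensions(parse_listing(SAMPLE_LISTING)):
        print(finding.describe())
```

A flagged name with a twin (hkcmd .exe beside hkcmd.exe) is the case worth looking at first: two files competing for one autostart entry, which is what the later logs on this page show being straightened out.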


#7 davey doodle (Topic Starter, Members, 9 posts)

Posted 23 January 2008 - 09:39 PM

Charles,

Here is the log of Combofix with CFScript:
----------------------------------------------------------------------------

ComboFix 08-01-16.3 - Corrs 2008-01-23 18:49:34.2 - NTFSx86
Running from: C:\Documents and Settings\Corrs\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Corrs\Desktop\cfscript
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\SYSTEM32\cfhkj.ini
C:\WINDOWS\SYSTEM32\cfhkj.ini2
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\jkhfc.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-23 19:01 . 2008-01-23 19:01 338,432 --a------ C:\WINDOWS\SYSTEM32\jkhfc.exe
2008-01-23 19:00 . 2008-01-23 19:00 <DIR> d-------- C:\Temp\tn3
2008-01-23 19:00 . 2008-01-23 19:00 334,848 --------- C:\WINDOWS\SYSTEM32\jkhfc.dll
2008-01-23 19:00 . 2008-01-23 19:00 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray .exe
2008-01-23 19:00 . 2008-01-23 19:00 126,976 --a------ C:\WINDOWS\SYSTEM32\hkcmd .exe
2008-01-22 18:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 17:45 . 2008-01-14 17:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 17:01 . 2008-01-20 14:44 <DIR> d-------- C:\VundoFix Backups
2008-01-11 15:25 . 2008-01-23 18:59 167,545 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-01-11 15:16 . 2008-01-11 15:17 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-11 13:31 . 2008-01-11 13:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-11 13:31 . 2008-01-11 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 13:30 . 2008-01-11 13:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 12:12 . 2007-12-04 06:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-10 12:12 . 2004-01-09 02:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-01-10 12:12 . 2007-12-04 05:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-10 12:12 . 2007-12-04 07:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-10 12:12 . 2007-12-04 07:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-10 12:12 . 2007-12-04 07:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-10 12:12 . 2007-12-04 07:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-10 12:12 . 2007-12-04 07:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-09 19:03 . 2004-06-17 13:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-09 19:03 . 2004-06-17 13:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-09 19:03 . 2004-06-17 13:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-09 19:03 . 2005-04-28 22:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-01-08 21:27 . 2008-01-08 19:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-08 19:44 . 2008-01-08 20:45 <DIR> d-------- C:\Documents and Settings\Corrs\.housecall6.6
2008-01-08 18:43 . 2008-01-08 18:43 158,208 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msconfig.exe
2008-01-08 00:43 . 2008-01-08 18:40 139,264 --a------ C:\WINDOWS\SYSTEM32\mobjchku.exe
2008-01-08 00:42 . 2008-01-23 19:01 495,104 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-01-08 00:42 . 2008-01-23 18:50 466,432 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-01-07 23:12 . 2008-01-10 10:31 <DIR> d--hs---- C:\WINDOWS\Q29ycnM
2008-01-07 23:12 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\SYSTEM32\rushebyr.exe
2008-01-07 23:12 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\SYSTEM32\bkmoopob.exe
2008-01-07 23:12 . 2008-01-07 23:12 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atapii.sys
2008-01-07 23:11 . 2008-01-10 10:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz0
2008-01-07 23:11 . 2008-01-11 16:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\usmvt3
2008-01-07 23:11 . 2008-01-10 10:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\comp2
2008-01-07 23:11 . 2008-01-07 23:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\cache3
2008-01-07 23:11 . 2008-01-07 23:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\ardCo01
2008-01-07 23:11 . 2008-01-07 23:11 <DIR> d-------- C:\Temp\cEeer12
2008-01-07 23:11 . 2008-01-23 19:00 <DIR> d-------- C:\Temp
2008-01-06 11:38 . 2008-01-06 11:38 1,283,174 --a------ C:\Install
2007-12-27 11:21 . 2008-01-23 18:49 <DIR> d-------- C:\Program Files\USB Disk Win98 Driver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 23:15 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-01-11 00:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-10 19:14 --------- d-----w C:\Program Files\WordPerfect Office 11
2008-01-10 16:13 --------- d-----w C:\Program Files\QuickTime
2008-01-09 02:02 --------- d-----w C:\Program Files\Alwil Software
2008-01-09 01:43 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2007-12-27 18:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-13 22:24 --------- d-----w C:\Documents and Settings\Corrs\Application Data\GetRightToGo
2007-12-13 21:48 --------- d-----w C:\Program Files\Google
2007-12-10 23:41 --------- d-----w C:\Documents and Settings\Corrs\Application Data\AdobeUM
2007-12-05 23:34 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-05 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-05 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-05 02:43 --------- d-----w C:\Program Files\Kodak
2007-12-05 02:43 --------- d-----w C:\Program Files\Common Files\Kodak
2007-11-26 16:00 --------- d-----w C:\Documents and Settings\Corrs\Application Data\Viewpoint
2007-11-26 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-10-30 23:42 3,590,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-28 00:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
2007-10-28 00:40 227,328 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
2007-10-26 03:36 8,454,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2005-07-29 23:24 472 --sha-r C:\WINDOWS\Q29ycnM\kZ6VwBg.vbs
.
----a-w           639,488 2008-01-09 01:27:46  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask   .exe
----a-w           639,488 2008-01-08 20:54:25  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask  .exe
----a-w         8,720,384 2008-01-24 02:01:34  C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w         1,460,560 2008-01-24 02:00:59  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w           126,976 2008-01-24 02:00:43  C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w           155,648 2008-01-24 02:00:40  C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w           122,933 2008-01-24 02:00:44  C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe


((((((((((((((((((((((((((((( snapshot@2008-01-22_19.19.05.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 01:57:04 258,048 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 01:47:05 258,048 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 01:57:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 01:47:05 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 01:57:04 258,048 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 01:47:05 258,048 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 01:57:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 01:47:05 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 01:57:05 4,251,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-24 01:47:05 4,251,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-23 01:57:05 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 01:47:06 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 01:50:51 487,936 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
- 2008-01-23 02:08:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5b0.dat
+ 2008-01-24 01:59:47 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3F57FF4-0453-4D0A-8AD8-E7403A7B71DC}]
2008-01-23 19:00 334848 --------- C:\WINDOWS\system32\jkhfc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F42729C1-0A96-46DB-8FBD-8CAFE786F545}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-23 18:50 1802752]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-23 18:50 9085440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-23 19:01 495104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-23 18:50 466432]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-23 18:50 487936]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-01-23 19:01 444416]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-23 18:50 9085440]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\jkhfc.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkhfc

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
C:\DOCUME~1\Corrs\MYDOCU~1\WNSXS~1\spool32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\comup]
--a------ 2008-01-08 18:40 139264 C:\WINDOWS\system32\mobjchku.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 17:28 49152 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 18:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\jkklk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-03-12 06:25 11776 C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-08 18:27 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-01-23 18:50 9085440 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 17:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-08 18:58 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-18 23:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2008-01-08 18:28 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"Bonjour Service"=2 (0x2)

R1 atapii;atapii;C:\WINDOWS\system32\drivers\atapii.sys [2008-01-07 23:12]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-19 02:36:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 19:01:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\cfhkj.ini

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\jkhfc.dll
.
Completion time: 2008-01-23 19:06:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-24 02:06:42
ComboFix2.txt 2008-01-23 02:19:26
.
2008-01-09 06:03:35 --- E O F ---
------------------------------------------------------

Thanks for the help!
Dave

#8 rookie147 (Members, 5,321 posts)

Posted 24 January 2008 - 05:41 PM

Please edit the CFScript file to include the quotebox below, then run it again:

RENV::
----a-w 639,488 2008-01-09 01:27:46 C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask .exe
----a-w 639,488 2008-01-08 20:54:25 C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask .exe
----a-w 8,720,384 2008-01-24 02:01:34 C:\Program Files\MySpace\IM\MySpaceIM .exe
----a-w 1,460,560 2008-01-24 02:00:59 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 126,976 2008-01-24 02:00:43 C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2008-01-24 02:00:40 C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 122,933 2008-01-24 02:00:44 C:\WINDOWS\SYSTEM32\dla\tfswctrl .exe


After doing so, could I also have another HijackThis log?
Thanks,
Charles



#9 davey doodle (Topic Starter, Members, 9 posts)

Posted 25 January 2008 - 12:42 PM

Charles,

Here are the latest Combofix and HJT logs. As you can see, I still haven't been able to eradicate core.cache.dsk:

-------------------------------------------------------------
ComboFix 08-01-16.3 - Corrs 2008-01-24 17:29:50.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -7:00]
Running from: C:\Documents and Settings\Corrs\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Corrs\Desktop\cfscript
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\SYSTEM32\cfhkj.ini
C:\WINDOWS\SYSTEM32\cfhkj.ini2
C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-24 17:42 . 2008-01-24 17:42 <DIR> d-------- C:\Temp\tn3
2008-01-23 19:01 . 2008-01-23 19:01 338,432 --a------ C:\WINDOWS\SYSTEM32\jkhfc.exe
2008-01-22 18:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 17:45 . 2008-01-14 17:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 17:01 . 2008-01-20 14:44 <DIR> d-------- C:\VundoFix Backups
2008-01-11 15:25 . 2008-01-24 17:42 932 --------- C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-01-11 15:16 . 2008-01-11 15:17 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-11 13:31 . 2008-01-11 13:31 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-11 13:31 . 2008-01-11 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-11 13:30 . 2008-01-11 13:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 12:12 . 2007-12-04 06:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-01-10 12:12 . 2004-01-09 02:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-01-10 12:12 . 2007-12-04 05:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-01-10 12:12 . 2007-12-04 07:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-01-10 12:12 . 2007-12-04 07:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-01-10 12:12 . 2007-12-04 07:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-01-10 12:12 . 2007-12-04 07:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-01-10 12:12 . 2007-12-04 07:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-01-09 19:03 . 2004-06-17 13:05 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-09 19:03 . 2004-06-17 13:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-09 19:03 . 2004-06-17 13:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-01-09 19:03 . 2005-04-28 22:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-01-08 21:27 . 2008-01-08 19:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-08 19:44 . 2008-01-08 20:45 <DIR> d-------- C:\Documents and Settings\Corrs\.housecall6.6
2008-01-08 18:43 . 2008-01-08 18:43 158,208 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msconfig.exe
2008-01-08 00:43 . 2008-01-08 18:40 139,264 --a------ C:\WINDOWS\SYSTEM32\mobjchku.exe
2008-01-08 00:42 . 2008-01-23 19:00 155,648 --a------ C:\WINDOWS\SYSTEM32\igfxtray.exe
2008-01-08 00:42 . 2008-01-23 19:00 126,976 --a------ C:\WINDOWS\SYSTEM32\hkcmd.exe
2008-01-07 23:12 . 2008-01-10 10:31 <DIR> d--hs---- C:\WINDOWS\Q29ycnM
2008-01-07 23:12 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\SYSTEM32\rushebyr.exe
2008-01-07 23:12 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\SYSTEM32\bkmoopob.exe
2008-01-07 23:12 . 2008-01-07 23:12 86,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\atapii.sys
2008-01-07 23:11 . 2008-01-10 10:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\winz0
2008-01-07 23:11 . 2008-01-11 16:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\usmvt3
2008-01-07 23:11 . 2008-01-10 10:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\comp2
2008-01-07 23:11 . 2008-01-07 23:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\cache3
2008-01-07 23:11 . 2008-01-07 23:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\ardCo01
2008-01-07 23:11 . 2008-01-07 23:11 <DIR> d-------- C:\Temp\cEeer12
2008-01-07 23:11 . 2008-01-24 17:42 <DIR> d-------- C:\Temp
2008-01-06 11:38 . 2008-01-06 11:38 1,283,174 --a------ C:\Install
2007-12-27 11:21 . 2008-01-23 18:49 <DIR> d-------- C:\Program Files\USB Disk Win98 Driver

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 00:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-10 19:14 --------- d-----w C:\Program Files\WordPerfect Office 11
2008-01-10 16:13 --------- d-----w C:\Program Files\QuickTime
2008-01-09 02:02 --------- d-----w C:\Program Files\Alwil Software
2007-12-27 18:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-13 22:24 --------- d-----w C:\Documents and Settings\Corrs\Application Data\GetRightToGo
2007-12-13 21:48 --------- d-----w C:\Program Files\Google
2007-12-10 23:41 --------- d-----w C:\Documents and Settings\Corrs\Application Data\AdobeUM
2007-12-05 23:34 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-05 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2007-12-05 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-05 02:43 --------- d-----w C:\Program Files\Kodak
2007-12-05 02:43 --------- d-----w C:\Program Files\Common Files\Kodak
2007-11-26 16:00 --------- d-----w C:\Documents and Settings\Corrs\Application Data\Viewpoint
2007-11-26 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2005-07-29 23:24 472 --sha-r C:\WINDOWS\Q29ycnM\kZ6VwBg.vbs
.
----a-w           639,488 2008-01-09 01:27:46  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask   .exe
----a-w           639,488 2008-01-08 20:54:25  C:\Documents and Settings\Corrs\My Documents\Junk\antivirus infected\infected.qttask  .exe


((((((((((((((((((((((((((((( snapshot@2008-01-22_19.19.05.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 01:57:04 258,048 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-25 00:26:58 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 01:57:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-25 00:26:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 01:57:04 258,048 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-25 00:26:59 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 01:57:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-25 00:26:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 01:57:05 4,251,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-25 00:27:00 4,251,648 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-23 01:57:05 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 00:27:01 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2004-08-04 07:56:54 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe
+ 2008-01-09 01:43:52 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
+ 2008-01-24 02:00:44 122,933 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
+ 2008-01-25 00:42:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_590.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3F57FF4-0453-4D0A-8AD8-E7403A7B71DC}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-23 19:00 1460560]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-23 19:01 8720384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-23 19:00 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-23 19:00 126976]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-23 19:00 122933]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-01-23 19:01 8720384]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
C:\DOCUME~1\Corrs\MYDOCU~1\WNSXS~1\spool32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\comup]
--a------ 2008-01-08 18:40 139264 C:\WINDOWS\system32\mobjchku.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-08-04 17:28 49152 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 18:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\jkklk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-03-12 06:25 11776 C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-01-08 18:27 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-01-23 19:01 8720384 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 17:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-08 18:58 171448 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-18 23:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2008-01-08 18:28 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"Bonjour Service"=2 (0x2)

R1 atapii;atapii;C:\WINDOWS\system32\drivers\atapii.sys [2008-01-07 23:12]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-19 02:36:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOffer@16
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 17:43:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-24 17:49:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 00:49:23
ComboFix2.txt 2008-01-24 02:06:48
ComboFix3.txt 2008-01-23 02:19:26
.
2008-01-09 06:03:35 --- E O F ---

========================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:41 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://casper.bresnanhsi.com/community
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A3F57FF4-0453-4D0A-8AD8-E7403A7B71DC} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://bresnan.bresnanonline.net/templates...s/page_bkgd.gif

--
End of file - 5466 bytes
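A small triage helper for the HijackThis log above, added here as an example; it is not code from the thread, from HijackThis or from any tool the helpers used, and the three heuristics it applies (orphaned "(no file)"/"(file missing)" targets, O4 Run entries in the SYSTEM or Default user hives, services whose binary lives outside Program Files and system32) are the author's own choice of first things to look at, not HijackThis's classification. The sample log is a constructed subset of the lines posted above.

```python
"""Triage helper for a HijackThis v2 log.

Added example (not code from the thread or from HijackThis). It splits each
classified line into its section code (R0, O2, O4, O9, O23 ...) and body, then
applies three reviewer heuristics of the author's own choosing:
  * O2/O3/O9 entries whose target is "(no file)" or "(file missing)": orphaned
    registry references, usually left behind by a removed component
  * O4 Run entries registered under HKUS\\S-1-5-18 (SYSTEM) or HKUS\\.DEFAULT:
    an ordinary desktop application has no reason to start in those hives
  * O23 services whose binary is neither under Program Files nor under
    system32: worth verifying the vendor before trusting it
"""
import re

# Lines excerpted from the HijackThis log posted above (constructed subset).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A3F57FF4-0453-4D0A-8AD8-E7403A7B71DC} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# A classified HijackThis line looks like "O4 - <body>"; headers and the
# running-process list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")

ORPHAN_MARKERS = ("(no file)", "(file missing)")
PRIVILEGED_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")
EXPECTED_SERVICE_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")


def parse_entries(log_text):
    """Return [(code, body)] for every classified line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def service_path(body):
    """O23 bodies end with ' - <vendor> - <path>'; return the path part."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(log_text):
    """Return [(reason, 'Oxx - body')] for every entry matching one of the heuristics."""
    findings = []
    for code, body in parse_entries(log_text):
        line = f"{code} - {body}"
        if code in ("O2", "O3", "O9") and any(mark in body for mark in ORPHAN_MARKERS):
            findings.append(("orphaned reference", line))
        if code == "O4" and body.startswith(PRIVILEGED_HIVES):
            findings.append(("Run entry in SYSTEM/Default user hive", line))
        if code == "O23" and not service_path(body).lower().startswith(EXPECTED_SERVICE_DIRS):
            findings.append(("service binary outside Program Files/system32", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

On the sample it reports the nameless BHO with no file, the msjava.dll button, the two MySpaceIM entries in the SYSTEM and Default user hives, and the AOL service that runs from the Windows root; a flagged line is a prompt to verify the entry, not a verdict that it is malicious.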

#10 rookie147

  • Members
  • 5,321 posts

Posted 25 January 2008 - 05:27 PM

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\SYSTEM32\jkhfc.exe
    C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
    C:\WINDOWS\SYSTEM32\mobjchku.exe
    C:\WINDOWS\SYSTEM32\rushebyr.exe
    C:\WINDOWS\SYSTEM32\bkmoopob.exe
    C:\WINDOWS\Q29ycnM
    C:\WINDOWS\SYSTEM32\winz0
    C:\WINDOWS\SYSTEM32\usmvt3
    C:\WINDOWS\SYSTEM32\comp2
    C:\WINDOWS\SYSTEM32\cache3
    C:\WINDOWS\SYSTEM32\ardCo01
    C:\Temp\cEeer12
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

If you are pleased with the service I have offered, you may like to consider making a donation.


#11 davey doodle
  • Topic Starter
  • Members
  • 9 posts

Posted 25 January 2008 - 06:33 PM

Charles,

OTMoveIT moved a bunch of stuff that has crept back since I started on this mess, but it didn't get core.cache.dsk.
Here is the OTMoveIT log:

--------------------------------------------------------------
C:\WINDOWS\SYSTEM32\jkhfc.exe moved successfully.
File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk scheduled to be moved on reboot.
C:\WINDOWS\SYSTEM32\mobjchku.exe moved successfully.
C:\WINDOWS\SYSTEM32\rushebyr.exe moved successfully.
C:\WINDOWS\SYSTEM32\bkmoopob.exe moved successfully.
C:\WINDOWS\Q29ycnM moved successfully.
C:\WINDOWS\SYSTEM32\winz0 moved successfully.
C:\WINDOWS\SYSTEM32\usmvt3 moved successfully.
C:\WINDOWS\SYSTEM32\comp2 moved successfully.
C:\WINDOWS\SYSTEM32\cache3 moved successfully.
C:\WINDOWS\SYSTEM32\ardCo01 moved successfully.
C:\Temp\cEeer12 moved successfully.
[Custom Input]
< C:\WINDOWS\SYSTEM32\jkhfc.exe >
File/Folder C:\WINDOWS\SYSTEM32\jkhfc.exe not found.
< C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk >
File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk scheduled to be moved on reboot.
< C:\WINDOWS\SYSTEM32\mobjchku.exe >
File/Folder C:\WINDOWS\SYSTEM32\mobjchku.exe not found.
< C:\WINDOWS\SYSTEM32\rushebyr.exe >
File/Folder C:\WINDOWS\SYSTEM32\rushebyr.exe not found.
< C:\WINDOWS\SYSTEM32\bkmoopob.exe >
File/Folder C:\WINDOWS\SYSTEM32\bkmoopob.exe not found.
< C:\WINDOWS\Q29ycnM >
File/Folder C:\WINDOWS\Q29ycnM not found.
< C:\WINDOWS\SYSTEM32\winz0 >
File/Folder C:\WINDOWS\SYSTEM32\winz0 not found.
< C:\WINDOWS\SYSTEM32\usmvt3 >
File/Folder C:\WINDOWS\SYSTEM32\usmvt3 not found.
< C:\WINDOWS\SYSTEM32\comp2 >
File/Folder C:\WINDOWS\SYSTEM32\comp2 not found.
< C:\WINDOWS\SYSTEM32\cache3 >
File/Folder C:\WINDOWS\SYSTEM32\cache3 not found.
< C:\WINDOWS\SYSTEM32\ardCo01 >
File/Folder C:\WINDOWS\SYSTEM32\ardCo01 not found.
< C:\Temp\cEeer12 >
File/Folder C:\Temp\cEeer12 not found.

OTMoveIt2 v1.0.14 log created on 01252008_161420
-------------------------------------------------------------------------------------
Thanks!
Dave
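A helper that reads an OTMoveIt2 results log like the one posted above and groups the paths by outcome, added as an example; it is not part of the thread and not OTMoveIt2's own code. The point it makes is the one the log shows: an item the tool could not move while Windows was running (here the file under DRIVERS, deferred to reboot) is the one that still needs attention, while a "not found" in the custom-input pass for a path already moved in the first pass is expected. The sample is constructed from the posted log plus one extra "not found" line (example_missing.tmp) that is not in the thread.

```python
"""Classify an OTMoveIt2 results log by outcome.

Added example (not from the thread, not OTMoveIt2's own code). OTMoveIt2 prints
one line per requested path:
  "<path> moved successfully."
  "File/Folder <path> not found."
  "File move failed. <path> scheduled to be moved on reboot."
The helper collects the paths under each outcome so the items that still need
attention are listed explicitly instead of read off by eye.
"""
import re

# Constructed from the log posted above, plus one made-up 'not found' path
# (C:\Temp\example_missing.tmp) that does not appear in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\jkhfc.exe moved successfully.
File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk scheduled to be moved on reboot.
C:\WINDOWS\SYSTEM32\mobjchku.exe moved successfully.
[Custom Input]
< C:\WINDOWS\SYSTEM32\jkhfc.exe >
File/Folder C:\WINDOWS\SYSTEM32\jkhfc.exe not found.
< C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk >
File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk scheduled to be moved on reboot.
< C:\Temp\example_missing.tmp >
File/Folder C:\Temp\example_missing.tmp not found.

OTMoveIt2 v1.0.14 log created on 01252008_161420
"""

MOVED_RE = re.compile(r"^(?P<path>.+?) moved successfully\.$")
FAILED_RE = re.compile(r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
NOTFOUND_RE = re.compile(r"^File/Folder (?P<path>.+?) not found\.$")

OUTCOMES = (("moved", MOVED_RE), ("scheduled_on_reboot", FAILED_RE), ("not_found", NOTFOUND_RE))


def classify(log_text):
    """Return {'moved': [...], 'scheduled_on_reboot': [...], 'not_found': [...]}.

    Paths are de-duplicated (the custom-input pass repeats them) and kept in
    the order they first appear. Lines that match no outcome are ignored.
    """
    result = {key: [] for key, _ in OUTCOMES}
    for raw in log_text.splitlines():
        line = raw.strip()
        for key, rx in OUTCOMES:
            m = rx.match(line)
            if m:
                if m.group("path") not in result[key]:
                    result[key].append(m.group("path"))
                break
    return result


def needs_follow_up(log_text):
    """Paths the tool could not move while Windows was running (locked or in use)."""
    return classify(log_text)["scheduled_on_reboot"]


def unresolved(log_text):
    """Paths reported 'not found' that were never moved or scheduled.

    Either they did not exist when the tool ran or the path was mistyped, so they
    need a second look rather than being counted as cleaned.
    """
    r = classify(log_text)
    done = set(r["moved"]) | set(r["scheduled_on_reboot"])
    return [p for p in r["not_found"] if p not in done]


if __name__ == "__main__":
    for outcome, paths in classify(SAMPLE_LOG).items():
        print(outcome, paths)
    print("follow up:", needs_follow_up(SAMPLE_LOG))
    print("unresolved:", unresolved(SAMPLE_LOG))
```

Run on the real log, `needs_follow_up` returns exactly the DRIVERS path and `unresolved` is empty, which matches what the poster reports: everything moved except core.cache.dsk.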

#12 rookie147

  • Members
  • 5,321 posts

Posted 26 January 2008 - 05:33 PM

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

How do things seem to be running now?

Edited by rookie147, 26 January 2008 - 05:34 PM.



#13 davey doodle
  • Topic Starter
  • Members
  • 9 posts

Posted 28 January 2008 - 09:38 PM

Charles,

Half successful. Avenger deletes core.cache.dsk just fine, but it reappears on reboot. I ran avenger three times and it always shows the file to be successfully deleted - except that it's always back again.
Here is the log:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xfposyhy

*******************

Script file located at: \??\C:\sjwcemxv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#14 rookie147

  • Members
  • 5,321 posts

Posted 29 January 2008 - 02:56 AM

We'll run a couple more scans to see if anything is hiding that brings the file back.
Download Silent Runners and extract it to a new folder on your Desktop.
Run the Silent Runners.vbs file.
You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
This script is not malicious so please allow it.
A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.

I'd also like you to run Combofix again and post the log in your reply.
Thanks,
Charles



#15 davey doodle
  • Topic Starter
  • Members
  • 9 posts

Posted 30 January 2008 - 10:36 AM

Charles:

Here is the log from Silent Runners. For some reason, Combofix would not finish after rebooting. I tried it several times, but could not get it to quit and show the log. At any rate, core.cache.dsk is still active.

Dave

------------------------------------------------------
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MySpaceIM" = "C:\Program Files\MySpace\IM\MySpaceIM.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "6 Months of AOL Included"
-> {HKLM...CLSID} = "6 Months of AOL Included"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{9999A076-A9E2-4C99-8A2B-632FC9429223}" = "Bonjour"
-> {HKLM...CLSID} = "Bonjour"
\InProcServer32\(Default) = "C:\Program Files\Bonjour\ExplorerPlugin.dll" ["Apple Computer, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}"
-> {HKLM...CLSID} = "QuickFinder Shell Extension"
\InProcServer32\(Default) = "c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL" ["Novell, Inc., c/o Corel Corporation Limited"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShareWallpaper.bmp"


Enabled Scheduled Tasks:
------------------------

"EasyShare Registration Task" -> launches: "C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.2.20.2.sxt _RegistrationOffer@16" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{9999A076-A9E2-4C99-8A2B-632FC9429223}\(Default) = "Bonjour"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Bonjour\ExplorerPlugin.dll" ["Apple Computer, Inc."]

HKLM\SOFTWARE\Classes\CLSID\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = "Real.com"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [file not found]

{7F9DB11C-E358-4CA6-A83D-ACC663939424}\
"ButtonText" = "Bonjour"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft"]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2008-01-29 18:53:32)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 73 seconds.
---------- (total run time: 137 seconds)
