
I Need Help! Can't Remove This Bleeping Core.cache.dsk File


  • This topic is locked
18 replies to this topic

#1 biggB
  • Members
  • 13 posts
  • Gender: Male
  • Location: Utah

Posted 25 January 2008 - 08:32 PM

Please help. I have tried everything to get rid of this damn thing and nothing works. Here is my HJT report.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:28 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
O4 - HKCU\..\Run: [Startup Manager] C:\Program Files\Advanced System Optimizer\startUp manager.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Br...OCX/flashax.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Security Service (HHWB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4129 bytes



#2 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 26 January 2008 - 09:13 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
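Added example (not from this thread, and not code from HijackThis or BleepingComputer): a small Python triage pass over HijackThis-style lines modelled on the log posted above. It flags what the helper acts on here: a running process or O23 service whose binary is an svchost.exe outside the real %SystemRoot%\system32, services with no recorded vendor, and a service entry left pointing at a file that has since been deleted. The sample lines are constructed; the accepted system roots (\WINDOWS, \WINNT) are an assumption.

```python
"""Triage pass over HijackThis-style log lines (added example; constructed input)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the HJT log in this thread, not a verbatim copy.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Security Service (HHWB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed: the same service entry after its binary was deleted but the
# registration was left behind (compare the second HJT log in the thread).
STALE_ENTRY = (r"O23 - Service: Security Service (HHWB) - Unknown owner - "
               r"C:\WINDOWS\system32\svcd\svchost.exe (file missing)")

# The genuine Service Host lives only in system32. Assumption: the system root is
# \WINDOWS (XP) or \WINNT (older NT); adjust for other installations.
CANONICAL_SVCHOST = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\svchost\.exe$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
# O23 - Service: <display name> (<short name>) - <owner> - <path>[ (file missing)]
O23_LINE = re.compile(
    r"^O23 - Service: (?P<name>.+?) \((?P<short>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    severity: str  # "high": act on it; "review": verify before trusting it
    item: str      # service short name or process path
    line: str
    reason: str


def misplaced_svchost(path: str) -> bool:
    """True when a binary is called svchost.exe but is not the real one in system32."""
    p = path.strip().lower()
    return p.endswith("\\svchost.exe") and CANONICAL_SVCHOST.match(p) is None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once; return findings in the order the lines appear."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O23_LINE.match(line)
        if m:
            if misplaced_svchost(m["path"]):
                findings.append(Finding("high", m["short"], line,
                    "service binary is an svchost.exe outside %SystemRoot%\\system32"))
            elif m["owner"].lower() == "unknown owner":
                findings.append(Finding("review", m["short"], line,
                    "no vendor recorded for the service binary; verify it before trusting it"))
            if m["missing"]:
                findings.append(Finding("review", m["short"], line,
                    "service still registered but its file is gone; remove the stale entry"))
        elif DRIVE_PATH.match(line) and misplaced_svchost(line):
            # Lines in the "Running processes" section are bare paths.
            findings.append(Finding("high", line, line,
                "running process named svchost.exe outside %SystemRoot%\\system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG) + triage(STALE_ENTRY):
        print(f"[{f.severity}] {f.item}: {f.reason}")
```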

#3 biggB (Topic Starter)
  • Members
  • 13 posts
  • Gender: Male
  • Location: Utah

Posted 28 January 2008 - 08:09 PM

Thanks for your help, Sam. Here is the combofix log:

ComboFix 08-01-29.2 - Brad 2008-01-28 17:57:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.284 [GMT -7:00]
Running from: C:\Documents and Settings\Brad\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-28 17:58 . 2008-01-28 17:58 <DIR> d-------- C:\Temp\tn3
2008-01-28 13:34 . 2008-01-28 13:34 38 --a------ C:\WINDOWS\avisplitter.INI
2008-01-27 20:44 . 2008-01-27 20:44 174 --a------ C:\header.rtf
2008-01-27 20:30 . 2008-01-27 20:30 354 --a------ C:\titles.rtf
2008-01-27 19:28 . 2008-01-27 19:28 908 --a------ C:\Conflict or compromise.rtf
2008-01-27 18:58 . 2008-01-27 21:58 606 --a------ C:\Createdevelop.rtf
2008-01-27 18:57 . 2008-01-27 18:57 542 --a------ C:\Research how.rtf
2008-01-27 18:46 . 2008-01-27 18:46 292 --a------ C:\pp.rtf
2008-01-27 18:38 . 2008-01-27 18:38 357 --a------ C:\howdoes.rtf
2008-01-27 18:16 . 2008-01-27 20:06 1,009 --a------ C:\Q & A.rtf
2008-01-26 12:52 . 2008-01-28 13:00 <DIR> d-------- C:\Program Files\Incomplete
2008-01-26 07:49 . 2008-01-26 07:49 <DIR> d-------- C:\Program Files\X-Setup Pro
2008-01-25 17:59 . 2008-01-25 18:37 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-25 17:39 . 2008-01-25 17:39 231,390 --a------ C:\RootkitRevealer.zip
2008-01-25 17:36 . 2008-01-25 17:36 28,672 --a------ C:\catchme.exe
2008-01-25 17:21 . 2008-01-25 17:21 695,350 --a------ C:\gmer114.zip
2008-01-25 17:21 . 2008-01-26 08:12 316 --a------ C:\WINDOWS\gmer.ini
2008-01-25 16:54 . 2008-01-25 16:54 <DIR> d-------- C:\DVD X Studios
2008-01-25 16:54 . 2008-01-25 16:54 14 --a------ C:\WINDOWS\system32\SystemInfo32.sys
2008-01-25 16:53 . 2008-01-25 16:53 <DIR> d-------- C:\Program Files\DVD X Studios
2008-01-25 16:53 . 2008-01-25 16:53 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD X Studios
2008-01-25 16:09 . 2008-01-25 16:09 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\X-Setup Pro
2008-01-25 16:09 . 2008-01-25 16:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\X-Setup Pro
2008-01-25 13:49 . 2008-01-25 14:15 <DIR> d-------- C:\Program Files\Advanced System Optimizer
2008-01-25 13:49 . 2008-01-25 13:49 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Systweak
2008-01-25 13:45 . 2008-01-25 13:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 13:45 . 2008-01-25 13:45 812,344 --a------ C:\HJTInstall.exe
2008-01-25 12:58 . 2008-01-28 18:00 932 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-24 20:49 . 2008-01-27 18:34 1,041 --a------ C:\King tut.rtf
2008-01-24 17:40 . 2008-01-24 17:40 <DIR> d-------- C:\WINDOWS\system32\FlashAX
2008-01-24 17:36 . 2008-01-24 17:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MGS
2008-01-24 16:20 . 2008-01-24 16:20 <DIR> d-------- C:\MicroGaming
2008-01-24 15:57 . 2008-01-24 19:47 <DIR> d-------- C:\Program Files\Vegas Casino Online
2008-01-24 13:59 . 2008-01-24 13:59 0 --a------ C:\vidalia-bundle-0.1.2.19-0.0.16.exe
2008-01-24 13:38 . 2008-01-24 13:38 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-01-24 13:38 . 2008-01-24 13:38 34,816 --a------ C:\info.exe
2008-01-24 13:38 . 2008-01-28 17:30 114 --a------ C:\WINDOWS\system32\url3
2008-01-24 13:38 . 2008-01-28 17:30 102 --a------ C:\WINDOWS\system32\url2
2008-01-24 13:38 . 2008-01-28 17:30 102 --a------ C:\WINDOWS\system32\url1
2008-01-24 13:38 . 2008-01-28 17:30 8 --a------ C:\WINDOWS\system32\CID
2008-01-24 13:38 . 2008-01-24 13:38 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-23 09:50 . 2008-01-28 16:52 <DIR> d-------- C:\My DVDs
2008-01-21 15:33 . 2008-01-21 15:33 <DIR> d-------- C:\My Games
2008-01-20 15:28 . 2008-01-20 15:28 15,717 --a------ C:\CreditCard.zip
2008-01-19 12:50 . 2008-01-28 02:48 <DIR> d-------- C:\Program Files\DivoCodec
2008-01-19 12:50 . 2008-01-19 12:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Software rule flag owns
2008-01-19 12:49 . 2008-01-19 12:50 622,491 --a------ C:\DivoCodec-1.0.0.2-setup-0762.exe
2008-01-18 10:40 . 2008-01-18 10:40 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\CyberLink
2008-01-18 10:40 . 2008-01-18 10:40 <DIR> d-------- C:\CyberLink
2008-01-18 10:35 . 2008-01-18 10:40 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\CyberLink
2008-01-18 10:34 . 2008-01-18 10:35 <DIR> d-------- C:\Program Files\CyberLink
2008-01-18 09:14 . 2008-01-18 09:14 672 --a------ C:\WINDOWS\mozver.dat
2008-01-17 17:01 . 2008-01-17 17:06 <DIR> dr------- C:\˙
2008-01-17 08:27 . 2008-01-17 08:27 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-01-17 08:26 . 2008-01-17 08:26 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\nView_Profiles
2008-01-16 22:43 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-16 22:40 . 2008-01-16 22:40 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-16 22:40 . 2008-01-16 22:41 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-16 22:22 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-16 21:59 . 2008-01-16 22:03 <DIR> d-------- C:\Program Files\Panicware
2008-01-16 12:23 . 2008-01-16 12:23 <DIR> d-------- C:\WINDOWS\Sun
2008-01-16 10:17 . 2008-01-23 23:46 <DIR> d-------- C:\Shared
2008-01-16 10:17 . 2008-01-26 12:31 <DIR> d-------- C:\Documents and Settings\Brad\Incomplete
2008-01-16 10:17 . 2008-01-28 12:53 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\LimeWire
2008-01-16 10:02 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-16 10:00 . 2008-01-16 10:00 382,352 --a------ C:\jre-6u3-windows-i586-p-iftw.exe
2008-01-15 20:57 . 2008-01-15 20:57 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\TuneUp Software
2008-01-15 20:57 . 2008-01-15 20:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\TuneUp Software
2008-01-15 20:57 . 2006-12-19 16:53 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-15 15:47 . 2008-01-15 15:49 <DIR> d-------- C:\Program Files\Cheetah Burner
2008-01-15 11:37 . 2002-10-29 13:22 7,832,561 --a------ C:\E6712v1.2.pdf
2008-01-15 11:36 . 2008-01-15 11:37 6,744,126 --a------ C:\E6712v1.2.exe
2008-01-14 21:29 . 2008-01-14 21:29 <DIR> d-------- C:\Program Files\MagicISO
2008-01-14 18:33 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-14 10:45 . 2008-01-14 10:45 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\HP
2008-01-14 09:20 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-14 09:20 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-14 09:16 . 2001-08-17 12:12 117,760 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2008-01-14 09:16 . 2001-08-17 12:12 117,760 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2008-01-14 09:15 . 2001-08-17 13:28 347,550 --a------ C:\WINDOWS\system32\drivers\es56tpi.sys
2008-01-14 09:15 . 2001-08-17 13:28 347,550 --a--c--- C:\WINDOWS\system32\dllcache\es56tpi.sys
2008-01-14 09:15 . 2004-08-03 23:07 42,240 --a------ C:\WINDOWS\system32\drivers\VIAAGP.SYS
2008-01-14 09:15 . 2004-08-03 23:07 42,240 --a--c--- C:\WINDOWS\system32\dllcache\viaagp.sys
2008-01-14 09:15 . 2004-08-03 23:08 20,480 --a------ C:\WINDOWS\system32\drivers\usbuhci.sys
2008-01-14 09:15 . 2004-08-03 23:08 20,480 --a--c--- C:\WINDOWS\system32\dllcache\usbuhci.sys
2008-01-14 09:15 . 2004-08-03 22:59 5,376 --a------ C:\WINDOWS\system32\drivers\viaide.sys
2008-01-14 09:15 . 2004-08-03 22:59 5,376 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2008-01-14 09:15 . 2001-08-17 12:19 3,712 --a------ C:\WINDOWS\system32\drivers\ctljystk.sys
2008-01-14 09:15 . 2001-08-17 12:19 3,712 --a--c--- C:\WINDOWS\system32\dllcache\ctljystk.sys
2008-01-13 17:22 . 2008-01-13 17:24 7,850,453 --a------ C:\FXTS2Install.EXE
2008-01-13 17:20 . 2008-01-13 21:54 <DIR> d-------- C:\Program Files\FXDD - MetaTrader 4
2008-01-13 17:20 . 2008-01-13 17:20 3,564,216 --a------ C:\mt4setup.exe
2008-01-13 17:19 . 2008-01-13 17:19 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\VTSystems
2008-01-13 09:37 . 2008-01-24 14:00 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-13 09:37 . 2008-01-13 09:37 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\PC Tools
2008-01-13 09:37 . 2008-01-25 13:36 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-01-13 09:37 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-13 09:37 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-13 09:37 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-13 09:37 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 22:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 16:56 --------- d-----w C:\Program Files\DiscWizard for Windows
2008-01-13 00:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-12 22:49 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-12 22:49 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-05 08:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperProfessional"="C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE" [2005-06-02 16:06 516096]
"Startup Manager"="C:\Program Files\Advanced System Optimizer\startUp manager.exe" [2007-06-22 11:55 919280]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-08 20:52 579072]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2007-11-16 19:20 91432]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-10-28 09:35 72736]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-08 20:52 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTrayContextMenu"= 0 (0x0)
"DisallowRun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= core.cache.dsk

R1 httpp;httpp;C:\WINDOWS\system32\drivers\httpp.sys [2008-01-12 20:51]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12]
R2 HHWB;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-01-24 13:38]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 05:00]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2001-08-17 05:19]
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 06:28]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 00:17:32 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 18:01:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
.
**************************************************************************
.
Completion time: 2008-01-28 18:03:35 - machine was rebooted [Brad]
ComboFix-quarantined-files.txt 2008-01-29 01:03:26
.
2008-01-17 19:33:35 --- E O F ---

#4 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 29 January 2008 - 10:18 AM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



========================================================

#5 biggB (Topic Starter)
  • Members
  • 13 posts
  • Gender: Male
  • Location: Utah

Posted 29 January 2008 - 06:22 PM

O.K. Sam, here are the log files. Looks like the damn thing is still there.




SDFix: Version 1.133

Run by Brad on Tue 01/29/2008 at 09:07 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\VIDALI~1.EXE - Deleted
C:\WINDOWS\system32\CID - Deleted
C:\WINDOWS\system32\svcd\svchost.exe - Deleted
C:\WINDOWS\system32\SvcNm - Deleted
C:\WINDOWS\system32\upds.log - Deleted
C:\WINDOWS\system32\url1 - Deleted
C:\WINDOWS\system32\url2 - Deleted
C:\WINDOWS\system32\url3 - Deleted


Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\svcd - Removed


Removing Temp Files...

ADS Check:




Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 15:58:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 1 Jan 2008 52 A..H. --- "C:\Program Files\STOPzilla!\swin32z.sys"
Wed 16 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"

Finished!

----------------------------------------------------------------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:44 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
O4 - HKCU\..\Run: [Startup Manager] C:\Program Files\Advanced System Optimizer\startUp manager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Br...OCX/flashax.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Security Service (HHWB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4451 bytes

#6 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio

Posted 30 January 2008 - 09:30 AM

You've got more malware than just core.cache.dsk present. We need to get rid of all of it.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Driver::
httpp

File::
C:\WINDOWS\system32\drivers\httpp.sys
C:\WINDOWS\system32\drivers\core.cache.dsk

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


==================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



========================================================

#7 biggB (Topic Starter)
  • Members
  • 13 posts
  • Gender: Male
  • Location: Utah

Posted 30 January 2008 - 02:11 PM

Here is the combofix log:

ComboFix 08-01-29.2 - Brad 2008-01-30 9:27:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.251 [GMT -7:00]
Running from: C:\Documents and Settings\Brad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brad\Desktop\New Folder\CFSCRIPT.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\httpp.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\httpp.sys
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\httpp.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_HTTPP
-------\httpp


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 09:29 . 2008-01-30 09:29 <DIR> d-------- C:\Temp\tn3
2008-01-29 09:06 . 2008-01-29 09:06 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-28 22:43 . 2008-01-28 22:43 165 --a------ C:\WINDOWS\startUp manager.INI
2008-01-28 21:26 . 2008-01-28 21:26 1,019 --a------ C:\3 parts.rtf
2008-01-28 19:50 . 2008-01-28 19:50 <DIR> d-------- C:\WINDOWS\Setup533
2008-01-28 13:34 . 2008-01-28 13:34 38 --a------ C:\WINDOWS\avisplitter.INI
2008-01-27 20:44 . 2008-01-27 20:44 174 --a------ C:\header.rtf
2008-01-27 20:30 . 2008-01-27 20:30 354 --a------ C:\titles.rtf
2008-01-27 19:28 . 2008-01-27 19:28 908 --a------ C:\Conflict or compromise.rtf
2008-01-27 18:58 . 2008-01-27 21:58 606 --a------ C:\Createdevelop.rtf
2008-01-27 18:57 . 2008-01-27 18:57 542 --a------ C:\Research how.rtf
2008-01-27 18:46 . 2008-01-27 18:46 292 --a------ C:\pp.rtf
2008-01-27 18:38 . 2008-01-27 18:38 357 --a------ C:\howdoes.rtf
2008-01-27 18:16 . 2008-01-27 20:06 1,009 --a------ C:\Q & A.rtf
2008-01-26 12:52 . 2008-01-28 13:00 <DIR> d-------- C:\Program Files\Incomplete
2008-01-26 07:49 . 2008-01-26 07:49 <DIR> d-------- C:\Program Files\X-Setup Pro
2008-01-25 17:59 . 2008-01-25 18:37 <DIR> d-------- C:\Program Files\XoftSpySE
2008-01-25 17:39 . 2008-01-25 17:39 231,390 --a------ C:\RootkitRevealer.zip
2008-01-25 17:36 . 2008-01-25 17:36 28,672 --a------ C:\catchme.exe
2008-01-25 17:21 . 2008-01-25 17:21 695,350 --a------ C:\gmer114.zip
2008-01-25 17:21 . 2008-01-26 08:12 316 --a------ C:\WINDOWS\gmer.ini
2008-01-25 16:54 . 2008-01-25 16:54 <DIR> d-------- C:\DVD X Studios
2008-01-25 16:54 . 2008-01-25 16:54 14 --a------ C:\WINDOWS\system32\SystemInfo32.sys
2008-01-25 16:53 . 2008-01-25 16:53 <DIR> d-------- C:\Program Files\DVD X Studios
2008-01-25 16:53 . 2008-01-25 16:53 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\DVD X Studios
2008-01-25 16:09 . 2008-01-25 16:09 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\X-Setup Pro
2008-01-25 16:09 . 2008-01-25 16:09 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\X-Setup Pro
2008-01-25 13:49 . 2008-01-25 14:15 <DIR> d-------- C:\Program Files\Advanced System Optimizer
2008-01-25 13:49 . 2008-01-25 13:49 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\Systweak
2008-01-25 13:45 . 2008-01-25 13:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-25 13:45 . 2008-01-25 13:45 812,344 --a------ C:\HJTInstall.exe
2008-01-24 20:49 . 2008-01-27 18:34 1,041 --a------ C:\King tut.rtf
2008-01-24 17:40 . 2008-01-24 17:40 <DIR> d-------- C:\WINDOWS\system32\FlashAX
2008-01-24 17:36 . 2008-01-24 17:36 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MGS
2008-01-24 16:20 . 2008-01-24 16:20 <DIR> d-------- C:\MicroGaming
2008-01-24 15:57 . 2008-01-24 19:47 <DIR> d-------- C:\Program Files\Vegas Casino Online
2008-01-24 13:38 . 2008-01-24 13:38 34,816 --a------ C:\info.exe
2008-01-23 09:50 . 2008-01-29 18:58 <DIR> d-------- C:\My DVDs
2008-01-21 15:33 . 2008-01-21 15:33 <DIR> d-------- C:\My Games
2008-01-20 15:28 . 2008-01-20 15:28 15,717 --a------ C:\CreditCard.zip
2008-01-19 12:50 . 2008-01-28 02:48 <DIR> d-------- C:\Program Files\DivoCodec
2008-01-19 12:50 . 2008-01-19 12:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Software rule flag owns
2008-01-19 12:49 . 2008-01-19 12:50 622,491 --a------ C:\DivoCodec-1.0.0.2-setup-0762.exe
2008-01-18 10:40 . 2008-01-18 10:40 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\CyberLink
2008-01-18 10:40 . 2008-01-18 10:40 <DIR> d-------- C:\CyberLink
2008-01-18 10:35 . 2008-01-18 10:40 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\CyberLink
2008-01-18 10:34 . 2008-01-18 10:35 <DIR> d-------- C:\Program Files\CyberLink
2008-01-18 09:14 . 2008-01-18 09:14 672 --a------ C:\WINDOWS\mozver.dat
2008-01-17 17:01 . 2008-01-17 17:06 <DIR> dr------- C:\˙
2008-01-17 08:27 . 2008-01-17 08:27 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-01-17 08:26 . 2008-01-17 08:26 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\nView_Profiles
2008-01-16 22:43 . 2004-08-04 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-16 22:40 . 2008-01-29 17:48 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-16 22:40 . 2008-01-16 22:41 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-16 22:22 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-16 21:59 . 2008-01-16 22:03 <DIR> d-------- C:\Program Files\Panicware
2008-01-16 12:23 . 2008-01-16 12:23 <DIR> d-------- C:\WINDOWS\Sun
2008-01-16 10:17 . 2008-01-23 23:46 <DIR> d-------- C:\Shared
2008-01-16 10:17 . 2008-01-26 12:31 <DIR> d-------- C:\Documents and Settings\Brad\Incomplete
2008-01-16 10:17 . 2008-01-28 12:53 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\LimeWire
2008-01-16 10:02 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-16 10:00 . 2008-01-16 10:00 382,352 --a------ C:\jre-6u3-windows-i586-p-iftw.exe
2008-01-15 20:57 . 2008-01-15 20:57 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\TuneUp Software
2008-01-15 20:57 . 2008-01-15 20:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\TuneUp Software
2008-01-15 20:57 . 2006-12-19 16:53 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-15 15:47 . 2008-01-15 15:49 <DIR> d-------- C:\Program Files\Cheetah Burner
2008-01-15 11:37 . 2002-10-29 13:22 7,832,561 --a------ C:\E6712v1.2.pdf
2008-01-15 11:36 . 2008-01-15 11:37 6,744,126 --a------ C:\E6712v1.2.exe
2008-01-14 21:29 . 2008-01-14 21:29 <DIR> d-------- C:\Program Files\MagicISO
2008-01-14 18:33 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-14 10:45 . 2008-01-14 10:45 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\HP
2008-01-14 09:20 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-14 09:20 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-01-14 09:16 . 2001-08-17 12:12 117,760 --a------ C:\WINDOWS\system32\drivers\e100b325.sys
2008-01-14 09:16 . 2001-08-17 12:12 117,760 --a--c--- C:\WINDOWS\system32\dllcache\e100b325.sys
2008-01-14 09:15 . 2001-08-17 13:28 347,550 --a------ C:\WINDOWS\system32\drivers\es56tpi.sys
2008-01-14 09:15 . 2001-08-17 13:28 347,550 --a--c--- C:\WINDOWS\system32\dllcache\es56tpi.sys
2008-01-14 09:15 . 2004-08-03 23:07 42,240 --a------ C:\WINDOWS\system32\drivers\VIAAGP.SYS
2008-01-14 09:15 . 2004-08-03 23:07 42,240 --a--c--- C:\WINDOWS\system32\dllcache\viaagp.sys
2008-01-14 09:15 . 2004-08-03 23:08 20,480 --a------ C:\WINDOWS\system32\drivers\usbuhci.sys
2008-01-14 09:15 . 2004-08-03 23:08 20,480 --a--c--- C:\WINDOWS\system32\dllcache\usbuhci.sys
2008-01-14 09:15 . 2004-08-03 22:59 5,376 --a------ C:\WINDOWS\system32\drivers\viaide.sys
2008-01-14 09:15 . 2004-08-03 22:59 5,376 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2008-01-14 09:15 . 2001-08-17 12:19 3,712 --a------ C:\WINDOWS\system32\drivers\ctljystk.sys
2008-01-14 09:15 . 2001-08-17 12:19 3,712 --a--c--- C:\WINDOWS\system32\dllcache\ctljystk.sys
2008-01-13 17:22 . 2008-01-13 17:24 7,850,453 --a------ C:\FXTS2Install.EXE
2008-01-13 17:20 . 2008-01-13 21:54 <DIR> d-------- C:\Program Files\FXDD - MetaTrader 4
2008-01-13 17:20 . 2008-01-13 17:20 3,564,216 --a------ C:\mt4setup.exe
2008-01-13 17:19 . 2008-01-13 17:19 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\VTSystems
2008-01-13 09:37 . 2008-01-24 14:00 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-13 09:37 . 2008-01-13 09:37 <DIR> d-------- C:\Documents and Settings\Brad\Application Data\PC Tools
2008-01-13 09:37 . 2008-01-25 13:36 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-01-13 09:37 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-13 09:37 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-13 09:37 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-13 09:37 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-13 08:50 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-13 08:37 . 2007-02-28 02:10 2,180,352 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-13 08:37 . 2007-02-28 02:08 2,136,064 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-13 08:37 . 2007-02-28 01:38 2,057,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 02:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 16:56 --------- d-----w C:\Program Files\DiscWizard for Windows
2008-01-13 00:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-12 22:49 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-12 22:49 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-05 08:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpStopperProfessional"="C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE" [2005-06-02 16:06 516096]
"Startup Manager"="C:\Program Files\Advanced System Optimizer\startUp manager.exe" [2007-06-22 11:55 919280]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-08 20:52 579072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-08 20:52 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTrayContextMenu"= 0 (0x0)

R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 05:00]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2001-08-17 05:19]
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 06:28]
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys [2002-10-21 11:37]
S2 HHWB;Security Service;C:\WINDOWS\system32\svcd\svchost.exe []
S2 perfmons;perfmons Service;C:\WINDOWS\system32\perfs.exe []
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys []
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [2002-07-25 11:19]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 00:17:32 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 09:32:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
.
**************************************************************************
.
Completion time: 2008-01-30 9:34:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 16:34:19
ComboFix2.txt 2008-01-29 01:03:35
.
2008-01-17 19:33:35 --- E O F ---

#8 biggB (Topic Starter)

Posted 30 January 2008 - 03:09 PM

The Kaspersky log is too big to post. What is the size limit on posts? I will need to split it up into several sections as it is almost 2 MB.

#9 Buckeye_Sam (Malware Expert)

Posted 30 January 2008 - 05:06 PM

You can just attach it as a text file.


========================================================

#10 biggB (Topic Starter)

Posted 30 January 2008 - 07:01 PM

O.K. Here it is:

#11 Buckeye_Sam (Malware Expert)

Posted 30 January 2008 - 07:17 PM

Please run SDFix once again and post that log.
Also post a new HijackThis log.


========================================================

#12 biggB (Topic Starter)

Posted 30 January 2008 - 07:30 PM

Sorry about that, still trying to get used to the system. Here is the Kaspersky log.

Attached Files



#13 biggB (Topic Starter)

Posted 30 January 2008 - 08:09 PM

Here are SDFix and HJT:


SDFix: Version 1.133

Run by Brad on Wed 01/30/2008 at 05:53 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\comsa32.sys - Deleted



Folder C:\Temp\tn3 - Removed


Removing Temp Files...

ADS Check:




Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 18:02:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 1 Jan 2008 52 A..H. --- "C:\Program Files\STOPzilla!\swin32z.sys"
Wed 16 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"

Finished!

------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:44 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
O4 - HKCU\..\Run: [Startup Manager] C:\Program Files\Advanced System Optimizer\startUp manager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Br...OCX/flashax.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Security Service (HHWB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4878 bytes

#14 Buckeye_Sam (Malware Expert)

Posted 31 January 2008 - 04:22 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O23 - Service: Security Service (HHWB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)



Reboot and post a new HijackThis log.
Let me know how your computer is behaving now.


========================================================
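Why a helper singles out exactly those two O23 lines is worth spelling out. The following checker is an added example, not code from this thread or from HijackThis: it parses O23 service entries in the layout the log above uses and flags the three indicators both lines share or nearly share (the binary is marked "(file missing)", the publisher is "Unknown owner" for something under system32, and a core Windows binary name such as svchost.exe sits outside its normal folder). The list of core binary names is my assumption; the sample lines are copied from the HJT log posted above.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# O23 line layout as printed by HijackThis 2.x in the log above:
#   O23 - Service: <display name> (<service name>) - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumed list: binaries that legitimately live directly in %WINDIR%\system32.
# A file with one of these names in any other folder (e.g. system32\svcd\) is
# a masquerade, which is what the HHWB entry in the log shows.
CORE_SYSTEM_BINARIES = {
    "svchost.exe", "services.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "smss.exe",
}


@dataclass
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one HijackThis O23 line; return None for any other line type."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        display=m["display"], name=m["name"], owner=m["owner"],
        path=m["path"], file_missing=m["missing"] is not None,
    )


def suspicious_reasons(entry: ServiceEntry) -> list[str]:
    """Return the indicators that make an O23 entry worth a second look."""
    reasons = []
    p = PureWindowsPath(entry.path)
    in_system32 = "system32" in (part.lower() for part in p.parts)
    parent_is_system32 = p.parent.name.lower() == "system32"

    if entry.file_missing:
        reasons.append("orphaned: registered binary no longer exists")
    if entry.owner == "Unknown owner" and in_system32:
        reasons.append("unknown publisher for a binary under system32")
    if p.name.lower() in CORE_SYSTEM_BINARIES and not parent_is_system32:
        reasons.append(f"{p.name} outside its normal system32 location")
    return reasons


def triage(log_lines: list[str]) -> dict[str, list[str]]:
    """Map service name -> reasons for every O23 entry that raised at least one."""
    flagged = {}
    for line in log_lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


# Sample O23 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Security Service (HHWB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
""".strip().splitlines()

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Only HHWB and perfmons come out flagged; the RichVideo entry also has an unknown owner, but it lives under Program Files and its binary exists, which is why the helper left it alone.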

#15 biggB (Topic Starter)

Posted 01 February 2008 - 12:03 PM

Thanks much Sam, my computer is running a lot faster and I'm not getting the popups now when on the net. I must say you know your stuff. I will make a donation to you as soon as I can. Thanks again. Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:29 AM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
O4 - HKCU\..\Run: [Startup Manager] C:\Program Files\Advanced System Optimizer\startUp manager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Br...OCX/flashax.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Security Service (HHWB) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 4877 bytes



