Core.cache.dsk - I Have It Bad


17 replies to this topic

#1 camelx

camelx

  • Members
  • 15 posts

Posted 05 February 2008 - 03:22 PM

Here is my Hijackthis log and ComboFix logs as per instructions from this board. Thank you so much in advance!!!!!!!!!!!!



Edited by camelx, 05 February 2008 - 04:54 PM.



#2 camelx

camelx
  • Topic Starter

  • Members
  • 15 posts

Posted 05 February 2008 - 05:46 PM

While waiting for a response and reading along with other help, here's my SmitFraudFix log. Hope it helps.

SmitFraudFix v2.281

Scan done at 13:59:51.84, Tue 02/05/2008
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
TypeLib Not Found.
Error while deleting C:\Program Files\STOPzilla!\SZIEBHO.dll.
C:\WINDOWS\system32\WPDShServiceObj.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/100 VE Network Connection
DNS Server Search Order: 10.4.20.41
DNS Server Search Order: 10.4.20.42

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3AE885BE-6742-42C5-A7ED-637A0B26A1CA}: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5B6F87F2-7FC0-4C9B-B721-245CC2DAD5AF}: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3AE885BE-6742-42C5-A7ED-637A0B26A1CA}: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5B6F87F2-7FC0-4C9B-B721-245CC2DAD5AF}: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3AE885BE-6742-42C5-A7ED-637A0B26A1CA}: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5B6F87F2-7FC0-4C9B-B721-245CC2DAD5AF}: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3AE885BE-6742-42C5-A7ED-637A0B26A1CA}: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5B6F87F2-7FC0-4C9B-B721-245CC2DAD5AF}: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.4.20.41 10.4.20.42
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.4.20.41 10.4.20.42


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#3 camelx

camelx
  • Topic Starter

  • Members
  • 15 posts

Posted 05 February 2008 - 06:53 PM

And here's the AVG Anti-Virus report - no viruses.


"General properties" ""
"Report name" "Selected Areas Test"
"Start time" "2/5/2008 2:55:48 PM"
"End time" "2/5/2008 4:47:39 PM (total: 1:51:49.10 hrs)"
"Launch method" "Scanning launched manually"
"Scanning result" "No threats found"
"Report status" "Scanning completed successfully"
" " ""
"Object summary" ""
"Scanned" "248190"
"Threats Found" "0"
"Cleaned" "0"
"Moved to vault" "0"
"Deleted" "0"
"Errors" "0"
"C:\WINDOWS\system32\drivers\etc\hosts" "Change" "Changed"

#4 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 05 February 2008 - 08:01 PM

Hi and welcome,

Thanks for the logs.

Couple of questions:

Do you recognize these logon scripts? Are they to do with work?
I gather \\ihs is part of a network you access?

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Shutdown\0\0]
"Script"=pwrmgmt.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ihs\netlogon\setpass\setpass.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3609080306-1671255945-596033090-4988\Scripts\Logon\0\0]
"Script"=logon.bat

The first one looks to be part of a power management policy, the second seems to do with password settings, the 3rd -- seems a 'typical' logon script when logging into a domain.
They look normal -- but I just need to know if you recognize them.

Looks like at one time or another you had Trend Micro's Security package -- but since uninstalled. Correct?

What drives are G & J?

And...
It looks as though you did a recent Windows Update. Correct?
I ask because your logs show lots of changes and that is unusual unless you performed a bunch of updates.

-----------------------------

notes:

You will need to re-install your STOPzilla -- SmitFraudFix took out part of it during the repair process.
Much easier to just re-install the program rather than try & fix it.

-------------------------------

OK... onto removing what I know is bad.

Open notepad and copy the following text to it:

driver::
diskk

folder::
C:\temp\tn3
C:\WINDOWS\system\DRIVER

file::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\diskk.sys

dirlook::
C:\WINDOWS\ms

Save this file as CFScript.txt to the desktop. Don't use it yet.

Once saved, disable TeaTimer like this:

Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

1.) Open Spybot and click on Mode and check Advanced Mode
2.) Check yes to next window.
3.) Click on Tools in bottom left hand corner.
4.) Click on System Startup icon.
5.) Uncheck Teatimer box.
6.) Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

Reset TeaTimer like this:

Download this file and save it:
http://downloads.subratam.org/ResetTeaTimer.bat

Once saved, double-click it and allow it to run.
Leave TeaTimer off till we are done, please.

Exit all running programs -- especially any antimalware programs.

Drag CFScript.txt on top of ComboFix.exe

like this:

[screenshot of CFScript.txt being dragged onto ComboFix.exe was here]

Post the new C:\Combofix.txt along with a new Hijackthis log.

Let me know how machine is running.
Answer best you can what I asked you at beginning of my post.

thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
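The CFScript text in this post uses a simple directive format: a line ending in `::` names an action (driver, folder, file, dirlook) and the lines under it are its arguments. The Python below is an added example written for this page, not ComboFix code and not from this thread's participants; the section-parsing rule is my reading of the text above, and `check_artifacts` only asks the filesystem whether the listed paths are present, which is the same check camelx later does by hand in the drivers directory. The script text is the one from this post, embedded as constructed input.

```python
import os

# Constructed sample: the CFScript Blender asked camelx to save, copied from this thread.
CFSCRIPT_TEXT = r"""
driver::
diskk

folder::
C:\temp\tn3
C:\WINDOWS\system\DRIVER

file::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\diskk.sys

dirlook::
C:\WINDOWS\ms
"""


def parse_cfscript(text):
    """Split CFScript-style text into {directive: [entries]}.

    Assumption (my reading of the format, not ComboFix documentation): a line
    ending in '::' opens a section; every non-blank line until the next such
    header belongs to that section. Directive names are lower-cased.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        else:
            raise ValueError(f"entry before any directive: {line!r}")
    return sections


def check_artifacts(sections, exists=os.path.exists):
    """Return {path: present?} for every path the script names.

    `exists` is injectable so the check can be run against a test tree or a
    stub instead of the live C:\\ drive. The driver:: entries name kernel
    services, not paths, so they are not checked here.
    """
    report = {}
    for directive in ("file", "folder", "dirlook"):
        for path in sections.get(directive, []):
            report[path] = exists(path)
    return report


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT_TEXT)
    print("drivers named:", parsed["driver"])
    # Stand-in for the real filesystem: pretend only diskk.sys is present.
    fake_exists = lambda p: p.endswith("diskk.sys")
    for path, present in check_artifacts(parsed, exists=fake_exists).items():
        print(("PRESENT " if present else "absent  ") + path)
```

A user-mode existence check like this sees files carrying the hidden attribute, but, as Blender notes in a later reply, a driver that hides its own files from normal-mode API calls can make them appear absent; a negative result here is a hint, not proof, which is why the safe-mode run and the ComboFix quarantine listing are the authoritative record.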

#5 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 05 February 2008 - 08:06 PM

Hang on a moment, camelx, I have an edit to do.

Thanks :thumbsup:

Reply here please if you've seen this message before doing the above.

#6 camelx

camelx
  • Topic Starter

  • Members
  • 15 posts

Posted 05 February 2008 - 08:30 PM

Oops!! I just saw your final reply, but NOT before I did the cut and paste with ComboFix!

Yes, the logon scripts are fine with ihs.com stuff, and I have full permission from the sys admin to try and fix the box, thanks to you.

Correct on Trend Micro; uninstalled it today and now use the AVG free version.

Yes, those were other local drives, the two you mentioned.

I flipped the STOPzilla service to manual and stopped it; I considered it worthless and a pain in this process.

#7 camelx

camelx
  • Topic Starter

  • Members
  • 15 posts

Posted 05 February 2008 - 08:34 PM

I have noticed that - SO FAR - in the past 5 mins, NO popups from IE. I also checked the windows\system32\drivers dir for core.cache.dsk and diskk.sys, and they are NOT there.

#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 05 February 2008 - 08:58 PM

Hi,

I am pretty sure those files are there....
They are normally hidden unless in SAFE mode.

Did you run ComboFix already?

If so -- post the log please.
If not -- let me know & we'll revise it.

thanks :thumbsup:

#9 camelx

camelx
  • Topic Starter

  • Members
  • 15 posts

Posted 05 February 2008 - 09:33 PM

Blender

First off, thanks a million!

I was still at work working on that with you until 6:45pm and had to leave to pick up my son. I will say I had Mozilla up for 25 mins and IE up for 10 mins with NOT ONE IE popup instance. Before I left, I ran Spybot, because it would ALWAYS identify SmitFraud, so if it comes out clean when I see it in the morning, then you probably nailed it - the diskk.sys file (in my case). I also left my Mozilla up; in the past if I did that I would have 10s of 10s of IE browser windows.

When ComboFix rebooted and ran after the reboot, it did not come up with a ComboFix text file. I noticed AVG was coming up while ComboFix was finishing and I right-clicked and closed AVG - this may have interfered with the smooth completion of ComboFix.

As for not seeing core.cache.dsk, well, I could always find it in normal mode in the past; it would show up after I ran a browser. I wasn't ever really noticing diskk.sys, so I can't say about that one; however, neither is there now.

SO....in the morning should I...

1) re-run ComboFix and send the log back here?
2) I will post results of Spybot and if there are any IE windows.

---------------------

On a side note:

1) how can we, the normal guys, learn about what to look for in the combofix log? or is that just after a lot of experience?
2) is there some guide to it?
3) I'm sure it's just a matter of time before there is a couple of fixes that will nail this thing, until now, I hope you guys can get your just reward.
4) I will be donating tomorrow for this and damn happy to do so. You guys are a great help and should get so much more.

Thanks again my friend,
camelx

#10 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 05 February 2008 - 09:55 PM

hi,

Sorry for not getting back sooner..
I'm doing other logs too.

Seems we got it. Popups being gone -- tells me we are likely near finished. :thumbsup:
Check to see if Combofix did make a new log.
Should be here if it did:

C:\Combofix.txt

If not -- possibly here:

C:\combofix\log.txt

Please attach this file: (it will show me diskk.sys and whatever else was removed)

C:\qoobox\quarantined_files.txt

No -- shouldn't need to do another combofix run.

I'd like to do an online scan to ensure we got everything...

Run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Don't freak out if F-Secure picks up on stuff in c:\qoobox -- that is combofix's backups. :wacko:
We'll purge that out when we know we are done with the tools.

On a side note:

1) how can we, the normal guys, learn about what to look for in the combofix log? or is that just after a lot of experience?
2) is there some guide to it?
3) I'm sure it's just a matter of time before there is a couple of fixes that will nail this thing, until now, I hope you guys can get your just reward.
4) I will be donating tomorrow for this and damn happy to do so. You guys are a great help and should get so much more.


1.) Reading ComboFix results comes with a lot of training -- it is not a tool to be used for general cleanup and so on without experienced help.
It is one powerful tool and if used improperly -- it can trash an OS pretty quick.
2.) Basic guide here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
It does not show one how to read it though -- that is private info.
ComboFix has a lot of routines to it that need to be protected from the bad guys.
3.) No matter what happens -- we don't give up.
The war against malware will always be there, but we hope to educate more and more users on prevention to help prevent repeat occurrences.
4.) Thanks for the consideration. Much appreciated. But please hang off till we are sure the computer is clean because I hate to see PayPal or similar in use if there is a keylogger present.

thanks :blink:

#11 camelx

camelx
  • Topic Starter

  • Members
  • 15 posts

Posted 06 February 2008 - 11:05 AM

Blender

I think it looks good, here's the combofix.txt from the c:\combofix directory:

ComboFix 08-02.03.1 - eqa04214 2008-02-05 18:11:42.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.87 [GMT -7:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\diskk.sys
.


-----------------------------------------
And here's the ComboDel.txt from the same dir:

Files to Move:
C:\WINDOWS\system32\drivers\core.cache.dsk|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
C:\WINDOWS\system32\drivers\diskk.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\diskk.sys.vir
C:\WINDOWS\system32\drivers\core.cache.dsk|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
C:\WINDOWS\system32\drivers\core.cache.dsk|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir

__________________

So if it all looks good to you, then I'll do all the actions recommended by you to close it out. I'm thinking of:

1) clean out all existing Restore Points (the disable/reboot/re-enable trick) and make a new one "after fix".
2) run a full virus scan
3) run Spybot and others recommended by you
4) CCleaner and/or ATF Cleaner

Thanks!!!!!!!!!!!

#12 camelx

camelx
  • Topic Starter

  • Members
  • 15 posts

Posted 06 February 2008 - 01:22 PM

So far still great, and here's my log for my full AVG antivirus scan:

The couple of files it found a virus in, I deleted prior to its cleaning.

<history>
<!-- 01c867e5771d4dc0 -->
<rec time="2008/02/05 10:54:22" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avgcc:506-497;avgui:507-503;avgw:506-502;email:512-501;fshmfx86:510-473;kernel:510-501;lngus:508-501;update:516-503;</attr>
</rec>
<rec time="2008/02/05 10:55:09" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:1258-1205;banner:489-100;iavi:1270-1147;</attr>
</rec>
<rec time="2008/02/05 10:55:27" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">setup:510-503;</attr>
</rec>
<rec time="2008/02/05 10:55:56" user="eqa04214" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/05 11:02:17" user="eqa04214" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BAOKZL51\2900229[1].htm</attr>
<attr name="type">@EID_Fi_vir</attr>
<attr name="what">JS/Downloader.Agent</attr>
</rec>
<rec time="2008/02/05 12:38:00" user="eqa04214" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">E:\F-Secure.Internet.Security.2006.rar</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic8.DGN</attr>
</rec>
<rec time="2008/02/05 12:38:04" user="eqa04214" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">2</attr>
</rec>
<rec time="2008/02/05 12:38:07" user="eqa04214" source="Virus">
<value>@HL_ActionTakenFailed</value>
<attr name="filename">C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BAOKZL51\2900229[1].htm</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2008/02/05 14:55:48" user="eqa04214" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_13</attr>
</rec>
<rec time="2008/02/05 16:47:41" user="eqa04214" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_13</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2008/02/06 08:45:26" user="eqa04214" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2008/02/06 08:52:44" user="eqa04214" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\user\Desktop\catchme.zip</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">BackDoor.Generic9.OEP</attr>
</rec>
<rec time="2008/02/06 09:26:01" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">iavi:1272-1270;</attr>
</rec>
<rec time="2008/02/06 10:51:56" user="eqa04214" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">E:\F-Secure.Internet.Security.2006.rar</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic8.DGN</attr>
</rec>
<rec time="2008/02/06 11:07:56" user="eqa04214" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_12</attr>
</rec>
<rec time="2008/02/06 11:08:06" user="eqa04214" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">E:\F-Secure.Internet.Security.2006.rar</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic8.DGN</attr>
</rec>
<rec time="2008/02/06 11:08:06" user="eqa04214" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_12</attr>
<attr name="infectedfiles">1</attr>
</rec>
<rec time="2008/02/06 11:17:47" user="eqa04214" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">2</attr>
</rec>
</history>

#13 camelx

camelx
  • Topic Starter

  • Members
  • 15 posts

Posted 06 February 2008 - 05:27 PM

And hopefully my final HijackThis log: (are all the 'O2' BHOs okay?)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:22, on 2008-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\slClient.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_01\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\YzShadow\YzShadow.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://thesource.ihs.com/Pages/default.aspx
O15 - Trusted Zone: http://insight2.ihs.com
O15 - Trusted Zone: http://webapps.ihs.com
O15 - Trusted Zone: http://*.hosted.internal.corp
O15 - Trusted Zone: http://*.ihs.internal.corp
O15 - Trusted Zone: http://eng2pweb03.ihs.internal.corp
O15 - Trusted Zone: http://epp.ihs.internal.corp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://webmail.ihs.com/iNotes6.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0281d01efb90ed...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201802172757
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198184875921
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ihs.internal.corp
O17 - HKLM\Software\..\Telephony: DomainName = ihs.internal.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ihs.internal.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ihs.internal.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ihs.internal.corp
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = ihs.internal.corp
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: IHS Intra/Spex Version 2 (IntraSpexSvc) - Information Handling Services, Inc. - C:\Inetpub\wwwroot\IntraSpex\IntraSpex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Software Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - ScriptLogic Software Corporation - (no file)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)

--
End of file - 9311 bytes

#14 camelx

camelx
  • Topic Starter

  • Members
  • 15 posts

Posted 08 February 2008 - 11:37 AM

Blender!!!!!!!!!!!!!

Where did you go?????????

Been waiting for follow-up for a few days now; however, I think it's all good now.

#15 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 08 February 2008 - 03:42 PM

Hi,

sorry for delay -- I've had some internet connection issues and I screwed up my back so been groggy lol.

Log looks pretty good.

You can fix these entries:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0281d01efb90ed...ip/RdxIE601.cab
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -

Start Hijackthis
run system scan and check the above 3 entries.
Click "fix checked" and OK.
Exit Hijackthis & reboot.

Post one more Hijackthis log please.

Hold off on resetting system restore till you know all is well.

Few questions:

Spybot scan clean other than cookies?

Can you confirm for me this file is truly missing?

c:\program files\windows media connect\mswmccds.exe

I see one entry in your log pointing to SuperAntispyware.. still have that or did you uninstall it?
It is an OK program -- just looking at possibility of some leftovers that didn't get removed if you uninstalled it.

--------------------------

While waiting on me to get back --
You have some old Java installed -- this presents security risks.
I recommend to uninstall all versions of Java, then get the new one.
There may be several Java versions listed in Add/Remove.

Do reboot before installing new.

New one can be downloaded here:

http://www.java.com/en/download/index.jsp

Also make sure you have the latest QuickTime/iTunes.
There are exploits out for older versions of it as well.
As with Java -- uninstall the old> reboot> install new.

Acrobat reader -- same thing.
Uninstall old> reboot> install new.

Acrobat reader download is here:

http://www.adobe.com/products/acrobat/readstep2.html

Uncheck google toolbar if you don't want it before the install.

Let me know how it goes

thanks :thumbsup:
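Blender's read of the HijackThis log above comes down to a few mechanical checks: O16 (ActiveX/DPF) entries that carry no descriptive name or no download URL, and any entry whose target is marked "(file missing)" or "(no file)", are stale and safe to fix. The Python below is an added example written for this page; it is not HijackThis code and the heuristics are mine, modelled on the three O16 lines Blender picked out, not the tool's own logic. The sample lines are copied from the log camelx posted in this thread and embedded as constructed test input.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_01\bin\ssv.dll (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0281d01efb90ed...ip/RdxIE601.cab
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - ScriptLogic Software Corporation - (no file)
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O16"
    reason: str    # why the entry is worth fixing
    line: str      # the original log line


# Every HijackThis entry starts with its section code.
SECTION_RE = re.compile(r"^(O\d+) - ")

# O16 layout as it appears in the log: CLSID, optional "(name)", then " - URL".
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}"
    r"(?: \((?P<name>[^)]*)\))?"
    r" -\s*(?P<url>\S*)$"
)

# Markers HijackThis appends when the referenced file does not exist.
MISSING_MARKERS = ("(file missing)", "(no file)")


def triage_line(line):
    """Return a Finding for a suspicious entry, or None if it looks routine."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    section = m.group(1)
    if section == "O16":
        o16 = O16_RE.match(line)
        if o16 is None:
            return Finding(section, "unparseable O16 entry", line)
        problems = []
        if o16.group("name") is None:
            problems.append("no descriptive name")
        if not o16.group("url"):
            problems.append("no download URL")
        if problems:
            return Finding(section, "DPF entry with " + " and ".join(problems), line)
        return None
    for marker in MISSING_MARKERS:
        if marker in line:
            return Finding(section, f"entry points at a file that is not present {marker}", line)
    return None


def triage(log_text):
    """Run triage_line over a whole log and collect the findings in order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample, it flags exactly the three O16 lines Blender listed plus the "(file missing)" / "(no file)" entries; the Adobe BHO, the BitDefender scanner control and the iPod service pass. These rules only catch stale references; an entry with a plausible name, a live URL and a file on disk still needs a human (or reputation data) to judge it, which is why the helpers here insist the logs be read by someone trained on them.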



