
Core.cache.dsk



#1 Caspersim

Caspersim

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Global
  • Local time:09:26 PM

Posted 14 February 2008 - 09:48 PM

Thank you ahead for your time on this matter. I see that this is not a new topic, but they all seem very specific to each user, so here goes.
Ran all forms of software (Ad-Aware, Spybot, AVG, etc.) and nothing deletes core.cache.dsk.
So I ran HijackThis and ComboFix; here are the scans.
I did follow directions from a few different users, but most of the fixes are individual to each pc.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:30 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Brian\Desktop\HiJackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4088 bytes




And ComboFix.

ComboFix 08-02-15.1 - Brian 2008-02-14 19:19:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1661 [GMT -7:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\tapee.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\tapee.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_TAPEE
-------\tapee


((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-14 19:00 . 2008-02-14 19:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-14 18:56 . 2008-02-14 19:05 <DIR> d-------- C:\SDFix
2008-02-14 16:53 . 2008-02-14 16:53 <DIR> d-------- C:\VundoFix Backups
2008-02-14 16:39 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-02-14 16:39 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-02-14 16:39 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-02-14 16:39 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-02-13 23:48 . 2008-02-13 23:48 101 --a------ C:\WINDOWS\wininit.ini
2008-02-13 23:19 . 2008-02-13 23:18 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-13 23:19 . 2008-02-13 23:19 3,442 --a------ C:\WINDOWS\unins000.dat
2008-02-13 23:06 . 2008-02-13 23:06 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-13 23:06 . 2008-02-14 18:56 <DIR> d-------- C:\Documents and Settings\Brian\Application Data\AVG7
2008-02-13 23:06 . 2008-02-13 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-13 23:06 . 2008-02-13 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-13 22:53 . 2008-02-13 22:53 <DIR> d-------- C:\Program Files\Unlocker
2008-02-13 21:57 . 2008-02-13 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(3)
2008-02-13 20:22 . 2008-02-13 20:22 <DIR> d-------- C:\Program Files\FRISK Software
2008-02-13 20:22 . 2008-02-13 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FRISK Software
2008-02-13 17:24 . 2008-02-13 17:24 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-10 14:15 . 2008-02-13 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft(2)
2008-02-06 08:27 . 2001-11-26 00:00 40,448 --a------ C:\WINDOWS\system32\dsofile.dll
2008-02-06 08:26 . 2008-02-06 08:28 <DIR> d-------- C:\Program Files\Winsim
2008-01-22 09:15 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-01-22 09:15 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-01-22 09:15 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-22 09:15 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-19 15:47 . 2008-01-19 15:47 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-19 15:47 . 2008-01-19 15:47 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-14 06:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-14 05:43 --------- d-----w C:\Documents and Settings\Brian\Application Data\uTorrent
2008-02-10 22:40 --------- d-----w C:\Program Files\Lexmark 3100 Series
2008-02-08 23:37 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-08 23:37 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-06 15:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 18:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-30 02:33 --------- d-----w C:\Program Files\Foxit
2007-12-30 02:31 --------- d-----w C:\Documents and Settings\Brian\Application Data\MSNInstaller
2007-12-27 21:55 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-27 01:12 22,328 ----a-w C:\Documents and Settings\Brian\Application Data\PnkBstrK.sys
2007-12-27 01:02 --------- d-----w C:\Program Files\Activision
2007-12-23 20:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-23 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Christmasville
2007-12-23 02:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 08:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 10:22 1822720 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 09:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 09:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 09:43 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 19:33 106496]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 07:57 294912]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-13 23:06 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-13 23:06 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-11-11 10:28:01 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2007-11-11 10:27:57 106496]

R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\WINDOWS\system32\DRIVERS\l151x86.sys [2007-07-03 04:06]
S3 PciCon;PciCon;D:\PciCon.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 19:21:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
.
**************************************************************************
.
Completion time: 2008-02-14 19:22:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 02:22:51
.
2008-02-14 06:23:59 --- E O F ---
"History records that the money changers have used every form of abuse,
intrigue, deceit, and violent means possible to maintain their control over
governments by controlling the money and its issuance."

~ 4th US President James Madison


 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:26 PM

Posted 15 February 2008 - 05:43 PM

Hello Caspersim,

Welcome to Bleeping Computer :blink:

Are you still having problems? Your logs look good, but that's not a tell all. :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Caspersim


Posted 15 February 2008 - 07:07 PM

I think it is fixed. But damnit! I hate when things like this happen (it's good that it is fixed), but I swear the file core.cache.dsk was in my computer last night. I posted on the forum, and went to bed. Today, I ran no scans, nothing, and now it is magically fixed?
I searched for the file just now and it is gone. But how?
Thank you for your time on this, sorry for wasting it.

#4 teacup61


Posted 15 February 2008 - 07:20 PM

Hello,

ComboFix fixed it, and oftentimes it won't go away until after a reboot. You did good. :thumbsup: Don't be sorry, and you didn't waste my time. That was a serious infection, and you need to know if it's gone. :wacko:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Is your computer behaving normally now? :blink:

tea

#5 Caspersim


Posted 15 February 2008 - 07:32 PM

Everything is fine. No more pop-ups, and the file is gone. Thank you for your time, teacup.

#6 teacup61


Posted 15 February 2008 - 07:45 PM

You're most welcome.

Take care!
tea

#7 teacup61


Posted 20 February 2008 - 08:56 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.