Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Core.cache.dsk


  • This topic is locked This topic is locked
22 replies to this topic

#1 phi1097

phi1097

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 28 March 2008 - 09:16 AM

I can't get rid of core.cache.dsk

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:47 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jyhefkxw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jyhefkxw.dll"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [946ad6d0] rundll32.exe "C:\WINDOWS\system32\gvtakaqs.dll",b
O4 - HKLM\..\Run: [BM9759e54c] Rundll32.exe "C:\WINDOWS\system32\ddioaxiw.dll",s
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-766063241-1414189709-1275517655-1009\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User '?')
O4 - HKUS\S-1-5-21-766063241-1414189709-1275517655-1009\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7341 bytes

BC AdBot (Login to Remove)

 


m

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:13 AM

Posted 06 April 2008 - 09:49 PM

Hello phi1097,

Since it has been a few days, please post a new HijackThis log.

Thank you for your patience.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:13 AM

Posted 18 April 2008 - 12:35 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

Edited by SifuMike, 18 April 2008 - 12:36 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 phi1097

phi1097
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 19 April 2008 - 01:13 PM

I can't get rid of core.cache.dsk

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:47 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jyhefkxw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jyhefkxw.dll"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [946ad6d0] rundll32.exe "C:\WINDOWS\system32\gvtakaqs.dll",b
O4 - HKLM\..\Run: [BM9759e54c] Rundll32.exe "C:\WINDOWS\system32\ddioaxiw.dll",s
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-766063241-1414189709-1275517655-1009\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User '?')
O4 - HKUS\S-1-5-21-766063241-1414189709-1275517655-1009\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7341 bytes

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,702 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:13 AM

Posted 19 April 2008 - 01:35 PM

Hello phi1097,

I have merged your new topic with your previous topic which I have reopened. Please post your replies concerning this issue to this thread rather than starting new topics. If you know you will be unable to respond for a while, please post a reply explaining that so your helper knows. Also, please stick to the topic until you are declared clean.

Back to you SifuMike.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:13 AM

Posted 19 April 2008 - 01:52 PM

Hello phi1097,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Sun Java Runtime Environment 6 Update 6.
  • Scroll down to where it says "Sun Java Runtime Environment 6 Update 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u5-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.


Please tell me what is finding core.cache.dsk?

Edited by SifuMike, 19 April 2008 - 01:59 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 phi1097

phi1097
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 22 April 2008 - 12:14 PM

i updated my Java.
When I run Spybot Search & Destroy it comes up as Smitfraud-C.CoreService location is C:\WINDOWS\system32\drivers\core.cache.dsk

When I run SUPERAntiSpyware:
RootKit. TNCore/Trace appears in C:\WINDOWS\system32\drivers\core.cache.dsk
Rootkit.TNCore-Installer appears in C:\WINDOWS\SYSTEM32\LOWS8|SPGD65.EXE
Rootkit.TNCore-Variant/A appears in C:\WINDOWS\SYSTEM32\DRIVERS\MFF.SYS

Also when I run Ad-Aware SE the following problems come and when i try to fix them it causes the program to freeze. They are as follows:
Win32.trojanDownloader.Agent C:\System Volume Information\_restore{202550A8-7A33-4BCA9586-051D24DDBF8F}RP225\A0031107.exe
Win32.trojanDownloader.Agent C:\System Volume Information\_restore{202550A8-7A33-4BCA9586-051D24DDBF8F}RP225\A0031108.exe
Win32.Adware.Insider C:\System Volume Information\_restore{202550A8-7A33-4BCA9586-051D24DDBF8F}RP225\A0031110.exe
Win32.Trojan.Matcash C:\System Volume Information\_restore{202550A8-7A33-4BCA9586-051D24DDBF8F}RP225\A0031111.exe


Thank you in advance RJ

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:13 AM

Posted 22 April 2008 - 12:40 PM

Hello phi1097,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 phi1097

phi1097
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 23 April 2008 - 12:16 PM

SDFix log:

SDFix: Version 1.173
Run by mm on Wed 04/23/2008 at 12:56 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\MM40FA~1.DH3\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting SecurityProviders Value

Rebooting


Checking Files :

Trojan Files Found:

C:\PROGRA~1\COMMON~1\LAVU479 - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Temp\gbRve12\csLioes.log - Deleted
C:\WINDOWS\system32\aqVreo01\aqVreo011065.exe - Deleted
C:\DOCUME~1\MM40FA~1.DH3\LOCALS~1\Temp\ac8zt2.dat - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\system32\pac.txt - Deleted



Folder C:\Temp\1cb - Removed
Folder C:\Temp\gbRve12 - Removed
Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\aqVreo01 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 13:07:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000000a4

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Documents and Settings\\mm.DH34G391\\Application Data\\printer.exe"="C:\\Documents and Settings\\mm.DH34G391\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\mm.DH34G391\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\mm.DH34G391\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Documents and Settings\\mm.DH34G391\\Application Data\\printer.exe"="C:\\Documents and Settings\\mm.DH34G391\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\mm.DH34G391\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\mm.DH34G391\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\DOCUME~1\MM40FA~1.DH3\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 29 Dec 2006 56 ..SHR --- "C:\WINDOWS\system32\AE292043F8.sys"
Sun 23 Mar 2008 1,543,339 ..SH. --- "C:\WINDOWS\system32\erikcnmw.tmp"
Fri 29 Dec 2006 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 24 Mar 2008 1,577,903 ..SH. --- "C:\WINDOWS\system32\wgcimuop.tmp"
Sun 29 Apr 2007 8 A..H. --- "C:\Documents and Settings\karen messina\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 29 Apr 2007 8 A..H. --- "C:\Documents and Settings\karen messina\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sun 29 Apr 2007 8 A..H. --- "C:\Documents and Settings\karen messina\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 29 Apr 2007 8 A..H. --- "C:\Documents and Settings\karen messina\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sun 29 Apr 2007 8 A..H. --- "C:\Documents and Settings\mm.DH34G391\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 29 Apr 2007 8 A..H. --- "C:\Documents and Settings\mm.DH34G391\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sun 29 Apr 2007 8 A..H. --- "C:\Documents and Settings\mm.DH34G391\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 29 Apr 2007 8 A..H. --- "C:\Documents and Settings\mm.DH34G391\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\ROBERT MESSINA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Fri 13 Apr 2007 8 A..H. --- "C:\Documents and Settings\ROBERT MESSINA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 21 Apr 2007 8 A..H. --- "C:\Documents and Settings\ROBERT MESSINA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 21 Apr 2007 8 A..H. --- "C:\Documents and Settings\ROBERT MESSINA\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:01 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0ddc797b-d6df-418e-9171-f221ceafcf38} - (no file)
O2 - BHO: (no name) - {106DADD2-24D3-4047-B0DD-62C79CA248BE} - (no file)
O2 - BHO: (no name) - {2700B6DD-C5A4-41E6-AD03-EB12AF8E028C} - (no file)
O2 - BHO: (no name) - {34257E78-0663-4C12-A92B-2AA7F6EB7FA9} - (no file)
O2 - BHO: (no name) - {4335CAE8-0156-29AD-5166-2E00B8B58FC8} - C:\WINDOWS\system32\ydyte.dll (file missing)
O2 - BHO: (no name) - {4400DAC8-B3DF-41A2-9E37-1B9422ED71F2} - (no file)
O2 - BHO: (no name) - {463ACFBC-5708-79A3-5766-2E00B8B5DBC3} - (no file)
O2 - BHO: (no name) - {46659EBF-0452-75A3-0A66-2E00B8B5DDCB} - (no file)
O2 - BHO: (no name) - {4AC30382-91E9-43AC-BB61-BAFCB42ED9C7} - (no file)
O2 - BHO: (no name) - {4f8f6121-e63c-411f-bf79-e4987159d78b} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {543AEB71-6810-4502-9E8C-203BDA42C954} - (no file)
O2 - BHO: (no name) - {6F419884-8A5A-4C9A-A457-59756C2255F8} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {82AF561A-7914-413E-871D-DD2AC26A00F2} - (no file)
O2 - BHO: (no name) - {8A898DF8-6505-4BD6-A75C-6A2742A42E54} - (no file)
O2 - BHO: (no name) - {97F5248B-4911-4AAA-A613-F6229D16AE24} - (no file)
O2 - BHO: (no name) - {C23F9173-98F9-46F5-8B14-008C12F41386} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: (no name) - {D2293BC1-0784-442E-A5E8-C479F6B43303} - (no file)
O2 - BHO: (no name) - {D5A3D640-9893-4E97-8DE7-024AA41793E6} - (no file)
O2 - BHO: (no name) - {d6da6f13-51e9-4f53-9bf8-2f972478e22d} - (no file)
O2 - BHO: (no name) - {e34886a4-2bd8-48b6-ab66-a1e92b37ba6f} - (no file)
O2 - BHO: (no name) - {E5B6C31B-F502-4542-88B1-CAA83960A710} - (no file)
O2 - BHO: (no name) - {EBCDD005-D776-476B-B6E0-527919F97EE5} - (no file)
O2 - BHO: (no name) - {f3590720-b5ce-4806-919c-08d3a00e3ddd} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [jyhefkxw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jyhefkxw.dll"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [BM9759e54c] Rundll32.exe "C:\WINDOWS\system32\gxdcjgaw.dll",s
O4 - HKLM\..\Run: [946ad6d0] rundll32.exe "C:\WINDOWS\system32\adeyifra.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: cbxyyxv - cbxyyxv.dll (file missing)
O20 - Winlogon Notify: iifcyvw - C:\WINDOWS\
O20 - Winlogon Notify: nnnnopm - nnnnopm.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8470 bytes

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:13 AM

Posted 23 April 2008 - 01:29 PM

Hello phi1097,

This computer is really infected, so we will probably have to use another tool besides Hijackthis to remove these infections.


Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Disable Spybot Teatimer if you have it running.
Disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.


Use Task Manager (Press Ctrl-Alt-Del to reach Task Manager) to end this running process (if you can)
rundll32.exe

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O2 - BHO: (no name) - {0ddc797b-d6df-418e-9171-f221ceafcf38} - (no file)
O2 - BHO: (no name) - {106DADD2-24D3-4047-B0DD-62C79CA248BE} - (no file)
O2 - BHO: (no name) - {2700B6DD-C5A4-41E6-AD03-EB12AF8E028C} - (no file)
O2 - BHO: (no name) - {34257E78-0663-4C12-A92B-2AA7F6EB7FA9} - (no file)
O2 - BHO: (no name) - {4335CAE8-0156-29AD-5166-2E00B8B58FC8} - C:\WINDOWS\system32\ydyte.dll (file missing)
O2 - BHO: (no name) - {4400DAC8-B3DF-41A2-9E37-1B9422ED71F2} - (no file)
O2 - BHO: (no name) - {463ACFBC-5708-79A3-5766-2E00B8B5DBC3} - (no file)
O2 - BHO: (no name) - {46659EBF-0452-75A3-0A66-2E00B8B5DDCB} - (no file)
O2 - BHO: (no name) - {4AC30382-91E9-43AC-BB61-BAFCB42ED9C7} - (no file)
O2 - BHO: (no name) - {4f8f6121-e63c-411f-bf79-e4987159d78b} - (no file)
O2 - BHO: (no name) - {543AEB71-6810-4502-9E8C-203BDA42C954} - (no file)
O2 - BHO: (no name) - {6F419884-8A5A-4C9A-A457-59756C2255F8} - (no file)
O2 - BHO: (no name) - {82AF561A-7914-413E-871D-DD2AC26A00F2} - (no file)
O2 - BHO: (no name) - {8A898DF8-6505-4BD6-A75C-6A2742A42E54} - (no file)
O2 - BHO: (no name) - {97F5248B-4911-4AAA-A613-F6229D16AE24} - (no file)
O2 - BHO: (no name) - {C23F9173-98F9-46F5-8B14-008C12F41386} - (no file)
O2 - BHO: (no name) - {D2293BC1-0784-442E-A5E8-C479F6B43303} - (no file)
O2 - BHO: (no name) - {D5A3D640-9893-4E97-8DE7-024AA41793E6} - (no file)
O2 - BHO: (no name) - {d6da6f13-51e9-4f53-9bf8-2f972478e22d} - (no file)
O2 - BHO: (no name) - {e34886a4-2bd8-48b6-ab66-a1e92b37ba6f} - (no file)
O2 - BHO: (no name) - {E5B6C31B-F502-4542-88B1-CAA83960A710} - (no file)
O2 - BHO: (no name) - {EBCDD005-D776-476B-B6E0-527919F97EE5} - (no file)
O2 - BHO: (no name) - {f3590720-b5ce-4806-919c-08d3a00e3ddd} - (no file)
O4 - HKLM\..\Run: [jyhefkxw] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\jyhefkxw.dll"
O4 - HKLM\..\Run: [BM9759e54c] Rundll32.exe "C:\WINDOWS\system32\gxdcjgaw.dll",s
O4 - HKLM\..\Run: [946ad6d0] rundll32.exe "C:\WINDOWS\system32\adeyifra.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: cbxyyxv - cbxyyxv.dll (file missing)
O20 - Winlogon Notify: iifcyvw - C:\WINDOWS\
O20 - Winlogon Notify: nnnnopm - nnnnopm.dll (file missing)


*******************************************

Please download the
OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Application Data\jyhefkxw.dll
    C:\WINDOWS\system32\gxdcjgaw.dll
    C:\WINDOWS\system32\adeyifra.dll
    C:\WINDOWS\system32\wowfx.dll


  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer, post a new Hijackthis log, OTMoveIt2 log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 phi1097

phi1097
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 23 April 2008 - 03:56 PM

File/Folder C:\Documents and Settings\All Users\Application Data\jyhefkxw.dll not found.
File/Folder C:\WINDOWS\system32\gxdcjgaw.dll not found.
File/Folder C:\WINDOWS\system32\adeyifra.dll not found.
File/Folder C:\WINDOWS\system32\wowfx.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04232008_163900



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:46 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: cbxyyxv - cbxyyxv.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6272 bytes

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:13 AM

Posted 23 April 2008 - 04:48 PM

Hi phi1097,

You have some malware that is changing names, so we will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your Trend Micro Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable Trend Micro AntiVirus from the system tray menu
1. Close the Trend Micro AntiVirus main console if it is open.
2. Right-click the Trend Micro AntiVirus icon on the lower right corner of your screen.
3. Click Exit from the menu.
4. Click Yes when the confirmation message appears.
The Trend Micro AntiVirus icon will disappear. Windows may display a popup message saying "Your computer might be at risk. Trend Micro AntiVirus - Virus Protection is turned off".
5. To turn on Trend Micro AntiVirus again, do either of the following:
Click Start > Programs or All Programs > Trend Micro Anti Virus 2007 > Trend Micro Anti Virus 2007.
Double-click the Trend Micro AntiVirus icon on your Desktop.





Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT This acts as safety net.

You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an instable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 phi1097

phi1097
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 23 April 2008 - 05:29 PM

ComboFix 08-04-22.5 - mm 2008-04-23 18:15:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.92 [GMT -4:00]
Running from: C:\Documents and Settings\mm.DH34G391\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mm.DH34G391\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\3.tmp
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\mm.DH34G391\Application Data\DOBE~1
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\ymbols~1
C:\Program Files\racle~1
C:\Program Files\racle~1\?racle\
C:\Redemption.ECF
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\WINDOWS\BM9759e54c.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.ini2
C:\WINDOWS\system32\coversqf.ini
C:\WINDOWS\system32\glirfjfs.ini
C:\WINDOWS\system32\hordalkh.ini
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\jraeauyi.ini
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\klkkj.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nvkchnbp.ini
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\rnqsfjbp.ini
C:\WINDOWS\wnsxs~1

----- BITS: Possible infected sites -----

hxxp://77.91.227.196
.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-23 16:20 . 2008-04-23 16:20 <DIR> d-------- C:\_OTMoveIt
2008-04-23 16:06 . 2008-04-23 16:06 <DIR> d-------- C:\Program Files\CCleaner
2008-04-23 12:51 . 2008-04-23 12:52 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-23 12:36 . 2008-04-21 02:33 <DIR> d-------- C:\SDFix
2008-04-22 11:30 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-22 11:29 . 2008-04-22 11:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-01 13:39 . 2008-04-01 13:39 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-29 12:01 . 2008-03-29 13:42 1,583,695 ---hs---- C:\WINDOWS\system32\wgydswcg.ini
2008-03-29 11:17 . 2008-03-29 11:18 1,583,937 ---hs---- C:\WINDOWS\system32\qmjnanrt.ini
2008-03-27 12:12 . 2008-03-29 11:12 1,583,815 ---hs---- C:\WINDOWS\system32\sqakatvg.ini
2008-03-25 15:03 . 2008-03-26 12:38 2,536,137 ---hs---- C:\WINDOWS\system32\ipbfnjrg.ini
2008-03-25 13:12 . 2008-03-27 15:08 <DIR> d-------- C:\Documents and Settings\mm.DH34G391\.housecall6.6
2008-03-25 12:44 . 2008-03-25 15:03 1,580,343 ---hs---- C:\WINDOWS\system32\gpxexwhc.ini
2008-03-25 09:47 . 2008-03-25 10:59 1,578,181 ---hs---- C:\WINDOWS\system32\arfiyeda.ini
2008-03-24 14:49 . 2008-03-24 14:49 1,577,965 ---hs---- C:\WINDOWS\system32\wgcimuop.ini2
2008-03-24 14:48 . 2008-03-24 14:49 1,577,903 ---hs---- C:\WINDOWS\system32\wgcimuop.tmp
2008-03-24 14:48 . 2008-03-24 14:49 1,577,903 ---hs---- C:\WINDOWS\system32\wgcimuop.ini
2008-03-24 14:47 . 2008-03-24 14:47 1,577,843 ---hs---- C:\WINDOWS\system32\gcttfgvj.ini
2008-03-23 14:39 . 2008-03-23 14:46 1,543,706 ---hs---- C:\WINDOWS\system32\hlopdyrm.ini
2008-03-23 13:50 . 2008-03-23 14:36 1,543,577 ---hs---- C:\WINDOWS\system32\pwwwqfsg.ini
2008-03-23 13:50 . 2008-03-23 13:51 1,543,339 ---hs---- C:\WINDOWS\system32\erikcnmw.tmp
2008-03-23 12:48 . 2008-03-23 13:31 1,543,279 ---hs---- C:\WINDOWS\system32\fsptkbgb.ini
2008-03-23 12:03 . 2008-03-23 12:03 <DIR> d-------- C:\Documents and Settings\ROBERT MESSINA\Application Data\SUPERAntiSpyware.com
2008-03-23 11:00 . 2008-03-23 12:03 1,543,426 ---hs---- C:\WINDOWS\system32\hjtgsiqn.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 15:30 --------- d-----w C:\Program Files\Java
2008-04-11 16:13 --------- d-----w C:\Documents and Settings\ROBERT MESSINA\Application Data\AdobeUM
2008-03-28 14:11 --------- d-----w C:\Program Files\Trend Micro
2008-03-23 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-21 18:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-17 12:30 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2006-12-30 01:13 56 --sh--r C:\WINDOWS\system32\AE292043F8.sys
2006-12-30 01:13 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 21:38 20553]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 21:42 1404928]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 03:02 86016]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 18:30 823362]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-29 10:10 155648]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk.disabled [2005-12-30 10:20:23 831]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-30 10:16:24 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-05-02 07:20 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyyxv]
cbxyyxv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.avrn"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.advj"= C:\PROGRA~1\ACEMEG~1\SystemS\AVIDAV~1.DLL
"vidc.mszh"= C:\PROGRA~1\ACEMEG~1\SystemS\avimszh.dll
"vidc.zlib"= C:\PROGRA~1\ACEMEG~1\SystemS\avizlib.dll
"vidc.cscd"= C:\PROGRA~1\ACEMEG~1\SystemS\camcodec.dll
"vidc.cvid"= C:\PROGRA~1\ACEMEG~1\SystemS\iccvid.dll
"msacm.trspch"= C:\PROGRA~1\ACEMEG~1\SystemS\tssoft32.acm
"vidc.em2v"= C:\PROGRA~1\ACEMEG~1\SystemS\etxcodec.dll
"vidc.mkvc"= C:\PROGRA~1\ACEMEG~1\SystemS\kmvidc32.dll
"vidc.hfyu"= C:\PROGRA~1\ACEMEG~1\SystemS\huffyuv.dll
"msacm.lameacm"= C:\PROGRA~1\ACEMEG~1\SystemS\lameacm.acm
"msacm.lhacm"= C:\PROGRA~1\ACEMEG~1\SystemS\lhacm.acm
"msacm.l3acm"= C:\PROGRA~1\ACEMEG~1\SystemS\l3codecp.acm
"vidc.sjpg"= C:\PROGRA~1\ACEMEG~1\SystemS\pmjpeg32.dll
"vidc.dmb2"= C:\PROGRA~1\ACEMEG~1\SystemS\pmjpeg32.dll
"vidc.gepj"= C:\PROGRA~1\ACEMEG~1\SystemS\pmjpeg32.dll
"vidc.qpeg"= C:\PROGRA~1\ACEMEG~1\SystemS\Qpeg32.dll
"vidc.q1.0"= C:\PROGRA~1\ACEMEG~1\SystemS\Qpeg32.dll
"msacm.sl_anet"= C:\PROGRA~1\ACEMEG~1\SystemS\sl_anet.acm
"vidc.tscc"= C:\PROGRA~1\ACEMEG~1\SystemS\tsccvid.dll
"vidc.vifp"= C:\PROGRA~1\ACEMEG~1\SystemS\vfcodec.dll
"vidc.wrpr"= C:\PROGRA~1\ACEMEG~1\SystemS\aviwrap.dll
"vidc.wnv1"= C:\PROGRA~1\ACEMEG~1\SystemS\wnvplay1.dll
"vidc.advs"= C:\PROGRA~1\ACEMEG~1\SystemS\Adaptec\Dvc.dll
"vidc.aflc"= C:\PROGRA~1\ACEMEG~1\SystemS\Autodesk\FLCCOD~1.DLL
"vidc.afli"= C:\PROGRA~1\ACEMEG~1\SystemS\Autodesk\FLCCOD~1.DLL
"vidc.aasc"= C:\PROGRA~1\ACEMEG~1\SystemS\Autodesk\Aasc32.dll
"vidc.aas4"= C:\PROGRA~1\ACEMEG~1\SystemS\Autodesk\Aasc32.dll
"vidc.asv1"= C:\PROGRA~1\ACEMEG~1\SystemS\ASUS\asusasv1.dll
"vidc.asv2"= C:\PROGRA~1\ACEMEG~1\SystemS\ASUS\asusasv2.dll
"vidc.asvx"= C:\PROGRA~1\ACEMEG~1\SystemS\ASUS\asusasv2.dll
"vidc.vcr1"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\ativcr1.dll
"vidc.vcr2"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\ativcr2.dll
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.mwv1"= C:\PROGRA~1\ACEMEG~1\SystemS\Aware\icmw_32.dll
"vidc.bt20"= C:\PROGRA~1\ACEMEG~1\SystemS\BROOKT~1\btvvc32.drv
"vidc.y41p"= C:\PROGRA~1\ACEMEG~1\SystemS\BROOKT~1\btvvc32.drv
"msacm.pcdv"= C:\PROGRA~1\ACEMEG~1\SystemS\Canopus\pcdv.acm
"vidc.cdvc"= C:\PROGRA~1\ACEMEG~1\SystemS\Canopus\CSCCDVC.DLL
"vidc.ddvc"= C:\PROGRA~1\ACEMEG~1\SystemS\Canopus\CSCdvsd.DLL
"vidc.png1"= C:\PROGRA~1\ACEMEG~1\SystemS\Core\COREPN~1.DLL
"msacm.CoreFLAC_ACM"= C:\PROGRA~1\ACEMEG~1\SystemS\Core\COREFL~1.ACM
"vidc.davc"= C:\PROGRA~1\ACEMEG~1\SystemS\dicas\davcvfw.dll
"vidc.div3"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32.dll
"vidc.div5"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32.dll
"vidc.mpg3"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32.dll
"vidc.div4"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32f.dll
"vidc.div6"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32f.dll
"vidc.ap41"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivXc32f.dll
"vidc.dvx4"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\divx4.dll
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"msacm.divxa32"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\divxa32.acm
"vidc.frwd"= C:\PROGRA~1\ACEMEG~1\SystemS\Forward\frwd.dll
"vidc.frwt"= C:\PROGRA~1\ACEMEG~1\SystemS\Forward\frwd.dll
"vidc.frwa"= C:\PROGRA~1\ACEMEG~1\SystemS\Forward\frwt.dll
"vidc.frwu"= C:\PROGRA~1\ACEMEG~1\SystemS\Forward\frwu.dll
"vidc.glzw"= C:\PROGRA~1\ACEMEG~1\SystemS\Gabest\GLZW.dll
"vidc.gpeg"= C:\PROGRA~1\ACEMEG~1\SystemS\Gabest\GPEG.dll
"vidc.i263"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\i263_32.drv
"vidc.iv30"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll
"vidc.iv31"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll
"vidc.iv32"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll
"vidc.iv33"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll
"vidc.iv34"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll
"vidc.iv35"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll
"vidc.iv36"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll
"vidc.iv37"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll
"vidc.iv38"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll
"vidc.iv39"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir32_32.dll
"vidc.iv40"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll
"vidc.iv41"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll
"vidc.iv42"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll
"vidc.iv43"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll
"vidc.iv44"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll
"vidc.iv45"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll
"vidc.iv46"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll
"vidc.iv47"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll
"vidc.iv48"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll
"vidc.iv49"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir41_32.dll
"vidc.iv50"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\ir50_32.dll
"vidc.iyuv"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.ir21"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\IR21_R.DLL
"vidc.rt21"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\IR21_R.DLL
"msacm.imc"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\IMC32.ACM
"vidc.lead"= C:\PROGRA~1\ACEMEG~1\SystemS\LEAD\LCODCCMP.DLL
"vidc.dvsd"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCDVD_32.DLL
"vidc.dvc"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCDVD_32.DLL
"vidc.dvcs"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCDVD_32.DLL
"vidc.dcmj"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCMJPG32.DLL
"vidc.avi1"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCMJPG32.DLL
"vidc.avi2"= C:\PROGRA~1\ACEMEG~1\SystemS\MAINCO~1\MCMJPG32.DLL
"vidc.dv25"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.dv50"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.msmc"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mmjp"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mtx1"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mtx2"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mtx3"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mtx4"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mtx5"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mtx6"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mtx7"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mtx8"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mtx9"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"vidc.mmes"= C:\PROGRA~1\ACEMEG~1\SystemS\Matrox\DigiVCap.dll
"msacm.msadpcm"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msadp32.acm
"msacm.imaadpcm"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\imaadp32.acm
"msacm.msg711"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msg711.acm
"msacm.msg723"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msg723.acm
"msacm.msgsm610"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msgsm32.acm
"vidc.m261"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msh261.drv
"vidc.m263"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msh263.drv
"vidc.i420"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msh263.drv
"vidc.mrle"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msrle32.dll
"vidc.uyvy"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.msvc"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msvidc32.dll
"vidc.cram"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msvidc32.dll
"vidc.mpg4"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll
"vidc.mp41"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll
"vidc.mp42"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll
"vidc.mp43"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll
"vidc.mp4s"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll
"vidc.mp4v"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\mpg4c32.dll
"vidc.wmv3"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\WMV9VCM.dll
"msacm.msaudio1"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm
"vidc.vixl"= C:\PROGRA~1\ACEMEG~1\SystemS\Miro\miroxl32.dll
"vidc.nt00"= C:\PROGRA~1\ACEMEG~1\SystemS\Newtek\ntcodec.dll
"msacm.vorbis"= C:\PROGRA~1\ACEMEG~1\SystemS\OGG\vorbis.acm
"vidc.vp30"= C:\PROGRA~1\ACEMEG~1\SystemS\ON2TEC~1\vp31vfw.dll
"vidc.vp31"= C:\PROGRA~1\ACEMEG~1\SystemS\ON2TEC~1\vp31vfw.dll
"vidc.vp60"= C:\PROGRA~1\ACEMEG~1\SystemS\ON2TEC~1\vp6vfw.dll
"vidc.vp61"= C:\PROGRA~1\ACEMEG~1\SystemS\ON2TEC~1\vp6vfw.dll
"vidc.pdvc"= C:\PROGRA~1\ACEMEG~1\SystemS\PANASO~1\idvcodec.dll
"vidc.ipdv"= C:\PROGRA~1\ACEMEG~1\SystemS\PANASO~1\idvcodec.dll
"vidc.pvw2"= C:\PROGRA~1\ACEMEG~1\SystemS\Pegasus\pvwv220.dll
"vidc.pimj"= C:\PROGRA~1\ACEMEG~1\SystemS\Pegasus\pvljpg20.dll
"vidc.mjpx"= C:\PROGRA~1\ACEMEG~1\SystemS\Pegasus\pvmjpg21.dll
"vidc.miro"= C:\PROGRA~1\ACEMEG~1\SystemS\Pinnacle\MIRODV~1.DLL
"vidc.dcap"= C:\PROGRA~1\ACEMEG~1\SystemS\Pinnacle\MIRODV~1.DLL
"vidc.mjpa"= C:\PROGRA~1\ACEMEG~1\SystemS\Pinnacle\RTMJPG~1.DLL
"vidc.gpjm"= C:\PROGRA~1\ACEMEG~1\SystemS\Pinnacle\RTMJPG~1.DLL
"vidc.pim1"= C:\PROGRA~1\ACEMEG~1\SystemS\Pinnacle\pclepim1.dll
"msacm.qmpeg"= C:\PROGRA~1\ACEMEG~1\SystemS\QDesign\qmpeg.acm
"vidc.rmp4"= C:\PROGRA~1\ACEMEG~1\SystemS\REALMA~1\rmp4.dll
"vidc.rud0"= C:\PROGRA~1\ACEMEG~1\SystemS\Rududu\rududu.dll
"msacm.at3"= C:\PROGRA~1\ACEMEG~1\SystemS\SONY\atrac3.acm
"vidc.sony"= C:\PROGRA~1\ACEMEG~1\SystemS\SONY\sonydv.dll
"vidc.dvcp"= C:\PROGRA~1\ACEMEG~1\SystemS\SONY\sonydv.dll
"vidc.s422"= C:\PROGRA~1\ACEMEG~1\SystemS\Tekram\tekyuv.dll
"vidc.t420"= C:\PROGRA~1\ACEMEG~1\SystemS\Toshiba\tsbyuv.dll
"vidc.y411"= C:\PROGRA~1\ACEMEG~1\SystemS\Toshiba\tsbyuv.dll
"vidc.vssv"= C:\PROGRA~1\ACEMEG~1\SystemS\VANGUA~1\vsscodec.dll
"msacm.voxacm160"= C:\PROGRA~1\ACEMEG~1\SystemS\VoxWare\vct3216.acm
"vidc.xvid"= C:\PROGRA~1\ACEMEG~1\SystemS\XviD\xvidvfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"SpamBlocker"=C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe
"SpyHunter Security Suite"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
"MimBoot"=C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=

S1 mff;mff;C:\WINDOWS\system32\drivers\mff.sys []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 21:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-06-12 01:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 00:28]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 18:21:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
.
**************************************************************************
.
Completion time: 2008-04-23 18:26:11 - machine was rebooted [mm]
ComboFix-quarantined-files.txt 2008-04-23 22:26:03

Pre-Run: 67,378,184,192 bytes free
Post-Run: 67,477,045,248 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

337 --- E O F --- 2008-04-09 20:51:30

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:13 AM

Posted 23 April 2008 - 05:45 PM

I can see that you did not disable your Trend Micro Antivirus, and TeaTimer was running. :thumbsup:

It will take me a while to write a script. This computer is really infected.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 phi1097

phi1097
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 23 April 2008 - 05:57 PM

Don't know how i missed the trend micro thing. The tea timer box is unchecked though so i don't know what else to do to disable it.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users