
Stubborn Core.cache.dsk


  • This topic is locked
23 replies to this topic

#1 catbiscuits

catbiscuits

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 06 April 2008 - 08:20 PM

Seems I've gotten just about everything else off my computer except for the core.cache.dsk file in my system32/drivers folder.

Scans with AVG, Ad-Aware, Spybot, Windows Defender and SUPERAntiSpyware took care of everything except for this file. Spybot and SUPERAntiSpyware say they fix it, but it keeps coming back and I keep getting the IE popup advertisement windows. Can anyone please help me? I read the thread on the Smitfraud virus removal, but I really don't want to screw anything up on my computer. I'd like some professional help to make sure I can get rid of this. Thanks guys.

Here is my HijackThis log in case you wanted it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:55 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Super Ad Blocker\SABSVC.EXE
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\program files\Super Popup Blocker\popkill.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\windows\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Super Ad Blocker\SAdBlock.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\windows\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\windows\system32\PnkBstrA.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\windows\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\Super Ad Blocker\SABBHO.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Super Popup Blocker - {F1C0FAF2-E52F-4370-BC75-2C828C027B9E} - C:\WINDOWS\System32\popkill.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.16\AsRunHelp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Super Popup Blocker] C:\program files\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H
O4 - HKLM\..\Run: [HDD Observer] C:\Program Files\HDD Observer\HDD Observer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA5457] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8208] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1876] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD985] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\windows\system32\PnkBstrA.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\Super Ad Blocker\SABSVC.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10984 bytes
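A small triage script, added here as an example (it is not part of the original post and is not HijackThis code), that parses log lines in the format above and flags the entries a helper would look at first: hosts-file overrides (O1), AppInit_DLLs (O20), services with no listed owner (O23), and RunOnce `del` commands that repeat for the same path, which in this log is the sign that a remover is fighting a file that keeps reappearing. The sample lines are an excerpt constructed from the log above; the function and finding names are my own.

```python
import re

# Constructed excerpt of the HijackThis log posted above (a handful of its lines).
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\windows\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA5457] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8208] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1876] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD985] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\windows\system32\PnkBstrA.exe
"""

# HijackThis entry lines start with a section code (R0..R3, F0..F3, N1..N4, O1..O24).
ENTRY_RE = re.compile(r'^(?P<code>[RFNO]\d+)\s+-\s+(?P<rest>.*)$')
# A "del <path>" command at the end of a RunOnce value, quoted or not.
DEL_RE = re.compile(r'\bdel\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def parse_hjt(text):
    """Return (section code, remainder) for each entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("rest")))
    return entries


def triage(text):
    """Return a list of (finding, detail) pairs for a reviewer to look at.

    Nothing here declares an entry malicious: AVG legitimately uses AppInit_DLLs
    and a hosts override may be the user's own. The point is to surface them.
    """
    findings = []
    delete_targets = {}
    for code, rest in parse_hjt(text):
        if code == "O1":
            # Hosts-file entry: a 127.x address sinkholes the name.
            findings.append(("hosts_override", rest))
        elif code == "O4" and "RunOnce" in rest:
            m = DEL_RE.search(rest)
            if m:
                path = m.group("path").lower()
                delete_targets[path] = delete_targets.get(path, 0) + 1
        elif code == "O20" and rest.startswith("AppInit_DLLs"):
            # Loaded into every process that links user32.dll; always worth a look.
            findings.append(("appinit_dll", rest))
        elif code == "O23" and "Unknown owner" in rest:
            findings.append(("service_unknown_owner", rest))
    for path, n in delete_targets.items():
        if n > 1:
            # Several tools queued the same delete: the file survives reboots.
            findings.append(("pending_delete_repeated", f"{path} ({n} RunOnce entries)"))
        if "\\drivers\\" in path and not path.endswith(".sys"):
            # A non-.sys file living in system32\drivers is unusual.
            findings.append(("odd_file_in_drivers", path))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'hosts_override': 3, ...}."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_HJT_LOG):
        print(f"{kind:26} {detail}")
```

On the excerpt this reports three hosts overrides, one AppInit_DLLs entry, one service with an unknown owner, and the core.cache.dsk path queued for deletion four times, plus a note that a .dsk file sits in the drivers folder. The repeated-delete finding is the interesting one: a RunOnce `del` only works if nothing recreates the file before or after it runs, and the ComboFix log later in the thread shows the driver (pschedd.sys) that was doing exactly that.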



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:32 AM

Posted 07 April 2008 - 12:29 PM

Hello catbiscuits,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your AVG Antivirus and Windows Defender before running ComboFix, as they will prevent it from running.

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.


To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions please install the Windows XP Recovery Console if you are using XP. <== IMPORTANT

You DO NOT need to have the Windows CD to install Recovery Console!

When Recovery Console installs correctly, ComboFix will give you a log like this:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons



We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Disconnect from the Internet.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.



Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
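To confirm that the Recovery Console entry actually landed in boot.ini (the log excerpt in the post above is what a correct install looks like), here is an added example, not from the thread and not ComboFix's own code: a parser for the INI-style boot.ini that reports the `/cmdcons` entry, the timeout, and whether the `default=` line still points at the main Windows install. The first sample is the boot.ini portion of that excerpt; the `.exe` name on its first line is ComboFix's own log line, not part of boot.ini, and the parser skips it. The second sample is constructed to show the result when the entry is absent.

```python
import re

# Constructed sample: the boot.ini lines from the ComboFix log excerpt above.
SAMPLE_BOOT_INI = r"""WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

# Constructed sample: a boot.ini with no Recovery Console entry.
SAMPLE_NO_CONSOLE = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# An [operating systems] value is a quoted label followed by boot options.
OS_ENTRY_RE = re.compile(r'^"(?P<label>[^"]*)"\s*(?P<options>.*)$')


def parse_boot_ini(text):
    """Return {section: [(key, value), ...]}; lines outside any section are ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        # Split on the first "=" only: the value may contain /noexecute=optin.
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_boot_ini(text):
    """Summarise the boot loader settings and any Recovery Console entries."""
    sections = parse_boot_ini(text)
    loader = dict(sections.get("boot loader", []))
    timeout = loader.get("timeout", "")
    result = {
        "default": loader.get("default"),
        "timeout": int(timeout) if timeout.isdigit() else None,
        "recovery_console": [],   # ARC paths / files whose options include /cmdcons
        "default_resolves": False,  # True when default= names a listed OS entry
    }
    for key, value in sections.get("operating systems", []):
        m = OS_ENTRY_RE.match(value)
        options = m.group("options").split() if m else []
        if any(o.lower() == "/cmdcons" for o in options):
            result["recovery_console"].append(key)
        if key == result["default"]:
            result["default_resolves"] = True
    return result


def has_recovery_console(text):
    """True when at least one [operating systems] entry boots with /cmdcons."""
    return bool(check_boot_ini(text)["recovery_console"])


if __name__ == "__main__":
    print(check_boot_ini(SAMPLE_BOOT_INI))
    print(check_boot_ini(SAMPLE_NO_CONSOLE))
```

For the excerpt this reports the Recovery Console entry at `C:\CMDCONS\BOOTSECT.DAT`, a 2-second timeout, and a default that resolves to the Windows entry, which matches the post's description of the boot menu that appears after installation. When boot.ini is missing altogether (as a later reply in this thread reports), `check_boot_ini` on the empty text returns no default and no entries, which is the condition that blocks the install.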

#3 catbiscuits

catbiscuits
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 07 April 2008 - 03:18 PM

Thanks for taking the time to help me...

It seems I'm having trouble starting ComboFix. I completely disabled Windows Defender and AVG in addition to what you already posted. For some reason I can't install Recovery Console either since my version of Windows is updated from what is on the disk. Do I really need to have the Recovery Console enabled?

So I tried to start combofix and it just pops up for one second, then it never loads anything. Should I start it in Safe mode instead?

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:32 AM

Posted 07 April 2008 - 03:39 PM

Hi catbiscuits,

For some reason I can't install Recovery Console either since my version of Windows is updated from what is on the disk. Do I really need to have the Recovery Console enabled?



Yes, as I said previously, you need to install Recovery Console (if it is not already on your computer).
If anything goes wrong with ComboFix, then we have a safety net. I would hate for you to have to do reformat and reload.

Did you read the link? I think not. It says that you do not need the Windows CD to install Recovery Console.

So I tried to start combofix and it just pops up for one second, then it never loads anything. Should I start it in Safe mode instead?


No, do NOT start in the Safe Mode.

Did you disable all your antivirus programs and registry protectors? If SUPERAntiSpyware has a registry protector then disable it. They will prevent it from running.

Are you downloading ComboFix to the Desktop?

Edited by SifuMike, 07 April 2008 - 03:54 PM.


#5 catbiscuits

catbiscuits
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 07 April 2008 - 04:47 PM

Ugh, I can't install recovery console because my boot.ini file is missing, and I can't repair that because I need to run chkdsk first... Hopefully I can get this repaired so I can install recovery console.

Now checkdisk won't work... I guess I'll try RegCure to try and fix things.

Edited by catbiscuits, 07 April 2008 - 05:03 PM.


#6 catbiscuits

catbiscuits
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 07 April 2008 - 05:31 PM

Recovery Console is installed now, but I'm still having the same problem with starting up ComboFix. It still does the same thing and I've uninstalled SUPERAntiSpyware, Super Ad Blocker, Ad-Aware, Spybot and just about anything else I could think of.

ComboFix is downloaded to my desktop too. I don't know what to do. Windows Firewall is disabled, AVG resident shield is down, Windows defender is disabled.

Maybe bad problems in my registry?

Edit: I just happened to see a folder called C:\combofix with a lot of files in it, and also a boot.bak in C:\ so just an FYI for you...

Also, thanks for the help again, I know this is a big pain.

Edited by catbiscuits, 07 April 2008 - 05:50 PM.


#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:32 AM

Posted 07 April 2008 - 05:58 PM

Hi catbiscuits,

I guess I'll try RegCure to try and fix things.


That is a big mistake, as you may be shooting yourself in the foot.
Should I Use a Registry Cleaner?

Summary of Registry Cleaner Software:
Do not bother with this. It is unlikely to help, and it can cause harm.
There are no end-user benefits from running registry cleaners. Unnecessary entries in the registry do no harm. This should not be a regular maintenance chore. It most certainly, if done, should not be automated.

I hold to the singular distinction I made in the beginning: there are times that a fast registry editor with search is needed to fix a single issue under Expert hands. There is no justification for the regular use of automated registry cleaning tools; and as the results above show, they are of dubious merit as the "fix" for even one-off problems that need solving.

Bill Castner
MS-MVP, Aumha VSOP & Moderator




I do not recommend Registry Cleaners because they may damage rather than cleaning/fixing your registry.
You should only use them if you have a basic knowledge about the registry and know if a certain key/value is safe to be removed or not.

Cleaning the registry won't really improve system performance, even though there a lot of orphaned keys.

IMHO, if registry cleaning was required, then Microsoft would have added this option. So you use registry cleaners at your own risk. After all, a corrupted registry is a corrupted Windows.





Save the below command in Notepad as a text file so that you can copy/paste in safe mode.

"%userprofile%\desktop\combofix.exe"

Boot into safe mode by tapping the F8 key just before Windows starts to load.

Go to Start --> Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe"

When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#8 catbiscuits

catbiscuits
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 07 April 2008 - 07:05 PM

Even in Safe Mode it's the same problem. ComboFix just doesn't seem to work. :thumbsup:

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:32 AM

Posted 07 April 2008 - 11:14 PM

Hi catbiscuits,

Please tell me exactly what happens when you try to run ComboFix in the Safe Mode (as per my previous instructions.)
The more details the better. :thumbsup:
Does it start to run, then quit? Or not run at all? Any error messages?
It may be your "registry cleaner" borked some files.

Edited by SifuMike, 07 April 2008 - 11:16 PM.


#10 catbiscuits

catbiscuits
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 08 April 2008 - 04:29 AM

I ended up not using the registry cleaner.

Basically I click on ComboFix, it asks to run it, I click Run, then the blue window pops up for a split second and then goes away. It created that combofix folder in my C drive though. It's C:\combofix with 94 files in it.

But that's it, it just pops up for a second and nothing else.

Are there any other programs we could use instead to remove that core.cache.dsk file?

Edited by catbiscuits, 08 April 2008 - 06:42 AM.


#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:32 AM

Posted 08 April 2008 - 10:33 AM

Hi catbiscuits,

I found out there's a bug with current copies of ComboFix.exe. :thumbsup:
It causes ComboFix to end prematurely.
You need to download this version 08-04-07.5


Delete the version of ComboFix you have on the Desktop

Download this file - combofix.exe to your Desktop. Make sure it is on your desktop.

Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#12 catbiscuits

catbiscuits
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 08 April 2008 - 02:04 PM

ComboFix 08-04-08.4 - Chris 2008-04-08 13:45:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1572 [GMT -5:00]
Running from: C:\Documents and Settings\Chris\desktop\combofix.exe
Command switches used :: /killall
* Resident AV is active

.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Chris\Application Data\inst.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\pschedd.sys
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_pschedd
-------\Legacy_pschedd
-------\pschedd


((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-06 19:16 . 2008-04-06 19:16 3,430 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-06 11:06 . 2008-04-06 11:06 <DIR> d-------- C:\VundoFix Backups
2008-04-06 10:47 . 2008-04-06 10:47 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\SuperAdBlocker.com
2008-04-06 10:44 . 2008-04-06 10:44 <DIR> d-------- C:\Program Files\Super Ad Blocker
2008-04-06 10:23 . 2008-04-06 17:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-06 10:23 . 2008-04-06 10:23 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\SUPERAntiSpyware.com
2008-04-06 10:23 . 2008-04-06 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-06 10:09 . 2008-04-08 05:41 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-06 10:09 . 2008-04-06 10:09 <DIR> d-------- C:\Program Files\AVG
2008-04-06 10:09 . 2008-04-06 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-06 10:09 . 2008-04-06 10:09 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-06 10:09 . 2008-04-06 10:09 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-06 10:09 . 2008-04-06 10:09 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-04-06 10:09 . 2008-04-06 10:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-06 10:03 . 2008-04-06 10:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 09:48 . 2008-04-06 09:49 <DIR> d-------- C:\Program Files\Panda Security
2008-04-06 09:21 . 2008-04-06 20:10 228 --a------ C:\WINDOWS\wininit.ini
2008-04-05 19:18 . 2008-04-05 19:17 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-05 19:18 . 2008-04-05 19:18 2,542 --a------ C:\WINDOWS\unins000.dat
2008-04-05 16:56 . 2008-04-05 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-05 16:54 . 2008-04-05 16:55 19,871,600 --a------ C:\aaw2007.exe
2008-04-05 12:59 . 2008-04-05 12:59 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Ubisoft
2008-04-05 12:59 . 2008-04-05 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-04-02 15:39 . 2008-04-02 15:39 8,996 --a------ C:\ultrahighqualitycfg_1[1].3final.zip
2008-03-30 14:07 . 2008-03-30 14:08 880,839 --a------ C:\htr-fpm.7z
2008-03-23 15:36 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-23 15:35 . 2008-03-23 15:35 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-23 15:35 . 2008-03-23 15:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-23 15:35 . 2008-03-23 15:35 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-23 15:31 . 2008-03-23 16:54 <DIR> d-------- C:\Program Files\MagicISO
2008-03-18 14:01 . 2008-03-23 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 18:57 --------- d-----w C:\Program Files\Bandwidth Monitor Pro
2008-04-08 18:43 --------- d-----w C:\Program Files\SpeedFan
2008-04-08 18:40 --------- d-----w C:\Documents and Settings\Chris\Application Data\Azureus
2008-04-06 16:44 --------- d-----w C:\Program Files\DAP
2008-04-06 15:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-06 00:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-05 21:56 --------- d-----w C:\Program Files\Lavasoft
2008-04-05 21:40 --------- d-----w C:\Program Files\Privacy Guardian
2008-04-05 17:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 20:35 --------- d-----w C:\Program Files\Winamp
2008-03-18 19:53 --------- d-----w C:\Program Files\Blaze Media Pro
2008-03-14 19:31 --------- d-----w C:\Program Files\Java
2008-03-06 20:42 --------- d-----w C:\Program Files\Azureus
2008-02-21 19:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-18 23:22 --------- d-----w C:\Program Files\Alarm
2008-01-12 05:41 22,328 ----a-w C:\Documents and Settings\Chris\Application Data\PnkBstrK.sys
2007-08-04 23:45 47,360 ----a-w C:\Documents and Settings\Chris\Application Data\pcouffin.sys
2007-05-01 09:39 92,064 ----a-w C:\Documents and Settings\Chris\mqdmmdm.sys
2007-05-01 09:39 9,232 ----a-w C:\Documents and Settings\Chris\mqdmmdfl.sys
2007-05-01 09:39 79,328 ----a-w C:\Documents and Settings\Chris\mqdmserd.sys
2007-05-01 09:39 66,656 ----a-w C:\Documents and Settings\Chris\mqdmbus.sys
2007-05-01 09:39 6,208 ----a-w C:\Documents and Settings\Chris\mqdmcmnt.sys
2007-05-01 09:39 5,936 ----a-w C:\Documents and Settings\Chris\mqdmwhnt.sys
2007-05-01 09:39 4,048 ----a-w C:\Documents and Settings\Chris\mqdmcr.sys
2007-05-01 09:39 25,600 ----a-w C:\Documents and Settings\Chris\usbsermptxp.sys
2007-05-01 09:39 22,768 ----a-w C:\Documents and Settings\Chris\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2005-04-15 15:18 1482752]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"Bandwidth Monitor Pro"="C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2005-02-12 12:29 224768]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 09:16 171464]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"SuperAdBlocker"="C:\Program Files\Super Ad Blocker\SAdBlock.exe" [2007-08-01 09:28 1564672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 08:25 868352]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 08:12 729088]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.16\AsRunHelp.exe" [2006-11-14 01:25 363008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Super Popup Blocker"="C:\program files\Super Popup Blocker\popkill.exe" [2007-04-28 04:58 1085440]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-31 15:44 282624]
"RtWLan"="C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe" [2005-03-25 10:13 491520]
"HDD Observer"="C:\Program Files\HDD Observer\HDD Observer.exe" [ ]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-11-12 07:51 8523776]
"nwiz"="nwiz.exe" [2007-11-12 07:51 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [2007-11-12 07:51 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-06 10:09 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 19:48 434528]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
Azureus.lnk - C:\Program Files\Azureus\Azureus.exe [2007-01-13 18:14:04 254976]
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe [2007-02-28 13:28:02 2796544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATITool.lnk - C:\Program Files\ATITool\ATITool.exe [2006-12-08 10:23:26 3035136]
Norton GoBack.lnk - C:\Program Files\Norton GoBack\GBTray.exe [2004-08-13 11:26:46 803976]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\Super Ad Blocker\SABSEHB.DLL [2006-11-07 12:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\Super Ad Blocker\SABWINLO.DLL 2007-08-01 09:28 176128 C:\Program Files\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"VIDC.X264"= x264vfw.dll
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 13:49 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-08-28 03:45 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
--a------ 2006-11-28 17:20 3714048 C:\Program Files\ASUS\AI Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Games\\Steam\\SteamApps\\hummercc@mchsi.com\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVWebServiceProxy.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Games\\Company Of Heroes\\RelicCOH.exe"=
"C:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Games\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Games\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Games\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-06 10:09]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-06 10:09]
R1 SABKUTIL;SABKUTIL;C:\Program Files\Super Ad Blocker\SABKUTIL.sys [2007-02-20 16:02]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-06 10:09]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-06 10:09]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-06 10:09]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-03-24 15:39]
R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);C:\WINDOWS\system32\Drivers\GPWADrv.sys [2005-12-09 19:06]
R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2002-07-15 22:39]
S1 SABDIFSV;SABDIFSV;C:\Program Files\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 11:17]
S3 hid8101;hid8101;C:\WINDOWS\system32\DRIVERS\system32.sys [2006-07-23 16:28]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 10:11]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2005-03-24 15:48]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 12:09]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 18:59:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 13:57:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\program files\Super Popup Blocker\MHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Super Ad Blocker\SABSVC.EXE
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\windows\system32\PnkBstrA.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-04-08 14:04:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-08 19:03:58
Pre-Run: 7,670,235,136 bytes free
Post-Run: 9,572,810,752 bytes free
.
2008-03-30 17:10:15 --- E O F ---

#13 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 April 2008 - 03:16 PM

Hi catbiscuits,

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\wininit.ini

Folder:: 
C:\VundoFix Backups


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

#14 catbiscuits
  • Topic Starter

  • Members
  • 13 posts

Posted 08 April 2008 - 03:37 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:36, on 2008-04-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\windows\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\program files\Super Popup Blocker\popkill.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\Super Ad Blocker\SABBHO.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Super Popup Blocker - {F1C0FAF2-E52F-4370-BC75-2C828C027B9E} - C:\WINDOWS\System32\popkill.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.16\AsRunHelp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Super Popup Blocker] C:\program files\Super Popup Blocker\popkill.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RtWLan] C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe /H
O4 - HKLM\..\Run: [HDD Observer] C:\Program Files\HDD Observer\HDD Observer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\Super Ad Blocker\SAdBlock.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: ATITool.lnk = C:\Program Files\ATITool\ATITool.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SABWinLogon - C:\Program Files\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\windows\system32\PnkBstrA.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\Super Ad Blocker\SABSVC.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10607 bytes


ComboFix 08-04-08.4 - Chris 2008-04-08 15:33:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1203 [GMT -5:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-08 14:09 . 2008-04-08 14:09 <DIR> d-------- C:\Ubisoft
2008-04-06 19:16 . 2008-04-06 19:16 3,430 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-06 10:47 . 2008-04-06 10:47 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\SuperAdBlocker.com
2008-04-06 10:44 . 2008-04-06 10:44 <DIR> d-------- C:\Program Files\Super Ad Blocker
2008-04-06 10:23 . 2008-04-06 17:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-06 10:23 . 2008-04-06 10:23 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\SUPERAntiSpyware.com
2008-04-06 10:23 . 2008-04-06 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-06 10:09 . 2008-04-08 05:41 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-04-06 10:09 . 2008-04-06 10:09 <DIR> d-------- C:\Program Files\AVG
2008-04-06 10:09 . 2008-04-06 10:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-04-06 10:09 . 2008-04-06 10:09 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-06 10:09 . 2008-04-06 10:09 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-06 10:09 . 2008-04-06 10:09 12,424 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-04-06 10:09 . 2008-04-06 10:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-04-06 10:03 . 2008-04-06 10:03 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-06 09:48 . 2008-04-06 09:49 <DIR> d-------- C:\Program Files\Panda Security
2008-04-05 19:18 . 2008-04-05 19:17 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-05 19:18 . 2008-04-05 19:18 2,542 --a------ C:\WINDOWS\unins000.dat
2008-04-05 16:56 . 2008-04-05 16:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-05 16:54 . 2008-04-05 16:55 19,871,600 --a------ C:\aaw2007.exe
2008-04-05 12:59 . 2008-04-05 12:59 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Ubisoft
2008-04-05 12:59 . 2008-04-05 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-04-02 15:39 . 2008-04-02 15:39 8,996 --a------ C:\ultrahighqualitycfg_1[1].3final.zip
2008-03-30 14:07 . 2008-03-30 14:08 880,839 --a------ C:\htr-fpm.7z
2008-03-23 15:36 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-23 15:35 . 2008-03-23 15:35 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-23 15:35 . 2008-03-23 15:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-23 15:35 . 2008-03-23 15:35 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-23 15:31 . 2008-03-23 16:54 <DIR> d-------- C:\Program Files\MagicISO
2008-03-18 14:01 . 2008-03-23 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 20:34 --------- d-----w C:\Documents and Settings\Chris\Application Data\Azureus
2008-04-08 18:58 --------- d-----w C:\Program Files\SpeedFan
2008-04-08 18:57 --------- d-----w C:\Program Files\Bandwidth Monitor Pro
2008-04-06 16:44 --------- d-----w C:\Program Files\DAP
2008-04-06 15:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-06 00:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-05 21:56 --------- d-----w C:\Program Files\Lavasoft
2008-04-05 21:40 --------- d-----w C:\Program Files\Privacy Guardian
2008-04-05 17:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-01 20:35 --------- d-----w C:\Program Files\Winamp
2008-03-18 19:53 --------- d-----w C:\Program Files\Blaze Media Pro
2008-03-14 19:31 --------- d-----w C:\Program Files\Java
2008-03-06 20:42 --------- d-----w C:\Program Files\Azureus
2008-02-21 19:29 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-21 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-02-18 23:22 --------- d-----w C:\Program Files\Alarm
2008-01-30 22:44 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-12 05:47 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-01-12 05:41 22,328 ----a-w C:\Documents and Settings\Chris\Application Data\PnkBstrK.sys
2007-08-04 23:45 47,360 ----a-w C:\Documents and Settings\Chris\Application Data\pcouffin.sys
2007-05-01 09:39 92,064 ----a-w C:\Documents and Settings\Chris\mqdmmdm.sys
2007-05-01 09:39 9,232 ----a-w C:\Documents and Settings\Chris\mqdmmdfl.sys
2007-05-01 09:39 79,328 ----a-w C:\Documents and Settings\Chris\mqdmserd.sys
2007-05-01 09:39 66,656 ----a-w C:\Documents and Settings\Chris\mqdmbus.sys
2007-05-01 09:39 6,208 ----a-w C:\Documents and Settings\Chris\mqdmcmnt.sys
2007-05-01 09:39 5,936 ----a-w C:\Documents and Settings\Chris\mqdmwhnt.sys
2007-05-01 09:39 4,048 ----a-w C:\Documents and Settings\Chris\mqdmcr.sys
2007-05-01 09:39 25,600 ----a-w C:\Documents and Settings\Chris\usbsermptxp.sys
2007-05-01 09:39 22,768 ----a-w C:\Documents and Settings\Chris\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2005-04-15 15:18 1482752]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35 67112]
"Bandwidth Monitor Pro"="C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" [2005-02-12 12:29 224768]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 09:16 171464]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]
"SuperAdBlocker"="C:\Program Files\Super Ad Blocker\SAdBlock.exe" [2007-08-01 09:28 1564672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-10-05 08:25 868352]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 08:12 729088]
"AsusStartupHelp"="C:\Program Files\ASUS\AASP\1.00.16\AsRunHelp.exe" [2006-11-14 01:25 363008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Super Popup Blocker"="C:\program files\Super Popup Blocker\popkill.exe" [2007-04-28 04:58 1085440]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-05-31 15:44 282624]
"RtWLan"="C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe" [2005-03-25 10:13 491520]
"HDD Observer"="C:\Program Files\HDD Observer\HDD Observer.exe" [ ]
"NvCplDaemon"="C:\windows\system32\NvCpl.dll" [2007-11-12 07:51 8523776]
"nwiz"="nwiz.exe" [2007-11-12 07:51 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\windows\system32\NvMcTray.dll" [2007-11-12 07:51 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-06 10:09 1177368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 19:48 434528]

C:\Documents and Settings\Chris\Start Menu\Programs\Startup\
Azureus.lnk - C:\Program Files\Azureus\Azureus.exe [2007-01-13 18:14:04 254976]
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe [2007-02-28 13:28:02 2796544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ATITool.lnk - C:\Program Files\ATITool\ATITool.exe [2006-12-08 10:23:26 3035136]
Norton GoBack.lnk - C:\Program Files\Norton GoBack\GBTray.exe [2004-08-13 11:26:46 803976]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000D7}"= C:\Program Files\Super Ad Blocker\SABSEHB.DLL [2006-11-07 12:58 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SABWinLogon]
C:\Program Files\Super Ad Blocker\SABWINLO.DLL 2007-08-01 09:28 176128 C:\Program Files\Super Ad Blocker\SABWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\system32\ctmp3.acm
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"VIDC.X264"= x264vfw.dll
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 13:49 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-08-28 03:45 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch Ai Booster]
--a------ 2006-11-28 17:20 3714048 C:\Program Files\ASUS\AI Booster\OverClk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Games\\Steam\\SteamApps\\hummercc@mchsi.com\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVWebServiceProxy.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe"=
"C:\\Program Files\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Games\\Company Of Heroes\\RelicCOH.exe"=
"C:\\Games\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Games\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Games\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Games\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-04-06 10:09]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-06 10:09]
R1 SABKUTIL;SABKUTIL;C:\Program Files\Super Ad Blocker\SABKUTIL.sys [2007-02-20 16:02]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-06 10:09]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-06 10:09]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-06 10:09]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-03-24 15:39]
R3 GPWADrv;Service for L6 GuitarPort Driver (WDM);C:\WINDOWS\system32\Drivers\GPWADrv.sys [2005-12-09 19:06]
R3 L6DP;L6DP;C:\WINDOWS\system32\Drivers\l6dp.sys [2002-07-15 22:39]
S1 SABDIFSV;SABDIFSV;C:\Program Files\Super Ad Blocker\SABDIFSV.SYS [2005-09-21 11:17]
S3 hid8101;hid8101;C:\WINDOWS\system32\DRIVERS\system32.sys [2006-07-23 16:28]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 10:11]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2005-03-24 15:48]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 12:09]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 18:59:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 15:34:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-08 15:35:19
ComboFix-quarantined-files.txt 2008-04-08 20:35:17
ComboFix2.txt 2008-04-08 19:04:03
Pre-Run: 9,576,742,912 bytes free
Post-Run: 9,557,958,656 bytes free
.
2008-03-30 17:10:15 --- E O F ---

#15 catbiscuits

catbiscuits
  • Topic Starter

  • Members
  • 13 posts

Posted 08 April 2008 - 03:40 PM

In case there isn't anything else to do... Everything seems to be working fine :thumbsup:

Now, what else do I have to do and how do I get my original settings/clock back?
