CastleCops, Internet Crime Fighters

[IN PROGRESS] C:\WINDOWS\system32\drivers\core.cache.dsk

 
Forum: All -> FavForums -> Trend Micro HijackThis Logs
Sacrifice
Cadet
Joined: May 12, 2008
Posts: 4
Location: UK

PostPosted: Mon May 12, 2008 9:50 am    Post subject: C:\WINDOWS\system32\drivers\core.cache.dsk

Hi, I've searched for about 2 weeks trying to remove this file to stop pop-ups, and have had no success... I believe the file, spotted by Spyware Doctor, is

C:\WINDOWS\system32\drivers\core.cache.dsk

but Spyware Doctor cannot remove it... Please help me out...

Thank you...

Prince_Serendip
Site Moderator
Joined: Sep 07, 2002
Posts: 17541
Groups: 1st Responders, MIRT, Moderators, MVP, Premium, RootKit Detection Hosts, Rootkit Experts, Rootkit Responders

PostPosted: Mon May 12, 2008 2:39 pm

You need to post a HijackThis Log to get help in this forum.

Please follow the instructions >>>HERE<<< at #5.

Please do NOT post the log here as an attachment. Post it in plain view. Thanks.


_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
Sacrifice
Cadet
Joined: May 12, 2008
Posts: 4
Location: UK

PostPosted: Fri May 16, 2008 12:52 pm

Thanks for the quick reply... Sorry I couldn't reply any earlier... Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31:57, on 16/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: McAntiPhishingBHO - {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [{DC-CB-B4-4E-DW}] C:\DOCUME~1\SACRIF~1\LOCALS~1\Temp\build_dol.exe DWoli5
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: hggfdbx - hggfdbx.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0157881223725220) (0157881223725220mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\015788~1.EXE
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ati hotkey poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService (kservice) - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (mcnasvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (mcproxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (mcsysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (mpfservice) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (msk80service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer (servicelayer) - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9335 bytes

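The log above is what the responders act on. As an added example that is not part of the thread, of CastleCops, or of HijackThis, here is a small Python triage script applying the checks a responder makes first on a HijackThis 2.0 log: O4 autostarts that run from a Temp directory, O20 Winlogon Notify and O22 SharedTaskScheduler entries whose files are gone, O23 services whose binary lives in TEMP, and generated-looking component names. The rules, the vowel-ratio threshold and the `Finding` structure are my assumptions; the sample lines are copied from the log posted above.

```python
"""Heuristic triage of HijackThis 2.0 log entries.

Added example for this thread; it is not a CastleCops or Trend Micro tool and
the rules are my own assumptions about what a responder checks first:
autostarts that run from a Temp directory, loader entries whose DLL is gone,
services that live in TEMP, and generated-looking component names.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section, e.g. "O4", "O20"
    reason: str    # why the entry was flagged
    line: str      # the original log line


ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # ...\Temp\x.exe or ...\TEMP\x.exe
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Rough test for generated names such as 'hggfdbx' (assumption, not a rule).

    A pronounceable product name has vowels; generated names tend to have
    almost none, or have digits mixed into the letters.
    """
    stem = name.lower()
    if len(stem) < 6:
        return False
    letters = [c for c in stem if c.isalpha()]
    digits = sum(c.isdigit() for c in stem)
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return vowel_ratio < 0.2 or digits >= 3


def entry_name(body: str) -> str:
    """'Winlogon Notify: hggfdbx - hggfdbx.dll (file missing)' -> 'hggfdbx'."""
    _, _, rest = body.partition(": ")
    return rest.split(" - ", 1)[0].strip()


def triage(log_text: str) -> list[Finding]:
    """Return the entries a responder would look at first, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4" and TEMP_RE.search(body):
            findings.append(Finding(sec, "autostart runs a binary from a Temp directory", raw))
        elif sec == "O20" and "(file missing)" in body:
            why = "Winlogon Notify entry whose DLL is gone (orphaned loader)"
            if looks_random(entry_name(body)):
                why += "; random-looking name"
            findings.append(Finding(sec, why, raw))
        elif sec == "O22" and "(no file)" in body:
            why = "SharedTaskScheduler CLSID with no backing file"
            if looks_random(entry_name(body)):
                why += "; random-looking name"
            findings.append(Finding(sec, why, raw))
        elif sec == "O23" and TEMP_RE.search(body):
            # Legitimate installers sometimes do this too (the McAfee cleanup
            # service in the log above is one), so this is a lead, not a verdict.
            findings.append(Finding(sec, "service binary located in TEMP", raw))
    return findings


# Lines copied from the log posted above, used here as sample input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [{DC-CB-B4-4E-DW}] C:\DOCUME~1\SACRIF~1\LOCALS~1\Temp\build_dol.exe DWoli5
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O20 - Winlogon Notify: hggfdbx - hggfdbx.dll (file missing)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0157881223725220) (0157881223725220mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\015788~1.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample it flags four entries: the HKLM Run key launching build_dol.exe from the user's Temp folder, the orphaned hggfdbx Winlogon Notify DLL, the orphaned SharedTaskScheduler CLSID with a generated name, and the McAfee service running from C:\WINDOWS\TEMP. The last one carries a real vendor name and is a cleanup service, which is exactly why the script reports leads rather than verdicts; the O9 "Sky" button is also missing its file but is an ordinary ISP toolbar remnant and is deliberately not flagged.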
Prince_Serendip
Site Moderator
Joined: Sep 07, 2002
Posts: 17541
Groups: 1st Responders, MIRT, Moderators, MVP, Premium, RootKit Detection Hosts, Rootkit Experts, Rootkit Responders

PostPosted: Fri May 16, 2008 2:36 pm

You're Ready for cleaning.

At CastleCops we screen all HijackThis logs for errors, out-of-date versions, unupdated operating systems, omissions and P2P applications; getting you [READY] for cleaning by our 1st Responders and Security Experts. Now you wait for one of them to come help you.


_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008
Sacrifice
Cadet
Joined: May 12, 2008
Posts: 4
Location: UK

PostPosted: Mon May 19, 2008 10:59 pm

Okay... What do I do now?

sjpritch25
1st Responder, Premium Member
Joined: Mar 31, 2005
Posts: 5163
Location: West Coast of Florida, USA
Groups: 1st Responder Mentors, 1st Responders, MVP, Premium, Rootkit Responders

PostPosted: Tue May 20, 2008 4:59 am

Welcome to Castlecops!!!!


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


_________________
Microsoft Valuable Professional--Consumer Security 2007-2009
http://geekfox26.blogspot.com/
Sacrifice
Cadet
Joined: May 12, 2008
Posts: 4
Location: UK

PostPosted: Tue May 20, 2008 8:02 am

Okay.... This is the log:

ComboFix 08-05-19.4 - Sacrifice 2008-05-20 8:34:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.582 [GMT 1:00]
Running from: C:\Documents and Settings\Sacrifice\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Sacrifice\Application Data\macromedia\Flash Player\#SharedObjects\T899WZUD\iforex.com
C:\Documents and Settings\Sacrifice\Application Data\macromedia\Flash Player\#SharedObjects\T899WZUD\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Sacrifice\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Sacrifice\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Program Files\Helper
C:\WINDOWS\BM674ef87d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\serazavr.log
C:\WINDOWS\system32\axpkprsm.ini
C:\WINDOWS\system32\bssegntu.dll
C:\WINDOWS\system32\cvykleic.dll
C:\WINDOWS\system32\dobqjhng.dll
C:\WINDOWS\system32\drivers\pciidee.sys
C:\WINDOWS\system32\duis.txt
C:\WINDOWS\system32\gtqyperx.ini
C:\WINDOWS\system32\hynevilq.dll
C:\WINDOWS\system32\msindc.dll
C:\WINDOWS\system32\msrpkpxa.dll
C:\WINDOWS\system32\qkxnyxal.dll
C:\WINDOWS\system32\reqluwee.dll
C:\WINDOWS\system32\sfjqiblv.ini
C:\WINDOWS\system32\tidnadfh.dll
C:\WINDOWS\system32\trugdfyp.dll
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\ugovbwox.ini
C:\WINDOWS\system32\utngessb.ini
C:\WINDOWS\system32\vhhjicsl.dll
C:\WINDOWS\system32\vrritvdm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PCIIDEE
-------\Service_pciidee
-------\Service_serazavr


((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-10-07 10:09 . 2008-10-07 10:09 268 --ah----- C:\sqmdata15.sqm
2008-10-07 10:09 . 2008-10-07 10:09 244 --ah----- C:\sqmnoopt15.sqm
2008-10-07 09:26 . 2008-10-07 09:26 268 --ah----- C:\sqmdata14.sqm
2008-10-07 09:26 . 2008-10-07 09:26 244 --ah----- C:\sqmnoopt14.sqm
2008-10-07 08:08 . 2008-10-07 08:08 268 --ah----- C:\sqmdata13.sqm
2008-10-07 08:08 . 2008-10-07 08:08 244 --ah----- C:\sqmnoopt13.sqm
2008-10-07 08:04 . 2008-10-07 08:04 <DIR> d-------- C:\FileASSASSIN
2008-10-07 07:58 . 2008-10-07 07:58 268 --ah----- C:\sqmdata12.sqm
2008-10-07 07:58 . 2008-10-07 07:58 244 --ah----- C:\sqmnoopt12.sqm
2008-09-25 23:32 . 2008-09-25 23:32 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-09-25 23:32 . 2008-09-25 23:32 <DIR> d-------- C:\Program Files\GiPo@Utilities
2008-09-22 00:42 . 2008-10-10 08:49 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-17 19:07 . 2008-09-17 19:07 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-15 13:14 . 2008-09-15 13:14 0 --a------ C:\WINDOWS\OpPrintServer.INI
2008-09-15 13:12 . 2008-09-15 13:18 <DIR> d-------- C:\Program Files\Canon
2008-09-12 07:10 . 2008-09-12 07:10 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-09-12 07:10 . 2007-11-29 10:33 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-09-12 07:10 . 2007-11-29 10:39 95,744 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-09-10 17:53 . 2008-09-10 17:53 <DIR> d-------- C:\Program Files\Stardock
2008-09-10 17:53 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-09-10 17:34 . 2008-09-10 19:12 <DIR> d-------- C:\Program Files\EphPod
2008-09-08 22:00 . 2008-09-08 22:00 <DIR> d-------- C:\Program Files\PC Inspector File Recovery
2008-09-08 22:00 . 2002-02-18 18:40 6,200 --a------ C:\WINDOWS\system32\INT13EXT.VXD
2008-09-05 19:20 . 2008-09-05 19:20 268 --ah----- C:\sqmdata11.sqm
2008-09-05 19:20 . 2008-09-05 19:20 244 --ah----- C:\sqmnoopt11.sqm
2008-09-05 16:44 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-09-05 16:44 . 2008-05-20 08:36 16,233 --a------ C:\WINDOWS\system32\Config.MPF
2008-09-05 03:06 . 2008-09-05 03:06 268 --ah----- C:\sqmdata10.sqm
2008-09-05 03:06 . 2008-09-05 03:06 244 --ah----- C:\sqmnoopt10.sqm
2008-09-04 23:29 . 2008-09-04 23:29 268 --ah----- C:\sqmdata09.sqm
2008-09-04 23:29 . 2008-09-04 23:29 244 --ah----- C:\sqmnoopt09.sqm
2008-09-04 22:59 . 2004-08-04 00:56 130,048 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-09-04 22:59 . 2004-08-04 00:56 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-09-04 22:55 . 2008-09-04 22:55 <DIR> d-------- C:\Program Files\Intel Desktop Board Audio Driver
2008-09-04 22:31 . 2008-09-04 22:31 1,174 --a------ C:\WINDOWS\mozver.dat
2008-05-20 08:36 . 2008-05-20 08:36 <DIR> d-------- C:\Kontiki
2008-05-20 08:36 . 2008-05-20 08:36 268 --ah----- C:\sqmdata16.sqm
2008-05-20 08:36 . 2008-05-20 08:36 244 --ah----- C:\sqmnoopt16.sqm
2008-05-16 13:31 . 2008-05-16 13:31 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 09:38 --------- d-----w C:\Program Files\LimeWire
2008-10-07 09:02 --------- d-----w C:\Documents and Settings\Sacrifice\Application Data\LimeWire
2008-10-07 08:39 167,545 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-09-26 19:53 --------- d-----w C:\Documents and Settings\Sacrifice\Application Data\Nokia
2008-09-26 19:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-09-26 19:19 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-26 19:19 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-09-21 23:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-21 23:42 --------- d-----w C:\Documents and Settings\Sacrifice\Application Data\PC Tools
2008-09-17 18:08 --------- d-----w C:\Program Files\Safari
2008-09-16 17:54 19,552 ----a-w C:\Documents and Settings\Sacrifice\Application Data\GDIPFONTCACHEV1.DAT
2008-09-15 12:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-13 14:30 --------- d-----w C:\Documents and Settings\Sacrifice\Application Data\Nokia Multimedia Player
2008-09-12 06:12 --------- d-----w C:\Program Files\Nokia
2008-09-12 06:12 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-09-12 06:12 --------- d-----w C:\Program Files\Common Files\Nokia
2008-09-06 23:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-09-05 18:21 --------- d-----w C:\Program Files\McAfee.com
2008-09-05 18:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-09-05 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-05 15:42 --------- d-----w C:\Program Files\Common Files\McAfee
2008-05-20 07:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-20 02:47 --------- d-----w C:\Program Files\McAfee
2008-05-19 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-08 11:14 53,312 ----a-w C:\WINDOWS\system32\tjnavwid.dll
2008-04-07 11:16 53,312 ----a-w C:\WINDOWS\system32\cpsggdmj.dll
2008-04-07 11:06 --------- d-----w C:\Program Files\Google
2008-04-07 09:43 --------- d-----w C:\Program Files\Western Digital Technologies
2008-04-07 09:31 --------- d-----w C:\Program Files\Sky
2008-04-07 09:31 --------- d-----w C:\Program Files\Kontiki
2008-04-07 09:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sky
2008-04-07 09:29 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-07 08:01 53,312 ----a-w C:\WINDOWS\system32\uqkogadn.dll
2008-04-07 02:00 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-06 07:59 53,312 ----a-w C:\WINDOWS\system32\agmgsyvq.dll
2008-04-05 20:57 --------- d-----w C:\Program Files\ASUS
2008-04-05 18:28 --------- d-----w C:\Program Files\EPSON CopyFactory
2008-04-05 18:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2008-04-05 18:27 --------- d-----w C:\Documents and Settings\Sacrifice\Application Data\InstallShield
2008-04-05 18:09 --------- d-----w C:\Program Files\HP
2008-04-05 18:09 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-05 16:49 58,880 ----a-w C:\bxhfcf.exe
2008-04-05 16:24 --------- d-----w C:\Program Files\DIFX
2008-04-05 16:24 --------- d-----w C:\Documents and Settings\Sacrifice\Application Data\PC Suite
2008-04-05 16:23 --------- d-----w C:\Program Files\Java
2008-04-05 16:22 --------- d-----w C:\Program Files\Common Files\Java
2008-04-05 16:21 --------- d-----w C:\Program Files\Red Kawa
2008-04-05 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-04-05 16:16 --------- d-----w C:\Program Files\Common Files\Canon
2008-04-05 16:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-05 14:49 --------- d-----w C:\Program Files\MSN Messenger
2008-04-05 14:48 --------- d-----w C:\Program Files\iTunes
2008-04-05 14:48 --------- d-----w C:\Program Files\iPod
2008-04-05 14:48 --------- d-----w C:\Program Files\Bonjour
2008-04-05 14:48 --------- d-----w C:\Documents and Settings\Sacrifice\Application Data\Apple Computer
2008-04-05 14:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-05 14:47 --------- d-----w C:\Program Files\QuickTime
2008-04-05 14:46 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-05 14:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-05 14:43 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-05 14:42 --------- d-----w C:\Program Files\Common Files\L&H
2008-04-05 14:40 --------- d-----w C:\Program Files\Sky Broadband
2008-04-05 14:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-05 14:36 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-04-05 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-05 14:30 --------- d-----w C:\Documents and Settings\Sacrifice\Application Data\Ahead
2008-04-05 14:28 --------- d-----w C:\Program Files\Nero
2008-04-05 14:28 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-05 14:22 --------- d-----w C:\Program Files\ORiNOCO
2008-04-05 14:16 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-06 10:14 831,048 ----a-w C:\WINDOWS\system32\WudfUpdate_01005.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 10:23 1032640]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-07 12:04 68856]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-03-28 11:20 1079296]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 19:51 233472]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 03:40 176128]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 10:23 1032640]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

C:\Documents and Settings\Sacrifice\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-07 12:03:40 124400]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-04-05 17:20:07 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfdbx]
hggfdbx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wbsrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-09-10 17:55 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]
S3 upperdev;upperdev;C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]
S3 usbserfilt;usbserfilt;C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{630922cd-0485-11dd-a8d2-0020a650a967}]
\shell\autorun\command - G:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76af910c-7db7-11dd-a8db-0020a650a967}]
\shell\autorun\command - G:\
\shell\open\command - rundll32.exe .\\w3osl.dll,InstallM

.
Contents of the 'Scheduled Tasks' folder
"2008-10-08 20:08:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-09-15 00:47:43 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-10-01 00:00:24 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 08:37:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-20 8:39:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 07:39:46

Pre-Run: 95,625,752,576 bytes free
Post-Run: 96,083,689,472 bytes free

273 --- E O F --- 2008-10-10 02:00:54

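The ComboFix log above still shows the signals a responder keys on after the automated run: four eight-letter DLLs in system32 that all have the same 53,312-byte size (the pattern the next post calls Vundo/Conhook leftovers), Security Center antivirus alerts switched off, the Windows Firewall standard profile disabled, an AppInit_DLLs entry, and a MountPoints2 entry for a removable drive whose "open" command runs a DLL through rundll32. As an added example that is not part of ComboFix, of this thread, or of CastleCops, the Python script below parses those sections and reports each of them. The regexes, the size-clustering rule and the rundll32 rule are my assumptions; the sample lines are copied from the log above.

```python
"""Triage of a ComboFix log: size-clustered random DLLs, weakened defences,
and removable-drive autorun hijacks.

Added example for this thread; not part of ComboFix or CastleCops, and the
rules are my own assumptions. The sample lines are copied from the log above.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Find3M lines look like: 2008-04-08 11:14 53,312 ----a-w C:\WINDOWS\system32\tjnavwid.dll
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# Eight letters directly under system32: the naming pattern of the DLLs the
# responder below calls Vundo/Conhook leftovers. Alone it also matches some
# real Windows files (dnsrslvr.dll), so it is only used together with size.
EIGHT_LETTER_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)

# Registry lines ComboFix prints that mean a defence has been switched off or
# a DLL is injected everywhere. AppInit_DLLs is used by legitimate software too
# (wbsys.dll here belongs to Stardock WindowBlinds), so it is a lead, not a verdict.
DEFENCE_RULES = [
    (re.compile(r'"AntiVirusDisableNotify"=dword:0*1$'), "Security Center antivirus alerts suppressed"),
    (re.compile(r'"FirewallDisableNotify"=dword:0*1$'), "Security Center firewall alerts suppressed"),
    (re.compile(r'"EnableFirewall"=\s*0\b'), "Windows Firewall disabled in the standard profile"),
    (re.compile(r'"AppInit_DLLs"=\S+'), "AppInit_DLLs loads a DLL into every user-mode process"),
]

# MountPoints2 autorun commands; loading a DLL from the drive via rundll32 is
# the classic removable-media worm pattern (assumption: my rule, not ComboFix's).
AUTORUN_RE = re.compile(r"\\shell\\(?:autorun|open)\\command - (?P<cmd>.+)$")


def find_size_clusters(log_text: str, min_members: int = 2) -> dict[int, list[str]]:
    """Group eight-letter system32 DLLs by byte size.

    Several random names sharing one exact size is the strongest single
    signal in this log; a lone eight-letter DLL is ignored.
    """
    by_size: dict[int, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if m and EIGHT_LETTER_DLL_RE.search(m.group("path")):
            by_size[int(m.group("size").replace(",", ""))].append(m.group("path"))
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_members}


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (kind, detail) findings: size clusters first, then line-level hits."""
    findings: list[tuple[str, str]] = []
    for size, paths in find_size_clusters(log_text).items():
        findings.append(("size-cluster",
                         f"{len(paths)} random-named system32 DLLs of {size} bytes: " + ", ".join(paths)))
    for line in log_text.splitlines():
        s = line.strip()
        for rx, why in DEFENCE_RULES:
            if rx.search(s):
                findings.append(("weakened-defence", f"{why}: {s}"))
        m = AUTORUN_RE.search(s)
        if m and "rundll32" in m.group("cmd").lower():
            findings.append(("autorun", f"removable-drive autorun loads a DLL via rundll32: {s}"))
    return findings


# Lines copied from the ComboFix log above, used here as sample input.
SAMPLE_COMBOFIX = r"""
2008-10-07 08:39 167,545 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-04-08 11:14 53,312 ----a-w C:\WINDOWS\system32\tjnavwid.dll
2008-04-07 11:16 53,312 ----a-w C:\WINDOWS\system32\cpsggdmj.dll
2008-04-07 08:01 53,312 ----a-w C:\WINDOWS\system32\uqkogadn.dll
2008-04-06 07:59 53,312 ----a-w C:\WINDOWS\system32\agmgsyvq.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{630922cd-0485-11dd-a8d2-0020a650a967}]
\shell\autorun\command - G:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76af910c-7db7-11dd-a8db-0020a650a967}]
\shell\autorun\command - G:\
\shell\open\command - rundll32.exe .\\w3osl.dll,InstallM
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_COMBOFIX):
        print(f"[{kind}] {detail}")
```

Two caveats a practitioner would keep in mind with this log. The "Files Created" section carries October 2008 timestamps on a run dated 20 May 2008, so the machine's clock cannot be trusted and the script deliberately keys on size and name rather than dates. And core.cache.dsk, the file the thread is about, is still listed under Find3M after the ComboFix run; none of the rules here fire on it, so a responder would keep it on the list by hand rather than let the script close the case.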
sjpritch25
1st Responder, Premium Member
Joined: Mar 31, 2005
Posts: 5163
Location: West Coast of Florida, USA
Groups: 1st Responder Mentors, 1st Responders, MVP, Premium, Rootkit Responders

PostPosted: Wed May 21, 2008 9:53 pm

Just a couple of leftover Vundo/Conhook files to remove.


Download the attached file CFScript.txt to your Desktop


(Picture: http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif)

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Note:Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!



================================


Please perform a scan with Kaspersky Webscan Online Virus Scanner

1. Read the Requirements and Privacy statement, then select "Accept".
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
3. Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "Next".
5. Click "Scan Settings" and check the option to use the Extended Database if available (otherwise Standard).
6. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
7. Click "OK".
8. Under "Select a target to scan", click on "My Computer".
9. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically, or it will show 'Kaspersky Online Scanner license key was not found!'




Attachment: CFScript.txt (188 Bytes, downloaded 14 times)


_________________
Microsoft Valuable Professional--Consumer Security 2007-2009
http://geekfox26.blogspot.com/
Powered by phpBB © 2001 phpBB Group