Smitfraud-C.CoreService on Windows Vista [RESOLVED]


This topic is locked

#16
Mercuryrose88 (Topic Starter, Member, 20 posts)
Thank you again for helping me. Unfortunately, when I tried posting this the first time, it wouldn't allow me to since I apparently had an outdated version of HJT, and I can't find the log from ComboFix. :-( Do you know where I can find it?

When I tried to run ComboFix, it still had the problem of "freeware implementation of REG.exe has stopped working", and then later it said that an unknown program that was in the same folder as ComboFix had some problems installing and asked if I wanted to reinstall it. Since the computer was just restarting, I decided to click "the program was installed correctly".

When it rebooted, I noticed that the icon for the Internet Explorer browser was on my desktop, when it had never been there before, and when I first saw it, the browser kept popping up. I deleted it off my desktop, but the icon kept reappearing on my desktop.

Anyways, here is the HJT log, and I'll run combofix again if need be.

Oh wait... it's still on my copy board... LOL

ComboFix 08-01-31.1 - Mercuryrose88 2008-01-30 21:23:40.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.151 [GMT -5:00]
Running from: C:\Users\Mercuryrose88\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 02:23 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-01-30 00:06 932 ----a-w C:\Windows\system32\drivers\core.cache.dsk
2008-01-29 17:57 --------- d-----w C:\Program Files\Trend Micro
2008-01-29 15:31 --------- d-----w C:\Program Files\McAfee
2008-01-29 00:58 --------- d-----w C:\ProgramData\Avg7
2008-01-28 01:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-27 19:37 81,920 ----a-w C:\Windows\System32\IEDFix.exe
2008-01-27 19:00 --------- d-----w C:\Program Files\Startup Mechanic
2008-01-27 17:09 86,144 ----a-w C:\Windows\system32\drivers\msteee.sys
2008-01-23 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-23 17:44 --------- d-----w C:\Program Files\Cisco Systems
2008-01-18 23:37 --------- d-----w C:\Program Files\QuickTime
2008-01-11 04:38 --------- d-----w C:\Users\Mercuryrose88\AppData\Roaming\SiteAdvisor
2008-01-09 22:19 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 22:15 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-09 22:15 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-09 22:15 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-09 22:15 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-09 22:15 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-09 22:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 22:10 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 22:10 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 22:10 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 22:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-09 22:10 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-09 22:09 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-09 22:09 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 22:09 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-09 22:09 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-01-09 22:09 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-09 22:09 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-09 22:09 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-09 22:06 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 22:06 --------- d-----w C:\Program Files\Windows Sidebar
2007-12-21 18:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 21:54 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-12 22:13 --------- d-----w C:\ProgramData\Microsoft Help
2007-12-12 22:12 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 22:11 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 22:11 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 22:10 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 22:09 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 22:09 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 22:09 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 22:08 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 22:08 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 22:08 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 22:08 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-12 22:04 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 22:04 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-09 13:56 --------- d-----w C:\Program Files\MSBuild
2007-12-09 13:48 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-07 21:26 --------- d-----w C:\Program Files\Gravity
2007-12-01 23:13 --------- d-----w C:\ProgramData\WildTangent
2007-11-17 21:15 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-13 22:04 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-13 22:04 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-13 22:04 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-13 22:04 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-13 22:04 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-13 22:04 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-13 22:04 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-13 22:04 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-13 22:04 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-13 22:04 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-13 22:02 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-13 22:02 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-10-29 11:23 110,592 ----a-w C:\Windows\System32\SynTPCo4.dll
2007-10-29 10:55 147,456 ----a-w C:\Windows\System32\SynTPAPI.dll
2007-10-29 10:47 196,608 ----a-w C:\Windows\System32\SynCtrl.dll
2007-10-29 10:47 163,840 ----a-w C:\Windows\System32\SynCOM.dll
2007-10-11 03:28 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2007-10-11 03:28 7,680 ----a-w C:\Windows\System32\spwmp.dll
2007-10-11 03:28 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2007-10-11 03:28 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2007-10-11 03:23 84,480 ----a-w C:\Windows\System32\INETRES.dll
2007-10-11 03:23 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2007-10-11 03:22 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2007-10-04 04:36 25,600 ----a-w C:\Windows\System32\WS2Fix.exe
2007-09-02 21:38 938 ----a-w C:\Users\Mercuryrose88\AppData\Roaming\wklnhst.dat
2007-08-31 07:16 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ZipFile]
@={2D7E38A6-A604-45AE-9A87-4F5F25760650}

[HKEY_CLASSES_ROOT\CLSID\{2D7E38A6-A604-45AE-9A87-4F5F25760650}]
C:\Windows\System32\winsdrv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 11:18 307200]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-18 22:54 5674352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-29 13:08 1006264]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2006-10-18 11:14 35928]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00 267064]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-08-24 19:54 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-08-24 19:54 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-08-24 19:54 129560]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-10-29 06:02 102400]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

C:\Users\Mercuryrose88\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 22:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R2 ACEDRV09;ACEDRV09;C:\Windows\system32\drivers\ACEDRV09.sys [2007-09-07 13:11]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 01:11]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 19:39]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-03 03:43]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-03 03:43]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2007-01-03 03:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 15:49:01 C:\Windows\Tasks\At1.job"
- C:\ComboFix\kmd.exe
"2008-01-29 21:44:00 C:\Windows\Tasks\At2.job"
- C:\ComboFix\kmd.exe
"2008-01-31 02:29:00 C:\Windows\Tasks\At3.job"
- C:\ComboFix\kmd.exe
"2007-12-15 08:32:28 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 06:00:16 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 21:32:14
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-01-30 21:36:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 02:36:27
ComboFix2.txt 2008-01-29 21:58:46
.
2008-01-09 22:15:36 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:19 PM, on 1/30/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0027931201705853) (0027931201705853mcinstcleanup) - Unknown owner - C:\Windows\TEMP\002793~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8753 bytes

PS: my friend offered to help by using a Linux disk, which I heard online is a way to fix this kind of virus. Will this have to come to that?

Thank you very much!

#17
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
No, it won't have to come to that.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\system32\drivers\core.cache.dsk
C:\Windows\System32\winsdrv.dll
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

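The check a practitioner wants after running a CFScript like the one above is whether the listed files are actually gone, and the log ComboFix writes afterwards is where that answer lives. The following Python is an added example, not ComboFix's own code and not from this thread's helper: it parses the File:: section of a CFScript and the section layout of a ComboFix log (the parenthesised banners, the "failed to delete" marker, the Find3M listing and the "Contents of the 'Scheduled Tasks' folder" block, as they appear in the logs posted in this thread) and reports which targets the post-run log still shows on disk. The sample script and the log excerpt embedded in it are constructed from lines in this thread (the excerpt is stitched together, not one real log), and every function name is this example's own.

```python
"""Check a ComboFix CFScript against the log ComboFix writes after running it.

Added example, not ComboFix's code.  The CFScript layout (a ``File::`` header
followed by one path per line) and the ComboFix log layout (section banners in
parentheses, ``failed to delete`` markers, the Find3M listing and the
``Contents of the 'Scheduled Tasks' folder`` block) are as shown in the
thread; every function name below is this example's own.
"""
import re
from typing import Dict, List

# Constructed sample: the CFScript the helper asked for in reply #17.
SAMPLE_CFSCRIPT = r"""File::
C:\Windows\system32\drivers\core.cache.dsk
C:\Windows\System32\winsdrv.dll
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\Tasks\At3.job
"""

# Constructed sample: a post-run log excerpt stitched together from lines in
# the thread's ComboFix logs (not one real log).
SAMPLE_LOG = r"""((((((((((( Other Deletions )))))))))))
.
C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete
C:\Windows\System32\winsdrv.dll
.
((((((((((( Find3M Report )))))))))))
.
2008-01-30 00:06 932 ----a-w C:\Windows\system32\drivers\core.cache.dsk
2008-01-27 17:09 86,144 ----a-w C:\Windows\system32\drivers\msteee.sys
.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 15:49:01 C:\Windows\Tasks\At1.job"
- C:\ComboFix\kmd.exe
"2007-12-15 08:32:28 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"""

CFSCRIPT_HEADER = re.compile(r"^([A-Za-z]+)::$")
BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
FOLDER_HEADER = re.compile(r"^Contents of the '(.+?)' folder$")

# Higher rank wins when a target shows up in more than one place.
RANK = {"unseen": 0, "referenced": 1, "deleted": 2, "present": 3, "failed": 4}


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Map each 'Name::' section of a CFScript to the non-blank lines under it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CFSCRIPT_HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text: str) -> Dict[str, List[str]]:
    """Map each ComboFix log section (banner or folder header) to its lines."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER.match(line) or FOLDER_HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def classify(section: str, line: str) -> str:
    """Decide what one mention of a target in a given log section tells us."""
    if section == "Other Deletions":
        return "failed" if "failed to delete" in line.lower() else "deleted"
    if (section.startswith("Find3M") or section.startswith("Files Created")
            or section == "Scheduled Tasks"):
        return "present"          # listed on disk after the run
    return "referenced"           # e.g. a registry loading point still names it


def check_targets(cfscript: str, log: str) -> Dict[str, str]:
    """Return {target path: status} for every File:: target in the script."""
    report: Dict[str, str] = {}
    log_sections = parse_combofix_log(log)
    for target in parse_cfscript(cfscript).get("File", []):
        status = "unseen"
        needle = target.lower()   # ComboFix mixes path casing, so compare lowercased
        for section, lines in log_sections.items():
            for line in lines:
                if needle in line.lower():
                    candidate = classify(section, line)
                    if RANK[candidate] > RANK[status]:
                        status = candidate
        report[target] = status
    return report


def leftovers(report: Dict[str, str]) -> List[str]:
    """Targets the log shows are still on disk and need another pass."""
    return [t for t, s in report.items() if s in ("failed", "present")]


if __name__ == "__main__":
    result = check_targets(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    for path, status in result.items():
        print(f"{status:10s} {path}")
    print("still need attention:", leftovers(result))
```

On a real machine, read CFScript.txt and C:\ComboFix.txt into check_targets instead of the samples. Anything reported as "failed" or "present" (in the sample, core.cache.dsk, which the log itself says could not be deleted) still needs a further pass; "unseen" only means the log did not mention the path, so confirm on the host before treating it as gone.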

#18
Mercuryrose88 (Topic Starter, Member, 20 posts)
Thank you again!

However, I already deleted that file when you posted that suggestion on your previous post. ComboFix still seems to be having that REG.exe problem, and I noticed when it starts it says that it cannot find a certain message file.

I did run combofix and HJT again, and here are the logs! ^_^ Hope this helps!

I ran spybot again, and it still pulled up the file, so it's not gone yet :-(

Anyways, here are the logs!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:23 PM, on 1/31/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0265301201793397) (0265301201793397mcinstcleanup) - Unknown owner - C:\Windows\TEMP\026530~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8665 bytes

ComboFix 08-01-31.5 - Mercuryrose88 2008-01-31 10:35:28.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.212 [GMT -5:00]
Running from: C:\Users\Mercuryrose88\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 15:35 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-01-30 00:06 932 ----a-w C:\Windows\system32\drivers\core.cache.dsk
2008-01-29 17:57 --------- d-----w C:\Program Files\Trend Micro
2008-01-29 15:31 --------- d-----w C:\Program Files\McAfee
2008-01-29 00:58 --------- d-----w C:\ProgramData\Avg7
2008-01-28 01:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-27 19:37 81,920 ----a-w C:\Windows\System32\IEDFix.exe
2008-01-27 19:00 --------- d-----w C:\Program Files\Startup Mechanic
2008-01-27 17:09 86,144 ----a-w C:\Windows\system32\drivers\msteee.sys
2008-01-23 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-23 17:44 --------- d-----w C:\Program Files\Cisco Systems
2008-01-18 23:37 --------- d-----w C:\Program Files\QuickTime
2008-01-11 04:38 --------- d-----w C:\Users\Mercuryrose88\AppData\Roaming\SiteAdvisor
2008-01-09 22:19 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 22:15 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-09 22:15 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-09 22:15 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-09 22:15 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-09 22:15 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-09 22:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 22:10 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 22:10 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 22:10 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 22:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-09 22:10 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-09 22:09 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-09 22:09 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 22:09 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-09 22:09 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-01-09 22:09 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-09 22:09 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-09 22:09 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-09 22:06 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 22:06 --------- d-----w C:\Program Files\Windows Sidebar
2007-12-21 18:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 21:54 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-12 22:13 --------- d-----w C:\ProgramData\Microsoft Help
2007-12-12 22:12 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 22:11 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 22:11 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 22:10 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 22:09 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 22:09 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 22:09 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 22:08 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 22:08 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 22:08 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 22:08 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-12 22:04 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 22:04 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-09 13:56 --------- d-----w C:\Program Files\MSBuild
2007-12-09 13:48 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-07 21:26 --------- d-----w C:\Program Files\Gravity
2007-12-01 23:13 --------- d-----w C:\ProgramData\WildTangent
2007-11-17 21:15 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-13 22:04 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-13 22:04 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-13 22:04 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-13 22:04 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-13 22:04 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-13 22:04 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-13 22:04 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-13 22:04 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-13 22:04 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-13 22:04 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-13 22:02 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-13 22:02 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-10-29 11:23 110,592 ----a-w C:\Windows\System32\SynTPCo4.dll
2007-10-29 10:55 147,456 ----a-w C:\Windows\System32\SynTPAPI.dll
2007-10-29 10:47 196,608 ----a-w C:\Windows\System32\SynCtrl.dll
2007-10-29 10:47 163,840 ----a-w C:\Windows\System32\SynCOM.dll
2007-10-11 03:28 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2007-10-11 03:28 7,680 ----a-w C:\Windows\System32\spwmp.dll
2007-10-11 03:28 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2007-10-11 03:28 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2007-10-11 03:23 84,480 ----a-w C:\Windows\System32\INETRES.dll
2007-10-11 03:23 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2007-10-11 03:22 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2007-10-04 04:36 25,600 ----a-w C:\Windows\System32\WS2Fix.exe
2007-09-02 21:38 938 ----a-w C:\Users\Mercuryrose88\AppData\Roaming\wklnhst.dat
2007-08-31 07:16 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ZipFile]
@={2D7E38A6-A604-45AE-9A87-4F5F25760650}

[HKEY_CLASSES_ROOT\CLSID\{2D7E38A6-A604-45AE-9A87-4F5F25760650}]
C:\Windows\System32\winsdrv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 11:18 307200]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-18 22:54 5674352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-29 13:08 1006264]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2006-10-18 11:14 35928]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00 267064]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-08-24 19:54 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-08-24 19:54 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-08-24 19:54 129560]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-10-29 06:02 102400]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

C:\Users\Mercuryrose88\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 22:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R2 ACEDRV09;ACEDRV09;C:\Windows\system32\drivers\ACEDRV09.sys [2007-09-07 13:11]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 01:11]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 19:39]
R3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-12-19 11:12]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-03 03:43]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-03 03:43]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2007-01-03 03:43]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 15:49:01 C:\Windows\Tasks\At1.job"
- C:\ComboFix\kmd.exe
"2008-01-29 21:44:00 C:\Windows\Tasks\At2.job"
- C:\ComboFix\kmd.exe
"2008-01-31 02:29:00 C:\Windows\Tasks\At3.job"
- C:\ComboFix\kmd.exe
"2008-01-31 15:41:07 C:\Windows\Tasks\At4.job"
)\- C:\ComboFix\kmd.exe
"2007-12-15 08:32:28 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 06:00:16 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 10:44:56
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\consent.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
.
**************************************************************************
.
Completion time: 2008-01-31 10:49:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 15:49:07
.
2008-01-09 22:15:36 --- E O F ---
  • 0

#19
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

Delete your version of ComboFix.exe and the folder C:\qoobox then do this

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
  • 0

#20
Mercuryrose88
    Member
  • Topic Starter
  • Member
  • 20 posts
Thank you very much for all of your help!

I asked a friend of mine, who is a graphic design student and certified technician at the IT Center on campus, if he could help me as well, as I knew it is difficult to fix something that you can't see, so I thought maybe it would help you if he took a look at my computer and gave me any information that I could give you that would help.

He had a disk that had a bootable version of Linux (I think that's what he called it), and he used it to go onto my computer and see if he could delete the file that the virus was in. After many tries, he decided to erase the system restore points, delete the file, and run Spybot again. After running Spybot in safe mode and normal mode and not finding the file anymore, he had me go to safe mode with networking and go to the Trend Micro HouseCall online scanner and have them scan my computer and fix anything they found.

As far as I can tell, after HouseCall found a "freeloader-smitfraud" infection and deleted it, I cannot find any trace of the virus.

However, I want to be positive it is gone, but I don't know if ComboFix will be safe to run if my computer is indeed no longer infected. I ran HJT, and here is the log report of that.

After this post, I will go to the Kaspersky online scanner again and have it scan my computer once again, and post the results again.

Thank you very much for all of your help again, I really appreciate it!! ^_^

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:18, on 2008-02-01
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0296581201914767) (0296581201914767mcinstcleanup) - Unknown owner - C:\Windows\TEMP\029658~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: @%SystemRoot%\system32\msimsg.dll,-27 (msiserver) - Unknown owner - cmd.exe (file missing)
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8285 bytes
  • 0
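As an added example (not code from this thread, from HijackThis or from ComboFix), a small Python helper that pulls the O23 service entries out of an HJT log like the one above, flags the ones a helper would ask about first (image missing, path not absolute, image under a TEMP directory) and diffs the service lists of two logs of the same machine. The heuristics are this example's own, and the sample log text is constructed from O23 lines modelled on the logs posted in this thread.

```python
"""Triage helper for HijackThis v2 logs: list O23 services, flag the ones a
forum helper would look at first, and diff two logs.  Added example; not part
of the thread, of HijackThis or of ComboFix."""
import re
from dataclasses import dataclass

# "O23 - Service: <display name> (<short name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
MISSING = "(file missing)"


@dataclass(frozen=True)
class Service:
    name: str          # display name, with the short name in parentheses
    owner: str         # vendor string, or "Unknown owner"
    path: str          # image path with any "(file missing)" suffix stripped
    file_missing: bool


def parse_services(log_text: str) -> dict:
    """Return {display name: Service} for every O23 line in an HJT log."""
    services = {}
    for raw in log_text.splitlines():
        m = O23_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path").strip()
        missing = path.endswith(MISSING)
        if missing:
            path = path[: -len(MISSING)].strip()
        svc = Service(m.group("name"), m.group("owner"), path, missing)
        services[svc.name] = svc
    return services


def review_reasons(svc: Service) -> list:
    """Reasons a helper would ask about this service; empty means unremarkable.
    These heuristics are this example's own, not HijackThis's."""
    reasons = []
    if svc.file_missing:
        reasons.append("registered service whose image is missing")
    if not DRIVE_RE.match(svc.path):
        reasons.append("image path is not an absolute path")
    if "\\temp\\" in svc.path.lower():
        reasons.append("image lives under a TEMP directory")
    # "Unknown owner" on its own is common for OEM tools (see pinger below),
    # so it only adds weight when something else already looks off.
    if svc.owner == "Unknown owner" and reasons:
        reasons.append("no vendor string")
    return reasons


def flag_services(log_text: str) -> dict:
    """{display name: [reasons]} for the O23 entries worth a second look."""
    flagged = {}
    for name, svc in parse_services(log_text).items():
        reasons = review_reasons(svc)
        if reasons:
            flagged[name] = reasons
    return flagged


def diff_services(old_log: str, new_log: str) -> tuple:
    """(added, removed) service names between two logs of the same machine."""
    old, new = parse_services(old_log), parse_services(new_log)
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))


# Constructed sample: O23 lines modelled on the two HJT logs in this thread.
LOG_BEFORE = r"""
O23 - Service: McAfee Application Installer Cleanup (0296581201914767) (0296581201914767mcinstcleanup) - Unknown owner - C:\Windows\TEMP\029658~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: @%SystemRoot%\system32\msimsg.dll,-27 (msiserver) - Unknown owner - cmd.exe (file missing)
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
"""
LOG_AFTER = r"""
O23 - Service: McAfee Application Installer Cleanup (0039021202077464) (0039021202077464mcinstcleanup) - Unknown owner - C:\Windows\TEMP\003902~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
"""

if __name__ == "__main__":
    for name, reasons in flag_services(LOG_BEFORE).items():
        print(f"{name}: {'; '.join(reasons)}")
    added, removed = diff_services(LOG_BEFORE, LOG_AFTER)
    print("added:", added)
    print("removed:", removed)
```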

#21
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
No need to run Kaspersky

Tell me if this file is still there

C:\Windows\system32\drivers\core.cache.dsk


Edit : Also tell me if this is present

C:\Windows\System32\drivers\msteee.sys

Edited by Rorschach112, 01 February 2008 - 07:40 PM.

  • 0

#22
Mercuryrose88
    Member
  • Topic Starter
  • Member
  • 20 posts
Thank you for replying so fast!

If you meant mstee.sys, then yes, it's still here... Is that a bad thing?

However, the core.cache.dsk file is no longer here, at least not that I can see, and I've searched for it enough lol!

Edited by Mercuryrose88, 01 February 2008 - 07:48 PM.

  • 0

#23
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\Windows\System32\drivers\msteee.sys "
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\Windows\System32\drivers\msteee.sys

  • Click Open.
  • Click Post.
Thank you!




Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe




Please download and unzip Icesword to its own folder on your desktop


Now for the fix. Close all windows and disconnect from the Internet. Run IceSword.exe. Do not restart your PC until the very end to ensure the fix works



Step 1 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) in bold and delete them.

C:\Windows\system32\drivers\core.cache.dsk
C:\Windows\System32\drivers\msteee.sys



Step 2 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msteee
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msteee




Then reboot your PC and tell me if those two files are present
  • 0

#24
Mercuryrose88
    Member
  • Topic Starter
  • Member
  • 20 posts
Hello!

Thank you for your suggestions!

However, IceSword does not seem to work. At first, it went to a blue screen and before I could read all of what was written on the screen, my computer restarted. I tried it again, and the same thing happened. Then I went to safe mode, and it still would not work.

I tried deleting the file and folder and redownloading it, but now it's not initializing.

Please help me! I'm really lost...

PS- I went to SpyKiller forum and posted under the name of Anna Jaap with the same title you suggested. ^_^ Thank you!
  • 0

#25
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Delete the IceSword folder then go to this site

http://antirootkit.c...re/IceSword.htm

Download

Icesword 1.20 for Windows Vista

Then try my previous steps
  • 0

#26
Mercuryrose88
    Member
  • Topic Starter
  • Member
  • 20 posts
Thank you for your suggestions!

However, I deleted the folder and redownloaded the Vista-compatible version of IceSword, and it is still failing to initialize. It bluescreens, but before I can read what it says, my computer restarts.

I don't know what to do, but IceSword doesn't seem to work on my computer, even when I change its properties to run with Windows XP service pack 2.

I'll try to read what the bluescreen says if you want me to try again, but I don't know if it's safe for my computer to do so. ^~^

Thank you for your help!
  • 0

#27
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Let's not push that then.

Delete IceSword.exe and its folder.


Delete ComboFix.exe and the folder C:\qoobox then do this


Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
  • 0

#28
Mercuryrose88
    Member
  • Topic Starter
  • Member
  • 20 posts
Thank you for your help!

Here are the logs from HJT and ComboFix. The only weird thing is that when ComboFix was running, when it completed stage 5, Flash Player popped up asking me to install it, which I declined. I wasn't connected to the internet either, so I don't know why it popped up. ^_^

Anyways, here are the logs!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:19 PM, on 2/3/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0039021202077464) (0039021202077464mcinstcleanup) - Unknown owner - C:\Windows\TEMP\003902~1.EXE (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8550 bytes

ComboFix 08-02.03.1 - Mercuryrose88 2008-02-03 17:41:47.5 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.261 [GMT -5:00]
Running from: C:\Users\Mercuryrose88\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 22:41 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-02-03 22:24 --------- d-----w C:\Program Files\McAfee
2008-02-02 22:45 182,069 ----a-w C:\Windows\system32\drivers\IsDrv120.sys
2008-02-01 21:53 102,664 ----a-w C:\Windows\system32\drivers\tmcomm.sys
2008-01-29 17:57 --------- d-----w C:\Program Files\Trend Micro
2008-01-29 00:58 --------- d-----w C:\ProgramData\Avg7
2008-01-28 01:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-27 19:37 81,920 ----a-w C:\Windows\System32\IEDFix.exe
2008-01-27 19:00 --------- d-----w C:\Program Files\Startup Mechanic
2008-01-23 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-23 17:44 --------- d-----w C:\Program Files\Cisco Systems
2008-01-18 23:37 --------- d-----w C:\Program Files\QuickTime
2008-01-11 04:38 --------- d-----w C:\Users\Mercuryrose88\AppData\Roaming\SiteAdvisor
2008-01-09 22:19 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 22:15 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-09 22:15 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-09 22:15 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-09 22:15 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-09 22:15 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-09 22:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 22:10 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 22:10 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 22:10 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 22:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-09 22:10 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-09 22:09 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-09 22:09 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 22:09 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-09 22:09 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-01-09 22:09 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-09 22:09 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-09 22:09 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-09 22:06 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 22:06 --------- d-----w C:\Program Files\Windows Sidebar
2007-12-21 18:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 21:54 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-12 22:13 --------- d-----w C:\ProgramData\Microsoft Help
2007-12-12 22:12 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 22:11 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 22:11 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 22:10 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 22:09 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 22:09 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 22:09 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 22:08 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 22:08 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 22:08 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 22:08 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-12 22:04 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 22:04 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-09 13:56 --------- d-----w C:\Program Files\MSBuild
2007-12-09 13:48 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-07 21:26 --------- d-----w C:\Program Files\Gravity
2007-11-17 21:15 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-13 22:04 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-13 22:04 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-13 22:04 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-13 22:04 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-13 22:04 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-13 22:04 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-13 22:04 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-13 22:04 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-13 22:04 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-13 22:04 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-13 22:02 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-13 22:02 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-09-02 21:38 938 ----a-w C:\Users\Mercuryrose88\AppData\Roaming\wklnhst.dat
2007-08-31 07:16 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ZipFile]
@={2D7E38A6-A604-45AE-9A87-4F5F25760650}

[HKEY_CLASSES_ROOT\CLSID\{2D7E38A6-A604-45AE-9A87-4F5F25760650}]
C:\Windows\System32\winsdrv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 11:18 307200]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-18 22:54 5674352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-29 13:08 1006264]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2006-10-18 11:14 35928]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00 267064]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-08-24 19:54 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-08-24 19:54 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-08-24 19:54 129560]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-10-29 06:02 102400]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

C:\Users\Mercuryrose88\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 22:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R2 ACEDRV09;ACEDRV09;C:\Windows\system32\drivers\ACEDRV09.sys [2007-09-07 13:11]
R2 pinger;pinger;C:\Toshiba\IVP\ISM\pinger.exe [2007-01-25 20:47]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 17:56]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 01:11]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 19:39]
R3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-12-19 11:12]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 14:50]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 19:13]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-01-09 13:00]
S2 0039021202077464mcinstcleanup;McAfee Application Installer Cleanup (0039021202077464);C:\Windows\TEMP\003902~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 GameConsoleService;GameConsoleService;"C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [2007-11-27 16:38]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-03 03:43]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-03 03:43]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2007-01-03 03:43]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 08:32:28 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 06:00:16 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 17:47:03
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 17:49:27
.
2008-01-09 22:15:36 --- E O F ---
  • 0

#29
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Looks good

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Windows\System32\winsdrv.dll

Registry::
[-HKEY_CLASSES_ROOT\CLSID\{2D7E38A6-A604-45AE-9A87-4F5F25760650}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Then do this again


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#30
Mercuryrose88
  • Topic Starter
  • Member
  • 20 posts
Thank you for your help!

I ran Kaspersky Online Scanner and unfortunately it says I still have one virus infection, with four infected objects. ^~^ Here are the logs for ComboFix and Kaspersky. ^_^

ComboFix 08-02.03.1 - Mercuryrose88 2008-02-04 12:20:46.6 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.289 [GMT -5:00]
Running from: C:\Users\Mercuryrose88\Desktop\ComboFix.exe
Command switches used :: C:\Users\Mercuryrose88\Desktop\CFScript.txt

FILE
C:\Windows\System32\winsdrv.dll
.

((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 17:20 262,144 ----a-w C:\ProgramData\ntuser.dat
2008-02-03 22:24 --------- d-----w C:\Program Files\McAfee
2008-02-02 22:45 182,069 ----a-w C:\Windows\system32\drivers\IsDrv120.sys
2008-02-01 21:53 102,664 ----a-w C:\Windows\system32\drivers\tmcomm.sys
2008-01-29 17:57 --------- d-----w C:\Program Files\Trend Micro
2008-01-29 00:58 --------- d-----w C:\ProgramData\Avg7
2008-01-28 01:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-27 19:37 81,920 ----a-w C:\Windows\System32\IEDFix.exe
2008-01-27 19:00 --------- d-----w C:\Program Files\Startup Mechanic
2008-01-23 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2008-01-23 17:44 --------- d-----w C:\Program Files\Cisco Systems
2008-01-18 23:37 --------- d-----w C:\Program Files\QuickTime
2008-01-11 04:38 --------- d-----w C:\Users\Mercuryrose88\AppData\Roaming\SiteAdvisor
2008-01-09 22:19 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 22:15 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-09 22:15 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-09 22:15 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-09 22:15 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-09 22:15 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-09 22:10 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 22:10 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 22:10 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 22:10 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 22:10 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-09 22:10 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-09 22:09 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-09 22:09 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 22:09 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-09 22:09 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-01-09 22:09 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-09 22:09 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-09 22:09 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-09 22:06 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 22:06 --------- d-----w C:\Program Files\Windows Sidebar
2007-12-21 18:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-19 21:54 --------- d-----w C:\Program Files\SiteAdvisor
2007-12-12 22:13 --------- d-----w C:\ProgramData\Microsoft Help
2007-12-12 22:12 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 22:11 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 22:11 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 22:10 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 22:09 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 22:09 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 22:09 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 22:08 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 22:08 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 22:08 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 22:08 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-12 22:04 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 22:04 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-09 13:56 --------- d-----w C:\Program Files\MSBuild
2007-12-09 13:48 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-07 21:26 --------- d-----w C:\Program Files\Gravity
2007-11-17 21:15 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-13 22:04 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-13 22:04 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-13 22:04 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-13 22:04 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-13 22:04 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-13 22:04 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-13 22:04 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-13 22:04 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-13 22:04 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-13 22:04 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-13 22:02 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-13 22:02 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-09-02 21:38 938 ----a-w C:\Users\Mercuryrose88\AppData\Roaming\wklnhst.dat
2007-08-31 07:16 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ZipFile]
@={2D7E38A6-A604-45AE-9A87-4F5F25760650}

[HKEY_CLASSES_ROOT\CLSID\{2D7E38A6-A604-45AE-9A87-4F5F25760650}]
C:\Windows\System32\winsdrv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 11:18 307200]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-18 22:54 5674352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-06-29 13:08 1006264]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2006-10-18 11:14 35928]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00 267064]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-08-24 19:54 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-08-24 19:54 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-08-24 19:54 129560]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-10-29 06:02 102400]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

C:\Users\Mercuryrose88\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 22:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R2 ACEDRV09;ACEDRV09;C:\Windows\system32\drivers\ACEDRV09.sys [2007-09-07 13:11]
R2 pinger;pinger;C:\Toshiba\IVP\ISM\pinger.exe [2007-01-25 20:47]
R2 TOSHIBA Bluetooth Service;TOSHIBA Bluetooth Service;C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe [2007-02-02 17:56]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-20 01:11]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-08-24 19:39]
R3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-12-19 11:12]
R3 tdcmdpst;TOSHIBA Writing Engine Filter Driver;C:\Windows\system32\DRIVERS\tdcmdpst.sys [2006-10-18 14:50]
R3 UVCFTR;UVCFTR;C:\Windows\system32\DRIVERS\UVCFTR_S.SYS [2007-01-26 19:13]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-01-09 13:00]
S2 0039021202077464mcinstcleanup;McAfee Application Installer Cleanup (0039021202077464);C:\Windows\TEMP\003902~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog []
S3 GameConsoleService;GameConsoleService;"C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [2007-11-27 16:38]
S4 KR10I;KR10I;C:\Windows\system32\drivers\kr10i.sys [2007-01-03 03:43]
S4 KR10N;KR10N;C:\Windows\system32\drivers\kr10n.sys [2007-01-03 03:43]
S4 KR3NPXP;KR3NPXP;C:\Windows\system32\drivers\kr3npxp.sys [2007-01-03 03:43]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 08:32:28 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-01-01 06:00:16 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 12:25:28
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-04 12:27:49
ComboFix2.txt 2008-02-03 22:49:29
.
2008-01-09 22:15:36 --- E O F ---

I'll attach the Kaspersky file separately since I've had some problems the last time I tried to post that log. ^_^ (Attached file: report_kas.txt, 168.26KB)
  • 0