Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Core.cache.dsk + other major problems? [RESOLVED]

Started by TJReilly , Jan 31 2008 08:23 AM

  • This topic is locked This topic is locked

#1
TJReilly
Posted 31 January 2008 - 08:23 AM

TJReilly

    New Member

  • Member
  • Pip
  • 4 posts
I know I am infected with all kinds of malware. Have tried several online solutions witout luck. Thanks in advance for the help. TJ

Here is the HJT log:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:54 AM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
X:\ImageXL\Name Grabber.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll (file missing)
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1174401550239
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\PROGRA~1\Borland\INTERB~1\Bin\ibguard.exe (file missing)
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
  • 0

Advertisements

#2
miekiemoes
Posted 01 February 2008 - 07:41 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
TJReilly
Posted 04 February 2008 - 09:26 AM

TJReilly

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for the help. Here are your requested logs:

ComboFix 08-02.03.1 - FrontDesk 2008-02-04 9:44:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.130 [GMT -5:00]
Running from: C:\Documents and Settings\FrontDesk\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\FrontDesk\Application Data\inst.exe
C:\Documents and Settings\FrontDesk\My Documents\SMANTE~1
C:\Documents and Settings\FrontDesk\My Documents\STEM~1
C:\Documents and Settings\FrontDesk\My Documents\STEM~1\??stem\
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aebbsyvw.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\kjkkj.ini2
C:\WINDOWS\system32\kytrsdgm.ini
C:\WINDOWS\system32\pjwkfdcm.ini
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 09:48 . 2008-02-04 09:48 <DIR> d-------- C:\TEMP\tn3
2008-02-04 09:43 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-04 09:43 . 2006-02-03 15:18 211 --a------ C:\Boot.bak
2008-01-29 12:56 . 2008-02-04 09:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-29 12:56 . 2008-01-29 12:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-29 12:56 . 2008-01-29 12:56 <DIR> d-------- C:\Documents and Settings\FrontDesk\Application Data\SUPERAntiSpyware.com
2008-01-29 12:56 . 2008-01-29 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-29 12:17 . 2008-01-31 08:56 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-15 12:04 . 2008-01-15 12:04 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-10 15:41 . 2008-01-14 12:40 <DIR> d-------- C:\Program Files\CleanUp!
2008-01-10 14:33 . 2008-01-10 14:33 <DIR> d-------- C:\Documents and Settings\FrontDesk\Application Data\Grisoft
2008-01-10 14:32 . 2008-01-10 14:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-10 14:32 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-10 11:42 . 2008-01-10 11:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-10 09:29 . 2008-01-10 09:30 6,516 --ahs---- C:\WINDOWS\system32\oqtss.ini
2008-01-08 15:31 . 2008-02-04 08:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-01-08 15:29 . 2008-01-14 12:09 <DIR> d-------- C:\Program Files\STOPzilla!
2008-01-08 15:29 . 2008-01-08 15:29 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-01-08 15:29 . 2008-02-04 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-01-08 13:31 . 2008-01-08 13:31 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-08 12:45 . 2008-01-08 12:45 4,286 --a------ C:\WINDOWS\system32\MobileSidewalk.ico
2008-01-08 08:31 . 2008-01-08 08:31 114,688 --a------ C:\WINDOWS\system32\igfxpers .exe
2008-01-08 08:31 . 2008-01-08 08:31 94,208 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-01-08 08:31 . 2008-01-08 08:31 77,824 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-01-08 08:17 . 2008-01-08 08:17 <DIR> d-------- C:\Documents and Settings\FrontDesk\Application Data\EasySpywareCleaner.com
2008-01-08 08:15 . 2008-01-09 09:15 <DIR> d-------- C:\Program Files\EasySpywareCleaner
2008-01-07 17:15 . 2008-01-14 08:31 <DIR> d-------- C:\WINDOWS\VXNlcg
2008-01-07 17:15 . 2008-01-09 09:15 <DIR> d-------- C:\WINDOWS\system32\oobe3
2008-01-07 17:15 . 2008-01-08 08:26 <DIR> d-------- C:\WINDOWS\system32\drivez4
2008-01-07 17:15 . 2008-01-07 17:15 86,016 --a------ C:\WINDOWS\system32\drivers\classpnpp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 17:48 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-14 17:09 --------- d-----w C:\Program Files\Google
2008-01-09 15:03 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-08 20:36 --------- d-----w C:\Program Files\Dentrix
2008-01-08 20:35 --------- d-----w C:\Program Files\QuickTime
2008-01-08 20:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-12 17:28 30,208 ----a-r C:\WINDOWS\system32\drivers\SZKG.sys
2007-10-09 19:05 7,404,592 ----a-w C:\Program Files\vsoConvertXtoDVD2_setup.exe
2007-10-09 19:05 47,360 ----a-w C:\Documents and Settings\FrontDesk\Application Data\pcouffin.sys
2007-10-01 13:43 182,131,744 ----a-w C:\Program Files\Nero-7.10.1.0_eng_trial_wch.exe
2007-09-27 12:57 2,501,967 ----a-w C:\Program Files\PFCSetup1.0.160.exe
2007-08-29 14:35 2,560 ----a-w C:\Documents and Settings\FrontDesk\cdcache.dat
2007-08-29 14:34 3,584 ----a-w C:\Documents and Settings\FrontDesk\netcache.dat
2007-06-21 20:22 28,608 ----a-w C:\WINDOWS\Fonts\HeroOfFools.zip
2007-06-21 20:22 22,752 ----a-w C:\WINDOWS\Fonts\AlanisHand.zip
2007-06-21 20:17 39,121 ----a-w C:\WINDOWS\Fonts\jandles.zip
2006-07-18 17:53 563,712 ----a-w C:\Documents and Settings\FrontDesk\370_gotomypc.exe
2006-06-01 16:16 6,656 ----a-w C:\Documents and Settings\FrontDesk\KWDCACHE.DAT
2007-06-20 12:22 56 --sh--r C:\WINDOWS\system32\E131B0BBDE.sys
2007-06-20 12:22 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
<pre>
----a-w		 1,404,928 2008-01-08 13:31:00  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w		   344,064 2008-01-08 13:30:59  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w			22,016 2008-01-08 13:31:14  C:\Program Files\Borland\InterBase\Bin\ibguard .exe
----a-w		   155,648 2008-01-08 13:31:28  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w			81,920 2008-01-08 13:31:09  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w			48,752 2008-01-08 13:31:01  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			53,248 2008-01-08 13:30:58  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w			81,920 2008-01-08 13:31:53  C:\Program Files\Dentrix\DtxQuickLaunch .exe
----a-w		   305,490 2008-01-08 19:54:46  C:\Program Files\EasySpywareCleaner\EasySpywareCleaner .exe
----a-w			68,856 2008-01-08 13:32:01  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w		 1,694,208 2008-01-08 21:23:43  C:\Program Files\Messenger\msmsgs .exe
----a-w			85,184 2008-01-08 13:31:04  C:\Program Files\Symantec AntiVirus\VPTray .exe
----a-w		 1,106,944 2008-01-08 13:31:12  C:\Program Files\X-Rite\ShadeVision\SRman .exe
----a-w			15,360 2008-01-08 18:31:43  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2008-01-08 13:31:22  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2008-01-08 13:31:25  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2008-01-08 13:31:19  C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShadeVisionManager"="C:\Program Files\X-Rite\ShadeVision\SRman.exe" [ ]
"NWEReboot"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Name Grabber.LNK - X:\ImageXL\Name Grabber.exe [2005-08-16 09:38:54 495616]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-08 09:03:02 811008]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-08-22 07:46:12 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, , , , , , , , , , , , , , , , , , , , , ,

R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2007-12-12 12:28]
R1 classpnpp;classpnpp;C:\WINDOWS\system32\drivers\classpnpp.sys [2008-01-07 17:15]
S3 InterBaseGuardian;InterBase Guardian;C:\PROGRA~1\Borland\INTERB~1\Bin\ibguard.exe []
S3 InterBaseServer;InterBase Server;C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe -s []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 09:49:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
.
**************************************************************************
.
Completion time: 2008-02-04 9:50:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 14:50:27
.
2007-09-27 13:05:36 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26, on 2008-02-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
X:\ImageXL\Name Grabber.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll (file missing)
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1174401550239
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\PROGRA~1\Borland\INTERB~1\Bin\ibguard.exe (file missing)
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 4635 bytes

TJ
  • 0

#4
miekiemoes
Posted 04 February 2008 - 10:55 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Please uninstall EasySpywareCleaner via software > add/remove programs.
Reboot afterwards.

After reboot,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\drivers\classpnpp.sys
C:\WINDOWS\Fonts\HeroOfFools.zip
C:\WINDOWS\Fonts\AlanisHand.zip
C:\WINDOWS\Fonts\jandles.zip
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\oqtss.ini

Folder::
C:\Program Files\EasySpywareCleaner
C:\Documents and Settings\FrontDesk\Application Data\EasySpywareCleaner.com
C:\WINDOWS\VXNlcg
C:\WINDOWS\system32\oobe3
C:\WINDOWS\system32\drivez4
C:\TEMP\tn3

RENV::
C:\Program Files\Analog Devices\Core\smax4pnp .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Borland\InterBase\Bin\ibguard .exe
C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
C:\Program Files\Dentrix\DtxQuickLaunch .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Symantec AntiVirus\VPTray .exe
C:\Program Files\X-Rite\ShadeVision\SRman .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxtray .exe

Driver::
classpnpp

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • 0

#5
TJReilly
Posted 04 February 2008 - 11:53 AM

TJReilly

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Here is Combofix + Hijack this logs:

ComboFix 08-02.03.1 - FrontDesk 2008-02-04 12:47:01.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.357 [GMT -5:00]
Running from: C:\Documents and Settings\FrontDesk\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\FrontDesk\Desktop\CFScript.txt

FILE
C:\WINDOWS\Fonts\AlanisHand.zip
C:\WINDOWS\Fonts\HeroOfFools.zip
C:\WINDOWS\Fonts\jandles.zip
C:\WINDOWS\system32\drivers\classpnpp.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\oqtss.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\FrontDesk\Application Data\EasySpywareCleaner.com
C:\temp\tn3
C:\WINDOWS\Fonts\AlanisHand.zip
C:\WINDOWS\Fonts\HeroOfFools.zip
C:\WINDOWS\Fonts\jandles.zip
C:\WINDOWS\system32\drivers\classpnpp.sys
C:\WINDOWS\system32\drivez4
C:\WINDOWS\system32\oobe3
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\VXNlcg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CLASSPNPP
-------\classpnpp


((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 09:43 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-04 09:43 . 2006-02-03 15:18 211 --a------ C:\Boot.bak
2008-01-29 12:56 . 2008-02-04 12:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-29 12:56 . 2008-01-29 12:56 <DIR> d-------- C:\Documents and Settings\FrontDesk\Application Data\SUPERAntiSpyware.com
2008-01-29 12:56 . 2008-01-29 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-15 12:04 . 2008-01-15 12:04 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-10 15:41 . 2008-01-14 12:40 <DIR> d-------- C:\Program Files\CleanUp!
2008-01-10 14:33 . 2008-01-10 14:33 <DIR> d-------- C:\Documents and Settings\FrontDesk\Application Data\Grisoft
2008-01-10 14:32 . 2008-01-10 14:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-10 14:32 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-10 11:42 . 2008-01-10 11:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-08 15:31 . 2008-02-04 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-01-08 15:29 . 2008-01-14 12:09 <DIR> d-------- C:\Program Files\STOPzilla!
2008-01-08 15:29 . 2008-01-08 15:29 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-01-08 15:29 . 2008-02-04 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-01-08 12:45 . 2008-01-08 12:45 4,286 --a------ C:\WINDOWS\system32\MobileSidewalk.ico
2008-01-08 08:31 . 2008-01-08 08:31 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2008-01-08 08:31 . 2008-01-08 08:31 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-08 08:31 . 2008-01-08 08:31 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 17:46 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-04 17:46 --------- d-----w C:\Program Files\Dentrix
2008-02-04 17:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-14 17:09 --------- d-----w C:\Program Files\Google
2008-01-09 15:03 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-08 20:35 --------- d-----w C:\Program Files\QuickTime
2007-12-12 17:28 30,208 ----a-r C:\WINDOWS\system32\drivers\SZKG.sys
2007-10-09 19:05 7,404,592 ----a-w C:\Program Files\vsoConvertXtoDVD2_setup.exe
2007-10-09 19:05 47,360 ----a-w C:\Documents and Settings\FrontDesk\Application Data\pcouffin.sys
2007-10-01 13:43 182,131,744 ----a-w C:\Program Files\Nero-7.10.1.0_eng_trial_wch.exe
2007-09-27 12:57 2,501,967 ----a-w C:\Program Files\PFCSetup1.0.160.exe
2007-08-29 14:35 2,560 ----a-w C:\Documents and Settings\FrontDesk\cdcache.dat
2007-08-29 14:34 3,584 ----a-w C:\Documents and Settings\FrontDesk\netcache.dat
2006-07-18 17:53 563,712 ----a-w C:\Documents and Settings\FrontDesk\370_gotomypc.exe
2006-06-01 16:16 6,656 ----a-w C:\Documents and Settings\FrontDesk\KWDCACHE.DAT
2007-06-20 12:22 56 --sh--r C:\WINDOWS\system32\E131B0BBDE.sys
2007-06-20 12:22 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShadeVisionManager"="C:\Program Files\X-Rite\ShadeVision\SRman.exe" [2008-01-08 08:31 1106944]
"NWEReboot"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Name Grabber.LNK - X:\ImageXL\Name Grabber.exe [2005-08-16 09:38:54 495616]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-08 09:03:02 811008]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-08-22 07:46:12 122880]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, , , , , , , , , , , , , , , , , , , , , ,

R0 szkg5;szkg;C:\WINDOWS\system32\DRIVERS\szkg.sys [2007-12-12 12:28]
S3 InterBaseGuardian;InterBase Guardian;C:\PROGRA~1\Borland\INTERB~1\Bin\ibguard.exe [2008-01-08 08:31]
S3 InterBaseServer;InterBase Server;C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe -s []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 12:50:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
.
**************************************************************************
.
Completion time: 2008-02-04 12:51:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 17:51:54
ComboFix2.txt 2008-02-04 14:50:43
.
2007-09-27 13:05:36 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54, on 2008-02-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\X-Rite\ShadeVision\SRman.exe
C:\WINDOWS\system32\ctfmon.exe
X:\ImageXL\Name Grabber.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll (file missing)
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1174401550239
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
  • 0

#6
miekiemoes
Posted 04 February 2008 - 12:11 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

I also suggest you reinstall your Norton again because some entries/files are compromised.

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

As a final check..

* Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply and also let me know how things are now.

  • 0

#7
TJReilly
Posted 04 February 2008 - 12:52 PM

TJReilly

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
YOU ROCK!!!!

Here is the scan log to prove it:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2847 (20080204)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=d403d2bd85b3714185eaea1b1977db71
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-02-04 06:47:15
# local_time=2008-02-04 01:47:15 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=207785
# found=0
# scan_time=1265

Thanks again and a donation has already been sent your way.

TJ
  • 0

#8
miekiemoes
Posted 04 February 2008 - 01:22 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Clean log here :)
And thank you very much for the donation, much appreciated.

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#9
miekiemoes
Posted 05 February 2008 - 02:37 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP