core.cache.dsk keeps coming back [CLOSED]



#1
GameQber

Hi, and thanks for helping!

I'm usually pretty good with removing spyware of most kinds. This one, however, has me stumped. I did a lot of cleaning on this computer already with Spybot Search & Destroy, AVG, Avast, ComboFix, SDFix, SmitfraudFix and ATFCleaner.

I'm still getting random, yet blank pop-ups as soon as I start using IE (before they used to be advertisements).

Every time I do a scan with SDFix or a couple other tools I've used, they always report core.cache.dsk coming back. The full path is:

C:\WINDOWS\system32\drivers\core.cache.dsk


Other than this problem of blank pop-ups, everything else on the computer seems fine.

Here's the HJT log:

************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:36, on 2008-02-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thegardnernews.local
O17 - HKLM\Software\..\Telephony: DomainName = thegardnernews.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEEB40E3-96BD-44D4-8B5E-FCD2E685ECAD}: NameServer = 10.0.80.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thegardnernews.local
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6016 bytes

*********************


Thanks again!


#2
Rorschach112

Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#3
GameQber

While I'm at it, here is a ComboFix log:

********************

ComboFix 08-02.03.1 - abell 2008-02-04 14:49:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.644 [GMT -5:00]
Running from: C:\tools\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 14:52 . 2008-02-04 14:52 <DIR> d-------- C:\Temp\tn3
2008-02-04 14:23 . 2008-02-04 14:23 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-02-04 13:57 . 2008-02-04 13:57 167,029 --a------ C:\catchme.zip
2008-02-04 13:51 . 2008-02-04 13:51 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-04 13:51 . 2008-02-04 14:49 <DIR> d-------- C:\SDFix
2008-02-04 13:51 . 2005-03-02 13:09 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-02-04 13:39 . 2008-02-04 13:39 <DIR> d-------- C:\Program Files\CCleaner
2008-02-04 12:27 . 2008-02-04 12:27 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-04 12:04 . 2008-02-04 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-04 12:04 . 2008-02-04 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-04 12:04 . 2008-02-04 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-04 12:04 . 2008-02-04 12:06 <DIR> d-------- \\server01\users$\abell\Application Data\AVG7
2008-02-04 12:04 . 2008-02-04 12:06 <DIR> d-------- \\server01\users$\abell\APPLIC~1\AVG7
2008-02-04 11:21 . 2008-02-04 11:21 <DIR> d-------- C:\VundoFix Backups
2008-02-04 11:19 . 2008-02-04 12:20 3,496 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-04 11:18 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-04 11:18 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-04 11:18 . 2008-02-04 12:47 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-04 11:18 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-04 11:18 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-04 11:18 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-04 11:18 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-04 11:05 . 2008-02-04 11:18 <DIR> d-------- C:\tools
2008-02-04 10:28 . 2008-02-04 10:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-04 10:28 . 2008-02-04 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 10:23 . 2008-02-04 10:23 <DIR> d-------- \\server01\users$\abell\Application Data\U3
2008-02-04 10:23 . 2008-02-04 10:23 <DIR> d-------- \\server01\users$\abell\APPLIC~1\U3
2008-02-03 16:31 . 2008-02-03 16:31 2,989 --a------ C:\WINDOWS\system32\dxjlpduo.dll
2008-02-03 16:20 . 2008-02-03 16:20 2,993 --a------ C:\WINDOWS\system32\equhrpes.dll
2008-02-03 16:16 . 2008-02-03 16:16 2,989 --a------ C:\WINDOWS\system32\kwfqcras.dll
2008-02-03 14:55 . 2008-02-03 14:55 2,712 --a------ C:\WINDOWS\system32\vstgfsrb.dll
2008-02-02 14:49 . 2008-02-02 14:49 <DIR> d-------- \\server01\users$\abell\Application Data\??stem32
2008-02-02 14:49 . 2008-02-02 14:49 <DIR> d-------- \\server01\users$\abell\APPLIC~1\??stem32
2008-02-02 14:48 . 2008-02-02 14:48 <DIR> d-------- C:\WINDOWS\system32\tip4
2008-02-02 14:48 . 2008-02-02 15:31 <DIR> d-------- C:\WINDOWS\system32\rom1
2008-02-02 14:48 . 2008-02-02 14:48 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-02-02 14:48 . 2008-02-04 13:07 <DIR> d-------- C:\WINDOWS\system32\lis6
2008-02-02 14:48 . 2008-02-02 14:48 <DIR> d-------- C:\WINDOWS\system32\kps5
2008-02-02 14:48 . 2008-02-02 14:48 <DIR> d-------- C:\Temp\gTiis19
2008-02-02 14:48 . 2008-02-02 14:48 <DIR> d-------- C:\Temp\cXzz9
2008-02-02 14:48 . 2008-02-04 14:52 <DIR> d-------- C:\Temp
2008-02-02 14:48 . 2008-02-02 14:48 86,016 --a------ C:\WINDOWS\system32\drivers\ultraa.sys
2008-01-28 12:24 . 2008-01-29 10:55 <DIR> d-------- C:\Program Files\Google
2008-01-28 12:23 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
d-----w 0 2008-02-04 17:06:05 \\server01\users$\abell\Application Data\AVG7
d-----w 0 2008-02-04 17:06:05 \\server01\users$\abell\APPLIC~1\AVG7
d-----w 0 2008-02-04 15:23:51 \\server01\users$\abell\Application Data\U3
d-----w 0 2008-02-04 15:23:51 \\server01\users$\abell\APPLIC~1\U3
d-----w 0 2008-02-02 19:49:13 \\server01\users$\abell\Application Data\??stem32
d-----w 0 2008-02-02 19:49:13 \\server01\users$\abell\APPLIC~1\??stem32
d-----w 0 2008-02-02 16:28:16 \\server01\users$\abell\Application Data\Google
d-----w 0 2008-02-02 16:28:16 \\server01\users$\abell\APPLIC~1\Google
d-----w 0 2008-01-25 14:12:13 \\server01\users$\abell\Application Data\AdobeUM
d-----w 0 2008-01-25 14:12:13 \\server01\users$\abell\APPLIC~1\AdobeUM
d-----w 0 2008-01-14 21:21:43 \\server01\users$\abell\Application Data\Move Networks
d-----w 0 2008-01-14 21:21:43 \\server01\users$\abell\APPLIC~1\Move Networks
2008-02-04 19:27 --------- d-----w C:\Program Files\Trend Micro
2008-01-28 17:23 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-28 12:28 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 21:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"PivotSoftware"="C:\Program Files\WinPortrait\wpctrl.exe" [2004-10-04 14:59 694008]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"OPSE reminder"="C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 09:29 729088]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 05:00 143360]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-04 12:04 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-04 12:04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
C:\Program Files\Insider\Insider.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]


R1 pivot;pivot;C:\WINDOWS\system32\drivers\pivot.sys [2004-10-04 14:59]
R1 ultraa;ultraa;C:\WINDOWS\system32\drivers\ultraa.sys [2008-02-02 14:48]
R2 PDIHWCTL;PDIHWCTL;C:\WINDOWS\system32\drivers\PDIHWCTL.sys [2003-01-29 14:08]
R3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\system32\drivers\pivotmou.sys [2004-10-04 14:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 14:52:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\WinPortrait\floater.exe
.
**************************************************************************
.
Completion time: 2008-02-04 14:53:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 19:53:19
ComboFix2.txt 2008-02-04 17:19:45
ComboFix3.txt 2008-02-04 16:17:35


*************

#4
GameQber

Haha, you snuck that response in just before I posted my ComboFix log!

The HiJackThis log is from a scan AFTER the last ComboFix (seen in my first reply). So, the combofix I just posted was done just prior to the HJT log in the first post.

I hope that makes sense.

#5
Rorschach112

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\system32\drivers\ultraa.sys
C:\WINDOWS\mrofinu572.exe
F:\LaunchU3.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\dxjlpduo.dll
C:\WINDOWS\system32\equhrpes.dll
C:\WINDOWS\system32\kwfqcras.dll
C:\WINDOWS\system32\vstgfsrb.dll

Folder::
C:\Temp\tn3
\\server01\users$\abell\Application Data\??stem32
\\server01\users$\abell\APPLIC~1\??stem32
C:\WINDOWS\system32\tip4
C:\WINDOWS\system32\rom1
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\lis6
C:\WINDOWS\system32\kps5
C:\Temp\gTiis19
C:\Temp\cXzz9
\\server01\users$\abell\Application Data\??stem32
\\server01\users$\abell\APPLIC~1\??stem32
C:\Program Files\Insider

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

Driver::
ultraa


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


#6
GameQber

I can safely say that core.cache.dsk did not return! The blank pop-ups have also stopped. :0)

Here's the ComboFix log:

********************

ComboFix 08-02.03.1 - abell 2008-02-04 15:24:52.4 - NTFSx86

Running from: C:\tools\ComboFix.exe
Command switches used :: C:\tools\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\ultraa.sys
C:\WINDOWS\system32\dxjlpduo.dll
C:\WINDOWS\system32\equhrpes.dll
C:\WINDOWS\system32\kwfqcras.dll
C:\WINDOWS\system32\vstgfsrb.dll
F:\LaunchU3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\ultraa.sys
C:\Temp\cXzz9
C:\Temp\gTiis19
C:\Temp\gTiis19\lTig.log
C:\temp\tn3
C:\WINDOWS\system32\drivers\ultraa.sys
C:\WINDOWS\system32\dxjlpduo.dll
C:\WINDOWS\system32\equhrpes.dll
C:\WINDOWS\system32\kps5
C:\WINDOWS\system32\kps5\covstadcom7.exe
C:\WINDOWS\system32\kwfqcras.dll
C:\WINDOWS\system32\lis6
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\rom1
C:\WINDOWS\system32\tip4
C:\WINDOWS\system32\tip4\woetidndll3.exe
C:\WINDOWS\system32\vstgfsrb.dll
F:\LaunchU3.exe . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ULTRAA
-------\ultraa


((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-04 15:25 . 2008-02-04 15:25 241,602 --a------ C:\catchme.zip
2008-02-04 13:51 . 2008-02-04 13:51 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-04 13:51 . 2008-02-04 14:49 <DIR> d-------- C:\SDFix
2008-02-04 13:51 . 2005-03-02 13:09 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-02-04 13:39 . 2008-02-04 13:39 <DIR> d-------- C:\Program Files\CCleaner
2008-02-04 12:27 . 2008-02-04 12:27 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-04 12:04 . 2008-02-04 12:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-04 12:04 . 2008-02-04 12:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-04 12:04 . 2008-02-04 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-02-04 12:04 . 2008-02-04 12:06 <DIR> d-------- \\server01\users$\abell\Application Data\AVG7
2008-02-04 12:04 . 2008-02-04 12:06 <DIR> d-------- \\server01\users$\abell\APPLIC~1\AVG7
2008-02-04 11:21 . 2008-02-04 11:21 <DIR> d-------- C:\VundoFix Backups
2008-02-04 11:19 . 2008-02-04 12:20 3,496 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-04 11:18 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-04 11:18 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-04 11:18 . 2008-02-04 12:47 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-04 11:18 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-04 11:18 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-04 11:18 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-04 11:18 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-04 11:05 . 2008-02-04 15:24 <DIR> d-------- C:\tools
2008-02-04 10:28 . 2008-02-04 10:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-04 10:28 . 2008-02-04 11:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 10:23 . 2008-02-04 10:23 <DIR> d-------- \\server01\users$\abell\Application Data\U3
2008-02-04 10:23 . 2008-02-04 10:23 <DIR> d-------- \\server01\users$\abell\APPLIC~1\U3
2008-02-02 14:49 . 2008-02-02 14:49 <DIR> d-------- \\server01\users$\abell\Application Data\??stem32
2008-02-02 14:49 . 2008-02-02 14:49 <DIR> d-------- \\server01\users$\abell\APPLIC~1\??stem32
2008-02-02 14:48 . 2008-02-04 15:25 <DIR> d-------- C:\Temp
2008-01-28 12:24 . 2008-01-29 10:55 <DIR> d-------- C:\Program Files\Google
2008-01-28 12:23 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
d-----w 0 2008-02-04 17:06:05 \\server01\users$\abell\Application Data\AVG7
d-----w 0 2008-02-04 17:06:05 \\server01\users$\abell\APPLIC~1\AVG7
d-----w 0 2008-02-04 15:23:51 \\server01\users$\abell\Application Data\U3
d-----w 0 2008-02-04 15:23:51 \\server01\users$\abell\APPLIC~1\U3
d-----w 0 2008-02-02 19:49:13 \\server01\users$\abell\Application Data\??stem32
d-----w 0 2008-02-02 19:49:13 \\server01\users$\abell\APPLIC~1\??stem32
d-----w 0 2008-02-02 16:28:16 \\server01\users$\abell\Application Data\Google
d-----w 0 2008-02-02 16:28:16 \\server01\users$\abell\APPLIC~1\Google
d-----w 0 2008-01-25 14:12:13 \\server01\users$\abell\Application Data\AdobeUM
d-----w 0 2008-01-25 14:12:13 \\server01\users$\abell\APPLIC~1\AdobeUM
d-----w 0 2008-01-14 21:21:43 \\server01\users$\abell\Application Data\Move Networks
d-----w 0 2008-01-14 21:21:43 \\server01\users$\abell\APPLIC~1\Move Networks
2008-02-04 19:27 --------- d-----w C:\Program Files\Trend Micro
2008-01-28 17:23 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17 50736]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-28 12:28 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-31 21:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"PivotSoftware"="C:\Program Files\WinPortrait\wpctrl.exe" [2004-10-04 14:59 694008]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"OPSE reminder"="C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 09:29 729088]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 05:00 143360]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-04 12:04 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-04 12:04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunLogonScriptSync"= 1 (0x1)
"LogonType"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)

R1 pivot;pivot;C:\WINDOWS\system32\drivers\pivot.sys [2004-10-04 14:59]
R2 PDIHWCTL;PDIHWCTL;C:\WINDOWS\system32\drivers\PDIHWCTL.sys [2003-01-29 14:08]
R3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\system32\drivers\pivotmou.sys [2004-10-04 14:59]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 15:27:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-02-04 15:28:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 20:28:35
ComboFix2.txt 2008-02-04 19:53:22
ComboFix3.txt 2008-02-04 17:19:45
ComboFix4.txt 2008-02-04 16:17:35


***************


Thanks a lot for your help. I really appreciate it!

#7
Rorschach112

Looking good

You need to delete this folder in bold, where the question marks are some random characters.


\\server01\users$\abell\Application Data\??stem32



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.



Also post a new HijackThis log

#8
GameQber

  • Topic Starter
I can't recall word-for-word, but once the scan finished, a box popped up saying that no infections were found.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:03, on 2008-02-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202157489203
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thegardnernews.local
O17 - HKLM\Software\..\Telephony: DomainName = thegardnernews.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEEB40E3-96BD-44D4-8B5E-FCD2E685ECAD}: NameServer = 10.0.80.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thegardnernews.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 7392 bytes


*********

Thanks again!

#9
Rorschach112

  • Retired Staff
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.



Also tell me how your PC is running

#10
Rorschach112

  • Retired Staff
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.