
corecache.dsk rootkit virus



#1 Mr.B wins (New Member, 1 post)

What happens is that I get pop-ups with IE when I am browsing on Firefox. I have run every spyware and adware program I can think of and finally tracked it to the corecache.dsk file. It says it has a RootKit.Agent spyware/virus. I have tried everything to remove it and it isn't working. I also have tracking cookies according to my AVG Anti-Spyware, but when I click to repair/remove them they come back.
Here are the logs I have.

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:38 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\progra~1\mozill~1\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: CPU History.lnk = C:\Documents and Settings\Mr.B\My Documents\Simple Meters\CPUHist.exe
O4 - Startup: Dual Core History.lnk = C:\Documents and Settings\Mr.B\My Documents\Simple Meters\DuoCoreHist.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: System Meter.lnk = C:\Documents and Settings\Mr.B\My Documents\MiniMeter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5299 bytes



ComboFix log

ComboFix 08-02-14.1 - Mr.B 2008-02-14 15:25:33.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1533 [GMT -6:00]
Running from: C:\Documents and Settings\Mr.B\My Documents\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sysaudioo.sys
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sysaudioo.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SYSAUDIOO
-------\sysaudioo


((((((((((((((((((((((((( Files Created from 2008-01-14 to 2008-02-14 )))))))))))))))))))))))))))))))
.

2008-02-14 15:26 . 2008-02-14 15:26 <DIR> d-------- C:\temp\tn3
2008-02-14 15:23 . 2008-02-14 15:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 21:11 . 2008-02-13 21:13 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-02-13 21:04 . 2008-02-13 21:04 <DIR> d-------- C:\Documents and Settings\Mr.B\Application Data\Grisoft
2008-02-13 21:03 . 2008-02-13 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-13 21:03 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-13 20:58 . 2008-02-13 20:58 100 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-02-13 20:52 . 2008-02-13 20:52 <DIR> d-------- C:\eb95ec6a6ae4a26fd08f82ab
2008-02-13 20:51 . 2008-02-13 20:51 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-13 20:50 . 2008-02-13 20:51 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-13 19:30 . 2008-02-13 19:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-13 19:30 . 2008-02-13 19:30 <DIR> d-------- C:\Documents and Settings\Mr.B\Application Data\PC Tools
2008-02-13 19:30 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-13 19:30 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-13 19:30 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-13 19:30 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-13 17:49 . 2008-02-13 17:49 13 --a------ C:\WINDOWS\scode8.cfg
2008-02-13 17:47 . 2004-03-09 00:00 212,240 --------- C:\WINDOWS\system32\Richtx32.ocx
2008-02-13 17:47 . 2001-04-07 12:43 65,536 --a------ C:\WINDOWS\system32\foxcbmp3.dll
2008-02-13 17:46 . 2008-02-13 17:50 <DIR> d-------- C:\Program Files\SpyBlocker Software
2008-02-13 17:46 . 2008-02-13 17:46 796,672 --a------ C:\WINDOWS\GPInstall.exe
2008-02-13 17:46 . 2001-04-26 22:12 57,399 --------- C:\WINDOWS\system32\Registry.ocx
2008-02-13 17:46 . 2002-07-08 18:09 7,878 --a------ C:\WINDOWS\Eng_UK.gpl
2008-02-13 17:44 . 2008-02-13 17:44 <DIR> d-------- C:\Program Files\Camtech
2008-02-13 17:44 . 2001-09-03 07:52 766 --a------ C:\WINDOWS\win98Logo.ico
2008-02-13 17:33 . 2008-02-13 17:39 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-12 17:09 . 2008-02-13 15:42 <DIR> d-------- C:\Program Files\WhiteCanyon
2008-02-12 17:09 . 2008-02-12 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sctemp
2008-02-12 17:09 . 2007-03-23 13:50 1,044,480 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
2008-02-12 17:04 . 2008-02-13 15:02 <DIR> d-------- C:\Program Files\Registry Clean Pro
2008-02-12 17:04 . 2000-12-08 20:59 122,880 --a------ C:\WINDOWS\UnGins.exe
2008-02-11 23:01 . 2008-02-13 15:02 <DIR> d-------- C:\Program Files\Google
2008-02-11 20:16 . 2008-02-11 20:29 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-02-11 19:58 . 2008-02-11 19:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-11 19:58 . 2008-02-11 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-11 19:50 . 2008-02-11 19:50 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-11 15:23 . 2008-02-11 15:23 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-02-11 09:40 . 2008-02-11 09:40 2,715,648 --a------ C:\WINDOWS\system32\OnlineScanner.ocx
2008-02-11 09:39 . 2008-02-11 09:39 253,952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 09:39 . 2008-02-11 09:39 237,568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-10 19:19 . 2008-02-10 19:19 <DIR> d-------- C:\Program Files\JFK Reloaded
2008-02-10 19:03 . 2008-02-10 19:08 <DIR> d-------- C:\Documents and Settings\Mr.B\Application Data\GetRightToGo
2008-02-09 00:34 . 2008-02-09 00:34 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-02-08 13:53 . 2008-02-08 13:53 110,592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 08:48 . 2008-02-05 08:48 77,824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-02-04 20:47 . 2008-02-04 20:48 <DIR> d-------- C:\Program Files\QuickTime
2008-02-03 13:57 . 2008-02-03 13:57 <DIR> d-------- C:\Program Files\Rockstar Games
2008-02-03 00:26 . 2008-02-03 00:26 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2008-02-02 18:25 . 2008-02-12 15:19 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-02-02 18:15 . 2008-02-02 18:15 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-01 17:39 . 2008-02-01 17:39 25 --a------ C:\WINDOWS\cdplayer.ini
2008-02-01 17:36 . 2008-02-01 17:36 <DIR> d-------- C:\Program Files\Real
2008-02-01 17:36 . 2008-02-01 17:39 <DIR> d-------- C:\Program Files\Common Files\Real
2008-01-30 20:02 . 2008-01-30 20:02 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-30 16:47 . 2008-01-30 16:57 <DIR> d-------- C:\Program Files\Microsoft Bootvis
2008-01-30 16:43 . 2008-01-30 16:43 <DIR> d-------- C:\Program Files\MemTurbo 4
2008-01-23 18:03 . 2008-01-23 18:03 <DIR> d-------- C:\Program Files\FastStone Image Viewer
2008-01-23 18:03 . 2008-01-23 18:03 <DIR> d-------- C:\Documents and Settings\Mr.B\Application Data\FastStone
2008-01-23 16:47 . 2008-01-23 16:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-22 20:47 . 2008-01-22 20:47 <DIR> d-------- C:\Program Files\Sonic Foundry
2008-01-22 20:47 . 2008-01-22 20:47 <DIR> d-------- C:\Program Files\Pure Motion
2008-01-22 20:46 . 2008-01-22 20:48 <DIR> d-------- C:\Program Files\DebugMode
2008-01-22 20:46 . 2008-01-22 20:46 <DIR> d-------- C:\Documents and Settings\Mr.B\.DownloadManager
2008-01-22 20:02 . 2008-02-02 18:32 <DIR> d-------- C:\Documents and Settings\Mr.B\Application Data\AVG7
2008-01-22 20:01 . 2008-01-22 20:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-20 15:29 . 2008-01-20 15:29 <DIR> d-------- C:\Documents and Settings\Mr.B\Application Data\teamspeak2
2008-01-20 15:26 . 2008-01-20 15:29 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-01-20 15:26 . 2008-01-20 15:26 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-01-20 15:02 . 2008-01-20 15:02 <DIR> d-------- C:\Program Files\Activision
2008-01-20 15:01 . 2008-01-20 15:01 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-20 12:54 . 2008-01-20 12:54 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-01-20 12:39 . 2008-01-20 12:43 <DIR> d-------- C:\Program Files\Quick Screen Capture
2008-01-20 11:52 . 2000-10-20 01:05 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-20 11:21 . 2008-01-20 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2008-01-20 11:21 . 2006-03-29 08:50 671,744 --a------ C:\WINDOWS\system32\DolbyHph.dll
2008-01-20 11:21 . 2006-03-29 08:51 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-20 11:21 . 2006-03-29 08:51 60,416 --a------ C:\WINDOWS\system32\DSETUP.dll
2008-01-20 11:21 . 2006-03-29 08:49 9,856 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-01-20 11:21 . 2006-05-05 19:21 4,608 --a------ C:\WINDOWS\system32\drivers\nvport.sys
2008-01-20 11:07 . 2008-01-20 11:07 0 --a------ C:\WINDOWS\iplayer.INI
2008-01-20 11:06 . 2008-01-20 11:06 <DIR> d-------- C:\Program Files\InterActual
2008-01-19 15:53 . 2008-01-19 15:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-01-18 18:34 . 2008-01-18 18:36 <DIR> d-------- C:\divx
2008-01-18 17:57 . 2008-01-18 17:57 <DIR> d-------- C:\Program Files\LimeWire
2008-01-18 17:57 . 2008-01-18 17:57 <DIR> d-------- C:\Documents and Settings\Mr.B\Incomplete
2008-01-18 17:57 . 2008-02-12 20:48 <DIR> d-------- C:\Documents and Settings\Mr.B\Application Data\LimeWire
2008-01-18 16:13 . 2008-01-18 16:13 <DIR> d-------- C:\Program Files\Fraps
2008-01-18 15:51 . 2008-01-18 15:51 <DIR> d-------- C:\Documents and Settings\Mr.B\Application Data\Pegasys Inc
2008-01-18 15:37 . 2005-08-27 13:38 1,435,272 --a------ C:\WINDOWS\system32\Flash8.ocx
2008-01-18 15:37 . 1996-11-08 02:48 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-01-18 15:37 . 2002-04-23 20:38 204,848 --a------ C:\WINDOWS\system32\gswin32c.exe
2008-01-18 15:37 . 2006-08-22 18:18 196,608 --a------ C:\WINDOWS\system32\Utility.dll
2008-01-18 15:37 . 2004-03-09 00:00 132,880 --------- C:\WINDOWS\system32\msinet.ocx
2008-01-18 15:37 . 2004-03-09 00:00 124,688 --------- C:\WINDOWS\system32\mswinsck.ocx
2008-01-18 15:37 . 2006-05-22 10:32 32,768 --a------ C:\WINDOWS\system32\Flash8.oca
2008-01-18 15:30 . 2008-01-18 15:30 32 --a------ C:\WINDOWS\tdlp32.ini
2008-01-18 15:28 . 2008-01-18 15:28 <DIR> d-------- C:\Program Files\Xara
2008-01-18 15:28 . 2008-01-18 15:28 <DIR> d-------- C:\Program Files\Common Files\Xara
2008-01-18 14:31 . 2008-01-18 14:31 <DIR> d-------- C:\Documents and Settings\Mr.B\Application Data\DivX
2008-01-18 14:28 . 2008-01-18 15:14 <DIR> d-------- C:\Program Files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 03:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-14 01:54 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-14 01:27 --------- d-----w C:\Documents and Settings\Mr.B\Application Data\uTorrent
2008-02-13 21:13 --------- d-----w C:\Documents and Settings\Mr.B\Application Data\.purple
2008-02-12 23:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-12 22:43 --------- d-----w C:\Program Files\Stardock
2008-02-12 22:43 --------- d-----w C:\Program Files\Common Files\Stardock
2008-02-12 01:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 01:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-10 07:38 --------- d-----w C:\Program Files\Steam
2008-02-03 06:22 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2008-01-20 21:17 22,328 ----a-w C:\Documents and Settings\Mr.B\Application Data\PnkBstrK.sys
2008-01-20 17:21 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-01-17 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-14 22:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-14 21:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-14 04:43 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-01-14 04:42 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
2008-01-14 03:44 --------- d-----w C:\Program Files\Wallpaper Changer
2008-01-13 19:04 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-13 19:03 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-01-13 19:03 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-01-13 18:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-01-13 18:56 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-13 18:56 --------- d-----w C:\Program Files\MSBuild
2008-01-13 18:56 --------- d-----w C:\Program Files\Microsoft SDKs
2008-01-13 18:55 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-13 17:51 --------- d-----w C:\Program Files\MSDN
2008-01-13 17:43 --------- d-----w C:\Program Files\Undisker
2008-01-13 17:35 --------- d-----w C:\Documents and Settings\Mr.B\Application Data\ImgBurn
2008-01-13 17:09 --------- d-----w C:\Program Files\ImgBurn
2008-01-12 23:30 --------- d-----w C:\Program Files\Electronic Arts
2008-01-12 23:29 --------- d-----w C:\Program Files\NFS
2008-01-12 21:29 --------- d-----w C:\Documents and Settings\Mr.B\Application Data\Codemasters
2008-01-12 20:59 --------- d-----w C:\Program Files\uTorrent
2008-01-12 20:49 --------- d-----w C:\Program Files\AGEIA Technologies
2008-01-12 20:49 --------- d-----w C:\Documents and Settings\Mr.B\Application Data\InstallShield
2008-01-12 20:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-12 20:48 --------- d-----w C:\Program Files\Codemasters
2008-01-12 20:42 --------- d-----w C:\Program Files\id Software
2008-01-12 20:22 --------- d--h--r C:\Documents and Settings\Mr.B\Application Data\SecuROM
2008-01-12 20:21 --------- d-----w C:\Program Files\Sierra Entertainment
2008-01-12 19:45 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-01-12 19:45 --------- d-----w C:\Program Files\Java
2008-01-12 19:45 --------- d-----w C:\Documents and Settings\Mr.B\Application Data\SystemRequirementsLab
2008-01-12 19:44 --------- d-----w C:\Program Files\Common Files\Java
2008-01-12 18:24 --------- d-----w C:\Program Files\WinCustomize
2008-01-12 17:27 --------- d-----w C:\Program Files\Pidgin
2008-01-12 17:27 --------- d-----w C:\Program Files\Common Files\GTK
2008-01-12 17:16 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-01-12 17:16 --------- d-----w C:\Program Files\Realtek
2008-01-12 17:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-06 19:30 8523776]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]

C:\Documents and Settings\Mr.B\Start Menu\Programs\Startup\
CPU History.lnk - C:\Documents and Settings\Mr.B\My Documents\Simple Meters\CPUHist.exe [2008-02-07 16:21:29 77824]
Dual Core History.lnk - C:\Documents and Settings\Mr.B\My Documents\Simple Meters\DuoCoreHist.exe [2008-02-07 16:21:29 80896]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-01-20 11:55:45 3446512]
System Meter.lnk - C:\Documents and Settings\Mr.B\My Documents\MiniMeter.exe [2008-02-08 21:05:06 86528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
"RunLogonScriptSync"= 0 (0x0)
"RunStartupScriptSync"= 0 (0x0)
"HideStartupScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"HideLogoffScripts"= 0 (0x0)
"HideLegacyLogonScripts"= 0 (0x0)
"DisableRegistryTools"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"HideLogoffScripts"= 0 (0x0)
"HideLegacyLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuMorePrograms"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"LockTaskbar"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuMorePrograms"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"LockTaskbar"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 15:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mr.B^Start Menu^Programs^Startup^AbsoluteShield Track Eraser.lnk]
backup=C:\WINDOWS\pss\AbsoluteShield Track Eraser.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mr.B^Start Menu^Programs^Startup^MemTurbo.lnk]
backup=C:\WINDOWS\pss\MemTurbo.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2007-06-13 14:18 4177920 C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-12 12:47 1266936 C:\Program Files\Steam\Steam.exe

R3 WinMTBus;WinMount Bus;C:\WINDOWS\system32\DRIVERS\WinMTBus.sys [2007-04-11 12:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{065dbe49-c14f-11dc-b887-00044b071a6b}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d2b083d-c3af-11dc-b896-00044b071a6b}]
\Shell\AutoRun\command - E:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 23:39:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-14 21:07:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-14 21:28:19 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job"
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 15:28:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
.
**************************************************************************
.
Completion time: 2008-02-14 15:30:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-14 21:30:02
.
2008-02-14 21:08:34 --- E O F ---
