*Sigh* core.cache.dsk removal

diamondclub · 01-30-2008, 04:17 PM

I know, i know, i know. Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 10:06:09 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\stealthp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\s wg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VER SIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [StealthPlug Control Panel] "C:\WINDOWS\system32\stealthp.exe" -min
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Punk · 01-30-2008, 04:32 PM

hello,

We've had a few core.cache.dsk infections here and got rid of it

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Download this file from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
Then double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

diamondclub · 01-30-2008, 06:14 PM

Here is my combofix report.

ComboFix 08-01-30.6 - J2 2008-01-30 12:02:22.2 - NTFSx86
Running from: C:\Documents and Settings\J2\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://gpdl.google.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 10:48 . 2008-01-30 10:52 <DIR> d-------- C:\MGtools
2008-01-30 10:48 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-01-30 10:39 . 2008-01-30 10:40 1,238,674 --a------ C:\MGtools.exe
2008-01-30 10:31 . 2008-01-30 10:31 100 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-01-30 10:23 . 2008-01-30 10:30 <DIR> d-------- C:\ComboFix[1]
2008-01-30 10:00 . 2008-01-30 10:00 <DIR> d-------- C:\Program Files\CCleaner
2008-01-30 09:56 . 2008-01-30 09:56 <DIR> d-------- C:\WINDOWS\Google Toolbar
2008-01-30 09:55 . 2008-01-30 09:55 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-01-30 09:39 . 2008-01-30 10:30 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-30 08:22 . 2008-01-30 09:30 354,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 08:22 . 2008-01-30 09:30 10,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-30 08:22 . 2008-01-30 09:30 5,828 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-30 08:22 . 2008-01-30 09:30 2,036 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-30 08:19 . 2008-01-30 08:19 <DIR> d-------- C:\KAV
2008-01-30 03:06 . 2008-01-30 03:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-30 03:02 . 2008-01-30 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-30 03:01 . 2008-01-30 03:07 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-30 03:01 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-30 03:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-29 23:42 . 2008-01-29 23:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-29 23:42 . 2008-01-29 23:42 <DIR> d-------- C:\Documents and Settings\J2\Application Data\PC Tools
2008-01-29 23:42 . 2008-01-30 12:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-29 23:42 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-29 23:42 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-29 23:42 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-29 23:42 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-29 23:01 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Cool YouTube Downloader
2008-01-29 22:00 . 2008-01-29 22:00 <DIR> d---s---- C:\Documents and Settings\J2\UserData
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-29 17:40 . 2008-01-29 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-01-29 17:39 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-01-29 17:39 . 2008-01-29 17:40 537 --ah----- C:\IPH.PH
2008-01-29 13:56 . 2008-01-29 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-01-29 12:55 . 2008-01-29 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-01-29 11:05 . 2008-01-29 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iTunes
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iPod
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Apple Computer
2008-01-29 10:27 . 2008-01-30 09:54 <DIR> d-------- C:\Program Files\Google
2008-01-29 10:27 . 2008-01-30 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-29 10:27 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-29 10:26 . 2008-01-29 10:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-29 10:12 . 2008-01-30 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 09:49 . 2007-02-28 04:55 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-29 09:49 . 2007-02-28 04:53 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-29 09:49 . 2007-02-28 04:15 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-29 09:34 . 2008-01-29 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-29 09:31 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Conduit
2008-01-29 09:28 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\MSBuild
2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-29 09:23 . 2008-01-29 09:27 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-29 09:21 . 2008-01-30 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-29 09:20 . 2008-01-29 09:20 <DIR> dr-h----- C:\MSOCache
2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-29 00:54 . 2008-01-29 00:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\VstPlugIns
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\DigiDesign
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Documents and Settings\J2\Application Data\InstallShield
2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\system32\w3data.vss
2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\msocreg32.dat
2008-01-29 00:15 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\IK Multimedia
2008-01-29 00:15 . 2006-10-06 10:51 499,712 --a------ C:\WINDOWS\system32\stealthp.exe
2008-01-29 00:15 . 2006-10-06 10:51 77,824 --------- C:\WINDOWS\system32\IKStealthPlugASIO.dll
2008-01-29 00:15 . 2006-10-06 10:51 60,416 --a------ C:\WINDOWS\system32\drivers\IKStealthPlugLL.sys
2008-01-29 00:15 . 2006-10-06 10:51 49,152 --------- C:\WINDOWS\system32\IKStealthPlugAPI.dll
2008-01-29 00:15 . 2006-10-06 10:51 40,960 --a------ C:\WINDOWS\system32\IKClsCoInst.dll
2008-01-28 23:52 . 2008-01-30 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-28 23:36 . 2008-01-28 23:36 86,144 --a------ C:\WINDOWS\system32\drivers\mouclasss.sys
2008-01-28 23:32 . 2008-01-28 23:51 <DIR> d-------- C:\Program Files\PowerISO
2008-01-28 23:23 . 2008-01-29 23:49 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Azureus
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\WINDOWS\Sun
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Java
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-28 23:22 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-28 23:07 . 2008-01-30 08:58 <DIR> d-------- C:\Program Files\QuickTime
2008-01-28 23:04 . 2008-01-28 23:04 <DIR> d-------- C:\Program Files\Azureus
2008-01-28 22:57 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-28 22:57 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-28 22:49 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Bonjour
2008-01-28 22:44 . 2008-01-28 22:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-28 22:34 . 2008-01-29 12:52 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-28 22:24 . 2004-11-17 13:27 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.dll
2008-01-28 22:24 . 2004-11-17 13:27 13 --a------ C:\WINDOWS\system32\drivers\verfile.tic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-29 05:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-29 05:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-29 01:47 --------- d-----w C:\Program Files\Broadcom
2008-01-29 01:39 --------- d-----w C:\Program Files\CONEXANT
2008-01-29 01:37 --------- d-----w C:\Program Files\Intel
2008-01-29 01:35 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-29 01:21 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-29 01:17 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2008-01-29 10:27 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBE V~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05 200704]
"StealthPlug Control Panel"="C:\WINDOWS\system32\stealthp.exe" [2006-10-06 10:51 499712]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53 29744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-29 10:27:27 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~ 1.DLL

R1 mouclasss;mouclasss;C:\WINDOWS\system32\drivers\mo uclasss.sys [2008-01-28 23:36]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53]
S3 IKStealthPlug;IK Multimedia StealthPlug Low-Level Driver;C:\WINDOWS\system32\Drivers\IKStealthPlugLL .sys [2006-10-06 10:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 15:27:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 12:12:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\stealthp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
.
************************************************** ************************
.
Completion time: 2008-01-30 12:15:41 - machine was rebooted [J2]
ComboFix-quarantined-files.txt 2008-01-30 17:15:37
.
2008-01-30 08:08:01 --- E O F ---

Punk · 01-30-2008, 07:08 PM

COMBOFIX-Script

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
```
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
```
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

diamondclub · 01-30-2008, 08:11 PM

ComboFix 08-01-30.6 - J2 2008-01-30 14:00:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.233 [GMT -5:00]
Running from: C:\Documents and Settings\J2\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\J2\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 10:48 . 2008-01-30 10:52 <DIR> d-------- C:\MGtools
2008-01-30 10:48 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-01-30 10:39 . 2008-01-30 10:40 1,238,674 --a------ C:\MGtools.exe
2008-01-30 10:31 . 2008-01-30 10:31 100 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-01-30 10:23 . 2008-01-30 10:30 <DIR> d-------- C:\ComboFix[1]
2008-01-30 10:00 . 2008-01-30 10:00 <DIR> d-------- C:\Program Files\CCleaner
2008-01-30 09:56 . 2008-01-30 09:56 <DIR> d-------- C:\WINDOWS\Google Toolbar
2008-01-30 09:55 . 2008-01-30 09:55 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-01-30 09:39 . 2008-01-30 10:30 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-30 08:22 . 2008-01-30 09:30 354,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 08:22 . 2008-01-30 09:30 10,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-30 08:22 . 2008-01-30 09:30 5,828 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-30 08:22 . 2008-01-30 09:30 2,036 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-30 08:19 . 2008-01-30 08:19 <DIR> d-------- C:\KAV
2008-01-30 03:06 . 2008-01-30 03:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-30 03:02 . 2008-01-30 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-30 03:01 . 2008-01-30 03:07 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-30 03:01 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-30 03:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-29 23:42 . 2008-01-29 23:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-29 23:42 . 2008-01-29 23:42 <DIR> d-------- C:\Documents and Settings\J2\Application Data\PC Tools
2008-01-29 23:42 . 2008-01-30 12:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-29 23:42 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-29 23:42 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-29 23:42 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-29 23:42 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-29 23:01 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Cool YouTube Downloader
2008-01-29 22:00 . 2008-01-29 22:00 <DIR> d---s---- C:\Documents and Settings\J2\UserData
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-29 17:40 . 2008-01-29 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-01-29 17:39 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-01-29 17:39 . 2008-01-29 17:40 537 --ah----- C:\IPH.PH
2008-01-29 13:56 . 2008-01-29 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-01-29 12:55 . 2008-01-29 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-01-29 11:05 . 2008-01-29 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iTunes
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iPod
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Apple Computer
2008-01-29 10:27 . 2008-01-30 09:54 <DIR> d-------- C:\Program Files\Google
2008-01-29 10:27 . 2008-01-30 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-29 10:27 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-29 10:26 . 2008-01-29 10:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-29 10:12 . 2008-01-30 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 09:49 . 2007-02-28 04:55 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-29 09:49 . 2007-02-28 04:53 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-29 09:49 . 2007-02-28 04:15 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-29 09:34 . 2008-01-29 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-29 09:31 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Conduit
2008-01-29 09:28 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\MSBuild
2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-29 09:23 . 2008-01-29 09:27 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-29 09:21 . 2008-01-30 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-29 09:20 . 2008-01-29 09:20 <DIR> dr-h----- C:\MSOCache
2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-29 00:54 . 2008-01-29 00:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\VstPlugIns
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\DigiDesign
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Documents and Settings\J2\Application Data\InstallShield
2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\system32\w3data.vss
2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\msocreg32.dat
2008-01-29 00:15 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\IK Multimedia
2008-01-29 00:15 . 2006-10-06 10:51 499,712 --a------ C:\WINDOWS\system32\stealthp.exe
2008-01-29 00:15 . 2006-10-06 10:51 77,824 --------- C:\WINDOWS\system32\IKStealthPlugASIO.dll
2008-01-29 00:15 . 2006-10-06 10:51 60,416 --a------ C:\WINDOWS\system32\drivers\IKStealthPlugLL.sys
2008-01-29 00:15 . 2006-10-06 10:51 49,152 --------- C:\WINDOWS\system32\IKStealthPlugAPI.dll
2008-01-29 00:15 . 2006-10-06 10:51 40,960 --a------ C:\WINDOWS\system32\IKClsCoInst.dll
2008-01-28 23:52 . 2008-01-30 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-28 23:36 . 2008-01-28 23:36 86,144 --a------ C:\WINDOWS\system32\drivers\mouclasss.sys
2008-01-28 23:32 . 2008-01-28 23:51 <DIR> d-------- C:\Program Files\PowerISO
2008-01-28 23:23 . 2008-01-29 23:49 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Azureus
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\WINDOWS\Sun
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Java
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-28 23:22 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-28 23:07 . 2008-01-30 08:58 <DIR> d-------- C:\Program Files\QuickTime
2008-01-28 23:04 . 2008-01-28 23:04 <DIR> d-------- C:\Program Files\Azureus
2008-01-28 22:57 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-28 22:57 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-28 22:49 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Bonjour
2008-01-28 22:44 . 2008-01-28 22:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-28 22:34 . 2008-01-29 12:52 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-28 22:24 . 2004-11-17 13:27 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.dll
2008-01-28 22:24 . 2004-11-17 13:27 13 --a------ C:\WINDOWS\system32\drivers\verfile.tic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-29 05:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-29 05:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-29 01:47 --------- d-----w C:\Program Files\Broadcom
2008-01-29 01:39 --------- d-----w C:\Program Files\CONEXANT
2008-01-29 01:37 --------- d-----w C:\Program Files\Intel
2008-01-29 01:35 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-29 01:21 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-29 01:17 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2008-01-29 10:27 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBE V~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05 200704]
"StealthPlug Control Panel"="C:\WINDOWS\system32\stealthp.exe" [2006-10-06 10:51 499712]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53 29744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-29 10:27:27 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~ 1.DLL

R1 mouclasss;mouclasss;C:\WINDOWS\system32\drivers\mo uclasss.sys [2008-01-28 23:36]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53]
S3 IKStealthPlug;IK Multimedia StealthPlug Low-Level Driver;C:\WINDOWS\system32\Drivers\IKStealthPlugLL .sys [2006-10-06 10:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 15:27:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 14:05:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\stealthp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
.
************************************************** ************************
.
Completion time: 2008-01-30 14:08:50 - machine was rebooted [J2]
ComboFix-quarantined-files.txt 2008-01-30 19:08:47
ComboFix2.txt 2008-01-30 17:15:41
.
2008-01-30 08:08:01 --- E O F ---

Punk · 01-30-2008, 08:52 PM

Hmm didn't work.
Let's try this:

Download Avenger, and unzip it to your desktop or somewhere you can find it.Â (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

Open a Notepad file by clicking Start > RunÂ and typing Notepad.exe in the box, click OK.
Click Format, and ensure Word Wrap is unchecked.
Copy and Paste the text in the box below into Notepad.
Now save the file as RemoveFiles.txt in a location where you can find it.

Quote:

Drivers to unload:
mouclasss

Files to delete:
C:\WINDOWS\system32\drivers\mouclasss.sys
C:\WINDOWS\system32\drivers\core.cache.dsk

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.

Check Load script from file:
Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
Double click it to enter it into Avenger.
Click the green traffic light symbol.
You will be asked if you want to execute the script, answer Yes.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer Yes, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created C:\avenger.txt.
Copy and Paste it into your next post please.

01-30-2008, 04:17 PM	#1 (permalink)
diamondclub New Member Join Date: Jan 2008 Posts: 3	Sigh core.cache.dsk removal I know, i know, i know. Here is my HJT log. Logfile of HijackThis v1.99.1 Scan saved at 10:06:09 AM, on 1/30/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\WINDOWS\system32\stealthp.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\s wg.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VER SIO~2.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [StealthPlug Control Panel] "C:\WINDOWS\system32\stealthp.exe" -min O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

01-30-2008, 04:32 PM	#2 (permalink)
Punk Diamond Member Join Date: Jan 2007 Location: France Age: 18 Posts: 5,012	hello, We've had a few core.cache.dsk infections here and got rid of it Download and Run ComboFix If you already have Combofix, please delete this copy and download it again as it's being updated regularly. Download this file from one of the three below listed places : http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe Then double click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Combofix should never take more that 20 minutes including the reboot if malware is detected. If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue. If that happened we want to know, and also what process you had to end. __________________ Punk's anti-hackers website Punk's Website making and registering tutorial! Rise And Fall, Rage And Grace The Offspring! Huck it! I just want to be who I want to be guess that's hard for others to see

01-30-2008, 07:08 PM	#4 (permalink)
Punk Diamond Member Join Date: Jan 2007 Location: France Age: 18 Posts: 5,012	COMBOFIX-Script Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: Code: File:: C:\WINDOWS\system32\drivers\core.cache.dsk Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. __________________ Punk's anti-hackers website Punk's Website making and registering tutorial! Rise And Fall, Rage And Grace The Offspring! Huck it! I just want to be who I want to be guess that's hard for others to see Last edited by Punk; 02-03-2008 at 05:25 PM.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
core.cache.dsk removal	flipboi15	Computer Security	11	02-05-2008 06:24 AM
Malware Removal Tutorial	SirKenin	Computer Security	25	12-16-2006 08:14 PM
Excellent spyware removal tool	SirKenin	Computer Security	9	10-04-2006 04:02 AM
hijackthis log	spkenn5	Computer Security	11	07-08-2006 07:34 PM
wireless connection fails after spyware removal	mikekelly	Laptop and Smartphones	5	08-27-2005 07:37 PM

01-30-2008, 06:14 PM	#3 (permalink)
diamondclub New Member Join Date: Jan 2008 Posts: 3	Here is my combofix report. ComboFix 08-01-30.6 - J2 2008-01-30 12:02:22.2 - NTFSx86 Running from: C:\Documents and Settings\J2\Desktop\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete C:\WINDOWS\system32\msvcsv60.dll C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete ----- BITS: Possible infected sites ----- hxxp://gpdl.google.com . ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 ))))))))))))))))))))))))))))))) . 2008-01-30 10:48 . 2008-01-30 10:52 <DIR> d-------- C:\MGtools 2008-01-30 10:48 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com 2008-01-30 10:39 . 2008-01-30 10:40 1,238,674 --a------ C:\MGtools.exe 2008-01-30 10:31 . 2008-01-30 10:31 100 --a------ C:\WINDOWS\system32\ikhcore.cfg 2008-01-30 10:23 . 2008-01-30 10:30 <DIR> d-------- C:\ComboFix[1] 2008-01-30 10:00 . 2008-01-30 10:00 <DIR> d-------- C:\Program Files\CCleaner 2008-01-30 09:56 . 2008-01-30 09:56 <DIR> d-------- C:\WINDOWS\Google Toolbar 2008-01-30 09:55 . 2008-01-30 09:55 <DIR> d-------- C:\WINDOWS\system32\runtime 2008-01-30 09:39 . 2008-01-30 10:30 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk 2008-01-30 08:22 . 2008-01-30 09:30 354,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2008-01-30 08:22 . 2008-01-30 09:30 10,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2008-01-30 08:22 . 2008-01-30 09:30 5,828 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2008-01-30 08:22 . 2008-01-30 09:30 2,036 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2008-01-30 08:19 . 2008-01-30 08:19 <DIR> d-------- C:\KAV 2008-01-30 03:06 . 2008-01-30 03:06 <DIR> d-------- C:\Program Files\MSXML 6.0 2008-01-30 03:02 . 2008-01-30 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0 2008-01-30 03:01 . 2008-01-30 03:07 <DIR> d--h----- C:\WINDOWS\$hf_mig$ 2008-01-30 03:01 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2008-01-30 03:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2008-01-29 23:42 . 2008-01-29 23:46 <DIR> d-------- C:\Program Files\Spyware Doctor 2008-01-29 23:42 . 2008-01-29 23:42 <DIR> d-------- C:\Documents and Settings\J2\Application Data\PC Tools 2008-01-29 23:42 . 2008-01-30 12:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-01-29 23:42 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2008-01-29 23:42 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2008-01-29 23:42 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2008-01-29 23:42 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2008-01-29 23:01 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Cool YouTube Downloader 2008-01-29 22:00 . 2008-01-29 22:00 <DIR> d---s---- C:\Documents and Settings\J2\UserData 2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Program Files\Viewpoint 2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-01-29 17:40 . 2008-01-29 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP 2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL 2008-01-29 17:39 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Common Files\AOL 2008-01-29 17:39 . 2008-01-29 17:40 537 --ah----- C:\IPH.PH 2008-01-29 13:56 . 2008-01-29 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM 2008-01-29 12:55 . 2008-01-29 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard 2008-01-29 11:05 . 2008-01-29 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage 2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iTunes 2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iPod 2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Apple Computer 2008-01-29 10:27 . 2008-01-30 09:54 <DIR> d-------- C:\Program Files\Google 2008-01-29 10:27 . 2008-01-30 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater 2008-01-29 10:27 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-01-29 10:26 . 2008-01-29 10:26 <DIR> d-------- C:\Program Files\Apple Software Update 2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Program Files\Common Files\Apple 2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2008-01-29 10:12 . 2008-01-30 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-01-29 09:49 . 2007-02-28 04:55 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2008-01-29 09:49 . 2007-02-28 04:53 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe 2008-01-29 09:49 . 2007-02-28 04:15 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe 2008-01-29 09:34 . 2008-01-29 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7 2008-01-29 09:31 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Conduit 2008-01-29 09:28 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll 2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\MSBuild 2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\Microsoft Works 2008-01-29 09:23 . 2008-01-29 09:27 <DIR> d-------- C:\WINDOWS\SHELLNEW 2008-01-29 09:21 . 2008-01-30 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-01-29 09:20 . 2008-01-29 09:20 <DIR> dr-h----- C:\MSOCache 2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll 2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll 2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll 2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll 2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll 2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll 2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll 2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll 2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll 2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll 2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll 2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll 2008-01-29 00:54 . 2008-01-29 00:54 <DIR> d--h----- C:\WINDOWS\PIF 2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\VstPlugIns 2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\DigiDesign 2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\ASIO4ALL v2 2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Documents and Settings\J2\Application Data\InstallShield 2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\system32\w3data.vss 2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\msocreg32.dat 2008-01-29 00:15 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\IK Multimedia 2008-01-29 00:15 . 2006-10-06 10:51 499,712 --a------ C:\WINDOWS\system32\stealthp.exe 2008-01-29 00:15 . 2006-10-06 10:51 77,824 --------- C:\WINDOWS\system32\IKStealthPlugASIO.dll 2008-01-29 00:15 . 2006-10-06 10:51 60,416 --a------ C:\WINDOWS\system32\drivers\IKStealthPlugLL.sys 2008-01-29 00:15 . 2006-10-06 10:51 49,152 --------- C:\WINDOWS\system32\IKStealthPlugAPI.dll 2008-01-29 00:15 . 2006-10-06 10:51 40,960 --a------ C:\WINDOWS\system32\IKClsCoInst.dll 2008-01-28 23:52 . 2008-01-30 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet 2008-01-28 23:36 . 2008-01-28 23:36 86,144 --a------ C:\WINDOWS\system32\drivers\mouclasss.sys 2008-01-28 23:32 . 2008-01-28 23:51 <DIR> d-------- C:\Program Files\PowerISO 2008-01-28 23:23 . 2008-01-29 23:49 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Azureus 2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\WINDOWS\Sun 2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Java 2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-28 23:22 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-01-28 23:07 . 2008-01-30 08:58 <DIR> d-------- C:\Program Files\QuickTime 2008-01-28 23:04 . 2008-01-28 23:04 <DIR> d-------- C:\Program Files\Azureus 2008-01-28 22:57 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll 2008-01-28 22:57 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe 2008-01-28 22:49 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Bonjour 2008-01-28 22:44 . 2008-01-28 22:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared 2008-01-28 22:34 . 2008-01-29 12:52 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-01-28 22:24 . 2004-11-17 13:27 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.dll 2008-01-28 22:24 . 2004-11-17 13:27 13 --a------ C:\WINDOWS\system32\drivers\verfile.tic . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2008-01-29 05:18 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-01-29 05:14 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-01-29 01:47 --------- d-----w C:\Program Files\Broadcom 2008-01-29 01:39 --------- d-----w C:\Program Files\CONEXANT 2008-01-29 01:37 --------- d-----w C:\Program Files\Intel 2008-01-29 01:35 --------- d--h--w C:\Program Files\Uninstall Information 2008-01-29 01:21 --------- d-----w C:\Program Files\microsoft frontpage 2008-01-29 01:17 --------- d-----w C:\Program Files\Windows Media Connect 2 . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2008-01-29 10:27 68856] "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248] "Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBE V~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05 200704] "StealthPlug Control Panel"="C:\WINDOWS\system32\stealthp.exe" [2006-10-06 10:51 499712] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048] "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53 29744] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-29 10:27:27 125624] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~ 1.DLL R1 mouclasss;mouclasss;C:\WINDOWS\system32\drivers\mo uclasss.sys [2008-01-28 23:36] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38] S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53] S3 IKStealthPlug;IK Multimedia StealthPlug Low-Level Driver;C:\WINDOWS\system32\Drivers\IKStealthPlugLL .sys [2006-10-06 10:51] . Contents of the 'Scheduled Tasks' folder "2008-01-29 15:27:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************ ******************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-30 12:12:13 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************** ******************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\stealthp.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe . ********************************************** ********************** . Completion time: 2008-01-30 12:15:41 - machine was rebooted [J2] ComboFix-quarantined-files.txt 2008-01-30 17:15:37 . 2008-01-30 08:08:01 --- E O F ---

01-30-2008, 08:11 PM	#5 (permalink)
diamondclub New Member Join Date: Jan 2008 Posts: 3	ComboFix 08-01-30.6 - J2 2008-01-30 14:00:33.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.233 [GMT -5:00] Running from: C:\Documents and Settings\J2\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\J2\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE C:\WINDOWS\system32\drivers\core.cache.dsk . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete . ((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 ))))))))))))))))))))))))))))))) . 2008-01-30 10:48 . 2008-01-30 10:52 <DIR> d-------- C:\MGtools 2008-01-30 10:48 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com 2008-01-30 10:39 . 2008-01-30 10:40 1,238,674 --a------ C:\MGtools.exe 2008-01-30 10:31 . 2008-01-30 10:31 100 --a------ C:\WINDOWS\system32\ikhcore.cfg 2008-01-30 10:23 . 2008-01-30 10:30 <DIR> d-------- C:\ComboFix[1] 2008-01-30 10:00 . 2008-01-30 10:00 <DIR> d-------- C:\Program Files\CCleaner 2008-01-30 09:56 . 2008-01-30 09:56 <DIR> d-------- C:\WINDOWS\Google Toolbar 2008-01-30 09:55 . 2008-01-30 09:55 <DIR> d-------- C:\WINDOWS\system32\runtime 2008-01-30 09:39 . 2008-01-30 10:30 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk 2008-01-30 08:22 . 2008-01-30 09:30 354,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2008-01-30 08:22 . 2008-01-30 09:30 10,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2008-01-30 08:22 . 2008-01-30 09:30 5,828 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx 2008-01-30 08:22 . 2008-01-30 09:30 2,036 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx 2008-01-30 08:19 . 2008-01-30 08:19 <DIR> d-------- C:\KAV 2008-01-30 03:06 . 2008-01-30 03:06 <DIR> d-------- C:\Program Files\MSXML 6.0 2008-01-30 03:02 . 2008-01-30 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0 2008-01-30 03:01 . 2008-01-30 03:07 <DIR> d--h----- C:\WINDOWS\$hf_mig$ 2008-01-30 03:01 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2008-01-30 03:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe 2008-01-29 23:42 . 2008-01-29 23:46 <DIR> d-------- C:\Program Files\Spyware Doctor 2008-01-29 23:42 . 2008-01-29 23:42 <DIR> d-------- C:\Documents and Settings\J2\Application Data\PC Tools 2008-01-29 23:42 . 2008-01-30 12:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2008-01-29 23:42 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2008-01-29 23:42 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2008-01-29 23:42 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2008-01-29 23:42 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2008-01-29 23:01 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Cool YouTube Downloader 2008-01-29 22:00 . 2008-01-29 22:00 <DIR> d---s---- C:\Documents and Settings\J2\UserData 2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Program Files\Viewpoint 2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-01-29 17:40 . 2008-01-29 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP 2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL 2008-01-29 17:39 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Common Files\AOL 2008-01-29 17:39 . 2008-01-29 17:40 537 --ah----- C:\IPH.PH 2008-01-29 13:56 . 2008-01-29 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM 2008-01-29 12:55 . 2008-01-29 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard 2008-01-29 11:05 . 2008-01-29 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage 2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iTunes 2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iPod 2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Apple Computer 2008-01-29 10:27 . 2008-01-30 09:54 <DIR> d-------- C:\Program Files\Google 2008-01-29 10:27 . 2008-01-30 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater 2008-01-29 10:27 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-01-29 10:26 . 2008-01-29 10:26 <DIR> d-------- C:\Program Files\Apple Software Update 2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Program Files\Common Files\Apple 2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2008-01-29 10:12 . 2008-01-30 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-01-29 09:49 . 2007-02-28 04:55 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2008-01-29 09:49 . 2007-02-28 04:53 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe 2008-01-29 09:49 . 2007-02-28 04:15 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe 2008-01-29 09:34 . 2008-01-29 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7 2008-01-29 09:31 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Conduit 2008-01-29 09:28 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll 2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\MSBuild 2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\Microsoft Works 2008-01-29 09:23 . 2008-01-29 09:27 <DIR> d-------- C:\WINDOWS\SHELLNEW 2008-01-29 09:21 . 2008-01-30 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-01-29 09:20 . 2008-01-29 09:20 <DIR> dr-h----- C:\MSOCache 2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll 2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll 2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll 2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll 2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll 2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll 2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll 2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll 2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll 2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll 2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll 2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll 2008-01-29 00:54 . 2008-01-29 00:54 <DIR> d--h----- C:\WINDOWS\PIF 2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\VstPlugIns 2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\DigiDesign 2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\ASIO4ALL v2 2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Documents and Settings\J2\Application Data\InstallShield 2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\system32\w3data.vss 2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\msocreg32.dat 2008-01-29 00:15 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\IK Multimedia 2008-01-29 00:15 . 2006-10-06 10:51 499,712 --a------ C:\WINDOWS\system32\stealthp.exe 2008-01-29 00:15 . 2006-10-06 10:51 77,824 --------- C:\WINDOWS\system32\IKStealthPlugASIO.dll 2008-01-29 00:15 . 2006-10-06 10:51 60,416 --a------ C:\WINDOWS\system32\drivers\IKStealthPlugLL.sys 2008-01-29 00:15 . 2006-10-06 10:51 49,152 --------- C:\WINDOWS\system32\IKStealthPlugAPI.dll 2008-01-29 00:15 . 2006-10-06 10:51 40,960 --a------ C:\WINDOWS\system32\IKClsCoInst.dll 2008-01-28 23:52 . 2008-01-30 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet 2008-01-28 23:36 . 2008-01-28 23:36 86,144 --a------ C:\WINDOWS\system32\drivers\mouclasss.sys 2008-01-28 23:32 . 2008-01-28 23:51 <DIR> d-------- C:\Program Files\PowerISO 2008-01-28 23:23 . 2008-01-29 23:49 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Azureus 2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\WINDOWS\Sun 2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Java 2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Common Files\Java 2008-01-28 23:22 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-01-28 23:07 . 2008-01-30 08:58 <DIR> d-------- C:\Program Files\QuickTime 2008-01-28 23:04 . 2008-01-28 23:04 <DIR> d-------- C:\Program Files\Azureus 2008-01-28 22:57 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll 2008-01-28 22:57 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe 2008-01-28 22:49 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Bonjour 2008-01-28 22:44 . 2008-01-28 22:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared 2008-01-28 22:34 . 2008-01-29 12:52 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-01-28 22:24 . 2004-11-17 13:27 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.dll 2008-01-28 22:24 . 2004-11-17 13:27 13 --a------ C:\WINDOWS\system32\drivers\verfile.tic . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2008-01-29 05:18 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-01-29 05:14 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-01-29 01:47 --------- d-----w C:\Program Files\Broadcom 2008-01-29 01:39 --------- d-----w C:\Program Files\CONEXANT 2008-01-29 01:37 --------- d-----w C:\Program Files\Intel 2008-01-29 01:35 --------- d--h--w C:\Program Files\Uninstall Information 2008-01-29 01:21 --------- d-----w C:\Program Files\microsoft frontpage 2008-01-29 01:17 --------- d-----w C:\Program Files\Windows Media Connect 2 . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2008-01-29 10:27 68856] "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248] "Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBE V~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05 200704] "StealthPlug Control Panel"="C:\WINDOWS\system32\stealthp.exe" [2006-10-06 10:51 499712] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048] "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53 29744] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-29 10:27:27 125624] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~ 1.DLL R1 mouclasss;mouclasss;C:\WINDOWS\system32\drivers\mo uclasss.sys [2008-01-28 23:36] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38] S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53] S3 IKStealthPlug;IK Multimedia StealthPlug Low-Level Driver;C:\WINDOWS\system32\Drivers\IKStealthPlugLL .sys [2006-10-06 10:51] . Contents of the 'Scheduled Tasks' folder "2008-01-29 15:27:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************ ******************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-30 14:05:41 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************** ******************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\WINDOWS\system32\stealthp.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe . ********************************************** ********************** . Completion time: 2008-01-30 14:08:50 - machine was rebooted [J2] ComboFix-quarantined-files.txt 2008-01-30 19:08:47 ComboFix2.txt 2008-01-30 17:15:41 . 2008-01-30 08:08:01 --- E O F ---