core.cache.dsk HELP

nervana1

New Member
It seems that core.cache.dsk is the new pain in the butt today. I have been infected for 2 days and have tried everything in my power to rid myself of this little bug: Autoruns does not show it, Spyware Doctor finds it but fails to remove it.

I have tried all the steps here in the previous posts, but it seems to appreciate me so much that it comes back after all cleaning processes.

I have Vista, which makes it even more annoying as most dos proggies fail to work on this piece of work.

Here is my ComboFix log:



ComboFix 08-01-17.5 - Administrator 2008-01-17 8:37:10.5 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.486 [GMT -7:00]
Running from: D:\Users\Administrator\Desktop\ComboFix.exe
Command switches used :: D:\Users\Administrator\Desktop\CFSCRIPT.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\OpenVPN\bin\openvpn-gui .exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\pciidexx.sys
C:\WINDOWS\system32\tmp.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
D:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 08:45 . 2008-01-17 08:45 100 --a------ D:\Windows\System32\ikhcore.cfg
2008-01-17 08:25 . 2008-01-17 08:44 932 --------- D:\Windows\System32\drivers\core.cache.dsk
2008-01-17 07:57 . 2008-01-17 07:57 <DIR> d-------- D:\Program Files\Trend Micro
2008-01-17 07:02 . 2008-01-17 07:02 <DIR> d-------- D:\Program Files\Armada Online Alpha
2008-01-16 17:07 . 2008-01-17 08:45 <DIR> d-a------ D:\Users\All Users\TEMP
2008-01-16 17:07 . 2008-01-16 17:07 <DIR> d-------- D:\Users\Administrator\AppData\Roaming\PC Tools
2008-01-16 17:07 . 2008-01-17 08:45 <DIR> d-a------ D:\ProgramData\TEMP
2008-01-16 17:07 . 2008-01-17 00:54 <DIR> d-------- D:\Program Files\Spyware Doctor
2008-01-16 17:07 . 2007-12-10 14:53 81,288 --a------ D:\Windows\System32\drivers\iksyssec.sys
2008-01-16 17:07 . 2007-12-10 14:53 66,952 --a------ D:\Windows\System32\drivers\iksysflt.sys
2008-01-16 17:07 . 2007-12-10 14:53 41,864 --a------ D:\Windows\System32\drivers\ikfilesec.sys
2008-01-16 17:07 . 2007-12-10 14:53 29,576 --a------ D:\Windows\System32\drivers\kcom.sys
2008-01-16 11:08 . 2008-01-16 11:08 <DIR> d-------- D:\Users\All Users\SUPERAntiSpyware.com
2008-01-16 11:08 . 2008-01-16 11:08 <DIR> d-------- D:\ProgramData\SUPERAntiSpyware.com
2008-01-16 11:08 . 2008-01-16 18:08 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2008-01-16 06:40 . 2008-01-17 08:20 874 --a------ D:\Windows\System32\tmp.reg
2008-01-15 21:16 . 2008-01-16 07:13 229 --a------ D:\Windows\wininit.ini
2008-01-15 20:22 . 2008-01-16 18:07 <DIR> d-------- D:\Users\All Users\Spybot - Search & Destroy
2008-01-15 20:22 . 2008-01-16 18:07 <DIR> d-------- D:\ProgramData\Spybot - Search & Destroy
2008-01-15 19:58 . 2005-08-25 18:19 115,920 --a------ D:\Windows\System32\MSINET.OCX
2008-01-15 19:56 . 2000-08-31 08:00 51,200 --a------ D:\Windows\NirCmd.exe
2008-01-15 19:42 . 2008-01-15 19:42 <DIR> d-------- D:\Users\Administrator\DoctorWeb
2008-01-15 17:45 . 2008-01-15 17:45 86,144 --a------ D:\Windows\System32\drivers\Dot44.sys
2008-01-14 17:32 . 2008-01-14 17:32 <DIR> d-------- D:\Windows\Sun
2008-01-14 17:19 . 2008-01-14 17:19 <DIR> d-------- D:\Users\Administrator\LimeWire Store Purchased
2008-01-14 17:19 . 2008-01-14 17:19 <DIR> d-------- D:\Users\Administrator\LimeWire Shared
2008-01-14 17:19 . 2008-01-14 17:26 <DIR> d-------- D:\Users\Administrator\LimeWire Saved
2008-01-14 17:19 . 2008-01-14 17:33 <DIR> d-------- D:\Users\Administrator\Incomplete
2008-01-14 17:19 . 2008-01-14 17:33 <DIR> d-------- D:\Users\Administrator\AppData\Roaming\LimeWire
2008-01-14 17:18 . 2007-07-12 02:22 69,632 --a------ D:\Windows\System32\javacpl.cpl
2008-01-14 17:17 . 2008-01-14 17:18 <DIR> d-------- D:\Program Files\LimeWire
2008-01-14 17:17 . 2008-01-14 17:18 <DIR> d-------- D:\Program Files\Java
2008-01-14 17:17 . 2008-01-14 17:17 <DIR> d-------- D:\Program Files\Common Files\Java
2008-01-12 20:10 . 2008-01-12 20:10 <DIR> d-------- D:\Program Files\Foxit Software
2008-01-12 11:20 . 2006-02-05 15:05 18,902 --a------ D:\Windows\rixane-icon.ico
2008-01-12 11:20 . 2007-12-29 19:29 85 --a------ D:\Windows\solar-system-moon-register.url
2008-01-12 11:20 . 2007-12-29 19:29 83 --a------ D:\Windows\solar-system-moon-homepage.url
2008-01-12 11:20 . 2006-02-05 14:29 65 --a------ D:\Windows\rixane-screensavers.url
2008-01-12 11:19 . 2008-01-12 11:19 <DIR> d-------- D:\Windows\Solar System - Moon 3D
2008-01-12 11:19 . 2007-12-29 19:42 11,421,184 --a------ D:\Windows\Solar System - Moon 3D Screensaver.exe
2008-01-12 11:19 . 2007-12-29 20:01 300,544 --a------ D:\Windows\Solar System - Moon 3D Screensaver.scr
2008-01-12 11:19 . 2007-12-29 19:32 27,648 --a------ D:\Windows\instmoon.exe
2008-01-10 20:11 . 2008-01-10 20:15 <DIR> d-------- D:\Users\Administrator\AppData\Roaming\Intuit
2008-01-10 20:05 . 2008-01-10 20:05 <DIR> d-------- D:\Users\All Users\Intuit
2008-01-10 20:05 . 2008-01-10 20:05 <DIR> d-------- D:\ProgramData\Intuit
2008-01-10 20:05 . 2008-01-10 20:05 <DIR> d-------- D:\Program Files\Common Files\Intuit
2008-01-10 20:05 . 2007-10-22 18:58 1,721,712 --------- D:\Windows\System32\InetClnt.dll
2008-01-10 20:03 . 2008-01-10 20:03 <DIR> d-------- D:\Program Files\TurboTax
2008-01-09 03:57 . 2008-01-16 13:28 <DIR> d-------- D:\Program Files\Citrus Alarm Clock
2008-01-08 17:15 . 2008-01-08 17:15 802,816 --a------ D:\Windows\System32\drivers\tcpip.sys
2008-01-08 17:15 . 2008-01-08 17:15 216,760 --a------ D:\Windows\System32\drivers\netio.sys
2008-01-08 17:15 . 2008-01-08 17:15 167,424 --a------ D:\Windows\System32\tcpipcfg.dll
2008-01-08 17:15 . 2008-01-08 17:15 24,064 --a------ D:\Windows\System32\netcfg.exe
2008-01-08 17:15 . 2008-01-08 17:15 22,016 --a------ D:\Windows\System32\netiougc.exe
2008-01-08 17:14 . 2008-01-08 17:14 4,247,552 --a------ D:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-08 17:14 . 2008-01-08 17:14 1,686,016 --a------ D:\Windows\System32\gameux.dll
2008-01-08 17:13 . 2008-01-08 17:13 1,060,920 --a------ D:\Windows\System32\drivers\ntfs.sys
2008-01-08 17:13 . 2008-01-08 17:13 211,000 --a------ D:\Windows\System32\drivers\volsnap.sys
2008-01-08 17:13 . 2008-01-08 17:13 154,624 --a------ D:\Windows\System32\drivers\nwifi.sys
2008-01-08 17:13 . 2008-01-08 17:13 109,624 --a------ D:\Windows\System32\drivers\ataport.sys
2008-01-08 17:13 . 2008-01-08 17:13 45,112 --a------ D:\Windows\System32\drivers\pciidex.sys
2008-01-08 17:13 . 2008-01-08 17:13 21,560 --a------ D:\Windows\System32\drivers\atapi.sys
2008-01-08 17:13 . 2008-01-08 17:13 20,024 --a------ D:\Windows\System32\drivers\viaide.sys
2008-01-08 17:13 . 2008-01-08 17:13 11,776 --a------ D:\Windows\System32\sbunattend.exe
2008-01-04 17:56 . 2008-01-04 17:56 21,840 --a------ D:\Windows\System32\SIntfNT.dll
2008-01-04 17:56 . 2008-01-04 17:56 17,212 --a------ D:\Windows\System32\SIntf32.dll
2008-01-04 17:56 . 2008-01-04 17:56 12,067 --a------ D:\Windows\System32\SIntf16.dll
2008-01-03 19:02 . 2008-01-03 19:07 <DIR> d-------- D:\Users\Administrator\AppData\Roaming\NewsLeecher
2008-01-03 19:01 . 2008-01-03 19:05 <DIR> d-------- D:\Program Files\NewsLeecher
2008-01-03 13:19 . 2008-01-03 13:19 <DIR> d-------- D:\Users\Administrator\AppData\Roaming\Media Player Classic
2008-01-03 09:39 . 2006-10-26 19:56 32,592 --a------ D:\Windows\System32\msonpmon.dll
2008-01-03 09:37 . 2008-01-03 09:37 <DIR> d-------- D:\Program Files\Microsoft Works
2008-01-03 09:35 . 2008-01-03 09:35 <DIR> d-------- D:\Windows\PCHEALTH
2008-01-03 09:35 . 2008-01-03 09:35 <DIR> d-------- D:\Program Files\Microsoft.NET
2008-01-03 09:33 . 2008-01-03 09:33 <DIR> d-------- D:\Program Files\Microsoft Visual Studio 8
2008-01-03 09:31 . 2008-01-03 09:39 <DIR> d-------- D:\Users\All Users\Microsoft Help
2008-01-03 09:31 . 2008-01-03 09:39 <DIR> d-------- D:\ProgramData\Microsoft Help
2008-01-03 09:30 . 2008-01-03 09:30 <DIR> dr-h----- D:\MSOCache
2008-01-03 08:10 . 2008-01-03 08:10 <DIR> d-------- D:\Program Files\Torrent Harvester
2008-01-02 21:26 . 2008-01-02 21:26 <DIR> d-------- D:\Windows\System32\xlive
2008-01-02 21:10 . 2008-01-02 21:10 1 --a------ D:\Windows\System32\SI.bin
2008-01-02 21:09 . 2008-01-16 13:20 <DIR> d-------- D:\Program Files\Common Files\InstallShield
2008-01-02 15:00 . 2008-01-17 08:41 12 --a------ D:\Windows\bthservsdp.dat
2008-01-02 14:54 . 2008-01-02 14:54 278,984 --a------ D:\Windows\System32\drivers\atksgt.sys
2008-01-02 14:54 . 2008-01-02 14:54 25,416 --a------ D:\Windows\System32\drivers\lirsgt.sys
2008-01-02 14:51 . 2005-05-26 15:34 2,297,552 --a------ D:\Windows\System32\d3dx9_26.dll
2008-01-02 14:41 . 2008-01-02 14:41 694,784 --a------ D:\Windows\System32\localspl.dll
2008-01-02 14:16 . 2008-01-10 20:07 <DIR> d--h----- D:\Program Files\InstallShield Installation Information
2008-01-02 13:57 . 2008-01-03 17:51 <DIR> d-------- D:\Users\Administrator\AppData\Roaming\GrabIt
2008-01-02 13:44 . 2008-01-17 00:43 <DIR> d-------- D:\Users\Administrator\AppData\Roaming\AVG7
2008-01-02 13:43 . 2008-01-02 13:43 9,216 --a------ D:\Windows\System32\avgwlntf.dll
2008-01-02 13:42 . 2008-01-02 13:42 <DIR> d-------- D:\Users\All Users\Grisoft
2008-01-02 13:42 . 2008-01-02 14:43 <DIR> d-------- D:\Users\All Users\avg7
2008-01-02 13:42 . 2008-01-02 13:42 <DIR> d-------- D:\ProgramData\Grisoft
2008-01-02 13:42 . 2008-01-02 14:43 <DIR> d-------- D:\ProgramData\avg7
2008-01-02 13:42 . 2008-01-02 13:42 55,304 --a------ D:\Windows\System32\drivers\avgwfp.sys
2008-01-02 13:03 . 2008-01-09 12:55 60,416 --a------ D:\Windows\ALCFDRTM.VER
2008-01-02 13:03 . 2008-01-02 13:03 60,416 --a------ D:\Windows\ALCFDRTM.EXE
2008-01-02 03:44 . 2008-01-02 03:44 <DIR> d-------- D:\Program Files\BitLocker
2008-01-02 03:37 . 2008-01-02 03:37 205,824 --a------ D:\Windows\System32\msoeacct.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 10:06 --------- d-----w D:\Program Files\Windows Sidebar
2008-01-09 10:06 --------- d-----w D:\Program Files\Windows Mail
2008-01-09 00:14 537,600 ----a-w D:\Windows\AppPatch\AcLayers.dll
2008-01-09 00:14 449,024 ----a-w D:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 00:14 2,143,744 ----a-w D:\Windows\AppPatch\AcGenral.dll
2008-01-09 00:14 173,056 ----a-w D:\Windows\AppPatch\AcXtrnal.dll
2008-01-03 16:37 --------- d-----w D:\Program Files\MSBuild
2008-01-02 21:55 --------- d-----w D:\Program Files\Windows Calendar
2008-01-02 21:42 8,192 ----a-w D:\Windows\System32\riched32.dll
2008-01-02 21:42 77,824 ----a-w D:\Windows\System32\rascfg.dll
2008-01-02 21:42 61,952 ----a-w D:\Windows\system32\drivers\wanarp.sys
2008-01-02 21:42 52,736 ----a-w D:\Windows\System32\rasdiag.dll
2008-01-02 21:42 48,640 ----a-w D:\Windows\system32\drivers\ndproxy.sys
2008-01-02 21:42 32,768 ----a-w D:\Windows\System32\rasmxs.dll
2008-01-02 21:42 22,016 ----a-w D:\Windows\System32\rasser.dll
2008-01-02 21:42 20,480 ----a-w D:\Windows\system32\drivers\ndistapi.sys
2008-01-02 21:41 70,144 ----a-w D:\Windows\system32\drivers\pacer.sys
2008-01-02 21:41 619,008 ----a-w D:\Windows\system32\drivers\dxgkrnl.sys
2008-01-02 21:41 384,000 ----a-w D:\Windows\System32\netcfgx.dll
2008-01-02 21:41 36,864 ----a-w D:\Windows\System32\cdd.dll
2008-01-02 21:41 33,280 ----a-w D:\Windows\System32\traffic.dll
2008-01-02 21:41 286,208 ----a-w D:\Windows\System32\ipnathlp.dll
2008-01-02 21:41 15,360 ----a-w D:\Windows\System32\pacerprf.dll
2008-01-02 21:41 134,656 ----a-w D:\Windows\System32\dps.dll
2008-01-02 21:41 13,824 ----a-w D:\Windows\System32\wshqos.dll
2008-01-02 21:41 13,824 ----a-w D:\Windows\System32\icsunattend.exe
2008-01-02 10:49 174 --sha-w D:\Program Files\desktop.ini
2008-01-02 10:44 --------- d-----w D:\Program Files\Windows Defender
2008-01-02 10:44 --------- d-----w D:\Program Files\Microsoft Games
2008-01-02 10:36 704,000 ----a-w D:\Windows\System32\PhotoScreensaver.scr
2008-01-02 10:36 67,584 ----a-w D:\Windows\System32\wlanhlp.dll
2008-01-02 10:36 542,720 ----a-w D:\Windows\System32\sysmain.dll
2008-01-02 10:36 502,784 ----a-w D:\Windows\System32\wlansvc.dll
2008-01-02 10:36 47,104 ----a-w D:\Windows\System32\wlanapi.dll
2008-01-02 10:36 297,984 ----a-w D:\Windows\System32\wlansec.dll
2008-01-02 10:36 290,816 ----a-w D:\Windows\System32\wlanmsm.dll
2008-01-02 10:36 258,232 ----a-w D:\Windows\system32\drivers\acpi.sys
2008-01-02 10:36 24,064 ----a-w D:\Windows\System32\wtsapi32.dll
2008-01-02 10:36 2,923,520 ----a-w D:\Windows\explorer.exe
2008-01-02 10:36 2,027,008 ----a-w D:\Windows\System32\win32k.sys
2008-01-02 10:14 88,576 ----a-w D:\Windows\System32\avifil32.dll
2008-01-02 10:14 82,944 ----a-w D:\Windows\System32\mciavi32.dll
2008-01-02 10:14 8,138,240 ----a-w D:\Windows\System32\ssBranded.scr
2008-01-02 10:14 712,192 ----a-w D:\Windows\System32\WindowsCodecs.dll
2008-01-02 10:14 69,632 ----a-w D:\Windows\System32\sendmail.dll
2008-01-02 10:14 65,024 ----a-w D:\Windows\System32\avicap32.dll
2008-01-02 10:14 61,440 ----a-w D:\Windows\System32\ntprint.exe
2008-01-02 10:14 320,000 ----a-w D:\Windows\system32\drivers\csc.sys
2008-01-02 10:14 31,232 ----a-w D:\Windows\System32\msvidc32.dll
2008-01-02 10:14 269,824 ----a-w D:\Windows\System32\schannel.dll
2008-01-02 10:14 220,160 ----a-w D:\Windows\System32\ntprint.dll
2008-01-02 10:14 123,904 ----a-w D:\Windows\System32\msvfw32.dll
2008-01-02 10:14 120,320 ----a-w D:\Windows\System32\dhcpcsvc6.dll
2008-01-02 10:14 12,800 ----a-w D:\Windows\System32\msrle32.dll
2008-01-02 10:14 105,984 ----a-w D:\Windows\System32\CscMig.dll
2008-01-02 10:14 10,240 ----a-w D:\Windows\System32\dhcpcmonitor.dll
2008-01-02 10:14 1,984,512 ----a-w D:\Windows\System32\authui.dll
2008-01-02 10:08 824,832 ----a-w D:\Windows\System32\wininet.dll
2008-01-02 10:08 56,320 ----a-w D:\Windows\System32\iesetup.dll
2008-01-02 10:08 52,736 ----a-w D:\Windows\AppPatch\iebrshim.dll
2008-01-02 10:08 26,624 ----a-w D:\Windows\System32\ieUnatt.exe
2007-12-11 08:32 761,856 ----a-w D:\Windows\system32\drivers\athr.sys
2007-12-05 05:25 55,104 ----a-w D:\Windows\system32\drivers\ativvpxx.vp
2007-12-05 03:08 3,351,040 ----a-w D:\Windows\system32\drivers\atikmdag.sys
2007-12-05 02:56 43,520 ----a-w D:\Windows\System32\ati2edxx.dll
2007-12-05 02:56 368,640 ----a-w D:\Windows\System32\ATIDEMGX.dll
2007-12-05 02:56 274,432 ----a-w D:\Windows\System32\atipdlxx.dll
2007-12-05 02:56 241,664 ----a-w D:\Windows\System32\Oemdspif.dll
2007-12-05 02:56 159,744 ----a-w D:\Windows\System32\atitmmxx.dll
2007-12-05 02:55 245,760 ----a-w D:\Windows\System32\Ati2evxx.dll
2007-12-05 02:54 626,688 ----a-w D:\Windows\System32\Ati2evxx.exe
2007-12-05 02:43 3,117,568 ----a-w D:\Windows\System32\atiumdag.dll
2007-12-05 02:42 9,408,512 ----a-w D:\Windows\System32\atioglxx.dll
2007-12-05 02:30 3,934,720 ----a-w D:\Windows\System32\atiumdva.dll
2007-12-05 02:20 48,128 ----a-w D:\Windows\System32\amdpcom32.dll
2007-12-05 02:08 49,152 ----a-w D:\Windows\system32\drivers\ati2erec.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-17_ 7.23.35.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-17 14:21:09 67,584 --s-a-w D:\Windows\bootstat.dat
+ 2008-01-17 15:45:04 67,584 --s-a-w D:\Windows\bootstat.dat
- 2008-01-17 14:14:00 1,335,296 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 15:36:57 1,335,296 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-17 14:14:00 1,335,296 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
+ 2008-01-17 15:36:57 1,335,296 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
- 2008-01-17 14:14:00 3,715,072 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 15:36:57 3,715,072 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-17 14:14:00 1,015,808 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 15:36:57 1,032,192 ----a-w D:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-17 14:02:09 262,144 ----a-w D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-17 15:27:22 262,144 ----a-w D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-17 14:21:38 1,572,864 --sha-w D:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-01-17 15:45:37 1,572,864 --sha-w D:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-01-17 14:05:07 262,144 ----a-w D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-17 15:29:00 262,144 ----a-w D:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-17 14:21:38 1,572,864 --sha-w D:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-01-17 15:45:37 1,572,864 --sha-w D:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-01-17 01:26:50 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Feeds Cache\index.dat
+ 2008-01-17 15:31:37 16,384 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Feeds Cache\index.dat
- 2008-01-17 14:01:03 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-17 15:45:25 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-17 15:31:37 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011720080118\index.dat
- 2008-01-17 14:01:03 49,152 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-17 15:45:25 49,152 --sha-w D:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-17 14:01:03 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-17 15:45:25 32,768 --sha-w D:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-17 14:07:19 104,662 ----a-w D:\Windows\System32\perfc009.dat
+ 2008-01-17 15:31:13 104,662 ----a-w D:\Windows\System32\perfc009.dat
- 2008-01-17 14:07:19 621,314 ----a-w D:\Windows\System32\perfh009.dat
+ 2008-01-17 15:31:13 621,314 ----a-w D:\Windows\System32\perfh009.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-29 05:05 486856]
"uTorrent"="D:\Program Files\uTorrent\uTorrent.exe" [2008-01-01 19:40 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SoundMan"="SOUNDMAN.EXE" [2007-03-09 16:28 598016 D:\Windows\SOUNDMAN.EXE]
"AVG7_CC"="D:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-02 13:42 579072]
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"ISTray"="D:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="D:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-02 13:42 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-02 13:43 9216 D:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\comup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-02 03:34 1006264 D:\Program Files\Windows Defender\MSASCui.exe

R3 atikmdag;atikmdag;D:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-04 20:08]
R3 AvgWFP;AVG7 Firewall Driver x86;D:\Windows\system32\Drivers\avgwfp.sys [2008-01-02 13:42]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;D:\Windows\system32\DRIVERS\yk60x86.sys [2007-07-31 08:22]
S3 athr;Atheros Extensible Wireless LAN device driver;D:\Windows\system32\DRIVERS\athr.sys [2007-12-11 01:32]
S3 R300;R300;D:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-04 20:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f2b84ae-b8ea-11dc-bf8c-00055d2eba03}]
\shell\AutoRun\command - G:\AutorunArcanum.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f2b84c2-b8ea-11dc-bf8c-00055d2eba03}]
\shell\AutoRun\command - H:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f2b84c3-b8ea-11dc-bf8c-00055d2eba03}]
\shell\AutoRun\command - I:\AutoRun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 08:45:49
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 8:48:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 15:48:13
ComboFix2.txt 2008-01-17 15:16:50
ComboFix3.txt 2008-01-17 14:24:19
.
2008-01-16 00:19:37 --- E O F ---


Your help is appreciated. Thank you!
 
C:\WINDOWS\system32\drivers\core.cache.dsk
D:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete


Let's do it manually. Reboot in Safe Mode. First print out all the instructions, although this is easy to do and remember.
You can get into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

How to view hidden files/folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html
Don't forget to hide files/folders again when this is finished.

Search for and find these files/folders (or navigate to them) in red below and delete them:
D:\Windows\system32\drivers\core.cache.dsk
For example: click on My Computer, D:/, System32, drivers and then delete core.cache.dsk.
It should be that easy. Also, do the same on the C:/ drive.
When done, reboot in normal mode and please post your HijackThis log. Instructions on how to do it are in the sticky Essential thread on this forum.
 
Tried but could not erase it =/

This thing is driving me nuts!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:45 PM, on 1/17/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
D:\Windows\System32\smss.exe
D:\Windows\system32\csrss.exe
D:\Windows\system32\wininit.exe
D:\Windows\system32\csrss.exe
D:\Windows\system32\services.exe
D:\Windows\system32\lsass.exe
D:\Windows\system32\lsm.exe
D:\Windows\system32\svchost.exe
D:\Windows\system32\svchost.exe
D:\Windows\System32\svchost.exe
D:\Windows\system32\Ati2evxx.exe
D:\Windows\System32\svchost.exe
D:\Windows\System32\svchost.exe
D:\Windows\system32\svchost.exe
D:\Windows\system32\winlogon.exe
D:\Windows\system32\SLsvc.exe
D:\Windows\system32\svchost.exe
D:\Windows\system32\svchost.exe
D:\Windows\system32\Ati2evxx.exe
D:\Windows\System32\spoolsv.exe
D:\Windows\system32\svchost.exe
D:\Windows\system32\Dwm.exe
D:\Windows\system32\taskeng.exe
D:\Windows\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
D:\Windows\system32\svchost.exe
D:\Windows\system32\svchost.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Windows\system32\svchost.exe
D:\Windows\System32\svchost.exe
D:\Windows\system32\SearchIndexer.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Windows\SOUNDMAN.EXE
D:\Program Files\Grisoft\AVG7\avgcc.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\Windows Media Player\wmpnetwk.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Windows\system32\wbem\wmiprvse.exe

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISTray] "D:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgwlntf - D:\Windows\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - D:\Windows\System32\DreamScene.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - D:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 5139 bytes
 
What stopped you from erasing the file? Did it say "Access Denied" or "Another person or user is using this program"?
Please download Pocket Killbox and save it to your desktop; it should be there when you enter Safe Mode. Use that tool to erase the file.
Good luck!
 
nervana1, please post the contents of C:\qoobox\ComboFix2.txt and C:\qoobox\ComboFix3.txt. I'd like to see what ComboFix has done to date.

Please delete the version of ComboFix you have and download an updated one from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to your Desktop.

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    D:\Windows\system32\drivers\core.cache.dsk
    D:\Windows\System32\drivers\Dot44.sys
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    [screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
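The fix above hinged on a driver, Dot44.sys, that ComboFix listed among the files created in the infection window and that kept re-creating core.cache.dsk. Below is an added example (not code from this thread, from ComboFix or from its author) of the triage a responder runs over the "Files Created" section of such a log: it parses the lines and flags drivers created within a few days of the scan, noting ones written in place (created timestamp equal to modified) or carrying no archive attribute. The sample lines are copied from the log posted above; the window length and the heuristics are assumptions.

```python
"""Triage of ComboFix "Files Created" lines (added example; heuristics are assumptions)."""
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the ComboFix log above, in its
# "created . modified size attributes path" layout.
SAMPLE_LOG = r"""
2008-01-17 08:45 . 2008-01-17 08:45 100 --a------ D:\Windows\System32\ikhcore.cfg
2008-01-17 08:25 . 2008-01-17 08:44 932 --------- D:\Windows\System32\drivers\core.cache.dsk
2008-01-16 17:07 . 2007-12-10 14:53 81,288 --a------ D:\Windows\System32\drivers\iksyssec.sys
2008-01-15 17:45 . 2008-01-15 17:45 86,144 --a------ D:\Windows\System32\drivers\Dot44.sys
2008-01-08 17:13 . 2008-01-08 17:13 45,112 --a------ D:\Windows\System32\drivers\pciidex.sys
2008-01-17 07:57 . 2008-01-17 07:57 <DIR> d-------- D:\Program Files\Trend Micro
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[\w-]{9}) (?P<path>.+)$"
)
TIME_FMT = "%Y-%m-%d %H:%M"


def parse_created(log_text):
    """Turn the 'Files Created' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({
            "created": datetime.strptime(m["created"], TIME_FMT),
            "modified": datetime.strptime(m["modified"], TIME_FMT),
            "size": size,
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def triage_drivers(entries, log_date, window_days=3):
    """Return (path, reasons) for driver files created within window_days of the log.

    Extra reasons mark files written in place (installers usually preserve an
    older modified time, so created == modified hints at a freshly dropped file)
    and files whose archive attribute is clear (unusual for a newly written file).
    """
    cutoff = log_date - timedelta(days=window_days)
    findings = []
    for e in entries:
        if e["size"] is None or "\\drivers\\" not in e["path"].lower():
            continue  # directories and non-driver paths are out of scope here
        if e["created"] < cutoff:
            continue  # older than the infection window
        reasons = ["created within %d days of the log" % window_days]
        if e["created"] == e["modified"]:
            reasons.append("written in place (created == modified)")
        if "a" not in e["attrs"]:
            reasons.append("archive attribute clear")
        findings.append((e["path"], reasons))
    return findings


def triage_log(log_text, log_date_str, window_days=3):
    """Convenience wrapper: log text plus the scan time as 'YYYY-MM-DD HH:MM'."""
    log_date = datetime.strptime(log_date_str, TIME_FMT)
    return triage_drivers(parse_created(log_text), log_date, window_days)


if __name__ == "__main__":
    # Scan time taken from the log header above (2008-01-17 08:48).
    for path, reasons in triage_log(SAMPLE_LOG, "2008-01-17 08:48"):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the pass surfaces core.cache.dsk, iksyssec.sys and Dot44.sys; Dot44.sys is the only one created and modified at the same minute with no vendor context, which is the pattern that makes it worth a second look. Files such as iksyssec.sys that show an older modified timestamp and sit next to a product's other drivers (here Spyware Doctor's ik*.sys set installed the same minute) are usually installer copies; the list is a starting point for checking publisher and signature, not a verdict.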
 
ceewi1

Thank you very much, that dot4 file was the culprit behind the reappearance of this nuisance.

Thank you guys!
 
You're welcome.

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be a security program. If you get a popup for a security program that you did not install yourself, do NOT click on it, and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure or are looking for anti-spyware programs, you can find out if one is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here.
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
 