core.cache.dsk

Status
Not open for further replies.

AkinaGod

New Member
I keep getting the malware core.cache.dsk. I seem to have more after I ran ComboFix.exe. It didn't remove the core.cache.dsk file though. I am having big trouble browsing the web and my computer runs horribly slow. I have run Panda software, spybot SD, Ad Aware, AVG, Kill, and ComboFix. I have to log onto another computer to use the internet otherwise mine will just spaz out due to all the popups and freeze. Is there anything out there that will get rid of this damn program? Spybot calls it "smit" something. Please help! :mad:
 

Punk

Moderator
Staff member
Smitfraud?

Let's see that:
Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

then

If you already have Smitfraudfix, please delete this copy and download it again as it's being updated regularly.

Please download SmitFraudFix.exe by S!Ri and save it to the desktop.

If you can't download it, please download it from these alternative sites:

From Geekstogo
From Security Cadets
From Zebulon

  1. Double click on SmitfraudFix.exe.
  2. Press 1 then hit the Enter key.
  3. It will create a report named rapport.txt, usually on the C drive.
  4. Please post back this log in your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Read more here

In your next reply please post:
  • The Hijackthis log
  • The SmitfraudFix log
 

AkinaGod

New Member
Hijack log



Logfile of HijackThis v1.99.1
Scan saved at 10:50:58 AM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0111E17F-A0E7-4E44-A554-9F6477DBFBAC} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {5027B960-7509-4351-9E26-FB299F9262C1} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\gebxwtu.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://mail.yahoo.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194201304156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194197676764
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: gebaaaw - gebaaaw.dll (file missing)
O20 - Winlogon Notify: gebxwtu - gebxwtu.dll (file missing)
O20 - Winlogon Notify: lpbxlgll - lpbxlgll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 

AkinaGod

New Member
SmitFraudFix v2.274

Scan done at 10:54:22.29, Sat 01/12/2008
Run from C:\Documents and Settings\Dreamer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dreamer


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dreamer\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Dreamer\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92F3ACC4-C4F7-4419-A9F1-EF842F55ACE1}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{92F3ACC4-C4F7-4419-A9F1-EF842F55ACE1}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 

Punk

Moderator
Staff member
OK this is not a Smitfraud infection.
Did you have any Vundo infections? We have some leftovers from a Vundo infection. It says "file missing" but let's make sure it is removed.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Webbenji:)
 
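The triage the helpers do by hand here (spotting the orphaned O2 BHO and O20 Winlogon Notify entries, then checking a fresh log to confirm they are gone) can be scripted. This is an added example, not a tool from the thread or from HijackThis; the sample logs are excerpts of the two HijackThis logs posted in this thread.

```python
"""Triage helper for HijackThis (HJT) logs like the two posted in this thread.

Added example, not a tool from the thread, from HijackThis or from its authors.
It parses the 'Oxx - ...' finding lines, flags autostart/persistence entries
whose backing file HJT reports as "(file missing)" (the orphaned Vundo BHO and
Winlogon Notify entries discussed above), and diffs a before/after pair of logs
so a helper can confirm that the entries marked for "Fix checked" are gone.
"""
import re
from dataclasses import dataclass

# One HJT finding line: section code (R0, O2, O20, ...) then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Load points where an orphaned entry usually means a half-removed infection.
# O9 (IE toolbar buttons) is deliberately excluded: in this thread's logs HJT
# v1.99.1 reports %windir%\...\xpnetdiag.exe as missing only because it did not
# expand the variable, while v2.0.2 resolves the same path without complaint.
PERSISTENCE_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}


@dataclass(frozen=True)
class Entry:
    code: str
    body: str

    @property
    def file_missing(self) -> bool:
        return self.body.rstrip().endswith("(file missing)")


def parse_hjt(log_text: str) -> list[Entry]:
    """Return the finding lines of an HJT log; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def orphaned_persistence(entries: list[Entry]) -> list[Entry]:
    """Persistence entries whose target file HJT could not find on disk."""
    return [e for e in entries if e.code in PERSISTENCE_SECTIONS and e.file_missing]


def diff_logs(before: list[Entry], after: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """(removed, added) finding lines between two scans, in log order."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


# Excerpts of the 1/12 (v1.99.1) and 1/13 (v2.0.2) logs posted in this thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:50:58 AM, on 1/12/2008

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: (no name) - {0111E17F-A0E7-4E44-A554-9F6477DBFBAC} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {5027B960-7509-4351-9E26-FB299F9262C1} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\gebxwtu.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: gebaaaw - gebaaaw.dll (file missing)
O20 - Winlogon Notify: gebxwtu - gebxwtu.dll (file missing)
O20 - Winlogon Notify: lpbxlgll - lpbxlgll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:41 PM, on 1/13/2008

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    print("Orphaned persistence entries in the first log:")
    for e in orphaned_persistence(before):
        print(f"  {e.code} - {e.body}")
    removed, added = diff_logs(before, after)
    print(f"\n{len(removed)} entries gone, {len(added)} new after the fix run")
    print("Still orphaned:", orphaned_persistence(after) or "none")
```

The six flagged entries are exactly the lines evilfantasy later selects for "Fix checked"; the new entries in the second log are the SUPERAntiSpyware autostart and Winlogon hook that the cleanup itself installed.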

AkinaGod

New Member
Yea I keep running Spybot and it says I still have the smit thing. But when the vundo thing is done scanning I'll do another hijack and post the results.
 

evilfantasy

New Member
Open HijackThis and select Do a system scan only then place a check mark next to:

O2 - BHO: (no name) - {0111E17F-A0E7-4E44-A554-9F6477DBFBAC} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {5027B960-7509-4351-9E26-FB299F9262C1} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\gebxwtu.dll (file missing)
O20 - Winlogon Notify: gebaaaw - gebaaaw.dll (file missing)
O20 - Winlogon Notify: gebxwtu - gebxwtu.dll (file missing)
O20 - Winlogon Notify: lpbxlgll - lpbxlgll.dll (file missing)


Close all windows except for HijackThis and click Fix checked

Exit Hijackthis.

---------------

Now uninstall the version of HijackThis you have and download the new one.

Download HijackThis

--------------

Download Superantispyware (SAS) SUPERAntispyware Free Edition

Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to Update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
  • Save the log somewhere you can easily find it. (normally the desktop)
  • Click close and close again to exit the program.
  • Please add the log along with a new HijackThis log in the next post.
---------------

Next post please add.
SuperAntispyware log
New HijackThis log
 

Punk

Moderator
Staff member
Thanks evilfantasy... :rolleyes: Why not try not to confuse the user between your instructions and mine??!!

Let's see your combofix:

Step <insert number>: Download and Run ComboFix
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

I need to see a new HJT and your combofix AkinaGod

Thanks
 

AkinaGod

New Member
Ok the first Super Anti spyware scan was:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/13/2008 at 10:24 AM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type : Complete Scan
Total Scan Time : 01:12:05

Memory items scanned : 292
Memory threats detected : 0
Registry items scanned : 5049
Registry threats detected : 0
File items scanned : 67124
File threats detected : 10

Adware.k8l
C:\PROGRAM FILES\COMPLUS APPLICATIONS\ZYSOQA.HTML

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GCAKYWR.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP295\A0068922.DLL

Adware.eZula
C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP253\A0052967.EXE

Trojan.Downloader-Gen/Hammer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP254\A0053097.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP254\A0053105.DLL

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP293\A0065829.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP295\A0068998.VBS

Adware.WebBuying Assistant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP293\A0065830.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP293\A0065831.EXE
 

AkinaGod

New Member
2nd scan of spyware was:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/13/2008 at 12:18 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type : Complete Scan
Total Scan Time : 01:11:15

Memory items scanned : 283
Memory threats detected : 0
Registry items scanned : 5052
Registry threats detected : 0
File items scanned : 67040
File threats detected : 0
 

AkinaGod

New Member
and the most recent hijack after the two spyware scans is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:41 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://mail.yahoo.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194201304156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194197676764
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4538 bytes
 

AkinaGod

New Member
Computer seems to be running like it was before the problem started. Thanks for the help. Let me know if the hijack thing still has detected a problem.
 

AkinaGod

New Member
Ok so it looks like my computer is cleaned up. I guess my problem kept coming from a P2P file sharing program I had. I thought I cleaned the program up but I guess not. So I was wondering if anyone can recommend me a really good P2P file sharing program that is free and is able to download Japanese vids, American vids, music, etc. I used to use LimeWire but it doesn't seem to download ANY movies at all and the music always seemed to get about 50% - 80% complete and then stop and I would have to start all over again because it never found the file later on. Could anyone assist? I will also start this in another forum index for the reason of topic.
 

evilfantasy

New Member
Same answer, hope you read on General Software. Not allowed to talk.

Ditto. Torrents are illegal and any respectable forum will not tolerate discussions on their use. The best advice, buy your music and movies.

The log is clean.

Go to Start > Run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /u
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again

---------

Let's clear out the programs we've been using to clean up your computer, they are not suitable for
general malware removal and could cause damage if launched accidentally.

Please download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished exit out of OTMoveIt2

----------

This is a good time to clear your infected system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and click Next.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Next to System Restore click Clean up...
This will remove all restore points except the new one you just created.

----------

Apologies to webbenji. I didn't mean to hijack your instructions, I just thought I could help progress the fix.

EF
 

GameMaster

New Member
Hey evil you still didn't tell me where you got those canned speeches?
I mean you don't have to answer me, but I'd like to know...
 

evilfantasy

New Member
I remember, just forgot to answer.

The ones I use mainly are made by me. Although I have some that are posted throughout the web for people to use. Like the smitfraud and vundofix ones. I have found it easier to make new ones though. So many of the spyware scanners and online virus scanners are different than they were a year or two years ago so they are outdated.

I have a Google documents account that I keep them all categorized in. I am always modifying or just remaking one here and there.

P.S. There is a new Java version (Java 6 Update 4) so update your info on that.
 

GameMaster

New Member
Hey thanks!
"throughout the web for people to use. Like the smitfraud and vundofix"
I can try and google for such speeches, but did you mean some forums and sth?
Because, my source of canned speeches isn't bad, but really is full of outdated speeches. It's always nice to have correct speeches 5 seconds of navigating+posting...
Anyway don't want to bother too much so just...answer that one please.
 

Hey it's me

New Member
I too am infected with TWO Trojan Horses! PLEASE HELP!

I have been infected with TratBHO and Smitfraud. I have downloaded numerous fixes but nothing is working!! I'm trying to avoid reinstalling my op system. I have Avast, Smitfraudfix, Hijack This, Norton 2004, Ad-Aware 2007, AVG and...I have tried numerous times to clean them out!
I am sooo frustrated! I can't delete no how, no way the core.cache.dsk file in my drivers section (which I know is the Smitfraud bastard!) Tratbho had come up in one of my searches and I checked the boxes with BHO files and they were deleted but I still am getting pop ups and warnings. I've also been in safe mode. Didn't do anything.

Please help me! I'm losing my mind!

here's the latest result for Smitfraudfix:

SmitFraudFix v2.274

Scan done at 10:26:46.14, Mon 01/14/2008
Run from C:\Documents and Settings\Eve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avast4\Alwil Software\ashSimpl.exe
C:\Program Files\Eusing Free Registry Cleaner\Regcleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\rundll32.exe
D:\NU\NDD32.EXE
C:\WINDOWS\system32\rundll32.exe
D:\NSWSETUP.EXE
C:\WINDOWS\system32\msiexec.exe
D:\Support\Prescan\Prescan.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eve


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eve\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Eve\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



thanks
:(
 