*Sigh* core.cache.dsk removal

diamondclub

New Member
I know, I know, I know. Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 10:06:09 AM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\stealthp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [StealthPlug Control Panel] "C:\WINDOWS\system32\stealthp.exe" -min
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
 

Punk

Moderator
Staff member
Hello,

We've had a few core.cache.dsk infections here and got rid of it :)

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; ComboFix should then continue.
If that happened, we want to know, and also what process you had to end.
 

diamondclub

New Member
Here is my combofix report.

ComboFix 08-01-30.6 - J2 2008-01-30 12:02:22.2 - NTFSx86
Running from: C:\Documents and Settings\J2\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://gpdl.google.com
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 10:48 . 2008-01-30 10:52 <DIR> d-------- C:\MGtools
2008-01-30 10:48 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-01-30 10:39 . 2008-01-30 10:40 1,238,674 --a------ C:\MGtools.exe
2008-01-30 10:31 . 2008-01-30 10:31 100 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-01-30 10:23 . 2008-01-30 10:30 <DIR> d-------- C:\ComboFix[1]
2008-01-30 10:00 . 2008-01-30 10:00 <DIR> d-------- C:\Program Files\CCleaner
2008-01-30 09:56 . 2008-01-30 09:56 <DIR> d-------- C:\WINDOWS\Google Toolbar
2008-01-30 09:55 . 2008-01-30 09:55 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-01-30 09:39 . 2008-01-30 10:30 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-30 08:22 . 2008-01-30 09:30 354,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 08:22 . 2008-01-30 09:30 10,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-30 08:22 . 2008-01-30 09:30 5,828 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-30 08:22 . 2008-01-30 09:30 2,036 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-30 08:19 . 2008-01-30 08:19 <DIR> d-------- C:\KAV
2008-01-30 03:06 . 2008-01-30 03:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-30 03:02 . 2008-01-30 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-30 03:01 . 2008-01-30 03:07 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-30 03:01 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-30 03:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-29 23:42 . 2008-01-29 23:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-29 23:42 . 2008-01-29 23:42 <DIR> d-------- C:\Documents and Settings\J2\Application Data\PC Tools
2008-01-29 23:42 . 2008-01-30 12:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-29 23:42 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-29 23:42 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-29 23:42 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-29 23:42 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-29 23:01 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Cool YouTube Downloader
2008-01-29 22:00 . 2008-01-29 22:00 <DIR> d---s---- C:\Documents and Settings\J2\UserData
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-29 17:40 . 2008-01-29 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-01-29 17:39 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-01-29 17:39 . 2008-01-29 17:40 537 --ah----- C:\IPH.PH
2008-01-29 13:56 . 2008-01-29 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-01-29 12:55 . 2008-01-29 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-01-29 11:05 . 2008-01-29 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iTunes
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iPod
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Apple Computer
2008-01-29 10:27 . 2008-01-30 09:54 <DIR> d-------- C:\Program Files\Google
2008-01-29 10:27 . 2008-01-30 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-29 10:27 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-29 10:26 . 2008-01-29 10:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-29 10:12 . 2008-01-30 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 09:49 . 2007-02-28 04:55 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-29 09:49 . 2007-02-28 04:53 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-29 09:49 . 2007-02-28 04:15 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-29 09:34 . 2008-01-29 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-29 09:31 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Conduit
2008-01-29 09:28 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\MSBuild
2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-29 09:23 . 2008-01-29 09:27 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-29 09:21 . 2008-01-30 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-29 09:20 . 2008-01-29 09:20 <DIR> dr-h----- C:\MSOCache
2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-29 00:54 . 2008-01-29 00:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\VstPlugIns
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\DigiDesign
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Documents and Settings\J2\Application Data\InstallShield
2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\system32\w3data.vss
2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\msocreg32.dat
2008-01-29 00:15 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\IK Multimedia
2008-01-29 00:15 . 2006-10-06 10:51 499,712 --a------ C:\WINDOWS\system32\stealthp.exe
2008-01-29 00:15 . 2006-10-06 10:51 77,824 --------- C:\WINDOWS\system32\IKStealthPlugASIO.dll
2008-01-29 00:15 . 2006-10-06 10:51 60,416 --a------ C:\WINDOWS\system32\drivers\IKStealthPlugLL.sys
2008-01-29 00:15 . 2006-10-06 10:51 49,152 --------- C:\WINDOWS\system32\IKStealthPlugAPI.dll
2008-01-29 00:15 . 2006-10-06 10:51 40,960 --a------ C:\WINDOWS\system32\IKClsCoInst.dll
2008-01-28 23:52 . 2008-01-30 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-28 23:36 . 2008-01-28 23:36 86,144 --a------ C:\WINDOWS\system32\drivers\mouclasss.sys
2008-01-28 23:32 . 2008-01-28 23:51 <DIR> d-------- C:\Program Files\PowerISO
2008-01-28 23:23 . 2008-01-29 23:49 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Azureus
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\WINDOWS\Sun
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Java
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-28 23:22 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-28 23:07 . 2008-01-30 08:58 <DIR> d-------- C:\Program Files\QuickTime
2008-01-28 23:04 . 2008-01-28 23:04 <DIR> d-------- C:\Program Files\Azureus
2008-01-28 22:57 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-28 22:57 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-28 22:49 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Bonjour
2008-01-28 22:44 . 2008-01-28 22:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-28 22:34 . 2008-01-29 12:52 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-28 22:24 . 2004-11-17 13:27 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.dll
2008-01-28 22:24 . 2004-11-17 13:27 13 --a------ C:\WINDOWS\system32\drivers\verfile.tic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 05:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-29 05:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-29 01:47 --------- d-----w C:\Program Files\Broadcom
2008-01-29 01:39 --------- d-----w C:\Program Files\CONEXANT
2008-01-29 01:37 --------- d-----w C:\Program Files\Intel
2008-01-29 01:35 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-29 01:21 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-29 01:17 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-29 10:27 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05 200704]
"StealthPlug Control Panel"="C:\WINDOWS\system32\stealthp.exe" [2006-10-06 10:51 499712]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53 29744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-29 10:27:27 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

R1 mouclasss;mouclasss;C:\WINDOWS\system32\drivers\mouclasss.sys [2008-01-28 23:36]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53]
S3 IKStealthPlug;IK Multimedia StealthPlug Low-Level Driver;C:\WINDOWS\system32\Drivers\IKStealthPlugLL.sys [2006-10-06 10:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 15:27:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 12:12:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\stealthp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
.
**************************************************************************
.
Completion time: 2008-01-30 12:15:41 - machine was rebooted [J2]
ComboFix-quarantined-files.txt 2008-01-30 17:15:37
.
2008-01-30 08:08:01 --- E O F ---
 

Punk

Moderator
Staff member
COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\drivers\core.cache.dsk
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScript.gif

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
 
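As an added example (not the forum's, the poster's or ComboFix's own code), the following Python script parses a ComboFix log in the format quoted in this thread, picks out the "Other Deletions" entries marked "failed to delete", checks whether the same log still lists them under "Files Created", and builds the File:: block used in CFScript.txt. The sample log embedded in it is constructed from the output posted above.

```python
"""Parse a ComboFix log and build a CFScript.txt File:: block for leftovers."""
import re

# Constructed sample, modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""ComboFix 08-01-30.6 - J2 2008-01-30 12:02:22.2 - NTFSx86
Running from: C:\Documents and Settings\J2\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 10:48 . 2008-01-30 10:52 <DIR> d-------- C:\MGtools
2008-01-30 09:39 . 2008-01-30 10:30 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-28 23:36 . 2008-01-28 23:36 86,144 --a------ C:\WINDOWS\system32\drivers\mouclasss.sys
"""

# Section banners look like "(((( Other Deletions ))))".
HEADER_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}\s*$")
# Trailing marker ComboFix appends when a deletion did not succeed.
FAILED_SUFFIX = re.compile(r"\s*(?:\.\s*)+failed to delete\s*$")
# "created . modified size attrs path" rows of the Files Created section.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$"
)


def split_sections(log_text):
    """Map each banner heading to the meaningful lines beneath it."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        match = HEADER_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
            continue
        if current is None or line in ("", "."):
            continue
        sections[current].append(line)
    return sections


def find_section(sections, prefix):
    """Return the lines of the first section whose heading starts with prefix."""
    for name, lines in sections.items():
        if name.startswith(prefix):
            return lines
    return []


def failed_deletions(log_text):
    """Paths ComboFix tried to remove but could not, deduplicated in log order."""
    seen, result = set(), []
    for line in find_section(split_sections(log_text), "Other Deletions"):
        match = FAILED_SUFFIX.search(line)
        if not match:
            continue
        path = line[: match.start()].rstrip()
        if path not in seen:
            seen.add(path)
            result.append(path)
    return result


def files_created(log_text):
    """Parse the Files Created section into {path: {created, modified, size, attrs}}."""
    entries = {}
    for line in find_section(split_sections(log_text), "Files Created"):
        match = CREATED_RE.match(line)
        if match:
            entries[match.group(5)] = {
                "created": match.group(1),
                "modified": match.group(2),
                "size": match.group(3),
                "attrs": match.group(4),
            }
    return entries


def still_present(log_text):
    """Failed deletions that the same log also reports as present on disk."""
    created = {path.lower() for path in files_created(log_text)}
    return [p for p in failed_deletions(log_text) if p.lower() in created]


def build_cfscript(paths):
    """Text of a CFScript.txt whose File:: block names the given paths."""
    return "File::\n" + "".join(path + "\n" for path in paths)


if __name__ == "__main__":
    leftovers = still_present(SAMPLE_LOG)
    print("still present after ComboFix run:", leftovers)
    print(build_cfscript(leftovers), end="")
```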

diamondclub

New Member
ComboFix 08-01-30.6 - J2 2008-01-30 14:00:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.233 [GMT -5:00]
Running from: C:\Documents and Settings\J2\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\J2\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-30 10:48 . 2008-01-30 10:52 <DIR> d-------- C:\MGtools
2008-01-30 10:48 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-01-30 10:39 . 2008-01-30 10:40 1,238,674 --a------ C:\MGtools.exe
2008-01-30 10:31 . 2008-01-30 10:31 100 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-01-30 10:23 . 2008-01-30 10:30 <DIR> d-------- C:\ComboFix[1]
2008-01-30 10:00 . 2008-01-30 10:00 <DIR> d-------- C:\Program Files\CCleaner
2008-01-30 09:56 . 2008-01-30 09:56 <DIR> d-------- C:\WINDOWS\Google Toolbar
2008-01-30 09:55 . 2008-01-30 09:55 <DIR> d-------- C:\WINDOWS\system32\runtime
2008-01-30 09:39 . 2008-01-30 10:30 167,545 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-30 08:22 . 2008-01-30 09:30 354,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 08:22 . 2008-01-30 09:30 10,272 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-30 08:22 . 2008-01-30 09:30 5,828 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-30 08:22 . 2008-01-30 09:30 2,036 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-30 08:19 . 2008-01-30 08:19 <DIR> d-------- C:\KAV
2008-01-30 03:06 . 2008-01-30 03:06 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-01-30 03:02 . 2008-01-30 03:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-30 03:01 . 2008-01-30 03:07 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-30 03:01 . 2004-08-03 18:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-30 03:01 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-29 23:42 . 2008-01-29 23:46 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-29 23:42 . 2008-01-29 23:42 <DIR> d-------- C:\Documents and Settings\J2\Application Data\PC Tools
2008-01-29 23:42 . 2008-01-30 12:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-29 23:42 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-29 23:42 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-29 23:42 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-29 23:42 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-29 23:01 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Cool YouTube Downloader
2008-01-29 22:00 . 2008-01-29 22:00 <DIR> d---s---- C:\Documents and Settings\J2\UserData
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-29 17:40 . 2008-01-29 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-29 17:40 . 2008-01-29 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-01-29 17:39 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-01-29 17:39 . 2008-01-29 17:40 537 --ah----- C:\IPH.PH
2008-01-29 13:56 . 2008-01-29 13:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-01-29 12:55 . 2008-01-29 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-01-29 11:05 . 2008-01-29 11:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iTunes
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Program Files\iPod
2008-01-29 10:29 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Apple Computer
2008-01-29 10:27 . 2008-01-30 09:54 <DIR> d-------- C:\Program Files\Google
2008-01-29 10:27 . 2008-01-30 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-29 10:27 . 2008-01-29 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-29 10:26 . 2008-01-29 10:26 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-29 10:25 . 2008-01-29 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-29 10:12 . 2008-01-30 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 09:49 . 2007-02-28 04:55 2,182,144 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-01-29 09:49 . 2007-02-28 04:53 2,137,600 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-01-29 09:49 . 2007-02-28 04:15 2,017,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-01-29 09:34 . 2008-01-29 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-29 09:31 . 2008-01-30 09:31 <DIR> d-------- C:\Program Files\Conduit
2008-01-29 09:28 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\MSBuild
2008-01-29 09:27 . 2008-01-29 09:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-01-29 09:23 . 2008-01-29 09:27 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-01-29 09:21 . 2008-01-30 03:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-29 09:20 . 2008-01-29 09:20 <DIR> dr-h----- C:\MSOCache
2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-01-29 01:01 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-29 01:01 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2008-01-29 01:01 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2008-01-29 01:00 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-29 00:54 . 2008-01-29 00:54 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\VstPlugIns
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\DigiDesign
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-01-29 00:18 . 2008-01-29 00:18 <DIR> d-------- C:\Documents and Settings\J2\Application Data\InstallShield
2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\system32\w3data.vss
2008-01-29 00:18 . 2008-01-29 21:31 16 --a------ C:\WINDOWS\msocreg32.dat
2008-01-29 00:15 . 2008-01-29 00:18 <DIR> d-------- C:\Program Files\IK Multimedia
2008-01-29 00:15 . 2006-10-06 10:51 499,712 --a------ C:\WINDOWS\system32\stealthp.exe
2008-01-29 00:15 . 2006-10-06 10:51 77,824 --------- C:\WINDOWS\system32\IKStealthPlugASIO.dll
2008-01-29 00:15 . 2006-10-06 10:51 60,416 --a------ C:\WINDOWS\system32\drivers\IKStealthPlugLL.sys
2008-01-29 00:15 . 2006-10-06 10:51 49,152 --------- C:\WINDOWS\system32\IKStealthPlugAPI.dll
2008-01-29 00:15 . 2006-10-06 10:51 40,960 --a------ C:\WINDOWS\system32\IKClsCoInst.dll
2008-01-28 23:52 . 2008-01-30 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-28 23:36 . 2008-01-28 23:36 86,144 --a------ C:\WINDOWS\system32\drivers\mouclasss.sys
2008-01-28 23:32 . 2008-01-28 23:51 <DIR> d-------- C:\Program Files\PowerISO
2008-01-28 23:23 . 2008-01-29 23:49 <DIR> d-------- C:\Documents and Settings\J2\Application Data\Azureus
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\WINDOWS\Sun
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Java
2008-01-28 23:22 . 2008-01-28 23:22 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-28 23:22 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-28 23:07 . 2008-01-30 08:58 <DIR> d-------- C:\Program Files\QuickTime
2008-01-28 23:04 . 2008-01-28 23:04 <DIR> d-------- C:\Program Files\Azureus
2008-01-28 22:57 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-28 22:57 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-28 22:49 . 2008-01-30 08:54 <DIR> d-------- C:\Program Files\Bonjour
2008-01-28 22:44 . 2008-01-28 22:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-28 22:34 . 2008-01-29 12:52 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-28 22:24 . 2004-11-17 13:27 1,654,784 --a------ C:\WINDOWS\system32\W29MLRES.dll
2008-01-28 22:24 . 2004-11-17 13:27 13 --a------ C:\WINDOWS\system32\drivers\verfile.tic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 05:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-29 05:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-29 01:47 --------- d-----w C:\Program Files\Broadcom
2008-01-29 01:39 --------- d-----w C:\Program Files\CONEXANT
2008-01-29 01:37 --------- d-----w C:\Program Files\Intel
2008-01-29 01:35 --------- d--h--w C:\Program Files\Uninstall Information
2008-01-29 01:21 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-29 01:17 --------- d-----w C:\Program Files\Windows Media Connect 2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-29 10:27 68856]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46 624248]
"Adobe_ID0EYTHM"="C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05 200704]
"StealthPlug Control Panel"="C:\WINDOWS\system32\stealthp.exe" [2006-10-06 10:51 499712]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53 29744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-01-29 10:27:27 125624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

R1 mouclasss;mouclasss;C:\WINDOWS\system32\drivers\mouclasss.sys [2008-01-28 23:36]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 09:53]
S3 IKStealthPlug;IK Multimedia StealthPlug Low-Level Driver;C:\WINDOWS\system32\Drivers\IKStealthPlugLL.sys [2006-10-06 10:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 15:27:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 14:05:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\stealthp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
.
**************************************************************************
.
Completion time: 2008-01-30 14:08:50 - machine was rebooted [J2]
ComboFix-quarantined-files.txt 2008-01-30 19:08:47
ComboFix2.txt 2008-01-30 17:15:41
.
2008-01-30 08:08:01 --- E O F ---
 

Punk

Moderator
Staff member
Hmm didn't work.
Let's try this:

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Drivers to unload:
mouclasss

Files to delete:
C:\WINDOWS\system32\drivers\mouclasss.sys
C:\WINDOWS\system32\drivers\core.cache.dsk

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.
 
Last edited:
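The driver the script above unloads, mouclasss.sys, is one letter away from the legitimate Windows mouse class driver mouclass.sys. As an added example (not part of this thread, ComboFix or Avenger), the Python below parses ComboFix-style service lines like the ones in the log and flags driver basenames that sit within one edit of a known driver name; the allowlist of known drivers is a constructed stub, a real check would use a full known-good inventory.

```python
import re
import ntpath
from typing import List, Optional, Tuple

# Constructed allowlist of legitimate Windows driver basenames (assumption:
# a real deployment would use a complete inventory from a known-good system).
KNOWN_DRIVERS = {"mouclass", "kbdclass", "mouhid", "kbdhid", "ntfs", "tcpip",
                 "afd", "disk", "atapi"}

# ComboFix service lines look like: R1 name;display name;path [date]
SERVICE_LINE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);"?(.+?)"?\s*\[')


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(service_line: str) -> Optional[Tuple[str, str, str]]:
    """Return (service, path, mimicked driver) when the driver file's basename
    is one edit away from a known driver but is not itself known, else None."""
    m = SERVICE_LINE.match(service_line)
    if not m:
        return None
    service, path = m.group(2), m.group(4)
    base = ntpath.splitext(ntpath.basename(path))[0].lower()
    if base in KNOWN_DRIVERS:
        return None
    for known in KNOWN_DRIVERS:
        if edit_distance(base, known) == 1:
            return (service, path, known)
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the lookalike check over every line and keep the hits."""
    return [hit for hit in (lookalike(line) for line in lines) if hit]


# Service lines copied from the ComboFix log posted in this thread.
LOG_LINES = [
    r'R1 mouclasss;mouclasss;C:\WINDOWS\system32\drivers\mouclasss.sys [2008-01-28 23:36]',
    r'R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]',
    r'S3 IKStealthPlug;IK Multimedia StealthPlug Low-Level Driver;C:\WINDOWS\system32\Drivers\IKStealthPlugLL.sys [2006-10-06 10:51]',
]

if __name__ == "__main__":
    for service, path, known in scan(LOG_LINES):
        print(f"{service}: {path} resembles legitimate driver {known}.sys")
```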