TratBHO and Smitfraud (core.cache.dsk) HELLLLLP! please

Hey it's me

New Member
So, here's another question: should I remove the "catchme" folder that has the core.cache.dsk in it? The folder is within the Qoobox generated by ComboFix.
 

Hey it's me

New Member
You are never going to believe this!! Avast seems to have found the WIN32:TRATBHO virus AGAIN??? UCH! What the heck does this mean? :( :(
 

evilfantasy

New Member
ceewi1 must have the magic touch.

Leave everything as it is until the Super completes. We will clean up the mess in the closing steps.

If you are saying you have two antivirus installed then yes uninstall one and leave the other. Either Avast! or AVG Antivirus (not to be confused with AVG Antispyware) But not until Super is done scanning.

The HijackThis log looks fine. Post the Super log and then we can most likely wrap this up.

Thanks ceewi1!!!!!
 

Hey it's me

New Member
Yes, I think that detected virus was in fact quarantined; there were a bunch of things quarantined in the SAS folder that I just removed for GOOD! The core.cache.dsk and Vundo and tons of spyware. I think it's OK after all. Phew! I was nervous. I actually think everything's OK now. My stars, that was insane! So, Evil, how do I thank you? You were great as my platoon captain. And yes, ceewi gave us the final golden egg, ceewi rules! I really am grateful!
I'm running SAS right now. I'll post its log. I'm so confused with all the programs I have; does it HAVE a log? Or do I run HJT and give you that in the end? Or both? Oh, I'm also running that F-Secure in IE to see what it comes up with; it came up with 2 spyware found already. We'll see. And as for deciding which protective program to run when all is said and done, I'm just not sure. Like I said, I've been using Avast since I got this computer 2 years ago. It was fine until THIS! But perhaps free AVG is better? I don't know.
 

evilfantasy

New Member
Again, STOP doing so much at once. You are going to cause errors by manually doing what the running programs are already doing. Or have them conflict with one another.

Take it easy, let everything complete and post the Super log.

We will then clean up everything.
 

Hey it's me

New Member
I know, sorry about that. I have been told many times in the past to keep myself in check with the multi-tasking. Anyway, I DID stop the other programs and stepped away. Here is the only log I could get from SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/15/2008 at 03:46 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type : Quick Scan
Total Scan Time : 00:49:01

Memory items scanned : 478
Memory threats detected : 0
Registry items scanned : 825
Registry threats detected : 0
File items scanned : 28907
File threats detected : 0
 

Hey it's me

New Member
I JUST realized something... that was a QUICK Scan, NOT a Complete scan. Complete takes longer. For Pete's sake! I just started the Complete scan, but I may not be able to stay for it today. If I stay here, I won't get anything done and that's not good! grrrrr. It's my own stupid fault. Anyway, while it's scanning, you know what, Evil, I'd really like to do whatever needs to be done to completely remove that core.cache.dsk from my computer, even IF it's now contained in ComboFix's catchme folder. Can we go forward with that? Is it possible? Unless this SAS scans brilliantly quick, when I get back tomorrow I'll run it again. What do you think?
 

Hey it's me

New Member
Oh, and don't be cross, I did another HJT log (it's becoming compulsive):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:50 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Eve\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\Eve\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Eusing Free Registry Cleaner\Regcleaner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe

--
End of file - 4498 bytes
 

Hey it's me

New Member
Oh, forget it, I see it's some kind of program from Microsoft (an update of sorts) that's supposed to help clean up.
 

Hey it's me

New Member
You know what? The AVG I have is not antivirus, it's anti-spyware. I have Avast 4, which runs always. So, with that said, what should I do? I'm also heading out right now. I was hoping to be able to go over with you (Evil) how to remove that quarantined Qoobox (ComboFix). It has the nasty core.cache.dsk file, plus others, and I hate to leave my computer with it still in it. But, 1 hour and 11 minutes later, SAS is still not done with the Complete scan (though I'm convinced all's well) and I really have to go. So far nothing detected. I'm not sure if I should just leave it scanning till I return tomorrow afternoon or not.
 

Hey it's me

New Member
OK! Well, Evil, it turns out I was dilly-dallying before I got out of here and the scan finished; here is the result. I'll do the cleanup tomorrow. Just leave instructions. Thanks! ttyl

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/15/2008 at 05:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type : Complete Scan
Total Scan Time : 01:35:53

Memory items scanned : 473
Memory threats detected : 0
Registry items scanned : 6113
Registry threats detected : 0
File items scanned : 72878
File threats detected : 0
 

evilfantasy

New Member
you know what? The AVG I have is not antivirus, it's anti-spyware. I have Avast 4, which runs always. So, with that said, what should I do?

If you are saying you have two antivirus installed then yes uninstall one and leave the other. Either Avast! or AVG Antivirus (not to be confused with AVG Antispyware)

Leave them both. Do a scan weekly, alternating between AVG and SUPERAntiSpyware.

---------------

Time to do some cleanup and secure the work you have done.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.


  • The above procedure will:
      • Delete ComboFix and its associated files and folders.
      • Reset the clock settings.
      • Hide file extensions, if required.
      • Hide System/Hidden files, if required.
      • Set a new, clean Restore Point.

-----------------

Let's clear out the programs we've been using to clean up your computer, they are not suitable for
general malware removal and could cause damage if launched accidentally.

Please download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished exit out of OTMoveIt2

------------------

If you don't have CCleaner then download and install it HERE.

Run CCleaner.

------------------

Here are some great tools to help you keep from getting infected again.

Spybot Search & Destroy - A safe and effective spyware scanner.
* Official Spybot Tutorial
* Spybot FAQ

AVG Anti-Spyware Free Edition - Very reliable with a high detection rate.
* AVG Anti-Spyware User Manual

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* SpywareBlaster Tutorial

Comodo BOClean - Stops trojans and many more malicious attacks.

Use a Firewall - It can not be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
* Click here for a list of free firewalls.

UPDATE UPDATE UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed.
* Help with Windows updates

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?



Let us know if anything else comes up. :cool:
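As an added example (not part of the original thread, and not ComboFix's own code), the two Explorer settings that the "Combofix /u" step puts back, plus a fresh restore point, written as a PowerShell script that applies them and then checks the result. It assumes PowerShell 2.0 or later run from an elevated prompt; the restore point description is an assumed value.

```powershell
# Added example, not ComboFix's code: reapply the Explorer view settings that
# "Combofix /u" restores (extensions hidden, hidden and system files hidden),
# create a clean System Restore point, and verify both.
# Requires PowerShell 2.0+ and an elevated prompt (Checkpoint-Computer needs admin).

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Desired state of the documented Explorer\Advanced values:
#   HideFileExt = 1  -> extensions for known file types hidden
#   Hidden      = 2  -> hidden files and folders not shown
#   ShowSuperHidden = 0 -> protected operating-system files not shown
$desired = @{
    HideFileExt     = 1
    Hidden          = 2
    ShowSuperHidden = 0
}

function Set-ExplorerHardening {
    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $advanced -Name $name -Value $desired[$name] -Type DWord
    }
}

function Test-ExplorerHardening {
    # Returns $true only if every value matches; lists the mismatches otherwise.
    $current = Get-ItemProperty -Path $advanced
    $bad = @()
    foreach ($name in $desired.Keys) {
        if ($current.$name -ne $desired[$name]) {
            $bad += "$name=$($current.$name)"
        }
    }
    if ($bad.Count -eq 0) { return $true }
    Write-Warning ("Explorer settings still differ: " + ($bad -join ', '))
    return $false
}

function New-CleanRestorePoint {
    # Description is an assumed label. Windows throttles restore-point creation
    # (one per 24 hours by default on newer versions); the cmdlet then returns
    # without creating a new point, so the caller checks the latest point's name.
    Checkpoint-Computer -Description 'Post malware cleanup' -RestorePointType MODIFY_SETTINGS
    $latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
    return $latest.Description
}

Set-ExplorerHardening
if (-not (Test-ExplorerHardening)) {
    throw 'Explorer hardening values were not applied'
}
# Explorer windows only pick the new values up after Explorer is restarted or the
# user logs off and on again.
$rp = New-CleanRestorePoint
Write-Output "Latest restore point: $rp"
```

If the last line does not print "Post malware cleanup", an existing recent restore point stopped a new one from being created; that is expected on a system where a point was made in the previous 24 hours.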
 

M0LD0V4N

New Member
I fixed mine a different way, but it was like 3 months ago.
I fixed mine by downloading SAS, scanned and found core.cache.dsk as a rootkit.
I deleted it with SAS and then did a restart... but I restarted into Safe Mode and ran a scan with SAS and ComboFix. They all came up clean, so I restarted the computer and core.cache.dsk was erased... Since then no popups or core.cache.dsk.
 

Hey it's me

New Member
Thanks M0ld0, that was actually attempted; it didn't work for me.
Fortunately, it was cracked and beaten down by the good guys here!

Evil, if you're still looking at this thread, can you tell me one more thing: should I, and how do I, remove SmitfraudFix from my computer? There's no uninstall icon.

Thanks!
 