Thread: PLEASE HELP. Can't Remove Smitfraud-C.CoreService

  1. #1
    Junior Member (Join Date: Nov 2007, Posts: 3)

    PLEASE HELP. Can't Remove Smitfraud-C.CoreService

    I'm having a problem: whenever I open Opera, I get pop-ups opening in Internet Explorer, and Spybot can't delete Smitfraud-C.CoreService.

    PLEASE HELP ME

    Here is my log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:44:14 PM, on 11/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
    O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189398406289
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    --
    End of file - 7373 bytes

  2. #2
    Security Expert: Visiting Fellow (Join Date: Jul 2007, Posts: 703)

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

  3. #3
    Junior Member (Join Date: Nov 2007, Posts: 3)

    Here is my Report.txt and my HJT log:

    ///////HJT LOG///////
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:36:00 PM, on 11/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\system32\ZuneBusEnum.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
    O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O10 - Unknown file in Winsock LSP: winrnr2.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189398406289
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemp...veSecurity.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    --
    End of file - 7352 bytes

  4. #4
    Junior Member (Join Date: Nov 2007, Posts: 3)

    ///////SDFix Log///////

    SDFix: Version 1.115

    Run by Administrator on Fri 11/23/2007 at 07:03 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    core

    Path:
    system32\drivers\core.sys

    core - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...

    Service xpdx - Deleted after Reboot

    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\D.EXE - Deleted
    C:\815134~1 - Deleted
    C:\WINDOWS\XELSZGNU.exe.tmp - Deleted
    C:\d.exe - Deleted
    C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
    C:\WINDOWS\system32\drivers\core.sys - Deleted
    C:\WINDOWS\system32\win\klog.dat - Deleted
    C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
    C:\WINDOWS\system32\xpdx.sys - Deleted




    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-23 19:13:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Liquid.6\\Program\\RM.exe"="C:\\Program Files\\Liquid.6\\Program\\RM.exe:*:Enabled:Render Manager"
    "C:\\Program Files\\Liquid.6\\Program\\Studiou.mod"="C:\\Program Files\\Liquid.6\\Program\\Studiou.mod:*:Enabled:Liquid"
    "C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\\Program Files\\eXeem\\eXeem.exe"="C:\\Program Files\\eXeem\\eXeem.exe:*:Enabled:eXeem"
    "C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Enabled:SoulSeek Client"
    "C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
    "C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"="C:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe:*:Enabled:Dreamweaver MX"
    "C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"="C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp:*:Enabled:KazaaLite"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
    "C:\\Program Files\\AIM\\daclone.exe"="C:\\Program Files\\AIM\\daclone.exe:*:Enabled:AOL Instant Messenger"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealPlayer"
    "C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
    "C:\\Program Files\\XLink Kai Evolution 7\\kaiLaunch.exe"="C:\\Program Files\\XLink Kai Evolution 7\\kaiLaunch.exe:*:Enabled:XLink Kai Evolution 7 Launcher"
    "C:\\Program Files\\XLink Kai Evolution 7\\kaiLaunchTemp.exe"="C:\\Program Files\\XLink Kai Evolution 7\\kaiLaunchTemp.exe:*:Enabled:XLink Kai Evolution 7 Launcher"
    "C:\\Program Files\\XLink Kai Evolution 7\\kaiEngine.exe"="C:\\Program Files\\XLink Kai Evolution 7\\kaiEngine.exe:*:Enabled:XLink Kai Evolution 7 Engine"
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\neXBC\\neXBC.exe"="C:\\Program Files\\neXBC\\neXBC.exe:*:Enabled:XBConnect"
    "C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
    "C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
    "C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
    "C:\\Program Files\\GlobalSCAPE\\CuteFTP Pro\\TE\\ftpte.exe"="C:\\Program Files\\GlobalSCAPE\\CuteFTP Pro\\TE\\ftpte.exe:*:Enabled:FTP Transfer Engine"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\XBC\\neXBC.exe"="C:\\Program Files\\XBC\\neXBC.exe:*:Enabled:XBConnect"
    "C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\Soulseek-Test\\slsk.exe"="C:\\Program Files\\Soulseek-Test\\slsk.exe:*:Enabled:SoulSeek"
    "C:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe"="C:\\Program Files\\Proxy Switcher Standard\\ProxySwitcher.exe:*:Enabled:Proxy Switcher"
    "C:\\Program Files\\Invisible Browsing\\InvisibleBrowsing.exe"="C:\\Program Files\\Invisible Browsing\\InvisibleBrowsing.exe:*:Enabled:Invisible Browsing"
    "C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:Nero ProductSetup"
    "C:\\Documents and Settings\\Jordan F\\Local Settings\\Temp\\Nero Web\\SetupXu.exe"="C:\\Documents and Settings\\Jordan F\\Local Settings\\Temp\\Nero Web\\SetupXu.exe:*:Enabled:Nero ProductSetup"
    "C:\\Program Files\\NewsBin\\nbpro.exe"="C:\\Program Files\\NewsBin\\nbpro.exe:*:Enabled:Newsbin"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Thu 27 Nov 2003 56 A.SH. --- "C:\redir.sys"
    Fri 11 Jan 2030 1,537 A.SH. --- "C:\WINDOWS\page files\maxmeg.sys"
    Tue 20 Jan 2004 56 ..SHR --- "C:\WINDOWS\system32\6CC1AFD893.sys"
    Sun 8 Feb 2004 2,828 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
    Sat 29 Nov 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sat 29 Nov 2003 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
    Wed 1 Aug 2007 37,888 ...H. --- "C:\Documents and Settings\Jordan F\My Documents\~WRL0231.tmp"
    Sun 21 Jul 2002 418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
    Fri 19 Jul 2002 390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
    Fri 19 Jul 2002 574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
    Tue 20 Aug 2002 430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
    Tue 23 Jul 2002 390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
    Fri 22 Nov 2002 399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
    Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
    Fri 19 Jul 2002 388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
    Fri 19 Jul 2002 388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
    Thu 5 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Mon 5 May 2003 348,160 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\AACMP4.EXE"
    Sat 20 Jul 2002 45,056 A..H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\AC3ENC.DLL"
    Wed 20 Feb 2002 98,304 A..H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\AZID.DLL"
    Thu 7 Feb 2002 94,208 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\lpaccodec.dll"
    Fri 2 Feb 2001 40,960 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\lpac_codec_api.dll"
    Tue 13 Apr 2004 212,992 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\OFR.EXE"
    Fri 17 Jan 2003 278,528 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\PNCRT.dll"
    Mon 5 May 2003 16,384 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\RMADEC.EXE"
    Sun 21 Jul 2002 45,056 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\AC3\AC3ENC.DLL"
    Wed 20 Feb 2002 98,304 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\AC3\AZID.DLL"
    Fri 11 Apr 2003 73,766 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\atrc3260.dll"
    Fri 11 Apr 2003 45,099 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\auth3260.dll"
    Fri 11 Apr 2003 65,575 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\cook3260.dll"
    Fri 11 Apr 2003 102,437 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv13260.dll"
    Fri 11 Apr 2003 176,165 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv23260.dll"
    Fri 11 Apr 2003 208,935 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv33260.dll"
    Fri 11 Apr 2003 217,127 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\drv43260.dll"
    Tue 15 Apr 2003 976,896 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnen3260.dll"
    Fri 11 Apr 2003 348,203 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnvi3260.dll"
    Fri 11 Apr 2003 53,289 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\pnxr3260.dll"
    Fri 11 Apr 2003 45,101 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\ramf3260.dll"
    Fri 11 Apr 2003 135,213 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rare3260.dll"
    Mon 14 Oct 2002 57,344 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rims3290.dll"
    Fri 11 Apr 2003 163,885 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmff3260.dll"
    Mon 14 Oct 2002 737,280 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmse3290.dll"
    Mon 14 Oct 2002 245,760 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rmwr3260.dll"
    Fri 11 Apr 2003 245,805 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rnlt3260.dll"
    Mon 14 Oct 2002 245,760 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rorw3290.dll"
    Mon 14 Oct 2002 114,688 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtae3290.dll"
    Mon 14 Oct 2002 65,536 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtin3290.dll"
    Mon 14 Oct 2002 163,840 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rtve3290.dll"
    Fri 11 Apr 2003 45,093 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv103260.dll"
    Fri 11 Apr 2003 98,341 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv203260.dll"
    Fri 11 Apr 2003 94,247 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv303260.dll"
    Fri 11 Apr 2003 90,151 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rv403260.dll"
    Fri 11 Apr 2003 159,785 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\rvre3260.dll"
    Mon 14 Oct 2002 102,400 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\sipr3260.dll"
    Fri 11 Apr 2003 61,485 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\smpl3260.dll"
    Fri 11 Apr 2003 106,541 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\vsrl3260.dll"
    Fri 11 Apr 2003 86,061 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\xmlp3261.dll"
    Fri 11 Apr 2003 159,787 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Common\zipf3260.dll"
    Sun 23 Feb 2003 64,512 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\MusePack\MPPDEC.EXE"
    Sat 26 Oct 2002 79,360 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\MusePack\MPPENC.EXE"
    Mon 4 Mar 2002 352,299 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\PsyTEL\AACENC.EXE"
    Mon 5 May 2003 348,160 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\PsyTEL\AACMP4.EXE"
    Mon 4 Mar 2002 221,184 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\PsyTEL\FASTENC.EXE"
    Thu 6 Sep 2001 688,128 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\PsyTEL\IA32MATH.DLL"
    Fri 14 Feb 2003 910,152 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Shorten\CYGWIN1.DLL"
    Sun 20 Apr 2003 60,928 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Shorten\SHORTEN.EXE"
    Wed 8 Oct 2003 75,264 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Speex\speexdec.exe"
    Wed 8 Oct 2003 77,312 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\Speex\speexenc.exe"
    Tue 18 Feb 2003 103,936 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\WavPack\WAVPACK.EXE"
    Tue 18 Feb 2003 102,912 ...H. --- "C:\Program Files\Common Files\Ahead\AudioPlugins\WavPack\WVUNPACK.EXE"

    Finished!

  5. #5
    Security Expert: Visiting Fellow (Join Date: Jul 2007, Posts: 703)

    Then please upload this file:

    C:\WINDOWS\system32\winrnr2.dll

    To either Jotti or VirusTotal, and post the results as a reply to this topic.
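
As an added example (not code from HijackThis, SDFix or anyone in this thread), a small Python triage script for the log format above: it parses the numbered HijackThis entries, flags the kinds of lines the expert reacts to (O10 unknown Winsock LSP files, O2/O3 hooks whose file is missing, O23 services with no owner) and diffs a before/after pair so that whatever a cleanup run left behind stands out. The two embedded logs are constructed excerpts modelled on the logs posted above; the xpdx service entry is made up to stand in for what the cleanup removed.

```python
"""Triage helper for HijackThis v2.0.2 logs.

Example code added for this thread; not part of HijackThis, SDFix or any
poster's output.  Parses the numbered entries (O2, O10, O23, ...), flags the
ones an analyst reads first and diffs a before/after pair.
"""
import re
from collections import Counter

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# HijackThis appends these markers when a registered hook's file is gone.
MISSING_MARKERS = ("(no file)", "(file missing)")
LSP_PREFIX = "Unknown file in Winsock LSP: "

# Constructed excerpt of a log taken before the cleanup run (paths shortened).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:14 PM, on 11/23/2007

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\TSToolbar.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: winrnr2.dll
O10 - Unknown file in Winsock LSP: winrnr2.dll
O10 - Unknown file in Winsock LSP: winrnr2.dll
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: xpdx - Unknown owner - C:\WINDOWS\system32\xpdx.sys
"""

# Constructed excerpt of the log taken after the cleanup run: the made-up
# xpdx service is gone, the unknown LSP file is still there.
LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:00 PM, on 11/23/2007

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\TSToolbar.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: winrnr2.dll
O10 - Unknown file in Winsock LSP: winrnr2.dll
O10 - Unknown file in Winsock LSP: winrnr2.dll
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""


def parse_hjt(text):
    """Return (section, body) pairs; the header and the unnumbered
    'Running processes' block are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Group the entries a human should look at first.

    unknown_lsp        -> Counter of file names HijackThis could not identify
                          in the Winsock LSP chain (one O10 line per catalog
                          entry, which is why the same file repeats).
    missing_file_hooks -> O2/O3/O9 hooks still registered although the file is
                          gone; leftover registry entries to clean up.
    unowned_services   -> O23 services with no vendor string; not proof of
                          anything, but worth checking against the install base.
    """
    out = {"unknown_lsp": Counter(), "missing_file_hooks": [], "unowned_services": []}
    for section, body in entries:
        if section == "O10" and body.startswith(LSP_PREFIX):
            out["unknown_lsp"][body[len(LSP_PREFIX):].strip()] += 1
        elif section in ("O2", "O3", "O9") and body.endswith(MISSING_MARKERS):
            out["missing_file_hooks"].append(body)
        elif section == "O23" and " - Unknown owner - " in body:
            out["unowned_services"].append(body)
    return out


def _unique(seq):
    seen, out = set(), []
    for item in seq:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def diff_logs(before_text, after_text):
    """What the cleanup removed, what is new, and which unknown LSP files
    survived it (those are the next thing to get checked)."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    before_set, after_set = set(before), set(after)
    flagged_before, flagged_after = triage(before), triage(after)
    persisting = sorted(set(flagged_before["unknown_lsp"]) & set(flagged_after["unknown_lsp"]))
    return {
        "removed": _unique(e for e in before if e not in after_set),
        "added": _unique(e for e in after if e not in before_set),
        "persisting_lsp": persisting,
        "after": flagged_after,
    }


def report(before_text, after_text):
    """One line per finding, in the order an analyst would read them."""
    d = diff_logs(before_text, after_text)
    lines = [f"removed  {sec} - {body}" for sec, body in d["removed"]]
    lines += [f"new      {sec} - {body}" for sec, body in d["added"]]
    for name in d["persisting_lsp"]:
        n = d["after"]["unknown_lsp"][name]
        lines.append(f"STILL    O10 unknown LSP {name} ({n} catalog entries): get the file checked")
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_BEFORE, LOG_AFTER)))
```

Run it on two real logs (read from files instead of the embedded strings) to see which entries a fix tool actually removed; on the pair in this thread the O10 winrnr2.dll lines survive SDFix, which is exactly why the file itself is the next thing to inspect.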