View Full Version : smitfraud-c.coreservice
blaubaer
2008-01-21, 10:50
Hello,
I´v got the same problem as GOREgasm (http://forums.spybot.info/showthread.php?t=22868&)
Spybot found smitfraud-c.coreservice in core.cache.dsk (windows/system32/drivers) but everytime i delete/restart it appears again.
I read some Threads here and tried a few things but nothing helped
I´ll post my HJT logfile (Kaspersky Online Virus Scanner doesnt work for me), hope you can help me in a way
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:45, on 21.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - c:\xampp\apache\bin\apache.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 4714 bytes
ps.:please excuse if my english :P
blaubaer
2008-01-21, 10:53
please excuse if my english is bad no edit-button.. :fear:
blaubaer
2008-01-21, 21:40
sry for tripple post but now i have the kaspersky online log if you need it (xp-antispy prevented it...)
maybe its not important but i forgot to tell that i-net-explorer pops up with strange urls irregular
pskelley
2008-01-23, 16:33
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
I may want the Kaspersky scan later.
If your issue is not resolved, read and follow the directions carefully, the tool will not work unless you do.
tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
blaubaer
2008-01-24, 12:21
ComboFix 08-01-23.2 - Andre 2008-01-24 12:02:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.669 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Andr‚\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . Nicht in der Lage zu löschen
.
((((((((((((((((((((((( Dateien erstellt von 2007-12-24 bis 2008-01-24 ))))))))))))))))))))))))))))))
.
2008-01-24 12:07 . 2008-01-24 12:07 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-21 16:26 . 2008-01-21 16:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 10:24 . 2008-01-21 10:24 2,608 --a------ C:\WINDOWS\system32\settings.aaw
2008-01-21 10:24 . 2008-01-21 10:24 896 --a------ C:\WINDOWS\system32\history.aaw
2008-01-21 10:20 . 2008-01-21 10:20 <DIR> d-------- C:\Programme\Trend Micro
2008-01-21 10:13 . 2008-01-21 10:26 <DIR> d-------- C:\Programme\SUPERAntiSpyware
2008-01-21 07:24 . 2008-01-21 07:24 <DIR> d-------- C:\Programme\Lavasoft
2008-01-21 07:23 . 2008-01-21 10:13 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-01-20 21:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 20:48 . 2008-01-20 20:48 <DIR> d-------- C:\VundoFix Backups
2008-01-20 18:36 . 2008-01-20 18:36 86,144 --a------ C:\WINDOWS\system32\drivers\PRISMA000.sys
2008-01-20 17:40 . 2008-01-20 17:40 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-01-16 19:46 . 2008-01-20 21:05 <DIR> d-------- C:\Programme\Raxco
2008-01-13 20:57 . 2008-01-19 00:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-13 20:57 . 2008-01-13 20:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-02 19:35 . 2008-01-02 19:35 858,534 --a------ C:\Clipboard01.bmp
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 10:51 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-01-23 20:48 --------- d-----w C:\Programme\Steam
2008-01-23 10:43 --------- d-----w C:\Programme\World of Warcraft
2008-01-21 07:38 --------- d-----w C:\Programme\a-squared Free
2008-01-20 21:15 --------- d-----w C:\Programme\SpywareBlaster
2008-01-17 20:08 --------- d-----w C:\Programme\UI Central
2008-01-16 19:50 --------- d-----w C:\Programme\Netzwerkdaten
2008-01-12 16:00 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-01-08 10:31 --------- d-----w C:\Programme\DivX
2007-12-17 15:40 --------- d-----w C:\Programme\JetAudio
2007-12-17 09:10 --------- d-----w C:\Programme\Gemeinsame Dateien\COWON
2007-12-06 20:48 --------- d-----w C:\Programme\Derive 6
2007-11-28 09:42 --------- d-----w C:\Programme\Warcraft III
.
((((((((((((((((((((((((((((( snapshot@2008-01-20_21.28.22.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 20:15:17 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 11:02:11 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 20:15:17 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 11:02:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 20:15:17 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 11:02:11 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 20:15:17 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 11:02:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 20:15:17 12,689,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-24 11:02:11 12,906,496 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 20:15:17 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 11:02:11 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-11-25 17:58:23 6,687 ----a-w C:\WINDOWS\mozver.dat
+ 2008-01-22 14:33:17 7,175 ----a-w C:\WINDOWS\mozver.dat
+ 2007-07-11 12:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 11:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 11:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-14 10:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:57 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-02 07:29 249896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:57 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programme\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programme\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programme\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Programme\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"pr2agqwb"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent"="C:\Programme\BitTorrent\bittorrent.exe" --force_start_minimized
"DAEMON Tools"="C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SunJavaUpdateSched"="C:\Programme\Java\jre1.5.0_08\bin\jusched.exe"
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
R1 PRISMA000;PRISMA000;C:\WINDOWS\system32\drivers\PRISMA000.sys [2008-01-20 18:36]
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-06-05 12:04]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-06-12 12:47]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;C:\Programme\Testit\Letit\VMLaunch\BuddyVM.sys []
S2 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" []
S3 Intels51;Creatix V.9X DSP Data Fax Modem;C:\WINDOWS\system32\DRIVERS\ctxs51.sys [2003-05-22 21:44]
S3 pnicml;pnicml;C:\DOKUME~1\ANDR~1\LOKALE~1\Temp\pnicml.sys []
S3 PRISM_A00;PRISM 802.11g Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys [2004-01-16 09:31]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-07-26 20:57]
S4 ps6agqwb;Loki Synchronization Driver (ps6agqwb);C:\WINDOWS\system32\drivers\ps6agqwb.sys [2007-07-04 17:06]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 12:07:49
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
blaubaer
2008-01-24, 12:22
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - c:\xampp\apache\bin\apache.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 4878 bytes
blaubaer
2008-01-24, 12:23
ComboFix created a catchme.log and a catchme.zip
the log:
file zipped: C:\WINDOWS\system32\drivers\core.cache.dsk -> catchme.zip -> core.cache.dsk ( 167545 bytes )
error: C:\WINDOWS\system32\drivers\core.cache.dsk is not a PE file
PE file "C:\WINDOWS\system32\drivers\core.cache.dsk" killed successfully
pskelley
2008-01-24, 14:18
Thanks for posting your information and the feedback. Because malware is constantly changing, sUBs is constantly changing this tool, but I am not aware that will remove the problem. Let's be sure like this:
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
PRISMA000
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\PRISMA000.sys
Folder::
C:\VundoFix Backups
Save this as
CFScript
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Thanks
blaubaer
2008-01-24, 21:21
ComboFix 08-01-23.2 - Andre 2008-01-24 20:32:03.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.748 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Andr‚\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Andr‚\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\PRISMA000.sys
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\PRISMA000.sys
.
---- Previous Run -------
.
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . Nicht in der Lage zu löschen
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_PRISMA000
-------\PRISMA000
((((((((((((((((((((((( Dateien erstellt von 2007-12-24 bis 2008-01-24 ))))))))))))))))))))))))))))))
.
2008-01-21 16:26 . 2008-01-21 16:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-21 10:24 . 2008-01-21 10:24 2,608 --a------ C:\WINDOWS\system32\settings.aaw
2008-01-21 10:24 . 2008-01-21 10:24 896 --a------ C:\WINDOWS\system32\history.aaw
2008-01-21 10:20 . 2008-01-21 10:20 <DIR> d-------- C:\Programme\Trend Micro
2008-01-21 10:13 . 2008-01-21 10:26 <DIR> d-------- C:\Programme\SUPERAntiSpyware
2008-01-21 07:24 . 2008-01-21 07:24 <DIR> d-------- C:\Programme\Lavasoft
2008-01-21 07:23 . 2008-01-21 10:13 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-01-20 21:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-20 17:40 . 2008-01-20 17:40 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-01-16 19:46 . 2008-01-20 21:05 <DIR> d-------- C:\Programme\Raxco
2008-01-13 20:57 . 2008-01-19 00:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-13 20:57 . 2008-01-13 20:57 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-02 19:35 . 2008-01-02 19:35 858,534 --a------ C:\Clipboard01.bmp
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 11:55 --------- d-----w C:\Programme\Steam
2008-01-24 10:51 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-01-23 10:43 --------- d-----w C:\Programme\World of Warcraft
2008-01-21 07:38 --------- d-----w C:\Programme\a-squared Free
2008-01-20 21:15 --------- d-----w C:\Programme\SpywareBlaster
2008-01-17 20:08 --------- d-----w C:\Programme\UI Central
2008-01-16 19:50 --------- d-----w C:\Programme\Netzwerkdaten
2008-01-12 16:00 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-01-08 10:31 --------- d-----w C:\Programme\DivX
2007-12-17 15:40 --------- d-----w C:\Programme\JetAudio
2007-12-17 09:10 --------- d-----w C:\Programme\Gemeinsame Dateien\COWON
2007-12-06 20:48 --------- d-----w C:\Programme\Derive 6
2007-11-28 09:42 --------- d-----w C:\Programme\Warcraft III
.
((((((((((((((((((((((((((((( snapshot@2008-01-20_21.28.22.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 20:15:17 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 19:31:51 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 20:15:17 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 19:31:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-20 20:15:17 1,425,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 19:31:51 1,429,504 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 20:15:17 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 19:31:51 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-20 20:15:17 12,689,408 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-24 19:31:52 12,910,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-20 20:15:17 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 19:31:52 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-11-25 17:58:23 6,687 ----a-w C:\WINDOWS\mozver.dat
+ 2008-01-22 14:33:17 7,175 ----a-w C:\WINDOWS\mozver.dat
+ 2007-07-11 12:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 11:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 11:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-14 10:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:57 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-02 07:29 249896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:57 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programme\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programme\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programme\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 15:57 282624 C:\Programme\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"pr2agqwb"=2 (0x2)
"BlueSoleil Hid Service"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent"="C:\Programme\BitTorrent\bittorrent.exe" --force_start_minimized
"DAEMON Tools"="C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SunJavaUpdateSched"="C:\Programme\Java\jre1.5.0_08\bin\jusched.exe"
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-06-05 12:04]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-06-12 12:47]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;C:\Programme\Testit\Letit\VMLaunch\BuddyVM.sys []
S2 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" []
S3 Intels51;Creatix V.9X DSP Data Fax Modem;C:\WINDOWS\system32\DRIVERS\ctxs51.sys [2003-05-22 21:44]
S3 pnicml;pnicml;C:\DOKUME~1\ANDR~1\LOKALE~1\Temp\pnicml.sys []
S3 PRISM_A00;PRISM 802.11g Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys [2004-01-16 09:31]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2006-07-26 20:57]
S4 ps6agqwb;Loki Synchronization Driver (ps6agqwb);C:\WINDOWS\system32\drivers\ps6agqwb.sys [2007-07-04 17:06]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 21:18:13
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
blaubaer
2008-01-24, 21:22
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:22, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - c:\xampp\apache\bin\apache.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 4878 bytes
blaubaer
2008-01-24, 21:25
again the catchme.log (dont know if its necessary) :
file zipped: C:\WINDOWS\system32\drivers\core.cache.dsk -> catchme.zip -> core.cache.dsk ( 167545 bytes )
error: C:\WINDOWS\system32\drivers\core.cache.dsk is not a PE file
PE file "C:\WINDOWS\system32\drivers\core.cache.dsk" killed successfully
file zipped: C:\WINDOWS\system32\drivers\PRISMA000.sys -> catchme.zip -> PRISMA000.sys ( 86144 bytes )
file "C:\WINDOWS\system32\drivers\PRISMA000.sys" replaced successfully
file zipped: C:\WINDOWS\system32\drivers\core.cache.dsk -> catchme.zip -> core.cache.dsk ( 167545 bytes )
error: C:\WINDOWS\system32\drivers\core.cache.dsk is not a PE file
PE file "C:\WINDOWS\system32\drivers\core.cache.dsk" killed successfully
file zipped: C:\WINDOWS\system32\drivers\core.cache.dsk -> catchme.zip -> core.cache.dsk ( 167545 bytes )
error: C:\WINDOWS\system32\drivers\core.cache.dsk is not a PE file
PE file "C:\WINDOWS\system32\drivers\core.cache.dsk" killed successfully
pskelley
2008-01-24, 21:34
Thanks for returning your information, everything looks good, any malware issues?
These lines can be removed with HJT if you did not set them that way?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
Let me know if you want those removed, they are not malware. You saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
If you wish to install "Recovery Console, now is the time to do so. This information explains what it is and what it does and how to install it. Start reading here:
How to install and use the Windows XP Recovery Console
Let me know, I would like to run a Kaspersky scan but wish to remove combofix first.
Thanks
blaubaer
2008-01-24, 22:32
That was all? x_X Cant believe it!
Thx a lot lot lot if this is real :-D
ps.:About the Recovery Console...It´s working for me, dont know why ComboFix complains :O
pps: blank i-explorer start page is allright, if this is meant with
...\Main,Start Page = about:blank
pskelley
2008-01-24, 22:48
Sounds good, let's have Kaspersky Online Scan take a look and get you on your way:cowboy:
Delete combofix and the C:\qoodox\quarantine\ folder and then use these settings.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Thanks
blaubaer
2008-01-24, 23:39
Kaspersky is at 20%, but i have to go to school in ~7 Hours... So i will finish the scan tommorow. Hope you understand ;)
Thanks again for help. Everything seems fine so far
pskelley
2008-01-24, 23:42
No problem:bigthumb: post the report only if you have questions, here is the closing information.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.