# TratBHO and Smitfraud (core.cache.dsk) HELLLLLP! please



## Hey it's me (Jan 14, 2008)

I have been infected with TratBHO and Smitfraud. I have downloaded numerous fixes but nothing is working!! I'm trying to avoid reinstalling my OS. I have Avast, SmitfraudFix, HijackThis, Norton 2004, Ad-Aware 2007, AVG and... I have tried numerous times to clean them out!
I am sooo frustrated! I can't delete, no how, no way, the core.cache.dsk file in my drivers folder (which I know is the Smitfraud *******!). TratBHO had come up in one of my searches and I checked the boxes with BHO files and they were deleted, but I still am getting pop-ups and warnings. I've also been in safe mode. Didn't do anything.

Please help me! I'm losing my mind! I use Firefox (sometimes I have no choice BUT to use IE though) and IE keeps popping up randomly. I fear something terrible is looming in this virus and it will either hack into my computer and steal private info or cause a crash. Not sure if I should just throw it all in and reinstall.


Here's the latest result of SmitfraudFix:

SmitFraudFix v2.274

Scan done at 10:26:46.14, Mon 01/14/2008
Run from C:\Documents and Settings\Eve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avast4\Alwil Software\ashSimpl.exe
C:\Program Files\Eusing Free Registry Cleaner\Regcleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\rundll32.exe
D:\NU\NDD32.EXE
C:\WINDOWS\system32\rundll32.exe
D:\NSWSETUP.EXE
C:\WINDOWS\system32\msiexec.exe
D:\Support\Prescan\Prescan.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eve


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eve\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Eve\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



thanks


----------



## evilfantasy (Jan 14, 2008)

Need a Hijackthis log.

Download *HijackThis* (HJT)
Double-click on HJTInstall.
Click on the *Install* button.
It will automatically place HJT in *C:\Program Files\TrendMicro\HijackThis\HijackThis.exe*.
Upon install, HijackThis should open for you.

_If using Windows Vista, be sure to_ *Run As Administrator*
Click on the *Do a system scan and save a log file* button.
HijackThis will scan and then a log will open in Notepad.
*Copy and then paste the log in your post*.
*Don't* have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


----------



## Hey it's me (Jan 14, 2008)

Hi evil, that info I included in my post is FROM Hijackthis which I downloaded last night based on the postings I was reading on this site (you guys).  I'm confused.


----------



## Hey it's me (Jan 14, 2008)

Oops! No, it was off of SmitfraudFix... oy, I have downloaded so many spyware removals and virus removals I'm confused indeed!
I will post the HJT result...
Gimme a sec.


----------



## Hey it's me (Jan 14, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:51 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avast4\Alwil Software\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\WINDOWS\system32\fxssvc.exe
D:\NSWSETUP.EXE
D:\Support\Prescan\Prescan.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {A1C77420-D2AF-4A94-88DA-77CE0C551BED} - C:\WINDOWS\system32\xxyabaw.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Startup: Norton Disk Doctor.LNK = D:\NU\NDD32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxyabaw - C:\WINDOWS\SYSTEM32\xxyabaw.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 6497 bytes


----------



## Hey it's me (Jan 14, 2008)

Sorry it took so long; I was having trouble... (uhm, right... that's the issue consuming me!!) Where's the complete teary smiley...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:38 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avast4\Alwil Software\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\WINDOWS\system32\fxssvc.exe
D:\NSWSETUP.EXE
D:\Support\Prescan\Prescan.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avast4\Alwil Software\setup\avast.setup

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {A1C77420-D2AF-4A94-88DA-77CE0C551BED} - C:\WINDOWS\system32\xxyabaw.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Startup: Norton Disk Doctor.LNK = D:\NU\NDD32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: xxyabaw - C:\WINDOWS\SYSTEM32\xxyabaw.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 6522 bytes


----------



## evilfantasy (Jan 14, 2008)

No worries, we will get there eventually.


You still have some old Norton entries. Run the  *Norton Removal Tool* to remove everything left over.

----------

Open HijackThis and select *Do a system scan only* then place a check mark next to:

*O2 - BHO: (no name) - {A1C77420-D2AF-4A94-88DA-77CE0C551BED} - C:\WINDOWS\system32\xxyabaw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)*

Close all windows except for HijackThis and click *Fix checked*

Exit Hijackthis.

----------

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)
*Link #1*
 *Link #2*
 *Link #3*
*IMPORTANT* - Combofix.exe *MUST* be saved to your *Desktop*.
Close any open web browsers. (Firefox, Internet Explorer, etc.)
Close/disable *all anti-virus and anti-malware programs* so they do not interfere with Combofix. *<-- IMPORTANT*
_Click on *this link* to see a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask._

Double-click combofix.exe & follow the prompts.

_From the keyboard select *1* and press *Enter*_

When finished, it will produce a log for you.
*Post that log in your next reply.*
*Do not mouse-click Combofix's window while it's running.*
*The scan will temporarily disable your desktop. If interrupted it may leave your computer frozen. If this occurs, please reboot to restore the desktop.*
----------

Run a new Hijackthis scan and post the log.

----------

*Next post please add
Combofix log
New Hijackthis log*


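The O2/O20 pairing that the reply above singles out (the same xxyabaw.dll registered both as an Internet Explorer Browser Helper Object and as a Winlogon Notify package) is the kind of correlation worth automating before deciding what to have HijackThis fix. What follows is an added example, not code from this thread or from the HijackThis tool: a small triage routine over HijackThis 2.0 log lines. The sample lines are constructed from entries quoted in the logs above; the severity labels and rules are this example's own conventions, and the path handling is purely textual (it does not read the registry or the disk).

```python
"""Triage HijackThis 2.0 log lines for the persistence patterns seen in this thread.

Added example, not part of the thread or of HijackThis. Severity labels
("high", "medium", "review", "orphan") are this script's own convention.
"""
import re
from collections import defaultdict

# Constructed sample: O-lines copied from the HJT log posted above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {A1C77420-D2AF-4A94-88DA-77CE0C551BED} - C:\\WINDOWS\\system32\\xxyabaw.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\Avast4\\ALWILS~1\\ashDisp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\\WINDOWS\\system32\\shdocvw.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: xxyabaw - C:\\WINDOWS\\SYSTEM32\\xxyabaw.dll
O23 - Service: NMSAccessU - Unknown owner - C:\\Program Files\\iDumpPro\\NMSAccessU.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Avast4\\Alwil Software\\ashServ.exe
"""

# "O2 - ..." / "R1 - ..." entry lines; the running-process list has no such prefix.
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# First Windows path on the line that ends in a PE or driver extension.
# Paths may contain spaces, so match lazily up to the extension followed by
# whitespace or end of line.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe|sys))(?=\s|$)", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, text, path_or_None) for each HJT entry line."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, text = m.group(1), m.group(2)
        p = PATH_RE.search(text)
        yield section, text, (p.group(1) if p else None)


def basename(path):
    """Lower-cased file name, so C:\\WINDOWS\\SYSTEM32 and \\system32 compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of findings; each is a dict with section, severity, path, reason, line."""
    entries = list(parse_entries(log_text))

    # Which HJT sections reference each file name: used to correlate O2 with O20.
    refs = defaultdict(set)
    for section, _, path in entries:
        if path:
            refs[basename(path)].add(section)

    findings = []
    for section, text, path in entries:
        name = basename(path) if path else None
        if section == "O2":
            if name and "O20" in refs[name]:
                sev, why = "high", ("BHO DLL is also registered as a Winlogon Notify package, "
                                    "so winlogon loads it at every logon, not only IE")
            elif "(no name)" in text:
                sev, why = "medium", "BHO registered with no name"
            else:
                continue
        elif section == "O20":
            if name and "O2" in refs[name]:
                sev, why = "high", "Winlogon Notify DLL doubles as an IE BHO (same file)"
            else:
                sev, why = "review", "Winlogon Notify DLL runs inside winlogon.exe; confirm the publisher"
        elif section == "O9" and "(no file)" in text:
            sev, why = "orphan", "CLSID points to a file that no longer exists; harmless, safe to fix"
        elif section == "O23" and "Unknown owner" in text:
            sev, why = "review", "service binary carries no publisher string; verify the file"
        else:
            continue
        findings.append({"section": section, "severity": sev, "path": path,
                         "reason": why, "line": f"{section} - {text}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['line']}\n          {f['reason']}")
```

Run against a full HijackThis log the script ignores the process list and the R0/R1 browser-setting lines, flags both xxyabaw.dll entries as one linked finding pair, marks the dead CLSID button as an orphan, and leaves the avast! entries untouched. Everything it reports still needs a human decision, which is why it labels rather than deletes.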
----------



## Hey it's me (Jan 14, 2008)

OK, first off THANK YOU so much, Evil, for helping me. It's very much appreciated.
As for what's happening... it's such a mess! I swear I'm getting a Mac next time. In the meantime... I'm attaching the HJT log. I have noticed it's different. Not sure which thing did it since I have SOOO many things running and trying to hit the attack. One thing is the BHO file is not there any more; HOWEVER, I'm still getting IE pop-ups. I'll try and post the Combofix log too but I fear it may shut down my computer. That's what it seems to do??

Here's HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:24 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 5782 bytes


OH, and I need to see if the core.cache.dsk file is still in the Windows\system32\drivers folder. That's the Smitfraud bugger.


Oh, and as for Norton? I was running that off a disk. I didn't do anything more about it but take out the disk. It seems SUPERAntiSpyware may have been effective in some way??? (Or was it AVG, or Avast finally?) Or could Combofix have done something to remove that one BHO file?

OK, here's this post and I'll try and get the Combofix report too now...


----------



## evilfantasy (Jan 14, 2008)

After this I will need you to follow the steps in order: run Combofix first, then run a HijackThis scan.

It does more good to see a Hijackthis log _after_ the other tools have done their cleaning.

The log does look better, you can have Hijackthis fix this entry.

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

I am curious also if this was done by you?


> O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg


----------



## Hey it's me (Jan 14, 2008)

Here is the Combofix... I'm STILL getting those insidious IE pop-ups, especially ones from wallst.com (or something like that).
As to your question... I'm not literate enough to understand the inquiry. I know the path, but I'm not sure what I'm looking for.
Again, THANK YOU! I'm so grateful for this help. Even if it ends up that I have to reinstall Windows, I need guidance. This BITES!


ComboFix 08-01-14.4 - Eve 2008-01-14 14:34:20.2 - NTFSx86
Running from: C:\Documents and Settings\Eve\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-14 to 2008-01-14  )))))))))))))))))))))))))))))))
.

2008-01-14 14:42 . 2008-01-14 14:42	<DIR>	d----c---	C:\temp\tn3
2008-01-14 13:31 . 2000-08-31 08:00	51,200	--a--c---	C:\WINDOWS\NirCmd.exe
2008-01-14 12:19 . 2008-01-14 12:19	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-14 12:18 . 2008-01-14 14:19	<DIR>	d----c---	C:\Program Files\SUPERAntiSpyware
2008-01-14 12:18 . 2008-01-14 12:18	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\SUPERAntiSpyware.com
2008-01-14 09:27 . 2008-01-14 09:27	<DIR>	d----c---	C:\Program Files\Lavasoft
2008-01-14 09:27 . 2008-01-14 09:27	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 09:24 . 2008-01-14 12:16	<DIR>	d----c---	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 08:32 . 2008-01-14 14:41	932	-----c---	C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-13 22:05 . 2008-01-13 22:05	<DIR>	d----c---	C:\Program Files\Trend Micro
2008-01-13 21:38 . 2008-01-13 21:38	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\Grisoft
2008-01-13 21:38 . 2008-01-13 21:38	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 21:38 . 2007-05-30 07:10	10,872	--a--c---	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-13 21:30 . 2008-01-14 10:28	1,550	--a--c---	C:\WINDOWS\system32\tmp.reg
2008-01-13 21:26 . 2007-09-05 23:22	289,144	--a--c---	C:\WINDOWS\system32\VCCLSID.exe
2008-01-13 21:26 . 2006-04-27 16:49	288,417	--a--c---	C:\WINDOWS\system32\SrchSTS.exe
2008-01-13 21:26 . 2007-12-20 23:11	81,920	--a--c---	C:\WINDOWS\system32\IEDFix.exe
2008-01-13 21:26 . 2003-06-05 20:13	53,248	--a--c---	C:\WINDOWS\system32\Process.exe
2008-01-13 21:26 . 2004-07-31 17:50	51,200	--a--c---	C:\WINDOWS\system32\dumphive.exe
2008-01-13 21:26 . 2007-10-03 23:36	25,600	--a--c---	C:\WINDOWS\system32\WS2Fix.exe
2008-01-11 17:36 . 2008-01-11 18:22	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 17:14 . 2008-01-11 17:14	<DIR>	d----c---	C:\Program Files\Plato Video To PSP Converter
2008-01-11 16:49 . 2007-12-11 13:14	151,552	--a--c---	C:\WINDOWS\system32\rushlqll.exe
2008-01-11 16:49 . 2007-12-11 13:14	151,552	--a--c---	C:\WINDOWS\system32\bkmoopob.exe
2008-01-11 16:49 . 2007-12-13 12:25	139,264	--a--c---	C:\WINDOWS\system32\mobjchku.exe
2008-01-11 16:49 . 2008-01-11 16:49	54,033	--a--c---	C:\WINDOWS\system32\memouint.exe
2008-01-11 16:48 . 2008-01-11 16:48	86,016	--a--c---	C:\WINDOWS\system32\drivers\redbookk.sys
2008-01-11 16:47 . 2008-01-14 10:16	<DIR>	d----c---	C:\WINDOWS\system32\vt8
2008-01-11 16:47 . 2008-01-11 16:47	<DIR>	d----c---	C:\WINDOWS\system32\ob3
2008-01-11 16:47 . 2008-01-11 16:47	<DIR>	d----c---	C:\WINDOWS\system32\nz0
2008-01-11 16:47 . 2008-01-11 16:47	<DIR>	d----c---	C:\WINDOWS\system32\mp2
2008-01-11 16:47 . 2008-01-11 19:06	<DIR>	d----c---	C:\WINDOWS\system32\ez4
2008-01-11 16:47 . 2008-01-11 16:47	<DIR>	d----c---	C:\WINDOWS\system32\che9
2008-01-11 16:47 . 2008-01-11 16:47	692,149	--a--c---	C:\temp\liHco0109.exe
2008-01-11 16:46 . 2008-01-11 16:46	<DIR>	d----c---	C:\WINDOWS\system32\edcA16
2008-01-11 16:46 . 2008-01-11 16:47	<DIR>	d----c---	C:\temp\Ryuan1
2008-01-11 16:46 . 2008-01-11 16:46	111,835	--a--c---	C:\WINDOWS\system32\ope58.exe
2008-01-11 16:46 . 2008-01-11 16:46	0	--a--c---	C:\WINDOWS\system32\ope58.tmp
2008-01-11 16:44 . 2008-01-11 16:44	352,410	--a--c---	C:\WINDOWS\system32\ope4F.exe
2008-01-11 16:44 . 2008-01-11 16:44	0	--a--c---	C:\WINDOWS\system32\ope4F.tmp
2008-01-11 16:44 . 2008-01-11 16:44	0	--a--c---	C:\WINDOWS\ope55.tmp
2008-01-11 12:04 . 2008-01-11 15:52	54,156	--ah-c---	C:\WINDOWS\QTFont.qfn
2008-01-11 12:04 . 2008-01-11 12:04	1,409	--a--c---	C:\WINDOWS\QTFont.for
2008-01-11 12:03 . 2008-01-11 12:03	<DIR>	d----c---	C:\Program Files\iPod
2008-01-11 10:11 . 2008-01-11 15:12	<DIR>	d----c---	C:\Program Files\uTorrent
2008-01-11 10:10 . 2008-01-14 08:50	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\uTorrent
2008-01-10 12:40 . 2008-01-10 12:40	<DIR>	d----c---	C:\Program Files\MAPILab Ltd
2008-01-10 12:40 . 2008-01-10 12:40	<DIR>	d----c---	C:\Program Files\Common Files\MAPILab Ltd
2008-01-05 00:22 . 2008-01-05 00:22	<DIR>	d----c---	C:\Program Files\AWS
2008-01-04 10:09 . 2008-01-04 10:09	<DIR>	d----c---	C:\Program Files\Microsoft Silverlight
2008-01-03 19:34 . 2008-01-11 15:03	<DIR>	d----c---	C:\iPodMusic
2008-01-03 19:26 . 2008-01-03 19:26	<DIR>	d----c---	C:\Program Files\iDumpPro
2008-01-03 19:26 . 2008-01-03 19:26	1,521,113	--a--c---	C:\WINDOWS\iDumpPro Uninstaller.exe
2008-01-03 19:26 . 2008-01-03 19:26	3,120	--a--c---	C:\WINDOWS\system32\2bad2884-02a9-488c-9f8c-13fecc7c77f9.dll
2008-01-03 19:26 . 2008-01-03 19:26	3,120	--a--c---	C:\WINDOWS\db7a9e38-547e-4544-bf7c-a4beabe1c61a.ocx
2007-12-25 21:31 . 2007-12-25 21:31	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\EPSON
2007-12-23 14:35 . 2007-11-02 09:36	1,763,248	--a--c---	C:\WINDOWS\system32\Codejock.CommandBars.v11.2.1.ocx
2007-12-23 14:35 . 2007-11-02 09:37	518,064	--a--c---	C:\WINDOWS\system32\Codejock.SkinFramework.v11.2.1.ocx
2007-12-23 14:33 . 2007-10-02 05:47	849,920	--a--c---	C:\WINDOWS\system32\AdjMmsEng.dll
2007-12-23 14:33 . 2007-10-01 07:38	827,392	--a--c---	C:\WINDOWS\system32\asrecmms.ocx
2007-12-23 14:33 . 2007-10-01 05:43	425,984	--a--c---	C:\WINDOWS\system32\amp3dj.ocx
2007-12-20 09:16 . 2007-12-20 09:16	<DIR>	d----c---	C:\Program Files\MailWasher Pro

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 19:10	---------	dc----w	C:\Documents and Settings\Eve\Application Data\MailWasherPro
2008-01-14 15:19	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Symantec
2008-01-11 18:03	---------	dc----w	C:\Program Files\itunes
2008-01-11 17:01	---------	dc----w	C:\Program Files\QuickTime
2008-01-11 16:35	---------	dc----w	C:\Program Files\Microsoft Plus! Photo Story 2 LE
2008-01-11 16:34	---------	dc----w	C:\Program Files\Jasc Software Inc
2008-01-11 16:00	---------	dc----w	C:\Program Files\Dell
2008-01-11 15:35	---------	dc-h--w	C:\Program Files\InstallShield Installation Information
2008-01-11 15:35	---------	dc----w	C:\Program Files\Common Files\Nikon
2008-01-11 15:30	---------	dc----w	C:\Documents and Settings\Eve\Application Data\ArcSoft
2008-01-11 15:18	---------	dc----w	C:\Program Files\Azureus
2008-01-11 15:18	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Azureus
2008-01-09 20:41	---------	dc----w	C:\Program Files\Google
2008-01-08 02:06	---------	dc----w	C:\Program Files\WeatherBug
2007-12-07 17:30	---------	dc----w	C:\Documents and Settings\All Users\Application Data\SiComponents
2007-12-07 17:05	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Jasc Software Inc
2007-12-06 19:37	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Final Draft
2007-12-06 14:28	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Final Draft
2007-12-06 14:07	---------	dc----w	C:\Program Files\SteepAndCheap
2007-12-04 19:00	---------	dc----w	C:\Program Files\Eusing Free Registry Cleaner
2007-12-04 18:59	---------	dc----w	C:\Program Files\Skype
2007-12-04 16:33	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Skype
2007-12-04 14:56	93,264	-c--a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:56	32	-c--a-w	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-04 14:56	---------	dc----w	C:\Program Files\Common Files\Skype
2007-12-04 14:56	---------	dc----w	C:\Documents and Settings\Eve\Application Data\skypePM
2007-12-04 14:56	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Skype
2007-12-04 14:55	94,544	-c--a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53	23,152	-c--a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51	42,912	-c--a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49	26,624	-c--a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04	837,496	-c--a-w	C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54	95,608	-c--a-w	C:\WINDOWS\system32\AVASTSS.scr
2007-11-25 15:59	688	-c--a-w	C:\WINDOWS\Fonts\CompleteinHim-TOU.txt
2007-11-20 23:47	---------	dc----w	C:\Program Files\Soulseek
2007-11-07 09:26	721,920	-c--a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35	1,287,680	-c--a-w	C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40	227,328	-c--a-w	C:\WINDOWS\system32\wmasf.dll
2007-10-17 11:24	2,526,800	-c--a-w	C:\WINDOWS\Install_B4Playing.exe
2006-12-21 03:27	92,064	-c--a-w	C:\Documents and Settings\Eve\mqdmmdm.sys
2006-12-21 03:27	9,232	-c--a-w	C:\Documents and Settings\Eve\mqdmmdfl.sys
2006-12-21 03:27	79,328	-c--a-w	C:\Documents and Settings\Eve\mqdmserd.sys
2006-12-21 03:27	66,656	-c--a-w	C:\Documents and Settings\Eve\mqdmbus.sys
2006-12-21 03:27	6,208	-c--a-w	C:\Documents and Settings\Eve\mqdmcmnt.sys
2006-12-21 03:27	5,936	-c--a-w	C:\Documents and Settings\Eve\mqdmwhnt.sys
2006-12-21 03:27	4,048	-c--a-w	C:\Documents and Settings\Eve\mqdmcr.sys
2006-12-21 03:27	25,600	-c--a-w	C:\Documents and Settings\Eve\usbsermptxp.sys
2006-12-21 03:27	22,768	-c--a-w	C:\Documents and Settings\Eve\usbsermpt.sys
2006-03-24 15:18	56	-csh--r	C:\WINDOWS\system32\EBEAD39BB3.sys
2006-03-24 15:18	2,516	-csha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.
Files Infected -  Win32.Agent.zb
.

(((((((((((((((((((((((((((((   snapshot@2008-01-14_14.05.52.54   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-14 19:41:53	16,384	-c--atw	C:\WINDOWS\Temp\Perflib_Perfdata_618.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe" [2007-12-04 08:00 79224]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 05:00 158208]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\Eve\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher Pro\MailWasher.exe [2007-12-20 09:16:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SAC-Desktop-Alert.lnk]
backup=C:\WINDOWS\pss\SAC-Desktop-Alert.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eve^Start Menu^Programs^Startup^Norton Disk Doctor.LNK]
path=C:\Documents and Settings\Eve\Start Menu\Programs\Startup\Norton Disk Doctor.LNK
backup=C:\WINDOWS\pss\Norton Disk Doctor.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a--c--- 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\comup]
--a--c--- 2007-12-13 12:25 139264 C:\WINDOWS\system32\mobjchku.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a--c--- 2004-07-30 11:04 245760 C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 16:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2004-08-10 04:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX8400 Series]
--a--c--- 2007-02-15 06:00 179200 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-07-19 23:06 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-07-19 23:10 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-07-19 23:09 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCamPro.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-23 00:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a--c--- 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a--c--- 2007-07-18 20:04 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2005-06-07 13:58 1339392 C:\Program Files\WeatherBug\Weather.exe

R1 redbookk;redbookk;C:\WINDOWS\system32\drivers\redbookk.sys [2008-01-11 16:48]
R2 NMSAccessU;NMSAccessU;C:\Program Files\iDumpPro\NMSAccessU.exe [2007-10-12 04:34]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-29 20:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 14:42:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-01-14 14:46:15 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-14 19:46:12
ComboFix2.txt  2008-01-14 19:06:14
.
2008-01-09 20:46:04	--- E O F ---


----------



## Hey it's me (Jan 14, 2008)

OK Evil, I fixed the inquiry you made and the one you requested I fix, and here's the latest HJT log.
Mind you, I did some tweaking the other day when this virus hit. Stupid things like deleting programs I don't need and downloading things I thought I needed, but then realized they may have been the culprit (example... I heard Adobe Acrobat took up a lot of space and I tried to download Foxit. I'm suspicious that was it... not sure there were other things).



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:43 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe

--
End of file - 5511 bytes


----------



## evilfantasy (Jan 14, 2008)

Delete these files/folders, as follows:

1. Please *open Notepad*. It _must_ be Notepad, not Wordpad.

 Click *Start* , then *Run*
 Type *notepad.exe* in the Run Box.
2. Copy the quoted text below by highlighting all the text and pressing *Ctrl+C*



> KillAll::
> 
> Driver::
> core.cache.dsk
> ...



3. Go to the Notepad window and click *Edit* > *Paste*
4. Then click *File* > *Save*
5. Name the file *CFScript.txt* - Save the file to your Desktop
6. Then drag the *CFScript* (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. *Important:* Perform this instruction carefully!






ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: *Do not mouseclick combofix's window while it is running. That may cause your system to freeze*

----------

*Next post: Combofix log*


----------



## Hey it's me (Jan 14, 2008)

OK, here's the log as a result of your instructions. You should know that as soon as I opened Firefox to get to you, an IE window popped up. The problem is STILL alive. It's hard to believe it can survive such aggressive action. This is just so bad!



ComboFix 08-01-14.4 - Eve 2008-01-14 15:40:16.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.838 [GMT -5:00]
Running from: C:\Documents and Settings\Eve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eve\Desktop\CFScript.txt
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE
C:\temp\liHco0109.exe
C:\WINDOWS\ope55.tmp
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\memouint.exe
C:\WINDOWS\system32\mobjchku.exe
C:\WINDOWS\system32\ope4F.exe
C:\WINDOWS\system32\ope4F.tmp
C:\WINDOWS\system32\ope58.exe
C:\WINDOWS\system32\ope58.tmp
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\rushlqll.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\liHco0109.exe
C:\temp\Ryuan1
C:\temp\Ryuan1\tepU.log
C:\temp\tn3
C:\WINDOWS\ope55.tmp
C:\WINDOWS\system32\bkmoopob.exe
C:\WINDOWS\system32\che9
C:\WINDOWS\system32\che9\farstadcom2.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\edcA16
C:\WINDOWS\system32\edcA16\edcA162291.exe
C:\WINDOWS\system32\ez4
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\memouint.exe
C:\WINDOWS\system32\mobjchku.exe
C:\WINDOWS\system32\mp2
C:\WINDOWS\system32\nz0
C:\WINDOWS\system32\nz0\jetzcomz22.exe
C:\WINDOWS\system32\ob3
C:\WINDOWS\system32\ope4F.exe
C:\WINDOWS\system32\ope4F.tmp
C:\WINDOWS\system32\ope58.exe
C:\WINDOWS\system32\ope58.tmp
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\rushlqll.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\vt8
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2007-12-14 to 2008-01-14  )))))))))))))))))))))))))))))))
.

2008-01-14 15:46 . 2008-01-14 15:46	<DIR>	d----c---	C:\temp\tn3
2008-01-14 13:31 . 2000-08-31 08:00	51,200	--a--c---	C:\WINDOWS\NirCmd.exe
2008-01-14 12:19 . 2008-01-14 12:19	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-14 12:18 . 2008-01-14 15:13	<DIR>	d----c---	C:\Program Files\SUPERAntiSpyware
2008-01-14 12:18 . 2008-01-14 12:18	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\SUPERAntiSpyware.com
2008-01-14 09:27 . 2008-01-14 09:27	<DIR>	d----c---	C:\Program Files\Lavasoft
2008-01-14 09:27 . 2008-01-14 09:27	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 09:24 . 2008-01-14 12:16	<DIR>	d----c---	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 08:32 . 2008-01-14 15:45	932	-----c---	C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-13 22:05 . 2008-01-13 22:05	<DIR>	d----c---	C:\Program Files\Trend Micro
2008-01-13 21:38 . 2008-01-13 21:38	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\Grisoft
2008-01-13 21:38 . 2008-01-13 21:38	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 21:38 . 2007-05-30 07:10	10,872	--a--c---	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-11 17:36 . 2008-01-11 18:22	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 17:14 . 2008-01-11 17:14	<DIR>	d----c---	C:\Program Files\Plato Video To PSP Converter
2008-01-11 16:48 . 2008-01-11 16:48	86,016	--a--c---	C:\WINDOWS\system32\drivers\redbookk.sys
2008-01-11 12:04 . 2008-01-11 15:52	54,156	--ah-c---	C:\WINDOWS\QTFont.qfn
2008-01-11 12:04 . 2008-01-11 12:04	1,409	--a--c---	C:\WINDOWS\QTFont.for
2008-01-11 12:03 . 2008-01-11 12:03	<DIR>	d----c---	C:\Program Files\iPod
2008-01-11 10:11 . 2008-01-11 15:12	<DIR>	d----c---	C:\Program Files\uTorrent
2008-01-11 10:10 . 2008-01-14 08:50	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\uTorrent
2008-01-10 12:40 . 2008-01-10 12:40	<DIR>	d----c---	C:\Program Files\MAPILab Ltd
2008-01-10 12:40 . 2008-01-10 12:40	<DIR>	d----c---	C:\Program Files\Common Files\MAPILab Ltd
2008-01-04 10:09 . 2008-01-04 10:09	<DIR>	d----c---	C:\Program Files\Microsoft Silverlight
2008-01-03 19:34 . 2008-01-11 15:03	<DIR>	d----c---	C:\iPodMusic
2008-01-03 19:26 . 2008-01-03 19:26	<DIR>	d----c---	C:\Program Files\iDumpPro
2008-01-03 19:26 . 2008-01-03 19:26	1,521,113	--a--c---	C:\WINDOWS\iDumpPro Uninstaller.exe
2008-01-03 19:26 . 2008-01-03 19:26	3,120	--a--c---	C:\WINDOWS\system32\2bad2884-02a9-488c-9f8c-13fecc7c77f9.dll
2008-01-03 19:26 . 2008-01-03 19:26	3,120	--a--c---	C:\WINDOWS\db7a9e38-547e-4544-bf7c-a4beabe1c61a.ocx
2007-12-25 21:31 . 2007-12-25 21:31	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\EPSON
2007-12-23 14:35 . 2007-11-02 09:36	1,763,248	--a--c---	C:\WINDOWS\system32\Codejock.CommandBars.v11.2.1.ocx
2007-12-23 14:35 . 2007-11-02 09:37	518,064	--a--c---	C:\WINDOWS\system32\Codejock.SkinFramework.v11.2.1.ocx
2007-12-23 14:33 . 2007-10-02 05:47	849,920	--a--c---	C:\WINDOWS\system32\AdjMmsEng.dll
2007-12-23 14:33 . 2007-10-01 07:38	827,392	--a--c---	C:\WINDOWS\system32\asrecmms.ocx
2007-12-23 14:33 . 2007-10-01 05:43	425,984	--a--c---	C:\WINDOWS\system32\amp3dj.ocx
2007-12-20 09:16 . 2007-12-20 09:16	<DIR>	d----c---	C:\Program Files\MailWasher Pro

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 20:21	---------	dc----w	C:\Documents and Settings\Eve\Application Data\MailWasherPro
2008-01-14 15:19	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Symantec
2008-01-11 18:03	---------	dc----w	C:\Program Files\itunes
2008-01-11 17:01	---------	dc----w	C:\Program Files\QuickTime
2008-01-11 16:35	---------	dc----w	C:\Program Files\Microsoft Plus! Photo Story 2 LE
2008-01-11 16:34	---------	dc----w	C:\Program Files\Jasc Software Inc
2008-01-11 16:00	---------	dc----w	C:\Program Files\Dell
2008-01-11 15:35	---------	dc-h--w	C:\Program Files\InstallShield Installation Information
2008-01-11 15:35	---------	dc----w	C:\Program Files\Common Files\Nikon
2008-01-11 15:30	---------	dc----w	C:\Documents and Settings\Eve\Application Data\ArcSoft
2008-01-11 15:18	---------	dc----w	C:\Program Files\Azureus
2008-01-11 15:18	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Azureus
2008-01-09 20:41	---------	dc----w	C:\Program Files\Google
2007-12-07 17:30	---------	dc----w	C:\Documents and Settings\All Users\Application Data\SiComponents
2007-12-07 17:05	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Jasc Software Inc
2007-12-06 19:37	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Final Draft
2007-12-06 14:28	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Final Draft
2007-12-04 19:00	---------	dc----w	C:\Program Files\Eusing Free Registry Cleaner
2007-12-04 18:59	---------	dc----w	C:\Program Files\Skype
2007-12-04 16:33	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Skype
2007-12-04 14:56	93,264	-c--a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:56	32	-c--a-w	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-04 14:56	---------	dc----w	C:\Program Files\Common Files\Skype
2007-12-04 14:56	---------	dc----w	C:\Documents and Settings\Eve\Application Data\skypePM
2007-12-04 14:56	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Skype
2007-12-04 14:55	94,544	-c--a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53	23,152	-c--a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51	42,912	-c--a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49	26,624	-c--a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04	837,496	-c--a-w	C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54	95,608	-c--a-w	C:\WINDOWS\system32\AVASTSS.scr
2007-11-25 15:59	688	-c--a-w	C:\WINDOWS\Fonts\CompleteinHim-TOU.txt
2007-11-20 23:47	---------	dc----w	C:\Program Files\Soulseek
2007-11-07 09:26	721,920	-c--a-w	C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35	1,287,680	-c--a-w	C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40	227,328	-c--a-w	C:\WINDOWS\system32\wmasf.dll
2007-10-17 11:24	2,526,800	-c--a-w	C:\WINDOWS\Install_B4Playing.exe
2006-12-21 03:27	92,064	-c--a-w	C:\Documents and Settings\Eve\mqdmmdm.sys
2006-12-21 03:27	9,232	-c--a-w	C:\Documents and Settings\Eve\mqdmmdfl.sys
2006-12-21 03:27	79,328	-c--a-w	C:\Documents and Settings\Eve\mqdmserd.sys
2006-12-21 03:27	66,656	-c--a-w	C:\Documents and Settings\Eve\mqdmbus.sys
2006-12-21 03:27	6,208	-c--a-w	C:\Documents and Settings\Eve\mqdmcmnt.sys
2006-12-21 03:27	5,936	-c--a-w	C:\Documents and Settings\Eve\mqdmwhnt.sys
2006-12-21 03:27	4,048	-c--a-w	C:\Documents and Settings\Eve\mqdmcr.sys
2006-12-21 03:27	25,600	-c--a-w	C:\Documents and Settings\Eve\usbsermptxp.sys
2006-12-21 03:27	22,768	-c--a-w	C:\Documents and Settings\Eve\usbsermpt.sys
2006-03-24 15:18	56	-csh--r	C:\WINDOWS\system32\EBEAD39BB3.sys
2006-03-24 15:18	2,516	-csha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe" [2007-12-04 08:00 79224]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 05:00 158208]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\Eve\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher Pro\MailWasher.exe [2007-12-20 09:16:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SAC-Desktop-Alert.lnk]
backup=C:\WINDOWS\pss\SAC-Desktop-Alert.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eve^Start Menu^Programs^Startup^Norton Disk Doctor.LNK]
backup=C:\WINDOWS\pss\Norton Disk Doctor.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a--c--- 2007-06-11 04:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a--c--- 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\comup]
C:\WINDOWS\system32\mobjchku.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a--c--- 2004-07-30 11:04 245760 C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 16:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2004-08-10 04:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX8400 Series]
--a--c--- 2007-02-15 06:00 179200 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-07-19 23:06 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-07-19 23:10 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-07-19 23:09 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCamPro.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-23 00:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a--c--- 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a--c--- 2007-07-18 20:04 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

R1 redbookk;redbookk;C:\WINDOWS\system32\drivers\redbookk.sys [2008-01-11 16:48]
R2 NMSAccessU;NMSAccessU;C:\Program Files\iDumpPro\NMSAccessU.exe [2007-10-12 04:34]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-29 20:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 15:46:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-01-14 15:50:02 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-14 20:50:00
ComboFix2.txt  2008-01-14 19:46:15
ComboFix3.txt  2008-01-14 19:06:14
.
2008-01-09 20:46:04	--- E O F ---


----------



## evilfantasy (Jan 14, 2008)

That driver is proving to be hard to crack.

Download *SDFix.exe* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following:


 Restart your computer
 After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
 Instead of Windows loading as normal, the Advanced Options Menu should appear;
 Select the first option, to run Windows in Safe Mode, then press *Enter*.
 Choose your usual account.
 Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
 Press any Key and it will restart the PC.
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard).
 Finally add the contents of the *Report.txt* in your next post.


----------



## Hey it's me (Jan 14, 2008)

OK Evil, I'm about to do that... In the meantime I ran SmitFraudFix again. This really IS a hard one to crack, huh? I know it's ALL CONSUMING! It's maddening! If there was a way to get the people that send these viruses out to the world, I swear, they deserve it bad! Anyway:


SmitFraudFix v2.274

Scan done at 16:03:25.35, Mon 01/14/2008
Run from C:\Documents and Settings\Eve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1       localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done. 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



brb with the other results from the new instructions you've so kindly given!


----------
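The SmitFraudFix log above prints a DNS section because the malware families that tool targets are known to replace a machine's resolver addresses; here every entry is the DHCP-supplied router at 192.168.2.1, which is what a clean home LAN should show. As an added example (written for this page, not part of the thread or of S!Ri's tool), the Python below parses those `HKLM\SYSTEM\...: DhcpNameServer=` lines and flags two things a triager looks for: a resolver outside RFC 1918 / loopback space, and a static `NameServer` value that overrides the DHCP-supplied one on the same key. `CLEAN_DNS` is copied from the log; `HIJACKED_DNS` is a constructed sample, and both its `NameServer=` line format and the 203.0.113.x addresses (the TEST-NET-3 documentation range) are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Lines copied from the SmitFraudFix "DNS" section in this thread (clean).
CLEAN_DNS = """\
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\..\\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=192.168.2.1
"""

# Constructed sample (assumption): the same section after a static NameServer
# has been forced onto the interface. The 203.0.113.x addresses are from the
# TEST-NET-3 documentation range and stand in for attacker-controlled resolvers.
HIJACKED_DNS = """\
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: NameServer=203.0.113.10,203.0.113.11
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=192.168.2.1
"""

# "HKLM\...\Parameters: DhcpNameServer=192.168.2.1" -> key / value name / servers
DNS_LINE_RE = re.compile(r"^(?P<key>HKLM\\[^:]+):\s*(?P<value>\w+)=(?P<servers>.*)$")

# Resolvers a home LAN behind a NAT router is expected to show. Deliberately an
# explicit list rather than ipaddress.is_private, which also treats the
# documentation ranges as private and would hide the constructed sample.
EXPECTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_dns_section(text: str) -> List[Dict[str, object]]:
    """Turn SmitFraudFix DNS lines into {key, name, servers} rows."""
    rows = []
    for line in text.splitlines():
        m = DNS_LINE_RE.match(line.strip())
        if not m:
            continue
        # Windows stores multiple resolvers comma- or space-separated.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        rows.append({"key": m.group("key"), "name": m.group("value"), "servers": servers})
    return rows


def is_expected_resolver(addr: str) -> bool:
    """True for RFC 1918 or loopback addresses; anything else (or garbage) is suspect."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in EXPECTED_NETS)


def audit_dns(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the section looks clean."""
    findings: List[str] = []
    by_key: Dict[str, Dict[str, List[str]]] = {}
    for row in parse_dns_section(text):
        key, name, servers = row["key"], row["name"], row["servers"]
        by_key.setdefault(key, {})[name] = servers
        for s in servers:
            if not is_expected_resolver(s):
                findings.append(f"{name} on {key} points at public resolver {s}")
    # A static NameServer that differs from what DHCP handed out is the classic
    # DNS-hijack footprint: the router is still fine, the host has been overridden.
    for key, values in by_key.items():
        static, dhcp = values.get("NameServer"), values.get("DhcpNameServer")
        if static and dhcp and static != dhcp:
            findings.append(f"static NameServer {static} overrides DHCP-supplied {dhcp} on {key}")
    return findings


if __name__ == "__main__":
    print("clean log:", audit_dns(CLEAN_DNS) or "no findings")
    for finding in audit_dns(HIJACKED_DNS):
        print("hijacked sample:", finding)
```

Run against the real log the script reports nothing; against the constructed sample it reports both public resolvers and the override. A resolver inside private space is not proof of a clean host (a compromised router would also show a private address), so the check is a first filter, not a verdict.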



## Hey it's me (Jan 14, 2008)

did my last post work?


----------



## evilfantasy (Jan 14, 2008)

Please stop downloading and running things. It adds entries to the logs we are using and can get very confusing.


----------



## Hey it's me (Jan 14, 2008)

ok


----------



## Hey it's me (Jan 14, 2008)

Hi Evil, sorry about the silliness before. Here's the SDFix log. Also, again, you should know as soon as I reopened FF, IE popped up. ARRRGHHH!!!
I refuse to lose hair over this! This is so heinous, I just don't understand how this can be? Once again, thank you thank you thank you for going into WAR with me.


SDFix: Version 1.126

Run by Eve on Mon 01/14/2008 at 04:30 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Eve\Desktop\SDFix

Safe Mode:
Checking Services: 


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files: 

No Trojan Files Found




Folder C:\Temp\tn3 - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found. 

C:\WINDOWS\system32
No streams found. 

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



                                 Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 16:37:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{92C041E2-1F38-4238-A3E1-E960C8134B5E}]
"DhcpRetryStatus"=dword:00000002

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

Fri 24 Mar 2006            56 ..SHR --- "C:\WINDOWS\system32\EBEAD39BB3.sys"
Fri 24 Mar 2006         2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun  6 Nov 2005         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun  6 Nov 2005         4,348 A..H. --- "C:\Documents and Settings\Eve\My Documents\License Backup\drmv1key.bak"
Sat 28 Jan 2006            20 A..H. --- "C:\Documents and Settings\Eve\My Documents\License Backup\drmv1lic.bak"
Fri 27 Jan 2006           400 A.SH. --- "C:\Documents and Settings\Eve\My Documents\License Backup\drmv2key.bak"
Sun 16 Oct 2005             8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sun 16 Oct 2005             8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sun 16 Oct 2005             8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Tue  1 Nov 2005             8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!


----------



## Hey it's me (Jan 14, 2008)

Also, sadly, the core.cache.dsk file is STILL there, and strangely enough at some point today it went from 164 MB to 134 MB and now it's back up to 164 MB.


----------



## evilfantasy (Jan 14, 2008)

We're going to need to run more thorough scanners. These will take longer than the others have; just follow the instructions and relax while they run. Do them separately, one right after the other.

*First:*

Please download ATF Cleaner by Atribune: *ATF Cleaner.exe*

Make sure that *all* browser windows are closed.
 Double-click ATF-Cleaner.exe to run the program.
 Under Main choose: *Select All* and *UNCHECK* Cookies.
 Click the *Empty Selected* button.
If you use *Firefox* browser
 Click Firefox at the top and choose: *Select All* and *UNCHECK* Cookies.
 Click the *Empty* Selected button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use *Opera* browser
 Click *Opera* at the top and choose: *Select All* and *UNCHECK* Cookies.
 Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main ATF Cleaner menu to close the program.

*Second:*

Please download *DrWeb CureIt* & save it to your desktop.

*Scan with DrWeb-CureIt as follows:*
Double-click on *drweb-cureit.exe* and then click *Start*.
An *Express Scan of your PC* notice will appear.
Under *Start the Express Scan Now* Click *OK* to start.
This is a short scan that will scan the files currently running in memory.
 If or when something is found, click the *Yes* button when it asks you if you want to cure it.

Once the short scan has finished, Click *Options > Change settings*
Choose the *Scan tab* and *UNcheck* *Heuristic analysis* and click *OK*
Back at the main window, select the *Complete scan* button.
Then click the *Green Arrow* *Start Scanning* button on the right and the scan will start.
Click *Yes to all* if it asks if you want to cure/move any file(s).

When the scan is done.
In the Dr.Web CureIt menu on top left, click *File* and choose *Save report list*.
Save the *DrWeb.csv* report to your *Desktop*.
Exit Dr.Web Cureit.

*Important!* Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

After reboot, *Right-click* the Dr.Web log on the desktop and choose *Open With > Notepad*
Copy and paste that log in the next reply
*Third:*

Please run the *F-Secure Online Scanner*

Note: *This Scanner works with Internet Explorer Only!*
 Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
 Allow the Active X control to be installed on your computer, then click the Accept button
 Click *Full System Scan* and allow the components to download and the scan to complete.
 If malware is found, check *Submit samples to F-Secure* then select *Automatic cleaning*
 When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
 Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click *Cancel*, then *New Scan*

 When the cleaning option is presented, *Uncheck* Submit samples to F-Secure
 Click *Automatic cleaning*
 When cleaning has finished, click *Show report* (this will open an Internet Explorer window containing the report)
 Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
 This scan can take quite some time, so please be patient
*Next post:*
Dr. Web log
F-Secure log


----------



## Hey it's me (Jan 14, 2008)

thanks. yeah I had already figured I'm not going anywhere today.  be back as soon as I'm done.


----------



## evilfantasy (Jan 14, 2008)

No problem, these will take a while. We will pick it up when they are done.


----------



## Hey it's me (Jan 14, 2008)

The scan froze... I stopped it and restarted. It was 95% finished. It said it found a virus. UGH!


----------



## Hey it's me (Jan 14, 2008)

Also, Evil, I selected only the main drive, C, rather than the extra drive I have in my computer. That drive doesn't have any drivers on it. I use it for backup and space. Anyway, the scan is going quickly and it got stuck on a program I don't use but keep on that other drive.


----------



## evilfantasy (Jan 14, 2008)

It is probably getting stuck on the driver. If it happens again we will need to try something else.


----------



## evilfantasy (Jan 14, 2008)

I know for a fact that SuperAntispyware removes the core.cache.dsk as I just finished with a log from another forum where it was removed.

You may need to boot into *Safe Mode* and let SuperAntispyware do a full scan and remove what is found that way.


----------



## Hey it's me (Jan 14, 2008)

So should I stop the Dr.Web scan and run SuperAntispyware in safe mode?


----------



## evilfantasy (Jan 14, 2008)

Let Dr. Web finish if it can. You may need to try it in safe mode also.


----------



## Hey it's me (Jan 15, 2008)

ok cool.


----------



## ceewi1 (Jan 15, 2008)

evilfantasy, my apologies for jumping in, but that driver really needs to be removed in order to kill the file.

Hey it's me, please do the following:


Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:


```
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\redbookk.sys
C:\WINDOWS\system32\EBEAD39BB3.sys

Folder::
C:\temp\tn3

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\comup]

Driver::
redbookk
```

Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.


Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.  Please copy and paste the contents of the log in your next reply, along with a new HijackThis log.
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.


----------



## evilfantasy (Jan 15, 2008)

No problem ceewi1

I was a little lost on the redbookk (I should have known by the spelling) and ComboFix is unable to delete the core.cache.dsk.

Seems these always pop up in pairs for me. I was able to get the core.cache.dsk on another forum earlier with The Avenger. 

Step in anytime. I welcome your knowledge!!!!!


----------
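Two things in the exchange above are worth turning into a repeatable check: evilfantasy's remark that the spelling of `redbookk` should have given it away (it shadows the legitimate `redbook` CD-audio driver service), and ceewi1's point that the driver has to be removed before the locked file can go, which is why the CFScript carries a `Driver::` section as well as `File::`. As an added example (written for this page, not code from either helper or from ComboFix), the Python below parses ComboFix's `Drivers/Services` lines and flags a service name that is one edit away from a known driver name, a system-start `.sys` driver whose display name merely repeats its service name, and any non-`.sys` file sitting in `system32\drivers` (the `core.cache.dsk` pattern). The first three service lines are the ones from the log in this thread; the fourth, for the genuine `redbook` service, is constructed so the look-alike check has its target present. `KNOWN_XP_DRIVERS` is a deliberately short allow-list and an assumption; a real run would use the service list from a clean install of the same service pack.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's "Drivers/Services" format. The first three
# lines are copied from the log in this thread; the fourth is made up to
# represent the legitimate redbook service that redbookk imitates.
SAMPLE_SERVICES = """\
R1 redbookk;redbookk;C:\\WINDOWS\\system32\\drivers\\redbookk.sys [2008-01-11 16:48]
R2 NMSAccessU;NMSAccessU;C:\\Program Files\\iDumpPro\\NMSAccessU.exe [2007-10-12 04:34]
S3 P0630VID;Creative WebCam Live!;C:\\WINDOWS\\system32\\DRIVERS\\P0630Vid.sys [2004-07-29 20:55]
R1 redbook;Digital Audio Filter;C:\\WINDOWS\\system32\\drivers\\redbook.sys [2004-08-04 07:00]
"""

# Constructed sample of files under the drivers directory: the two names from
# this thread plus two avast! drivers listed in the Find3M report.
SAMPLE_DRIVER_FILES = [
    r"C:\WINDOWS\system32\drivers\core.cache.dsk",
    r"C:\WINDOWS\system32\drivers\redbookk.sys",
    r"C:\WINDOWS\system32\drivers\aswmon.sys",
    r"C:\WINDOWS\system32\drivers\aswTdi.sys",
]

# Assumption: a short allow-list of well-known Windows XP kernel service names.
# Replace with the full list from a clean install before relying on it.
KNOWN_XP_DRIVERS = {
    "redbook", "ntfs", "tcpip", "afd", "atapi", "mup", "kbdclass", "mouclass",
    "null", "beep", "cdrom", "disk", "usbhub", "http", "ipsec", "netbt", "rdbss",
    "srv", "ndis", "ftdisk", "partmgr", "volsnap",
}

# "R1 name;display;path [stamp]" -> R/S = running/stopped, digit = start type
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$"
)


def parse_services(text: str) -> List[Dict[str, str]]:
    """Parse ComboFix 'Drivers/Services' lines into dicts; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short service names, so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> str:
    """Known driver name this one is one edit away from, or '' if none (or if it is itself known)."""
    lname = name.lower()
    if lname in KNOWN_XP_DRIVERS:
        return ""
    for known in KNOWN_XP_DRIVERS:
        if edit_distance(lname, known) == 1:
            return known
    return ""


def audit_services(text: str) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs a triager should look at first."""
    findings = []
    for e in parse_services(text):
        name = e["name"]
        target = lookalike_of(name)
        if target:
            findings.append((name, f"name is one edit away from legitimate driver '{target}'"))
        # System-start kernel drivers load before user-mode scanners do; one whose
        # display name is just the service name again has no vendor identity.
        if (e["state"] == "R" and e["start"] == "1"
                and e["path"].lower().endswith(".sys") and e["display"] == name):
            findings.append((name, "system-start driver whose display name just repeats the service name"))
    return findings


def odd_driver_files(paths: List[str]) -> List[str]:
    """Files under system32\\drivers whose extension is not .sys."""
    odd = []
    for p in paths:
        lower = p.lower().replace("/", "\\")
        if "\\system32\\drivers\\" in lower and not lower.endswith(".sys"):
            odd.append(p)
    return odd


if __name__ == "__main__":
    for name, why in audit_services(SAMPLE_SERVICES):
        print(f"{name}: {why}")
    for p in odd_driver_files(SAMPLE_DRIVER_FILES):
        print(f"unexpected file in drivers dir: {p}")
```

On the sample, `redbookk` is reported twice (look-alike of `redbook`, and a system-start driver with no display name of its own) while `redbook`, the webcam driver and the user-mode `NMSAccessU` service pass, and `core.cache.dsk` is the only odd file. The look-alike rule deliberately uses distance exactly 1; distance 2 starts matching unrelated short names and drowns the signal.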



## Hey it's me (Jan 15, 2008)

OK guys, thanks Ceewi (also). I went to bed last night; I was delirious from stressing about this. When I woke up I saw the result from SuperAntiSpyware which I ran in safe mode. It said it found two trojans which were DIFFERENT from the ones other anti-virus programs are saying I have when run in regular mode. One is the Vundo which I've been seeing all over the forums. I can't recall the other, and since the program said restart to receive a log, I did, but I didn't get a log. Also, in safe mode, core.cache.dsk didn't show up in my drivers; however, now back in regular mode, it's there! After SuperAntiSpyware said it was removing everything bad in safe mode too. Oh AND... I'm still getting pop ups and NOW I wasn't able to come back to this site, yes THIS specific site Computerforum.com, so I chose Cached version in a Google search for computerforum.com and somehow I followed links that brought me back to my posting and you guys.
With all that said, I'm going to try ceewi's instructions and if it doesn't work I think I'm going to have to throw in the towel. I'm overwhelmed by this and I guess I'll just reinstall the op system. I just want to make sure I'm saving everything on my two external hard drives (that I need to). I mean, if you guys could please let me know if there are files I need to move from the C drive that will assure I am back up and running without a lot of loss (I've backed up MY DOCUMENTS, Office .pst [archived too] and well, that's really it). I'm concerned there are files somewhere I don't know about that are essential for me.

Anyway, perhaps ceewi's instructions will do the trick.  Let's hope so Evil, after all the time we've put in!

here it goes!


----------



## evilfantasy (Jan 15, 2008)

If that doesn't get the driver we can try one more tool which I mentioned earlier. It worked for another computer yesterday so should work now as well.

Let us know......


----------



## Hey it's me (Jan 15, 2008)

OK cool, I will. I've actually been backing up some more files onto one of the externals. I got up while close to completion of both the program files (I know there will be important missing files, but I wanted to do it because I'm very forgetful and might miss something to reinstall, if I end up having to do that). I was also moving my iTunes folder which is FULL of TONS of music and podcasts. I suppose there is a way to have avoided moving all that, but I'm on my own here and really don't want to lose anything. Anyway, I got up from my desk to walk away and disconnected the USB wire and had to re-copy those folders. I'm surprised it's taking so long again, but it's half way there, so I'm just doing some studying off of a study website for an important licensing exam I need to take next month. When the copying is done I'm going to do the ComboFix thing, then I'll be back here to continue with you and sure, if ComboFix doesn't work we'll try that one last thing, Evil, and then I have to give it up. I have to be out of the house later today by like 4 at the latest anyway.
*sigh*


----------



## evilfantasy (Jan 15, 2008)

Sounds good. The next try will only take a couple of minutes to complete.


----------



## Hey it's me (Jan 15, 2008)

Here it is!:


ComboFix 08-01-14.4 - Eve 2008-01-15 13:13:41.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.645 [GMT -5:00]
Running from: C:\Documents and Settings\Eve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Eve\Desktop\CFScript.txt
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\redbookk.sys
C:\WINDOWS\system32\EBEAD39BB3.sys
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\redbookk.sys
C:\WINDOWS\system32\EBEAD39BB3.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_REDBOOKK
-------\redbookk


(((((((((((((((((((((((((   Files Created from 2007-12-15 to 2008-01-15  )))))))))))))))))))))))))))))))
.

2008-01-15 10:30 . 2008-01-15 10:30	754	--a--c---	C:\WINDOWS\WORDPAD.INI
2008-01-14 17:08 . 2008-01-14 17:08	<DIR>	d----c---	C:\Documents and Settings\Eve\DoctorWeb
2008-01-14 17:07 . 2008-01-14 17:07	<DIR>	d----c---	C:\Program Files\Windows Installer Clean Up
2008-01-14 17:06 . 2008-01-14 17:06	<DIR>	d----c---	C:\Program Files\MSECACHE
2008-01-14 16:28 . 2008-01-14 16:28	<DIR>	d----c---	C:\WINDOWS\ERUNT
2008-01-14 16:10 . 2008-01-14 17:05	<DIR>	d----c---	C:\Program Files\SDFix
2008-01-14 16:03 . 2008-01-14 16:03	1,550	--a--c---	C:\WINDOWS\system32\tmp.reg
2008-01-14 13:32 . 2008-01-14 15:50	<DIR>	d----c---	C:\Program Files\QooBox
2008-01-14 13:31 . 2000-08-31 08:00	51,200	--a--c---	C:\WINDOWS\NirCmd.exe
2008-01-14 12:19 . 2008-01-14 12:19	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-14 12:18 . 2008-01-14 20:40	<DIR>	d----c---	C:\Program Files\SUPERAntiSpyware
2008-01-14 12:18 . 2008-01-14 12:18	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\SUPERAntiSpyware.com
2008-01-14 09:27 . 2008-01-14 09:27	<DIR>	d----c---	C:\Program Files\Lavasoft
2008-01-14 09:27 . 2008-01-14 09:27	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-14 09:24 . 2008-01-14 12:16	<DIR>	d----c---	C:\Program Files\Common Files\Wise Installation Wizard
2008-01-13 22:05 . 2008-01-13 22:05	<DIR>	d----c---	C:\Program Files\Trend Micro
2008-01-13 21:38 . 2008-01-13 21:38	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\Grisoft
2008-01-13 21:38 . 2008-01-13 21:38	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 21:38 . 2007-05-30 07:10	10,872	--a--c---	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-13 21:25 . 2008-01-13 21:25	<DIR>	d----c---	C:\Program Files\SmitfraudFix
2008-01-13 21:24 . 2008-01-13 21:23	1,062,501	--a--c---	C:\Program Files\SmitfraudFix.zip
2008-01-11 17:36 . 2008-01-11 18:22	<DIR>	d----c---	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 17:14 . 2008-01-11 17:14	<DIR>	d----c---	C:\Program Files\Plato Video To PSP Converter
2008-01-11 12:04 . 2008-01-11 15:52	54,156	--ah-c---	C:\WINDOWS\QTFont.qfn
2008-01-11 12:04 . 2008-01-11 12:04	1,409	--a--c---	C:\WINDOWS\QTFont.for
2008-01-11 12:03 . 2008-01-11 12:03	<DIR>	d----c---	C:\Program Files\iPod
2008-01-11 10:11 . 2008-01-11 15:12	<DIR>	d----c---	C:\Program Files\uTorrent
2008-01-11 10:10 . 2008-01-14 08:50	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\uTorrent
2008-01-10 12:40 . 2008-01-10 12:40	<DIR>	d----c---	C:\Program Files\MAPILab Ltd
2008-01-10 12:40 . 2008-01-10 12:40	<DIR>	d----c---	C:\Program Files\Common Files\MAPILab Ltd
2008-01-03 19:26 . 2008-01-03 19:26	<DIR>	d----c---	C:\Program Files\iDumpPro
2008-01-03 19:26 . 2008-01-03 19:26	1,521,113	--a--c---	C:\WINDOWS\iDumpPro Uninstaller.exe
2008-01-03 19:26 . 2008-01-03 19:26	3,120	--a--c---	C:\WINDOWS\system32\2bad2884-02a9-488c-9f8c-13fecc7c77f9.dll
2008-01-03 19:26 . 2008-01-03 19:26	3,120	--a--c---	C:\WINDOWS\db7a9e38-547e-4544-bf7c-a4beabe1c61a.ocx
2007-12-25 21:31 . 2007-12-25 21:31	<DIR>	d----c---	C:\Documents and Settings\Eve\Application Data\EPSON
2007-12-23 14:35 . 2007-11-02 09:36	1,763,248	--a--c---	C:\WINDOWS\system32\Codejock.CommandBars.v11.2.1.ocx
2007-12-23 14:35 . 2007-11-02 09:37	518,064	--a--c---	C:\WINDOWS\system32\Codejock.SkinFramework.v11.2.1.ocx
2007-12-23 14:33 . 2007-10-02 05:47	849,920	--a--c---	C:\WINDOWS\system32\AdjMmsEng.dll
2007-12-23 14:33 . 2007-10-01 07:38	827,392	--a--c---	C:\WINDOWS\system32\asrecmms.ocx
2007-12-23 14:33 . 2007-10-01 05:43	425,984	--a--c---	C:\WINDOWS\system32\amp3dj.ocx
2007-12-20 09:16 . 2007-12-20 09:16	<DIR>	d----c---	C:\Program Files\MailWasher Pro

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 15:18	---------	dc----w	C:\Documents and Settings\Eve\Application Data\MailWasherPro
2008-01-14 15:19	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Symantec
2008-01-11 18:03	---------	dc----w	C:\Program Files\itunes
2008-01-11 17:01	---------	dc----w	C:\Program Files\QuickTime
2008-01-11 16:35	---------	dc----w	C:\Program Files\Microsoft Plus! Photo Story 2 LE
2008-01-11 16:34	---------	dc----w	C:\Program Files\Jasc Software Inc
2008-01-11 16:00	---------	dc----w	C:\Program Files\Dell
2008-01-11 15:35	---------	dc-h--w	C:\Program Files\InstallShield Installation Information
2008-01-11 15:35	---------	dc----w	C:\Program Files\Common Files\Nikon
2008-01-11 15:30	---------	dc----w	C:\Documents and Settings\Eve\Application Data\ArcSoft
2008-01-11 15:18	---------	dc----w	C:\Program Files\Azureus
2008-01-11 15:18	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Azureus
2008-01-09 20:41	---------	dc----w	C:\Program Files\Google
2007-12-07 17:30	---------	dc----w	C:\Documents and Settings\All Users\Application Data\SiComponents
2007-12-07 17:05	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Jasc Software Inc
2007-12-06 19:37	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Final Draft
2007-12-06 14:28	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Final Draft
2007-12-04 19:00	---------	dc----w	C:\Program Files\Eusing Free Registry Cleaner
2007-12-04 18:59	---------	dc----w	C:\Program Files\Skype
2007-12-04 16:33	---------	dc----w	C:\Documents and Settings\Eve\Application Data\Skype
2007-12-04 14:56	93,264	-c--a-w	C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:56	32	-c--a-w	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-04 14:56	---------	dc----w	C:\Program Files\Common Files\Skype
2007-12-04 14:56	---------	dc----w	C:\Documents and Settings\Eve\Application Data\skypePM
2007-12-04 14:56	---------	dc----w	C:\Documents and Settings\All Users\Application Data\Skype
2007-12-04 14:55	94,544	-c--a-w	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53	23,152	-c--a-w	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51	42,912	-c--a-w	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49	26,624	-c--a-w	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-25 15:59	688	-c--a-w	C:\WINDOWS\Fonts\CompleteinHim-TOU.txt
2007-11-20 23:47	---------	dc----w	C:\Program Files\Soulseek
2007-10-17 11:24	2,526,800	-c--a-w	C:\WINDOWS\Install_B4Playing.exe
2006-12-21 03:27	92,064	-c--a-w	C:\Documents and Settings\Eve\mqdmmdm.sys
2006-12-21 03:27	9,232	-c--a-w	C:\Documents and Settings\Eve\mqdmmdfl.sys
2006-12-21 03:27	79,328	-c--a-w	C:\Documents and Settings\Eve\mqdmserd.sys
2006-12-21 03:27	66,656	-c--a-w	C:\Documents and Settings\Eve\mqdmbus.sys
2006-12-21 03:27	6,208	-c--a-w	C:\Documents and Settings\Eve\mqdmcmnt.sys
2006-12-21 03:27	5,936	-c--a-w	C:\Documents and Settings\Eve\mqdmwhnt.sys
2006-12-21 03:27	4,048	-c--a-w	C:\Documents and Settings\Eve\mqdmcr.sys
2006-12-21 03:27	25,600	-c--a-w	C:\Documents and Settings\Eve\usbsermptxp.sys
2006-12-21 03:27	22,768	-c--a-w	C:\Documents and Settings\Eve\usbsermpt.sys
2006-03-24 15:18	2,516	-csha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe" [2007-12-04 08:00 79224]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\Eve\Start Menu\Programs\Startup\
MailWasherPro.lnk - C:\Program Files\MailWasher Pro\MailWasher.exe [2007-12-20 09:16:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SAC-Desktop-Alert.lnk]
backup=C:\WINDOWS\pss\SAC-Desktop-Alert.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eve^Start Menu^Programs^Startup^Norton Disk Doctor.LNK]
backup=C:\WINDOWS\pss\Norton Disk Doctor.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a--c--- 2007-06-11 04:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a--c--- 2007-04-27 16:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a--c--- 2004-07-30 11:04 245760 C:\Program Files\Creative\Shared Files\CAMTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 16:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2004-08-10 04:04 59392 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX8400 Series]
--a--c--- 2007-02-15 06:00 179200 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a--c--- 2005-07-19 23:06 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a--c--- 2005-07-19 23:10 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-07-19 23:09 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a--c--- 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 16:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a--c--- 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCamPro.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-23 00:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a--c--- 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 00:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a--c--- 2007-07-18 20:04 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

R2 NMSAccessU;NMSAccessU;C:\Program Files\iDumpPro\NMSAccessU.exe [2007-10-12 04:34]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2004-07-29 20:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 13:19:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-01-15 13:23:37 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-15 18:23:35
ComboFix2.txt  2008-01-14 20:50:02
.
2008-01-09 20:46:04	--- E O F ---


----------



## Hey it's me (Jan 15, 2008)

OMG! OMG!  OMG!  The core.cache.dsk...it's GONE!  WOOWOOOWOWOOWOOWOWOOWOOWOOWOO!  Could this mean that my computer is clean again?  That I don't have to reinstall after all?  Let me surf a little and see if I keep getting pop ups.  I'll be back.  I'm going to run SUPERAntiSpyware to see if it detects anything too.  That one seems to be the best for detection.  Am I right?  Also, should I keep AVG running?  I've always had Avast (free version) but that did a whole lot of nothing...I'm not sure I'd feel comfortable NOT running Avast however.  ???  brb with more info.

I'd put a smiley emoticon but, though the site says they're enabled, I can't see them any longer next to the "post reply" box.
whatever.

I'm psyched right now!


----------



## Hey it's me (Jan 15, 2008)

here's my latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:01 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe

--
End of file - 4343 bytes


----------



## Hey it's me (Jan 15, 2008)

Evil (and ceewi) I'm doing a SUPERAntiSpyware scan right now and it has come up with 7 threats already.  What does THAT mean?  Will I be able to completely remove whatever it is when it's done scanning?  So far while surfing on Firefox, I still have not gotten ANY IE popups!  I'm sooooo relieved about this!  It's turning into a much better day!


----------



## Hey it's me (Jan 15, 2008)

So, here's another question, should I remove the "catchme" folder that has the core.cache.dsk in it? the folder is within the Qoobox generated by Combofix.


----------



## Hey it's me (Jan 15, 2008)

You are never going to believe this!!  Avast seems to have found the WIN32:TRATBHO virus AGAIN??? UCH!  What the heck does this mean?


----------



## evilfantasy (Jan 15, 2008)

ceewi1 must have the magic touch.

Leave everything as it is until the Super completes. We will clean up the mess in the closing steps.

If you are saying you have two antivirus programs installed then yes, uninstall one and leave the other. Either Avast! or AVG Antivirus (not to be confused with AVG Antispyware). But not until Super is done scanning.

The HijackThis log looks fine. Post the Super log and then we can most likely wrap this up.

Thanks ceewi1!!!!!


----------



## evilfantasy (Jan 15, 2008)

Hey it's me said:


> You are never going to believe this!!  Avast seems to have found the WIN32:TRATBHO virus AGAIN??? UCH!  What the heck does this mean?



It depends on where it found it. It could be in a quarantine folder somewhere.


----------



## GameMaster (Jan 15, 2008)

Possible that Avast! found a Trojan quarantined in AVG, because two antiviruses interfere...
Possible?


----------



## Hey it's me (Jan 15, 2008)

Yes, I think that detected virus was in fact quarantined; there were a bunch of things quarantined in the SAS folder that I just removed for GOOD!  The core.cache.dsk and vundo and tons of spyware.  I think it's ok after all.  PHEW!  I was nervous.  I actually think everything's ok now.  My stars, that was insane!  So, evil, how do I thank you?  You were great as my platoon captain. And yes, Ceewi gave us the final golden egg, ceewi rules!  I really am grateful!
I'm running SAS right now.  I'll post its log. I'm so confused with all the programs I have, does it HAVE a log? Or do I run HJT and give you that in the end?  Or both?  Oh, I'm also running that F-Secure scan in IE to see what it comes up with; it came up with 2 spyware found already. We'll see, and as for deciding which protective program to run when all is said and done, I'm just not sure.  Like I said, I've been using Avast since I got this computer 2 years ago.  It was fine until THIS!  But perhaps free AVG is better?  I don't know?


----------



## evilfantasy (Jan 15, 2008)

Again, STOP doing so much at once. You are going to cause errors by manually doing what the running programs are already doing. Or have them conflict with one another.

Take it easy, let everything complete and post the Super log.

We will then clean up everything.


----------



## Hey it's me (Jan 15, 2008)

I know, sorry about that, I have been told many times in the past to keep myself in check with the multi-tasking.  Anyway, I DID stop the other programs and stepped away.  Here is the only log I could get from SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/15/2008 at 03:46 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type       : Quick Scan
Total Scan Time : 00:49:01

Memory items scanned      : 478
Memory threats detected   : 0
Registry items scanned    : 825
Registry threats detected : 0
File items scanned        : 28907
File threats detected     : 0


----------



## Hey it's me (Jan 15, 2008)

I JUST realized something...that was a QUICK Scan, NOT a Complete scan.  Complete takes longer.  For Pete's Sake!  I just started the complete scan, but I may not be able to stay for it today.  If I stay here, I won't get anything done and that's not good! grrrrr It's my own stupid fault.  Anyway, while it's scanning, you know what Evil, I'd really like to do whatever needs to be done to completely remove that core.cache.dsk from my computer, even IF it's now contained in ComboFix's Catchme folder. Can we go forward with that?  Is it possible?  Unless this SAS scan is brilliantly quick, when I get back tomorrow I'll run it again. What do you think?


----------



## Hey it's me (Jan 15, 2008)

Oh, and don't be cross, I did another HJT log (it's becoming compulsive):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:50 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Eve\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\Eve\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Eusing Free Registry Cleaner\Regcleaner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.npr.org/templates/rundowns/rundown.php?prgId=3
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe

--
End of file - 4498 bytes
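
Two HijackThis logs a couple of hours apart are what a helper compares by eye to answer "what changed?". The following is an added example, not HijackThis code and not any poster's tooling: a small parser for the plain-text layout HJT v2.0.2 produces (header lines, a "Running processes:" block, then "Oxx - ..." entries, then "End of file"), a diff of two parsed logs, and a triage helper that lists O23 services whose vendor field reads "Unknown owner". The two embedded logs are short constructed excerpts modelled on the 1:45 PM and 3:59 PM logs above, trimmed to the lines the example needs.

```python
"""Parse two HijackThis 2.0 logs and report what changed between them.

Added example for this thread; not HijackThis code and not any poster's
tooling. It relies only on the plain-text layout HJT v2.0.2 produces.
The two logs embedded below are constructed excerpts modelled on the
1:45 PM and 3:59 PM logs posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Entry lines look like "O23 - Service: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Header fields worth keeping; "Scan saved at" is deliberately skipped.
HEADER_RE = re.compile(r"^(Platform|MSIE|Boot mode): (.*)$")
# O23 payload: "Service: <display name> - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")


def parse_hjt(text: str) -> dict:
    """Split an HJT log into header fields, running processes and typed entries."""
    header: Dict[str, str] = {}
    processes: List[str] = []
    entries: Dict[str, List[str]] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "--" or line.startswith("End of file"):
            break  # trailer: nothing useful follows
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # first Oxx/Rx line ends the process block
            entries.setdefault(m.group(1), []).append(m.group(2))
            continue
        h = HEADER_RE.match(line)
        if h:
            header[h.group(1)] = h.group(2)
        elif in_processes:
            processes.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def _flat_entries(parsed: dict) -> set:
    """Flatten {type: [payload, ...]} into a set of 'type - payload' strings."""
    return {f"{k} - {v}" for k, vs in parsed["entries"].items() for v in vs}


def diff_hjt(old: dict, new: dict) -> Dict[str, List[str]]:
    """Report processes and autostart/service entries added or removed between scans."""
    old_p, new_p = set(old["processes"]), set(new["processes"])
    old_e, new_e = _flat_entries(old), _flat_entries(new)
    return {
        "added_processes": sorted(new_p - old_p),
        "removed_processes": sorted(old_p - new_p),
        "added_entries": sorted(new_e - old_e),
        "removed_entries": sorted(old_e - new_e),
    }


def unknown_owner_services(parsed: dict) -> List[Tuple[str, str]]:
    """Return (name, path) for O23 services whose vendor field is 'Unknown owner'.

    An unknown owner only means the binary carries no company/version info.
    It is a prompt to look the file up, not evidence of malware by itself.
    """
    found = []
    for payload in parsed["entries"].get("O23", []):
        m = SERVICE_RE.match(payload)
        if m and m.group(2) == "Unknown owner":
            found.append((m.group(1), m.group(3)))
    return found


# Constructed excerpt modelled on the 1:45 PM log in the thread.
LOG_A = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:01 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe

--
End of file - 4343 bytes
"""

# Constructed excerpt modelled on the 3:59 PM log (IE and the F-Secure
# online scanner are now running; notepad has been closed).
LOG_B = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:50 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Eve\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\Alwil Software\ashServ.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe

--
End of file - 4498 bytes
"""

if __name__ == "__main__":
    a, b = parse_hjt(LOG_A), parse_hjt(LOG_B)
    for key, items in diff_hjt(a, b).items():
        print(f"{key}: {items}")
    print("services with unknown owner:", unknown_owner_services(b))
```

Run against the two excerpts, the diff shows only the expected process churn (notepad gone, iexplore and the F-Secure scanner present) and no change in autostart or service entries, which is the same conclusion the helpers drew from the posted logs; the "Unknown owner" list flags NMSAccessU for a lookup, nothing more.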


----------



## Hey it's me (Jan 15, 2008)

Hey, btw, do you know what MSECACHE is?  It's in my program files and I'm not sure what it is.


----------



## Hey it's me (Jan 15, 2008)

Oh, forget it, I see it's some kind of a program from Microsoft (an update of sorts) that's supposed to help clean up.


----------



## Hey it's me (Jan 15, 2008)

You know what? The AVG I have is not antivirus, it's anti-spyware.  I have Avast 4 which runs always.  So, with that said, what should I do?  I'm also heading out right now.  I was hoping to be able to go over with you (Evil) how to remove that quarantined Qoobox (ComboFix).  It has the nasty core.cache.dsk file, plus others, and I hate to leave my computer with it still in it.  But, 1 hour and 11 minutes later, SAS is still not done with the complete scan (though I'm convinced all's well) and I really have to go.  So far nothing detected.  I'm not sure if I should just leave it scanning till I return tomorrow afternoon or not.


----------



## Hey it's me (Jan 15, 2008)

OK!  Well Evil, it turns out I was dilly-dallying before I got out of here and the scan finished; here is the result.  I'll do the clean up tomorrow.  Just leave instructions.  Thanks! ttyl

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/15/2008 at 05:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type       : Complete Scan
Total Scan Time : 01:35:53

Memory items scanned      : 473
Memory threats detected   : 0
Registry items scanned    : 6113
Registry threats detected : 0
File items scanned        : 72878
File threats detected     : 0


----------



## evilfantasy (Jan 15, 2008)

Hey it's me said:


> You know what? The AVG I have is not antivirus, it's anti-spyware.  I have Avast 4 which runs always.  So, with that said, what should I do?





evilfantasy said:


> If you are saying you have two antivirus installed then yes uninstall one and leave the other. Either Avast! or AVG Antivirus (*not to be confused with AVG Antispyware*)



Leave them both. Do a scan weekly alternating between AVG and SuperAntispyware.

---------------

Time to do some cleanup and secure the work you have done.

* Click *START* then *RUN*
* Now type *Combofix /u* in the runbox
* Make sure there's a space between Combofix and /u
* Then hit *Enter*.

The above procedure will:
* Delete ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------

Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Please download OTMoveIt2 by OldTimer *OTMoveIt2.exe* and place it on your desktop.

1. Double click *OTMoveIt2.exe* to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click *YES* at the next prompt (list downloaded, Do you want to begin cleanup process?)

When finished, exit out of OTMoveIt2.

------------------

If you don't have CCleaner then download and install it *HERE*.

Run CCleaner.

------------------

*Here are some great tools to help you keep from getting infected again.*

*Spybot Search & Destroy* - A safe and effective spyware scanner.
*  *Official Spybot Tutorial*
*  *Spybot FAQ*

*AVG Anti-Spyware Free Edition* - Very reliable with a high detection rate.
*  *AVG Anti-Spyware User Manual*

*SpywareBlaster* - Secures your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stops certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
*  *SpywareBlaster Tutorial*

*Comodo BOClean* - Stops trojans and many more malicious attacks.

*Use a Firewall* - It cannot be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
*  *Click here* for a list of free firewalls.

UPDATE UPDATE UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed.
*  *Help with Windows updates*

To learn more about how to protect yourself while on the internet, read this article by Tony Klein:  *So how did I get infected in the first place?*

Let us know if anything else comes up.


----------



## evilfantasy (Jan 15, 2008)

Also MSECACHE is safe.


----------



## Hey it's me (Jan 17, 2008)

Evil (and ceewi) Thank you sooo much!  I am forever grateful for this!!  Everything is groovy now!


----------



## evilfantasy (Jan 17, 2008)

Good to hear.


Safe surfing..........


----------



## M0LD0V4N (Jan 17, 2008)

I fixed mine a different way but it was like 3 months ago.
I fixed mine by downloading (SAS). Scanned and found core.cache.dsk as a rootkit.
I deleted it with (SAS) and then did a restart.. But I restarted into SafeMode and ran a scan with (SAS) and ComboFix.. They all came up clean so I restarted the computer and core.cache.dsk was erased... Since then no popups or core.cache.dsk.


----------



## Hey it's me (Jan 17, 2008)

Thanks M0ld0, that was actually attempted, it didn't work for me.
Fortunately, it was cracked and beaten down by the good guys here!

Evil, if you're still looking at this thread, can you tell me one more thing: should I, and how do I, remove Smitfraudfix from my computer?  There's no uninstall icon.

Thanks!


----------



## ceewi1 (Jan 20, 2008)

Glad to play a part.

You can safely delete the Smitfraudfix executable and the associated Smitfraudfix folder if they weren't removed by the OTMoveIt2 CleanUp!


----------

