# core.cache.dsk



## AkinaGod (Jan 11, 2008)

I keep getting the malware core.cache.dsk.  I seem to have more after I ran ComboFix.exe.  It didn't remove the core.cache.dsk file though.  I am having big trouble browsing the web and my computer runs horribly slow.  I have run Panda software, Spybot S&D, Ad-Aware, AVG, Kill, and ComboFix.  I have to log onto another computer to use the internet, otherwise mine will just spaz out due to all the popups and freeze.  Is there anything out there that will get rid of this damn program?  Spybot calls it "smit" something.  Please help!


----------



## Punk (Jan 11, 2008)

Smitfraud?

Let's see that:
*Click here* to download *HJTsetup.exe*
Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

then

*If you already have Smitfraudfix, please delete this copy and download it again as it's being updated regularly.*

Please download *SmitFraudFix.exe* by S!Ri and save it to the desktop.

If you can't download it, please download it from these alternative sites:

*From Geekstogo*
*From Security Cadets*
*From Zebulon*


Double click on *SmitfraudFix.exe*.
Press *1* then hit the Enter key.
It will create a report named *rapport.txt*, usually in the root of the C: drive.
Please post back this log in your next reply.

*Note:* process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. *Read more here*

In your next reply please post:

The Hijackthis log
The SmitfraudFix log


----------



## AkinaGod (Jan 12, 2008)

Hijack log



Logfile of HijackThis v1.99.1
Scan saved at 10:50:58 AM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0111E17F-A0E7-4E44-A554-9F6477DBFBAC} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {5027B960-7509-4351-9E26-FB299F9262C1} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\gebxwtu.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://mail.yahoo.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194201304156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194197676764
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs:  
O20 - Winlogon Notify: gebaaaw - gebaaaw.dll (file missing)
O20 - Winlogon Notify: gebxwtu - gebxwtu.dll (file missing)
O20 - Winlogon Notify: lpbxlgll - lpbxlgll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


----------



## AkinaGod (Jan 12, 2008)

SmitFraudFix v2.274

Scan done at 10:54:22.29, Sat 01/12/2008
Run from C:\Documents and Settings\Dreamer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dreamer


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dreamer\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Dreamer\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=" "


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92F3ACC4-C4F7-4419-A9F1-EF842F55ACE1}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{92F3ACC4-C4F7-4419-A9F1-EF842F55ACE1}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Punk (Jan 12, 2008)

OK this is not a Smitfraud infection.
Did you have any Vundo infections? We have some leftovers from a Vundo infection. It says "file missing" but let's make sure it is removed.

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click *OK*.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.

Webbenji


----------



## AkinaGod (Jan 12, 2008)

Yeah, I keep running Spybot and it says I still have the smit thing.  But when the Vundo thing is done scanning I'll do another hijack and post the results.


----------



## AkinaGod (Jan 12, 2008)

Vundo did not come up with anything.  It was completely blank.  And I still have all the problems.  What now?


----------



## evilfantasy (Jan 13, 2008)

Open HijackThis and select *Do a system scan only* then place a check mark next to:

*O2 - BHO: (no name) - {0111E17F-A0E7-4E44-A554-9F6477DBFBAC} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {5027B960-7509-4351-9E26-FB299F9262C1} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\gebxwtu.dll (file missing)
O20 - Winlogon Notify: gebaaaw - gebaaaw.dll (file missing)
O20 - Winlogon Notify: gebxwtu - gebxwtu.dll (file missing)
O20 - Winlogon Notify: lpbxlgll - lpbxlgll.dll (file missing)*

Close all windows except for HijackThis and click *Fix checked*

Exit Hijackthis.

---------------

Now uninstall the version of HijackThis you have and download the new one.

Download  *HijackThis*

--------------

Download Superantispyware (SAS)  *SUPERAntispyware Free Edition*

Install it and double-click the icon on your desktop to run it.
  It will ask if you want to *Update* the program definitions, click *Yes*.
  Under *Configuration and Preferences*, click the *Preferences* button.
  Click the *Scanning Control* tab.
  Under *Scanner Options* make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
*Please leave the others unchecked*.
Click the *Close* button to leave the control center screen.

  On the main screen, under *Scan for Harmful Software* click *Scan your computer*.
  On the left check *C:\Fixed Drive*.
  On the right, under *Complete Scan*, choose *Perform Complete Scan*.
  Click *Next* to start the scan. Please be patient while it scans your computer.
  After the scan is complete a summary box will appear. Click *OK*.
  Make sure everything in the white box has a check next to it, then click *Next*.
  It will quarantine what it found and if it asks if you want to reboot, click *Yes*.
  To retrieve the removal information please do the following:
After reboot, double-click the SUPERAntiSpyware icon on your desktop.
Click *Preferences*. Click the *Statistics/Logs* tab.
Under Scanner Logs, double-click *SUPERAntiSpyware Scan* Log.
It will open in your default text editor (such as Notepad/Wordpad).
Save the notepad file to your desktop by clicking (in notepad) "*File*" "*Save As*"

 Save the log somewhere you can easily find it. (normally the desktop)
  Click close and close again to exit the program.
  Please add the log along with a new HijackThis log in the next post.
---------------

*Next post please add.
SuperAntispyware log
New HijackThis log*
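
The entries evilfantasy ticks above are all DLL load points whose file is already gone. As an added example (not HijackThis code and not part of any post here), the following Python parses the O2/O3/O20 lines of a HijackThis log and flags exactly that class of leftover, plus the short random-looking DLL names Vundo-family droppers used. The sample lines are copied from the first log in this thread; the allowlist and the name heuristic are assumptions made for the example.

```python
"""Triage DLL load points in a HijackThis log (added example, not HijackThis code).

O2 = Browser Helper Object, O3 = IE toolbar, O20 = AppInit_DLLs / Winlogon Notify.
Flags: entries whose DLL no longer exists ("(file missing)", i.e. an orphaned
load point left behind after a removal tool deleted the file) and entries whose
DLL name looks machine-generated. KNOWN_GOOD and looks_random() are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DLL_LOADING_SECTIONS = {"O2", "O3", "O20"}
MISSING_MARK = "(file missing)"
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")

# Assumption: DLLs known to be benign on the box in this thread.
KNOWN_GOOD = {"wgalogon.dll", "saswinlo.dll", "snagitieaddin.dll"}


@dataclass
class Entry:
    section: str
    label: str    # e.g. "BHO: (no name)" or "Winlogon Notify: gebxwtu"
    path: str     # last " - " separated field; empty for a bare AppInit_DLLs line
    missing: bool
    raw: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'Oxx - ...' line; return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    missing = rest.endswith(MISSING_MARK)
    if missing:
        rest = rest[: -len(MISSING_MARK)].rstrip()
    fields = [f.strip() for f in rest.split(" - ")]
    path = fields[-1] if len(fields) > 1 else ""
    return Entry(section, fields[0], path, missing, line.strip())


def dll_name(path: str) -> str:
    """Basename of a Windows path, lower-cased; '' if there is no path."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def looks_random(name: str) -> bool:
    """Heuristic (assumption): 5-8 lowercase letters plus .dll, not allowlisted."""
    if not name.endswith(".dll") or name in KNOWN_GOOD:
        return False
    stem = name[:-4]
    return 5 <= len(stem) <= 8 and stem.isalpha() and stem.islower()


def triage(lines) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for every suspicious DLL load point."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None or e.section not in DLL_LOADING_SECTIONS:
            continue
        reasons = []
        if e.missing:
            reasons.append("orphaned load point: DLL no longer on disk")
        if looks_random(dll_name(e.path)):
            reasons.append("random-looking DLL name")
        if reasons:
            findings.append((e, reasons))
    return findings


def fix_list(findings) -> List[str]:
    """The raw lines to tick under 'Do a system scan only' before 'Fix checked'."""
    return [e.raw for e, _ in findings]


# Lines taken from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {0111E17F-A0E7-4E44-A554-9F6477DBFBAC} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {5027B960-7509-4351-9E26-FB299F9262C1} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\gebxwtu.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - AppInit_DLLs:
O20 - Winlogon Notify: gebaaaw - gebaaaw.dll (file missing)
O20 - Winlogon Notify: gebxwtu - gebxwtu.dll (file missing)
O20 - Winlogon Notify: lpbxlgll - lpbxlgll.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG.splitlines()):
        print(entry.raw, "->", "; ".join(reasons))
```

Run against the sample it lists the same six O2/O20 lines evilfantasy asked to have fixed and leaves SnagIt and WgaLogon alone. The registry fix only removes the dangling reference; if the same names come back in a later log, the dropper that writes them is still running and the log needs a fresh look.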


----------



## Punk (Jan 13, 2008)

Thanks evilfantasy...  Why not try not to confuse the user between your instructions and mine??!!

Let's see your combofix:

*Step <insert number>: Download and Run ComboFix*

*Download this file* from either of the two below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

I need to see a new HJT log and your ComboFix log, AkinaGod.

Thanks


----------



## AkinaGod (Jan 13, 2008)

Ok the first Super Anti spyware scan was:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/13/2008 at 10:24 AM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type       : Complete Scan
Total Scan Time : 01:12:05

Memory items scanned      : 292
Memory threats detected   : 0
Registry items scanned    : 5049
Registry threats detected : 0
File items scanned        : 67124
File threats detected     : 10

Adware.k8l
	C:\PROGRAM FILES\COMPLUS APPLICATIONS\ZYSOQA.HTML

Unclassified.Unknown Origin
	C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\GCAKYWR.DLL.VIR
	C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP295\A0068922.DLL

Adware.eZula
	C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP253\A0052967.EXE

Trojan.Downloader-Gen/Hammer
	C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP254\A0053097.DLL
	C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP254\A0053105.DLL

Trojan.Unknown Origin
	C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP293\A0065829.VBS
	C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP295\A0068998.VBS

Adware.WebBuying Assistant-Installer
	C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP293\A0065830.EXE
	C:\SYSTEM VOLUME INFORMATION\_RESTORE{566872FF-BE1B-48B3-B92B-D46B34DA1E95}\RP293\A0065831.EXE


----------



## AkinaGod (Jan 13, 2008)

2nd scan of spyware was:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/13/2008 at 12:18 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type       : Complete Scan
Total Scan Time : 01:11:15

Memory items scanned      : 283
Memory threats detected   : 0
Registry items scanned    : 5052
Registry threats detected : 0
File items scanned        : 67040
File threats detected     : 0


----------



## AkinaGod (Jan 13, 2008)

and the most recent hijack after the two spyware scans is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:41 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://mail.yahoo.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194201304156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194197676764
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs:  
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4538 bytes


----------



## AkinaGod (Jan 13, 2008)

Computer seems to be running like it was before the problem started.  Thanks for the help.  Let me know if the hijack thing has still detected a problem.


----------



## AkinaGod (Jan 13, 2008)

Ok so it looks like my computer is cleaned up.  I guess my problem kept coming from a P2P file sharing program I had.  I thought I cleaned the program up but I guess not.  So I was wondering if anyone can recommend me a really good P2P file sharing program that is free and is able to download Japanese vids, American vids, music, etc.  I used to use LimeWire but it doesn't seem to download ANY movies at all and the music always seemed to get about 50% - 80% complete and then stop and I would have to start all over again because it never found the file later on.  Could anyone assist?  I will also start this in another forum index for the reason of topic.


----------



## GameMaster (Jan 13, 2008)

Same answer, hope you read on General Software. Not allowed to talk.


----------



## evilfantasy (Jan 13, 2008)

GameMaster said:


> Same answer, hope you read on General Software. Not allowed to talk.



Ditto. Torrents are illegal and any respectable forum will not tolerate discussions on their use. The best advice, buy your music and movies.

The log is clean.

Go to *Start* > *Run* and copy and paste next command in the field:

*ComboFix /u*

Make sure there's a space between Combofix and /u
Then hit *Enter*.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again

---------

Let's clear out the programs we've been using to clean up your computer, they are not suitable for
general malware removal and could cause damage if launched accidentally.

Please download OTMoveIt2 by OldTimer  *OTMoveIt2.exe* and place it on your desktop.

1. Double click *OTMoveIt2.exe* to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click *YES* at the next prompt (list downloaded, Do you want to begin cleanup process?)

 When finished exit out of OTMoveIt2

----------

This is a good time to clear your infected system restore points and establish a new clean restore point:

 Go to *Start* > *All Programs* > *Accessories* > *System Tools* > *System Restore*
 Select *Create a restore point*, and click *Next*.
 Next, go to *Start* > *Run* and type in *cleanmgr*
 Select the *More options* tab
 Next to System Restore click *Clean up...*
This will remove all restore points except the new one you just created.

----------

Apologies to webbenji. I didn't mean to hijack your instructions, I just thought I could help progress the fix.

EF


----------



## GameMaster (Jan 13, 2008)

Hey evil, you still didn't tell me where you got those canned speeches? 
I mean you *don't have* to answer me, but I'd like to know...


----------



## evilfantasy (Jan 13, 2008)

I remember, just forgot to answer. 

The ones I use mainly are made by me. Although I have some that are posted throughout the web for people to use. Like the smitfraud and vundofix ones. I have found it easier to make new ones though. So many of the spyware scanners and online virus scanners are different than they were a year or two years ago so they are outdated. 

I have a Google documents account that I keep them all categorized in. I am always modifying or just remaking one here and there.

P.S. There is a new Java version (Java 6 Update 4) so update your info on that.


----------



## GameMaster (Jan 13, 2008)

Hey thanks! 


> throughout the web for people to use. Like the smitfraud and vundofix


I can try and google for such speeches, but did you mean some forums and something?
Because my source of canned speeches isn't bad, but really is full of outdated speeches. It's always nice to have correct speeches within 5 seconds of navigating + posting...
Anyway, I don't want to bother too much, so just...answer that one please.


----------



## Hey it's me (Jan 14, 2008)

*I too am infected with TWO Trojan Horses! PLEASE HELP!*

I have been infected with TratBHO and Smitfraud.  I have downloaded numerous fixes but nothing is working!!  I'm trying to avoid reinstalling my OS.  I have Avast, SmitfraudFix, HijackThis, Norton 2004, Ad-Aware 2007, AVG and...I have tried numerous times to clean them out!  
I am sooo frustrated!  I can't delete, no how, no way, the core.cache.dsk file in my drivers section (which I know is the Smitfraud bastard!).  TratBHO had come up in one of my searches and I checked the boxes with BHO files and they were deleted, but I still am getting pop-ups and warnings. I've also been in Safe Mode.  Didn't do anything.  

Please help me!  I'm losing my mind!

here's the latest result of SmitfraudFix:

SmitFraudFix v2.274

Scan done at 10:26:46.14, Mon 01/14/2008
Run from C:\Documents and Settings\Eve\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\Alwil Software\aswUpdSv.exe
C:\Program Files\Avast4\Alwil Software\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ALWILS~1\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\Alwil Software\ashMaiSv.exe
C:\Program Files\Avast4\Alwil Software\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Avast4\Alwil Software\ashSimpl.exe
C:\Program Files\Eusing Free Registry Cleaner\Regcleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\rundll32.exe
D:\NU\NDD32.EXE
C:\WINDOWS\system32\rundll32.exe
D:\NSWSETUP.EXE
C:\WINDOWS\system32\msiexec.exe
D:\Support\Prescan\Prescan.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1	legal-at-spybot.info
127.0.0.1	www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eve


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Eve\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Eve\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/Eve/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92C041E2-1F38-4238-A3E1-E960C8134B5E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



thanks
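
The one concrete finding in that SmitfraudFix report is the "hosts file corrupted !" section: two entries pointing a spybot hostname at 127.0.0.1. As an added example (not SmitfraudFix code and not part of any post here), the following Python audits a hosts file for that pattern. It separates the two cases that matter: a security-vendor or update hostname blackholed to loopback (blocks updates and support sites), and any hostname pointed at a non-loopback address (a redirect to someone else's server). Plain loopback entries for other names are reported as informational only, because ad-blocking lists and Spybot's own immunization write exactly those. The sample hosts content is constructed around the two lines from the report, and the vendor label list is an assumption.

```python
"""Audit a Windows hosts file for tampering (added example, not SmitfraudFix code).

High: vendor/update hostname -> loopback (blackholed) or any hostname -> other IP.
Info: other hostname -> loopback (could be legitimate ad-blocking/immunization).
VENDOR_LABELS is an assumption made for the example.
"""
import ipaddress
from typing import List, Optional, Tuple

# Names that belong at loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Assumption: DNS labels that identify security vendors / update services.
VENDOR_LABELS = {"spybot", "symantec", "mcafee", "kaspersky", "avast", "grisoft",
                 "avg", "windowsupdate", "microsoft", "trendmicro", "sophos",
                 "lavasoft", "bleepingcomputer"}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, [hostnames]); comments and blanks are skipped."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        parts = body.split()
        if len(parts) >= 2:
            entries.append((n, parts[0], parts[1:]))
    return entries


def is_vendor_host(host: str) -> bool:
    # "legal-at-spybot.info" -> labels legal, at, spybot, info
    labels = host.lower().replace("-", ".").split(".")
    return any(label in VENDOR_LABELS for label in labels)


def classify(ip: str, host: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) or None if the entry is unremarkable."""
    if host.lower() in LOCAL_NAMES:
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ("high", f"unparseable address {ip!r}")
    if addr.is_loopback or addr.is_unspecified:
        if is_vendor_host(host):
            return ("high", "security/update site blackholed to loopback")
        return ("info", "blackholed (may be ad-blocking or immunization)")
    return ("high", f"redirected to {ip}")


def audit_hosts(text: str) -> List[Tuple[int, str, str, str, str]]:
    """(line_no, ip, host, severity, reason) for each flagged mapping."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        for h in hosts:
            c = classify(ip, h)
            if c:
                findings.append((n, ip, h, c[0], c[1]))
    return findings


# Constructed sample: stock header, the two lines from the SmitfraudFix report
# above, one ad-block style entry and one redirect (203.0.113.7 is a documentation address).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1\tlegal-at-spybot.info\n"
    "127.0.0.1\twww.legal-at-spybot.info\n"
    "127.0.0.1\tads.example.net            # constructed ad-block entry\n"
    "203.0.113.7\twww.windowsupdate.example  # constructed redirect\n"
)

if __name__ == "__main__":
    for n, ip, host, sev, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {sev.upper():4} {ip} {host}: {why}")
```

On a real XP box the file is C:\WINDOWS\system32\drivers\etc\hosts; read it with the encoding the system uses and pass the text to audit_hosts(). Only the high-severity lines need removing; restoring a single "127.0.0.1 localhost" line is the safe end state when in doubt.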


----------



## evilfantasy (Jan 14, 2008)

Hey it's me


Start a new post with a Hijackthis log in it. Tacking on to the end of another thread isn't going to work.

Thanks.


----------



## Hey it's me (Jan 14, 2008)

Every site is different. On this one I have to start a new thread; it seems on the others I have to be on an active thread.  No problem...done!
Thanks


----------



## Caltheos (Feb 29, 2008)

*Blocking core.cache.dsk*

I haven't had time to do a full clean of my system, but found a quick dirty fix that helped in the interim. 

If you boot into safe mode and delete c:\windows\system32\drivers\core.cache.dsk then create an empty file with that name and set it to read-only, the problem does not return on reboot (no more pop-ups).  I know this doesn't remove the problem from the computer, but is a viable quick fix.
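
Caltheos's workaround is a containment measure, not a removal: the empty read-only placeholder makes the dropper's re-creation of the file fail, but anything running as Administrator or SYSTEM can clear the attribute and overwrite it. As an added example (not code from the post), the following Python does the plant step and, more usefully, gives a check to run at each boot that tells you whether the placeholder has been rewritten, which is the signal that the dropper is still alive. The path is a parameter; the demo uses a temporary directory rather than the real driver path.

```python
"""Plant and verify an empty read-only placeholder (added example, not from the post).

plant_placeholder(): delete whatever is at `path`, create an empty file there,
                     set it read-only (FILE_ATTRIBUTE_READONLY on Windows, 0400 on POSIX).
verify_placeholder(): report if the placeholder is gone, non-empty, writable or a symlink.
demo(): runs both in a temp dir, then simulates the dropper rewriting the file.
"""
import os
import stat
import tempfile
from typing import Dict, List

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def plant_placeholder(path: str) -> None:
    """Replace the file at `path` with an empty read-only placeholder."""
    if os.path.lexists(path):
        # Windows refuses to delete a read-only file; clear the bit first.
        os.chmod(path, stat.S_IWRITE | stat.S_IREAD)
        os.remove(path)
    # O_EXCL: fail loudly if something re-created the file between remove and create.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
    os.close(fd)
    os.chmod(path, stat.S_IREAD)


def verify_placeholder(path: str) -> List[str]:
    """Return the problems found; an empty list means the placeholder is intact."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["placeholder missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("replaced by a symlink")
    if st.st_size != 0:
        problems.append(f"not empty ({st.st_size} bytes): file was rewritten")
    if st.st_mode & WRITE_BITS:
        problems.append("read-only attribute cleared")
    return problems


def demo() -> Dict[str, List[str]]:
    """Plant over a constructed stand-in file, verify, tamper as SYSTEM could, verify again."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "core.cache.dsk")
        with open(p, "wb") as f:
            f.write(b"\x00" * 64)  # constructed stand-in for the dropped file
        plant_placeholder(p)
        after_plant = verify_placeholder(p)
        # What a dropper with Administrator/SYSTEM rights can do: clear the bit and rewrite.
        os.chmod(p, stat.S_IWRITE | stat.S_IREAD)
        with open(p, "ab") as f:
            f.write(b"\x00" * 16)
        after_tamper = verify_placeholder(p)
        return {"after_plant": after_plant, "after_tamper": after_tamper}


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(stage, "->", problems or "intact")
```

For the real case run plant_placeholder(r"C:\WINDOWS\system32\drivers\core.cache.dsk") from Safe Mode as the post says, then schedule verify_placeholder() on the same path at logon; a non-empty result means the box still needs a proper clean, not a bigger placeholder.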


----------



## AkinaGod (Aug 5, 2008)

*.png movie player*

Downloaded some anime that was zipped into .png files. Don't have a player that can play it, nor can I find one. Anyone got a link to a free non-demo version? Found a lot of buy'm sites.


----------



## AkinaGod (Aug 5, 2008)

Whoops, I am sorry, I just realized I accidentally put that in the wrong thread.


----------

