
Solved: core.cache.dsk infection

Discussion in 'Virus & Other Malware Removal' started by jospeh-, Jul 10, 2007.

Thread Status:
Not open for further replies.
  1. jospeh-

    jospeh- Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    49
    I've read some of the posts with the same infection and got ComboFix. When I run it, it tells me it cannot find regedit.exe. My regedit is working fine, though.
     
  2. jospeh-

    jospeh- Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    49
    Adding a few things: I'm also running ZoneAlarm, Spybot S&D (which found the infected files) and Ad-Aware.
     
  3. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, jospeh-. :)

    Welcome to TSG.

    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis.
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
     
  4. jospeh-

    jospeh- Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    49
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:53:33 PM, on 7/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - (no file)
    O2 - BHO: (no name) - {343D12F3-D56B-FDBC-4F12-898DBD2684BD} - C:\WINDOWS\system32\jqfykaq.dll
    O2 - BHO: (no name) - {506BD552-EA5C-4197-A9A7-1F38E7AE528C} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {93b5e2b6-36f0-4416-8973-1b71a1f7bd8a} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idolmind
    O17 - HKLM\Software\..\Telephony: DomainName = idolmind
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = idolmind
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = idolmind
    O20 - Winlogon Notify: opnnoom - opnnoom.dll (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 4407 bytes
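
Added example (not part of the thread, and not a HijackThis feature): a small triage script that applies the same reading the helper applies to the log above. It takes a handful of lines lifted verbatim from that log as constructed input and sorts them into three buckets: "orphan" for registrations whose file is gone (BHO "(no file)", Winlogon Notify "(file missing)"), "suspect" for an unnamed BHO loading straight out of system32, and "review" for a service with no publisher string. The system32 rule is a heuristic: legitimate BHOs normally live under a product folder, as SDHelper.dll does, and the "Unknown owner" rule deliberately catches PnkBstrA so the reader sees that every flag still needs a human check.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the HijackThis log posted
# above, kept verbatim so the triage rules can be checked against them.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - (no file)
O2 - BHO: (no name) - {343D12F3-D56B-FDBC-4F12-898DBD2684BD} - C:\WINDOWS\system32\jqfykaq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: opnnoom - opnnoom.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Line shapes for the three HijackThis sections this triage looks at.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Heuristic: a BHO loading directly from the system directory instead of a
# product folder is unusual enough to deserve a closer look.
SYSTEM32_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    level: str    # "suspect", "review" or "orphan"
    section: str  # HijackThis section prefix, e.g. "O2"
    reason: str
    line: str


def triage(log_text):
    """Return the findings for one HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings.append(Finding("orphan", "O2", "BHO registered but its DLL is gone", line))
            elif m["name"] == "(no name)" and SYSTEM32_DLL_RE.match(m["path"]):
                findings.append(Finding("suspect", "O2", "unnamed BHO loading from system32", line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if m["missing"]:
                findings.append(Finding("orphan", "O20", "Winlogon Notify DLL missing; stale registration", line))
            else:
                findings.append(Finding("review", "O20", "third-party Winlogon Notify DLL runs at logon", line))
            continue
        m = SERVICE_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append(Finding("review", "O23", "service without a publisher string; verify the binary", line))
    return findings


def summarize(findings):
    """Count findings per level so the analyst sees the shape at a glance."""
    counts = {}
    for f in findings:
        counts[f.level] = counts.get(f.level, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:7}] {f.section:4} {f.reason}\n           {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the script flags the two dead registrations, the jqfykaq.dll BHO (the file the SUPERAntiSpyware log later names as Adware.ClickSpring), and PnkBstrA for review; the Spybot helper DLL and the ZoneAlarm Run entry pass untouched.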
     
  5. jospeh-

    jospeh- Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    49
    I might as well mention I've had and run AVG; it wasn't picking anything up. I've pretty much gotten it down this far, and I was still getting popups in my Firefox, so I started searching for stuff and found Spybot, which found these issues.
     
  6. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, jospeh- :)

    Let's try those programs again and post their reports or error messages:

    Your Java seems to be out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6u2.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.
    Please download VundoFix.exe to your desktop.

    Note: In the event you already have Vundofix, this is a new version that I need you to download.
    • Double-click VundoFix.exe to run it.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt in your next reply.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Download ComboFix from Here or Here to your Desktop.

    Note: In the event you already have Combofix, this is a new version that I need you to download.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    Download Superantispyware (SAS)
    1. Install it and double-click the icon on your desktop to run it.
    2. It will ask if you want to update the program definitions, click Yes.
    3. Under Configuration and Preferences, click the Preferences button.
    4. Click the Scanning Control tab.
    5. Under Scanner Options make sure the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining.
      • Please leave the others unchecked.
      • Click the Close button to leave the control center screen.
    6. On the main screen, under Scan for Harmful Software click Scan your computer.
    7. On the left check C:\Fixed Drive.
    8. On the right, under Complete Scan, choose Perform Complete Scan.
    9. Click Next to start the scan. Please be patient while it scans your computer.
    10. After the scan is complete a summary box will appear. Click OK.
    11. Make sure everything in the white box has a check next to it, then click Next.
    12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
    13. To retrieve the removal information, please do the following:
      • After reboot, double-click the SUPERAntispyware icon on your desktop.
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (such as Notepad/Wordpad).
      • Please highlight everything in the notepad, then right-click and choose copy.
    14. Click close and close again to exit the program.
    15. Please paste that information in your next reply along with a fresh HijackThis log.
     
  7. jospeh-

    jospeh- Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    49
    It won't allow me to uninstall it; I got an error: Error 1316. A network error occurred while attempting to read from the file C:\WINDOWS\Installer\Java 2 Runtime Enviroment, SE v1.4.2.msi
     
  8. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Ok, work on the rest.
     
  9. jospeh-

    jospeh- Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    49
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/10/2007 at 06:57 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3267
    Trace Rules Database Version: 1278

    Scan type : Complete Scan
    Total Scan Time : 00:22:46

    Memory items scanned : 377
    Memory threats detected : 0
    Registry items scanned : 4579
    Registry threats detected : 8
    File items scanned : 24258
    File threats detected : 9

    Adware.ClickSpring/Resident
    HKLM\Software\Classes\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}
    HKCR\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}
    HKCR\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}\InprocServer32
    HKCR\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}\InprocServer32#ThreadingModel
    HKCR\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}\Programmable
    HKCR\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}\TypeLib
    C:\WINDOWS\SYSTEM32\JQFYKAQ.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}

    Adware.Vundo Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{DC192567-65F9-4AB6-ADB7-E13575F81726}

    Adware.Tracking Cookie
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
    C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

    Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
    C:\WINDOWS\system32\drivers\FOPN.sys

    Trojan.Downloader-ClickSpring/NDrv
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP461\A0300306.DLL

    Adware.WebBuying Assistant-Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP461\A0300309.EXE

    Trojan.Unknown Origin
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP464\A0307485.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP464\A0307489.EXE

    Trojan.Rootkit-TnCore
    C:\WINDOWS\SYSTEM32\DRIVERS\CORE.SYS
     
  10. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Now that the rootkit Core was taken care of by SuperAntispyware, can you run Combofix?
     
  11. jospeh-

    jospeh- Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    49
    After running SUPERAntiSpyware I posted that log, and then it asked to reboot, so I did. But with all the other problems I've been having, my PC doesn't want to shut down on its own most of the time; it's rebooted maybe twice on its own. I usually have to hold the button because it will just hang on the "Windows is shutting down" window, so I had to do that. When I turned it back on it loaded normally, Gateway splash screen and restore screen, then it flashed a blue screen. I couldn't tell you what it said, but then it went to "Windows didn't open properly", so I tried again to open normally. It failed again with the same blue screen flash, at which point I had to open Windows with the last good config. Spybot S&D ran at startup and picked up SmitFraud or whatever it is. After that scan SUPERAntiSpyware popped open a window and said the console window was corrupt. It is working though; I'm scanning again right now.
     
  12. jospeh-

    jospeh- Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    49
    Can you post the link for it please? ComboFix.
     
  13. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Download ComboFix from Here or Here to your Desktop.

    Note: In the event you already have Combofix, this is a new version that I need you to download.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
     
  14. jospeh-

    jospeh- Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    49
    I've got another adware on this scan, Adware.ClickSpring/Resident. What would you recommend if I have to reboot it again?
     
  15. jospeh-

    jospeh- Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    49
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/10/2007 at 07:46 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3267
    Trace Rules Database Version: 1278

    Scan type : Complete Scan
    Total Scan Time : 00:23:56

    Memory items scanned : 301
    Memory threats detected : 0
    Registry items scanned : 4778
    Registry threats detected : 0
    File items scanned : 24246
    File threats detected : 1

    Adware.ClickSpring/Resident
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP468\A0313417.DLL
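
Added example (not part of the thread, and not a SUPERAntiSpyware feature): a parser for the scan-log format posted above that separates what is still live on the system from what is only an archived copy. The constructed inputs are the detection blocks of the two logs in this thread, headers abbreviated. Paths under `System Volume Information\_RESTORE{...}\RPnnn\` are System Restore snapshots; they cannot execute on their own and become a risk only if that restore point is applied, which is why the second scan finding a single restore-point copy, and nothing live, is the reassuring outcome the helper was looking for. Registry-only hits are reported separately so a leftover key is not mistaken for a file still on disk.

```python
import re
from dataclasses import dataclass

# Constructed samples: detection blocks lifted from the two SUPERAntiSpyware
# logs posted in this thread, with the headers shortened.
FIRST_SCAN = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/10/2007 at 06:57 PM

Registry threats detected : 8
File threats detected : 9

Adware.ClickSpring/Resident
HKLM\Software\Classes\CLSID\{343D12F3-D56B-FDBC-4F12-898DBD2684BD}
C:\WINDOWS\SYSTEM32\JQFYKAQ.DLL

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
C:\WINDOWS\system32\drivers\FOPN.sys

Trojan.Downloader-ClickSpring/NDrv
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP461\A0300306.DLL

Trojan.Rootkit-TnCore
C:\WINDOWS\SYSTEM32\DRIVERS\CORE.SYS
"""

SECOND_SCAN = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/10/2007 at 07:46 PM

Registry threats detected : 0
File threats detected : 1

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP468\A0313417.DLL
"""

REGISTRY_RE = re.compile(r"^HK(?:LM|CU|CR|U|CC)\\")
FILE_RE = re.compile(r"^[A-Za-z]:\\")
# System Restore keeps copies of files under a per-snapshot RPnnn folder.
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\SYSTEM VOLUME INFORMATION\\_RESTORE\{[0-9A-F-]+\}\\RP\d+\\", re.IGNORECASE)


@dataclass
class Detection:
    category: str   # e.g. "Adware.ClickSpring/Resident"
    location: str   # registry key or file path as printed in the log
    kind: str       # "registry", "restore-point" or "live"


def classify(location):
    if REGISTRY_RE.match(location):
        return "registry"
    if RESTORE_RE.match(location):
        return "restore-point"
    return "live"


def parse_sas_log(text):
    """Split the log into blank-line-separated blocks; a detection block is a
    category name followed only by registry keys or file paths."""
    detections = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) < 2:
            continue
        category, items = lines[0], lines[1:]
        if not all(REGISTRY_RE.match(i) or FILE_RE.match(i) for i in items):
            continue  # header block (title, URL, counters), not a detection
        for item in items:
            detections.append(Detection(category, item, classify(item)))
    return detections


def live_files(detections):
    """Files still present outside System Restore: the ones that matter."""
    return [d.location for d in detections if d.kind == "live"]


def summarize(detections):
    counts = {"registry": 0, "restore-point": 0, "live": 0}
    for d in detections:
        counts[d.kind] += 1
    return counts


if __name__ == "__main__":
    for name, text in (("first scan", FIRST_SCAN), ("second scan", SECOND_SCAN)):
        found = parse_sas_log(text)
        print(name, summarize(found))
        for path in live_files(found):
            print("  live:", path)
```

On the first log the parser reports three live files (the ClickSpring DLL, the FOPN.sys driver and the CORE.SYS rootkit driver), one registry key and one restore-point copy; on the second it reports no live files at all, only the archived copy in RP468. Clearing old restore points after a cleanup, a standard step that is not on this page, is what removes that last copy.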
     

Short URL to this thread: https://techguy.org/594157
