#1
01-21-2008
Ackmed
Bronze Member
Join Date: Jan 2008
Posts: 13
PC Experience: Some Experience
HJT- Cant Delete Adware

I have an ad pop up on things I search, and it is annoying. I know what file to delete, but I can't because it's always in use, and I tried safe mode, with a lot of anti-spyware programs, but I can't kill it.

It's called

core.cache.dsk. It's in my drivers folder in system32.

Here is my log
Attached Files
File Type: log hijackthis.log (8.4 KB, 2 views)


#2
01-22-2008
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,938
PC Experience: Elite PC Guru
Re: HJT- Cant Delete Adware

Why are you running an illegal software crack used to bypass copy protection for Windows?


Download SDFix (http://downloads.andymanchesta.com/R...SDFix.exe) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.


__________________
My real name is Eddy

Last edited by Pancake; 01-22-2008 at 01:54 AM.
#3
01-25-2008
Ackmed
Bronze Member
Join Date: Jan 2008
Posts: 13
PC Experience: Some Experience
Re: HJT- Cant Delete Adware

SDFix: Version 1.131
Run by HOME on 2008-01-24 at 05:39
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:
C:\PROGRA~1\ONLINE~1\LAWUHE - Deleted
C:\Temp\1cb\syscheck.log - Deleted

Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk
Folder C:\Temp\1cb - Removed
Folder C:\Temp\tn3 - Removed

Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\explorer.exe
No streams found.

C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.


Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 05:54:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F2A5A8B-FF2E-2DEC-FD9A-5DD9B2E85420}]
"kaekikhkmnmnpffpgddjdm"=hex:67,61,65,6b,6d,6b,6c,6e,6b,65,66,6d,64,6c,00,00
"kaekikhkmnmnpffpgddjam"=hex:66,61,65,70,6c,6d,69,6a,69,63,68,6c,00,70
"maenlfgcdbmlmepomdfbahhcfe"=hex:62,61,68,6a,00,fa
scanning hidden files ...
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Documents and Settings\\HOME\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\HOME\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Sat 28 Jul 2007 1,772,766 A.SH. --- "C:\WINDOWS\system32\qqstv.tmp"
Sat 24 Feb 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 24 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 23 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT32.tmp"
Sun 23 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT30.tmp"
Sun 23 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT34.tmp"
Sun 23 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT33.tmp"
Sun 23 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT35.tmp"
Sun 23 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT31.tmp"
Sat 12 Jan 2008 444 ...HR --- "C:\Documents and Settings\HOME\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 24 Feb 2007 4,348 ...H. --- "C:\Documents and Settings\HOME\My Documents\My Music\License Backup\drmv1key.bak"
Mon 31 Dec 2007 20 A..H. --- "C:\Documents and Settings\HOME\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 17 May 2007 11,754 A.SH. --- "C:\Documents and Settings\HOME\My Documents\My Music\License Backup\drmv2key.bak"
Finished!
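
Added example (not part of the original thread and not SDFix's own code): a small triage script that reads a report in the format posted above and lists what the tool found but could not remove, the catchme hidden-object counts, and firewall exceptions granted to programs in a user profile folder. The sample text is an excerpt trimmed from the report above; the function names and the user-profile check are assumptions made for this illustration.

```python
import re

# Excerpt of the SDFix report posted above (lines taken from the thread, trimmed).
SAMPLE_REPORT = r"""
Trojan Files Found:
C:\PROGRA~1\ONLINE~1\LAWUHE - Deleted
C:\Temp\1cb\syscheck.log - Deleted

Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk
Folder C:\Temp\1cb - Removed

hidden processes: 0
hidden services: 0
hidden files: 1

Authorized Application Key Export:
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Documents and Settings\\HOME\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\HOME\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
Remaining Files:
---------------
C:\WINDOWS\system32\drivers\core.cache.dsk Found
"""

def triage_sdfix_report(text):
    """Summarise what an SDFix report says is still on the machine."""
    result = {"deleted": [], "not_removed": [], "remaining": [],
              "hidden": {}, "fw_user_path": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"(.+) - Deleted", line):
            result["deleted"].append(m.group(1))
        elif m := re.fullmatch(r"Could Not Remove (.+)", line):
            result["not_removed"].append(m.group(1))
        elif m := re.fullmatch(r"([A-Za-z]:\\.+) Found", line):
            result["remaining"].append(m.group(1))
        elif m := re.fullmatch(r"hidden (processes|services|files): (\d+)", line):
            result["hidden"][m.group(1)] = int(m.group(2))
        elif m := re.match(r'"([^"]+)"="[^"]*:Enabled:', line):
            # Firewall exception: un-double the .reg backslashes, then flag
            # programs allowed through the firewall from a user profile folder
            # (a review heuristic assumed here, not an SDFix verdict).
            path = m.group(1).replace("\\\\", "\\")
            if path.lower().startswith("c:\\documents and settings\\"):
                result["fw_user_path"].append(path)
    return result

def unresolved(result):
    """Files reported but not removed (order preserved, de-duplicated)."""
    return list(dict.fromkeys(result["not_removed"] + result["remaining"]))

if __name__ == "__main__":
    r = triage_sdfix_report(SAMPLE_REPORT)
    print("Unresolved:", unresolved(r))
    print("Hidden counts:", r["hidden"])
    print("Firewall exceptions in user profile:", r["fw_user_path"])
```

A file that appears under both "Could Not Remove" and "Remaining Files" is one still held open or protected after the Safe Mode pass, which is the item to hand to the next tool.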


#4
01-25-2008
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,938
PC Experience: Elite PC Guru
Re: HJT- Cant Delete Adware

Before we start cleaning we will need to do some updating. Download SP1a and install it.

Windows XP Service Pack 1a


__________________
My real name is Eddy
#5
01-27-2008
Ackmed
Bronze Member
Join Date: Jan 2008
Posts: 13
PC Experience: Some Experience
Re: HJT- Cant Delete Adware

Why do I have to download SP1a? I have SP2. My problem only consists of core.cache.dsk, which seems undeletable.


#6
01-27-2008
Pancake
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 2,938
PC Experience: Elite PC Guru
Re: HJT- Cant Delete Adware

It's just that I did not see a service pack listed in SDFix... OK, no problem.


Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: A guide and tutorial on using ComboFix
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Caution...Never run and remove files using ComboFix without being supervised by a security analyst.


__________________
My real name is Eddy
