Core.cache.dsk


ammexico
4 Feb 2008, 08:50pm
I've run Adaware, Spybot SD, SuperAntiSpyware, and AVG antispyware and they all come back clean. I've run ATH cleaner and Vundofix. ComboFix comes back clean in safe mode but when I reboot in normal mode, core.cache.dsk is still there and Combofix can't delete it and all my attempts to manually delete it have failed. Every time I reboot it makes IE my default browser (I use Firefox), and I get IE popups every 5 mins or so when I'm browsing; most of the time the popups hang and don't actually connect to anything. I'm at my wits' end here, any help would be greatly appreciated.

Attached are my Combofix and HJT logs

Veka
4 Feb 2008, 09:46pm
Hello ammexico.

I'll be handling your logs to help you get cleaned up. Please give me some time to look them over.

ammexico
4 Feb 2008, 11:51pm
kk

Veka
5 Feb 2008, 04:41pm
Please do the following...

Step 1:

Please open Notepad
Click Start, then Run
Type notepad.exe in the Run Box.
Click OK.

Step 2:

Now Copy & Paste the entire content of the codebox below into the Notepad window

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\ascc.sys
C:\WINDOWS\mrofinu572.exe.tmp

Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Temp\tn3
C:\WINDOWS\system32\tip4
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\lis6
C:\WINDOWS\system32\kps5
C:\WINDOWS\system32\hs9

Driver::
ascc

Save the above to your Desktop as CFScript.txt

Step 3:

Close ALL open windows/programs.

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Step 4:

After reboot, ( in case it asks to reboot ), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log
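The original poster's complaint was that core.cache.dsk survived every cleanup attempt and reappeared after a normal-mode reboot. As an added example (not part of the thread or of ComboFix itself), this script reads the CFScript above, splits it into its File::, Folder:: and Driver:: sections, and reports which listed targets still exist on disk, so the result of the fix can be checked after the reboot. The CFScript text is a constructed copy of the one posted; the `exists` parameter is mine so the check can be exercised without the real paths.

```python
import os
from typing import Callable, Dict, List

# Constructed copy of the CFScript posted above, same entries and sections.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\ascc.sys
C:\WINDOWS\mrofinu572.exe.tmp

Folder::
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Temp\tn3
C:\WINDOWS\system32\tip4
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\lis6
C:\WINDOWS\system32\kps5
C:\WINDOWS\system32\hs9

Driver::
ascc
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections, one list of entries per section."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):           # section header such as 'File::'
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def leftovers(sections: Dict[str, List[str]],
              exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the File:: and Folder:: targets that are still present on disk."""
    return [p for name in ("File", "Folder") for p in sections.get(name, []) if exists(p)]


def driver_service_keys(sections: Dict[str, List[str]]) -> List[str]:
    """Driver:: entries name a service; this is the registry key ComboFix removes for it."""
    return [r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\" + d for d in sections.get("Driver", [])]


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    for path in leftovers(parsed):
        print("still present:", path)
    for key in driver_service_keys(parsed):
        print("check service key:", key)
```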

ammexico
5 Feb 2008, 06:19pm
Seems to have got it. I really appreciate it.

Veka
6 Feb 2008, 10:32am
Hello, ammexico.

You're right, it's gone! :clap:


Please do the following....


You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix.


Step 1:

Download to your Desktop

ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
AVG Anti-Spyware (http://download.grisoft.cz/filedir/inst/avgas-setup-7.5.1.43-3339.exe)

Step 2:

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step 3:

Install and update AVG Anti-Spyware

After the installation, a free 30-day trial version containing all the extensions of the full version will be activated. At the end of the trial, these extensions will be deactivated and the program will turn into a feature-limited freeware version.
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Do not automatically generate report"
Un-Select "Only if threats were found"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

Step 4:

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Step 5:

Scan your system with AVGAS

Important: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.

Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

Waiting for your reply :)

Veka
9 Feb 2008, 12:13am
Are you there, ammexico? :)

ammexico
9 Feb 2008, 04:27am
Sorry, I don't know how I missed your post. I run AVG, Spybot SD, and Trend Micro PC-cillin at least once a week, and the occasional ATH, which is why I was so perplexed on how I got so badly infected.

Anyway I ran AVG just now, came back clean. Here is the log.

Veka
9 Feb 2008, 10:47am
Very good. :)

There are some unneeded startup items, and you can safely fix them if you want to. This might speed up Windows boot time a bit.

To fix them, do the following:

You are running HijackThis from an unsafe location. Remove HijackThis located on your Desktop.

Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
Double-click HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan button.

Check the boxes next to all the entries you want to fix:

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546). I recommend that you remove the Viewpoint products; however, decide for yourself.

To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
Do the same for each Viewpoint component.
----------------------------------------------------

Please let me know how your computer is working.
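The O4 lines listed in the post above are HijackThis's notation for autostart entries, and the same four shapes recur in every such log: a Run key value with a name, a Run key value with a quoted path and arguments, a Run key value HijackThis shows with no name at all, and a Startup folder shortcut. As an added example (not HijackThis's own code or anything from the thread), this parser turns those lines into the full registry key or folder, the value name, the executable and its arguments, and applies a review heuristic of mine: entries with no value name, or whose executable is given without a directory, get marked for a closer look. The sample lines are a constructed subset of those quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four O4 lines taken from the post above (one per shape).
SAMPLE = r"""O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKCU\..\Run: "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# 'HKLM\..\Run:' abbreviates HKLM\Software\Microsoft\Windows\CurrentVersion\Run
REG_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
DIR_RE = re.compile(r"^O4 - (?P<folder>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")


@dataclass
class Autorun:
    location: str        # full registry key, or the startup folder HijackThis named
    name: Optional[str]  # value name / .lnk name; None when the log shows none
    exe: str
    args: str


def split_command(cmd: str):
    """Separate the executable from its arguments, honouring quoted paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd, "") if end == -1 else (cmd[1:end], cmd[end + 1:].strip())
    m = re.match(r"(?i)(.+?\.(?:exe|com|bat|cmd|scr))(?:\s+(.*))?$", cmd)
    return (m.group(1), m.group(2) or "") if m else (cmd, "")


def parse_o4(line: str) -> Autorun:
    m = REG_RE.match(line.strip())
    if m:
        key = "\\".join([HIVES[m["hive"]], "Software", "Microsoft", "Windows", "CurrentVersion", m["key"]])
        return Autorun(key, m["name"], *split_command(m["cmd"]))
    m = DIR_RE.match(line.strip())
    if m:
        return Autorun(m["folder"], m["name"], *split_command(m["cmd"]))
    raise ValueError(f"not an O4 line: {line!r}")


def parse_log(text: str) -> List[Autorun]:
    return [parse_o4(l) for l in text.splitlines() if l.startswith("O4 - ")]


def needs_review(entry: Autorun) -> bool:
    """Heuristic (mine): unnamed values, or an exe resolved via the search path, deserve a closer look."""
    return entry.name is None or "\\" not in entry.exe
```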

ammexico
10 Feb 2008, 08:26am
I didnt know that about viewpoint, I went ahead and removed it from my system. Everything is running fine.

Veka
10 Feb 2008, 09:31am
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

For cookies issue, see here (http://www.spybot.info/en/faq/37.html)

Next we remove all used tools.

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.
Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from the tutorial above.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com/) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

(http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:

Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!

Trogan
12 Feb 2008, 08:26pm
Glad we could be of assistance! The help you received here was free.

This topic is now closed. If you wish it reopened, please send a Private Message to Trogan (http://icrontic.com/forum/private.php?do=newpm&u=2703) with a link to your thread.

If you are not the user who started this thread, you must start your own Thread (http://icrontic.com/forum/newthread.php?do=newthread&f=57) instead (grin)
_______________________________


Have we helped you with any issues you have had with your PC's or other items? If so, you can now help us by Joining Team 93 (http://icrontic.com/forum/showthread.php?t=29803) and fold for a cure.