Tech Problem Aggregator

Smitfraud-C.CoreService, completed the 5 STEPS

Q: Smitfraud-C.CoreService, completed the 5 STEPS

Hi

Just the other night while reading a forum I regularly visit, popups started to happen, a TAG (SearchUs) icon appeared on the desktop, Outerinfo appeared in the task bar, MS Office install window pops up, and a few others.

I have AVG, SpywareBlaster, Spybot, and a few others on my PC. After running them Spybot was able to remove a few but the Smitfraud-C.CoreService remained. All of the above symptoms are still happening about every 15 minutes or so.

I completed the first 5 basic steps from this forum you are supposed to do before posting a log. AdAware detected nothing. Panda detected 1 Virus, 37 Spyware, and 6 Hacking Tools/Rootkits. Hopefully somebody can help me. Here is the info...

PANDA:

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vturppm.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mljjk.dll
Adware:adware/cws Not disinfected C:\Documents and Settings\Brian\Favorites\health
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\!Submit\mllmj.dll
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\a1rb7b21.default\cookies.txt[.com.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Profiles\a1rb7b21.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Brian\Cookies\[email protected][1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Brian\Cookies\[email protected][2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Brian\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Brian\Desktop\X Files\SDFix.exe[SDFix\apps\Process.exe]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.go.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.overture.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\025t0t33.default\cookies.txt[citi.bridgetrack.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-1078081533-261478967-725345543-1004\Dc10.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-1078081533-261478967-725345543-1004\Dc6\apps\Process.exe
Virus:Trj/Downloader.OVJ Disinfected C:\WINDOWS\retadpu2000219.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected

DSS Main:

Deckard's System Scanner v20070611.50
Run by Brian on 2007-06-13 at 16:38:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-06-13 20:38:04 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Brian.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:39:00 PM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\c2c145.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Brian\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Brian.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://post-gazette.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r6.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r6.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7CD3CBB0-1DB0-4EC4-84D2-CD5DC4758AA8} - C:\WINDOWS\system32\mljjk.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\vturppm.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [c2c145] C:\WINDOWS\c2c145
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\phadtult.dll",realset
O4 - HKCU\..\Run: [dmcompos] C:\WINDOWS\system32\dmcompos.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Brian\Local Settings\Temp\TICHD003.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://www.viidoo.tv/TVUAx.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1127310759828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll
O20 - Winlogon Notify: vturppm - C:\WINDOWS\SYSTEM32\vturppm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 core - c:\windows\system32\drivers\core.sys
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 3c1807pd (U.S. Robotics V.92 Fax Win Int) - c:\windows\system32\drivers\3c1807pd.sys <Not Verified; U.S. Robotics Corporation; U.S. Robotics Modem Driver>
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 TnIDriver - c:\docume~1\brian\locals~1\temp\tni177.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>


-- Files created between 2007-05-13 and 2007-06-13 -----------------------------

2007-06-13 15:43:59 0 d-------- C:\WINDOWS\LastGood
2007-06-13 14:49:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-06-13 12:09:51 124436 --a------ C:\WINDOWS\system32\phadtult.dll
2007-06-13 03:19:12 1808567 ---hs---- C:\WINDOWS\system32\kjjlm.bak1
2007-06-13 03:18:54 263220 ---hs---- C:\WINDOWS\system32\mljjk.dll
2007-06-13 01:08:56 72832 -----n--- C:\WINDOWS\system32\drivers\core.sys
2007-06-13 01:08:54 33302 --a------ C:\WINDOWS\system32\vturppm.dll
2007-06-13 01:08:54 0 d-------- C:\WINDOWS\system32\o02PrEz
2007-06-12 16:11:46 192512 --a------ C:\WINDOWS\c2c145.exe <Not Verified; ; c2c145>
2007-06-06 17:25:02 53248 --a------ C:\WINDOWS\112uninst.exe <Not Verified; ; 112uninst>
2007-06-06 17:22:22 53248 --a------ C:\WINDOWS\uni_eh42.exe <Not Verified; ; uni_eh42.exe>
2007-06-04 15:18:48 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
2007-06-04 15:17:02 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys <Not Verified; Lavasoft AB; Ad-Watch Registry Protection>
2007-06-04 15:14:56 6272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys <Not Verified; Lavasoft AB; Ad-Watch Beta>


-- Find3M Report ---------------------------------------------------------------

2007-06-13 16:28:49 0 d-------- C:\Program Files\SpywareBlaster
2007-06-13 14:49:26 0 d-------- C:\Program Files\Lavasoft
2007-06-13 14:49:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-13 15:19:52 7680 --a------ C:\WINDOWS\system32\lsdelete.exe


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} C:\Program Files\Outerinfo\Outerinfo.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{7CD3CBB0-1DB0-4EC4-84D2-CD5DC4758AA8} C:\WINDOWS\system32\mljjk.dll
{8A61098D-612B-4EF2-943D-64E920684061} C:\WINDOWS\system32\vturppm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"USRpdA"=""
"3c1807pd"="C:\\WINDOWS\\SYSTEM32\\3cmlink.exe RunServices \\Device\\3cpipe-3c1807pd"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"c2c145"="C:\\WINDOWS\\c2c145"
"GPLv3"="rundll32.exe \"C:\\WINDOWS\\system32\\phadtult.dll\",realset"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"dmcompos"="C:\\WINDOWS\\system32\\dmcompos.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{8A61098D-612B-4EF2-943D-64E920684061}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljjk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturppm

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-06-13 at 16:40:19 ---------

EXTRA.TXT Attached:

A: Smitfraud-C.CoreService, completed the 5 STEPS

PS: It took me 5 hours to do the above (yes... 5 hours) and do the 5 steps.

I took the time to follow the forum rules when posting logs and asking for help.

I hope somebody takes the time to help so the hours I invested don't go to waste.

Many thanks.

Answer Match 102.9%

Hi there. A couple of days ago I was visiting one of the forums I frequent when I started to get popups coming up. Every 3-10 minutes or so 1-2 popups will come up from IE (I use Firefox). If I disconnect my DSL the popups won't come up at all.

I have AVG which scans every night, AdAware, and Spybot which I don't run as often as I should. Following the steps I added SpywareBlaster and ZonedOut for IE too.

I didn't realize until step four that my automatic updates had turned off as well. It seemed odd that I hadn't gotten updates in the last few weeks but when I went to MS Updater it started back up again and I got the updates rolling again.

The last few days AVG has picked up several trojans but continues to delete them. Also when running Spybot it detects Smitfraud-C.CoreService but can't delete it. Panda scan detected quite a few things but I don't remember offhand what they are. The logs are attached as specified.

It would not surprise me if some of this were remnants of when this computer was my brother's. He inherited it when my grandmother died six years ago or so and his roommate ended up getting loads of bad things on it. He had me come over about four years ago because the computer was going very slow. When I got there the wallpaper was screwed up and it took a good ten minutes to load up IE. Eventually I got Spybot and Adaware downloaded and removed over 1000 entries. I've had the computer for about two and a half years now.

If there's anything else ...

A: Smitfraud-C.CoreService, five steps are done

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Enhancement Browser Tools Targetedbanner

---------------------------------------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal...

Answer Match 72.24%

I accidentally infected my computer with security toolbar 7.1. I have done the 5 steps and I did not get a log from that first scan, but here is the log it gave me on the last one.

Deckard's System Scanner v20071014.68
Run by Alan Hickman on 2007-10-21 13:33:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
98: 2007-10-21 18:33:54 UTC - RP572 - Deckard's System Scanner Restore Point
97: 2007-10-21 10:02:26 UTC - RP571 - Software Distribution Service 3.0
96: 2007-10-21 09:56:58 UTC - RP570 - Installed Windows Defender
95: 2007-10-21 09:24:44 UTC - RP569 - Restore Operation
94: 2007-10-20 09:03:00 UTC - RP568 - System Checkpoint


-- First Restore Point --
1: 2007-08-01 05:41:11 UTC - RP475 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-10-21 13:35:50
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.ex...

A: Completed five steps...here is the log.

Bump!

Answer Match 72.24%

Avast seems to find a new malware every 20 min. I could not complete a Panda ActiveScan because the update would stall and hang at 19%.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-30 21:04:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
102: 2008-05-31 01:04:12 UTC - RP583 - Deckard's System Scanner Restore Point
101: 2008-05-30 21:19:31 UTC - RP582 - Restore Operation
100: 2008-05-30 21:12:31 UTC - RP581 - Restore Operation
99: 2008-05-30 21:09:59 UTC - RP580 - Restore Operation
98: 2008-05-30 21:07:03 UTC - RP579 - Restore Operation


-- First Restore Point --
1: 2008-03-02 21:51:33 UTC - RP482 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-30 2111
Platform: Windows XP Service Pack 3 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Awar...

A: I have completed the 5 steps!

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.
Download SDFix and save it to your desktop.
Do not do anything with this yet!


Reboot
Reboot your system in Safe Mode.
Restart the computer. The computer begins processing a set of instructions known as BIOS.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
Instead of Windows loading as normal, a menu should appear
Use the arrow key to highlight Safe Mode and press Enter.


SDBot Fix
Right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the ...

Answer Match 72.24%

Deckard's System Scanner v20070804.61
Run by HP_Owner on 2007-08-05 at 16:46:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:16 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Common Files\AOL\1128887343\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Softw...

A: Completed the 5 Steps

Please stay with this thread, and only post here for this problem. Do not start a new thread, otherwise it is too confusing...

Use Post Reply - left bottom corner. Thanks!!


Next, download ComboFix.exe

Save it to the Desktop

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Please post the ComboFix.txt, and a new HijackThis log in your reply.

Answer Match 72.24%

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:14 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtutq.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run...

A: Completed 2/5 steps - please look over this and tell me what to do

Hello

I needed you to go all the way through the steps. We prefer a more comprehensive set of logs to assist in detecting any malware that may be present. As noted in the final step (Step 5) of our sticky topic (Updated!) IMPORTANT - Read This Before Posting A Log, download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review.
DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
Please attach extra.txt to your post.
To attach a file to a new post, simply
Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer"...

Answer Match 71.4%

Hello and thank you for any help you may be able to give. I've gone through the five required steps before posting my logs for help.

I've run Spybot, Adaware and SuperAntiSpyware and can't seem to clear up whatever the issue is.

Following are the required log files (as well as the "extra" text file attached):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:02 PM, on 1/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\vtsphlxp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program File...

A:HijackThis Log - completed 5 steps

bump

anyone?

19 more replies
Answer Match 71.4%

Deckard's System Scanner v20070905.67
Run by Tom Roach on 2007-10-01 10:32:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
104: 2007-10-01 14:32:38 UTC - RP355 - Deckard's System Scanner Restore Point
103: 2007-10-01 14:17:25 UTC - RP354 - Installed WinZip 11.1
102: 2007-09-30 07:00:16 UTC - RP353 - Software Distribution Service 3.0
101: 2007-09-29 17:11:48 UTC - RP352 - Removed Adobe? Photoshop? Album Starter Edition 3.2
100: 2007-09-29 16:55:46 UTC - RP351 - Installed Windows Internet Explorer 7.


-- First Restore Point --
1: 2007-09-24 19:33:06 UTC - RP252 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Tom Roach.exe) -------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-10-01 10:39:35
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\syst...

A:WinAntiVirusPro - 5 steps completed

1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that & a fresh Hijackthis log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

13 more replies
Answer Match 71.4%

ok, i know i have malware on my computer. i read the 5 steps to do first....

step one-
i ran ad-aware (i have pro edition), no problems found,
as well as spy bot s& d and cwschredder, all fine

step two-i have norton and avg, no problems

step 3-none from that list

step 4-none from that list

step 5-can't update from windows, just get errors

here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:57:51 AM, on 5/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.JBOOGY\Local Settings\Temporary Internet Files\Content.IE5\ZQQBBUH0\stng260[1].exe
C:\Program Files\a-squared\a2guard.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Documents and Settings\Administrator.JBOOGY\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Inte...

A:ok, definitely need help. i have completed the five steps

Hi,

Quote:

If you are seeking help for spyware/antivirus issues, or wish to have your Hijack This log checked, please do not post here!

Post it at the HijackThis Log Help section. I think a mod will move this post.

5 more replies
Answer Match 71.4%

I recently had a virus and used HP recovery and now I don't have any sound. I originally posted this in the sound card forum and was instructed by deejay100six to go through the five steps of identifying a virus. I completed those steps and below is my Panda Scan results. I have the hijackthis results when ever you need them. I originally went through all of the basic steps to fixing the sound problem but nothing worked. Thanks again in advance.

ANALYSIS: 2008-08-16 02:24:44
PROTECTIONS: 1
MALWARE: 19
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1229 [VPS 080815-0] 4.8.1229 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;==============================================================================================...

A:No Sound/5 steps completed

I need some help here guys. Below is my hijackthis results.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:50 AM, on 8/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\...

4 more replies
Answer Match 71.4%

log listed below: DO YOU WANT THE PANDA SCAN ALSO?

had constant pop ups- they have stopped- system very slow..avast found virus in operating system-win32:agent-PSG [drp] and vtutr.dll - trojans

I just know how to computer surf- my son goes to online school- so we really need this computer
log listed below

Deckard's System Scanner v20071014.68
Run by wpccs on 2008-02-03 18:09:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-02-03 23:09:39 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 248 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-03 18:13:54
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WI...

A:hijackthis log- completed 5 steps

Hi dorimom, and welcome to TSF.

Sorry for the delay in looking into your log, as we are extremely busy as you may have noticed. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------


Please download HijackThis. This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Install" button. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Close HiJackThis

--------------------------------------------------------------


Since it has been awhile... Please run Deckard's System Scanner (dss.exe) again, and post the resulting log.

--------------------------------------------------------------

Please include the following in your next reply:

C:\Deckard\System Scanner\main.txt

5 more replies
Answer Match 71.4%

Computer has a very slow startup. I cannot get rid of this Kodak Easyshare. Internet response time a bit faster, page to page.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:44, on 2008-03-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1101823440\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MUSICMATCH\...

A:All Steps Completed Up To Hijack

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.

1 more replies
Answer Match 70.56%

I am experiencing Browser hijacking and pop ups in new tabs.
nothing else yet, that I know of, except a ding (like the one we hear when we click on something that won't work) that just sounds for no reason.
Attached is the requested logs. Thank you so much, in advance.
**All scans were done in safe-mode**

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Owner at 13:01:21.76 on Mon 07/12/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.363 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {B5510F6F-87E1-47F7-A411-360BC453007C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://www...

A:First Steps completed, ready for analysis

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.
When finished, it sh...

12 more replies
Answer Match 70.56%

And by completed the steps I mean I wasn't able to partially do any of the five steps

Step 1: I can't access the add/remove programs option on the control panel, it comes up with this message.

This file does not have a program associated with it for performing this action. Create an association in the folder options control panel.

Step 2: I can't use email on the computer, keeps saying cookies are disabled even though I put it to allow all.

Step 3: Well I never cleaned the system so why bother trying to install these programs? I probably wouldn't be able to install them anyway.

Step 4: When I go to the update site, it says it can't continue because one of the following programs isn't working
Automatic Updates
BITS
event log
I follow their directions, my computer refuses to allow me to enable automatic updates

Step 5: I'm not downloading that program because the way it looks I'm gonna have restore my system

so is my system completely messed up or can you guys help me out?

More replies
Answer Match 70.56%

I'm using Windows XP, I installed, Spybot Search and Destroy and Spyware Blaster (basically completed all 5 steps).
The problem that I'm having is that my computer takes forever to turn on. Then there are a lot of error messages (windows has encountered a problem in " " program and has to close), there are about 20 of these messages, all referring to windows/system32/XXXX.exe where xxxx are all different program files. Most of this started when my kids were playing an online game called Maple story (from Nexon) and a game called Banned story. I've also deleted a program called Absolute start up (that still seems to be lingering, as well as AOL instant messaging (aol always gives me problems). Also hard to get rid of is Spyware bot (as opposed to Spybot search and destroy). Previous to this mess that you see in my log, I ran my Mcafee virus scan and detected (& removed) several viruses (trojans, worms). I hope you can help me clean my mess! Please let me know if you need more info! I've attached the extra.txt. thank you!!!


Deckard's System Scanner v20070905.67
Run by Sandra on 2007-09-13 15:20:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
44: 2007-09-13 19:20:39 UTC - RP44 - Deckard's System Scann...

A:Computer bogged down, I've completed the 5 steps

Hi.
Quite a bit to tidy up....



Go to Start > Run and type

cmd

and OK. Type the below commands and hit "Enter" after each line

sc stop g6euuloz4omli7
sc delete g6euuloz4omli7


Type Exit to close.


=================================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Open *notepad* and copy/paste the text in the quotebox below into it:



Quote:





File::

C:\WINDOWS\system32\bi.exe
C:\WINDOWS\system32\i.exe
C:\WINDOWS\system32\zpoaktwskm.exe
C:\WINDOWS\system32\hklsyrutqdfb.exe
C:\WINDOWS\system32\zkxl.exe
C:\WINDOWS\system32\bxhrwlxbmfmk.exe
C:\WINDOWS\system32\snu.exe
C:\WINDOWS\system32\mzzen.exe
C:\WINDOWS\system32\uxlahgmomyk.exe
O C:\WINDOWS\system32\eni.exe
C:\WINDOWS\system32\aoebviepf.exe
C:\WINDOWS\system32\saqxdpoh.exe
C:\WINDOWS\system32\vlxriufvzco.exe
C:\WINDOWS\system32\szwdlrxb.exe
C:\WINDOWS\system32\xijw.exe
C:\WINDOWS\system32\ftmvqslxii.exe
C:\WINDOWS\system32\rlpawdwuggsf.exe
C:\WINDOWS\system32\mih.exe
C:\WINDOWS\system32\kdepcd.exe
C:\WINDOWS\system32\dqwdsti.exe
C:\WINDOWS\system32\dvbeqh.exe
C:...

15 more replies
Answer Match 70.14%

I have tried to get as far as I could on my own.
ComboFix 07-06-11.3 - C:\Documents and Settings\Dad\Desktop\ComboFix.exe
"Dad" - 2007-06-11 15:35:52 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\teiujdrg.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Dad\APPLIC~1.\curity~1
C:\Program Files\asembl~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Messenger\profsy.html
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent
((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))
2007-06-11 15:35 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-11 15:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-11 14:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-06-08 16:28 15,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbhr.sys
2007-06-08...

A:SMitfraud-c.coreservice

Hi, Welcome to TSG!!

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Download and scan with SUPERAntiSpyware Free for Home Users
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, unde...

1 more replies
Answer Match 70.14%

Machine Windows 2000 (in the 'boys' room), used for surfing and internet gaming.
After complaints of 'need new computer because this one is too slow' I investigated.
1) A remote scan using Norton AV 2007 removed 64 worms, viruses, trojans.
2) Local scan using Avast v4.7 picked up several more on repeated scans.
3) Spybot-S&D removed numerous issues. Sticky issues were 'webcast' and 'smitfraud'. Some were resolved on a boot level scan/repair. Failed to resolve the smitfraud-c.coreservice hijacking of the microsoft IE browser.
4) the combofix.exe recommended on this site ran and fixed the smitfraud issues. See below for its log.txt file
5) rerunning spybot and avast to double check, but browser is back running okay.
Thanks...
 

A:smitfraud-c.coreservice

Hi, Welcome to TSG!!
Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

1 more replies
Answer Match 70.14%

UGHHH!! I have a fairly new system and I have inadvertently gotten a virus or two with something that I have downloaded. All of a sudden I had trouble with winsock (found this out when I couldn't connect to anything via IE or FF) and the system would have to reboot. Sometimes that will work, other times would have to reboot again. I am getting new browser windows opening up that are taking me to random sites. Even if I use FF, IE will still open up as well when I go to a site. I have followed the guide here and done various scans as requested before posting here.

smitfraud-c.coreservice showed up with spybot in C:\WINDOWS\system32\drivers\core.cache.dsk

I would really appreciate if someone can help me. Really am stressing here. No matter how many times I scan with spybot, smitfraud-c.coreservice keeps showing up even though I repair/delete and it says done. Still getting numerous IE opening up taking me here, there, everywhere.

HiJackThis log follows.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:14 AM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\L...

A:Smitfraud-c.coreservice

Hello aussiewench,

We will run ComboFix. You need to disable your AVG Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus: Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.

When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

I see you are running Teatimer. Please disable it because it can interfere with the changes you'll make on your system. If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

Post the ComboFix log.

3 more replies
Answer Match 70.14%

Hi there,

I'm having a horrible time getting rid of this virus. I have run spybot search and destroy and it is not able to get rid of it. I just constantly get pop-ups. I have read through the forums here and see a few others have gotten this virus, but I'm not sure if I should be following the instructions they were given.

I would be very grateful for any help. Thank you!

Tiffany
 

A:Smitfraud-C.CoreService Please help!

16 more replies
Answer Match 70.14%

Hi,
I detected Smitfraud-C.CoreService among other malware with spybot. Spybot helped me remove all but Smitfraud. I have tried using smitfraudfix, but have been unsuccessful. I have run it several times in safemode. After I have run smitfraudfix in safemode I have run spybot in safemode and spybot does not detect anything, however upon rebooting to normal windows core.cache.dsk has been regenerated in C:\windows\system32\drivers\. This version of smitfraud is causing internet explorer windows to pop up when I am on the net with firefox. I believe that I got this because my girlfriend was trying to download stuff off of limewire. I have since uninstalled limewire, and tried rerunning smitfraudfix, and spybot since. Thanks in advance for your help and here is a copy of my HJT log.
-GMFH-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:09:11, on 11/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\U...

A:I need help with Smitfraud-C.CoreService

9 more replies
Answer Match 70.14%

It might also be left overs from a Win32 Virus. Any help you could give would be great.

Deckard's System Scanner v20071014.68
Run by Cuz on 2008-07-23 23:24:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).

-- HijackThis (run as Cuz.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:24:46, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\I...

A:Smitfraud-c.coreservice = So Many Pop Ups

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NEXT

Please visit below webpage for instructions for downloading and running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.

Regards
fenzodahl512

7 more replies
Answer Match 70.14%

Terrible popups. I include my logfile. Will be glad to work with anyone.

Logfile of HijackThis v1.99.1
Scan saved at 06:49:45, on 11/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ppcbooster\ppcb_32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IE... Read more

A:Smitfraud-C.CoreService

Hi Welcome to TSG!!
Download SDFix and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool ... Read more

1 more replies
Answer Match 70.14%

This trojan is making windows pop up when I am browsing the internet. Most of the windows contain information of registry defender, stating that my computer is infected.

I don't know how to manually remove it as Spybot is stating in its description of it, so I'm coming here. HJT log/DSS below

Smitfraud-C.CoreService
(SBI $9C656B9A) Data
C:\WINDOWS\system32\drivers\core.cache.dsk

Product: Smitfraud-C.CoreService
Threat: Trojan

This trojan horse gets installed as a driver and constantly runs in background and connects to malicious servers without any user consent. Removal may require to manually close the file handles of the core.cahce.dsk and core.sys residing in the folder \windows\system32\drivers\.

DirectTrack
Tracking Cookie (Iexplorer: Administrator)

DoubleClick
Tracking Cookie (Iexplorer: Administrator)

Right Media
Tracking Cookie (Iexplorer: Administrator)

Zedo
Tracking Cookie (Iexplorer: Administrator)

Attained from Spybot S&D


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:10 AM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Device... Read more

A:Smitfraud-C.CoreService

Hello and Welcome.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

If you're not receiving help elsewhere, and still require assistance for this issue, and since it has been a few days since you first posted, please do this:

Please run Deckard's System Scanner once again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config

Click on "Check All"

Click Scan!

When finished, it shall produce two logs for you. Post those logs in your next reply.

---------------------------------------------------------------------------------------------

Thank you.

1 more replies
Answer Match 70.14%

When my win xp starts sometimes an explorer pop-up opens or when I'm navigating on web. Spybot couldn't remove this smitfraud. I'm using winxp.
and in Spybot the smitfraud-c.coreservice is pointed to the following lines:

C:\WINDOWS\system32\drivers\core.cache.dsk

Anyone can help me?
and my log is...
 

A:Help wth smitfraud-c.coreService

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 4/3/2006 15:47:30 262144 C:\Arquivos de programas\unst0_0.exe ()

Checking %WinDir% folder...
UPX! 22/8/2004 17:04:56 69120 C:\WINDOWS\daemon.dll ()

Checking %System% folder...
UPX! 8/2/2007 13:49:44 668672 C:\WINDOWS\SYSTEM32\AdjMmsEng.dll (MultiMedia Soft)
WSUD 14/5/2004 07:26:34 14268928 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
aspack 18/3/2005 17:19:58 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll (Microsoft Corporation)
aspack 26/5/2005 16:34:52 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll (Microsoft Corporation)
aspack 22/7/2005 19:59:04 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll (Microsoft Corporation)
aspack 5/12/2005 18:09:18 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll (Microsoft Corporation)
aspack 3/2/2006 08:43:16 2332368 C:\WINDOWS\SYSTEM32\d3dx9_29.dll (Microsoft Corporation)
aspack 31/3/2006 12:40:58 2388176 C:\WINDOWS\SYSTEM32\d3dx9_30.dll (Microsoft Corporation)
aspack 28/9/2006 16:05:20 2414360 C:\WINDOWS\SYSTEM32\d3dx9_31.dll (Microsoft Corporation)
aspack 29/11/2006 13:06:18 3426072 C:\WINDOWS\SYSTEM32\d3dx9_32.dll (Microsoft Corporation)
PEC2 28/10/2001 17:06:18 41128 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PEC2 14/7/2003 19:57:20 31744 C:\WINDOWS\SYSTEM32\flt1chk2.dll ()
UPX! 4/8/2004 01:45:46 848384 C:\WINDOWS\SYSTEM32\ir41_32.ax (Intel Corporation)
UPX! 5/11/2005 21:... Read more

3 more replies
Answer Match 70.14%

Hey I'm new to the forums and I've been getting tons of pop ups on internet explorer while I use Opera. I ran spybot search and destroy and this could not be removed can someone please help me!

here is a log I got of hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:14 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Owner\My Documents\Programs\HiJackThis.exe

O2 - BHO: (no name) - {0D498F79-F... Read more

A:SmitFraud-C.CoreService

can anyone help me?
 

1 more replies
Answer Match 70.14%

We've been having to do some serious purging on my PC, and it seems the only thing left is "Smitfraud-C Coreservice." Spybot S&D keeps saying it can't delete it, and I have no idea what to do. Pop up ads keep breaching my anti-pop up software, and I often get redirected to unrelated sites when searching google. Every time we do a scan, more adware has appeared on my computer, and while I may have little knowledge of computers, I just know that this Smitfraud thing is behind it.

If it's any help, I'm using Spybot S&D ver. 1.4.
 

A:Smitfraud-C Coreservice help, please

7 more replies
Answer Match 70.14%

Hi people, I need your help!

I have an original version of NOD32 2.7, but it doesn't detect any virus...

So my friends recommended that I download Spybot.
Spybot returned 2 "viruses" and one of them always remains undeleted.

Spybot calls it:
//
Product: Smitfraud-C.CoreService
Threat: Trojan
Functionality
Supposed to be some kind of driver

Description
This trojan horse gets installed as a driver and constantly runs in background and connects to malicious servers without any user consent. Removal may require to manually close the file handles of the core.cahce.dsk and core.sys residing in the folder \windows\system32\drivers\. To receive help on this please contact Team Spybot S&D via forums or email.
//

How do I remove it?

What other information do you need in order to help me?

I also downloaded "hijackthis" so I can send you the log if needed...

Thanks in advance, I eagerly await a reply...

P.S. I'm not really well versed in IT slang, so I'd ask that you address me like a small child regarding the steps I need to take
 

More replies
Answer Match 70.14%

Yeah, can't seem to get rid of this. I'm new to this forum too, so you might have to tell me what to do step by step! I found this with Spybot Search and Destroy.
 

A:Smitfraud-C.CoreService

13 more replies
Answer Match 70.14%

Hy
i have a big problem with smitfraud.... spybot found it but it isn´t able to remove!!
help me!

but remember, i don´t speak english well ^^

thx
 

A:Smitfraud-C.CoreService

16 more replies
Answer Match 70.14%

I need some help getting rid of SmitFraud-C.CoreService on Windows Vista Ultimate. I know the fact that it even got on my vista system is rather sad but the fact of the matter is it got there.
Code:
Smitfraud-C.CoreService: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

Smitfraud-C.CoreService: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\core

Smitfraud-C.CoreService: Data (File, nothing done)
C:\Windows\System32\drivers\core.cache.dsk

Smitfraud-C.CoreService: System file (File, nothing done)
C:\Windows\System32\drivers\core.sys
Here is my HiJackThis Log
Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:20:07 PM, on 7/8/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\syste... Read more

A:SmitFraud-C.CoreService

I fixed the problem myself sorry for the trouble.

For vista it seems that you can just boot into safe mode and use spybot S&D to remove it. I have read many times that even in safe mode it wouldn't remove it. But it did for me.
 

1 more replies
Answer Match 70.14%

I have searched numerous places and found what appear to be fixes for smitfraud-C.CoreService but I am not very tech savvy and the pages might as well be written in Latin!

I'm smart and should do well if walked through step by step, but looking at everything all at once is enough to make my brain explode.

I have a Dell Dimension E310 (don't ask, I hate it too.)

Windows XP Home Edition

Spybot S&D, Windows Live OneCare & Windows Defender (both good-for-nothing, so far)

Spybot keeps finding Smitfraud and Virtumonde and can't delete either of them. I think I'll be able to fix the virtumonde but the smitfraud is here to stay unless someone can help me. Also maybe suggest another program to run with my spybot for some added protection?

the pop ups are opening in IE 7.0 although I run Firefox 2 as my browser. One recurring one is a blank page and a windows notification that says "windows cannot find filename 'null' please revise your search" or something along those lines... will post the exact next time it comes up.

Help?!
 

A:Smitfraud-C.CoreService

* Click here to download HJTsetup.exe.
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

3 more replies
Answer Match 70.14%

i seem to have picked up the spyware smitfraud-c.coreservice. i've checked out other threads and it seems that removing it is a little different in each case so i thought i'd post my HijackThis log and hopefully you guys could help me out in getting rid of this nasty thing. i've noticed that removing the "file missing" and "no file" is similar in some cases, but some expert help wouldn't hurt. thanks alot.

Logfile of HijackThis v1.99.1
Scan saved at 2:07:04 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe... Read more

A:smitfraud-c.coreservice

9 more replies
Answer Match 70.14%

Hello,
Thank you for visiting my post. I keep having problems like popups on my computer and spybot says I have Smitfraud-C.CoreService, but when it deletes it, it's still there. I read somewhere that that's because it recreates itself if it's deleted. Here's my log of hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 10:01:56 PM, on 12/12/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Windows\sttray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Users\JCS\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsof... Read more

More replies
Answer Match 70.14%

I have tried many things to get rid of this virus. I have run spybot and it will remove everything but this...it just won't go away.

I have tried deleting the windows/system32/drivers/core.cache....but to no avail.

Can someone please help me ... all these pop up windows keep coming up!

Thank you!

More replies
Answer Match 70.14%

This is maddening. Please help me. I'm not a cpu genius. I've followed the instructions as far as running a wide assortment of anti spyware software and other software. Spybot keeps finding me this crap about Smitfraud, etc. 4 errors, I think. Then pop up after pop up initiated by Spybot keeps coming up asking me for random permissions and then to restart. Upon restart spybot runs again only to reinform me that it can't delete or fix my problems (as it also said previously). I go on to my desktop and dialogue boxes pop up and disappear and a whole other mess ensues. I'm going to throw this cpu at the wall over and over to fix this. Here's a Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:59 PM, on 2/24/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MT6451
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:... Read more

A:Smitfraud-c.coreservice

Hi and welcome,

Sorry for delay and I hope you didn't toss your computer upside the wall yet.

If you still need help please post a fresh HijackThis log here and let me know if spybot is still detecting same issue(s).

Thanks

1 more replies
Answer Match 70.14%

Hi,

I have some problems with my laptop.
I'm running WINXP. Computer is running very slow. A lot of pop ups appear when connected to the internet. And since a few days, I can not run WIN in normal mode but only in safe mode, because in normal mode I get a BSOD : driver_irql_not_less_or_equal immediately after starting up.

I have run :
* virus scan with avast
* scan with Spybot

Some malware and viruses were detected, but the programs could solve everything ... except the SmitFraud-C.CoreService. Spybot kept saying that it could not be removed.
It's mentioned on your forum not to do anything yourself. I read this too late. So after searching the internet for a solution, I ran the programs Smitfraudfix.exe and Combofix.exe.
Now Spybot doesn't find any malware or viruses. I don't know if my problem is solved because I keep getting the BSOD on startup. I don't even know if the BSOD has something to do with malware or viruses. I didn't install new hardware since at least 6 months. A few games were installed lately.

I hope I didn't ruin the system by 'doing it myself'.

Anyway, I include here the HJT log. I tried to use DSS, but it gave me an error report which I could send to Microsoft.
I noticed that the log mentions a normal boot mode. On my screen it says although safe mode.

Can anybody help me please ?
Thanks.


----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:12, on 2007-08-15
Platform: Windows XP... Read more

A:help with Smitfraud-C.CoreService (?)

Me again,

I tried DSS again and now it worked.
Please find the files hereunder and in attachment.




Deckard's System Scanner v20070809.63
Run by Toshiba on 2007-08-15 at 15:40:57
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
20: 2007-08-14 09:27:22 UTC - RP63 - Verwijderd: HP Software Update
19: 2007-08-14 09:24:38 UTC - RP62 - Verwijderd Touch and Launch
18: 2007-08-14 09:23:45 UTC - RP61 - Verwijderd TOSHIBA-handleidingen
17: 2007-08-14 09:22:04 UTC - RP60 - Verwijderd TOSHIBA Controls
16: 2007-08-14 09:21:41 UTC - RP59 - Verwijderd ConfigFree


-- First Restore Point --
1: 2007-05-16 12:55:55 UTC - RP44 - Controlepunt van systeem


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Toshiba.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:05, on 2007-08-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Syste... Read more

10 more replies
Answer Match 70.14%

I'm getting random popups. When i run spybot in safemode it detects no problems, but when i run in normal mode the only thing it couldn't fix was Smitfraud-C.CoreService C:\WINDOWS\system32\drivers\core.cache.dsk. I ran VundoFix and it no longer have any files to remove, but I'm still getting popups. I used SDfix in safemode, still didn't fix it. Also used SmitFraudfix (normal mode), still didn't fix it. Not sure what to do. I tried manually deleting "core.cache" in the "C:\WINDOWS\system32\drivers" but it says "Cannot delete core.cache: It is being used by another person or program. Close any programs that might be using the file and try again."

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:20 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files&... Read more

A:Smitfraud-c.coreservice

Welcome to the BleepingComputer HijackThis Logs and Analysis forum KKelvin

My name is Richie and i'll be helping you to fix your problems.

It appears you've no virus protection installed, which is somewhat suicidal.
Please download/install Avira AntiVir Personal Edition Classic [Free]: http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your pc when you've done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed. Click the "Report File" button, then copy and paste the report into your next reply.

If you have previously downloaded ComboFix, please delete that version now.

Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop:
Note It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.
Note Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note In case your Antivirus... Read more

53 more replies
Answer Match 70.14%

Hi..

since last month i been trying to clear my new pc
avg-antispyware , doesnt recognize C:\Windows\System32\drivers\core.cache.dsk
spybot s&d..recognize, doesnt clean...
killbox, fixvundo...also...

i dont know what to do.

thanks
Eduardo
hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:07 a.m., on 24/01/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\System32\mstsc.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\W... Read more

More replies
Answer Match 70.14%

Help,

Getting ad pop up windows. Followed all the instructions in "Preparation Guide for use before posting a HijackThis Log" and ran all the virus/spyware removal tools that were listed. Not sure what type of adware I have, but each time I run spybot search and destroy it comes up with "Smitfraud-C.CoreService. Below is the Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:09 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:&#... Read more

A:Smitfraud-c.coreservice?

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed. Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply with a fresh HijackThis log.

3 more replies
Answer Match 70.14%

I would appreciate assistance with the following problem: Spybot repeatedly detects Smitfraud-C.coreservice (c:\windows\system32\drivers\core.cache.dsk). I have taken the steps referenced in the "Preparation Guide for use before posting a HijackThis Log."

I also ran SmitFraudFix v2.274.

Here is the HijackThis log.

Thanks in advance.
Spied

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:57 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32 ... Read more

A:Smitfraud-c.coreservice

Hi Spied,

Please download ComboFix to your desktop
Double click combofix.exe and follow the prompts
Note: Do not click ComboFix's window while it's running - it may cause it to stall!
If after ComboFix finishes you do not have internet access, then reboot your computer to restore it
When finished, it shall produce a log for you, please post it in your next response

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your Desktop and include a copy in your next response.
Now press Back and Scan and then Save log to create and save a new HijackThis log.

Once complete, please post the ComboFix report, the uninstall list and a new HijackThis log.

14 more replies
Answer Match 70.14%

Smitfraud-C.CoreService: [SBI $9C656B9A] Data (File, fixed)
C:\Windows\System32\drivers\core.cache.dsk
please help me remove thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:15 PM, on 2/8/2008
Platform: Windows Vista SP1, v.668 (WinNT 6.00.1905)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Minefield\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D... Read more

A:Smitfraud-c.coreservice

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and i'll be helping you to fix your problems.

Apologies for the late response, as i'm sure you can appreciate we are extremely busy.

If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere then please let us know.

If you still require help, please post a new Hijackthis log into this topic in your next reply.
Also post a detailed description of the issues you're experiencing.

*Note*
Post all reports/logs directly into this topic, not as attachments, thanks.

1 more replies
Answer Match 70.14%

Started getting IE popups in firefox so i scanned with Spybot S&D and found i had this spyware SmitFraud-C.CoreService here is the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:44 PM, on 9/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
C:\Program Files\PC Tools Internet Security\pctsSvc.exe
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\Documents and Settings\All Users\Application Data\Zwangi\zwangi110.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zwangi\zwangi.exe
...

A:SmitFraud-C.CoreService

Bump...still need help
 

Answer Match 70.14%

Can someone please walk me through the steps of removing the Smitfraud-C.CoreService from my computer? According to Spybot the location of the spyware is the following:

Data: C:\\WINDOWS\system32\drivers\core.cache.dsk
System file: C:\\WINDOWS\system32\drivers\core\sys
Settings: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\core
Settings: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:00:37 PM, on 6/26/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Fazal Khan\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaptest.com/myhome.jhtml;jsessi.....

A:Smitfraud-c.coreservice! Please Help Me!

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, FAZAL.

Before we can provide you with any further assistance, you first need to go here and install Service Pack 1: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system. As your machine stands right now it's extremely vulnerable to infection. You need to get these updates installed first before we can proceed or we'll both be wasting our time.

Note: Do not install Service Pack 2. If you install SP 2 on an infected machine it will cause serious problems within the operating system.

When you've finished the above, post a new HijackThis log in your next reply.

Answer Match 70.14%

My spybot picked this item up and could not repair. Appears to be in the system deep.

Noticed another post where it was indicated that a hijack this log be posted - so here it is, thanks in advance to anyone who helps.

Logfile of HijackThis v1.99.1
Scan saved at 6:24:18 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\wspan\swgw\FilterAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\DllHost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C...

A:SMITFRAUD c.coreservice

Hi, Welcome to TSG!!
Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
 

Answer Match 70.14%

Hey guys, I noticed I was getting lots of random pop-ups so I ran Spybot - S&D. It came up with smitfraud-c.coreservice which it couldn't remove.

This is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:35:50, on 02/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Teleca Share...

Answer Match 70.14%

Hi, I've had an infection of Smitfraud which I have successfully removed, but I also have this coreservice thing which is being picked up by SpyBot S&D and I can't figure out how to remove it - it wasn't removed along with the regular smitfraud. Here is a HijackThis log if anyone can help me - thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 11:06:02 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Common Files\R...

A:Smitfraud-c. coreservice

Also meant to add that targetsaver is being flagged by spybot. It claims to have removed it but each time I run it, it flags it again. I don't know if the two issues are related. I also have something which is preventing me from opening task manager. Any ideas would be gratefully appreciated!
 

Answer Match 69.72%

Hello and this is my first post.. I'm using an account a friend let me use.

Earlier this week I was viewing a page in Internet Explorer(Mind that I don't prefer IE, I mainly use Firefox) and something attacked my system and started bringing up popups about a "free spyware remover" program, telling me my computer was infected. Knowing this was a hoax, I closed them, only to find that they'd uploaded something to my system. It seemed like adware. There was an icon in the taskbar that would not go away, saying the same thing as the popups- "Your computer is infected! Click here to download spyware remover!" On top of that, the files or whatever have disabled most administrative capabilities I once had, like the Control Panel, Add/Remove programs, and even the Desktop Properties menu.

Now I've tried at least 4 programs to rid myself of this annoying problem- Norton, SpyBot S&D, and none have fixed it.

A friend recommended me to you guys and it looks like you really know what you're doing. I've completed steps 1-5 to the best of my abilities as of now. I couldn't even do step 1 due to the fact that the malicious stuff has disabled my Control Panel. Step 2 concerning the Panda ActiveScan was unsuccessful, as the popup window doing the scan mysteriously closed part-way through the scan.

Anyway, here's the DSS and HijackThis reports. Any help is greatly appreciated. I want my computer back! And REVENGE!

Deckard's System Scanner v20070826.66
R...

A:Spyware/Malware/SOMETHING Steps 1-5 completed(kind of)

Sorry for the double post, there doesn't seem to be an edit button.

Also try to keep it in layman's terms, I'm not that much of a computer wizard- just a gamer.

Answer Match 69.72%

Hi all,

This is my first post and I wish it was on better terms. I am getting pop ups telling me that I have Win32.trojan.rx. My background on my desktop turned red and I have no access to my task manager.

I have tried downloading DSS but cannot.

Things I have already tried (hope this helps in coming to a quicker resolution):

1) Run Adaware in safe mode
2) Run Spybot in safe mode
3) Run Ez Armor virus scanner in safe mode
4) Run cc Cleaner in safe mode
5) Delete temporary internet files
6) Downloaded but have not yet run AVG anti virus.
7) Looked for suspicious items in control panel (add/remove programs), found slotchbar but cannot remove it.
8) Made hidden files viewable

My biggest fear is that this trojan got a hold of my banking and credit information. Is there any way to confirm?

Listed below is my Hijack this log. I know you are all very busy and appreciate your help.

Logfile of HijackThis v1.97.7
Scan saved at 2:34:58 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDO...

A:Win32.trojan.rx Need help (completed basic steps)

Update:

I also ran SmitFraudFix and had it clean files as well.

I don't know if the problem is fixed but I now have access to my background and task manager. My computer is also NOT alerting me any more telling me I have a virus.

I'm skeptical to think I am cured but I posted both the SmitFraudFix log and a new HijackThis log below. Please review and let me know. Thanks for your help.

SmitFraudFix v2.194

Scan done at 15:10:25.20, Sat 06/09/2007
Run from C:\Documents and Settings\John Pagnotta\Desktop\Antivirus\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\susp.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{80D56E64-E792-4579-957C-DFA59D348CD8}: DhcpNameServer=167.206.245.71 167.206.245.70 167.206.245.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{80D56E64-E792-4579-957C-DFA59D348CD8}: DhcpNameServer=167.206.245.71 167.206.245.70 167.206.245.7
HKLM\SYSTEM\CS2\Services\Tcpip\..\{80D56E64-E792-4579-957C-DFA59D348CD8}: DhcpN...

Answer Match 69.72%

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:43 PM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Common Files\AOL\1133363615\ee\AOLSoftware.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\CreataCard\Gold\FMRemind.exe
C:\Prog...

A:Hijack This Report-prior Steps Completed

Hello bigdaddy43 and welcome to the BleepingComputer Forums. Since it has been a few days, please post a new HijackThis log. Please tell me what is wrong with this computer. Thank you for your patience.

Answer Match 69.3%

When I run Spybot it detects Smitfraud-C.CoreService and also Virtumonde but can never rid itself completely of either. Smitfraud has a registry key which I cannot be rid of, though I did get rid of two Smitfraud files in safe mode. Virtumonde keeps finding files such as efcyyaa.dll and jkkjh.dll but I cannot delete them even in safe mode. This is all set off by the fact that after going at least a full year without dealing with pop-ups, they started appearing very frequently. Not constantly, but enough "pop up" that it's incredibly annoying. I hope all this helps. Thanks in advance. I have followed the 5 advance steps and here is what I've come up with:

Deckard's System Scanner v20070603.47
Run by Al on 2007-06-09 at 00:28:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 3 Restore Point(s) --
3: 2007-03-02 09:40:49 UTC - RP4 - Spybot-S&D Spyware removal
2: 2007-03-02 08:08:33 UTC - RP3 - Removed Picture Package
1: 2007-03-02 08:06:06 UTC - RP2 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Al.exe) --------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:29:26 AM, on 6/9/2007
Platform: Windows XP SP2 (W...

A:Smitfraud-C.CoreService/Virtumonde plus Pop-ups

1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Answer Match 69.3%

I've done a ton of searching and tried a lot of different things to try and get rid of this but it keeps popping up in spybot. Spybot will not remove it. I guess I start with a HJT log. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:18 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\LEXBCES.EXE
F:\WINNT\system32\spoolsv.exe
F:\WINNT\system32\LEXPPS.EXE
F:\WINNT\Explorer.EXE
F:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
F:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
F:\WINNT\system32\ctfmon.exe
F:\Program Files\Nikon\PictureProject\NkbMonitor.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\WINNT\System32\nvsvc32.exe
F:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
F:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
F:\WINNT\System32\svchost.exe
F:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
F:\Program Files\internet explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Doc...

A:Solved: smitfraud-c.coreservice help

Answer Match 69.3%

Hi, I get Internet Explorer popups from time to time. After running antivirus programs and adaware, Spybot found that I had the "smitfraud-c.coreservice" trojan. Spybot says it successfully removes it but then it comes back on the next scan.

Here is this HijackThis log. Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:50 AM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files...

A:Smitfraud-c.coreservice Infection

Hi and welcome,

Sorry for delay. If you still need help please post a fresh hijackthis log here and let me know if core.cache.dsk is still giving Spybot troubles.

Thanks

Answer Match 69.3%

I read a thread from the resolved area and proceeded to follow some of the steps. I ran HijackThis before I started and it is posted below. I next ran ComboFix.exe and have included that log and a fresh HJT log. Please advise as to any further steps required.

Before HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:10 AM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\KENSIN~1\Keyboard\Ikeymain.exe
C:\WINDOWS\system32\explorer32\WinsysMngr32.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
F:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Logitech\Desktop Messenger\88764...

A:Smitfraud-C.CoreService Removal

Welcome crichtberg

Set Windows to show hidden extensions, files and folders.
click for> instructions<.

Manually delete these files and folders
C:\WINDOWS\wqkz
C:\Program Files\Common Files\wqkz
C:\WINDOWS\RElWMDg
C:\bintheredunthat
C:\Documents and Settings\ALL USERS\APPLICACTION DATA\FUNKMAILMEDIASPAM
C:\Program Files\BurnBindMath
C:\Documents and Settings\Family\APPLICACTION DATA\BurnBindMath
C:\Documents and Settings\admin\3643.bat
C:\Documents and Settings\admin\x.exe
C:\Program Files\MessengerPlus! 3
C:\WINDOWS\Winload3232.exe


Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}]

;
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information.
Once you get a successful message delete fixme.reg.



Start a HijackThis scan and place a check next to these items if there.
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

and this also unless you installed it intentionally and intend to keep >
O4 - Global Startup:...

Answer Match 69.3%

recently my laptop started popping up fake messages that it was infected and that i needed to download anti-malware software. i ran spybot s&d and it found a bunch of things that it was able to remove. however, it couldn't get rid of the Smitfraud.C Coreservice. i haven't gotten the popups recently, but i've kept the computer off for the most part. also, the Smitfraud.C Coreservice is preventing me from navigating to a lot of sites, including this one so i'm using another computer to post this. i've downloaded and run the dds program and am posting the dds.txt file contents below. i'd really appreciate any help you could give me in getting rid of this. i was hoping to give this laptop to my mother at some point, but i can't give her a sick computer. thanks very much.
- jonah
DDS (Version 1.1.0) - NTFSx86
Run by Owner at 20:43:08.73 on Sat 01/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.905 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
sv...

A:infected by Smitfraud.C Coreservice

anyone? help please?

Answer Match 69.3%

Hello,

I noticed a couple of days ago that I was getting excessive pop-ups when I tried to get onto the internet (both Firefox and Internet Explorer). I did a Spybot S&D scan to find multiple problems. I was able to permanently remove all of them but "Smitfraud-C.Coreservice". After coming to the forum I followed all of the instructions located in the "before you post" link, yet the little monster was still there. I am ready (definitely) and able (hopefully) to follow any instructions you may have to help me. Thanks in advance!

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:48 PM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:...

A:Infected With Smitfraud-c.coreservice

Hi and welcome,

Sorry for delay.

Several infections present.
If you still need help please post a fresh hijackthis log here.

Thanks

Answer Match 69.3%

Hi,

I have been having popups deluding my computer when I start using Internet Explorer. I have McAfee antivirus software and firewall installed and running. On a friend's suggestion I recently ran Spybot Search and Destroy and it identified and removed a whole lot of stuff. But in the end it could not remove Smitfraud-C.CoreService. There were 2 registry entries and 2 files in the Spybot window associated with Smitfraud. I ran Spybot on restart of the computer and it still could not remove Smitfraud.

I also ran SmitfraudFix; that also did not get rid of it. Now I am hoping someone on this forum can help me. As per instructions on topic 34773 I downloaded and ran dss.exe. It created 2 log files, main.txt and extra.txt, which I have attached to the post. Please let me know what to do next.

Thanks,
yezdi

A:Smitfraud-c.coreservice Infection

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop. Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet. Double click combofix.exe and follow the prompts. When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Answer Match 69.3%

Please help me to clean my PC...I am going crazy with this item
DDS.txt

DDS (Version 1.1.0) - NTFSx86
Run by SWETA at 21:50:02.84 on Tue 12/30/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.454 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\...

A:infected with Smitfraud-c. CoreService

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

While we are working on your HijackThis log, please:
Reply to this thread; do not start another!
Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
Do not run any other tool until instructed to do so!
Let me know if any of the links do not work or if any of the tools do not work.
Tell me about problems or symptoms that occur during the fix.
Do not run any other programs or open any other windows while doing a fix.
Ask any questions that you have regarding the fix(es...

Answer Match 69.3%

My first time here, so Hello - and I hope I'm doing this right.
I have browsed several other users' cases: it seems I'm not the only one who has been infected. I have downloaded many different programs in the past few days. They all say they can get rid of viruses/malware/spyware/whatever it is, but every time I restart and SpyBot tells me it's still there. I'm seeing multiple popups (full-size browser windows, but always empty - it just says "Connecting"). I have tried my PC-Cillin (pre-installed on this Dell XPS 420) but that isn't helping either. So, I have created the HiJackThis log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:43 PM, on 2/25/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\syste...

A:Persistent Smitfraud-c.coreservice

Hi and welcome,

If you still need help and have not been helped elsewhere please post a fresh hijackthis log here.

thanks

Answer Match 69.3%

I have constant pop-ups in Windows Internet Explorer--even when I am using FireFox the Explorer windows still pop-up.

I have done the 5 step process on this website which was a big help, and I have also run Norton, AdAware, and Spybot on my computer, but there is something on my computer that none of this will get rid of and it seems to be something in my registry.

Any help would be greatly appreciated. Thank you!!

Here is the information from Deckard's System Scanner:

Deckard's System Scanner v20071014.68
Run by Jessica Holbrook on 2008-01-05 12:11:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
102: 2008-01-05 17:12:02 UTC - RP102 - Deckard's System Scanner Restore Point
101: 2008-01-05 06:01:22 UTC - RP101 - Last known good configuration
100: 2008-01-05 06:01:18 UTC - RP100 - Installed Ad-Aware 2007
99: 2008-01-05 06:01:18 UTC - RP99 - Removed Windows Defender
98: 2008-01-05 06:01:18 UTC - RP98 - Last known good configuration


-- First Restore Point --
1: 2008-01-05 06:01:13 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jessica Holbrook.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved...

A:Constant Pop-Ups: Smitfraud-C.CoreService

I posted a post about pop-ups on Saturday with my log after I finished the 5 step process listed on the forum. Click here to see that post.

But, just a few minutes ago everything on my screen started flying by 100 miles an hour and wouldn't stop. Everything on my screen was moving horizontally from left to right and would not stop until I turned off my computer. Has anyone ever seen this before?

Please help!

13 more replies

I started getting Internet Explorer pop-ups while using Firefox (it also happens with IE). I ran AdAware, SpybotS&D, Trend Micro's Housecall Scanner, etc. Everything appears to be clean now except SpybotS&D is detecting "Smitfraud-C.CoreService" and a drivers file "Core.Cache.DSK". SpybotS&D doesn't get rid of it, it just comes back.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:04 PM, on 11/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cndt
R1 - HKCU\Software...

More replies

I have tried combofix, vundofix, smitfraudfix and sdfix but spybot keeps finding Smitfraud-C.CoreService and is unable to delete it. Thank you for your help.

Logfile of HijackThis v1.99.1
Scan saved at 12:15:27 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Memeo\AutoBackup\MemeoService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Raxco\PerfectDisk\PDAgent.exe
F:\WINDOWS\System32\HPZipm12.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
F:\Program Files\ATI...

A:Help needed Smitfraud-C.CoreService

9 more replies

You have addressed this issue in various places throughout this forum, but due to forum security I am required to start a new thread.

Basically, after running spy sweeper, spybot, Ad-Aware, AVG AV, AVG root-kit. I am able to clean/eliminate all malware, spyware, grayware from my machine, except for Smitfraud-C.CoreService. In reading the other threads concerning this issue, I have run HJThis and saved a log:

---
Logfile of HijackThis v1.99.1
Scan saved at 1:24:08 PM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe...

A:Smitfraud-C.CoreService Removal

Welcome to TSG

Please download RogueRemover from this link.
http://www.malwarebytes.org/rogueremover.php

Unzip to a convenient location such as C:\RogueRemover.
Navigate to the folder you unzipped the files to and double click on the file named RogueRemover.exe.
Let the program update its database.
Finally, select Scan and the program will walk you through the remaining steps.

Re-boot after and please post a new H/T log.
 

3 more replies

Hi I have downloaded spybot and it keeps picking this plus other things up. It fixes other issues but this remains, I'm going out of my mind at this stage.
Can anybody help me please, tia
Su
 

A:Solved: Please help Smitfraud-C.CoreService

16 more replies

Hi, I've been having the same problem as many others with the subject file name, can anyone please help me out with removing this?

I'm using Vista Basic on my PC and have the following AV/Spyware programs, F-Secure(Beta), Spybot, Killbox, Popgun.

Below is a recent HJT scan result:

Logfile of HijackThis v1.99.1
Scan saved at 18:03:16, on 30/05/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\PopGun\PopGunFull122.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Softwa...

A:Remove Smitfraud-C. Coreservice

Can anyone help me with this please?
 

1 more replies

I have been infected with something? Malware - Virus....I'm not sure. I initially had Lavasoft AdAware and SpyBot Search and Destroy. Both show that I have problems that cannot be deleted. Since then I have been downloading various spyware detectors in order to solve this and nothing seems to work. When I run SpyBot S&D it says that it cannot delete Smitfraud-C. CoreService. I almost tried some of the other users' advice, but I am overwhelmed by how many people have similar problems, but almost all were solved in different ways. So I am stepping out of my comfort zone and posting my own thread. Thanks for your help in advance!

Here is a copy of my Hijack This Report

Logfile of HijackThis v1.99.1
Scan saved at 10:02:20 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program F...

A:Solved: SmitFraud-C. CoreService

9 more replies

For a few weeks now I've had numerous pop ups appear on my pc and can't get rid of the cause. I am using firefox 2 as my browser but my pc tries to open up the pop ups through Internet Explorer.

I have tried a variety of different ways to remove this virus but have come to a dead end.

Whilst doing a search with Spybot S&D I get the following file which I cannot remove:

"Smitfraud-C. Coreservice" which has 4 other files contained within it. When I try to remove it, one of the files can be deleted and the other 3 can't. It then asks if I want to do another scan on boot and I've tried this as well but still can't remove these files.

I have the following antivirus/spyware programs on my pc:

Spybot S&D, Pop Gun, Kill box, F-Secure(Beta version for Vista).

I have also had AVG Antivirus on my pc and tried to remove it with this but this didn't work either, this is when I actually caught the virus.

Could someone kindly assist me in removing this from my pc?

I've posted in another couple of forums but had no reply.

Below is a recent Hijack This Scan I did:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:38, on 04/06/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology...

A:Remove Smitfraud-c. Coreservice

Hi,

aren't you getting help here: http://forum.securitycadets.com/index.php?showtopic=3022 ?

If not, please post either here or in the thread at SecurityCadets where that you want to be helped.

In that case we don't have to do the same work twice.

Regards,
Rosty.

2 more replies

Followed your initial suggestions, but Spybot still picks up 4 instances of this and can't fix them. I'm running Vista, so Smitfraud Fix, etc., don't work.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:04 PM, on 8/29/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Carolyn\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Inte...

A:Infected --- Smitfraud-c.coreservice

Hi

Please post a fresh hjt log.

2 more replies

As soon as I startup I receive "userinit.exe error message" and taskbar does not appear. I use task manager to open browser. Many webpages open in new browsers, some explicit which is a concern as I have young children in the room where the computer is. I have run spybot, but twice per scan I receive the error message:

There were problems in the include file C:\Program Files\Spybot - Search_Destroy\Includes\Trojans.sbi
See 'Include errors.log' for details.

which I am not able to locate. I only scanned the 'Critical Areas' using the Kaspersky scan.

Thanks in advance for your help and guidance!

---------------------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-08-04 15:55:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
54: 2008-08-04 22:55:51 UTC - RP660 - Deckard's System Scanner Restore Point
53: 2008-08-04 19:34:19 UTC - RP659 - System Checkpoint
52: 2008-08-02 03:37:00 UTC - RP658 - System Checkpoint
51: 2008-07-31 02:29:12 UTC - RP657 - System Checkpoint
50: 2008-07-29 20:13:26 UTC - RP656 - System Checkpoint

-- First Restore Point --
1: 2008-07-26 02:07:53 UTC - RP607 - System Checkpoint

Backed u...

A:Infected With Smitfraud-c.coreservice

Hello dec512

Welcome to BleepingComputer

========================

Since you are working through the task manager you can save combofix to your C:\Drive as well as the Recovery Console file you can then right click on the Recovery Console file and choose Copy and then paste it Onto Combofix to run it.

==========

Please visit this web page for instructions for downloading and running Combofix > ComboFix Instructions

This includes installing the Windows Recovery Console. Vista users do not need to do this

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

19 more replies

After the last run of Spybot Search&Destroy, it seems my popups have at least temporarily disappeared, but - as you've well-documented in these forums - the Smitfraud files cannot be dealt with by S&D. I don't know if it will cause problems, but I suspect I should seek help to eliminate it based on what I've read. I use Firefox almost exclusively, but not everyone in my family does. A HijackThis log follows, in the event you elect to assist me at your convenience.

Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 11:40:43 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Pand...

A:Smitfraud-C.CoreService Remaining

7 more replies

Spybot indicates an infection with Smitfraud-C.CoreService & Virtumonde that I'm unable to remove. Symptoms include slow boot, aggressive popups, non-responsive IE and firefox. Started at 1842 on 4-14-08 and I need help removing infection.

Thanks
James

main.txt

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-27 19:51:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.77 GiB (less than 15%) free.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:29 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\...

A:Smitfraud-c.coreservice & Virtumonde

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis Log and an Uninstall List (instructions forthcoming)

Step # 1 Download CCleaner

Download CCleaner from here to clean temp files from your computer. Double click on the ccsetup.exe file to start the installation of the program. Select your language and click OK, then next. Read the license agreement and click I Agree. Click next to use the default install location. Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box. Click Install then finish to complete installation.

Step # 2 Retrieve the Installed Programs List from CCleaner

Open CCleaner if it's not already running. In t...

3 more replies

I am very thankful for any time you can spend on this. Thanks for any help in removing this nasty infection!!! Log below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08, on 2007-11-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\[email protected]\winFAH.exe
C:\Program Files\Gigabyte\ET5Pro\GUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\[email protected]\FahCore_82.exe
C:\WINDOWS\system32\wuauclt.e...

A:Infected With Smitfraud-c.coreservice

Hello and welcome aboard!

One or more of the identified infections is a backdoor trojan -> http://www.sophos.com/security/analyses/trojvbdxp.html

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I cannot guarantee it will be 100% secure afterwards. Let me know if you want to try and rid it off the system.

4 more replies

Hi,
I ran spybot and adaware and cannot get rid of this annoying spyware on Vista. Smitfraudfix won't work on Vista. I am a newbie to this forum so here is my hijackthis log. If someone can help me it would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 10:13:17 PM, on 8/6/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\WerCon.exe
C:\DOWNLOADS\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Mai...

More replies

How do I remove this trojans..Please help Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:29 AM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\...

A:Infected With Smitfraud-c.coreservice

Hello, soken. to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:

While a HJT Team member is working with you, please refrain from making any changes to your computer.

Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.

If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.

Please reply using the button in the lower left hand corner of your screen.

Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of ...

11 more replies

Hey everyone.. I'm like a complete n00b at cleaning my computer from viruses, trojans etc...
Anyways, I was doing my weekly scan of my laptop with Spybot-Search and Destroy, and this program Smitfraud-C.CoreService just appeared. I clicked on 'Fix selected problems' but it didn't go away. A pop up appeared asking if I wanted Spybot to run on startup. I clicked yes, restarted in Safe Mode and, alas, it wouldn't go away. I searched the web for a few hours on how to get rid of it. I found a program called SmitfraudFix.exe and I ran it. But it wouldn't remove the entries, saying I didn't have Admin privileges... but I only have one account on my laptop, and it was an Admin account. I don't know why but.... it didn't work... and now, as I'm writing this thread, I'm getting literally hundreds of pop ups. Please, anybody, help me. I've even taken the liberty of producing a HJT log.
Please help a distressed Grade 11 person finish off his History homework in peace.

Daniel

The HijackThis! Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:22 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe...

A:Smitfraud-C.CoreService wont go away! HELP!!!

16 more replies

I really can't get rid of it. I've run Spyware S&D, Adaware, Spydoctor along with a bunch of other freebies and this pest won't shake. Thanks in advance for all the help..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:43 AM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\...

A:Solved: Smitfraud-C.Coreservice

15 more replies

I've got windows xp, I have Spybot- Search & Destroy and it says Smitfraud-C.CoreService. I tell it to get rid of it, it doesn't get rid of it, it asks to run when you reboot your computer. PLEASE HELP!
 

A:Solved: Smitfraud-C.CoreService Help!

16 more replies

I've run Spybot and AVG. I cannot get rid of Smitfraud-C.CoreService. Could someone please help me? Here is a current Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:34 AM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla FireFox\firefox.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM...

A:Can't remove Smitfraud-C.CoreService

Hi, Disasterc

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
 

3 more replies
Answer Match 69.3%

I have run Ad-Aware 2007 and Spybot S&D and both can get rid of everything but Smitfraud-C.CoreService.

Any help would be appreciated, thanks.
 

A:Solved: Smitfraud-C.CoreService help please

6 more replies
Answer Match 69.3%

I have run Spybot multiple times and every time it comes up with a few things, among them these two in particular. I get popups even when I'm not browsing and there are some other error messages that come up every now and then. I am at my wits' end. The only thing is I don't know how to run HijackThis... I'm not at all familiar with it. PLEASE HELP!
 

A:smitfraud-c.coreservice and hotbar

16 more replies
Answer Match 69.3%

Hi,

I've been infected with the "Smitfraud-C.CoreService Trojan" and need help removing it. I'm not able to access the internet on it either, but I can log in to my network, where I can download the files needed to do so and transfer them over to that computer. I also have "Command Service", which Spybot is unable to fix. It says you have to stop it from running, but it won't let me.

I'm attaching a copy of my hijackthis.log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:01:56 PM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\program files\timbuktu pro\tb2launch.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Drmz\Local ... Read more

More replies
Answer Match 69.3%

I scanned my computer with the latest version of Spybot Search & Destroy and it said that I had been infected with the Smitfraud-C.CoreService trojan. I've been unsuccessful in trying to delete this trojan and I really need some help with this, and I appreciate the hard work you guys are doing. Below is the HijackThis log. Thanks again in advance.

Computer info: MS Windows XP SP2 Intel Celeron CPU 2.70GHz, 247MB RAM, Intel 82845G/GL/GE/PE/GV Graphics controller
--------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:54 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging... Read more

More replies
Answer Match 69.3%

I have looked over the forum and it appears that you have solved this problem several times before, but it also appears that it is unique each time, so here I am asking...
I run Spybot S&D. I also try to run Pest Patrol but it fails part way through.

My background has changed from normal to a light blue screen that said warning, there are several fatal errors with your computer, run a full system scan at once. It also supplies a link to a site where it suggests I buy virus smashing programs. Also my computer is running very sluggishly and redirects me when I tried the internet initially.

Spybot says I have smitfraud-c.coreservice, toolbarcc, win32.small.azl and ny and a lot of other small stuff like doubleclick and coolWWWsearch, which my friend assures me is no big deal.

My friend also says that I should unplug my computer from the network through which I access the internet because I may spread it to the other computers. I am currently on a non-infected computer and I'm wondering:
1. Other people seem not to disconnect their computers, without much trouble, because they are messaging on their infected computers. Is this a bad idea?
2. Should I include a HijackThis log? (This problem is mostly based on the first question about connecting to my network/internet.)
The reason I keep editing this is because I was told that doing another one would push me to the back of the list. I did a HijackThis and these are the results.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at... Read more

A:Solved: smitfraud-c.coreservice

8 more replies
Answer Match 69.3%

Hi, I did a Spybot scan that says I have SmitFraud-C.CoreService. When I clean everything, I still get popups, and Spybot still says I have the malware. Apparently it's a common issue...

Here's the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:39 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\Documents and Sett... Read more

A:Solved: smitfraud-c.coreservice

11 more replies
Answer Match 69.3%

Spybot will not rid me of this, nor can Avast using a boot-time scan. I need help to do this correctly. Symptoms so far include Internet Explorer popping up with blank pages. I normally use Firefox or Netscape.
Pop-ups occur when I access one of the other browsers.

A:Infected With Smitfraud-c. Coreservice

This infection is basically a rootkit found with certain smitfraud infections and identified by Spybot S&D as Smitfraud-C.CoreService. It is sometimes protected by a driver which must be identified and removed in order to remove the infection so the following fix may not work.

Please download SDFix by AndyManchesta and save it to your desktop.
alternate zipped version
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
Disconnect from the Internet before running SDFix.
Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Open the SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remov... Read more

4 more replies
Answer Match 69.3%

I run on Windows XP and sometime around Friday was bombarded with a load of pop-up ads. Immediately went about running Spybot and Ad-Aware but couldn't seem to get rid of the problem and they just kept coming. I'm a Firefox user but all the windows popping up seem to be in Explorer... which I never use. A lot of the time they are blank but sometimes they are general ad sites or sites with videos playing (I get sound a good few minutes before the window shows... or just get random audio with nothing running) as well as other pop-up ads. It also seems to be inviting all its nasty friends to play since I keep running all these things and ending up with new stuff in no time at all! After some googling and such I'm guessing my main problem is smitfraud-c.coreservice... and I cannot get rid of it!

I'm not overly good with technical things myself but can usually fumble about alright... I do have a more experienced friend willing to help me with LogMeIn though and we need help! We tried to rename the file core.cache.dsk in safe mode but it didn't work... it just seemed to re-create itself upon reboot. I couldn't even find the core.sys file which I've seen mentioned. I ran HijackThis and will post that below... hoping to get any help I can!

Let me know if I left anything out or did something wrong... sometimes I fumble.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:38 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet... Read more

A:Cannot remove smitfraud-c.coreservice

9 more replies
Answer Match 69.3%

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
69: 2008-01-31 01:28:43 UTC - RP952 - Deckard's System Scanner Restore Point
68: 2008-01-30 17:13:30 UTC - RP951 - Software Distribution Service 3.0
67: 2008-01-29 04:16:44 UTC - RP950 - System Checkpoint
66: 2008-01-28 02:45:48 UTC - RP949 - Installed Ad-Aware 2007
65: 2008-01-27 08:45:23 UTC - RP948 - System Checkpoint


-- First Restore Point --
1: 2008-01-23 03:35:38 UTC - RP884 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 127 MiB (512 MiB recommended).
System Drive C: has 2.41 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-30 19:33:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDO... Read more

A:Spyware and viruses slowing computer (completed all five steps)

BUMP

Did I do something wrong? This is my third post and nobody has answered, I really need help.

2 more replies
Answer Match 69.3%

Deckard's System Scanner v20071014.68
Run by David Anderson on 2008-01-27 11:16:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
16: 2008-01-27 18:13:39 UTC - RP1115 - Software Distribution Service 3.0
15: 2008-01-27 17:26:16 UTC - RP1114 - Software Distribution Service 3.0
14: 2008-01-26 23:57:46 UTC - RP1113 - Software Distribution Service 3.0
13: 2008-01-26 23:04:19 UTC - RP1112 - Software Distribution Service 3.0
12: 2008-01-26 22:56:02 UTC - RP1111 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-01-11 13:37:32 UTC - RP1100 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-27 11:39:58
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\Ap... Read more

A:spyguard pro infection (steps completed and logs are included)

Bump!

2 more replies
Answer Match 69.3%

Hi,

I have picked up a virus that has deleted my anti-virus programs and prevents me from installing any new ones. I can install them, but the "exe" file is immediately deleted. I am also prevented from booting into safe mode-I get a message that states there have been hardware or software changes that prevent this. I am also unable to activate my firewall protection. I would certainly appreciate any assistance!!!

Deckard's System Scanner v20070809.63
Run by rickir on 2007-08-15 at 07:28:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
97: 2007-08-15 12:28:55 UTC - RP796 - Deckard's System Scanner Restore Point
96: 2007-08-14 19:18:09 UTC - RP795 - Installed AVG 7.5
95: 2007-08-14 19:05:17 UTC - RP794 - Installed AVG 7.5
94: 2007-08-14 18:48:19 UTC - RP793 - Installed AVG 7.5
93: 2007-08-14 18:43:12 UTC - RP792 - Installed AVG 7.5


-- First Restore Point --
1: 2007-05-17 22:53:35 UTC - RP700 - Installed WordPerfect Lightning.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as rickir.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:39 PM, on 8/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE:... Read more

A:Virus deletes antivius progs-steps 1-5 completed

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

I'd advise you to first back up any valued data now. If you really have a file infector, your OS may be in serious jeopardy. That said, you were able to run DSS, so it may just be that the infection is disabling the AV, not deleting it. I still see services from Avast in your logs.

---------------------------------------------------------------------------------------------

Please disable Winpatrol, as it may hinder the removal of some entries. You can re-enable it after you're clean.
Right click the running icon of winpatrol, and choose exit.

---------------------------------------------------------------------------------------------

Open HijackThis and click o... Read more

15 more replies
Answer Match 68.46%

Hello,

Great forum by the way! I have found tons of useful information here but unfortunately I am still experiencing some issues. A few days ago the computer was infected with Antispyware Soft. I received all of the typical infection signs and went through the manual self-removal steps. This stopped the issue of the false warnings but shortly after I noticed that I was experiencing the same redirect issue that others have experienced with this infection. I went through the manual steps including removing the Doc&Settings folders it created as well as the registry values. In the registry, there were some values listed as Antispyware Suite in addition to the 'Soft'. I also went through the steps on another forum's post before finding this one. None of the removers can locate anything now and I even ran a rootkit download tool that was recommended. It found one item, removed it and everything worked normally for a few minutes then more of the same redirect issue. Nothing so far has found anything else. Yet every time I try to perform a search, I get redirected. Sometimes without even running a search: just scrolling on a page will cause a redirect to one of several different sites but all seem to pertain to shopping, advertising or search sites.

I have run so many things that I cannot remember them all now but I do know there is something definitely still on the computer but nothing is finding it. This is even causing the internet connection to go undetected a... Read more

A:Antispyware Soft Infection: Removal steps completed but still having issues....

Hello, KarenRey

Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if th... Read more

13 more replies
Answer Match 68.46%

Hello
I have been having an issue with Winantivirus pop-ups which have led to various spyware and adware infections. I have seen many variations to the pop-up including winantivius, winantiviruspro, errorprotection, winantispyware, as well as many pop-up and new browser window ads. I have also noticed minor degradation in system performance.

I have completed the 5 steps and have all logs from scans available.
Below is the main text file and attached is the extra text file from the Deckard scan.

I am not sure what additional information would be helpful to the analyst. One concern I have is that SP2 has already been installed. If anyone could assist I would greatly appreciate it.

Thanks
Matt

Deckard's System Scanner v20070905.67
Run by Matthew on 2007-09-07 18:52:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2007-09-07 22:52:52 UTC - RP217 - Deckard's System Scanner Restore Point
3: 2007-09-07 22:30:56 UTC - RP216 - Software Distribution Service 3.0
2: 2007-09-07 18:22:20 UTC - RP215 - Removed Get High Speed Internet!
1: 2007-09-07 16:32:35 UTC - RP214 - Installed Windows Internet Explorer 7.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Matthew.exe) ------... Read more

A:Winantivirus and related PUP adware spyware issues. 5 steps completed

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

==============================

Please download Combofix from HERE

Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

9 more replies
Answer Match 68.46%

I haven't really scanned this computer ever, but the school I went to offered free antivirus software called Counterspy which I've used to scan recently. It detected a whole lot (with updated definitions) such as various pieces of spyware, and some trojans in my Outlook email, which I just ended up deleting as a whole, but I had a feeling there is much more going on.

I followed the steps and the only thing notable to point out about step 1 is that I had the viewpoint media player, which I uninstalled. I have no clue how that even got installed.

Here are the logs:

dss main.txt:
Deckard's System Scanner v20070826.66
Run by Admin on 2007-09-05 13:42:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).
System Drive C: has 1.71 GiB (less than 15%) free.


-- HijackThis (run as Admin.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:00 AM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Mi... Read more

A:Slow Computer..Kaspersky reveals 15 viruses.. HELP! 5 steps completed.

Please download Combofix from HERE

Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

================================

Download Superantispyware (SAS) free home version from HERE


Install it and double-click the icon on your desktop to run it.
- It will ask if you want to update the program definitions, click Yes.
- Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
  - Please leave the others as they were.
  - Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software click Scan your computer.
- On the left check C:\Fixed Drive.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK.
- Make sure everything in the white box has a check next to it, then click Next.
- It will quarantine what it found and if it asks if ... Read more

5 more replies