
Thread: Smitfraud C_Core Service removal

  1. #1
    Junior Member (joined Jan 2008, 7 posts)

    Smitfraud C_Core Service removal

    I am desperately seeking to remove Smitfraud C_Core Service that has infected my computer. I am plagued by Internet Explorer popping up trying to connect to websites that I do not desire to see. I have used numerous scanners to remove it and none has been able to. Spy Bot says to have removed the file, only for it to reappear after reboot. I have found the file, core.cache.dsk located in my system32 drivers. Please help!!!!!!!! Attached is my HijackThis log. I also have Kaspersky scan file log if you need it. Your help is much appreciated.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 4:02:39 PM, on 1/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\HP\KBD\KBD.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    D:\Program Files\em2.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\HP_Owner\Desktop\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
    O2 - BHO: On The Net Search Helper - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\system32\memoegou.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - E:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
    O2 - BHO: (no name) - {99136C11-9CA1-4FF1-88D9-B965D72FDE45} - C:\Program Files\Windows Media Player\safepC:\WINDOWS\system32\vt8\tycodllz83122.exe.dll (file missing)
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O3 - Toolbar: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [EasyMessage] D:\Program Files\em2.exe
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [comup] C:\WINDOWS\system32\mobjchku.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://usfulfillment.puretracks.com/onager.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1191129674343
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191129576734
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 11667 bytes

  2. #2
    Blade81, Security Expert: Emeritus (joined Oct 2006, Finland, 25,288 posts)

    Hi

    1. Download this file - combofix.exe to your desktop.
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member (joined Jan 2008, 7 posts)

    Smitfraud C-Core Service: reply to request

    Here is the log file that you requested:
    ComboFix 08-01-20.1 - HP_Owner 2008-01-21 17:12:07.1 - NTFSx86
    Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\setup.exe
    C:\temp\tn3
    C:\WINDOWS\system32\drivers\core.cache(2).dsk
    C:\WINDOWS\system32\drivers\core.cache(3).dsk
    C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
    .

    2008-01-21 17:36 . 2008-01-21 17:36 <DIR> d-------- C:\Temp\tn3
    2008-01-21 17:36 . 2008-01-21 17:36 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
    2008-01-21 17:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-18 17:42 . 2008-01-21 17:37 2,820,640 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-18 17:42 . 2008-01-20 01:29 39,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-18 17:42 . 2008-01-20 01:29 6,944 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-01-18 17:42 . 2008-01-20 01:29 2,768 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-01-18 17:36 . 2008-01-20 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-14 20:55 . 2008-01-14 20:55 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-14 20:32 . 2004-08-11 22:09 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-01-14 20:32 . 2004-08-12 00:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2008-01-14 20:32 . 2004-08-11 22:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-01-14 20:32 . 2007-06-09 17:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Desperate Housewives
    2008-01-14 20:32 . 2004-08-11 22:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-01-14 19:59 . 2008-01-14 19:59 <DIR> d--hs---- C:\found.001
    2008-01-11 23:28 . 2008-01-14 22:40 292 --a------ C:\WINDOWS\wininit.ini
    2008-01-11 22:07 . 2008-01-11 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-10 19:07 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\rushendt.exe
    2008-01-10 19:07 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\bkmoopob.exe
    2008-01-10 19:07 . 2007-12-13 12:25 139,264 --a------ C:\WINDOWS\system32\mobjchku.exe
    2008-01-10 19:07 . 2008-01-10 19:07 54,033 --a------ C:\WINDOWS\system32\memouint.exe
    2008-01-10 19:06 . 2008-01-20 01:02 425,984 --a------ C:\WINDOWS\system32\memoegou.dll
    2008-01-10 19:05 . 2008-01-10 19:05 <DIR> d-------- C:\WINDOWS\system32\vt8
    2008-01-10 19:05 . 2008-01-12 13:55 <DIR> d-------- C:\WINDOWS\system32\ob3
    2008-01-10 19:05 . 2008-01-10 19:05 <DIR> d-------- C:\WINDOWS\system32\nz0
    2008-01-10 19:05 . 2008-01-10 20:55 <DIR> d-------- C:\WINDOWS\system32\mp2
    2008-01-10 19:05 . 2008-01-12 13:54 <DIR> d-------- C:\WINDOWS\system32\edcA01
    2008-01-10 19:05 . 2008-01-10 19:05 <DIR> d-------- C:\WINDOWS\system32\che9
    2008-01-10 19:05 . 2008-01-10 19:05 <DIR> d-------- C:\Temp\Ryuan1
    2008-01-10 19:05 . 2008-01-18 21:25 86,016 --a------ C:\WINDOWS\system32\drivers\pciidexx.sys
    2007-12-26 23:06 . 2008-01-21 16:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-26 23:06 . 2007-12-26 23:06 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-26 23:03 . 2007-12-26 23:04 <DIR> d-------- C:\Program Files\iTunes
    2007-12-26 23:03 . 2007-12-26 23:03 <DIR> d-------- C:\Program Files\iPod
    2007-12-26 22:56 . 2007-12-26 22:56 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-12-26 22:56 . 2007-12-26 22:56 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-12-26 22:55 . 2007-12-26 22:55 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-12-26 22:55 . 2007-12-26 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-12-25 19:24 . 2007-12-25 19:24 <DIR> d-------- C:\Documents and Settings\HP_Owner\Saved Games
    2007-12-25 19:23 . 2007-12-25 19:23 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\iWin
    2007-12-25 19:22 . 2007-12-25 19:22 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Media Center Programs
    2007-12-25 19:22 . 2007-12-25 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-15 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
    2008-01-13 03:55 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
    2008-01-12 19:10 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-01-12 19:09 --------- d-----w C:\Program Files\Yahoo!
    2008-01-02 01:16 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
    2007-12-27 05:01 --------- d-----w C:\Program Files\QuickTime
    2007-12-27 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-12-17 23:32 --------- d-----w C:\Program Files\Game Elements PC Recoil Pad
    2007-12-16 03:50 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Disney Interactive Studios
    2007-12-16 03:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2005-02-20 07:47 598 ----a-w C:\Program Files\EarthLink TotalAccessactions.met
    2004-12-05 00:51 457 ----a-w C:\Program Files\INSTALL.LOG
    2005-02-16 04:59 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A}]
    2008-01-20 01:02 425984 --a------ C:\WINDOWS\system32\memoegou.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
    2008-01-18 21:17 78848 --a------ E:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99136C11-9CA1-4FF1-88D9-B965D72FDE45}]
    C:\Program Files\Windows Media Player\safepC:\WINDOWS\system32\vt8\tycodllz83122.exe.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    "comup"="C:\WINDOWS\system32\mobjchku.exe" [2007-12-13 12:25 139264]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" []
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-11 20:36 32881]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57 81920]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
    "HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53 49152]
    "HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42 659456]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-03 19:43 118784]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 03:21 50176 C:\WINDOWS\ALCXMNTR.EXE]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 14:19 4841472]
    "nwiz"="nwiz.exe" [2003-07-28 14:19 323584 C:\WINDOWS\system32\nwiz.exe]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 19:42 579072]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20 866584]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "EasyMessage"="D:\Program Files\em2.exe" [2004-06-27 14:13 538624]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 08:59 224248]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
    "AVP"="E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-28 16:47 219136]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

    C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-02-19 10:32:37 45056]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 06:31:38 241664]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Screen Saver Control.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Screen Saver Control.lnk
    backup=C:\WINDOWS\pss\Screen Saver Control.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Desperate Housewives Registration.lnk]
    path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Desperate Housewives Registration.lnk
    backup=C:\WINDOWS\pss\Desperate Housewives Registration.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Sid Registration.lnk]
    path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Sid Registration.lnk
    backup=C:\WINDOWS\pss\Sid Registration.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Webshots.lnk]
    path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Webshots.lnk
    backup=C:\WINDOWS\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
    C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ELNKProxy]
    --a------ 2004-06-18 22:15 385024 C:\WINDOWS\surfmonkey\smproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
    C:\Program Files\ICQLite\ICQLite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magentic]
    --a------ 2006-06-18 08:56 311340 C:\PROGRA~1\Magentic\bin\Magentic.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
    C:\Program Files\AWS\WeatherBug\Weather.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe

    R1 pciidexx;pciidexx;C:\WINDOWS\system32\drivers\pciidexx.sys [2008-01-18 21:25]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-27 04:57:48 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-01-14 03:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (ROBYNSA705W-HP_Owner).job"
    - c:\program files\mcafee.com\vso\mcmnhdlr.exe
    "2008-01-21 23:40:23 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-21 17:37:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-21 17:54:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-21 23:54:19

  4. #4
    Blade81, Security Expert: Emeritus (joined Oct 2006, Finland, 25,288 posts)

    Hi


    Do you have both AVG7 and Kaspersky Anti-Virus installed? Decide which one to keep and delete the other one. It's not recommended to have more than one anti-virus product installed in the same system.

    Disable Spybot's TeaTimer
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu and select Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck Resident TeaTimer and OK any prompts.
    • Restart your computer



    Start hjt, click do a system scan only, check:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imageservr.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...02/Coupons.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab

    Close browsers and other windows. Click fix checked.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Driver::
    pciidexx
    
    File::
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\rushendt.exe
    C:\WINDOWS\system32\bkmoopob.exe
    C:\WINDOWS\system32\mobjchku.exe
    C:\WINDOWS\system32\memouint.exe
    C:\WINDOWS\system32\memoegou.dll
    C:\WINDOWS\system32\drivers\pciidexx.sys
    
    Folder::
    C:\Temp\tn3
    C:\WINDOWS\system32\vt8
    C:\WINDOWS\system32\ob3
    C:\WINDOWS\system32\nz0
    C:\WINDOWS\system32\mp2
    C:\WINDOWS\system32\edcA01
    C:\WINDOWS\system32\che9
    C:\Temp\Ryuan1
    E:\PROGRA~1\IWINGA~1
    C:\WINDOWS\surfmonkey
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99136C11-9CA1-4FF1-88D9-B965D72FDE45}]
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "comup"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"=-
    "AlcxMonitor"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ELNKProxy]

    Save this as CFScript

    Referring to the picture above, drag CFScript into ComboFix.exe



    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.



    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
    • The program will launch and start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings and select the following:
    Scan using the following Anti-Virus database:
    • Extended (If available, otherwise Standard)
    Scan Options:
    • Scan Archives
    • Scan Mail Bases
    • Click OK.
    • Under select a target to scan, select My Computer.
    • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
    Once the scan is complete:
    • Click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information into your next post if the AV content will fit into one post only. Post also ComboFix resultant log & a fresh hjt log.
    • If the results of the anti virus scan itself will take more than one post to contain, you may upload it to http://rapidshare.com



    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

    If having a problem doing the above

    Make sure that your Internet security settings are set to default values.

    To set default security settings for Internet Explorer:

    * Open Internet Explorer.
    * Go to the Tools menu, then choose Internet Options.
    * Click on the Security tab.
    * Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    Jan 2008
    Posts
    7

    Default Smitfraud CoreC-Service removal results

    Here are the results from your instruction in previous post, Kaspersky scan report on rapidshare.com:

    Wednesday, January 23, 2008 8:32:06 PM
    ComboFix 08-01-20.1 - HP_Owner 2008-01-23 15:22:57.2 - NTFSx86
    Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\system32\bkmoopob.exe
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\pciidexx.sys
    C:\WINDOWS\system32\memoegou.dll
    C:\WINDOWS\system32\memouint.exe
    C:\WINDOWS\system32\mobjchku.exe
    C:\WINDOWS\system32\rushendt.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp\Ryuan1
    C:\Temp\Ryuan1\tepU.log
    C:\temp\tn3
    C:\WINDOWS\surfmonkey
    C:\WINDOWS\surfmonkey\epevents.dll
    C:\WINDOWS\surfmonkey\EStream.dll
    C:\WINDOWS\surfmonkey\IMClient.dll
    C:\WINDOWS\surfmonkey\RedLight.dll
    C:\WINDOWS\surfmonkey\SMProxy.exe
    C:\WINDOWS\system32\bkmoopob.exe
    C:\WINDOWS\system32\che9
    C:\WINDOWS\system32\che9\farstadcom2.exe
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\pciidexx.sys
    C:\WINDOWS\system32\edcA01
    C:\WINDOWS\system32\memoegou.dll
    C:\WINDOWS\system32\memouint.exe
    C:\WINDOWS\system32\mobjchku.exe
    C:\WINDOWS\system32\mp2
    C:\WINDOWS\system32\nz0
    C:\WINDOWS\system32\nz0\jetzcomz22.exe
    C:\WINDOWS\system32\ob3
    C:\WINDOWS\system32\rushendt.exe
    C:\WINDOWS\system32\vt8
    C:\WINDOWS\system32\vt8\tycodllz83122.exe
    E:\PROGRA~1\IWINGA~1
    E:\PROGRA~1\IWINGA~1\AdminWorker.exe
    E:\PROGRA~1\IWINGA~1\firefox\chrome.manifest
    E:\PROGRA~1\IWINGA~1\firefox\chrome\iwinarcade.jar
    E:\PROGRA~1\IWINGA~1\firefox\install.rdf
    E:\PROGRA~1\IWINGA~1\firefox\iWinArcadeLauncher.exe
    E:\PROGRA~1\IWINGA~1\ftdownload.dat
    E:\PROGRA~1\IWINGA~1\host.cfg
    E:\PROGRA~1\IWINGA~1\iWinGames.exe
    E:\PROGRA~1\IWINGA~1\iWinGamesHookIE.dll
    E:\PROGRA~1\IWINGA~1\pages\blank.html
    E:\PROGRA~1\IWINGA~1\pages\blank2.html
    E:\PROGRA~1\IWINGA~1\pages\error.html
    E:\PROGRA~1\IWINGA~1\pages\iwin_logo.gif
    E:\PROGRA~1\IWINGA~1\sounds\animation.wav
    E:\PROGRA~1\IWINGA~1\sounds\animationBack.wav
    E:\PROGRA~1\IWINGA~1\sounds\button_click.wav
    E:\PROGRA~1\IWINGA~1\sounds\download_completed.wav
    E:\PROGRA~1\IWINGA~1\sounds\start.wav
    E:\PROGRA~1\IWINGA~1\Uninstall.exe
    E:\PROGRA~1\IWINGA~1\WebInstaller.exe
    E:\PROGRA~1\IWINGA~1\WebUpdater.bmp
    E:\PROGRA~1\IWINGA~1\WebUpdater.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_PCIIDEXX
    -------\pciidexx


    ((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
    .

    2008-01-21 17:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-18 17:42 . 2008-01-23 13:54 2,883,360 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-18 17:42 . 2008-01-23 13:54 40,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-18 17:42 . 2008-01-23 13:54 14,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-01-18 17:42 . 2008-01-23 13:54 3,464 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-01-14 20:55 . 2008-01-14 20:55 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-01-14 20:32 . 2004-08-11 22:09 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-01-14 20:32 . 2004-08-12 00:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2008-01-14 20:32 . 2004-08-11 22:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-01-14 20:32 . 2007-06-09 17:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Desperate Housewives
    2008-01-14 20:32 . 2004-08-11 22:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-01-14 19:59 . 2008-01-14 19:59 <DIR> d--hs---- C:\found.001
    2008-01-11 23:28 . 2008-01-23 14:56 356 --a------ C:\WINDOWS\wininit.ini
    2008-01-11 22:07 . 2008-01-11 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-26 23:06 . 2008-01-23 15:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-26 23:06 . 2007-12-26 23:06 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-26 23:03 . 2007-12-26 23:04 <DIR> d-------- C:\Program Files\iTunes
    2007-12-26 23:03 . 2007-12-26 23:03 <DIR> d-------- C:\Program Files\iPod
    2007-12-26 22:56 . 2007-12-26 22:56 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
    2007-12-26 22:56 . 2007-12-26 22:56 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-12-26 22:55 . 2007-12-26 22:55 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-12-26 22:55 . 2007-12-26 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-12-25 19:24 . 2007-12-25 19:24 <DIR> d-------- C:\Documents and Settings\HP_Owner\Saved Games
    2007-12-25 19:23 . 2007-12-25 19:23 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\iWin
    2007-12-25 19:22 . 2007-12-25 19:22 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Media Center Programs
    2007-12-25 19:22 . 2007-12-25 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-15 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
    2008-01-13 03:55 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
    2008-01-12 19:10 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-01-12 19:09 --------- d-----w C:\Program Files\Yahoo!
    2008-01-02 01:16 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Apple Computer
    2007-12-27 05:01 --------- d-----w C:\Program Files\QuickTime
    2007-12-27 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-12-17 23:32 --------- d-----w C:\Program Files\Game Elements PC Recoil Pad
    2007-12-16 03:50 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Disney Interactive Studios
    2007-12-16 03:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2005-02-20 07:47 598 ----a-w C:\Program Files\EarthLink TotalAccessactions.met
    2004-12-05 00:51 457 ----a-w C:\Program Files\INSTALL.LOG
    2005-02-16 04:59 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-21_17.53.26.98 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 23:11:02 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-23 21:22:20 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-21 23:11:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-23 21:22:20 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-21 23:11:03 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-23 21:22:21 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-21 23:11:03 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-23 21:22:21 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-21 23:11:05 7,585,792 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-23 21:22:21 7,585,792 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-21 23:11:05 24,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-23 21:22:21 24,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2000-08-31 14:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VTTimer"="VTTimer.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2004-08-11 20:36 32881]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 21:43 233472]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 17:57 81920]
    "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
    "HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 19:53 49152]
    "HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42 659456]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-03 19:43 118784]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 18:06 88363 C:\WINDOWS\AGRSMMSG.exe]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-07-28 14:19 4841472]
    "nwiz"="nwiz.exe" [2003-07-28 14:19 323584 C:\WINDOWS\system32\nwiz.exe]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-20 19:42 579072]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20 866584]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
    "EasyMessage"="D:\Program Files\em2.exe" [2004-06-27 14:13 538624]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 08:59 224248]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-28 16:47 219136]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]

    C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
    Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-02-19 10:32:37 45056]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 06:31:38 241664]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Screen Saver Control.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Screen Saver Control.lnk
    backup=C:\WINDOWS\pss\Screen Saver Control.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Desperate Housewives Registration.lnk]
    path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Desperate Housewives Registration.lnk
    backup=C:\WINDOWS\pss\Desperate Housewives Registration.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Sid Registration.lnk]
    path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Sid Registration.lnk
    backup=C:\WINDOWS\pss\Sid Registration.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Webshots.lnk]
    path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Webshots.lnk
    backup=C:\WINDOWS\pss\Webshots.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
    C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
    C:\Program Files\ICQLite\ICQLite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magentic]
    --a------ 2006-06-18 08:56 311340 C:\PROGRA~1\Magentic\bin\Magentic.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
    C:\Program Files\AWS\WeatherBug\Weather.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-27 04:57:48 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-01-14 03:00:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (ROBYNSA705W-HP_Owner).job"
    - c:\program files\mcafee.com\vso\mcmnhdlr.exe
    "2008-01-23 21:43:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-23 15:40:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-23 15:55:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-23 21:55:16
    ComboFix2.txt 2008-01-21 23:54:27

  6. #6
    Junior Member
    Join Date
    Jan 2008
    Posts
    7

    Default Smitfraud CoreC-Service removal results

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:45:03 PM, on 1/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\HP\KBD\KBD.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    D:\Program Files\em2.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\HP_Owner\Desktop\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
    O3 - Toolbar: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [EasyMessage] D:\Program Files\em2.exe
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://usfulfillment.puretracks.com/onager.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1191129674343
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1191129576734
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B542F7AE-E0A6-4494-B90D-B7804FF06E8A}: NameServer = 166.102.165.11 166.102.165.13
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 10473 bytes
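Added example, not part of the thread and not ComboFix or HijackThis code: a small Python check that reads the removal script from the helper's earlier post (the `[-KEY]` and `"name"=-` lines) together with a fresh HijackThis log and reports any targeted BHO CLSID or Run value that still appears after the reboot. The CLSIDs and value names are the thread's own; the "before" log lines and the EXAMPLE_BHO.dll / EXAMPLE_RUN.exe paths are constructed placeholders.

```python
"""Cross-check a ComboFix CFScript (REGEDIT4 syntax) against a HijackThis log.

Understands the two removal forms the helper's script uses:
  [-HKEY_...\...\{CLSID}]   delete a whole key (here: a Browser Helper Object)
  "name"=-                  delete one value under the preceding [KEY] (a Run entry)
and extracts O2 (BHO CLSID) and O4 (Run [name]) entries from an HJT log, so a
post-reboot log can be checked for anything the script should have removed.
"""
import re

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_cfscript(text):
    """Return (keys_to_delete, values_to_delete).

    keys_to_delete: full key paths from [-KEY] lines.
    values_to_delete: (key, value_name) pairs from "name"=- lines under a [KEY] header.
    """
    keys, values, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[-") and line.endswith("]"):
            keys.append(line[2:-1])
            current = None          # a deleted key cannot host value edits
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.endswith("=-"):
            values.append((current, line[:-2].strip().strip('"')))
    return keys, values


def parse_hjt(text):
    """Return {"bho": CLSIDs seen on O2 lines, "run": lower-cased O4 [names]}."""
    seen = {"bho": set(), "run": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:"):
            m = CLSID_RE.search(line)
            if m:
                seen["bho"].add(m.group(0).upper())
        elif line.startswith("O4 -"):
            m = re.search(r"\[([^\]]+)\]", line)
            if m:
                seen["run"].add(m.group(1).lower())
    return seen


def leftovers(cfscript_text, hjt_text):
    """Items the script targeted that still show up in the log; [] means clean."""
    keys, values = parse_cfscript(cfscript_text)
    seen = parse_hjt(hjt_text)
    still = []
    for key in keys:
        m = CLSID_RE.search(key)
        if m and "Browser Helper Objects" in key and m.group(0).upper() in seen["bho"]:
            still.append(("bho", m.group(0).upper()))
    for key, name in values:
        if key.endswith("\\CurrentVersion\\Run") and name.lower() in seen["run"]:
            still.append(("run", name))
    return still


# The removal script as posted in the thread (CLSIDs and value names are the page's).
CFSCRIPT = r"""
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99136C11-9CA1-4FF1-88D9-B965D72FDE45}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"comup"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
"AlcxMonitor"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ELNKProxy]
"""

# Excerpt of the fresh HJT log posted after the fix (post #6).
HJT_AFTER = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed "before" excerpt: the same legitimate lines plus one BHO and one Run
# entry that the script targets (the DLL/EXE paths are placeholders, not from the thread).
HJT_BEFORE = HJT_AFTER + r"""
O2 - BHO: (no name) - {4E8F5D76-EF5B-46C8-B35B-C86F8BD6621A} - C:\WINDOWS\system32\EXAMPLE_BHO.dll
O4 - HKCU\..\Run: [comup] C:\WINDOWS\system32\EXAMPLE_RUN.exe
"""

if __name__ == "__main__":
    for label, log in (("before", HJT_BEFORE), ("after", HJT_AFTER)):
        print(label, leftovers(CFSCRIPT, log) or "clean")
```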

  7. #7
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Looks like you forgot to post the link to the Kaspersky log at RapidShare. Could you post it too, please?

  8. #8
    Junior Member
    Join Date
    Jan 2008
    Posts
    7

    Default Kaspersky scan

    Ok.... Please forgive me for the really dumb question, how do I post the link? I uploaded my Kaspersky file and created an account. How do I get it so I make sure that you know which file is mine? I'm obviously computer illiterate when it comes to that part of it. Oh, by the way, so far things look good, no windows popping up today as soon as I open my homepage.

  9. #9
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    You wouldn't have needed to create an account there. Just upload the file and give the link which is written next to Download-Link #1

  10. #10
    Junior Member
    Join Date
    Jan 2008
    Posts
    7

    Default Kaspersky scan results

    Sorry, over-complicating things. Thanks for your patience. Hope this helps:

    http://rapidshare.com/files/86585970..._scan.txt.html
