smitfraud-c.coreservices

**Carruthers9** · 2008-11-10, 19:25

I am having trouble getting rid of a virus on my computer. It is called smitfraud-c.coreservices and also under c:\windows\system32. I think i have been able to delete most of the files but none of my virus programs seem to be able to delete c:\windows\system32\drivers\core.cache.dsk.

The program was bringing up messages saying that i needed to download a virus program and that someone was trying to break into my computer (they greatly resembled the real windows). Those pop ups have stopped but i know that the one file has not been deleted. I am also having internet explorer pop-ups now and i dont even use explorer, i use mozilla.

I was reading in the forum someone else who had the same problems so i followed the advice on that one but it didnt work for me. So here is my combofix log.

ComboFix 08-11-09.04 - Owner 2008-11-10 11:27:29.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\snapsnet.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Common Files\{28C7B~1
c:\program files\Common Files\{38C7B~1
c:\program files\Common Files\wnsxs~1
c:\program files\Common Files\ystem3~1
c:\program files\FBrowserAdvisor
c:\temp\tn3
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\system32\_003684_.tmp.dll
c:\windows\system32\_003685_.tmp.dll
c:\windows\system32\_003686_.tmp.dll
c:\windows\system32\_003687_.tmp.dll
c:\windows\system32\_003690_.tmp.dll
c:\windows\system32\_003691_.tmp.dll
c:\windows\system32\_003692_.tmp.dll
c:\windows\system32\_003693_.tmp.dll
c:\windows\system32\_003698_.tmp.dll
c:\windows\system32\_003699_.tmp.dll
c:\windows\system32\_003700_.tmp.dll
c:\windows\system32\_003701_.tmp.dll
c:\windows\system32\bund1
c:\windows\system32\bund1\temp.txt
c:\windows\system32\Drivers\TDSSpxwt.sys
c:\windows\system32\MSINET.oca
c:\windows\system32\msupdate.exe
c:\windows\system32\pac.txt
c:\windows\system32\TDSSoitu.dll
c:\windows\system32\u2
c:\windows\system32\version69ie7fix.dll
c:\windows\system32\winnb58.dll
c:\windows\system32\wintsvit.exe
D:\Autorun.inf
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://www.graboid.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLIENT_IP-IPX

((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-10 11:36 . 2008-11-10 11:36 <DIR> d-------- c:\temp\tn3
2008-11-10 11:35 . 2008-11-10 11:35 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-11-09 21:34 . 2008-11-10 11:32 58 --a------ c:\windows\system32\winwp.bmp
2008-11-09 21:25 . 2008-11-09 21:25 176,128 --a------ C:\oilgho.exe
2008-11-09 21:25 . 2008-11-09 21:25 150,528 --a------ c:\windows\system32\mkrnl.exe
2008-11-09 21:25 . 2008-11-09 21:25 7,680 --a------ C:\sydp.exe
2008-11-09 21:25 . 2008-11-09 21:25 2 --a------ C:\684175629
2008-11-09 21:24 . 2008-11-09 21:24 <DIR> d-------- c:\windows\system32\uvm
2008-11-09 21:24 . 2008-11-09 21:24 <DIR> d-------- c:\windows\system32\sX3i19
2008-11-09 21:24 . 2008-11-09 21:24 <DIR> d-------- c:\windows\system32\ert
2008-11-09 21:24 . 2008-11-09 23:57 <DIR> d-------- c:\windows\system32\db
2008-11-09 21:24 . 2008-11-09 23:57 <DIR> d-------- c:\windows\system32\AX5
2008-11-09 21:24 . 2008-11-09 21:24 <DIR> d-------- c:\temp\PRE45
2008-11-09 21:24 . 2008-11-09 21:24 86,400 --a------ c:\windows\system32\drivers\uagp355.sys
2008-11-09 21:24 . 2008-11-09 21:24 79,094 --a------ c:\windows\system32\cmlhqjauwqsnce.exe
2008-11-09 21:23 . 2008-11-09 21:27 <DIR> d-------- c:\windows\SxsCaPendDel
2008-11-09 18:17 . 2008-11-09 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2008-11-09 18:16 . 2008-11-09 18:17 <DIR> d-------- c:\documents and settings\Owner\Application Data\MozillaControl
2008-11-09 18:16 . 2008-11-09 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Launcher
2008-11-09 18:05 . 2008-11-10 00:46 <DIR> d-------- c:\program files\VideoLAN
2008-11-09 18:05 . 2008-11-10 00:44 <DIR> d-------- c:\program files\Graboid
2008-11-07 16:17 . 2008-11-07 16:17 <DIR> d-------- c:\program files\iTunes
2008-11-07 16:17 . 2008-11-07 16:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-03 23:30 . 2008-11-03 23:30 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-01 12:20 . 2008-11-01 12:20 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-01 12:20 . 2008-11-01 12:20 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-26 13:00 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 19:03 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-14 19:02 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 19:02 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 19:02 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 19:02 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 19:02 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-14 09:38 . 2008-10-14 09:38 171,520 --a------ c:\windows\system32\nrgsxmpgqkuaklc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 17:41 --------- d-----w c:\documents and settings\Owner\Application Data\Skype
2008-11-10 17:04 --------- d-----w c:\documents and settings\Owner\Application Data\skypePM
2008-11-10 17:03 --------- d-----w c:\documents and settings\Owner\Application Data\AVG7
2008-11-10 06:55 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 06:55 --------- d-----w c:\program files\Profile
2008-11-10 03:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-10 03:46 --------- d-----w c:\program files\iPod
2008-11-10 03:24 --------- d-----w c:\program files\Apple Software Update
2008-11-09 18:09 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
2008-11-07 22:21 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-04 05:32 --------- d-----w c:\program files\Lavasoft
2008-11-04 05:28 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-08 20:13 --------- d-----w c:\program files\PartyGaming
2008-09-30 02:30 --------- d-----w c:\program files\Shockwave.com
2008-09-30 02:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-11 14:05 --------- d-----w c:\documents and settings\Owner\Application Data\MSN6
2008-08-28 07:46 74,752 ----a-w c:\windows\system32\msw3prt.dll
2008-08-28 07:46 104,960 ----a-w c:\windows\system32\win32spl.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-18 01:57 44,898 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-08-13 20:12 22 ----a-w c:\program files\b.zip
2007-08-13 20:03 22 ----a-w c:\program files\c.zip
2007-08-13 20:03 22 ----a-w c:\program files\a.zip
2007-08-07 16:33 25,214 ----a-w c:\program files\B.ico
2007-08-07 16:33 25,214 ----a-w c:\program files\A.ico
2007-03-15 21:50 114 ----a-w c:\documents and settings\Owner\hhjj.bat
2007-03-12 02:00 123 ----a-w c:\documents and settings\Owner\gdf.bat
2007-03-09 02:53 122 ----a-w c:\documents and settings\Owner\yyd.bat
2005-08-16 00:12 0 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-13 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-24 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-24 118784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-19 590848]
"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 69632]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-31 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dllhost.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dllhost.exe
backup=c:\windows\pss\dllhost.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TK8 EasyNote 1.1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TK8 EasyNote 1.1.lnk
backup=c:\windows\pss\TK8 EasyNote 1.1.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
--a------ 2007-07-16 19:48 1334272 c:\program files\a-squared Anti-Dialer\a2adguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2004-09-17 07:24 61440 c:\program files\Lexmark 6200 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
--a------ 2004-11-22 11:29 299008 c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxbumon.exe]
--a------ 2005-01-18 03:35 196608 c:\program files\Lexmark 6200 Series\lxbumon.exE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM2_Monitor]
--a------ 2008-05-15 17:29 95536 c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 14:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-09-23 14:17 21755688 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-13 09:04 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\CHL Network.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 uagp355;uagp355;c:\windows\system32\drivers\uagp355.sys [2008-11-09 86400]
R2 a2AntiDialer;a-squared Anti-Dialer Service;c:\program files\a-squared Anti-Dialer\a2service.exe [2007-07-17 226936]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b049f911-0592-11dd-834d-00e0b8923acc}]
\shell\PlayWithPowerDVD\Command - "c:\program files\CyberLink\PowerDVD\PowerDVD.exe" "%L"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c498abd2-0858-11da-8053-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKU-Default-Run-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
HKCU-Explorer_Run-{28C7B10D-056D-1033-0224-051006200002} - c:\program files\Common Files\{28C7B10D-056D-1033-0224-051006200002}\Update.exe
HKU-Default-Explorer_Run-{28C7B10D-056D-1033-0224-051006200002} - c:\program files\Common Files\{28C7B10D-056D-1033-0224-051006200002}\Update.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-p2p networking - uy.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ecihpgqx.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxps://www.fanshaweonline.ca/
FF -: plugin - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ecihpgqx.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF -: plugin - c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 11:37:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\a-squared Free\a2service.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-11-10 11:44:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 17:44:40

Pre-Run: 22,363,971,584 bytes free
Post-Run: 22,539,898,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

258 --- E O F --- 2008-10-27 03:51:43

Thread: smitfraud-c.coreservices

Thread Tools

Display

Threaded View

smitfraud-c.coreservices

Posting Permissions