Smitfraud-C.CoreService.

**SuperSamDuh** · 2007-06-23, 23:09

I ran Spybot S&D several times in the past few days. My little sister has been using the computer, so when it started to get popups and slow down extremely, I was concerned. Spybot found and got rid of Command Service as well as many tracking cookies from various places, but it can't seem to get rid of the three entries of Smitfraud-C.CoreService

Any help would be greatly appreciated. Thank you. The HJT log is posted below:

Logfile of HijackThis v1.99.1
Scan saved at 5:01:47 PM, on 11/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\program files\aim6\anotify.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [imuk] C:\PROGRA~1\COMMON~1\imuk\imukm.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

**miekiemoes** · 2007-06-24, 10:46

Hello,

I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus.
Never install more than one antivirusscanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously!
Comodo OR Kerio are FREE firewalls.

Understanding and using firewalls

Reboot your computer afterwards.
After reboot, perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again in order to delete files that were in use previously.

Post a new HijackThislog in your next reply - then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.

**SuperSamDuh** · 2007-06-25, 08:28

sorry it took so long to respond. Internet went down for a little while.. I downloaded avira and comodo and followed your instructions.. here is the new HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 2:17:05 AM, on 12/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [imuk] C:\PROGRA~1\COMMON~1\imuk\imukm.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

**miekiemoes** · 2007-06-25, 09:34

Hello,

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

**SuperSamDuh** · 2007-06-25, 19:11

I downloaded Combofix as you suggested and ran it. It completed the scan, but after reboot it never came back up. I wasn't sure if rerunning it would be helpful, but I did get the HTJ log which is below. Let me know if I should run combofix again.

Logfile of HijackThis v1.99.1
Scan saved at 13:09, on 2006-12-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\ComboFix\catchme.cfexe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [imuk] C:\PROGRA~1\COMMON~1\imuk\imukm.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

(also, I notice I have some old aol software running that doesn't affect AIM, I wasn't sure if this is a good thing since I can't seem to find any AOL program files... just curious)

**miekiemoes** · 2007-06-25, 19:20

Hi,

I see from your log that Combofix was still running after reboot. You really have to wait till the logfile opens.
Look on your C:\ if there's a combofix.txt present and copy and paste the contents here.

also, I notice I have some old aol software running that doesn't affect AIM, I wasn't sure if this is a good thing since I can't seem to find any AOL program files... just curious

Not sure what you mean here, but the aolsoftware.exe is a part of your AIM here.

**SuperSamDuh** · 2007-07-12, 23:32

Logfile of HijackThis v1.99.1
Scan saved at 5:30:25 PM, on 7/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\program files\aim6\anotify.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HiJack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

"AJILON" - 2007-07-12 17:23:45 - ComboFix 07-07-12.3 - Service Pack 1 FAT32
Command switches used :: C:\Documents and Settings\AJILON\Desktop\CFScript.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\imuk
C:\WINDOWS\QUpJTE9O
C:\WINDOWS\QUpJTE9O\asappsrv.dll
C:\WINDOWS\QUpJTE9O\koDLnH6i.vbs

((((((((((((((((((((((((( Files Created from 2007-06-12 to 2007-07-12 )))))))))))))))))))))))))))))))

No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2006-10-23 07:25:12 25,808 ----a-w C:\DOCUME~1\AJILON\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-05-07 18:32:34 266 --sh--w C:\Program Files\desktop.ini
2003-05-07 18:32:34 11,079 ---h--w C:\Program Files\folder.htt

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 15:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 11:35]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2006-12-01 02:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 04:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 17:37]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-12 17:27:01
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-12 17:28:09
C:\ComboFix2.txt ... 2006-12-17 22:19
C:\ComboFix-quarantined-files.txt ... 2007-07-12 17:28

--- E O F ---

**miekiemoes** · 2007-07-13, 00:09

Clean logs again.

Delete the C:\Qoobox folder.

Let me know how things are now.

**SuperSamDuh** · 2007-07-13, 04:21

New logs below, and everything seems much better now. I still have popups occasionally but it's just the result of a cookie or something simple. My computer is still a bit on the slow side, but it's getting older.. it's about 4 years old in the computer world... it was running just fine up until lately. I want to ask you about defragmenting it... someone I know suggested it... I don't think it's ever been done, and I don't really know a lot about it. I'm much more... software oriented.. I know little to none about the actual background workings of a computer.

"AJILON" - 2007-07-12 22:08:10 - ComboFix 07-07-12.3 - Service Pack 1 FAT32

((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))

No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 04:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2006-10-23 07:25:12 25,808 ----a-w C:\DOCUME~1\AJILON\APPLIC~1\GDIPFONTCACHEV1.DAT
2003-05-07 18:32:34 266 --sh--w C:\Program Files\desktop.ini
2003-05-07 18:32:34 11,079 ---h--w C:\Program Files\folder.htt

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 14:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2006-12-01 01:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-05-14 17:37]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-12 22:13:04
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-12 22:14:28
C:\ComboFix3.txt ... 2006-12-17 22:19
C:\ComboFix-quarantined-files.txt ... 2007-07-12 17:28
C:\ComboFix2.txt ... 2007-07-12 17:28

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 10:05:31 PM, on 7/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\aim6\anotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiJack This\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

**miekiemoes** · 2007-07-13, 07:06

Hi,

Logs still look clean

Read here how to defragment: http://helpdesk.its.uiowa.edu/window...ons/defrag.htm
In your case, it may take a long time to defragment since you have never done it before and your system is a FAT32.

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

Thread: Smitfraud-C.CoreService.

Thread Tools

Display

Hybrid View

Smitfraud-C.CoreService.

Posting Permissions