
Thread: Smitfraud-C.CoreService.

  1. #1 Junior Member

    Smitfraud-C.CoreService.

    I ran Spybot S&D several times in the past few days. My little sister has been using the computer, so when it started to get popups and slow down extremely, I was concerned. Spybot found and got rid of Command Service as well as many tracking cookies from various places, but it can't seem to get rid of the three entries of Smitfraud-C.CoreService.

    Any help would be greatly appreciated. Thank you. The HJT log is posted below:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:01:47 PM, on 11/29/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AIM6\aolsoftware.exe
    c:\program files\aim6\anotify.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HiJack This\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [imuk] C:\PROGRA~1\COMMON~1\imuk\imukm.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  2. #2 miekiemoes (Visiting Fellow)

    Hello,

    I notice that you do not seem to be running antivirus software and a firewall. This is somewhat suicidal in today's digital world.
    That's why I want you to install them first!!

    Avira, AVG OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus programs.
    Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease its reliability!
    Comodo OR Kerio are FREE firewalls.

    Understanding and using firewalls

    Reboot your computer afterwards.
    After reboot, perform a full scan with your Antivirus and let it remove anything it is finding. Then reboot once again in order to delete files that were in use previously.

    Post a new HijackThis log in your next reply - then we'll start from there, because it really makes no sense to clean this up manually if no antivirus scanner is present; it should be able to deal with most of this and prevent further reinfection.

  3. #3 Junior Member

    Sorry it took so long to respond. Internet went down for a little while. I downloaded Avira and Comodo and followed your instructions. Here is the new HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:17:05 AM, on 12/1/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HiJack This\HijackThis.exe

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [imuk] C:\PROGRA~1\COMMON~1\imuk\imukm.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
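
As an added example (not from this thread, and not a HijackThis or Spybot tool), the comparison the helper does by eye, in Python: it parses the O-section entries of the two HijackThis logs posted above, reports which entries disappeared, appeared, or persisted between the 29 Nov and 1 Dec scans, and lists O23 services the tool could not attribute to a vendor. The log excerpts are copied from the posts above; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# One HijackThis "O" entry: the section tag and the rest of the line verbatim.
HJT_LINE = re.compile(r"^(O\d+) - (.+)$")

@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", "O16", "O23", ...
    detail: str   # everything after "Onn - ", as HijackThis printed it

def parse_hjt(log: str) -> list[Entry]:
    """Collect the O-section entries of a HijackThis log; the process list is skipped."""
    return [Entry(m.group(1), m.group(2))
            for m in map(HJT_LINE.match, (ln.strip() for ln in log.splitlines())) if m]

def diff_logs(before: str, after: str) -> dict[str, set[Entry]]:
    """Split two scans into entries removed, added, and still present."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return {"removed": b - a, "added": a - b, "kept": b & a}

def unknown_owner_services(log: str) -> list[str]:
    """O23 services HijackThis could not attribute to a vendor; worth a second look."""
    return [e.detail for e in parse_hjt(log)
            if e.section == "O23" and "- Unknown owner -" in e.detail]

# Excerpts of the two logs posted in this thread (29 Nov and 1 Dec).
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [imuk] C:\PROGRA~1\COMMON~1\imuk\imukm.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [imuk] C:\PROGRA~1\COMMON~1\imuk\imukm.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
"""

if __name__ == "__main__":
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "added", "kept"):
        for e in sorted(d[label], key=lambda e: (e.section, e.detail)):
            print(f"{label:8} {e.section:4} {e.detail}")
    print("unknown owner:", unknown_owner_services(LOG_AFTER))
```

Run against the full logs, the "kept" set is the short list a helper actually has to judge; here the [imuk] Run entry survives both scans while the Adobe BHO is gone and the new Avira entries appear.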

  4. #4 miekiemoes (Visiting Fellow)

    Hello,

    * Download Combofix to your desktop.
    Double-click combofix.exe.
    Follow the prompts.
    Don't click on the window while the fix is running, because that will cause your system to hang.

    When finished and after reboot (in case it asks to reboot), Combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
    Post the contents of this log in your next reply together with a new HijackThis log.
    Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

  5. #5 Junior Member

    I downloaded Combofix as you suggested and ran it. It completed the scan, but after reboot it never came back up. I wasn't sure if rerunning it would be helpful, but I did get the HJT log, which is below. Let me know if I should run Combofix again.

    Logfile of HijackThis v1.99.1
    Scan saved at 13:09, on 2006-12-01
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\ComboFix\catchme.cfexe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HiJack This\HijackThis.exe

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [imuk] C:\PROGRA~1\COMMON~1\imuk\imukm.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



    (also, I notice I have some old aol software running that doesn't affect AIM, I wasn't sure if this is a good thing since I can't seem to find any AOL program files... just curious)

  6. #6 miekiemoes (Visiting Fellow)

    Hi,

    I see from your log that Combofix was still running after reboot. You really have to wait till the logfile opens.
    Look on your C:\ if there's a combofix.txt present and copy and paste the contents here.

    "also, I notice I have some old aol software running that doesn't affect AIM, I wasn't sure if this is a good thing since I can't seem to find any AOL program files... just curious"
    Not sure what you mean here, but the aolsoftware.exe is a part of your AIM here.

  7. #7 Junior Member

    There is a combofix.txt file, but it's not showing as a txt file, it's showing as a batch file. I'm not really sure what's going on...

    in any case, I did wait.. I actually left my computer alone for about 7 hours to make sure.

  8. #8 miekiemoes (Visiting Fellow)

    Ok, do the next steps please..

    Download and save Blacklight to your desktop.
    F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
    (fsbl.exe - graphical user interface)
    Double-click fsbl.exe, then accept the agreement.
    Click > scan, then > next.
    You'll see a list of all items found - if any were found, so don't worry if it says that no files were found.
    In case hidden files were found, don't choose rename yet! I want to see the log first, because legit items can also be present there...
    There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
    I need that log later.

    Then:
    • Download Deckard System Scanner to your Desktop.
    • Close all applications and windows.
    • Double-click on dds.exe to run it, and follow the prompts.
    • The scan may take a minute. When the scan is complete, a text file will open - main.txt
    • A folder (C:\Deckard\System Scanner) will also open which contains the main.txt and an extra.txt.
    • Copy and paste the contents of main.txt in your next reply (do not post the extra.txt - only post this when asked), together with the log from Blacklight.

  9. #9 Junior Member

    The F-Secure Blacklight Log:

    12/02/06 17:35:56 [Info]: BlackLight Engine 1.0.64 initialized
    12/02/06 17:35:56 [Info]: OS: 5.1 build 2600 (Service Pack 1)
    12/02/06 17:35:57 [Note]: 7019 4
    12/02/06 17:35:57 [Note]: 7005 0
    12/02/06 17:35:59 [Note]: 7006 0
    12/02/06 17:35:59 [Note]: 7011 192
    12/02/06 17:36:01 [Note]: 7026 0
    12/02/06 17:36:02 [Note]: 7026 0
    12/02/06 17:36:32 [Note]: FSRAW library version 1.7.1022
    12/02/06 17:37:04 [Note]: 7007 0


    But the Deckard System Scanner stops right after about 5% and displays the following error message:

    Line 0 (File "C:\Program Files\DDS\dss.exe"):
    Local $res= $objSR.CreateRestorePoint($ProgName & "Restore Point", 12, 100)
    Local $res= $objSR.CreateRestorePoint($ProgName & "Restore Point", 12, 100)
    ^ERROR

    Error: The requested action with this object has failed.

  10. #10 miekiemoes (Visiting Fellow)

    Funny things going on there...

    Anyway, let's see if Combofix runs in Windows Safe Mode, but first, I want you to remove the current version of Combofix and redownload it from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe. This version is updated, and I also want to be sure that all components are present and your antivirus doesn't delete related components, because I've seen this as well: some antivirus programs may flag certain components dropped by Combofix, which results in the tool not working properly.
    Do not run Combofix.exe yet.

    Then,

    * Reboot into Safe Mode (without networking support!):
    To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
    Choose Safe Mode from the menu that will appear and press Enter.
    If you can't get into Windows Safe Mode using the above method, please let me know. Don't force it by using other methods!

    Then run Combofix and post the log afterwards if present.
    Last edited by miekiemoes; 2007-06-27 at 12:19. Reason: added changed link for ComboFix since the other version hasn't been updated
