Trojan: Smitfraud-C.CoreServices

**010100** · 2008-02-24, 11:56

It seems I have picked up something. Spybot says there is a trojan called 'Smitfraud-C.coreservices' installed as a driver on my PC (which connects to malicious servers w/o permission).

It says Spybot can not remove the trojan, which needs to be manually removed by "closing the file handles for core.cache.dsk and core.sys"....

How does one go about resolving the extrication of this trojan from my PC?

I detail below my HJT log.... Appreciate any help.
-------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:55:12, on 24/02/2008
Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Clean Expert\RCHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/?wa=wsignin1.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IE Privacy Keeper] "C:\Program Files\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9869] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6884] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingB7191] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1516] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7378 bytes

**pskelley** · 2008-02-24, 16:03

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Read the instructions but do not run and post the Kaspersky Online Scan now until I request it.
If you have any tool I run onboard, delete them and download them new from the links I provide.

MAKE SURE ALL OLD COPIES OF combofix ARE REMOVED FIRST

Tutorial if needed:
http://www.bleepingcomputer.com/comb...o-use-combofix

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks

**010100** · 2008-02-24, 17:04

As requested the HJT & CombFix logs: The latter is in a second post as the forum is not permitting more than 2000 characters per reply. Thanks.

--------------------------------
HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:55, on 24/02/2008
Platform: Windows XP SP3, v.3244 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Clean Expert\RCHelper.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.live.com/?wa=wsignin1.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IE Privacy Keeper] "C:\Program Files\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegClean Expert Scheduler] "C:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6898 bytes

**010100** · 2008-02-24, 17:06

...and the ComboFix log:

---------------------------

ComboFix 08-02-24.4 - Anonymous 2008-02-24 20:22:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.548 [GMT 5:00]
Running from: C:\Documents and Settings\Anonymous\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\mff.sys
E:\RECYCLER\av7.0.6.4.3.2.rar
E:\RECYCLER\deny.php
E:\RECYCLER\index(1).htm
E:\RECYCLER\index.htm
E:\RECYCLER\NORTON360.part1.rar

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MFF
-------\mff

((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.

2008-02-23 23:13 . 2008-02-24 15:34 165 --a------ C:\WINDOWS\wininit.ini
2008-02-23 16:53 . 2008-02-09 17:56 2,577 --a------ C:\WINDOWS\system32\config.bak
2008-02-23 16:53 . 2001-08-23 17:00 1,688 --a------ C:\WINDOWS\system32\autoexec.bak
2008-02-23 15:33 . 2008-02-23 15:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-23 15:33 . 2008-02-23 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 04:07 . 2008-02-23 04:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-02-23 04:06 . 2008-02-23 04:06 <DIR> d-------- C:\Documents and Settings\Anonymous\Application Data\GRETECH
2008-02-23 04:04 . 2008-02-23 04:06 <DIR> d-------- C:\Program Files\GomPlayer
2008-02-19 22:56 . 2008-02-19 23:43 0 --a------ C:\WINDOWS\system32\10004.sks
2008-02-19 22:56 . 2008-02-19 23:43 0 --a------ C:\WINDOWS\system32\10003.sks
2008-02-19 22:56 . 2008-02-19 23:43 0 --a------ C:\WINDOWS\system32\10002.sks
2008-02-19 22:56 . 2008-02-19 23:43 0 --a------ C:\WINDOWS\system32\10001.sks
2008-02-19 22:54 . 2008-02-19 23:41 996 --a------ C:\WINDOWS\system32\BlockedCookies
2008-02-19 21:31 . 2008-02-19 21:31 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-19 21:31 . 2007-10-31 10:32 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-19 21:23 . 2008-02-19 21:23 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-02-19 21:23 . 2008-02-19 21:28 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-18 22:38 . 2008-02-18 22:38 765,415 --a------ C:\WINDOWS\system32\SKExecutables.zip
2008-02-18 22:36 . 2008-02-19 22:59 63 --a------ C:\WINDOWS\system32\SKVersion.ini
2008-02-18 22:35 . 2008-02-18 22:35 1,629,395 --a------ C:\WINDOWS\system32\SKSignatures.zip
2008-02-18 21:39 . 2008-02-19 23:42 1,325 --a------ C:\WINDOWS\system32\sk_bho.ini
2008-02-18 15:13 . 2008-02-18 15:13 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-02-18 15:11 . 2008-02-24 18:13 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-02-18 15:11 . 2008-02-24 18:13 <DIR> d-------- C:\Documents and Settings\Anonymous\Application Data\Spyware Terminator
2008-02-18 15:11 . 2008-02-24 00:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-02-18 15:10 . 2008-02-19 10:14 52,246 --a------ C:\WINDOWS\Run32A40.mch
2008-02-18 14:58 . 2008-02-19 10:14 <DIR> d-------- C:\WINDOWS\A4W_DATA
2008-02-18 14:58 . 2008-02-19 10:12 35 --a------ C:\WINDOWS\A4W.INI
2008-02-18 08:09 . 2008-02-18 08:09 1,409 --a------ C:\WINDOWS\system32\tmp722DD.FOT
2008-02-18 07:39 . 2008-02-18 07:39 <DIR> d-------- C:\Program Files\Scholastic
2008-02-18 00:43 . 2008-02-18 00:43 <DIR> d-------- C:\Documents and Settings\Anonymous\Application Data\HP
2008-02-17 17:25 . 2008-02-17 17:25 <DIR> d-------- C:\Documents and Settings\Anonymous\Incomplete
2008-02-17 17:25 . 2008-02-20 22:23 <DIR> d-------- C:\Documents and Settings\Anonymous\Application Data\FrostWire
2008-02-17 17:24 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-17 17:23 . 2008-02-17 17:24 <DIR> d-------- C:\Program Files\Java
2008-02-17 17:23 . 2008-02-17 17:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-17 17:11 . 2008-02-17 17:25 <DIR> d-------- C:\Program Files\FrostWire
2008-02-17 01:33 . 2008-02-17 01:33 116 -r-hs---- C:\WINDOWS\PCGWIN32.LI3
2008-02-17 01:00 . 2008-02-17 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-02-16 17:28 . 2008-02-16 17:28 <DIR> d-------- C:\Program Files\Common Files\HP
2008-02-16 17:28 . 2008-02-16 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-02-16 17:24 . 2008-02-16 17:24 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-02-16 17:23 . 2008-02-16 17:23 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-02-16 17:22 . 2005-03-14 12:03 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-02-16 17:22 . 2005-03-14 12:05 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-02-16 17:22 . 2005-03-08 11:55 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-02-16 17:22 . 2005-03-14 12:05 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-02-16 17:22 . 2005-03-14 13:39 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-02-16 17:22 . 2005-03-08 11:55 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-02-16 17:20 . 2008-02-16 17:27 <DIR> d-------- C:\Program Files\HP
2008-02-16 17:18 . 2008-02-16 17:32 110,171 --a------ C:\WINDOWS\hpoins08.dat
2008-02-16 17:18 . 2005-10-14 22:42 46,592 --a------ C:\WINDOWS\system32\hpzll43a.dll
2008-02-16 17:18 . 2006-01-25 04:46 7,577 --------- C:\WINDOWS\hpomdl08.dat
2008-02-16 17:17 . 2007-10-30 19:02 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-16 17:17 . 2007-10-30 19:02 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-16 17:17 . 2007-10-30 19:00 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-02-16 17:17 . 2007-10-30 19:00 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-02-16 17:16 . 2007-10-30 18:47 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-16 17:16 . 2007-10-30 18:47 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-16 16:53 . 2008-02-16 16:53 <DIR> d-------- C:\Program Files\SigmaTel
2008-02-16 16:53 . 2003-02-03 19:05 205,680 --a------ C:\WINDOWS\system32\drivers\STAC97.sys
2008-02-16 16:47 . 2008-02-16 16:47 <DIR> d-------- C:\Program Files\Intel
2008-02-16 16:46 . 2008-02-16 17:08 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-02-16 16:46 . 2008-02-16 16:46 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-02-16 16:18 . 2008-02-16 16:48 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-16 16:17 . 1998-04-23 23:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-02-16 14:17 . 2008-02-24 18:32 <DIR> d-------- C:\Program Files\Registry Clean Expert
2008-02-15 13:53 . 2008-02-15 13:53 85,814 --a------ C:\WINDOWS\loop.wav
2008-02-15 13:53 . 2008-02-15 13:53 34,530 --a------ C:\WINDOWS\loopend.wav
2008-02-15 13:53 . 2008-02-15 14:29 471 --a------ C:\WINDOWS\nast.ini
2008-02-15 07:21 . 2008-02-15 07:21 <DIR> d-------- C:\Program Files\The Learning Company
2008-02-15 07:21 . 1999-05-25 05:40 188,960 --a------ C:\WINDOWS\system32\WINGDE.DLL
2008-02-15 07:21 . 1999-05-25 05:40 92,208 --a------ C:\WINDOWS\system32\WING.DLL
2008-02-15 07:21 . 1999-05-25 05:40 41,984 --a------ C:\WINDOWS\rrpre.pls
2008-02-15 07:21 . 1999-05-25 05:40 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2008-02-15 07:21 . 1999-05-25 05:40 6,736 --a------ C:\WINDOWS\system32\WINGDIB.DRV
2008-02-15 07:21 . 1999-05-25 05:40 5,024 --a------ C:\WINDOWS\system32\WINGPAL.WND
2008-02-14 17:43 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-02-14 17:22 . 2008-02-16 16:18 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-11 18:28 . 2008-02-11 18:28 <DIR> d-------- C:\Documents and Settings\Anonymous\WINDOWS
2008-02-11 18:28 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-02-11 18:26 . 2008-02-11 18:26 0 --a------ C:\WINDOWS\SETUP32.INI
2008-02-10 18:43 . 2008-02-24 08:32 <DIR> d-------- C:\hegames
2008-02-10 18:42 . 2008-02-24 10:49 1,050 --a------ C:\WINDOWS\hegames.ini
2008-02-10 17:11 . 2008-02-24 20:20 <DIR> d-------- C:\Program Files\FlashGet
2008-02-10 15:58 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-10 15:58 . 2008-02-10 15:58 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-10 15:57 . 2008-02-10 15:57 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-10 15:56 . 2008-02-10 15:57 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-10 15:49 . 2008-02-10 15:49 <DIR> dr-h----- C:\MSOCache
2008-02-10 12:42 . 2008-02-10 12:42 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-10 12:36 . 2008-02-10 12:36 <DIR> d-------- C:\Program Files\IE Privacy Keeper
2008-02-10 12:36 . 2008-02-10 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\UnH Solutions
2008-02-10 05:11 . 2008-02-10 05:11 <DIR> d-------- C:\Documents and Settings\Anonymous\Application Data\Symantec
2008-02-10 03:03 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-10 03:03 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-10 03:03 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-10 01:03 . 2008-02-10 01:03 3,932,214 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp
2008-02-10 01:03 . 2008-02-10 01:03 64,422 --a------ C:\WINDOWS\BricoPackUninst.cmd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-09 20:03 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-02-09 12:56 --------- d-----w C:\Program Files\microsoft frontpage
.

------- Sigcheck -------

833587fa90595d04c94c92dd1170aded C:\WINDOWS\explorer.exe
----a-w 975,872 2007-10-31 05:32:28 C:\WINDOWS\explorer.exe
-c--a-w 975,872 2007-10-31 05:32:28 C:\WINDOWS\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-10-31 10:32 15360]
"RegClean Expert Scheduler"="C:\Program Files\Registry Clean Expert\RCHelper.exe" [2008-01-31 02:09 604920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 02:59 115816]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18 49152]
"IE Privacy Keeper"="C:\Program Files\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 14:52 1015808]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-02-18 15:12 2778112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-10-31 10:32 15360]

C:\Documents and Settings\Anonymous\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitTorrent\\BitTorrent.exe"= C:\\Program Files\\BitTorrent\\bittorrent.exe
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\AV-CLS\\WGET.EXE"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-02-18 15:13]
R2 dmsmbios;dmsmbios;C:\WINDOWS\system32\dmsmbios.sys [2000-05-02 18:42]

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 20:32:13
Windows 5.1.2600 Service Pack 3, v.3244 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
.
**************************************************************************
.
Completion time: 2008-02-24 20:35:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-24 15:35:16
.
2008-02-19 22:00:55 --- E O F ---

**pskelley** · 2008-02-24, 17:19

Thanks for returning your information. Looks to me like combofix remove your problem, how is the computer running now. Before we do a Kaspersky online scan for hidden malware, I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/comb...o-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.

Thanks

**010100** · 2008-02-25, 16:02

Thanks, it seems to have done the job...

Do not think there is need (at this juncture) to move with further checks

Your and the forum's help is much appreciated.

Thanks.

**010100** · 2008-02-25, 16:53

...OR do you believe there is a need to go through this exercise throughly in your opinion.

If so, I have no problem...

**pskelley** · 2008-02-25, 18:40

I believe Recovery Console can be a major tool to have in the event of a bad system failure and many folks do not have the Windows CD's needed to install it. I think you should read that information and make a decision if you wish to install it when combofix is still installed. If you install it or not, we will then remove the tools we have used and run a Kaspersky Online Scan to be sure nothing is hiding from us. I am holding the final cleanup for you, not for me.

Thanks

Thread: Trojan: Smitfraud-C.CoreServices

Thread Tools

Display

Trojan: Smitfraud-C.CoreServices

Posting Permissions