Smitfraud-C.CoreService

[Shaba]

Please then try this instead:

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.

1. Check (tick) this box: YES, I accept the Terms of Use.
2. Click on the Start button next to it.
3. When prompted to run ActiveX. click Yes.
4. You will be asked to install an ActiveX. Click Install.
5. Once installed, the scanner will be initialized.
6. After the scanner is initialized, click Start.
7. Uncheck (untick) Remove found threats box.
8. Check (tick) Scan unwanted applications.
9. Click on Scan.
10. It will start scanning. Please be patient.
11. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

[Ilxete]

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3916 (20090307)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=3c5d3bdf570069479961c547292fdb49
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-03-07 01:44:40
# local_time=2009-03-07 01:44:40 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=247311
# found=4
# scan_time=6211
C:\Documents and Settings\Gavin\Incomplete\T-5088466-peace anthem for palestine tim(192k 44100 stereo).snd a variant of WMA/TrojanDownloader.GetCodec.gen trojan 9AE203424218151D35D9BA635F3175BF
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\a.zip.vir Win32/TrojanDropper.VB.NAI trojan ED6C728E17F5A1DDFB3B5FCD6E373D75
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\a.zip.vir »ZIP »Setup.exe Win32/TrojanDropper.VB.NAI trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\Fonts\Setup.exe.vir Win32/TrojanDropper.VB.NAI trojan B431E5573134ADE2858D2AE4CF461BA8

[Shaba]

Empty these folders:

C:\Documents and Settings\Gavin\Incomplete
C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?

[Ilxete]

Have just re-run spybot, and guess what came back...:

CasaleMedia: Bookmark (Firefox: Gavin (default)) (Bookmark, nothing done)


CasaleMedia: Bookmark (Firefox: Gavin (default)) (Bookmark, nothing done)


Smitfraud-C.CoreService: Bookmark (Firefox: Gavin (default)) (Bookmark, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-07-30 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2007-01-02 unins000.exe (51.41.0.0)
2009-03-07 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2009-01-22 Includes\Adware.sbi (*)
2009-01-22 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-22 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-02-10 Includes\Hijackers.sbi (*)
2009-03-03 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2009-03-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-03-03 Includes\Malware.sbi (*)
2009-03-03 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-03-03 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-02-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-28 Includes\Spyware.sbi (*)
2009-01-28 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-03-03 Includes\Trojans.sbi (*)
2009-03-03 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

[Shaba]

Yes but that one is bookmark in Firefox.

Unless spybot gives further details about that, go through every Firefox bookmark and delete those you don't recognize.

[Ilxete]

Unable to do so. I can open up 'organise bookmarks', and inside is a suspicious looking bookmark but I cannot delete it; the actual bookmarks spybot picks up are not there. I'm thinking reinstalling firefox completely might be worth a shot at this stage...

[Shaba]

Yes that is a good idea. Let me know if it helped.

[Ilxete]

Reinstalled and rescanned - all clear! Thank you for your help!!

Though, I'd like to ask a final (related) question. A program called AegisP.sys has been trying to contact the internet (generally trying to access something/somewhere called 'BOOTPC') from my system roughly since the trojan appeared on my computer. I don't use cisco systems products on my computer, so I'm suspicious about it... My system appears to run faster when I deny access, though it slows when it attempts to access the network (which is fairly frequently). Is aegisp.sys another component of the trojan, or is it a genuine process that has run an error?

Sorry for asking when you've already done so much, but I just want to be sure that I've sorted everything out.

[Shaba]

That file is part of Cisco and legit.

I'd give it access.

Other concerns left?

[Ilxete]

No, everything else is fine. Thank you very much for the help!!