Thread: Smitfraud

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Location
    Victoria Australia
    Posts
    9

    Default Smitfraud

    Spybot finds "Smitfraud-C.CoreService" but each attempt to remove it results (after several seconds) in my laptop shutting down and coming back to checkdisk etc. When I run Spybot again, the curse is still there.

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hello.

    Please run another scan and when the scan completes, right click on the results list, select "Copy results to clipboard".

    Then paste (Ctrl+V) those results into this thread so we can see the path of the detection.

    Regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263

    Default

    Hello,

    Do you already run Spybot - Search & Destroy version 1.5?

    Best regards
    Sandra
    Team Spybot

  4. #4
    Junior Member
    Join Date
    Sep 2007
    Location
    Victoria Australia
    Posts
    9

    Default Smitfraud-C.CoreService

    Thanks for your follow up. Here is a copy of the report as requested. I had to edit down from 175,000 to 20,000 characters. Did not understand what was important so chopped from the bottom up. Spybot version 1.4 :-

    --- Search result list ---
    Smitfraud-C.CoreService: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

    Smitfraud-C.CoreService: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\core

    Smitfraud-C.CoreService: Data (File, nothing done)
    C:\WINDOWS\system32\drivers\core.cache.dsk

    Smitfraud-C.CoreService: System file (File, nothing done)
    C:\WINDOWS\system32\drivers\core.sys


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2007-06-21 unins000.exe (51.41.0.0)
    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 APORTS.DLL (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-05-23 advcheck.dll (1.5.3.0)
    2007-07-31 Tools.dll (2.1.2.0)
    2007-07-25 Includes\Dialer.sbi (*)
    2007-08-29 Includes\Hijackers.sbi (*)
    2007-07-25 Includes\Keyloggers.sbi (*)
    2007-08-29 Includes\Malware.sbi (*)
    2007-08-29 Includes\PUPS.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-08-01 Includes\Spybots.sbi (*)
    2007-08-29 Includes\Trojans.sbi (*)
    2007-08-29 Includes\Cookies.sbi (*)
    2007-08-29 Includes\Revision.sbi (*)
    2007-08-21 Includes\Tracks.uti
    2007-08-29 Includes\TrojansC.sbi (*)
    2007-08-29 Includes\SpybotsC.sbi (*)
    2007-08-29 Includes\SecurityC.sbi (*)
    2007-08-29 Includes\PUPSC.sbi (*)
    2007-08-29 Includes\MalwareC.sbi (*)
    2007-08-29 Includes\KeyloggersC.sbi (*)
    2007-08-29 Includes\HijackersC.sbi (*)
    2007-08-29 Includes\DialerC.sbi (*)
    2007-06-06 Plugins\TCPIPAddress.dll



    --- System information ---
    Windows XP (Build: 2600) Service Pack 2


    --- Startup entries list ---
    Located: HK_LM:Run, Alcmtr
    command: ALCMTR.EXE
    file: C:\WINDOWS\ALCMTR.EXE
    size: 69632
    MD5: 8b4cbba1ea526830c7f97e7822e2493a

    Located: HK_LM:Run, AVG7_CC
    command: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    file: C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    size: 421888
    MD5: 8505728355747be7dda159c96a5323a1

    Located: HK_LM:Run, AzMixerSel
    command: C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    file: C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    size: 53248
    MD5: ae09a7fad521da4e5781cb93f594fd3c

    Located: HK_LM:Run, EPM-DM
    command: c:\acer\epm\epm-dm.exe
    file: c:\acer\epm\epm-dm.exe
    size: 200704
    MD5: d8896a908fc183ff63d16bfff5960ba1

    Located: HK_LM:Run, ePowerManagement
    command: C:\Acer\ePM\ePM.exe boot
    file: C:\Acer\ePM\ePM.exe
    size: 2893824
    MD5: 5bd7ac79525975a097196891b4fd7170

    Located: HK_LM:Run, eRecoveryService
    command: C:\Program Files\Acer\eRecovery\Monitor.exe
    file: C:\Program Files\Acer\eRecovery\Monitor.exe
    size: 352256
    MD5: 223426b9c171aae2c103b7324ba919bd

    Located: HK_LM:Run, FusionRemote
    command: C:\Program Files\DVICO\FusionHDTVUSB\Remote\FusionRc.exe
    file: C:\Program Files\DVICO\FusionHDTVUSB\Remote\FusionRc.exe
    size: 2271232
    MD5: 71f5e83ab2449c4f1d2779b64b25b3d5

    Located: HK_LM:Run, FusionUSBTrayAgent
    command: C:\Program Files\DVICO\FusionHDTVUSB\FusionHdtvTray.exe
    file: C:\Program Files\DVICO\FusionHDTVUSB\FusionHdtvTray.exe
    size: 1618944
    MD5: 44bb3dbf534579be25499b9904338d95

    Located: HK_LM:Run, High Definition Audio Property Page Shortcut
    command: HDAShCut.exe
    file: C:\WINDOWS\system32\HDAShCut.exe
    size: 61952
    MD5: 9c3b2302b60fb0efb13bc880a5e3e93e

    Located: HK_LM:Run, HotKeysCmds
    command: C:\WINDOWS\system32\hkcmd.exe
    file: C:\WINDOWS\system32\hkcmd.exe
    size: 77824
    MD5: 409f6851bdaec9accbdde692d56d5c87

    Located: HK_LM:Run, IgfxTray
    command: C:\WINDOWS\system32\igfxtray.exe
    file: C:\WINDOWS\system32\igfxtray.exe
    size: 94208
    MD5: a20723fa212faa76b5157ad8f434347b

    Located: HK_LM:Run, IMJPMIG8.1
    command: "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    file: C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
    size: 208952
    MD5: 7bbe4cf421aecc7f0226edd75f12079f

    Located: HK_LM:Run, iTunesHelper
    command: "C:\Program Files\iTunes\iTunesHelper.exe"
    file: C:\Program Files\iTunes\iTunesHelper.exe
    size: 278528
    MD5: ff95f200b0cb3810382b355cf9f0bed9

    Located: HK_LM:Run, LaunchApp
    command: Alaunch
    file: C:\WINDOWS\Alaunch.exe
    size: 520192
    MD5: c7f4958a99983e2e4b435be798081dd8

    Located: HK_LM:Run, LManager
    command: C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    file: C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    size: 462848
    MD5: f0b53e9cc63e9f392fcf4fc985045ac1

    Located: HK_LM:Run, MSPY2002
    command: C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    file: C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe
    size: 59392
    MD5: 1b17e09c1223f6d17336d2dd7a1af4f4

    Located: HK_LM:Run, NeroFilterCheck
    command: C:\WINDOWS\system32\NeroCheck.exe
    file: C:\WINDOWS\system32\NeroCheck.exe
    size: 155648
    MD5: 3e4c03cefad8de135263236b61a49c90

    Located: HK_LM:Run, OpwareSE2
    command: "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    file: C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    size: 49152
    MD5: 882539219b40107d5bc0557e0088dd79

    Located: HK_LM:Run, PCMService
    command: "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
    file: C:\Program Files\Acer\Acer Arcade\PCMService.exe
    size: 143360
    MD5: 315908dae833e624319fca7e2168caf1

    Located: HK_LM:Run, Persistence
    command: C:\WINDOWS\system32\igfxpers.exe
    file: C:\WINDOWS\system32\igfxpers.exe
    size: 114688
    MD5: 2d838f01650a630ae7a78c864315fbdc

    Located: HK_LM:Run, PHIME2002A
    command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
    size: 455168
    MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

    Located: HK_LM:Run, PHIME2002ASync
    command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
    size: 455168
    MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

    Located: HK_LM:Run, QuickTime Task
    command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
    file: C:\Program Files\QuickTime\qttask.exe
    size: 155648
    MD5: 216b3acc656cda8a5a0c3071ec0a408b

    Located: HK_LM:Run, RoxioDragToDisc
    command: "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    file: C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    size: 1695744
    MD5: c4047b312ae3cb197ba7bd44f0efac28

    Located: HK_LM:Run, RTHDCPL
    command: RTHDCPL.EXE
    file: C:\WINDOWS\RTHDCPL.EXE
    size: 14743552
    MD5: 17fa0988cce29f473ea8a83bab4676e7

    Located: HK_LM:Run, SunJavaUpdateSched
    command: "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    file: C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    size: 49263
    MD5: ffb2d7833002457d3801aa4422ffb44f

    Located: HK_LM:Run, SynTPEnh
    command: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    file: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    size: 688218
    MD5: 55582f239914c8efccf89bd632639542

    Located: HK_LM:Run, SynTPLpr
    command: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    file: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    size: 98394
    MD5: 3665ba88b993554db062ff96542d85ff

    Located: HK_CU:Run, ctfmon.exe
    command: C:\WINDOWS\system32\ctfmon.exe
    file: C:\WINDOWS\system32\ctfmon.exe
    size: 15360
    MD5: 24232996a38c0b0cf151c2140ae29fc8

    Located: HK_CU:Run, MSMSGS
    command: "C:\Program Files\Messenger\msmsgs.exe" /background
    file: C:\Program Files\Messenger\msmsgs.exe
    size: 1694208
    MD5: 74e6e96c6f0e2eca4edbb7f7a468f259

    Located: HK_CU:Run, swg
    command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    size: 68856
    MD5: e616a6a6e91b0a86f2f6217cde835ffe

    Located: HK_CU:Run, updateMgr
    command: "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    file: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    size: 313472
    MD5: 43f3f6d33c793089a7c32b45da16094b

    Located: Startup (common), Adobe Gamma Loader.lnk
    command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    size: 113664
    MD5: c2ff17734176cd15221c10044ef0ba1a

    Located: Startup (common), Adobe Reader Speed Launch.lnk
    command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    size: 29696
    MD5: 43362b96870ce8649f4f2ec893da93f0

    Located: System.ini, crypt32chain
    command: crypt32.dll
    file: crypt32.dll

    Located: System.ini, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll

    Located: System.ini, cscdll
    command: cscdll.dll
    file: cscdll.dll

    Located: System.ini, igfxcui
    command: igfxdev.dll
    file: igfxdev.dll

    Located: System.ini, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, Schedule
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll

    Located: System.ini, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll

    Located: System.ini, termsrv
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, WgaLogon
    command: WgaLogon.dll
    file: WgaLogon.dll

    Located: System.ini, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll



    --- Browser helper object list ---
    {37B4F963-6ED7-3F72-A349-1CE34FE8AAC9} ()
    BHO name:
    CLSID name:
    Path: C:\WINDOWS\system32\
    Long name: jtlxs.dll

    {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
    BHO name:
    CLSID name: Google Toolbar Helper
    description: Google toolbar
    classification: Open for discussion
    known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
    info link: http://toolbar.google.com/
    info source: TonyKlein
    Path: c:\program files\google\
    Long name: GoogleToolbar2.dll
    Short name: GOOGLE~2.DLL
    Date (created): 21/06/2007 10:51:46 PM
    Date (last access): 15/09/2007
    Date (last write): 19/01/2007 11:55:32 PM
    Filesize: 2403392
    Attributes: readonly archive
    MD5: 6319F2D4708DBCAE37CFA03DA10782C0
    CRC32: D51D8296
    Version: 4.0.1601.4978

    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
    BHO name:
    CLSID name: Google Toolbar Notifier BHO
    Path: C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\
    Long name: swg.dll
    Short name:
    Date (created): 30/07/2007 9:11:40 AM
    Date (last access): 15/09/2007
    Date (last write): 30/07/2007 9:11:42 AM
    Filesize: 325048
    Attributes: archive
    MD5: 1DC47CA76A0FFEAA25B45DE5706F2115
    CRC32: E2052360
    Version: 2.0.301.7164



    --- ActiveX list ---


    --- Process list ---
    PID: 0 ( 0) [System]
    PID: 612 ( 4) \SystemRoot\System32\smss.exe
    PID: 676 ( 612) \??\C:\WINDOWS\system32\csrss.exe
    PID: 700 ( 612) \??\C:\WINDOWS\system32\winlogon.exe
    PID: 744 ( 700) C:\WINDOWS\system32\services.exe
    size: 108032
    MD5: C6CE6EEC82F187615D1002BB3BB50ED4
    PID: 756 ( 700) C:\WINDOWS\system32\lsass.exe
    size: 13312
    MD5: 84885F9B82F4D55C6146EBF6065D75D2
    PID: 900 ( 744) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 968 ( 744) C:\WINDOWS\system32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1008 ( 744) C:\WINDOWS\System32\svchost.exe
    size: 14336
    MD5: 8F078AE4ED187AAABC0A305146DE6716
    PID: 1048 ( 744) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    size: 86016
    MD5: 5AE75738B957C2064566007487D973B6
    PID: 1136 ( 744) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    size: 360521
    MD5: 215DEEE103618F102263C8ECF4B8413E
    PID: 1268 ( 744) C:\WINDOWS\system32\svchost.exe
    size: 14336

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hi there.

    We are now at Spybot-S&D version 1.5.

    Make sure you update after installation so you have the latest definitions, and then run another scan please.

  6. #6
    Junior Member
    Join Date
    Sep 2007
    Location
    Victoria Australia
    Posts
    9

    Default Smitfraud-C.CoreService

    Thanks again for the follow up. I did as you suggested, removed version 1.4, installed version 1.5, and redid the scan. Same result. Bad guy found, but when running "destroy" the laptop shuts down and reboots to disk check etc., and a new scan reveals that the issue is not resolved.
    Here is a copy of the latest scan results :-

    Smitfraud-C.CoreService: [SBI $C0D676DB] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

    Smitfraud-C.CoreService: [SBI $B462702A] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\core

    Smitfraud-C.CoreService: [SBI $9C656B9A] Data (File, nothing done)
    C:\WINDOWS\system32\drivers\core.cache.dsk

    Smitfraud-C.CoreService: [SBI $7635C656] System file (File, nothing done)
    C:\WINDOWS\system32\drivers\core.sys


    --- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

    2007-09-16 unins000.exe (51.46.0.0)
    2007-08-31 blindman.exe (1.0.0.6)
    2007-08-31 SDMain.exe (1.0.0.4)
    2007-08-31 SDUpdate.exe (1.0.6.4)
    2007-08-31 SDWinSec.exe (1.0.0.8)
    2007-08-31 SpybotSD.exe (1.5.1.15)
    2007-08-31 TeaTimer.exe (1.5.0.9)
    2007-08-31 Update.exe (1.4.0.5)
    2007-08-31 advcheck.dll (1.5.3.0)
    2007-04-02 aports.dll (2.1.0.0)
    2007-04-02 DelZip179.dll (1.79.5.3)
    2007-08-31 SDHelper.dll (1.5.0.8)
    2007-08-31 Tools.dll (2.1.2.0)
    2007-09-12 Includes\Revision.sbi (*)
    2007-09-12 Includes\Cookies.sbi (*)
    2007-07-25 Includes\Dialer.sbi (*)
    2007-08-29 Includes\Hijackers.sbi (*)
    2007-07-25 Includes\Keyloggers.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-09-12 Includes\Malware.sbi (*)
    2007-09-05 Includes\PUPS.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-09-12 Includes\Spybots.sbi (*)
    2007-08-21 Includes\Tracks.uti
    2007-09-12 Includes\Trojans.sbi (*)
    2007-09-12 Includes\DialerC.sbi (*)
    2007-09-12 Includes\HijackersC.sbi (*)
    2007-09-12 Includes\KeyloggersC.sbi (*)
    2007-09-12 Includes\MalwareC.sbi (*)
    2007-09-12 Includes\PUPSC.sbi (*)
    2007-09-12 Includes\SecurityC.sbi (*)
    2007-09-12 Includes\SpybotsC.sbi (*)
    2007-09-12 Includes\TrojansC.sbi (*)
    2008-12-24 Plugins\TCPIPAddress.dll

  7. #7
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hi there.

    Files\Java\jre1.5.0_08\bin\jusched.exe"
    file: C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    The latest version is Sun Java Runtime Environment (JRE) 6u2.

    Vulnerabilities in old Sun Java versions may be partly responsible for Vundo/Winfixer infections, so let's take a different look at this.

    Please follow the procedure in this link: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) to produce a HJT log.

    Then start your own thread in the Malware Removal Forum.

    Once you have posted in the malware forum, let me know in this topic and I will ask a helper to take a look as soon as available.

    Probably later on in the day, early morning, as we live in different time zones.
