
Infected With Smitfraud-c.coreservice

Q: Infected With Smitfraud-c.coreservice

I am very thankful for any time you can spend on this. Thanks for any help in removing this nasty infection!!! Log below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08, on 2007-11-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\[email protected]\winFAH.exe
C:\Program Files\Gigabyte\ET5Pro\GUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\[email protected]\FahCore_82.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jake\Local Settings\Temporary Internet Files\Content.IE5\1HWCYYOF\HiJackThis[1].exe
C:\Documents and Settings\Jake\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [EasyTuneVPro] C:\Program Files\Gigabyte\ET5Pro\ETcall.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Tweaks\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: [email protected] 5.03.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Tweaks\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Tweaks\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195178261374
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195178739967
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5376 bytes


A: Infected With Smitfraud-c.coreservice

Hello and welcome aboard!

One or more of the identified infections is a backdoor trojan -> http://www.sophos.com/security/analyses/trojvbdxp.html

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I cannot guarantee it will be 100% secure afterwards. Let me know if you want to try and rid it off the system.


Please help me to clean my PC...I am going crazy with this item
DDS.txt

DDS (Version 1.1.0) - NTFSx86
Run by SWETA at 21:50:02.84 on Tue 12/30/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1006.454 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\...

A:infected with Smitfraud-c. CoreService

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Please post the contents of log.txt.

Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

While we are working on your HijackThis log, please:
Reply to this thread; do not start another!
Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
Do not run any other tool until instructed to do so!
Let me know if any of the links do not work or if any of the tools do not work.
Tell me about problems or symptoms that occur during the fix.
Do not run any other programs or open any other windows while doing a fix.
Ask any questions that you have regarding the fix(es...


As soon as I startup I receive "userinit.exe error message" and taskbar does not appear. I use task manager to open browser. Many webpages open in new browers, some explicit which is a concern as I have young children in the room where the computer is. I have run spybot, but twice per scan I receive the error message: There were problems in the include file C:\Program Files\Spybot - Search_Destroy\Includes\Trojans.sbi See 'Include errors.log' for details. which I am not able to locate. I only scanned the "Critical Areas' using the Kaspersky scan.

Thanks in advance for your help and guidance!

--------------------------------------------------------------------------------
Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-08-04 15:55:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
54: 2008-08-04 22:55:51 UTC - RP660 - Deckard's System Scanner Restore Point
53: 2008-08-04 19:34:19 UTC - RP659 - System Checkpoint
52: 2008-08-02 03:37:00 UTC - RP658 - System Checkpoint
51: 2008-07-31 02:29:12 UTC - RP657 - System Checkpoint
50: 2008-07-29 20:13:26 UTC - RP656 - System Checkpoint

-- First Restore Point --
1: 2008-07-26 02:07:53 UTC - RP607 - System Checkpoint

Backed u...

A:Infected With Smitfraud-c.coreservice

Hello dec512

Welcome to BleepingComputer
========================

Since you are working through the task manager you can save combofix to your C:\Drive as well as the Recovery Console file you can then right click on the Recovery Console file and choose Copy and then paste it Onto Combofix to run it.

==========

Please visit this web page for instructions for downloading and running Combofix > ComboFix Instructions

This includes installing the Windows Recovery Console. Vista users do not need to do this.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.


Spybot will not rid me of this, nor can Avast using a boot-time scan. I need help to do this correctly. Symptoms so far include Internet Explorer popping up with blank pages. I normally use FireFox or Netscape.
Pop-ups occur when I access one of the other browsers.

A:Infected With Smitfraud-c. Coreservice

This infection is basically a rootkit found with certain smitfraud infections and identified by Spybot S&D as Smitfraud-C.CoreService. It is sometimes protected by a driver which must be identified and removed in order to remove the infection so the following fix may not work.

Please download SDFix by AndyManchesta and save it to your desktop.
alternate zipped version

When using this tool, you must use the Administrator's account or an account with "Administrative rights"

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all inclusive.

Disconnect from the Internet before running SDFix.
Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Open the SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remov...


How do i remove this trojans..Please help Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:29 AM, on 9/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\...

A:Infected With Smitfraud-c.coreservice

Hello, soken. to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.
If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
While a HJT Team member is working with you, please refrain from making any changes to your computer.
Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Please reply using the button in the lower left hand corner of your screen.
Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of ...


Followed your initial suggestions, but Spybot still picks up 4 instances of this and can't fix them. I'm running Vista, so Smitfraud Fix, etc., don't work.

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:04 PM, on 8/29/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Carolyn\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Inte...

A:Infected --- Smitfraud-c.coreservice

Hi

Please post a fresh hjt log.


Hello,

I noticed a couple of days ago that I was getting excessive pop-ups when I tried to get onto the internet (both Firefox and Internet Explorer). I did a Spybot S&D scan to find multiple problems. I was able to permanently remove all of them but "Smitfraud-C.Coreservice". After coming to the forum I followed all of the instructions located in the "before you post" link, yet the little monster was still there. I am ready (definitely) and able (hopefully) to follow any instructions you may have to help me. Thanks in advance!

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:48 PM, on 2/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:...

A:Infected With Smitfraud-c.coreservice

Hi and welcome,

Sorry for delay.

Several infections present.
If you still need help please post a fresh hijackthis log here.

Thanks


recently my laptop started popping up fake messages that it was infected and that i needed to download anti-malware software. i ran spybot s&d and it found a bunch of things that it was able to remove. however, it couldn't get rid of the Smitfraud.C Coreservice. i haven't gotten the popups recently, but i've kept the computer off for the most part. also, the Smitfraud.C Coreservice is preventing me from navigating to a lot of sites, including this one so i'm using another computer to post this. i've downloaded and run the dds program and am posting the dds.txt file contents below. i'd really appreciate any help you could give me in getting rid of this. i was hoping to give this laptop to my mother at some point, but i can't give her a sick computer. thanks very much.
- jonah
DDS (Version 1.1.0) - NTFSx86
Run by Owner at 20:43:08.73 on Sat 01/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.905 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
sv...

A:infected by Smitfraud.C Coreservice

anyone? help please?


Starting 10/30, pop-ups (mostly false security warnings) have been invasive and I have lost access to my control panel and administration rights. I have tried to follow the directions for posting as well as I could. However, this virus seems to stick around anyway. I've run Ad-Aware several times, and it still finds stuff, even if it runs prior to start-up. I've run Spy-bot several times and it's Smitfraud-C.CoreService that it can't get rid of, no matter what, and it just regenerates all of the other files. I have also tried the Panda Anti-Virus (along with my McAfee) - the other 2 links provided didn't obtain a website. I have also run the Stinger. I then tried to follow up with HijackThis, but it never finishes, it just disappears. Can you help me at all?

A:Infected With Smitfraud-c.coreservice, Possibly More

Welcome to BC Marniae

Smitfraud-C.Core Service is a rootkit found with certain smitfraud infections and identified by Spybot S&D as Smitfraud-C.CoreService. Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use them as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect your computer from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer i...


Hey,

Yesterday I found out, after downloading and installing a torrent file (bsplayer pro+keygen for it) that it was infected with a trojan. I also keep getting annoying pop ups with IE (I never use IE myself, only firefox).

I'm running Windows XP, SP2 and I use AVG as antivirus program. I have scanned my computer with AVG and it picked 4 trojans into quarantine, also I've scanned my whole computer with it several times afterwards and it doesn't find anything else. I also have spybot seek & destroy and ad-aware and I've scanned my system with those several times. Everytime ad-aware finds around 10-20 tracking cookies, I always remove them, but they come back again and again.

When I ran spybot's scan, it always finds one file (Smitfraud-C.CoreService) and sometimes some other cookies as well. The file is named "core.cache.dsk" and it's in my WINDOWS\system32\drivers folder. I click to fix the problem, spybot said it's fixed and pops up this notification about registry entry change. It says "Entry: SpybotDeletingB4851" and New data: command /c del "C:\WINDOWS\system32.drivers\core.cache.dsk".. I click allow change as I'm guessing that it's trying to delete the file. It pops up few more of same kinda notifications with same information, AND sometimes one notification that says "Entry: LogiSPSetupNeedReboot", I can't remember right now what it says on the old data part. I clicked deny change on that as I didn't kn...

A:Infected With Atleast Smitfraud-c.coreservice

Hi Deleng,

Yes it can be difficult to remove, we will use a special tool to do the job.

Temporarily disable Spybot's TeaTimer. This is a two step process.

First:
Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
Choose Exit Spybot S&D Resident

Second:
Open Spybot S&D
Click Mode, check Advanced Mode
Go To Left Panel, Click Tools, then also in left panel, click Resident
If your firewall raises a question, say OK
Uncheck the box labeled Resident TeaTimer and OK any prompts.
Use File, Exit to terminate Spybot.
Reboot your machine for the changes to take effect.

Then download ComboFix to your desktop
Double click combofix.exe and follow the prompts
Note: Do not click ComboFix's window while it's running - it may cause it to stall!
If after ComboFix finishes you do not have internet access, then reboot your computer to restore it
When finished, it shall produce a log for you, please post it in your next response

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your Desktop and include a copy in your next response.
Now press Back and Scan and then Save log to create and save a new HijackThis log.

Once complete, please post the ComboFix report, the uninstall list and a new HijackThis log.


I am constantly getting popups in IE by cpvfeed.com. I ran bot search using Spybot S&D. and found "Smitfraud-C.CoreService". I was unable to remove this from my system. I went on to use Ad-Aware, Activescan, Bitdefender, and then McAfee Stinger. I rechecked with Spybot S&D and continue to have the same problem. Any help would be greatly appreciated! Below is my hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:29 AM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\Common\Update\1.0.49.0\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\...

A:My Computer Is Infected With Smitfraud-c.coreservice

You're infected with this infection:
http://www.sophos.com/virusinfo/analyses/w32rbotgcv.html

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.


I have searched numerous places and found what appear to be fixes for smitfraud-C.CoreService but I am not very tech savvy and the pages might as well be written in Latin!

I'm smart and should do well if walked through step by step, but looking at everything all at once is enough to make my brain explode.

I have a Dell Dimension E310 (don't ask, I hate it too.)

Windows XP Home Edition

Spybot S&D, Windows Live OneCare & Windows Defender (both good-for-nothing, so far)

Spybot keeps finding Smitfraud and Virtumonde and can't delete either of them. I think I'll be able to fix the virtumonde but the smitfraud is here to stay unless someone can help me. Also maybe suggest another program to run with my spybot for some added protection?

the pop ups are opening in IE 7.0 although I run Firefox 2 as my browser. One recurring one is a blank page and a windows notification that says "windows cannot find filename 'null' please revise your search" or something along those lines... will post the exact next time it comes up.

Help?!
 

A:Smitfraud-C.CoreService

* Click here to download HJTsetup.exe.
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 


Can someone please walk me through the steps of removing the Smitfraud-C.CoreService from my computer. According to Spybot the location of the spyware is the following:

Data: C:\\WINDOWS\system32\drivers\core.cache.dsk
System file: C:\\WINDOWS\system32\drivers\core\sys
Settings: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\core
Settings: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:00:37 PM, on 6/26/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Fazal Khan\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaptest.com/myhome.jhtml;jsessi.....

A:Smitfraud-c.coreservice! Please Help Me!

Welcome to the BleepingComputer HijackThis Logs and Analysis forum FAZAL.

Before we can provide you with any further assistance, you first need to go here and install Service Pack 1: http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

This will patch numerous security vulnerabilities in Internet Explorer and the Windows operating system. As your machine stands right now it's extremely vulnerable to infection. You need to get these updates installed first before we can proceed or we'll both be wasting our time.

Note: Do not install Service pack 2. If you install SP 2 on an infected machine it will cause serious problems within the operating system.

When you've finished the above, post a new HijackThis log in your next reply.


This is maddening. Please help me. I'm not a cpu genius. I've followed the instructions as far as running a wide assortment of anti spyware software and other software. Spybot keeps finding me this crap about Smitfraud, etc. 4 errors, I think. Then pop up after pop up initiated by Spybot keeps coming up asking me for random permissions and then to restart. Upon restart spybot runs again only to reinform me that it can't delete or fix my problems (as it also said previously). I go on to my desktop and dialogue boxes pop up and disappear and a whole other mess ensues. I'm going to throw this cpu at the wall over and over to fix this. Here's a Hijack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:59 PM, on 2/24/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...TB&M=MT6451
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:...

A:Smitfraud-c.coreservice

Hi and welcome,

Sorry for delay and I hope you didn't toss your computer upside the wall yet.

If you still need help please post a fresh HijackThis log here and let me know if spybot is still detecting same issue(s).

Thanks


Hi..

since last month i been trying to clear my new pc
avg-antispyware , doesnt recognize C:\Windows\System32\drivers\core.cache.dsk
spybot s&d..recognize, doesnt clean...
killbox, fixvundo...also...

i dont know what to do.

thanks
Eduardo
hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:07 a.m., on 24/01/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\System32\mstsc.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\W...

UGHHH!! I have a fairly new system and I have inadvertently gotten a virus or two with something that I have downloaded. All of a sudden I had trouble with winsock (found this out when I couldn't connect to anything via IE or FF) and the system would have to reboot. Sometimes that will work, other times would have to reboot again. I am getting new browser windows opening up that are taking me to random sites. Even if I use FF, IE will still open up as well when I go to a site. I have followed the guide here and done various scans as requested before posting here.

smitfraud-c.coreservice showed up with spybot in C:\WINDOWS\system32\drivers\core.cache.dsk

I would really appreciate if someone can help me. Really am stressing here. No matter how many times I scan with spybot, smitfraud-c.coreservice keeps showing up even though I repair/delete and it says done. Still getting numerous IE opening up taking me here, there, everywhere.

HiJackThis log follows.....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:14 AM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\L...

A:Smitfraud-c.coreservice

Hello aussiewench,

We will run ComboFix. You need to disable your AVG Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus: Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.

When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

I see you are running Teatimer. Please disable it because it can interfere with the changes you'll make on your system. If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

Post the ComboFix log.


Help,

Getting ad pop up windows. Followed all the instructions in "Preparation Guide for use before posting a HijackThis Log" and ran all the virus/spyware removal tools that were listed. Not sure what type of adware I have, but each time I run spybot search and destroy it comes up with "Smitfraud-C.CoreService". Below is the Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:09 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:...

A:Smitfraud-c.coreservice?

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed. Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply with a fresh HijackThis log.


Hi,

I have some problems with my laptop.
I'm running WINXP. Computer is running very slow. A lot of pop ups appear when connected to the internet. And since a few days, I can not run WIN in normal mode but only in safe mode, because in normal mode I get a BSOD : driver_irql_not_less_or_equal immediately after starting up.

I have run :
* virus scan with avast
* scan with Spybot

Some malware and viruses were detected, but the programs could solve everything ... except the SmitFraud-C.CoreService. Spybot kept saying that it could not be removed.
It's mentioned on your forum not to do anything yourself. I read this too late. So after searching the internet for a solution, I ran the programs Smitfraudfix.exe and Combofix.exe.
Now Spybot doesn't find any malware or viruses. I don't know if my problem is solved because I keep getting the BSOD on startup. I don't even know if the BSOD has something to do with malware or viruses. I didn't install new hardware since at least 6 months. A few games were installed lately.

I hope I didn't ruin the system by 'doing it myself'.

Anyway, I include here the HJT log. I tried to use DSS, but it gave me an error report which I could send to Microsoft.
I noticed that the log mentions a normal boot mode. On my screen it says although safe mode.

Can anybody help me please ?
Thanks.


----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:12, on 2007-08-15
Platform: Windows XP...

A:help with Smitfraud-C.CoreService (?)

Me again,

I tried DSS again and now it worked.
Please find the files hereunder and in attachment.




Deckard's System Scanner v20070809.63
Run by Toshiba on 2007-08-15 at 15:40:57
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
20: 2007-08-14 09:27:22 UTC - RP63 - Verwijderd: HP Software Update
19: 2007-08-14 09:24:38 UTC - RP62 - Verwijderd Touch and Launch
18: 2007-08-14 09:23:45 UTC - RP61 - Verwijderd TOSHIBA-handleidingen
17: 2007-08-14 09:22:04 UTC - RP60 - Verwijderd TOSHIBA Controls
16: 2007-08-14 09:21:41 UTC - RP59 - Verwijderd ConfigFree


-- First Restore Point --
1: 2007-05-16 12:55:55 UTC - RP44 - Controlepunt van systeem


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 192 MiB (512 MiB recommended).


-- HijackThis (run as Toshiba.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:05, on 2007-08-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Syste...

Hy
i have a big problem with smitfraud.... spybot found it but it isn´t able to remove!!
help me!

but remember, i don´t speak english well ^^

thx
 

A:Smitfraud-C.CoreService


Smitfraud-C.CoreService: [SBI $9C656B9A] Data (File, fixed)
C:\Windows\System32\drivers\core.cache.dsk
please help me remove thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:15 PM, on 2/8/2008
Platform: Windows Vista SP1, v.668 (WinNT 6.00.1905)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Minefield\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D...

A:Smitfraud-c.coreservice

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and I'll be helping you to fix your problems.

Apologies for the late response, as I'm sure you can appreciate we are extremely busy. If you've already received help at another forum and your issues have been resolved, or you're presently receiving help elsewhere then please let us know.

If you still require help, please post a new HijackThis log into this topic in your next reply. Also post a detailed description of the issues you're experiencing.

*Note* Post all reports/logs directly into this topic, not as attachments, thanks.


Yeah, can't seem to get rid of this. I'm new to this forum too, so you might have to tell me what to do step by step! I found this with Spybot Search and Destroy.
 

A:Smitfraud-C.CoreService


Machine Windows 2000 (in the 'boys' room), used for surfing and internet gaming.
After complaints of 'need new computer because this one is too slow' I investigated.
1) A remote scan using Norton AV 2007 removed 64 worms, viruses, trojans.
2) Local scan using Avast v4.7 picked up several more on repeated scans.
3) Spybot-S&D removed numerous issues. Sticky issues were 'webcast' and 'smitfraud'. Some were resolved on a boot level scan/repair. Failed to resolve the smitfraud-c.coreservice hijacking of the microsoft IE browser.
4) the combofix.exe recommended on this site ran and fixed the smitfraud issues. See below for its log.txt file
5) rerunning spybot and avast to double check, but browser is back running okay.
Thanks...
 

A:smitfraud-c.coreservice

Hi, Welcome to TSG!!
Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 


i seem to have picked up the spyware smitfraud-c.coreservice. i've checked out other threads and it seems that removing it is a little different in each case so i thought i'd post my HijackThis log and hopefully you guys could help me out in getting rid of this nasty thing. i've noticed that removing the "file missing" and "no file" is similar in some cases, but some expert help wouldn't hurt. thanks a lot.

Logfile of HijackThis v1.99.1
Scan saved at 2:07:04 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe...

A:smitfraud-c.coreservice


It might also be left overs from a Win32 Virus. Any help you could give would be great.

Deckard's System Scanner v20071014.68
Run by Cuz on 2008-07-23 23:24:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).

-- HijackThis (run as Cuz.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:24:46, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\I...

A:Smitfraud-c.coreservice = So Many Pop Ups

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NEXT

Please visit below webpage for instructions for downloading and running ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.

Regards
fenzodahl512


I have tried to get as far as I could on my own.
ComboFix 07-06-11.3 - C:\Documents and Settings\Dad\Desktop\ComboFix.exe
"Dad" - 2007-06-11 15:35:52 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\teiujdrg.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Dad\APPLIC~1.\curity~1
C:\Program Files\asembl~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Messenger\profsy.html
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T4
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent
((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))
2007-06-11 15:35 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-11 15:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-11 14:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-06-08 16:28 15,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbhr.sys
2007-06-08...

A:SMitfraud-c.coreservice

Hi, Welcome to TSG!!

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Download and scan with SUPERAntiSpyware Free for Home Users
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, unde...

Hi there,

I'm having a horrible time getting rid of this virus. I have run spybot search and destroy and it is not able to get rid of it. I just constantly get pop-ups. I have read through the forums here and see a few others have gotten this virus, but I'm not sure if I should be following the instructions they were given.

I would be very grateful for any help. Thank you!

Tiffany
 

A:Smitfraud-C.CoreService Please help!


I would appreciate assistance with the following problem: Spybot repeatedly detects Smitfraud-C.coreservice (c:\windows\system32\drivers\core.cache.dsk). I have taken the steps referenced in the "Preparation Guide for use before posting a HijackThis Log." I also ran SmitFraudFix v2.274. Here is the HijackThis log. Thanks in advance.

Spied

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:57 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32 ...

A:Smitfraud-c.coreservice

Hi Spied,

Please download ComboFix to your desktop
Double click combofix.exe and follow the prompts
Note: Do not click ComboFix's window while it's running - it may cause it to stall!
If after ComboFix finishes you do not have internet access, then reboot your computer to restore it
When finished, it shall produce a log for you, please post it in your next response

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your Desktop and include a copy in your next response.
Now press Back and Scan and then Save log to create and save a new HijackThis log.

Once complete, please post the ComboFix report, the uninstall list and a new HijackThis log.


My spybot picked this item up and could not repair. Appears to be in the system deep.

Noticed another post where it was indicated that a hijack this log be posted - so here it is, thanks in advance to anyone who helps.

Logfile of HijackThis v1.99.1
Scan saved at 6:24:18 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\wspan\swgw\FilterAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\DllHost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C...

A:SMITFRAUD c.coreservice

Hi, Welcome to TSG!!
Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
 


Hey guys, i noticed i was getting lots of random pop-ups so i ran Spybot - S&D. it came up with smitfraud-c.coreservice which it couldn't remove.

This is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:35:50, on 02/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Teleca Share...

This trojan is making windows pop up when I am browsing the internet. Most of the windows contain information of registry defender, stating that my computer is infected.

I don't know how to manually remove it as spybot is stating in its description of it so I'm coming here. HJT log/DSS below

Smitfraud-C.CoreService
(SBI $9C656B9A) Data
C:\WINDOWS\system32\drivers\core.cache.dsk

Product: Smitfraud-C.CoreService
Threat: Trojan

This trojan horse gets installed as a driver and constantly runs in background and connects to malicious servers without any user consent. Removal may require to manually close the file handles of the core.cahce.dsk and core.sys residing in the folder \windows\system32\drivers\.

DirectTrack
Tracking Cookie (Iexplorer: Administrator)

DoubleClick
Tracking Cookie (Iexplorer: Administrator)

Right Media
Tracking Cookie (Iexplorer: Administrator)

Zedo
Tracking Cookie (Iexplorer: Administrator)

Attained from Spybot S&D


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:10 AM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Device...

A:Smitfraud-C.CoreService

Hello and Welcome.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

If you're not receiving help elsewhere, and still require assistance for this issue, and since it has been a few days since you first posted, please do this:

Please run Deckard's System Scanner once again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Click on "Check All"

Click Scan!

When finished, it shall produce two logs for you. Post those logs in your next reply.

---------------------------------------------------------------------------------------------

Thank you.


We've been having to do some serious purging on my PC, and it seems the only thing left is "Smitfraud-C Coreservice." Spybot S&D keeps saying it can't delete it, and I have no idea what to do. Pop up ads keep breaching my anti-pop up software, and I often get redirected to unrelated sites when searching google. Every time we do a scan, more adware has appeared on my computer, and while I may have little knowledge of computers, I just know that this Smitfraud thing is behind it.

If it's any help, I'm using Spybot S&D ver. 1.4.
 

A:Smitfraud-C Coreservice help, please


Terrible popups. I include my logfile. Will be glad to work with anyone.

Logfile of HijackThis v1.99.1
Scan saved at 06:49:45, on 11/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ppcbooster\ppcb_32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IE... Read more

A:Smitfraud-C.CoreService

Hi Welcome to TSG!!
Download SDFix and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool ... Read more

Read other 1 answers

When my Win XP starts, sometimes an Explorer pop-up opens, or when I'm navigating on the web. Spybot couldn't remove this smitfraud. I'm using WinXP,
and in Spybot the smitfraud-c.coreservice is pointed to the following lines:

C:\WINDOWS\system32\drivers\core.cache.dsk

Anyone can help me?
and my log is...
 

A:Help wth smitfraud-c.coreService

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 4/3/2006 15:47:30 262144 C:\Arquivos de programas\unst0_0.exe ()

Checking %WinDir% folder...
UPX! 22/8/2004 17:04:56 69120 C:\WINDOWS\daemon.dll ()

Checking %System% folder...
UPX! 8/2/2007 13:49:44 668672 C:\WINDOWS\SYSTEM32\AdjMmsEng.dll (MultiMedia Soft)
WSUD 14/5/2004 07:26:34 14268928 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL (Realtek Semiconductor Corp.)
aspack 18/3/2005 17:19:58 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll (Microsoft Corporation)
aspack 26/5/2005 16:34:52 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll (Microsoft Corporation)
aspack 22/7/2005 19:59:04 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll (Microsoft Corporation)
aspack 5/12/2005 18:09:18 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll (Microsoft Corporation)
aspack 3/2/2006 08:43:16 2332368 C:\WINDOWS\SYSTEM32\d3dx9_29.dll (Microsoft Corporation)
aspack 31/3/2006 12:40:58 2388176 C:\WINDOWS\SYSTEM32\d3dx9_30.dll (Microsoft Corporation)
aspack 28/9/2006 16:05:20 2414360 C:\WINDOWS\SYSTEM32\d3dx9_31.dll (Microsoft Corporation)
aspack 29/11/2006 13:06:18 3426072 C:\WINDOWS\SYSTEM32\d3dx9_32.dll (Microsoft Corporation)
PEC2 28/10/2001 17:06:18 41128 C:\WINDOWS\SYSTEM32\dfrg.msc ()
PEC2 14/7/2003 19:57:20 31744 C:\WINDOWS\SYSTEM32\flt1chk2.dll ()
UPX! 4/8/2004 01:45:46 848384 C:\WINDOWS\SYSTEM32\ir41_32.ax (Intel Corporation)
UPX! 5/11/2005 21:... Read more

Read other 3 answers

Started getting IE popups in Firefox so I scanned with Spybot S&D and found I had this spyware SmitFraud-C.CoreService. Here is the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:44 PM, on 9/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
C:\Program Files\PC Tools Internet Security\pctsSvc.exe
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\Documents and Settings\All Users\Application Data\Zwangi\zwangi110.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zwangi\zwangi.exe
... Read more

A:SmitFraud-C.CoreService

Bump...still need help
 

Read other 1 answers

I need some help getting rid of SmitFraud-C.CoreService on Windows Vista Ultimate. I know the fact that it even got on my vista system is rather sad but the fact of the matter is it got there.
Code:
Smitfraud-C.CoreService: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

Smitfraud-C.CoreService: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\core

Smitfraud-C.CoreService: Data (File, nothing done)
C:\Windows\System32\drivers\core.cache.dsk

Smitfraud-C.CoreService: System file (File, nothing done)
C:\Windows\System32\drivers\core.sys
Here is my HiJackThis Log
Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:20:07 PM, on 7/8/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\syste... Read more

A:SmitFraud-C.CoreService

I fixed the problem myself sorry for the trouble.

For vista it seems that you can just boot into safe mode and use spybot S&D to remove it. I have read many times that even in safe mode it wouldn't remove it. But it did for me.
 

Read other 1 answers

Hey, I'm new to the forums and I've been getting tons of pop ups on Internet Explorer while I use Opera. I ran Spybot Search and Destroy and this could not be removed. Can someone please help me!

here is a log I got of hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:14 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Owner\My Documents\Programs\HiJackThis.exe

O2 - BHO: (no name) - {0D498F79-F... Read more

A:SmitFraud-C.CoreService

can anyone help me?
 

Read other 1 answers

Hi, I've had an infection of Smitfraud which I have successfully removed, but I also have this coreservice thing which is being picked up by SpyBot S&D and I can't figure out how to remove it - it wasn't removed along with the regular smitfraud. Here is a HijackThis log if anyone can help me - thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 11:06:02 AM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Common Files\R... Read more

A:Smitfraud-c. coreservice

Also meant to add that targetsaver is being flagged by spybot. It claims to have removed it but each time I run it, it flags it again. I don't know if the two issues are related. I also have something which is preventing me from opening task manager. Any ideas would be gratefully appreciated!
 

Read other 2 answers

Hi everyone, I need your help!

I have a genuine copy of NOD32 2.7, but it doesn't detect any virus...

So my friends recommended that I download Spybot.
Spybot reported 2 "viruses", and one of them always remains undeleted.

Spybot calls it:
//
Product: Smitfraud-C.CoreService
Threat: Trojan
Functionality
Supposed to be some kind of driver

Description
This trojan horse gets installed as a driver and constantly runs in background and connects to malicious servers without any user consent. Removal may require to manually close the file handles of the core.cahce.dsk and core.sys residing in the folder \windows\system32\drivers\. To receive help on this please contact Team Spybot S&D via forums or email.
//

How do I remove it?

What other information do you need in order to help me?

I have also downloaded "hijackthis", so I can send you the log if needed...

Thanks in advance, I'm eagerly awaiting a reply...

P.S. I'm not very familiar with computer jargon, so I would ask that the steps I need to take be explained to me as if to a small child.
 

Read other answers

Hi,
I detected Smitfraud-C.CoreService among other malware with Spybot. Spybot helped me remove all but Smitfraud. I have tried using smitfraudfix, but have been unsuccessful. I have run it several times in safemode. After I have run smitfraudfix in safemode I have run Spybot in safemode and Spybot does not detect anything; however, upon rebooting to normal Windows, core.cahce.dsk has been regenerated in C:\windows\system32\drivers\. This version of smitfraud is causing Internet Explorer windows to pop up when I am on the net with Firefox. I believe that I got this because my girlfriend was trying to download stuff off of limewire. I have since uninstalled limewire, and tried rerunning smitfraudfix and Spybot since. Thanks in advance for your help and here is a copy of my HJT log.
-GMFH-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:09:11, on 11/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\U... Read more

A:I need help with Smitfraud-C.CoreService

Read other 9 answers

Hello,
Thank you for visiting my post. I keep having problems like popups on my computer and Spybot says I have Smitfraud-C.CoreService, but when it deletes it, it's still there. I read somewhere that that's because it recreates itself if it's deleted. Here's my log of hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 10:01:56 PM, on 12/12/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Windows\sttray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Users\JCS\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsof... Read more

Read other answers

I'm getting random popups. When I run Spybot in safemode it detects no problems, but when I run in normal mode the only thing it couldn't fix was Smitfraud-C.CoreService C:\WINDOWS\system32\drivers\core.cache.dsk. I ran VundoFix and it no longer has any files to remove, but I'm still getting popups. I used SDfix in safemode, still didn't fix it. Also used SmitFraudfix (normal mode), still didn't fix it. Not sure what to do. I tried manually deleting "core.cache" in the "C:\WINDOWS\system32\drivers" but it says "Cannot delete core.cache: It is being used by another person or program. Close any programs that might be using the file and try again."

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:20 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files&... Read more

A:Smitfraud-c.coreservice

Welcome to the BleepingComputer HijackThis Logs and Analysis forum KKelvin

My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed, which is somewhat suicidal.

Please download/install Avira AntiVir Personal Edition Classic [Free]: http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your pc when you've done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed. Click the "Report File" button, then copy and paste the report into your next reply.

If you have previously downloaded ComboFix, please delete that version now.

Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix by sUBs and save to your desktop:
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Note
In case your Antivirus... Read more

Read other 53 answers

I have tried many things to get rid of this virus. I have run spybot and it will remove everything but this...it just won't go away.

I have tried deleting the windows/system32/drivers/core.cache....but to no avail.

Can someone please help me ... all these pop up windows keep coming up!

Thank you!

Read other answers

I have run adaware2007 and Spybot S&D and both can get rid of everything but Smitfraud-C.CoreService

any help would be appreciated thanks.
 

A:Solved: Smitfraud-C.CoreService help please

Read other 6 answers

Hi, I've been having the same problem as many others with the subject file name. Can anyone please help me out with removing this?

I'm using Vista Basic on my PC and have the following AV/Spyware programs, F-Secure(Beta), Spybot, Killbox, Popgun.

Below is a recent HJT scan result:

Logfile of HijackThis v1.99.1
Scan saved at 18:03:16, on 30/05/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\PopGun\PopGunFull122.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Softwa... Read more

A:Remove Smitfraud-C. Coreservice

Can anyone help me with this please?
 

Read other 1 answers

I scanned my computer with the latest version of Spybot Search&Destroy and it said that I had been infected with the Smitfraud-C.CoreService trojan. I've been unsuccessful in trying to delete this trojan and I really need some help with this, and I appreciate the hard work you guys are doing. Below is the HiJackthis log. Thanks again in advance

Computer info: MS Windows XP SP2 Intel Celeron CPU 2.70GHz, 247MB RAM, Intel 82845G/GL/GE/PE/GV Graphics controller
--------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:54 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging... Read more

Read other answers

I have tried combofix, vundofix, smitfraudfix and sdfix but Spybot keeps finding Smitfraud-C.CoreService and is unable to delete it. Thank you for your help.

Logfile of HijackThis v1.99.1
Scan saved at 12:15:27 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Memeo\AutoBackup\MemeoService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files\Raxco\PerfectDisk\PDAgent.exe
F:\WINDOWS\System32\HPZipm12.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
F:\Program Files\ATI... Read more

A:Help needed Smitfraud-C.CoreService

Read other 9 answers