Smitfraud-c.coreservice / TR/Rootkit.Gen [trojan]


  • This topic is locked
2 replies to this topic

#1 deadwomble

deadwomble

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:15 AM

Posted 17 April 2010 - 12:39 PM

Hi - this is my first post (except my introduction), hope you're having a good morning/afternoon/evening... I've read the preparation guide, so hopefully there's enough information here, but if I need any more just let me know...

Tried Avira, Spybot SD and was going to use smitfraudfix but thought otherwise when I was reading what may go wrong... a lack of confidence in my computing ability also... so here I am..

Spybot SD finds smitfraud-c.coreservice, but then cannot remove it; Avira finds the TR/Rootkit.Gen but cannot remove it! Here is the info:

DDS (Ver_10-03-17.01) - FAT32x86
Run by WombleInc at 15:01:25.23 on 17/04/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.239.55 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINXP2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINXP2\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINXP2\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINXP2\System32\svchost.exe -k imgsvc
C:\WINXP2\system32\dllhost.exe
C:\WINXP2\System32\dllhost.exe
C:\WINXP2\Explorer.EXE
C:\WINXP2\System32\00THotkey.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINXP2\system32\igfxtray.exe
C:\WINXP2\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINXP2\System32\svchost.exe -k HTTPFilter
C:\Program Files\Tirminal\Tirminal_Service_Process.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINXP2\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINXP2\system32\wuauclt.exe
C:\Documents and Settings\WombleInc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 172.16.228.236:80
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\winxp2\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [00THotkey] c:\winxp2\system32\00THotkey.exe
mRun: [PmProxy] c:\program files\analog devices\soundmax\PmProxy.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IgfxTray] c:\winxp2\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\winxp2\system32\hkcmd.exe
dRun: [CTFMON.EXE] c:\winxp2\system32\CTFMON.EXE
StartupFolder: c:\docume~1\womble~1\startm~1\programs\startup\tirminal.lnk - c:\program files\tirminal\Tirminal_Service_Process.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\winxp2\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winxp2\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\womble~1\applic~1\mozilla\firefox\profiles\7hzfjap8.default\
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-04-17 02:12:56 932 ----a-w- c:\winxp2\system32\drivers\core.cache.dsk
2010-04-17 01:57:42 1196000 ------w- c:\winxp2\system32\dllcache\sysmain.sdb
2010-04-17 01:57:37 470528 ------w- c:\winxp2\system32\dllcache\aclayers.dll
2010-04-17 01:47:24 153088 ------w- c:\winxp2\system32\dllcache\triedit.dll
2010-04-17 01:09:24 655872 ------w- c:\winxp2\system32\dllcache\mstscax.dll
2010-04-16 19:14:18 0 d-----w- C:\Program Downloads
2010-04-16 18:05:09 0 d-----w- C:\Martin
2010-04-16 18:04:47 0 d-----w- C:\Ed Folder
2010-04-16 18:00:37 0 d-----w- C:\Games
2010-04-15 12:52:52 4 ----a-w- c:\winxp2\6816Error.dat
2010-04-15 12:52:52 30720 ----a-w- c:\winxp2\6816White12.dat
2010-04-15 12:52:48 30720 ----a-w- c:\winxp2\6816Dark12.dat
2010-04-15 12:52:44 6 ----a-w- c:\winxp2\6816Exposure.dat
2010-04-15 12:52:44 3 ----a-w- c:\winxp2\6816Offset.dat
2010-04-15 12:52:44 3 ----a-w- c:\winxp2\6816Gain.dat
2010-04-15 12:52:28 414 ----a-w- c:\winxp2\Ausba4.ini
2010-04-15 12:41:15 87040 ----a-w- c:\winxp2\system32\wiafbdrv.dll
2010-04-15 12:41:15 87040 ----a-w- c:\winxp2\system32\dllcache\wiafbdrv.dll
2010-04-15 12:41:15 15104 ----a-w- c:\winxp2\system32\drivers\usbscan.sys
2010-04-15 12:41:15 15104 ----a-w- c:\winxp2\system32\dllcache\usbscan.sys
2010-04-15 12:38:07 8192 ------w- c:\winxp2\system32\drivers\Artec48.usb
2010-04-15 12:38:07 45056 ----a-w- c:\winxp2\GetKey.dll
2010-04-15 12:38:06 7168 ----a-w- c:\winxp2\system32\48UMicro.dll
2010-04-15 12:38:06 167936 ----a-w- c:\winxp2\A4.dll
2010-04-13 19:03:58 0 d-----w- c:\winxp2\system32\LogFiles
2010-04-13 02:23:15 155648 ----a-w- c:\winxp2\system32\igfxres.dll
2010-04-13 01:21:57 0 d-----w- c:\program files\Realtek WLAN Driver
2010-04-13 00:19:44 8704 ----a-w- c:\winxp2\system32\wdags48b.dll
2010-04-13 00:19:44 69632 ----a-w- c:\winxp2\system32\wcags48b.exe
2010-04-13 00:19:44 159744 ----a-w- c:\winxp2\system32\waags48b.dll
2010-04-13 00:19:44 156672 ----a-w- c:\winxp2\system32\drivers\wlags48b.sys
2010-04-10 21:17:54 0 d-----w- c:\winxp2\system32\URTTEMP
2010-04-10 20:33:46 0 d-----w- c:\winxp2\Tirminal
2010-04-10 20:33:38 0 d-----w- c:\program files\Tirminal
2010-04-10 20:33:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Tirminal
2010-04-10 20:32:15 0 d-----w- c:\temp\Tirminal Free Client
2010-04-07 20:00:55 0 d-----w- c:\docume~1\womble~1\applic~1\Avira
2010-04-06 11:58:01 664 ----a-w- c:\winxp2\system32\d3d9caps.dat
2010-04-06 11:02:25 60936 ----a-w- c:\winxp2\system32\drivers\avgntflt.sys
2010-04-06 11:01:58 0 d-----w- c:\program files\Avira
2010-04-06 11:01:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-04-06 10:31:42 12160 ----a-w- c:\winxp2\system32\drivers\mouhid.sys
2010-04-06 10:31:42 12160 ----a-w- c:\winxp2\system32\dllcache\mouhid.sys
2010-04-06 10:31:19 9600 ----a-w- c:\winxp2\system32\drivers\hidusb.sys
2010-04-06 10:31:19 9600 ----a-w- c:\winxp2\system32\dllcache\hidusb.sys
2010-04-06 09:48:40 0 d-sh--w- C:\FOUND.007
2010-03-31 18:43:53 53248 ----a-w- c:\winxp2\system32\Prounstl.exe
2010-03-31 18:43:53 5110 ----a-w- c:\winxp2\system32\e100b325.din
2010-03-31 18:43:53 23040 ----a-w- c:\winxp2\system32\IntelNic.dll
2010-03-31 18:43:53 16384 ----a-w- c:\winxp2\system32\e100bmsg.dll
2010-03-31 18:43:53 140800 ----a-w- c:\winxp2\system32\drivers\e100b325.sys
2010-03-31 18:43:53 140800 ----a-w- c:\winxp2\system32\dllcache\e100b325.sys
2010-03-31 18:43:52 0 d-----w- C:\Drivers
2010-03-31 18:29:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Atheros
2010-03-31 18:27:08 0 d-----w- c:\docume~1\womble~1\applic~1\WinBatch
2010-03-31 17:51:17 0 d-----w- c:\program files\eMule
2010-03-31 17:37:42 0 d-sh--w- C:\FOUND.006
2010-03-23 10:28:42 0 d-sh--w- C:\FOUND.005

==================== Find3M ====================

2005-03-12 08:40:32 4004352 ----a-w- c:\program files\Filerecovery.exe
2005-03-10 10:06:50 1394366 ----a-w- c:\program files\help.chm
2005-03-10 07:50:54 159406 ----a-w- c:\program files\Filerecovery.ico
2005-02-24 22:55:30 130556 ----a-w- c:\program files\PCIFR4_1000.dat
2005-02-24 22:55:24 130556 ----a-w- c:\program files\PCIFR4_7000.dat
2005-02-24 22:55:18 130556 ----a-w- c:\program files\PCIFR4_5000.dat
2005-02-24 22:55:14 130556 ----a-w- c:\program files\PCIFR4_13000.dat
2005-02-24 22:55:08 130556 ----a-w- c:\program files\PCIFR4_3000.dat

============= FINISH: 15:03:43.86 ===============



Thanks for reading, look forward to your reply


#2 deadwomble

deadwomble
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:15 AM

Posted 22 April 2010 - 08:23 AM

Hi all - I managed to fix it by using the method below - I plucked up courage to use smitfraudfix but unfortunately I didn't get it to remove the smitfraud trojan. So after searching round, I followed the advice below. I noticed that quite a few people had read the original post and downloaded the attachments, so in case they are interested, and have any advice/worries on the method for me or anyone else, they would be welcomed. I have checked with AntiVir and Spybot S&D and both report a clean system.

"Hi All

I seem to have successfully removed smitfraud-c.coreservice using the following procedure:

Reboot the computer in safe mode using the F8 key as it boots.

Go to the directory c:\windows\system32\drivers

Drag core.cache.dsk and core.sys onto the desktop and reboot.

Use the latest updated version of Spybot - Search & Destroy to remove the two registry entries for smitfraud-C.CoreService

If there is collateral damage from this procedure, I have not seen it yet but would appreciate any comments if anyone sees any problem with the approach.

Regards
Jim Carolan
jim.carolan@beam-reach.net
"


Link to the original post here on computingnetwork:

http://www.computing.net/answers/security/...vice/21181.html

Hope this information helps anyone looking for a solution

deadwomble
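As an added example (not code from the thread or from any of its participants), the following Python helper parses "Created Last 30" style lines from a DDS log in the format posted above and flags entries worth a second look: file names matching the Smitfraud-C.CoreService indicators named in this thread (core.cache.dsk, core.sys), and any non-.sys file created under system32\drivers. The sample lines are copied from the log above; the flagging rules are my own triage heuristics, not part of DDS or Spybot.

```python
import re
from dataclasses import dataclass

# One DDS file entry: "<date> <time> <size> <attributes> <path>"
# e.g. "2010-04-17 02:12:56 932 ----a-w- c:\winxp2\system32\drivers\core.cache.dsk"
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-dasrhw]{8}) (?P<path>.+)$"
)

# File names this thread associates with Smitfraud-C.CoreService.
KNOWN_INDICATORS = {"core.cache.dsk", "core.sys"}

# Constructed sample input: four lines copied from the DDS log in the thread.
SAMPLE_LOG = r"""
2010-04-17 02:12:56 932 ----a-w- c:\winxp2\system32\drivers\core.cache.dsk
2010-04-15 12:41:15 15104 ----a-w- c:\winxp2\system32\drivers\usbscan.sys
2010-04-06 11:02:25 60936 ----a-w- c:\winxp2\system32\drivers\avgntflt.sys
2010-04-06 09:48:40 0 d-sh--w- C:\FOUND.007
"""


@dataclass
class Entry:
    date: str
    time: str
    size: int
    attrs: str   # DDS attribute string, e.g. "----a-w-" or "d-sh--w-"
    path: str


def parse_dds(text: str) -> list[Entry]:
    """Return every line that matches the DDS entry layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["date"], m["time"], int(m["size"]),
                                 m["attrs"], m["path"]))
    return entries


def flag_suspicious(entries: list[Entry]) -> list[tuple[str, list[str]]]:
    """Heuristic triage: (path, reasons) for each entry that trips a rule."""
    findings = []
    for e in entries:
        lower = e.path.lower()
        name = lower.rsplit("\\", 1)[-1]
        reasons = []
        if name in KNOWN_INDICATORS:
            reasons.append("name matches Smitfraud-C.CoreService indicator")
        # Legitimate driver files in this directory are .sys; anything else
        # (here a .dsk data file) deserves a manual check.
        if "\\system32\\drivers\\" in lower and not name.endswith(".sys"):
            reasons.append("non-.sys file created in drivers directory")
        if reasons:
            findings.append((e.path, reasons))
    return findings
```

Running `flag_suspicious(parse_dds(SAMPLE_LOG))` on the sample above reports only core.cache.dsk, on both rules; the two real driver files and the chkdsk FOUND.007 directory pass.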

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:15 AM

Posted 22 April 2010 - 07:50 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE