Computing.Net > Forums > Security and Virus > Smitfraud removal

Smitfraud removal


Original Message
Name: soyi3oy
Date: February 10, 2008 at 21:19:39 Pacific
Subject: Smitfraud removal
OS: Windows Vista Home Premium
CPU/Ram: AMD Athlon 64X2 Dual Core
Model/Manufacturer: HP m8200n
Comment:

Spybot S&D found Smitfraud - C.CoreService on my computer. I've followed the instructions of other sites but I still get popups and Spybot continues to find it even after I've removed it.

I've tried using SmitfraudFix in safe mode, but I still had problems after that as well. I'm not too sure what else to do. I've downloaded HijackThis and ran a scan, but I'm not sure which files to delete and which not. Any help is appreciated. Thanks.





Response Number 1
Name: jabuck
Date: February 11, 2008 at 03:16:56 Pacific
Subject: Smitfraud removal
Reply:

Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Post your HijackThis log.

Please download ComboFix to the desktop from one of the following links:

Link 1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, as it may cause your system to hang.)
Please post the log it produces.



Response Number 2
Name: soyi3oy
Date: February 11, 2008 at 13:54:09 Pacific
Subject: Smitfraud removal
Reply:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:06 PM, on 2/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA3988] command /c del "C:\Windows\System32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2888] cmd /c del "C:\Windows\System32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9791] command /c del "C:\Windows\System32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6358] cmd /c del "C:\Windows\System32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFE5E320-2567-4914-9095-529B2FA17B78}: NameServer = 68.105.28.12,68.105.29.12
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7813 bytes


----


ComboFix 08-02-12.1 - Zhong 2008-02-12 15:44:42.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2142 [GMT -6:00]
Running from: C:\Users\Zhong\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-10 23:04 . 2008-02-10 23:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 22:02 . 2008-02-10 22:26 <DIR> d-------- C:\Users\Zhong\SmitfraudFix
2008-02-10 22:02 . 2008-02-10 22:39 4,080 --a------ C:\Windows\System32\tmp.reg
2008-02-10 22:02 . 2008-02-10 23:05 165 --a------ C:\Windows\wininit.ini
2008-02-10 21:25 . 2008-02-10 21:25 691,545 --a------ C:\Windows\unins000.exe
2008-02-10 21:25 . 2008-02-10 21:25 3,442 --a------ C:\Windows\unins000.dat
2008-02-10 20:16 . 2008-02-10 20:16 <DIR> d-------- C:\Users\All Users\ALM
2008-02-10 20:16 . 2008-02-10 20:16 <DIR> d-------- C:\ProgramData\ALM
2008-02-10 19:11 . 2008-02-12 15:29 304,623,628 --a------ C:\Windows\MEMORY.DMP
2008-02-10 18:38 . 2008-02-10 18:38 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\Grisoft
2008-02-10 18:36 . 2007-05-30 06:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-02-10 18:29 . 2008-02-10 18:29 <DIR> d-------- C:\Users\All Users\Grisoft
2008-02-10 18:29 . 2008-02-10 18:29 <DIR> d-------- C:\ProgramData\Grisoft
2008-02-10 18:09 . 2008-02-10 18:09 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\AVG7
2008-02-10 18:08 . 2008-02-10 18:15 <DIR> d-------- C:\Users\All Users\avg7
2008-02-10 18:08 . 2008-02-10 18:15 <DIR> d-------- C:\ProgramData\avg7
2008-02-10 00:53 . 2008-02-10 00:53 <DIR> d-------- C:\Users\All Users\Real
2008-02-10 00:53 . 2008-02-10 00:53 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-06 17:07 . 2008-02-06 17:09 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\LimeWire
2008-02-06 17:07 . 2008-02-06 17:07 <DIR> d-------- C:\Program Files\LimeWire
2008-02-05 16:50 . 2008-02-05 16:50 130,346 --------- C:\Windows\hpoins13.dat.temp
2008-02-05 16:50 . 2007-01-22 10:05 811 --------- C:\Windows\hpomdl13.dat.temp
2008-02-04 15:05 . 2008-02-04 15:05 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-04 15:02 . 2008-02-04 15:02 <DIR> dr-h----- C:\MSOCache
2008-02-04 14:58 . 2008-02-04 14:59 <DIR> d-------- C:\Program Files\MagicDisc
2008-02-04 14:58 . 2007-09-05 01:46 92,544 --a------ C:\Windows\System32\drivers\mcdbus.sys
2008-02-04 14:55 . 2008-02-04 14:55 <DIR> d-------- C:\Program Files\MagicISO
2008-02-02 19:44 . 2008-02-02 19:44 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\Template
2008-02-02 19:44 . 2008-02-02 19:44 0 --a------ C:\Users\Zhong\AppData\Roaming\wklnhst.dat
2008-01-31 01:23 . 2007-01-03 19:20 1,732 --a------ C:\Windows\System32\drivers\nvphy.bin
2008-01-28 21:23 . 2008-01-28 21:23 1,099,839 --a------ C:\Windows\System32\TmpA6311940
2008-01-28 21:17 . 2008-01-28 21:18 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\Ableton
2008-01-28 21:17 . 2008-01-28 21:23 <DIR> d-------- C:\Program Files\Ableton
2008-01-28 21:15 . 2008-01-28 21:15 <DIR> d-------- C:\Program Files\DAMN NFO Viewer
2008-01-28 18:25 . 2008-02-10 21:22 <DIR> d-------- C:\Program Files\Bonjour
2008-01-28 18:16 . 2008-01-28 18:16 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-23 17:36 . 2008-01-23 17:37 <DIR> d-------- C:\Program Files\Zune
2008-01-17 11:41 . 2008-01-17 11:50 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\Dev-Cpp
2008-01-17 11:41 . 2008-01-17 11:41 <DIR> d-------- C:\Dev-Cpp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 06:48 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-11 04:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-11 02:27 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-11 02:27 --------- d-----w C:\Program Files\MSBuild
2008-02-07 16:55 --------- d-----w C:\Users\Zhong\AppData\Roaming\mIRC
2008-02-05 22:45 --------- d-----w C:\Users\Zhong\AppData\Roaming\Image Zone Express
2008-02-04 21:32 --------- d-----w C:\ProgramData\Lavasoft
2008-02-04 21:31 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-02-04 21:07 --------- d-----w C:\Program Files\Microsoft Works
2008-02-03 22:09 --------- d-----w C:\Users\Zhong\AppData\Roaming\.BitTornado
2008-01-29 00:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-14 00:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 23:54 245,664 ----a-w C:\Windows\System32\ZuneWlanCfgSvc.exe
2008-01-11 23:39 70,656 ----a-w C:\Windows\System32\ZuneIpTransport.dll
2008-01-11 23:39 62,464 ----a-w C:\Windows\System32\ZuneUsbTransport.dll
2008-01-11 23:39 35,840 ----a-w C:\Windows\System32\ZuneUsbCOnnection.dll
2008-01-11 23:39 145,408 ----a-w C:\Windows\System32\ZuneMTPZ.dll
2008-01-10 19:16 159,839 ----a-w C:\Windows\System32\xvidvfw.dll
2008-01-10 19:15 755,027 ----a-w C:\Windows\System32\xvidcore.dll
2008-01-10 15:28 --------- d-----w C:\Program Files\Windows Mail
2008-01-10 05:37 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-10 05:37 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-10 05:37 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-10 05:37 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-10 05:37 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-10 05:36 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-10 05:36 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-10 05:36 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-10 05:36 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-10 05:36 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-10 05:36 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-10 05:36 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-10 05:36 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-10 05:36 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-10 05:36 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-01-10 05:36 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-10 05:36 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-10 05:36 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-10 05:36 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-10 05:36 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-05 03:28 --------- d-----w C:\Program Files\Yoplo
2007-12-31 21:21 --------- d-----w C:\ProgramData\Nero
2007-12-31 21:18 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-12-31 19:58 --------- d-----w C:\ProgramData\Roxio
2007-12-31 18:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-31 17:35 88,576 ----a-w C:\Windows\System32\infocardapi.dll
2007-12-31 17:35 779,800 ----a-w C:\Windows\System32\PresentationNative_v0300.dll
2007-12-31 17:35 579,584 ----a-w C:\Windows\System32\icardagt.exe
2007-12-31 17:35 350,744 ----a-w C:\Windows\System32\PresentationHost.exe
2007-12-31 17:35 33,304 ----a-w C:\Windows\System32\PresentationHostProxy.dll
2007-12-31 17:35 11,776 ----a-w C:\Windows\System32\icardres.dll
2007-12-31 17:35 106,520 ----a-w C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2007-12-31 17:31 96,760 ----a-w C:\Windows\System32\dfshim.dll
2007-12-31 17:31 84,480 ----a-w C:\Windows\System32\mscories.dll
2007-12-31 17:31 41,984 ----a-w C:\Windows\System32\netfxperf.dll
2007-12-31 17:31 282,112 ----a-w C:\Windows\System32\mscoree.dll
2007-12-31 17:31 158,720 ----a-w C:\Windows\System32\mscorier.dll
2007-12-31 17:10 --------- d-----w C:\Program Files\Windows Media Components
2007-12-29 04:35 --------- d-----w C:\Users\Zhong\AppData\Roaming\DeepBurner
2007-12-29 04:25 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-29 04:24 --------- d-----w C:\Program Files\Astonsoft
2007-12-29 04:23 --------- d-----w C:\Program Files\CCleaner
2007-12-28 06:29 --------- d-----w C:\Users\Zhong\AppData\Roaming\SteelBytes
2007-12-27 00:18 --------- d-----w C:\Users\Zhong\AppData\Roaming\DataCast
2007-12-27 00:18 --------- d-----w C:\Program Files\Samsung
2007-12-27 00:18 --------- d-----w C:\Program Files\MarkAny
2007-12-25 23:16 --------- d-----w C:\ProgramData\Age of Empires 3
2007-12-25 23:15 --------- d-----w C:\Program Files\Common Files\Microsoft Games
2007-12-25 21:44 --------- d-----w C:\Program Files\Microsoft Games
2007-12-25 16:38 --------- d-----w C:\Program Files\Super_DVD_Creator_9.5
2007-12-25 16:25 715,248 ----a-w C:\Windows\system32\drivers\sptd.sys
2007-12-24 19:49 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2007-12-18 06:23 --------- d-----w C:\Program Files\Nero
2007-12-17 18:57 --------- d-----w C:\ProgramData\LightScribe
2007-12-17 18:44 --------- d-----w C:\Program Files\LightScribeTemplateLabeler
2007-12-17 18:33 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-12-17 17:37 47,360 ----a-w C:\Users\Zhong\AppData\Roaming\pcouffin.sys
2007-12-17 17:37 --------- d-----w C:\Users\Zhong\AppData\Roaming\Vso
2007-12-17 17:13 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2007-12-17 03:03 --------- d-----w C:\ProgramData\TEMP
2007-12-17 03:01 --------- d-----w C:\Users\Zhong\AppData\Roaming\Roxio
2007-12-14 23:19 40,960 ------w C:\Windows\System32\MAMACExtract.dll
2007-12-12 22:05 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 22:05 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 22:05 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 22:04 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 22:04 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 22:04 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 22:04 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 22:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 22:04 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 22:04 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 22:04 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-12 22:03 3,505,848 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 22:03 3,472,056 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-04 08:33 682,496 ----a-w C:\Windows\System32\divx.dll
2007-11-30 05:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2007-11-30 05:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2007-11-20 21:36 118,784 ----a-w C:\Windows\System32\MaDRM.dll
2007-11-18 00:13 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 23:36 1232896]
"Aim6"="" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 06:35 125440]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-12-05 12:30 2295072]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 06:36 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-03 00:02 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 09:01 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 10:16 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 05:59 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 05:06 4669440 C:\Windows\RtHDVCpl.exe]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 14:13 71176]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateReg"="C:\Windows\system32\jureg.exe" [2007-04-07 03:56 54936]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24 54840]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 20:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 20:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 20:15 81920]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 17:21 132624]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2008-01-11 17:54 166304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\Zhong\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-02-04 14:58:45 557568]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 20:40:10 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 10:44]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2007-06-11 03:49]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\Windows\system32\ZuneWlanCfgSvc.exe [2008-01-11 17:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53d89c52-8026-11dc-b3dd-001bb98def76}]
\shell\AutoRun\command - K:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 15:47:50
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-12 15:48:20
ComboFix-quarantined-files.txt 2008-02-12 21:48:19
ComboFix2.txt 2008-02-12 21:39:47
ComboFix3.txt 2008-02-12 21:33:02
.
2008-02-08 13:42:05 --- E O F ---



Response Number 3
Name: soyi3oy
Date: February 11, 2008 at 14:15:39 Pacific
Subject: Smitfraud removal
Reply:

Log of the quarantined files from ComboFix first run:

2007-04-07 03:56 132760 --a------ C:\Qoobox\Quarantine\C\Windows\System32\jusched.exe.vir
2007-12-17 11:37 87608 --a------ C:\Qoobox\Quarantine\C\Users\Zhong\AppData\Roaming\inst.exe.vir
2008-02-10 18:06 167545 --a------ C:\Qoobox\Quarantine\C\Windows\System32\drivers\core.cache.dsk.vir
2008-02-12 15:25 1016 --a------ C:\Qoobox\Quarantine\Registry_backups\services_tdpipee.reg.dat
2008-02-12 15:25 1088 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_TDPIPEE.reg.dat
2008-02-12 15:25 241701 --a------ C:\Qoobox\Quarantine\catchme2008-02-12_153000.09.zip
2008-02-12 15:25 423 --a------ C:\Qoobox\Quarantine\catchme.log
2008-02-12 15:25 86144 --a------ C:\Qoobox\Quarantine\C\Windows\System32\drivers\tdpipee.sys.vir
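
As an added example (not code from this thread, from Computing.Net, or from the authors of HijackThis or ComboFix): a Python script that reads HijackThis-format entry lines like the log in Response 2, flags the entry types a helper looks at first, and then checks the ComboFix quarantine list above to see whether the file the Spybot RunOnce entries kept trying to delete was finally taken out. The flagging rules are my own first-look heuristics, not a verdict on any entry; the sample lines are copied from the logs posted in this thread.

```python
# Triage helpers for a HijackThis log and a ComboFix quarantine listing.
# Added example for this thread; the rules are heuristics chosen here.
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    code: str    # HijackThis section code, e.g. "O23"
    reason: str  # why the line deserves a second look
    line: str    # the original log line


# One entry per line: "<code> - <body>". Header, process list and trailer
# lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
QUOTED_PATH_RE = re.compile(r'"([^"]+)"')
QUARANTINE_ROOT = r"C:\Qoobox\Quarantine\C"   # ComboFix mirrors the C: tree here


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (code, body) for every entry line in a HijackThis log."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


# (section, predicate on the body, reason)
RULES = [
    ("O2", lambda b: b.endswith("(no file)"),
     "BHO still registered but its DLL is gone: orphaned entry"),
    ("O4", lambda b: "RunOnce" in b and re.search(r"\bdel\b", b, re.I),
     "RunOnce deletion at next boot: something could not remove this file while Windows was running"),
    ("O10", lambda b: b.startswith("Broken Internet access"),
     "Winsock LSP chain references a missing DLL; repair the catalog, do not just delete the entry"),
    ("O17", lambda b: "NameServer" in b,
     "DNS servers written into the registry: confirm they belong to the ISP"),
    ("O23", lambda b: "(file missing)" in b,
     "service registered for a binary that no longer exists"),
]


def triage(log: str) -> List[Finding]:
    """Flag the entries a helper would look at first, in log order."""
    findings = []
    for code, body in parse_hjt(log):
        for rule_code, predicate, reason in RULES:
            if code == rule_code and predicate(body):
                findings.append(Finding(code, reason, f"{code} - {body}"))
                break
    return findings


def deletion_targets(findings: List[Finding]) -> Set[str]:
    """Paths that the flagged RunOnce entries are trying to delete."""
    targets: Set[str] = set()
    for f in findings:
        if f.code == "O4":
            targets.update(QUOTED_PATH_RE.findall(f.line))
    return targets


def quarantine_origin(qpath: str) -> str:
    r"""Map a quarantine path (C:\Qoobox\Quarantine\C\...\file.vir) back to
    where the file was taken from; '' for registry backups and other items."""
    if not qpath.startswith(QUARANTINE_ROOT) or not qpath.endswith(".vir"):
        return ""
    return "C:" + qpath[len(QUARANTINE_ROOT):-len(".vir")]


def reconcile(findings: List[Finding], quarantine_listing: str) -> Dict[str, bool]:
    """For each RunOnce deletion target, did ComboFix's quarantine list show it removed?"""
    quarantined = set()
    for raw in quarantine_listing.splitlines():
        parts = raw.split(maxsplit=4)          # date time size attrs path
        if len(parts) == 5:
            origin = quarantine_origin(parts[4])
            if origin:
                quarantined.add(origin.lower())
    return {t: t.lower() in quarantined for t in deletion_targets(findings)}


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\system32\taskeng.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\RunOnce: [SpybotDeletingC2888] cmd /c del "C:\Windows\System32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6358] cmd /c del "C:\Windows\System32\drivers\core.cache.dsk"
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFE5E320-2567-4914-9095-529B2FA17B78}: NameServer = 68.105.28.12,68.105.29.12
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
"""

SAMPLE_QUARANTINE = r"""
2007-04-07 03:56 132760 --a------ C:\Qoobox\Quarantine\C\Windows\System32\jusched.exe.vir
2008-02-10 18:06 167545 --a------ C:\Qoobox\Quarantine\C\Windows\System32\drivers\core.cache.dsk.vir
2008-02-12 15:25 1016 --a------ C:\Qoobox\Quarantine\Registry_backups\services_tdpipee.reg.dat
2008-02-12 15:25 86144 --a------ C:\Qoobox\Quarantine\C\Windows\System32\drivers\tdpipee.sys.vir
"""

if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print(f"{f.code}: {f.reason}\n    {f.line}")
    for target, gone in reconcile(found, SAMPLE_QUARANTINE).items():
        print(f"{target}: {'quarantined by ComboFix' if gone else 'still not removed'}")
```

Run as-is it reports on the sample; paste in the full logs for the real picture. The reconcile step is the useful part: the same deletion queued under both HKLM and HKCU RunOnce is the registry-side trace of the "Spybot continues to find it" loop the poster describes, and the file turning up in the ComboFix quarantine list is the first evidence that the removal finally stuck.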



Response Number 4
Name: jabuck
Date: February 11, 2008 at 15:41:00 Pacific
Subject: Smitfraud removal
Reply:

Open Notepad and copy/paste everything between the X's into it and make sure "Folder::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\Qoobox
KILLALL::
Rootkit::
C:\Windows\System32\drivers\core.cache.dsk

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "run".

Post a new ComboFix log and a new HijackThis log.



Response Number 5
Name: soyi3oy
Date: February 11, 2008 at 16:10:46 Pacific
Subject: Smitfraud removal
Reply:

ComboFix 08-02-12.1 - Zhong 2008-02-12 18:05:47.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1998 [GMT -6:00]
Running from: C:\Users\Zhong\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-10 23:04 . 2008-02-10 23:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 22:02 . 2008-02-10 22:26 <DIR> d-------- C:\Users\Zhong\SmitfraudFix
2008-02-10 22:02 . 2008-02-10 22:39 4,080 --a------ C:\Windows\System32\tmp.reg
2008-02-10 22:02 . 2008-02-10 23:05 165 --a------ C:\Windows\wininit.ini
2008-02-10 21:25 . 2008-02-10 21:25 691,545 --a------ C:\Windows\unins000.exe
2008-02-10 21:25 . 2008-02-10 21:25 3,442 --a------ C:\Windows\unins000.dat
2008-02-10 20:16 . 2008-02-10 20:16 <DIR> d-------- C:\Users\All Users\ALM
2008-02-10 20:16 . 2008-02-10 20:16 <DIR> d-------- C:\ProgramData\ALM
2008-02-10 19:11 . 2008-02-12 15:29 304,623,628 --a------ C:\Windows\MEMORY.DMP
2008-02-10 18:38 . 2008-02-10 18:38 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\Grisoft
2008-02-10 18:36 . 2007-05-30 06:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-02-10 18:29 . 2008-02-10 18:29 <DIR> d-------- C:\Users\All Users\Grisoft
2008-02-10 18:29 . 2008-02-10 18:29 <DIR> d-------- C:\ProgramData\Grisoft
2008-02-10 18:09 . 2008-02-10 18:09 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\AVG7
2008-02-10 18:08 . 2008-02-10 18:15 <DIR> d-------- C:\Users\All Users\avg7
2008-02-10 18:08 . 2008-02-10 18:15 <DIR> d-------- C:\ProgramData\avg7
2008-02-10 00:53 . 2008-02-10 00:53 <DIR> d-------- C:\Users\All Users\Real
2008-02-10 00:53 . 2008-02-10 00:53 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-06 17:07 . 2008-02-06 17:09 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\LimeWire
2008-02-06 17:07 . 2008-02-06 17:07 <DIR> d-------- C:\Program Files\LimeWire
2008-02-05 16:50 . 2008-02-05 16:50 130,346 --------- C:\Windows\hpoins13.dat.temp
2008-02-05 16:50 . 2007-01-22 10:05 811 --------- C:\Windows\hpomdl13.dat.temp
2008-02-04 15:05 . 2008-02-04 15:05 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-04 15:02 . 2008-02-04 15:02 <DIR> dr-h----- C:\MSOCache
2008-02-04 14:58 . 2008-02-04 14:59 <DIR> d-------- C:\Program Files\MagicDisc
2008-02-04 14:58 . 2007-09-05 01:46 92,544 --a------ C:\Windows\System32\drivers\mcdbus.sys
2008-02-04 14:55 . 2008-02-04 14:55 <DIR> d-------- C:\Program Files\MagicISO
2008-02-02 19:44 . 2008-02-02 19:44 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\Template
2008-02-02 19:44 . 2008-02-02 19:44 0 --a------ C:\Users\Zhong\AppData\Roaming\wklnhst.dat
2008-01-31 01:23 . 2007-01-03 19:20 1,732 --a------ C:\Windows\System32\drivers\nvphy.bin
2008-01-28 21:23 . 2008-01-28 21:23 1,099,839 --a------ C:\Windows\System32\TmpA6311940
2008-01-28 21:17 . 2008-01-28 21:18 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\Ableton
2008-01-28 21:17 . 2008-01-28 21:23 <DIR> d-------- C:\Program Files\Ableton
2008-01-28 21:15 . 2008-01-28 21:15 <DIR> d-------- C:\Program Files\DAMN NFO Viewer
2008-01-28 18:25 . 2008-02-12 16:28 <DIR> d-------- C:\Program Files\Bonjour
2008-01-28 18:16 . 2008-01-28 18:16 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-23 17:36 . 2008-01-23 17:37 <DIR> d-------- C:\Program Files\Zune
2008-01-17 11:41 . 2008-01-17 11:50 <DIR> d-------- C:\Users\Zhong\AppData\Roaming\Dev-Cpp
2008-01-17 11:41 . 2008-01-17 11:41 <DIR> d-------- C:\Dev-Cpp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 06:48 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-11 04:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-11 02:27 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-11 02:27 --------- d-----w C:\Program Files\MSBuild
2008-02-07 16:55 --------- d-----w C:\Users\Zhong\AppData\Roaming\mIRC
2008-02-05 22:45 --------- d-----w C:\Users\Zhong\AppData\Roaming\Image Zone Express
2008-02-04 21:32 --------- d-----w C:\ProgramData\Lavasoft
2008-02-04 21:31 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-02-04 21:07 --------- d-----w C:\Program Files\Microsoft Works
2008-02-03 22:09 --------- d-----w C:\Users\Zhong\AppData\Roaming\.BitTornado
2008-01-29 00:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-14 00:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 23:54 245,664 ----a-w C:\Windows\System32\ZuneWlanCfgSvc.exe
2008-01-11 23:39 70,656 ----a-w C:\Windows\System32\ZuneIpTransport.dll
2008-01-11 23:39 62,464 ----a-w C:\Windows\System32\ZuneUsbTransport.dll
2008-01-11 23:39 35,840 ----a-w C:\Windows\System32\ZuneUsbCOnnection.dll
2008-01-11 23:39 145,408 ----a-w C:\Windows\System32\ZuneMTPZ.dll
2008-01-10 19:16 159,839 ----a-w C:\Windows\System32\xvidvfw.dll
2008-01-10 19:15 755,027 ----a-w C:\Windows\System32\xvidcore.dll
2008-01-10 15:28 --------- d-----w C:\Program Files\Windows Mail
2008-01-10 05:37 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-10 05:37 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-10 05:37 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-10 05:37 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-10 05:37 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-10 05:36 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-10 05:36 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-10 05:36 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-10 05:36 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-10 05:36 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-10 05:36 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-10 05:36 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-10 05:36 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-10 05:36 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-10 05:36 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-01-10 05:36 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-10 05:36 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-10 05:36 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-10 05:36 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-10 05:36 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-05 03:28 --------- d-----w C:\Program Files\Yoplo
2007-12-31 21:21 --------- d-----w C:\ProgramData\Nero
2007-12-31 21:18 --------- d-----w C:\Program Files\Common Files\muvee Technologies
2007-12-31 19:58 --------- d-----w C:\ProgramData\Roxio
2007-12-31 18:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-31 17:35 88,576 ----a-w C:\Windows\System32\infocardapi.dll
2007-12-31 17:35 779,800 ----a-w C:\Windows\System32\PresentationNative_v0300.dll
2007-12-31 17:35 579,584 ----a-w C:\Windows\System32\icardagt.exe
2007-12-31 17:35 350,744 ----a-w C:\Windows\System32\PresentationHost.exe
2007-12-31 17:35 33,304 ----a-w C:\Windows\System32\PresentationHostProxy.dll
2007-12-31 17:35 11,776 ----a-w C:\Windows\System32\icardres.dll
2007-12-31 17:35 106,520 ----a-w C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2007-12-31 17:31 96,760 ----a-w C:\Windows\System32\dfshim.dll
2007-12-31 17:31 84,480 ----a-w C:\Windows\System32\mscories.dll
2007-12-31 17:31 41,984 ----a-w C:\Windows\System32\netfxperf.dll
2007-12-31 17:31 282,112 ----a-w C:\Windows\System32\mscoree.dll
2007-12-31 17:31 158,720 ----a-w C:\Windows\System32\mscorier.dll
2007-12-31 17:10 --------- d-----w C:\Program Files\Windows Media Components
2007-12-29 04:35 --------- d-----w C:\Users\Zhong\AppData\Roaming\DeepBurner
2007-12-29 04:25 --------- d-----w C:\Program Files\SpywareBlaster
2007-12-29 04:24 --------- d-----w C:\Program Files\Astonsoft
2007-12-29 04:23 --------- d-----w C:\Program Files\CCleaner
2007-12-28 06:29 --------- d-----w C:\Users\Zhong\AppData\Roaming\SteelBytes
2007-12-27 00:18 --------- d-----w C:\Users\Zhong\AppData\Roaming\DataCast
2007-12-27 00:18 --------- d-----w C:\Program Files\Samsung
2007-12-27 00:18 --------- d-----w C:\Program Files\MarkAny
2007-12-25 23:16 --------- d-----w C:\ProgramData\Age of Empires 3
2007-12-25 23:15 --------- d-----w C:\Program Files\Common Files\Microsoft Games
2007-12-25 21:44 --------- d-----w C:\Program Files\Microsoft Games
2007-12-25 16:38 --------- d-----w C:\Program Files\Super_DVD_Creator_9.5
2007-12-25 16:25 715,248 ----a-w C:\Windows\system32\drivers\sptd.sys
2007-12-24 19:49 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2007-12-18 06:23 --------- d-----w C:\Program Files\Nero
2007-12-17 18:57 --------- d-----w C:\ProgramData\LightScribe
2007-12-17 18:44 --------- d-----w C:\Program Files\LightScribeTemplateLabeler
2007-12-17 18:33 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-12-17 17:37 47,360 ----a-w C:\Users\Zhong\AppData\Roaming\pcouffin.sys
2007-12-17 17:37 --------- d-----w C:\Users\Zhong\AppData\Roaming\Vso
2007-12-17 17:13 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2007-12-17 03:03 --------- d-----w C:\ProgramData\TEMP
2007-12-17 03:01 --------- d-----w C:\Users\Zhong\AppData\Roaming\Roxio
2007-12-14 23:19 40,960 ------w C:\Windows\System32\MAMACExtract.dll
2007-12-12 22:05 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-12 22:05 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-12 22:05 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-12 22:04 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 22:04 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 22:04 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 22:04 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 22:03 3,505,848 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-12 22:03 3,472,056 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-04 08:33 682,496 ----a-w C:\Windows\System32\divx.dll
2007-11-30 05:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2007-11-30 05:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2007-11-20 21:36 118,784 ----a-w C:\Windows\System32\MaDRM.dll
2007-11-18 00:13 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-15 00:16 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-15 00:16 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-15 00:16 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-15 00:16 502,784 ----a-w C:\Windows\System32\wlansvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 23:36 1232896]
"Aim6"="" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 06:35 125440]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-12-05 12:30 2295072]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 06:36 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-03 00:02 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 09:01 65536]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 10:16 65536]
"OsdMaestro"="C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 05:59 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 05:06 4669440 C:\Windows\RtHDVCpl.exe]
"HP Health Check Scheduler"="c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 14:13 71176]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateReg"="C:\Windows\system32\jureg.exe" [2007-04-07 03:56 54936]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24 54840]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 20:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 20:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 20:15 81920]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 17:21 132624]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2008-01-11 17:54 166304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\Zhong\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-02-04 14:58:45 557568]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 20:40:10 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= C:\PROGRA~1\MarkAny\CONTEN~1\MACSMA~1.DLL [2004-11-23 16:51 192512]

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-11-28 10:44]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2007-06-11 03:49]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\Windows\system32\ZuneWlanCfgSvc.exe [2008-01-11 17:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53d89c52-8026-11dc-b3dd-001bb98def76}]
\shell\AutoRun\command - K:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 18:07:15
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-12 18:07:48
ComboFix-quarantined-files.txt 2008-02-13 00:07:46
ComboFix2.txt 2008-02-12 21:48:21
ComboFix3.txt 2008-02-12 21:39:47
ComboFix4.txt 2008-02-12 21:33:02
.
2008-02-08 13:42:05 --- E O F ---


----


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:04, on 2008-02-12
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFE5E320-2567-4914-9095-529B2FA17B78}: NameServer = 68.105.28.12,68.105.29.12
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6940 bytes



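An added example, not part of the original thread or of HijackThis itself: the poster's question in the first message was which log lines to act on. The small Python triage pass below reads HijackThis v2 lines like the ones above and flags the entry types a helper looks at first: O2/O9 entries whose backing file is gone ("(no file)"), O23 services whose binary is gone ("(file missing)"), O17 NameServer overrides (so the DNS servers can be checked against the ISP's), and O4 autoruns that launch from a user-writable profile/temp path. The sample log is a subset of the second log in this thread plus one constructed O4 line (the "Updater" entry) so the path heuristic has something to match; the heuristics and path patterns are my assumptions, not rules from the tool. It only parses text and never touches the registry.

```python
"""Triage a HijackThis v2 log: flag orphaned, missing and suspicious entries.

Added example for the thread above; not HijackThis code. All rules below are
the author's assumptions about what is worth a second look, not detections.
"""
import re

# Constructed sample: lines copied from the thread's second HijackThis log,
# plus one made-up O4 entry ("Updater") under AppData\Local\Temp.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKCU\..\Run: [Updater] C:\Users\example\AppData\Local\Temp\loader.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFE5E320-2567-4914-9095-529B2FA17B78}: NameServer = 68.105.28.12,68.105.29.12
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) then " - ".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Assumed heuristic: autoruns launched from a per-user, user-writable location
# deserve a look because that is where droppers commonly land.
SUSPECT_PATH_RE = re.compile(
    r"\\(AppData|Local Settings|Application Data|Temp)\\", re.IGNORECASE
)


def parse(log_text):
    """Yield (kind, body, line) for each well-formed HijackThis entry."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def name_servers(log_text):
    """Return the DNS servers from every O17 NameServer entry, in log order."""
    servers = []
    for kind, body, _ in parse(log_text):
        if kind == "O17" and "NameServer = " in body:
            servers.extend(s.strip() for s in body.split("NameServer = ", 1)[1].split(","))
    return servers


def triage(log_text):
    """Return a list of (kind, reason, line) for entries worth reviewing."""
    findings = []
    for kind, body, line in parse(log_text):
        if kind in ("O2", "O9") and body.endswith("(no file)"):
            findings.append((kind, "orphaned entry: backing file is absent", line))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append((kind, "service registered but its binary is absent", line))
        elif kind == "O17":
            findings.append((kind, "DNS override: confirm the servers belong to your ISP", line))
        elif kind == "O4" and SUSPECT_PATH_RE.search(body):
            findings.append((kind, "autorun from a user-writable profile/temp path", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
    print("DNS servers to verify:", ", ".join(name_servers(SAMPLE_LOG)))
```

Orphaned O2/O23 entries are leftovers rather than live code and are generally safe to fix from within HijackThis; the O4 and O17 hits are only prompts to check, since a legitimate updater can live under AppData and the 68.105.x.x servers above may well be the ISP's own resolvers.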

Response Number 6
Name: soyi3oy
Date: February 11, 2008 at 16:12:08 Pacific
Subject: Smitfraud removal
Reply: (edit)

I haven't had a popup since I used ComboFix and SpyBot doesn't detect the Smitfraud virus anymore either. It seemed to have done the trick. Thanks a lot.

---

On another note, it seems that I have a lot of programs for virus/adware/spyware protection and registry cleaning. Perhaps I have too much? Spyware Blaster, Spybot Search & Destroy, Ad-Aware 2007, AVG, Windows Defender, and CCleaner. Do you think this is a good thing or should I uninstall a few for more efficient running or less conflict?



Response Number 7
Name: jabuck
Date: February 11, 2008 at 19:13:32 Pacific
Subject: Smitfraud removal
Reply: (edit)

Go to Start > Run > type in combofix /u, then click OK. That should uninstall ComboFix.

Go to Start > Control Panel > Add/Remove Programs and uninstall "Windows Defender"; it doesn't defend from much.

Keep the others; remember to update SpywareBlaster at least bi-weekly if you have the free version.

Glad we could help.


