Smitfraud virus

Original Message
Name: SuzeeKuzee11
Date: January 22, 2008 at 14:35:43 Pacific
Subject: Smitfraud virus
OS: WINDOWS XP
CPU/Ram: UNKNOWN
Model/Manufacturer: UNKNOWN
Comment:
I tried all these and not one thing listed helped me get rid of the smitfraud-c.coreservice. You run the different scans, they find it, say they deleted it and reboot, then you go to see if it's gone when you start up normal Windows and, lo and behold, the stupid thing is still there. I have used CCleaner, SUPERAntiSpyware, AVG, AVG virus and worm eliminator, BitDefender, CWShredder, Error Expert, Registry Easy and Spybot plus ZoneAlarm, plus what was listed above, to no avail. The thing is in drivers, so whenever you start to use your computer, whatever runs using that just reloads it. And the safe mode drag-and-drop thing didn't work, so any other suggestions, because I am sure I am not the only one that cannot get rid of the thing. Thanks for any help. Plus I am getting tired of loading things that don't work or need to be registered to work. Why buy something you don't even know will help? Yes I did

I run Windows XP and Firefox. I have done the scans in normal and safe modes and nothing. I get a command.com prompt window now too when it restarts; I don't know how to get rid of that. Plus it won't allow me to change the date of System Restore. Please don't tell me to download anything else unless it's going to help for sure; I have so many now it's sad. Thanks




Response Number 1
Name: Beginner1
Date: January 22, 2008 at 15:13:29 Pacific
Subject: Smitfraud virus
Reply:
http://forums.techguy.org/malware-r...

Jim R



Response Number 2
Name: jabuck
Date: January 22, 2008 at 17:35:18 Pacific
Subject: Smitfraud virus
Reply:
Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download SmitFraudFix from this link:

SmitfraudFix

Then extract the contents to your desktop.
!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop. !!!!

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Response Number 3
Name: SuzeeKuzee11
Date: January 22, 2008 at 20:39:07 Pacific
Subject: Smitfraud virus
Reply:
OK, my HijackThis is updated already and I ran the SmitfraudFix and it did nothing whatsoever. I could delete the core.cache.dsk, but once I went to normal startup the dumb thing was right back to where it was before in system32\drivers. I have tried every which way to get rid of this and it's a stubborn one. So any other ideas? What I think it is, since you can't delete it in anything but safe mode but it returns in normal mode, is there is something running that is keeping it there and I need to find the thing running to get rid of the whole crap. So any ideas on where to find what's running that shouldn't be? Also when I go to normal startup I keep getting a box C:\WINDOWS\SYSTEM32\COMMAND.COM. Why is that???


Response Number 4
Name: btk1w1
Date: January 22, 2008 at 21:42:07 Pacific
Subject: Smitfraud virus
Reply:
Suzee,

This previous thread in computing.net has the answer for your coreservice problem.

Read response #8 here:

http://www.computing.net/security/w...

This should fix that particular problem, but I would suggest following jabuck's instructions as he is very good at malware removal, and if there is more lurking on your PC he will weed it out and help you repair.



Response Number 5
Name: jabuck
Date: January 23, 2008 at 03:25:47 Pacific
Subject: Smitfraud virus
Reply:
The purpose of requesting the logs is to determine the programs that need to be disabled prior to removing the malware successfully and to help find the bad files.

No logs no can help.




Response Number 6
Name: SuzeeKuzee11
Date: January 23, 2008 at 10:27:03 Pacific
Subject: Smitfraud virus
Reply:
Here is my HijackThis log you requested:
Logfile of HijackThis v1.99.1
Scan saved at 1:27:32 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Suzanne\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4620] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKLM\..\RunOnce: [SpybotDeletingA4943] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\RunOnce: [SpybotDeletingB2904] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD796] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service (file missing)




Response Number 7
Name: jabuck
Date: January 23, 2008 at 14:37:12 Pacific
Subject: Smitfraud virus
Reply:
Go to the this link:

Disable Realtime Protection

Follow their directions to disable Spybot's tea timer and any other realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Don't run Combofix yet

Run HijackThis, close all windows and browsers except HijackThis, place a check to the left of the following items and press "Fix checked":

O4 - HKLM\..\RunOnce: [SpybotDeletingC4620] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"

O4 - HKLM\..\RunOnce: [SpybotDeletingA4943] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"

O4 - HKCU\..\RunOnce: [SpybotDeletingB2904] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"

O4 - HKCU\..\RunOnce: [SpybotDeletingD796] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"


Exit HijackThis



Double-click combofix.exe icon.
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 8
Name: SuzeeKuzee11
Date: January 24, 2008 at 17:01:53 Pacific
Subject: Smitfraud virus
Reply:
Here is the ComboFix report

ComboFix 08-01-23.1B - Suzanne 2008-01-24 19:48:21.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.175 [GMT -5:00]
Running from: C:\Documents and Settings\Suzanne\My Documents\ComboFix(2).exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
---- Previous Run -------
.
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-24 19:56 . 2008-01-24 19:56 <DIR> d-------- C:\Temp\tn3
2008-01-24 00:15 . 2008-01-24 19:54 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-23 23:35 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-01-23 23:31 . 2008-01-24 18:20 <DIR> d-------- C:\MGtools
2008-01-23 23:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 23:31 . 2008-01-24 18:20 35,714 --a------ C:\MGlogs.zip
2008-01-23 00:21 . 2008-01-23 00:21 <DIR> d-------- C:\Program Files\Ashampoo
2008-01-22 22:00 . 2008-01-22 23:00 2,404 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-22 21:59 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-22 21:59 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-22 21:59 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-22 21:59 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-22 21:59 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-22 10:40 . 2008-01-22 10:42 <DIR> d--hs---- C:\WINDOWS\system32\dllcache
2008-01-22 00:43 . 2008-01-22 00:43 87,952 --------- C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-01-22 00:30 . 2008-01-22 00:39 121 --a------ C:\WINDOWS\bdagent.INI
2008-01-21 23:51 . 2008-01-21 23:51 <DIR> d-------- C:\Program Files\BitDefender
2008-01-21 23:49 . 2008-01-23 13:39 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-01-20 19:48 . 2008-01-12 22:17 262,144 --a------ C:\Program Files\Uninstall Spy Blocker.dll
2008-01-20 03:04 . 2008-01-21 23:41 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-20 00:25 . 2008-01-20 00:26 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-20 00:25 . 2008-01-20 00:26 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-20 00:19 . 2008-01-20 00:23 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-20 00:14 . 2008-01-20 17:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-20 00:14 . 2008-01-20 00:24 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-18 02:17 . 2008-01-18 02:17 42 --a------ C:\WINDOWS\system32\RegistryEasy.lie
2008-01-18 02:04 . 2008-01-22 01:13 <DIR> d-------- C:\Program Files\Registry Easy
2008-01-18 01:14 . 2008-01-22 11:47 54 --a------ C:\WINDOWS\wininit.ini
2008-01-12 22:39 . 2008-01-24 19:55 22,992,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-12 22:39 . 2008-01-24 19:54 270,476 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-12 22:16 . 2008-01-12 22:20 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-12 22:15 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-12 22:15 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-12 22:13 . 2008-01-12 22:15 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-12 22:13 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-12 22:12 . 2008-01-24 19:54 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-12 22:12 . 2008-01-24 19:55 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-12 21:02 . 2008-01-18 10:17 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-12 15:32 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-11 21:12 . 2008-01-16 10:02 <DIR> d-------- C:\WINDOWS\system32\smvt3
2008-01-11 21:12 . 2008-01-11 21:12 <DIR> d-------- C:\WINDOWS\system32\omp2
2008-01-11 21:12 . 2008-01-11 21:12 <DIR> d-------- C:\WINDOWS\system32\obe3
2008-01-11 21:12 . 2008-01-16 10:02 <DIR> d-------- C:\WINDOWS\system32\ardCo16
2008-01-11 21:12 . 2008-01-11 21:12 <DIR> d-------- C:\WINDOWS\system32\ache3
2008-01-11 21:12 . 2008-01-11 21:12 <DIR> d-------- C:\Temp\cEeer12
2008-01-11 21:12 . 2008-01-24 19:56 <DIR> d-------- C:\Temp
2008-01-11 21:12 . 2008-01-11 21:12 111,831 --a------ C:\WINDOWS\system32\ope328.exe
2008-01-11 21:12 . 2008-01-11 21:12 86,016 --a------ C:\WINDOWS\system32\drivers\volsnapp.sys
2008-01-11 21:12 . 2008-01-11 21:12 0 --a------ C:\WINDOWS\system32\ope328.tmp
2008-01-11 21:11 . 2008-01-11 21:11 352,410 --a------ C:\WINDOWS\system32\ope321.exe
2008-01-11 21:11 . 2008-01-11 21:11 0 --a------ C:\WINDOWS\system32\ope321.tmp
2008-01-11 21:11 . 2008-01-11 21:11 0 --a------ C:\WINDOWS\ope326.tmp
2008-01-11 20:49 . 2008-01-11 20:49 <DIR> d-------- C:\Motorola USB Modem
2008-01-11 20:08 . 2008-01-22 01:23 <DIR> d-------- C:\Program Files\Error Expert
2008-01-04 21:23 . 2008-01-04 21:23 <DIR> d-------- C:\Program Files\DivX
2007-12-26 16:34 . 2007-12-26 16:37 <DIR> d-------- C:\Program Files\Snood

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 04:46 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-24 04:41 --------- d-----w C:\Program Files\Yahoo!
2008-01-22 22:00 --------- d-----w C:\Program Files\Trillian
2008-01-22 15:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 16:39 --------- d-----w C:\Program Files\Java
2008-01-21 04:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 00:56 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-21 00:48 --------- d-----w C:\Program Files\KeyText
2008-01-21 00:46 --------- d-----w C:\Program Files\Believe in Sandy Holiday Story
2008-01-18 06:40 482 ------w C:\Program Files\Shortcut to WinRAR.lnk
2008-01-12 20:03 --------- d-----w C:\Program Files\TrojanHunter 5.0
2007-12-13 19:52 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-06 13:01 --------- d-----w C:\Program Files\Logitech
2007-12-05 14:52 --------- d-----w C:\Program Files\Macrogaming
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 01:02 --------- d-----w C:\Program Files\The Weather Channel FW
2007-12-04 01:02 --------- d-----w C:\Program Files\AskPBar
2007-08-10 22:18 774,144 ------w C:\Program Files\RngInterstitial.dll
2007-07-17 23:26 805 ------w C:\Program Files\Shortcut to NvMixer.lnk
2007-07-17 23:25 684 ------w C:\Program Files\Shortcut to firefox.lnk
2007-07-17 23:19 656 ------w C:\Program Files\Shortcut to moviemk.lnk
2007-07-17 23:19 632 ------w C:\Program Files\Shortcut to conf.lnk
2007-07-17 16:19 2,128,150 ------w C:\Program Files\McAfeeAvert349Stinger.zip
2007-07-17 15:49 763,737 ------w C:\Program Files\unins000.exe
2007-07-16 17:02 578,786 ------w C:\Program Files\PBpro.exe
2007-07-10 14:33 8,148,208 ------w C:\Program Files\RegistrySmart.exe
2007-07-10 14:33 763,120 ------w C:\Program Files\Launcher.exe
2007-07-09 14:11 10,561 ------w C:\Program Files\license.rtf
2007-06-21 01:00 702,644 ------w C:\Program Files\JUN2007_d3dx10_34_x64.cab
2007-06-21 01:00 702,072 ------w C:\Program Files\JUN2007_d3dx10_34_x86.cab
2007-06-21 01:00 45,302 ------w C:\Program Files\dxdllreg_x86.cab
2007-06-21 01:00 200,722 ------w C:\Program Files\JUN2007_XACT_x64.cab
2007-06-21 01:00 156,509 ------w C:\Program Files\JUN2007_XACT_x86.cab
2007-06-21 01:00 1,611,374 ------w C:\Program Files\JUN2007_d3dx9_34_x64.cab
2007-06-21 01:00 1,610,886 ------w C:\Program Files\JUN2007_d3dx9_34_x86.cab
2007-06-21 00:40 976,020 ------w C:\Program Files\BDAXP.cab
2007-06-21 00:40 917,318 ------w C:\Program Files\Apr2006_MDX1_x86.cab
2007-06-21 00:40 88,102 ------w C:\Program Files\AUG2006_xinput_x64.cab
2007-06-21 00:40 87,989 ------w C:\Program Files\Apr2006_xinput_x64.cab
2007-06-21 00:40 86,925 ------w C:\Program Files\Oct2005_xinput_x64.cab
2007-06-21 00:40 86,400 ------w C:\Program Files\dxupdate.cab
2007-06-21 00:40 77,160 ------w C:\Program Files\DSETUP.dll
2007-06-21 00:40 702,212 ------w C:\Program Files\APR2007_d3dx10_33_x64.cab
2007-06-21 00:40 699,465 ------w C:\Program Files\APR2007_d3dx10_33_x86.cab
2007-06-21 00:40 56,902 ------w C:\Program Files\APR2007_xinput_x86.cab
2007-06-21 00:40 503,144 ------w C:\Program Files\DXSETUP.exe
2007-06-21 00:40 47,018 ------w C:\Program Files\AUG2006_xinput_x86.cab
2007-06-21 00:40 46,898 ------w C:\Program Files\Apr2006_xinput_x86.cab
2007-06-21 00:40 46,247 ------w C:\Program Files\Oct2005_xinput_x86.cab
2007-06-21 00:40 4,163,518 ------w C:\Program Files\Apr2006_MDX1_x86_Archive.cab
2007-06-21 00:40 213,767 ------w C:\Program Files\DEC2006_d3dx10_00_x64.cab
2007-06-21 00:40 199,366 ------w C:\Program Files\APR2007_XACT_x64.cab
2007-06-21 00:40 198,275 ------w C:\Program Files\FEB2007_XACT_x64.cab
2007-06-21 00:40 193,435 ------w C:\Program Files\DEC2006_XACT_x64.cab
2007-06-21 00:40 192,680 ------w C:\Program Files\DEC2006_d3dx10_00_x86.cab
2007-06-21 00:40 183,863 ------w C:\Program Files\AUG2006_XACT_x64.cab
2007-06-21 00:40 183,321 ------w C:\Program Files\OCT2006_XACT_x64.cab
2007-06-21 00:40 181,745 ------w C:\Program Files\JUN2006_XACT_x64.cab
2007-06-21 00:40 180,021 ------w C:\Program Files\Apr2006_XACT_x64.cab
2007-06-21 00:40 179,247 ------w C:\Program Files\Feb2006_XACT_x64.cab
2007-06-21 00:40 154,825 ------w C:\Program Files\APR2007_XACT_x86.cab
2007-06-21 00:40 151,583 ------w C:\Program Files\FEB2007_XACT_x86.cab
2007-06-21 00:40 146,559 ------w C:\Program Files\DEC2006_XACT_x86.cab
2007-06-21 00:40 138,977 ------w C:\Program Files\OCT2006_XACT_x86.cab
2007-06-21 00:40 138,195 ------w C:\Program Files\AUG2006_XACT_x86.cab
2007-06-21 00:40 134,631 ------w C:\Program Files\JUN2006_XACT_x86.cab
2007-06-21 00:40 133,991 ------w C:\Program Files\Apr2006_XACT_x86.cab
2007-06-21 00:40 133,297 ------w C:\Program Files\Feb2006_XACT_x86.cab
2007-06-21 00:40 13,265,040 ------w C:\Program Files\dxnt.cab
2007-06-21 00:40 100,417 ------w C:\Program Files\APR2007_xinput_x64.cab
2007-06-21 00:40 1,673,576 ------w C:\Program Files\dsetup32.dll
2007-06-21 00:40 1,610,958 ------w C:\Program Files\APR2007_d3dx9_33_x64.cab
2007-06-21 00:40 1,609,639 ------w C:\Program Files\APR2007_d3dx9_33_x86.cab
2007-06-21 00:40 1,575,336 ------w C:\Program Files\DEC2006_d3dx9_32_x86.cab
2007-06-21 00:40 1,572,114 ------w C:\Program Files\DEC2006_d3dx9_32_x64.cab
2007-06-21 00:40 1,413,862 ------w C:\Program Files\OCT2006_d3dx9_31_x64.cab
2007-06-21 00:40 1,398,718 ------w C:\Program Files\Apr2006_d3dx9_30_x64.cab
2007-06-21 00:40 1,363,684 ------w C:\Program Files\Feb2006_d3dx9_29_x64.cab
2007-06-21 00:40 1,358,864 ------w C:\Program Files\Dec2005_d3dx9_28_x64.cab
2007-06-21 00:40 1,351,430 ------w C:\Program Files\Aug2005_d3dx9_27_x64.cab
2007-06-21 00:40 1,348,242 ------w C:\Program Files\Apr2005_d3dx9_25_x64.cab
2007-06-21 00:40 1,336,890 ------w C:\Program Files\Jun2005_d3dx9_26_x64.cab
2007-06-21 00:40 1,248,387 ------w C:\Program Files\Feb2005_d3dx9_24_x64.cab
2007-06-21 00:40 1,156,363 ------w C:\Program Files\BDANT.cab
2007-06-21 00:40 1,128,177 ------w C:\Program Files\OCT2006_d3dx9_31_x86.cab
2007-06-21 00:40 1,116,109 ------w C:\Program Files\Apr2006_d3dx9_30_x86.cab
2007-06-21 00:40 1,085,608 ------w C:\Program Files\Feb2006_d3dx9_29_x86.cab
2007-06-21 00:40 1,080,344 ------w C:\Program Files\Dec2005_d3dx9_28_x86.cab
2007-06-21 00:40 1,079,850 ------w C:\Program Files\Apr2005_d3dx9_25_x86.cab
2007-06-21 00:40 1,078,532 ------w C:\Program Files\Aug2005_d3dx9_27_x86.cab
2007-06-21 00:40 1,065,813 ------w C:\Program Files\Jun2005_d3dx9_26_x86.cab
2007-06-21 00:40 1,014,113 ------w C:\Program Files\Feb2005_d3dx9_24_x86.cab
2007-06-04 03:47 2,511 ------w C:\Program Files\FriendFinder Messenger v3.0.lnk
2007-05-30 01:34 5,419,008 ------w C:\Program Files\MySpaceIM.exe
2007-05-29 22:00 2,803,440 ------w C:\Program Files\Shockwave_Installer_Slim.exe
2007-05-01 19:18 1,035 ------w C:\Program Files\install.ini
.

((((((((((((((((((((((((((((( snapshot@2008-01-23_23.50.26.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-25 00:55:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_750.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-23 23:30 145920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 16:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 08:00 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-01-23 23:30 416256 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
--a------ 2004-06-03 19:51 131072 C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-06-29 05:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--------- 2007-06-21 13:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-03-21 15:58 3325952 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2002-05-29 01:59 520192 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2007-11-14 16:05 919016 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R1 volsnapp;volsnapp;C:\WINDOWS\system32\drivers\volsnapp.sys [2008-01-11 21:12]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys [2001-08-17 07:19]
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys [2001-08-17 07:19]
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys [2001-08-17 07:19]
S3 bdfsfltr;bdfsfltr;C:\WINDOWS\system32\drivers\bdfsfltr.sys []
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2006-12-13 16:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 19:56:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-24 20:00:11 - machine was rebooted [Suzanne]
ComboFix-quarantined-files.txt 2008-01-25 01:00:05
ComboFix2.txt 2008-01-25 00:22:36
ComboFix3.txt 2008-01-24 19:59:59
.
2008-01-20 08:20:04 --- E O F ---



Response Number 9
Name: jabuck
Date: January 24, 2008 at 18:37:03 Pacific
Subject: Smitfraud virus
Reply:
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\ope328.exe
C:\WINDOWS\system32\drivers\volsnapp.sys
C:\WINDOWS\system32\ope328.tmp
C:\WINDOWS\system32\ope321.tmp
C:\WINDOWS\ope326.tmp

Driver::
volsnapp

Folder::
C:\temp\tn3
C:\WINDOWS\system32\smvt3
C:\WINDOWS\system32\omp2
C:\WINDOWS\system32\obe3
C:\WINDOWS\system32\ardCo16
C:\WINDOWS\system32\ache3
C:\Temp\cEeer12

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post a new combofix log please.


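The ComboFix log posted above is where the persistence finally becomes visible: volsnapp.sys, registered as the R1 (system-start) driver "volsnapp" and created on 2008-01-11, carries a name one letter off the legitimate Windows volsnap driver, and jabuck's CFScript targets exactly that driver before re-attempting the core.cache.dsk deletion that the Spybot RunOnce entries and the first ComboFix run could not complete. The script below is an added example written for this thread, not code from ComboFix, HijackThis or any poster. It parses ComboFix's "R1 name;display;path [timestamp]" driver/service lines and its "Files Created" lines, then flags any registered driver whose name is within one edit of a stock Windows driver name, or whose file was created inside a suspect time window. The KNOWN_GOOD set, the window dates and the function names are assumptions for the demo; the sample lines are copied from the log in this thread.

```python
"""Triage of ComboFix driver lines for look-alike names and freshly dropped files.

Added example for this thread, not code from ComboFix or HijackThis.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption for the demo: a short, hand-picked set of stock Windows XP driver
# and service names. Real triage would load a full list from a clean machine.
KNOWN_GOOD = {
    "volsnap", "ntfs", "tcpip", "afd", "ipsec", "mup", "null", "beep",
    "atapi", "disk", "ftdisk", "mountmgr", "partmgr", "srv", "rdbss", "mrxsmb",
}

# Constructed sample: lines copied from the ComboFix log posted in this thread
# (three "Files Created" lines followed by the driver/service listing).
SAMPLE_LOG = r"""
2008-01-24 00:15 . 2008-01-24 19:54 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-22 00:43 . 2008-01-22 00:43 87,952 --------- C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-01-11 21:12 . 2008-01-11 21:12 86,016 --a------ C:\WINDOWS\system32\drivers\volsnapp.sys
R1 volsnapp;volsnapp;C:\WINDOWS\system32\drivers\volsnapp.sys [2008-01-11 21:12]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys [2001-08-17 07:19]
S3 bdfsfltr;bdfsfltr;C:\WINDOWS\system32\drivers\bdfsfltr.sys []
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2006-12-13 16:52]
"""

# "R1 name;display;path [file timestamp]": R = running, S = stopped, digit = start type
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$"
)
# "created . modified size attrs path" as printed in the "Files Created" section
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:<DIR>|[\d,]+)\s+\S+\s+(?P<path>.+)$"
)


@dataclass
class Driver:
    start: str
    name: str
    display: str
    path: str
    stamp: str


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short driver names, so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str, known: set) -> Optional[str]:
    """Return the stock name this one imitates (edit distance 1), else None.
    An exact match is the legitimate driver itself, not a look-alike."""
    n = name.lower()
    if n in known:
        return None
    for k in known:
        if levenshtein(n, k) == 1:
            return k
    return None


def parse_drivers(text: str) -> List[Driver]:
    return [Driver(**m.groupdict())
            for m in (DRIVER_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_created(text: str) -> Dict[str, str]:
    """Map lowercased path -> creation timestamp from the Files Created lines."""
    out = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            out[m.group("path").lower()] = m.group("created")
    return out


def triage(text: str, window_start: str, window_end: str) -> List[Finding]:
    """Flag registered drivers by look-alike name or creation inside the window."""
    created = parse_created(text)
    findings = []
    for d in parse_drivers(text):
        f = Finding(d.name, d.path)
        imitated = lookalike(d.name, KNOWN_GOOD)
        if imitated:
            f.reasons.append(f"name imitates stock driver '{imitated}'")
        stamp = created.get(d.path.lower())
        if stamp and window_start <= stamp[:10] <= window_end:
            f.reasons.append(f"driver file created {stamp}, inside suspect window")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "2008-01-11", "2008-01-25"):
        print(f"{f.name} ({f.path}):")
        for r in f.reasons:
            print("  -", r)
```

Run as-is it reports only volsnapp, with both reasons, while the BitDefender, avast, Conexant and Motorola drivers pass. A name one edit away from a real Windows driver is exactly the kind of entry a human skims past in a 300-line log, which is what the look-alike check is for; the window check only sees what ComboFix listed under Files Created, so extend KNOWN_GOOD from a clean reference install before relying on either in practice.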

Response Number 10
Name: SuzeeKuzee11
Date: January 24, 2008 at 19:39:29 Pacific
Subject: Smitfraud virus
Reply:
ComboFix 08-01-23.1B - Suzanne 2008-01-24 22:17:34.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.184 [GMT -5:00]
Running from: C:\Documents and Settings\Suzanne\My Documents\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Suzanne\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE
C:\WINDOWS\ope326.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\volsnapp.sys
C:\WINDOWS\system32\ope321.tmp
C:\WINDOWS\system32\ope328.exe
C:\WINDOWS\system32\ope328.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\temp\tn3
C:\WINDOWS\ope326.tmp
C:\WINDOWS\system32\ache3
C:\WINDOWS\system32\ache3\vumpedll23.exe
C:\WINDOWS\system32\ardCo16
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\volsnapp.sys
C:\WINDOWS\system32\obe3
C:\WINDOWS\system32\omp2
C:\WINDOWS\system32\ope321.tmp
C:\WINDOWS\system32\ope328.exe
C:\WINDOWS\system32\ope328.tmp
C:\WINDOWS\system32\smvt3

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_VOLSNAPP
-------\volsnapp


((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-24 20:15 . 2008-01-24 20:15 <DIR> d-------- C:\VundoFix Backups
2008-01-24 20:04 . 2008-01-24 20:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-23 23:35 . 2005-01-13 22:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-01-23 23:31 . 2008-01-24 18:20 <DIR> d-------- C:\MGtools
2008-01-23 23:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 23:31 . 2008-01-24 18:20 35,714 --a------ C:\MGlogs.zip
2008-01-23 00:21 . 2008-01-23 00:21 <DIR> d-------- C:\Program Files\Ashampoo
2008-01-22 22:00 . 2008-01-22 23:00 2,404 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-22 21:59 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-22 21:59 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-22 21:59 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-22 21:59 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-22 21:59 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-22 10:40 . 2008-01-22 10:42 <DIR> d--hs---- C:\WINDOWS\system32\dllcache
2008-01-22 00:43 . 2008-01-22 00:43 87,952 --------- C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-01-22 00:30 . 2008-01-22 00:39 121 --a------ C:\WINDOWS\bdagent.INI
2008-01-21 23:51 . 2008-01-21 23:51 <DIR> d-------- C:\Program Files\BitDefender
2008-01-21 23:49 . 2008-01-23 13:39 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-01-20 19:48 . 2008-01-12 22:17 262,144 --a------ C:\Program Files\Uninstall Spy Blocker.dll
2008-01-20 03:04 . 2008-01-21 23:41 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-20 00:25 . 2008-01-20 00:26 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-20 00:25 . 2008-01-20 00:26 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-20 00:19 . 2008-01-20 00:23 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-20 00:14 . 2008-01-20 17:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-20 00:14 . 2008-01-20 00:24 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-18 02:17 . 2008-01-18 02:17 42 --a------ C:\WINDOWS\system32\RegistryEasy.lie
2008-01-18 02:04 . 2008-01-22 01:13 <DIR> d-------- C:\Program Files\Registry Easy
2008-01-18 01:14 . 2008-01-22 11:47 54 --a------ C:\WINDOWS\wininit.ini
2008-01-12 22:39 . 2008-01-24 22:27 23,132,192 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-12 22:39 . 2008-01-24 22:23 272,108 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-12 22:16 . 2008-01-12 22:20 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-12 22:15 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-12 22:15 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-12 22:13 . 2008-01-12 22:15 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-12 22:13 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-12 22:12 . 2008-01-24 22:27 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-12 22:12 . 2008-01-24 22:24 353,366 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-12 21:02 . 2008-01-18 10:17 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-01-12 15:32 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-11 21:12 . 2008-01-24 22:22 <DIR> d-------- C:\Temp
2008-01-11 21:11 . 2008-01-11 21:11 352,410 --a------ C:\WINDOWS\system32\ope321.exe
2008-01-11 20:49 . 2008-01-11 20:49 <DIR> d-------- C:\Motorola USB Modem
2008-01-11 20:08 . 2008-01-22 01:23 <DIR> d-------- C:\Program Files\Error Expert
2008-01-04 21:23 . 2008-01-04 21:23 <DIR> d-------- C:\Program Files\DivX
2007-12-26 16:34 . 2007-12-26 16:37 <DIR> d-------- C:\Program Files\Snood

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 04:46 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-01-24 04:41 --------- d-----w C:\Program Files\Yahoo!
2008-01-22 22:00 --------- d-----w C:\Program Files\Trillian
2008-01-22 15:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 16:39 --------- d-----w C:\Program Files\Java
2008-01-21 04:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 00:56 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-21 00:48 --------- d-----w C:\Program Files\KeyText
2008-01-21 00:46 --------- d-----w C:\Program Files\Believe in Sandy Holiday Story
2008-01-18 06:40 482 ------w C:\Program Files\Shortcut to WinRAR.lnk
2008-01-12 20:03 --------- d-----w C:\Program Files\TrojanHunter 5.0
2007-12-13 19:52 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-06 13:01 --------- d-----w C:\Program Files\Logitech
2007-12-05 14:52 --------- d-----w C:\Program Files\Macrogaming
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 01:02 --------- d-----w C:\Program Files\The Weather Channel FW
2007-12-04 01:02 --------- d-----w C:\Program Files\AskPBar
2007-08-10 22:18 774,144 ------w C:\Program Files\RngInterstitial.dll
2007-07-17 23:26 805 ------w C:\Program Files\Shortcut to NvMixer.lnk
2007-07-17 23:25 684 ------w C:\Program Files\Shortcut to firefox.lnk
2007-07-17 23:19 656 ------w C:\Program Files\Shortcut to moviemk.lnk
2007-07-17 23:19 632 ------w C:\Program Files\Shortcut to conf.lnk
2007-07-17 16:19 2,128,150 ------w C:\Program Files\McAfeeAvert349Stinger.zip
2007-07-17 15:49 763,737 ------w C:\Program Files\unins000.exe
2007-07-16 17:02 578,786 ------w C:\Program Files\PBpro.exe
2007-07-10 14:33 8,148,208 ------w C:\Program Files\RegistrySmart.exe
2007-07-10 14:33 763,120 ------w C:\Program Files\Launcher.exe
2007-07-09 14:11 10,561 ------w C:\Program Files\license.rtf
2007-06-21 01:00 702,644 ------w C:\Program Files\JUN2007_d3dx10_34_x64.cab
2007-06-21 01:00 702,072 ------w C:\Program Files\JUN2007_d3dx10_34_x86.cab
2007-06-21 01:00 45,302 ------w C:\Program Files\dxdllreg_x86.cab
2007-06-21 01:00 200,722 ------w C:\Program Files\JUN2007_XACT_x64.cab
2007-06-21 01:00 156,509 ------w C:\Program Files\JUN2007_XACT_x86.cab
2007-06-21 01:00 1,611,374 ------w C:\Program Files\JUN2007_d3dx9_34_x64.cab
2007-06-21 01:00 1,610,886 ------w C:\Program Files\JUN2007_d3dx9_34_x86.cab
2007-06-21 00:40 976,020 ------w C:\Program Files\BDAXP.cab
2007-06-21 00:40 917,318 ------w C:\Program Files\Apr2006_MDX1_x86.cab
2007-06-21 00:40 88,102 ------w C:\Program Files\AUG2006_xinput_x64.cab
2007-06-21 00:40 87,989 ------w C:\Program Files\Apr2006_xinput_x64.cab
2007-06-21 00:40 86,925 ------w C:\Program Files\Oct2005_xinput_x64.cab
2007-06-21 00:40 86,400 ------w C:\Program Files\dxupdate.cab
2007-06-21 00:40 77,160 ------w C:\Program Files\DSETUP.dll
2007-06-21 00:40 702,212 ------w C:\Program Files\APR2007_d3dx10_33_x64.cab
2007-06-21 00:40 699,465 ------w C:\Program Files\APR2007_d3dx10_33_x86.cab
2007-06-21 00:40 56,902 ------w C:\Program Files\APR2007_xinput_x86.cab
2007-06-21 00:40 503,144 ------w C:\Program Files\DXSETUP.exe
2007-06-21 00:40 47,018 ------w C:\Program Files\AUG2006_xinput_x86.cab
2007-06-21 00:40 46,898 ------w C:\Program Files\Apr2006_xinput_x86.cab
2007-06-21 00:40 46,247 ------w C:\Program Files\Oct2005_xinput_x86.cab
2007-06-21 00:40 4,163,518 ------w C:\Program Files\Apr2006_MDX1_x86_Archive.cab
2007-06-21 00:40 213,767 ------w C:\Program Files\DEC2006_d3dx10_00_x64.cab
2007-06-21 00:40 199,366 ------w C:\Program Files\APR2007_XACT_x64.cab
2007-06-21 00:40 198,275 ------w C:\Program Files\FEB2007_XACT_x64.cab
2007-06-21 00:40 193,435 ------w C:\Program Files\DEC2006_XACT_x64.cab
2007-06-21 00:40 192,680 ------w C:\Program Files\DEC2006_d3dx10_00_x86.cab
2007-06-21 00:40 183,863 ------w C:\Program Files\AUG2006_XACT_x64.cab
2007-06-21 00:40 183,321 ------w C:\Program Files\OCT2006_XACT_x64.cab
2007-06-21 00:40 181,745 ------w C:\Program Files\JUN2006_XACT_x64.cab
2007-06-21 00:40 180,021 ------w C:\Program Files\Apr2006_XACT_x64.cab
2007-06-21 00:40 179,247 ------w C:\Program Files\Feb2006_XACT_x64.cab
2007-06-21 00:40 154,825 ------w C:\Program Files\APR2007_XACT_x86.cab
2007-06-21 00:40 151,583 ------w C:\Program Files\FEB2007_XACT_x86.cab
2007-06-21 00:40 146,559 ------w C:\Program Files\DEC2006_XACT_x86.cab
2007-06-21 00:40 138,977 ------w C:\Program Files\OCT2006_XACT_x86.cab
2007-06-21 00:40 138,195 ------w C:\Program Files\AUG2006_XACT_x86.cab
2007-06-21 00:40 134,631 ------w C:\Program Files\JUN2006_XACT_x86.cab
2007-06-21 00:40 133,991 ------w C:\Program Files\Apr2006_XACT_x86.cab
2007-06-21 00:40 133,297 ------w C:\Program Files\Feb2006_XACT_x86.cab
2007-06-21 00:40 13,265,040 ------w C:\Program Files\dxnt.cab
2007-06-21 00:40 100,417 ------w C:\Program Files\APR2007_xinput_x64.cab
2007-06-21 00:40 1,673,576 ------w C:\Program Files\dsetup32.dll
2007-06-21 00:40 1,610,958 ------w C:\Program Files\APR2007_d3dx9_33_x64.cab
2007-06-21 00:40 1,609,639 ------w C:\Program Files\APR2007_d3dx9_33_x86.cab
2007-06-21 00:40 1,575,336 ------w C:\Program Files\DEC2006_d3dx9_32_x86.cab
2007-06-21 00:40 1,572,114 ------w C:\Program Files\DEC2006_d3dx9_32_x64.cab
2007-06-21 00:40 1,413,862 ------w C:\Program Files\OCT2006_d3dx9_31_x64.cab
2007-06-21 00:40 1,398,718 ------w C:\Program Files\Apr2006_d3dx9_30_x64.cab
2007-06-21 00:40 1,363,684 ------w C:\Program Files\Feb2006_d3dx9_29_x64.cab
2007-06-21 00:40 1,358,864 ------w C:\Program Files\Dec2005_d3dx9_28_x64.cab
2007-06-21 00:40 1,351,430 ------w C:\Program Files\Aug2005_d3dx9_27_x64.cab
2007-06-21 00:40 1,348,242 ------w C:\Program Files\Apr2005_d3dx9_25_x64.cab
2007-06-21 00:40 1,336,890 ------w C:\Program Files\Jun2005_d3dx9_26_x64.cab
2007-06-21 00:40 1,248,387 ------w C:\Program Files\Feb2005_d3dx9_24_x64.cab
2007-06-21 00:40 1,156,363 ------w C:\Program Files\BDANT.cab
2007-06-21 00:40 1,128,177 ------w C:\Program Files\OCT2006_d3dx9_31_x86.cab
2007-06-21 00:40 1,116,109 ------w C:\Program Files\Apr2006_d3dx9_30_x86.cab
2007-06-21 00:40 1,085,608 ------w C:\Program Files\Feb2006_d3dx9_29_x86.cab
2007-06-21 00:40 1,080,344 ------w C:\Program Files\Dec2005_d3dx9_28_x86.cab
2007-06-21 00:40 1,079,850 ------w C:\Program Files\Apr2005_d3dx9_25_x86.cab
2007-06-21 00:40 1,078,532 ------w C:\Program Files\Aug2005_d3dx9_27_x86.cab
2007-06-21 00:40 1,065,813 ------w C:\Program Files\Jun2005_d3dx9_26_x86.cab
2007-06-21 00:40 1,014,113 ------w C:\Program Files\Feb2005_d3dx9_24_x86.cab
2007-06-04 03:47 2,511 ------w C:\Program Files\FriendFinder Messenger v3.0.lnk
2007-05-30 01:34 5,419,008 ------w C:\Program Files\MySpaceIM.exe
2007-05-29 22:00 2,803,440 ------w C:\Program Files\Shockwave_Installer_Slim.exe
2007-05-01 19:18 1,035 ------w C:\Program Files\install.ini
.

((((((((((((((((((((((((((((( snapshot@2008-01-23_23.50.26.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 04:32:13 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-25 03:16:46 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 04:32:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-25 03:16:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 04:32:14 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-25 03:16:46 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-24 04:32:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-25 03:16:46 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 04:32:14 3,710,976 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-25 03:16:46 3,710,976 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-24 04:32:14 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 03:16:46 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 03:24:22 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_734.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-23 23:30 145920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 10:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-01-02 16:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 08:00 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-01-23 23:30 416256 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
--a------ 2004-06-03 19:51 131072 C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2007-06-29 05:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--------- 2007-06-21 13:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-03-21 15:58 3325952 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2002-05-29 01:59 520192 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
--a------ 2007-11-14 16:05 919016 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R2 NwSapAgent;SAP Agent;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys [2001-08-17 07:19]
R3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys [2001-08-17 07:19]
R3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys [2001-08-17 07:19]
S3 bdfsfltr;bdfsfltr;C:\WINDOWS\system32\drivers\bdfsfltr.sys []
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2006-12-13 16:52]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 22:27:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-24 22:31:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 03:30:56
ComboFix2.txt 2008-01-25 01:00:11
ComboFix3.txt 2008-01-25 00:22:36
ComboFix4.txt 2008-01-24 19:59:59
.
2008-01-20 08:20:04 --- E O F ---



Response Number 11
Name: jabuck
Date: January 24, 2008 at 19:52:55 Pacific
Subject: Smitfraud virus
Reply:
Much better.

Open Notepad and copy/paste everything between the X's into it, and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\ope321.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "Run".

If you still have Spyblocker installed, uninstall it.

Your Java is out of date and can be exploited.
Download the latest version of Java from this link: Java
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says "Accept License Agreement". The page will refresh.
Click on the link to download the Windows Offline Installation, with or without Multi-language, and save it to your desktop.
Close any programs you may have running, especially your web browser.
Go to Start > Control Panel, double-click Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click jre-1_6_3-windowsi586-p.exe to install the newest version.

You should consider adding "SpywareBlaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it rewrites malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

How is the computer operating?



Response Number 12
Name: khalkhalash
Date: February 10, 2008 at 07:43:26 Pacific
Subject: Smitfraud virus
Reply:
I had to deal with a Windows 2003 Server box which was infected by SmitFraud-C.CoreService two weeks ago. ComboFix simply would not run properly on this machine. None of the other suggested fixes worked either.

Jim Carolan's suggestion from the following thread was the only thing which finally worked for me, with one minor difference listed below:
http://www.computing.net/security/w...

"Reboot the computer in safe mode using f8 key as it boots.

go to directory c:\windows\system32\drivers

drag

core.cache.dsk and core.sys

onto the desktop and reboot.

Use the latest updated version of Spybot - Search & Destroy to remove the two registry entries for smitfraud-C.CoreService"

The one minor difference: I had to remove c:\windows\system32\drivers\dmioo.sys instead of core.sys (in addition to removing core.cache.dsk). I guess this latest incarnation of SmitFraud uses dmioo.sys. I'm not sure if this is the only file it uses or if dmioo.sys is a randomly generated name.

None of the spyware removal tools I tried (as of Feb 3, 2008) were able to get rid of this latest version of SmitFraud-C.CoreService or even detect that dmioo.sys was the culprit.



Response Number 13
Name: btk1w1
Date: February 10, 2008 at 14:59:16 Pacific
Subject: Smitfraud virus
Reply:
It's a randomly named driver that protects and re-introduces core.cache.dsk.

It's a fairly new change that the malware writer has made to this nuisance.

I'm glad to see you solved it and thanks for the added info.


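An added example, in Python, that is not part of any post above and is not ComboFix's or Spybot's code. It does offline what Responses 12 and 13 describe doing by hand: given the "Files Created" section of a ComboFix log (the line format is taken from the log in Response 10) and the driver services registered under HKLM\SYSTEM\CurrentControlSet\Services, it ranks which .sys is most likely the randomly named driver that keeps re-creating core.cache.dsk, and lists non-driver files dropped into system32\drivers. Everything it runs on is constructed: the sample log lines are modelled on the thread's log but the malware timestamps and sizes are made up, the service entries, on-disk file set and stock-driver baseline are illustrative, and C:\WINDOWS as the system root is an assumption. The Type/Start codes are the standard Services values (Type 1 kernel driver, 2 file-system driver; Start 0 boot, 1 system, 2 auto). On a real case the service dicts would be read with winreg or from an exported hive, and the baseline from a clean XP box at the same service-pack level.

```python
# Added example for this thread (not ComboFix's or any poster's code): cross-reference
# a ComboFix "Files Created" section with the kernel-driver services registered under
# HKLM\SYSTEM\CurrentControlSet\Services to find the randomly named .sys that keeps
# re-creating core.cache.dsk.  Runs offline on pasted data; no Windows APIs needed.
import os
import re
from datetime import datetime

WINDIR = "C:\\WINDOWS"                       # assumption: XP default system root
DRIVERS_DIR = WINDIR + "\\system32\\drivers"
# Constructed baseline of stock XP driver stems; on a real case take it from a clean box.
BASELINE = {"volsnap", "ntfs", "tcpip", "afd", "mup", "ksecdd", "null", "beep"}
# e.g. "2008-01-22 00:43 . 2008-01-22 00:43 87,952 --------- C:\WINDOWS\system32\drivers\bdfndisf.sys"
_CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
                         r"(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$")

def parse_created(lines):
    """Return [(created, size_or_None, attrs, path)] for every 'Files Created' line."""
    out = []
    for line in lines:
        m = _CREATED_RE.match(line.strip())
        if m:
            size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), size, m.group(3), m.group(4)))
    return out

def normalize_image_path(image_path):
    """Reduce the ImagePath spellings seen in the Services hive to one lowercase absolute path."""
    p = image_path.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):                    # \??\C:\WINDOWS\...
        p = p[4:]
    elif low.startswith("\\systemroot\\"):          # \SystemRoot\system32\...
        p = WINDIR + p[len("\\systemroot"):]
    elif low.startswith("system32\\"):              # relative: system32\drivers\x.sys
        p = WINDIR + "\\" + p
    return p.lower()

def edit_distance(a, b):
    """Levenshtein distance, to catch look-alike names (volsnapp.sys next to volsnap.sys)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(services, created_entries, baseline=BASELINE, file_exists=os.path.exists):
    """Score boot/system/auto-start driver services (Type 1/2, Start 0/1/2); look at the top hit first.
    `services` are dicts with name/Type/Start/ImagePath as stored under the Services hive."""
    created_paths = {e[3].lower() for e in created_entries}
    findings = []
    for svc in services:
        if svc.get("Type") not in (1, 2) or svc.get("Start") not in (0, 1, 2):
            continue
        path = normalize_image_path(svc["ImagePath"])
        stem = os.path.splitext(path.rsplit("\\", 1)[-1])[0]
        reasons = []
        if path in created_paths:
            reasons.append("file created in the log window")
        if stem not in baseline:
            reasons.append("not in baseline driver set")
            near = sorted(b for b in baseline if edit_distance(stem, b) == 1)
            if near:
                reasons.append("name mimics " + ", ".join(n + ".sys" for n in near))
        if not file_exists(path):
            reasons.append("ImagePath does not exist on disk")
        if reasons:
            findings.append((len(reasons), svc["name"], path, reasons))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

def odd_driver_dir_files(created_entries):
    """Non-.sys files dropped into system32\\drivers, such as core.cache.dsk."""
    prefix = DRIVERS_DIR.lower() + "\\"
    return [e[3] for e in created_entries
            if e[3].lower().startswith(prefix) and not e[3].lower().endswith(".sys")]

# Constructed sample input modelled on the log in this thread (malware timestamps/sizes made up).
SAMPLE_LOG = """\
2008-01-22 00:43 . 2008-01-22 00:43 87,952 --------- C:\\WINDOWS\\system32\\drivers\\bdfndisf.sys
2008-01-11 21:12 . 2008-01-24 22:22 <DIR> d-------- C:\\Temp
2008-01-11 21:10 . 2008-01-11 21:10 5,120 --a------ C:\\WINDOWS\\system32\\drivers\\volsnapp.sys
2008-01-11 21:10 . 2008-01-11 21:10 1,024 --ahs---- C:\\WINDOWS\\system32\\drivers\\core.cache.dsk
""".splitlines()
SAMPLE_SERVICES = [  # constructed; on a live box read these with winreg or from an exported hive
    {"name": "VolSnap", "Type": 1, "Start": 0, "ImagePath": "system32\\drivers\\volsnap.sys"},
    {"name": "volsnapp", "Type": 1, "Start": 1, "ImagePath": "\\SystemRoot\\system32\\drivers\\volsnapp.sys"},
    {"name": "bdfndisf", "Type": 1, "Start": 2, "ImagePath": "\\??\\C:\\WINDOWS\\system32\\drivers\\bdfndisf.sys"},
    {"name": "Ntfs", "Type": 2, "Start": 1, "ImagePath": "system32\\drivers\\ntfs.sys"},
    {"name": "Spooler", "Type": 16, "Start": 2, "ImagePath": "%SystemRoot%\\system32\\spoolsv.exe"},
]
SAMPLE_ON_DISK = {DRIVERS_DIR.lower() + "\\" + n for n in ("volsnap.sys", "volsnapp.sys", "bdfndisf.sys", "ntfs.sys")}

def run_sample():
    """Rank the constructed sample; volsnapp.sys should come out on top."""
    return triage(SAMPLE_SERVICES, parse_created(SAMPLE_LOG), file_exists=lambda p: p in SAMPLE_ON_DISK)

if __name__ == "__main__":
    for score, name, path, reasons in run_sample():
        print(f"[{score}] {name:<10} {path}  <- {'; '.join(reasons)}")
    for path in odd_driver_dir_files(parse_created(SAMPLE_LOG)):
        print(f"[!] non-driver file in drivers dir: {path}")
```

Run it as a script to see the ranked list. The look-alike check is what singles out volsnapp.sys sitting next to the legitimate volsnap.sys in this thread's log, and the non-.sys check surfaces core.cache.dsk. None of the checks proves a driver is malicious on its own; together they tell you which file to move out of system32\drivers from Safe Mode first, as Response 12 describes, before cleaning the leftover service keys.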

The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net, LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE

All content ©1996-2007 Computing.Net, LLC