Tech Support Forum - View Single Post - Constant Pop-Ups: Smitfraud-C.CoreService

Ried · 01-07-2008, 01:37 PM

Thank you tetonbob.

Hello jonniegirl77,

This round will be considerably more time consuming for you as we have quite a bit to do. Just take it a step at a time.

*Important*

One or more of the infections onboard is a backdoor trojan.

Your account login and passwords for sites have been severely compromised. The x.dat and z.dat folders (now deleted by ComboFix) were the work of the attacker, and those folders collected the account login and passwords of sites you frequent.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords to your accounts from that clean machine. It would also be wise to contact those same financial institutions to apprise them of your situation.

Do NOT change passwords or do any transactions from this computer until we've finished cleaning it.

***************************************************

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in their entirety, and in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:

http://www.techsupportforum.com/security-center/hijackthis-log-help/208939-constant-pop-ups-smitfraud-c-coreservice-post1252449.html#post1252449

Collect::
C:\WINDOWS\mrofinu1000106.exe.tmp

RenV::
----a-w            39,792 2008-01-02 03:49:15  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w            28,738 2008-01-02 03:49:08  C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w            68,856 2008-01-02 03:49:21  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           974,848 2008-01-02 03:48:56  C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
----a-w           823,296 2008-01-02 03:48:54  C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
----a-w            61,440 2008-01-02 03:49:27  C:\Program Files\kernel\kernel .exe
----a-w            57,344 2008-01-02 03:49:12  C:\Program Files\Lexmark 1200 Series\lxczbmgr .exe
----a-w         1,694,208 2008-01-02 03:49:27  C:\Program Files\Messenger\msmsgs .exe
----a-w            24,576 2008-01-02 03:49:07  C:\Program Files\Microsoft Works\wkfud .exe
----a-w           331,830 2008-01-02 03:49:05  C:\Program Files\Microsoft Works\WksSb .exe
----a-w           866,584 2008-01-02 03:49:18  C:\Program Files\Windows Defender\MSASCui .exe
----a-w            15,360 2008-01-05 16:58:12  C:\WINDOWS\system32\ctfmon .exe
----a-w           159,744 2008-01-02 03:48:58  C:\WINDOWS\system32\hkcmd .exe
----a-w           131,072 2008-01-02 03:49:01  C:\WINDOWS\system32\igfxpers .exe
----a-w           135,168 2008-01-02 03:48:55  C:\WINDOWS\system32\igfxtray .exe

File::
C:\n.bat

Folder::
C:\WINDOWS\system32\mr9
C:\WINDOWS\system32\ardCo18
C:\WINDOWS\system32\aj2
C:\WINDOWS\SmVzc2ljYSBIb2xicm9vaw
C:\Temp

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kernel"=-

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

**When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.
A browser will open.
Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------

While you're connected to the internet...

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix) Do not run it yet.

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt I'll need that in your next reply.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
C:\SDFix\Report.txt
Kaspersky results
New HijackThis log
Update on system behavior

01-07-2008, 01:37 PM	#8 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,573 OS: WinXP and Vista	Re: Constant Pop-Ups: Smitfraud-C.CoreService Thank you tetonbob. Hello jonniegirl77, This round will be considerably more time consuming for you as we have quite a bit to do. Just take it a step at a time. *Important* One or more of the infections onboard is a backdoor trojan. Your account login and passwords for sites have been severely compromised. The x.dat and z.dat folders (now deleted by ComboFix) were the work of the attacker, and those folders collected the account login and passwords of sites you frequent. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords to your accounts from that clean machine. It would also be wise to contact those same financial institutions to apprise them of your situation. Do NOT change passwords or do any transactions from this computer until we've finished cleaning it. ************************************************* Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in their entirety, and in the sequence listed below. *********************************************** 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. --------------------------------------------------------------------- Open notepad and copy/paste the text in the code box below into it: Code: http://www.techsupportforum.com/security-center/hijackthis-log-help/208939-constant-pop-ups-smitfraud-c-coreservice-post1252449.html#post1252449 Collect:: C:\WINDOWS\mrofinu1000106.exe.tmp RenV:: ----a-w 39,792 2008-01-02 03:49:15 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe ----a-w 28,738 2008-01-02 03:49:08 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe ----a-w 68,856 2008-01-02 03:49:21 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe ----a-w 974,848 2008-01-02 03:48:56 C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe ----a-w 823,296 2008-01-02 03:48:54 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe ----a-w 61,440 2008-01-02 03:49:27 C:\Program Files\kernel\kernel .exe ----a-w 57,344 2008-01-02 03:49:12 C:\Program Files\Lexmark 1200 Series\lxczbmgr .exe ----a-w 1,694,208 2008-01-02 03:49:27 C:\Program Files\Messenger\msmsgs .exe ----a-w 24,576 2008-01-02 03:49:07 C:\Program Files\Microsoft Works\wkfud .exe ----a-w 331,830 2008-01-02 03:49:05 C:\Program Files\Microsoft Works\WksSb .exe ----a-w 866,584 2008-01-02 03:49:18 C:\Program Files\Windows Defender\MSASCui .exe ----a-w 15,360 2008-01-05 16:58:12 C:\WINDOWS\system32\ctfmon .exe ----a-w 159,744 2008-01-02 03:48:58 C:\WINDOWS\system32\hkcmd .exe ----a-w 131,072 2008-01-02 03:49:01 C:\WINDOWS\system32\igfxpers .exe ----a-w 135,168 2008-01-02 03:48:55 C:\WINDOWS\system32\igfxtray .exe File:: C:\n.bat Folder:: C:\WINDOWS\system32\mr9 C:\WINDOWS\system32\ardCo18 C:\WINDOWS\system32\aj2 C:\WINDOWS\SmVzc2ljYSBIb2xicm9vaw C:\Temp Registry:: [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "kernel"=- Save this as CFScript.txt Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you. Post that log in your next reply. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file. --------------------------------------------------------------------- While you're connected to the internet... Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix) Do not run it yet. -------------------------------------------------------------------- Please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. 5) Login with your usual account. Make sure to close any open browsers. -------------------------------------------------------------------- Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt I'll need that in your next reply. -------------------------------------------------------------------- Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course: Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------- Run a new scan with HijackThis and save the log. --------------------------------------------------------------- Please include the following in your next reply: C:\ComboFix.txt C:\SDFix\Report.txt Kaspersky results New HijackThis log Update on system behavior __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul." Last edited by Ried; 01-07-2008 at 01:42 PM.