trojan on ME


22 replies to this topic

#1 ogorman

Posted 20 July 2005 - 04:00 AM

here is log file using new version HJS
again thanks for any help

Logfile of HijackThis v1.99.1
Scan saved at 8:55:02 p.m., on 20/07/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {982FF11C-10C5-4D5B-A80A-5225A4823B4D} - C:\WINDOWS\SYSTEM\MABG.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\SYSTEM\yaemu.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O16 - DPF: {7D40ADF2-AD68-4959-ACEC-DA96BF5E6EB7} (SpyBouncer.SBDownloader) - http://spywareremover.spybouncer.com/downloader.ocx
O18 - Filter: text/html - {801529E7-3F72-44F7-8F64-2B89264A487D} - C:\WINDOWS\SYSTEM\MABG.DLL
O18 - Filter: text/plain - {801529E7-3F72-44F7-8F64-2B89264A487D} - C:\WINDOWS\SYSTEM\MABG.DLL
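
As an added example (not code from this thread, and not HijackThis itself), the Python script below applies the kind of checks a helper makes when reading a log like the one above: an IE search/start page that resolves to a `res://` DLL resource or a file under TEMP, an unnamed BHO loaded from the Windows system folder, an autostart entry that runs code from TEMP or is keyed by its own executable name, an O16 ActiveX download from a host outside a trusted list, and an O18 MIME filter on text content. The sample log is a constructed subset of the entries posted above; the rules are this example's own heuristics and the trusted-host list is an assumption for the demo.

```python
"""Triage a HijackThis 1.99 log for common browser-hijack indicators.

Added example, not code from this thread or from HijackThis itself. The
sample log is a constructed subset of the entries posted in the thread; the
rules are this example's own heuristics (a helper's reading of the log), and
the trusted-host list for O16 entries is an assumption for the demo.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000A)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {982FF11C-10C5-4D5B-A80A-5225A4823B4D} - C:\WINDOWS\SYSTEM\MABG.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\SYSTEM\yaemu.exe
O16 - DPF: {7D40ADF2-AD68-4959-ACEC-DA96BF5E6EB7} (SpyBouncer.SBDownloader) - http://spywareremover.spybouncer.com/downloader.ocx
O18 - Filter: text/html - {801529E7-3F72-44F7-8F64-2B89264A487D} - C:\WINDOWS\SYSTEM\MABG.DLL
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
TEMP_RE = re.compile(r"\\TEMP\\", re.IGNORECASE)
WINDIR_RE = re.compile(r"^C:\\WINDOWS\\SYSTEM(32)?\\", re.IGNORECASE)
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
CLSID_PATH_RE = re.compile(r"\{[0-9A-Fa-f-]+\} - (?P<path>.*)$")

# Assumed allowlist for this demo: vendors whose ActiveX (O16 DPF) downloads are expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "pandasoftware.com", "trendmicro.com")


def parse_entries(log_text):
    """Return (section, body) pairs for every R*/O* line; header lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def dpf_host(body):
    """Host part of an O16 entry's download URL ('' if the URL does not parse)."""
    url = body.rsplit(" - ", 1)[-1]
    return urlparse(url).hostname or ""


def host_is_trusted(host):
    """True when the host is one of the trusted vendors or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Apply the heuristics and return the entries worth a second look, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = None
        if section in ("R0", "R1"):
            value = body.split(" = ", 1)[-1]
            if value.lower().startswith("res://") or TEMP_RE.search(value):
                reason = "IE search/start page points at a DLL resource or a TEMP file"
        elif section == "O2":
            m = CLSID_PATH_RE.search(body)
            if body.startswith("BHO: (no name)") and m and WINDIR_RE.match(m.group("path")):
                reason = "unnamed BHO loaded from the Windows system folder"
        elif section == "O4":
            m = O4_RE.match(body)
            name = m.group("name").lower() if m else ""
            cmd = m.group("cmd").lower() if m else ""
            if TEMP_RE.search(body):
                reason = "autostart entry runs code from a TEMP folder"
            elif name.endswith(".exe") and cmd.endswith(name):
                reason = "autostart key named after its own executable"
        elif section == "O16":
            host = dpf_host(body)
            if not host_is_trusted(host):
                reason = "ActiveX download from a host outside the trusted list: " + host
        elif section == "O18" and body.startswith("Filter: text/"):
            reason = "MIME filter registered for text/* content (page-content interception)"
        if reason:
            findings.append({"section": section, "reason": reason, "entry": body})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['reason']}\n    {f['entry']}")
```

Run against the sample it flags six entries and leaves the Spybot BHO, the `about:blank` search page and the `ScanRegistry` autostart alone; the heuristics are deliberately narrow, so an entry that passes them is not thereby clean (the `MABG.DLL` filter and `yaemu.exe` in the real log are caught, but a dropped file under a plausible name in the system folder would not be).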

#2 ogorman

Posted 20 July 2005 - 05:36 AM

Have tried to remove with Spybot, Adaware
trojan seems to be in restore folder and cannot be deleted

thanks for your help

#3 ogorman

Posted 20 July 2005 - 06:43 PM

Hi Guys,

I have a fatal error on IE at 0028:C0011E36 caused by
Trojan-Spy.html.smitfraud

As such I cannot run Panda or Housecall online scanners.
AVG detects trojans Agent.cm and startpage.19.J
but cannot remove them.
Neither can Spybot or Adaware.
I am posting my HijackThis log in the hope that you can help.

Mark

Logfile of HijackThis v1.99.1
Scan saved at 8:55:02 p.m., on 20/07/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {982FF11C-10C5-4D5B-A80A-5225A4823B4D} - C:\WINDOWS\SYSTEM\MABG.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\SYSTEM\yaemu.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O16 - DPF: {7D40ADF2-AD68-4959-ACEC-DA96BF5E6EB7} (SpyBouncer.SBDownloader) - http://spywareremover.spybouncer.com/downloader.ocx
O18 - Filter: text/html - {801529E7-3F72-44F7-8F64-2B89264A487D} - C:\WINDOWS\SYSTEM\MABG.DLL
O18 - Filter: text/plain - {801529E7-3F72-44F7-8F64-2B89264A487D} - C:\WINDOWS\SYSTEM\MABG.DLL

#4 Guest_Cretemonster_*

Posted 23 July 2005 - 07:05 AM

Hi ogorman and Welcome to the Bleeping Computer!

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Click Here to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder.

Right click on a blank spot on your desktop and choose "New Folder". A New Folder will appear on the desktop. Name the folder SpSeHjfix.

Click Here to download SpSeHjfix109.zip. Save it to your desktop. Now unzip the SpSeHjfix109.zip file to the SpSeHjfix folder you created.

Disconnect from the internet and close all running programs and any open browser windows.

Open the 'SpSeHjfix' folder and click on the SpSeHjfix109.exe file. Now click on the "Start Disinfection" button and let it run.
When it's finished it will reboot your machine to finish the cleaning process.
It will create a log of the fix which will appear in the folder.


Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


Next run CWShredder. Click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

Run SpSeHjfix109 again while in Safe Mode-> Save that Report as well!


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Now locate and Delete this file

C:\WINDOWS\SYSTEM\yaemu.exe

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.

Select the tab labeled Startup and put a Check by every box there!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!


Post back with a fresh HijackThis log and the reports from Panda and SpSeHjfix!

#5 ogorman

Posted 23 July 2005 - 10:04 PM

Thanks 4 the reply Cretemonster,

Have followed your instructions
Here are the logs from the programs I ran
There is still something there!!!!
Active Scan
Incident Status Location

Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\oleadm.dll
Adware:Adware/SearchExe.gen No disinfected C:\WINDOWS\SYSTEM\bgcb.dll
Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Spyware:Spyware/Smitfraud No disinfected C:\WINDOWS\TEMP\pav6192.TMP

(7/24/05 9:05:43 a.m.) SPSeHjFix started v1.09
(7/24/05 9:05:43 a.m.) OS: WinME A (4.90.73010104)
(7/24/05 9:05:43 a.m.) Language: english
(7/24/05 9:05:48 a.m.) Disinfect started
(7/24/05 9:05:48 a.m.) Bad-Dll(IEP): (not found)
(7/24/05 9:05:48 a.m.) Bad-Dll(IEP) in BHO: (not found)
(7/24/05 9:05:48 a.m.) UBF: 4
(7/24/05 9:05:48 a.m.) UBB: 0
(7/24/05 9:05:48 a.m.) UBR: 15
(7/24/05 9:05:48 a.m.) Bad IE-pages:
(7/24/05 9:05:48 a.m.) Stealth-String not found:
(7/24/05 9:05:48 a.m.) Not infected->END


(7/24/05 9:11:11 a.m.) SPSeHjFix started v1.09
(7/24/05 9:11:11 a.m.) OS: WinME A (4.90.73010104)
(7/24/05 9:11:11 a.m.) Language: english
(7/24/05 9:11:13 a.m.) Disinfect started
(7/24/05 9:11:13 a.m.) Bad-Dll(IEP): (not found)
(7/24/05 9:11:13 a.m.) Bad-Dll(IEP) in BHO: (not found)
(7/24/05 9:11:13 a.m.) UBF: 4
(7/24/05 9:11:13 a.m.) UBB: 0
(7/24/05 9:11:13 a.m.) UBR: 15
(7/24/05 9:11:13 a.m.) Bad IE-pages:
(7/24/05 9:11:13 a.m.) Stealth-String not found:
(7/24/05 9:11:13 a.m.) Not infected->END


Logfile of HijackThis v1.99.1
Scan saved at 2:51:10 p.m., on 24/07/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\SPYWAREVANISHER-FULL\SPYWAREVANISHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Spyware Vanisher] C:\SPYWAREVANISHER-FULL\SPYWAREVANISHER.EXE -FastScan
O16 - DPF: {7D40ADF2-AD68-4959-ACEC-DA96BF5E6EB7} (SpyBouncer.SBDownloader) - http://spywareremover.spybouncer.com/downloader.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

Again Thanks for any help you can give


Mark

#6 miekiemoes

  • Malware Response Team

Posted 29 July 2005 - 01:52 PM

Hello, because Cretemonster is in hospital unfortunately, I'm taking over this log.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\SPYWAREVANISHER-FULL\SPYWAREVANISHER.EXE -FastScan
O16 - DPF: {7D40ADF2-AD68-4959-ACEC-DA96BF5E6EB7} (SpyBouncer.SBDownloader) - http://spywareremover.spybouncer.com/downloader.ocx


* Click on Fix Checked when finished and exit HijackThis.


* Using Windows Explorer, locate the following folder and files, and delete it:

C:\WINDOWS\SYSTEM\bgcb.dll
C:\WINDOWS\SYSTEM\oleadm.dll
C:\SPYWAREVANISHER-FULL

This Spywarevanisher is a so-called spyware remover; it has a bad reputation and is spyware itself. Read here for more info: http://www.spywarewarrior.com/rogue_anti-s...re.htm#products

If you can't remove it in normal mode, remove it in safe mode.

*Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

There is also something I want to check if it's really disinfected..

I want to know what it is, so can you go to next site:
http://virusscan.jotti.org/

On top you'll find: File to upload and scan.
Now browse to the next file:

C:\WINDOWS\SYSTEM\WININET.DLL

Click submit and let it scan.
Post the results in your next reply together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 ogorman

Posted 29 July 2005 - 06:27 PM

Hi miekiemoes,

I have completed all the steps you gave me,

The file
C:\windows\system\oleadm.dll
could not be deleted in normal or safe mode.

here is the scan log and hijackthis log you asked for ;

Thanks for your help

Mark

Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Oleadm.Callgate
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Alespy.B
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.2636
F-Prot Antivirus Found W32/Oleadm.A
Fortinet Found W32/Nsag.A
Kaspersky Anti-Virus Found Virus.Win32.Nsag.a
NOD32 Found Win32/Oleloa.gen
Norman Virus Control Found nothing
UNA Found Win32.Nsag.a
VBA32 Found Virus.Win32.Nsag.a



Statistics
Last file scanned at least one scanner reported something about: Dial/RAS in adrmcer.cab, detected by:
Scanner Malware name
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web not a virus Adware.nCase
F-Prot Antivirus X
Fortinet Dial/RAS
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
UNA X
VBA32 X

Logfile of HijackThis v1.99.1
Scan saved at 11:06:41 a.m., on 30/07/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

#8 miekiemoes

Posted 29 July 2005 - 06:55 PM

That's what I thought about the oleadm.dll

Hmm.. you have Windows ME, so I'm not sure if there are any legit/not infected copies of wininet.dll present on your system. Because wininet.dll is needed for several applications, but is infected here and may not be deleted but disinfected.

Ok, let's see..

Launch Notepad, and copy/paste next bold in it:

rem list every wininet.dll on drive C whatever its attributes (/a alone; /a:h would list hidden files only)
dir c:\wininet.dll /a /s > wininet.txt
start notepad wininet.txt


Save it as wininet.bat ,choose to save as all files and save it on your Desktop.
This is how the batch must look after you created it: [image]
Double-click on it. It will open Notepad with some text in it. Please post the contents of it in your next reply.

We'll take care of the oleadm.dll later.

Edited by miekiemoes, 29 July 2005 - 07:03 PM.


#9 ogorman

Posted 05 August 2005 - 05:11 PM

Hi again,

ran .bat file
This came back with a "file not found" error, and all that emerged was the following:

Volume in drive C has no label
Volume Serial Number is 4519-14E2

Directory of C:\WINDOWS\Desktop

9,961.36 MB free

#10 miekiemoes

Posted 05 August 2005 - 05:21 PM

Hmmm, this is odd... so it shows here that there is also no wininet.dll present in your system-folder??? There has to be though.

Ok, can you try something? Go to your system-folder and copy the wininet.dll to your desktop, not move, because that won't work.

Let me know if you could copy it to your desktop.

#11 ogorman

Posted 05 August 2005 - 06:18 PM

it has allowed me to copy

wininet.dll to desktop, the filename is in uppercase

I have tried .bat file using uppercase filename with the same result.

#12 miekiemoes

Posted 05 August 2005 - 06:42 PM

Ok.. now reboot. Important.

First of all, I want you to download and install firefox, because a loss of wininet.dll causes your Internet Explorer and explorer not to run.
http://www.mozilla.org/products/firefox/
That's why we need to disinfect wininet.dll instead of deleting it. The reason why I let you install firefox is, you never know that a scanner deletes that wininet.dll, leaving you without IE or explorer. In this case you can still surf with firefox then.
In case you lost your explorer (no taskbar and icons on desktop), you can browse through files via your taskmanager (holding CTRL-ALT-DEL) and running programs from there (new task) such as firefox.exe.
Don't worry, normally, if you follow my directions in the right way, this won't happen, but I added this in case it will happen, so you know what to do.

Let's disinfect the wininet.dll that is present on your desktop.
We can't disinfect the one present in your system32-folder, because it's still in use, but if we already can disinfect one, so we have a clean copy of it, we'll find a way to deal with it.

Go to the Panda online scan again:
http://www.pandasoftware.com/products/acti...n_principal.htm

Choose Scan your Pc
Choose Check now
You have to fill in your email and country. when done, choose Start Scan
On top, you'll see: Select a device to scan.
Choose Other Media
A new window will open where you can select what file to scan.
Browse to that wininet.dll you copied to your desktop... Not the one in your system-folder but the one on your desktop.
Click ok.
Panda will scan this file and disinfect it.

When done, go to http://virusscan.jotti.org/ again and upload the wininet.dll from your desktop and let it scan there.
Post the results in your next reply, as you did before.

So, the important part in here is, we are dealing with the wininet.dll on your desktop now, not with the one present in your system-folder.

#13 ogorman

Posted 06 August 2005 - 04:44 PM

here are the latest scan results from
wininet.dll

Incident Status Location

Virus:W32/Smitfraud.B Disinfected C:\WINDOWS\Desktop\WININET.DLL


File: WININET.DLL
Status: OK
MD5 be2fa807511e93172bc43fc9e298ed50
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


Statistics
Last file scanned at least one scanner reported something about: DIAL/300115 dialer in Diablo_2-_Games_-full-downloader.zip, detected by:
Scanner Malware name
AntiVir DIAL/300115 dialer
ArcaVir X
Avast Win32:Trojan-gen. {Other}
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus not-a-virus:Porn-Dialer.Win32.ALifeDialer
NOD32 X
Norman Virus Control X
UNA X
VBA32 X

thanks

#14 miekiemoes

Posted 06 August 2005 - 04:54 PM

Ok.. so it seems like the wininet.dll on your desktop is disinfected now.
Let's replace it with the infected one present in your system-folder..

Open your system-folder and rename wininet.dll to wininet.old.
Now copy the wininet.dll from your desktop to your system-folder.

Let me know if that worked. :thumbsup:
If that doesn't work, let me know what errors you exactly get.

Edit: The reason why I let you copy the wininet.dll from your desktop instead of moving it to your system-folder is because we still have a clean copy present on your system, so we can use that one afterwards to solve it in another way if the previous steps fail. :flowers:

Edited by miekiemoes, 06 August 2005 - 04:58 PM.

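
The two checks this thread turns on, finding every copy of wininet.dll on the drive (the batch file in post #8) and telling the disinfected copy apart from the in-use one by hash (the MD5 in post #13), can be done in one script. The following is an added example, not code from the thread: it builds a constructed Windows ME-like tree in a temporary folder (placeholder bytes, not real DLLs; the `_RESTORE\TEMP\A0001234.CPY` name is a constructed stand-in for the System Restore archive mentioned in post #2), walks it with `os.walk`, which reports files regardless of the hidden attribute, matches names case-insensitively (post #11 notes the file shows up in uppercase), and then also searches by content so an archived copy under a different name is not missed. The reference hash is the constructed clean copy's own MD5, not the value from post #13.

```python
"""Locate every copy of a DLL under a root and compare each against a known-clean hash.

Added example, not code from the BleepingComputer thread. It stands in for the
wininet.bat from post #8 and for the MD5 check of the disinfected copy in post #13.
The directory tree is constructed in a temporary folder so the script runs anywhere.
"""
import hashlib
import os
import shutil
import tempfile


def md5_of(path):
    """Hex MD5 of a file, read in chunks so a large DLL is not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, filename):
    """Return sorted [(path, md5)] for every file named `filename` under `root`.

    Name matching is case-insensitive (Win9x reports WININET.DLL in uppercase) and
    os.walk lists files whatever their attributes, so hidden copies are included.
    """
    wanted = filename.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == wanted:
                path = os.path.join(dirpath, name)
                hits.append((path, md5_of(path)))
    return sorted(hits)


def find_by_hash(root, digest):
    """Return sorted paths of every file under `root` whose MD5 equals `digest`,
    whatever the file is called (catches archived copies stored under other names)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if md5_of(path) == digest:
                hits.append(path)
    return sorted(hits)


def classify(copies, clean_md5):
    """Map each path to 'clean' (hash equals the reference) or 'differs'."""
    return {path: ("clean" if digest == clean_md5 else "differs") for path, digest in copies}


def build_demo_tree():
    """Constructed tree: a disinfected copy on the Desktop, the in-use copy in SYSTEM,
    and a same-content copy archived under a constructed name in _RESTORE\\TEMP."""
    root = tempfile.mkdtemp(prefix="winme_demo_")
    clean = b"clean-placeholder-dll"
    infected = b"infected-placeholder-dll"
    layout = {
        os.path.join("WINDOWS", "Desktop", "WININET.DLL"): clean,
        os.path.join("WINDOWS", "SYSTEM", "WININET.DLL"): infected,
        os.path.join("_RESTORE", "TEMP", "A0001234.CPY"): infected,
        os.path.join("WINDOWS", "SYSTEM", "OTHER.DLL"): b"unrelated-placeholder",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Build the tree, classify the named copies, then hunt the infected content by hash."""
    root = build_demo_tree()
    try:
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        clean_md5 = md5_of(os.path.join(root, "WINDOWS", "Desktop", "WININET.DLL"))
        copies = find_copies(root, "wininet.dll")
        verdicts = classify(copies, clean_md5)
        infected_md5 = next(d for p, d in copies if verdicts[p] == "differs")
        return {
            "copies": [rel(p) for p, _ in copies],
            "verdicts": {rel(p): v for p, v in verdicts.items()},
            "same_content_as_infected": [rel(p) for p in find_by_hash(root, infected_md5)],
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The name search finds the two wininet.dll files and the hash comparison marks only the Desktop copy as clean; the content search then also surfaces the archived copy in `_RESTORE`, which a name-based `dir` never lists and which is why a scanner keeps reporting the same trojan after the live file has been dealt with.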

#15 ogorman

Posted 06 August 2005 - 05:13 PM

Cannot rename wininet.dll in system folder.

Error is:
cannot rename wininet: specified file being used by windows



