This topic is lockedHave you had a chance to look at the logfiles?
Really need your help here
Kind regards, tc
Bloodhound+Trojan-Spy.HTML.Smitfraud.c [resolved]
Started by
thecollectore
, Jul 07 2005 06:43 AM
#16
Posted 08 July 2005 - 10:09 AM
thecollectore
- Topic Starter
-
- Member
-
- 62 posts
Member
Have you had a chance to look at the logfiles?
Really need your help here
Kind regards, tc
#17
Posted 08 July 2005 - 01:21 PM
g2i2r4
-
- Retired Staff
-
- 5,080 posts
retired HiJack Helper
I know Norton is crying out. I want to make sure to have your computer as clean as possible before we take on that mallware. If we do not use caution, we have big trouble.
Open Windows Explorer.
Remove these folders:
C:\Documents and Settings\rfossum\Favorites\Online Pharmacy\
C:\Documents and Settings\rfossum\Favorites\Online Gambling\
C:\Program Files\MyWay\
Remove these files:
C:\Documents and Settings\All Users\Desktop\Online Dating.url
C:\Documents and Settings\All Users\Desktop\Remove Spyware.url
C:\Documents and Settings\rfossum\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
C:\Documents and Settings\rfossum\Favorites\Black Jack Online.url
C:\Documents and Settings\rfossum\Favorites\Home Loan.url
C:\Documents and Settings\rfossum\Favorites\Network Security.url
C:\Documents and Settings\rfossum\Favorites\Online Dating.url
C:\Documents and Settings\rfossum\Favorites\Online Gambling.url
C:\Documents and Settings\rfossum\Favorites\Online Pharmacy.url
C:\Documents and Settings\rfossum\Favorites\Remove Spyware.url
C:\Documents and Settings\rfossum\Favorites\Spam Filters.url
C:\Documents and Settings\rfossum\Favorites\Web Detective.url
C:\Documents and Settings\rfossum\Favorites\Take It Here - Free [bleep] TGP.url
There's some other word at the [bleep] that didn't make it through our filters.
***
Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\uninstIU.exe
For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
If your computer does not restart automatically, please restart it manually.
***
Please go here: Jotti Virus Scan
Click the "browse" button and locate this file:
C:\WINDOWS\System32\wininet.dll
Click "Open", then click the "Submit" button. Copy the results and paste them here.
***
Copy everything in purple below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.
dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt
Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.
Beare with we for just a few posts please.
Open Windows Explorer.
Remove these folders:
C:\Documents and Settings\rfossum\Favorites\Online Pharmacy\
C:\Documents and Settings\rfossum\Favorites\Online Gambling\
C:\Program Files\MyWay\
Remove these files:
C:\Documents and Settings\All Users\Desktop\Online Dating.url
C:\Documents and Settings\All Users\Desktop\Remove Spyware.url
C:\Documents and Settings\rfossum\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
C:\Documents and Settings\rfossum\Favorites\Black Jack Online.url
C:\Documents and Settings\rfossum\Favorites\Home Loan.url
C:\Documents and Settings\rfossum\Favorites\Network Security.url
C:\Documents and Settings\rfossum\Favorites\Online Dating.url
C:\Documents and Settings\rfossum\Favorites\Online Gambling.url
C:\Documents and Settings\rfossum\Favorites\Online Pharmacy.url
C:\Documents and Settings\rfossum\Favorites\Remove Spyware.url
C:\Documents and Settings\rfossum\Favorites\Spam Filters.url
C:\Documents and Settings\rfossum\Favorites\Web Detective.url
C:\Documents and Settings\rfossum\Favorites\Take It Here - Free [bleep] TGP.url
There's some other word at the [bleep] that didn't make it through our filters.
***
Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\uninstIU.exe
For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
If your computer does not restart automatically, please restart it manually.
***
Please go here: Jotti Virus Scan
Click the "browse" button and locate this file:
C:\WINDOWS\System32\wininet.dll
Click "Open", then click the "Submit" button. Copy the results and paste them here.
***
Copy everything in purple below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.
dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt
Double click wininet.bat and when it is ready it will open files.txt
Copy the content of files.txt and paste it here.
Beare with we for just a few posts please.
#18
Posted 08 July 2005 - 01:37 PM
thecollectore
- Topic Starter
-
- Member
-
- 62 posts
Member
Hi! Puuh...you're back! 
I'm on it. I also see a folder C:\Documents and Settings\rfossum\Favorites\Sexual life which is not a favorite than I have added.... Should I leave for now, or delete it as well?
tc
I'm on it. I also see a folder C:\Documents and Settings\rfossum\Favorites\Sexual life which is not a favorite than I have added.... Should I leave for now, or delete it as well?
tc
#19
Posted 08 July 2005 - 01:43 PM
g2i2r4
-
- Retired Staff
-
- 5,080 posts
retired HiJack Helper
If you didn't put it there, delete it as well.
Be sure I won't leave you till you are as clean as I can make it.
Be sure I won't leave you till you are as clean as I can make it.
#20
Posted 08 July 2005 - 01:54 PM
thecollectore
- Topic Starter
-
- Member
-
- 62 posts
Member
Remember that I tried replacing the wininet.dll as described in first posting, therefore I will do a scan for the original wininet.dll file that is named wininet.old now as well, but when I try to scan this one I get "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file".
Results from Jotti for the replaced wininet.dll:
File: WININET.DLL
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 96e9cbb9f5b7faca709d87f49183ae5f
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
*Maybe I should try renaming the wininet.old to wininet.dll again and then run the scan??
I stop here until you have checked it out, so I have not done the wininet.bat stuff yet.
Results from Jotti for the replaced wininet.dll:
File: WININET.DLL
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 96e9cbb9f5b7faca709d87f49183ae5f
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
*Maybe I should try renaming the wininet.old to wininet.dll again and then run the scan??
I stop here until you have checked it out, so I have not done the wininet.bat stuff yet.
#21
Posted 08 July 2005 - 02:46 PM
g2i2r4
-
- Retired Staff
-
- 5,080 posts
retired HiJack Helper
Do not rename the wininet.old back!!!
Do create the wininet.bat and run it. I'd like to see the result.
Do create the wininet.bat and run it. I'd like to see the result.
Edited by g2i2r4, 08 July 2005 - 02:46 PM.
#22
Posted 08 July 2005 - 03:00 PM
thecollectore
- Topic Starter
-
- Member
-
- 62 posts
Member
Ok, here's the result;
Volume in drive C has no label.
Volume Serial Number is E020-1E35
Directory of C:\WINDOWS\ServicePackFiles\i386
29.08.2002 03:41 599˙040 wininet.dll
1 File(s) 599˙040 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819
04.08.2004 09:56 656˙384 wininet.dll
1 File(s) 656˙384 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\ea4fe5325a873581baacd3ab51700fd2\rtmgdr
27.04.2005 10:54 574˙976 wininet.dll
1 File(s) 574˙976 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\ea4fe5325a873581baacd3ab51700fd2\RTMQFE
27.04.2005 19:51 585˙216 wininet.dll
1 File(s) 585˙216 bytes
Directory of C:\WINDOWS\system32
21.01.2004 16:16 588˙288 WININET.DLL
1 File(s) 588˙288 bytes
Directory of C:\WINDOWS\system32\dllcache
21.01.2004 16:16 588˙288 WININET.DLL
1 File(s) 588˙288 bytes
Volume in drive C has no label.
Volume Serial Number is E020-1E35
Directory of C:\WINDOWS\ServicePackFiles\i386
29.08.2002 03:41 599˙040 wininet.dll
1 File(s) 599˙040 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819
04.08.2004 09:56 656˙384 wininet.dll
1 File(s) 656˙384 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\ea4fe5325a873581baacd3ab51700fd2\rtmgdr
27.04.2005 10:54 574˙976 wininet.dll
1 File(s) 574˙976 bytes
Directory of C:\WINDOWS\SoftwareDistribution\Download\ea4fe5325a873581baacd3ab51700fd2\RTMQFE
27.04.2005 19:51 585˙216 wininet.dll
1 File(s) 585˙216 bytes
Directory of C:\WINDOWS\system32
21.01.2004 16:16 588˙288 WININET.DLL
1 File(s) 588˙288 bytes
Directory of C:\WINDOWS\system32\dllcache
21.01.2004 16:16 588˙288 WININET.DLL
1 File(s) 588˙288 bytes
#23
Posted 08 July 2005 - 03:13 PM
g2i2r4
-
- Retired Staff
-
- 5,080 posts
retired HiJack Helper
Use killbox to remove these two files:
C:\Windows\System32\wininet.old
C:\Windows\System32\oleadm32.dll
Reboot.
Then download the updated tool smitrem and let it run in safe mode. There are still things left over in the Registry. The new tool creates a log. Post me that log please.
C:\Windows\System32\wininet.old
C:\Windows\System32\oleadm32.dll
Reboot.
Then download the updated tool smitrem and let it run in safe mode. There are still things left over in the Registry. The new tool creates a log. Post me that log please.
#24
Posted 08 July 2005 - 03:37 PM
thecollectore
- Topic Starter
-
- Member
-
- 62 posts
Member
Hi,
Used killbox and downloaded the fresh smitrem from your link on page 1. Created a new folder on desktop, went into Safemode and run the smitrem, but I do not see any logfile that I can upload?
Used killbox and downloaded the fresh smitrem from your link on page 1. Created a new folder on desktop, went into Safemode and run the smitrem, but I do not see any logfile that I can upload?
#25
Posted 08 July 2005 - 03:46 PM
g2i2r4
-
- Retired Staff
-
- 5,080 posts
retired HiJack Helper
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
#26
Posted 08 July 2005 - 03:49 PM
thecollectore
- Topic Starter
-
- Member
-
- 62 posts
Member
Got it!
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ system32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ system32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
Not Infected!
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ system32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ system32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
Not Infected!
#27
Posted 08 July 2005 - 03:54 PM
g2i2r4
-
- Retired Staff
-
- 5,080 posts
retired HiJack Helper
hmm then the panda scan should come clean on this infection.
Can you run that one again?
Can you run that one again?
#28
Posted 08 July 2005 - 03:56 PM
thecollectore
- Topic Starter
-
- Member
-
- 62 posts
Member
Ok, will run the panda scan.
#29
Posted 08 July 2005 - 06:04 PM
thecollectore
- Topic Starter
-
- Member
-
- 62 posts
Member
Here's the result of the panda scan:
Incident Status Location
Adware:Adware/MyWay No disinfected Windows Registry
Incident Status Location
Adware:Adware/MyWay No disinfected Windows Registry
#30
Posted 08 July 2005 - 06:09 PM
g2i2r4
-
- Retired Staff
-
- 5,080 posts
retired HiJack Helper
Ok, let's see if we can remove that last bit too.
Download and install Registrar Lite.
Let's go search the Registry for MYWAY
Please be very carefull what you do. A corrupt Registry is a broken down machine.
Doubleclick the file you just downloaded.
An Installshield will appear. Follow the instructions.
Go to start - programs - RegistrarLite - Registrar Lite
Since it's the first time you open it, the program will finish the installation.
Press the magnifying glass
In the box 'text to search for' type
MYWAY
press 'enter'. The program will search the Registry looking for items.
When it's done searching you will see a window with rows.
Click a row (*)
Click the star icon below
A new window (bookmarks) will open
You will be on the same row we started at
Click the right mousebutton
Click 'copy name to clipboard'
Open notepad
Click the right mousebutton and choose 'paste'.
Go back to Registrar Lite and close the bookmarks window.
Go to the next row
Repeat the steps from (*) untill all items are done.
Then close Registrar Lite.
In Notepad you can copy all lines and post them here in your answer.
I'll check back tomorrow (got squared eyes again
).
Download and install Registrar Lite.
Let's go search the Registry for MYWAY
Please be very carefull what you do. A corrupt Registry is a broken down machine.
Doubleclick the file you just downloaded.
An Installshield will appear. Follow the instructions.
Go to start - programs - RegistrarLite - Registrar Lite
Since it's the first time you open it, the program will finish the installation.
Press the magnifying glass
In the box 'text to search for' type
MYWAY
press 'enter'. The program will search the Registry looking for items.
When it's done searching you will see a window with rows.
Click a row (*)
Click the star icon below
A new window (bookmarks) will open
You will be on the same row we started at
Click the right mousebutton
Click 'copy name to clipboard'
Open notepad
Click the right mousebutton and choose 'paste'.
Go back to Registrar Lite and close the bookmarks window.
Go to the next row
Repeat the steps from (*) untill all items are done.
Then close Registrar Lite.
In Notepad you can copy all lines and post them here in your answer.
I'll check back tomorrow (got squared eyes again
).
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
