
Bloodhound+Trojan-Spy.HTML.Smitfraud.c [resolved]


This topic is locked

#16
thecollectore
    Member
  • Topic Starter
  • 62 posts
Hi g2i2r4!

Have you had a chance to look at the logfiles?

Really need your help here :tazz:

Kind regards, tc
  • 0

#17
g2i2r4
    retired HiJack Helper
  • Retired Staff
  • 5,080 posts
I know Norton is crying out. I want to make sure to have your computer as clean as possible before we take on that malware. If we do not use caution, we have big trouble.


Open Windows Explorer.
Remove these folders:
C:\Documents and Settings\rfossum\Favorites\Online Pharmacy\
C:\Documents and Settings\rfossum\Favorites\Online Gambling\
C:\Program Files\MyWay\


Remove these files:
C:\Documents and Settings\All Users\Desktop\Online Dating.url
C:\Documents and Settings\All Users\Desktop\Remove Spyware.url
C:\Documents and Settings\rfossum\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
C:\Documents and Settings\rfossum\Favorites\Black Jack Online.url
C:\Documents and Settings\rfossum\Favorites\Home Loan.url
C:\Documents and Settings\rfossum\Favorites\Network Security.url
C:\Documents and Settings\rfossum\Favorites\Online Dating.url
C:\Documents and Settings\rfossum\Favorites\Online Gambling.url
C:\Documents and Settings\rfossum\Favorites\Online Pharmacy.url
C:\Documents and Settings\rfossum\Favorites\Remove Spyware.url
C:\Documents and Settings\rfossum\Favorites\Spam Filters.url
C:\Documents and Settings\rfossum\Favorites\Web Detective.url

C:\Documents and Settings\rfossum\Favorites\Take It Here - Free [bleep] TGP.url
There's some other word at the [bleep] that didn't make it through our filters.

***

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\WINDOWS\smdat32m.sys
C:\WINDOWS\uninstIU.exe

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.

***

Please go here: Jotti Virus Scan

Click the "browse" button and locate this file:

C:\WINDOWS\System32\wininet.dll

Click "Open", then click the "Submit" button. Copy the results and paste them here.

***

Copy everything in purple below and paste it into notepad. Go up to "File > Save As..." and click the drop-down box to change the "Save As Type" to "All Files". Save it as wininet.bat on your desktop.

rem list every copy of wininet.dll on the system drive, hidden files included
dir %Systemdrive%\wininet.dll /a /s > files.txt
start notepad files.txt


Double-click wininet.bat and when it is ready it will open files.txt.
Copy the content of files.txt and paste it here.

Bear with me for just a few posts please.
  • 0

#18
thecollectore
    Member
  • Topic Starter
  • 62 posts
Hi! Puuh...you're back! :tazz:

I'm on it. I also see a folder C:\Documents and Settings\rfossum\Favorites\Sexual life which is not a favorite that I have added.... Should I leave it for now, or delete it as well?

tc
  • 0

#19
g2i2r4
    retired HiJack Helper
  • Retired Staff
  • 5,080 posts
If you didn't put it there, delete it as well.

Be sure I won't leave you till you are as clean as I can make it.
  • 0

#20
thecollectore
    Member
  • Topic Starter
  • 62 posts
Remember that I tried replacing the wininet.dll as described in the first posting, therefore I will do a scan for the original wininet.dll file that is named wininet.old now as well, but when I try to scan this one I get "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file".

Results from Jotti for the replaced wininet.dll:

File: WININET.DLL
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 96e9cbb9f5b7faca709d87f49183ae5f
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

*Maybe I should try renaming the wininet.old to wininet.dll again and then run the scan??

I'll stop here until you have checked it out, so I have not done the wininet.bat stuff yet.
  • 0

#21
g2i2r4
    retired HiJack Helper
  • Retired Staff
  • 5,080 posts
Do not rename the wininet.old back!!!
Do create the wininet.bat and run it. I'd like to see the result.

Edited by g2i2r4, 08 July 2005 - 02:46 PM.

  • 0

#22
thecollectore
    Member
  • Topic Starter
  • 62 posts
Ok, here's the result:

Volume in drive C has no label.
Volume Serial Number is E020-1E35

Directory of C:\WINDOWS\ServicePackFiles\i386

29.08.2002 03:41 599˙040 wininet.dll
1 File(s) 599˙040 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819

04.08.2004 09:56 656˙384 wininet.dll
1 File(s) 656˙384 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\ea4fe5325a873581baacd3ab51700fd2\rtmgdr

27.04.2005 10:54 574˙976 wininet.dll
1 File(s) 574˙976 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\ea4fe5325a873581baacd3ab51700fd2\RTMQFE

27.04.2005 19:51 585˙216 wininet.dll
1 File(s) 585˙216 bytes

Directory of C:\WINDOWS\system32

21.01.2004 16:16 588˙288 WININET.DLL
1 File(s) 588˙288 bytes

Directory of C:\WINDOWS\system32\dllcache

21.01.2004 16:16 588˙288 WININET.DLL
1 File(s) 588˙288 bytes
  • 0
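As an added example (not part of this thread and not a tool either poster used), the following Python reads a listing in the shape of the files.txt output above, parses each "Directory of" / file line, and flags when the live copy of wininet.dll in C:\WINDOWS\system32 differs in date or size from the Windows File Protection copy in dllcache; the other copies are only listed, since update download caches legitimately hold other builds. The sample listing, the directory names and the helper names are constructed assumptions modelled on the output posted here.

```python
import re

# Constructed sample shaped like the files.txt listing posted above ("dir /a /s");
# the size column is parsed leniently because the locale's thousands separator varies.
SAMPLE_LISTING = """\
 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

29.08.2002 03:41 599 040 wininet.dll
1 File(s) 599 040 bytes

 Directory of C:\\WINDOWS\\system32

21.01.2004 16:16 588 288 WININET.DLL
1 File(s) 588 288 bytes

 Directory of C:\\WINDOWS\\system32\\dllcache

21.01.2004 16:16 588 288 WININET.DLL
1 File(s) 588 288 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4})\s+(\d{1,2}:\d{2})\s+(.+?)\s+(\S+)\s*$")

def parse_dir_listing(text):
    """One dict per file line: directory, date, time, size in bytes, name."""
    entries, current_dir = [], None
    for line in text.splitlines():
        if m := DIR_RE.match(line):
            current_dir = m.group(1)
        elif current_dir and (m := FILE_RE.match(line)):
            date, time, size_raw, name = m.groups()
            size = int(re.sub(r"\D", "", size_raw))  # strip locale separators
            entries.append({"dir": current_dir, "date": date, "time": time,
                            "size": size, "name": name})
    return entries

def check_wininet(entries, live_dir=r"C:\WINDOWS\system32",
                  backup_dir=r"C:\WINDOWS\system32\dllcache"):
    """Compare the live wininet.dll with its WFP dllcache copy (hypothetical helper);
    other copies are only listed, since update download caches hold other builds."""
    copies = {e["dir"].lower(): e for e in entries if e["name"].lower() == "wininet.dll"}
    live, backup = copies.get(live_dir.lower()), copies.get(backup_dir.lower())
    if live is None or backup is None:
        return {"status": "missing", "copies": len(copies)}
    same = all(live[k] == backup[k] for k in ("date", "time", "size"))
    others = sorted(d for d in copies if d not in (live_dir.lower(), backup_dir.lower()))
    return {"status": "match" if same else "mismatch", "live_size": live["size"],
            "backup_size": backup["size"], "other_copies": others}
```

Run it as `check_wininet(parse_dir_listing(open("files.txt").read()))`; a "mismatch" result means the live DLL no longer matches the protected backup and deserves a closer look (as with the Jotti submission in this thread).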

#23
g2i2r4
    retired HiJack Helper
  • Retired Staff
  • 5,080 posts
Use killbox to remove these two files:
C:\Windows\System32\wininet.old
C:\Windows\System32\oleadm32.dll
Reboot.

Then download the updated tool smitrem and let it run in safe mode. There are still things left over in the Registry. The new tool creates a log. Post me that log please.
  • 0

#24
thecollectore
    Member
  • Topic Starter
  • 62 posts
Hi,

Used killbox and downloaded the fresh smitrem from your link on page 1. Created a new folder on the desktop, went into Safe Mode and ran smitrem, but I do not see any logfile that I can upload?
  • 0

#25
g2i2r4
    retired HiJack Helper
  • Retired Staff
  • 5,080 posts
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
  • 0

#26
thecollectore
    Member
  • Topic Starter
  • 62 posts
Got it! :tazz:

Pre-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ system32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ system32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Wininet.dll ~~~

Not Infected!
  • 0

#27
g2i2r4
    retired HiJack Helper
  • Retired Staff
  • 5,080 posts
Hmm, then the Panda scan should come clean on this infection.

Can you run that one again?
  • 0

#28
thecollectore
    Member
  • Topic Starter
  • 62 posts
Ok, will run the Panda scan. :tazz:
  • 0

#29
thecollectore
    Member
  • Topic Starter
  • 62 posts
Here's the result of the Panda scan:

Incident              Status           Location
Adware:Adware/MyWay   No disinfected   Windows Registry
  • 0

#30
g2i2r4
    retired HiJack Helper
  • Retired Staff
  • 5,080 posts
Ok, let's see if we can remove that last bit too.

Download and install Registrar Lite.

Let's go search the Registry for MYWAY.
Please be very careful what you do. A corrupt Registry is a broken-down machine.

Double-click the file you just downloaded.
An InstallShield will appear. Follow the instructions.

Go to start - programs - RegistrarLite - Registrar Lite
Since it's the first time you open it, the program will finish the installation.

Press the magnifying glass
In the box 'text to search for' type
MYWAY
press 'enter'. The program will search the Registry looking for items.

When it's done searching you will see a window with rows.
Click a row (*)
Click the star icon below
A new window (bookmarks) will open
You will be on the same row we started at
Click the right mouse button
Click 'copy name to clipboard'

Open notepad
Click the right mouse button and choose 'paste'.

Go back to Registrar Lite and close the bookmarks window.

Go to the next row
Repeat the steps from (*) until all items are done.

Then close Registrar Lite.

In Notepad you can copy all lines and post them here in your answer.


I'll check back tomorrow (got squared eyes again :tazz: ).
  • 0
