Well that was interesting.
Ok so I have notes of my own and since the logs are so numerous, I'll start with my stuff so they don't get lost:
I couldn't initiallly delete the following:
C:\WINDOWS\system32\SMSSU.EXE
C:\WINDOWS\system32\Tmntsrv32.EXE
Initially I was told the file(s) might be in use. So I tried killing them in
Task manager but they just respawned! There is a file called smss.exe which is also running and I wonder if it or another might be causing the autospawning
Note though that eventually, something killed the above processes and deleted the files as required.
However, smss.exe still runs and exists.
!!! Near the end, I'm supposed to go to the PANDA link and run a full scan. Unfortunately,
my iexplorer.exe is no longe present so I basically wiped out my browser somwhere along the way.
Needless to say I'm still networking stuff to this crappy box in order to post these replies.
Minus the little internet explorer mishap, the system seems to be running pretty well. I just have to get IE back so I can run the PANDA thing. Web access seems to be ok (MSN autoloaded).
Here are my logs:
Smitrem log: ----------------
smitRem log file
version 2.2
by noahdfear
The current date is: Mon 08/01/2005
The current time is: 20:26:51.09
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
oleadm.dll
wp.bmp
~~~ Windows directory ~~~
uninstIU.exe
~~~ Drive root ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
oleadm.dll
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
wininet.dll INFECTED!!
Starting replacement procedure.
~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~
~~~~ dllcache\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~
~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~
~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~
~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~
~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll Present! ~~~~
~~~~ Checking C:\WINDOWS\ServicePackFiles\i386\wininet.dll for infection ~~~~
~~~~ ServicePackFiles\i386\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from ServicePackFiles\i386 ~~~
~~~ Upon reboot ~~~
wininet.old present!
oleadm.dll present!
oleext.dll not present!
~~~ Upon completion ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!
~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~
~~~~ C:\WINDOWS\system32\wininet.dll Clean!
~~~~
---------------------------------------------------------------------------------------------
EWIDO log: -------------
smitRem log file
version 2.2
by noahdfear
The current date is: Mon 08/01/2005
The current time is: 20:26:51.09
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
oleadm.dll
wp.bmp
~~~ Windows directory ~~~
uninstIU.exe
~~~ Drive root ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
oleadm.dll
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Wininet.dll ~~~
wininet.dll INFECTED!!
Starting replacement procedure.
~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~
~~~~ dllcache\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~
~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~
~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~
~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~
~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~
~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll Present! ~~~~
~~~~ Checking C:\WINDOWS\ServicePackFiles\i386\wininet.dll for infection ~~~~
~~~~ ServicePackFiles\i386\wininet.dll Clean! ~~~~
~~~ Replaced wininet.dll from ServicePackFiles\i386 ~~~
~~~ Upon reboot ~~~
wininet.old present!
oleadm.dll present!
oleext.dll not present!
~~~ Upon completion ~~~
wininet.old not present!
oleadm.dll not present!
oleext.dll not present!
~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~
~~~~ C:\WINDOWS\system32\wininet.dll Clean!
~~~~
-----------------------------------------------------------------------------------------------
HJT log before cleanup: Logfile of HijackThis v1.99.1
Scan saved at 8:15:33 PM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SMSSU.EXE
C:\WINDOWS\system32\Tmntsrv32.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://default.homeR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://default.homeO2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\winadvt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\system32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\system32\Tmntsrv32.EXE
O4 - HKCU\..\Run: [Spyware Vanisher] C:\spywarevanisher-free\FreeScanner.exe -FastScan
O4 - HKCU\..\Run: [Win32res] C:\WINDOWS\win32res.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-----------------------------------------------------------------------------------------------
HJT Log after cleanup Logfile of HijackThis v1.99.1
Scan saved at 9:26:50 PM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://default.homeR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://default.homeO4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-----------------------------------------------------------------------------------------------
So there you go. That's all there is. Would sure love to get my Internet Explorer back.
Thanks for the help so far! Looks like soon I'll be out of the woods!
rg