Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Smitfraud/Alemod [RESOLVED]

Started by hijacked , Aug 06 2005 04:06 PM

This topic is locked

#1
hijacked

Posted 06 August 2005 - 04:06 PM

Member

Member
14 posts

Hello,

for about a week, I've been trying to get rid of Smitfraud and Alemod, second I detected yesterday only. I scanned the computer with Adaware, Search and Destroy, McAfee, ewido - it simply doesn't do the trick. Every little program finds something, but in the end, the problem remains, and I am moving in circles.

I tried smitrem, but get the message that this program does not run on my machine. I also downloaded killbox, but don't remember if I actually used it for something.

Since I am not really that good with computers, it seems that the more I read the more confused I am, so if you could help me, I would really appreciate it.

My hijackthis scan produced the following result:

Logfile of HijackThis v1.99.1
Scan saved at 5:58:29 PM, on 8/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Instant Wireless Dual Band network\WPC51AB.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\internat.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\default\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.spiegel.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: longcake - {08F79DE4-D664-C761-6F19-A708B95FAEAB} - C:\PROGRA~1\DOESME~1\Scr Amen.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WPC51AB.exe] C:\Program Files\Instant Wireless Dual Band network\WPC51AB.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [zpirbc] c:\windows\system32\zpirbc.exe
O4 - HKLM\..\Run: [sjyhst] C:\WINDOWS\sjyhst.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [CookieCooker] C:\Program Files\CookieCooker\CookieCooker.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kats-korn...er/tdserver.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://www.communit...bal.com/qp2.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://sciencecenter...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://altavista.we...bex/ieatgpc.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...275/mcfscan.cab
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Program Files\Atguard\iamserv.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

Thank You!!!

#2
greyknight17

Posted 06 August 2005 - 04:17 PM

Malware Expert

Visiting Consultant
16,560 posts

Welcome to GTG.

SmitRem should work since we will need it for the removal. Try again. If it still doesn't work continue on with the fixes I listed. But make sure to tell me that it didn't work.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: longcake - {08F79DE4-D664-C761-6F19-A708B95FAEAB} - C:\PROGRA~1\DOESME~1\Scr Amen.dll (file missing)
O4 - HKLM\..\Run: [zpirbc] c:\windows\system32\zpirbc.exe
O4 - HKLM\..\Run: [sjyhst] C:\WINDOWS\sjyhst.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O20 - Winlogon Notify: nwprovau - C:\WINDOWS\SYSTEM32\nwprovau.dll

Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

Delete these if found:

C:\PROGRA~1\DOESME~1\
c:\windows\system32\zpirbc.exe
C:\WINDOWS\sjyhst.exe
C:\WINDOWS\system32\msmsgs.exe
C:\Program Files\PSGuard\
C:\WINDOWS\system32\intell32.exe
C:\WINDOWS\SYSTEM32\nwprovau.dll

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log.

Give me this log also:

Download L2MFix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

#3
hijacked

Posted 06 August 2005 - 08:31 PM

Member

Topic Starter
Member
14 posts

Hello again,

I am trying! And downloaded Smitrem again and run it in safemode, but got the same message as before: this tool cannot be run on your system.

McAfee also continues to tell me that wininet.dll is infected.

Following are the available logfiles:

Pandascan:
Incident Status Location

Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\DEFAULT\APPLICATION DATA\Sskknwrd.dll
Adware:adware/e2give No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\UGO20.exe
Adware:adware/apropos No disinfected C:\DOCUMENTS AND SETTINGS\DEFAULT\LOCAL SETTINGS\TEMP\cfout.txt
Adware:adware/sahagent No disinfected C:\DOCUMENTS AND SETTINGS\DEFAULT\LOCAL SETTINGS\TEMP\isearchtech1005.sah
Spyware:spyware/istbar No disinfected C:\DOCUMENTS AND SETTINGS\DEFAULT\LOCAL SETTINGS\TEMP\shortcuts.txt
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
Dialer:dialer.dk No disinfected C:\DOCUMENTS AND SETTINGS\DEFAULT\LOCAL SETTINGS\TEMP\ICD12.tmp
Adware:adware/twain-tech No disinfected C:\DOCUMENTS AND SETTINGS\DEFAULT\LOCAL SETTINGS\TEMP\THI1635.tmp
Spyware:spyware/searchcentrix No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\default\Desktop\l2mfix.exe[Process.exe]
Adware:Adware/BlazeFind No disinfected C:\Documents and Settings\default\Local Settings\Temp\bar.exe
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\default\Local Settings\Temp\ICD23.tmp\turbo.inf
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\default\Local Settings\Temp\ICD52.tmp\flash.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\default\Local Settings\Temp\THI370.tmp\farmmext.inf
Adware:Adware/Transponder No disinfected C:\Documents and Settings\default\Local Settings\Temp\THI5D02.tmp\Pynix.inf
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\ieatgpc.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Downloaded Program Files\turbo.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf
Adware:Adware/WinActive No disinfected C:\WINDOWS\TEMP\bz23.tmp[bz23.tmp]
Ewido-log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:42:21 PM, 8/6/2005
+ Report-Checksum: 6603D93C

+ Scan result:

C:\Documents and Settings\default\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\default\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\default\Cookies\default@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\default\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup

::Report End

L2mfix-log
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Invalid switch
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
mcgdmgr.dll Tue May 24 2005 7:23:32p A.... 288,320 281.56 K
mcinsctl.dll Mon Jul 18 2005 12:03:12p A.... 349,760 341.56 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K

11 items found: 11 files, 0 directories.
Total of file sizes: 3,275,552 bytes 3.12 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is IBM_PRELOAD

Directory of C:\WINDOWS\System32

07/31/2005 11:28a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 3,996,509,184 bytes free

And the latest Hijackthis-log is here:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:14 PM, on 8/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Instant Wireless Dual Band network\WPC51AB.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\internat.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\default\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.spiegel.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WPC51AB.exe] C:\Program Files\Instant Wireless Dual Band network\WPC51AB.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [CookieCooker] C:\Program Files\CookieCooker\CookieCooker.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kats-korn...er/tdserver.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://www.communit...bal.com/qp2.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://sciencecenter...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://altavista.we...bex/ieatgpc.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...275/mcfscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Program Files\Atguard\iamserv.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

==================================================

Thanks for helping me!

#4
greyknight17

Posted 07 August 2005 - 06:30 PM

Malware Expert

Visiting Consultant
16,560 posts

OK, we'll have to try something else then.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\DOCUMENTS AND SETTINGS\DEFAULT\APPLICATION DATA\Sskknwrd.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UGO20.exe
C:\WINDOWS\Downloaded Program Files\ieatgpc.inf
C:\WINDOWS\Downloaded Program Files\turbo.inf
C:\WINDOWS\inf\biini.inf

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Try this to see if it takes care of that wininet.dll problem:

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

copy c:\windows\system32\wininet.dll "C:\DOCUMENTS AND SETTINGS\DEFAULT\"
del copy.bat

Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.

Reboot. Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/s...sinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

del c:\windows\system32\wininet.dll
del c:\windows\system32\oleadm.dll
del c:\windows\system32\oleext.dll
copy "C:\DOCUMENTS AND SETTINGS\DEFAULT\wininet.dll" c:\windows\system32
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Run a new Panda scan and post that log along with a HijackThis log.

#5
hijacked

Posted 08 August 2005 - 06:09 PM

Member

Topic Starter
Member
14 posts

Hello Greyknight,

how do I scan the Desktop Folder? The eTrust Web Scanner does not give this option, or I don't know how to do it.

Thanks,
still hijacked :-)

#6
greyknight17

Posted 08 August 2005 - 09:41 PM

Malware Expert

Visiting Consultant
16,560 posts

It should be simple

Did you agree to download that script when it asked you? Once you do that, wait for it to load. It will then ask you where to scan. Shoot, just saw that I asked you to copy that wininet.dll file in your username folder. So just go to c:\documents and settings\DEFAULT and leave it at there. Check that box. Don't check desktop since it's not there now. I asked you to copy it one folder up :tazz:

For more information if you still need help, refer to their help page. It has pictures and descriptions on how to use it. We don't need a full scan, only scan your DEFAULT folder since we only need to heal that wininet.dll file.

#7
hijacked

Posted 09 August 2005 - 07:11 PM

Member

Topic Starter
Member
14 posts

Ok, I saved the file and then scanned c:\documents and settings\DEFAULT but eTrust Web Scanner doesn't find an infection. So I skipped the second part, the delete bat, for now. Or do you still want me to do that?

#8
greyknight17

Posted 10 August 2005 - 07:32 AM

Malware Expert

Visiting Consultant
16,560 posts

Ignore the .bat instructions. I want you to go straight to the Panda scan.

We need to get that smitRem tool working. I have asked on a topic in the staff forum and awaiting a response on that. In the meantime, run Panda and give me that log along with a new HijackThis log.

#9
greyknight17

Posted 10 August 2005 - 02:18 PM

Malware Expert

Visiting Consultant
16,560 posts

OK, I want you to go to Start->Run and type in cmd and hit OK. Now type in ver and hit Enter. Post back exactly what that reports back to you on the screen. I was told that caps matter, so it's case sensitive. If it's lower case, type back in lower case if Windows begins in lowercase. Just type in exactly what you see on the screen and post it here. This may tell us what's wrong with smitRem running on your computer.

#10
hijacked

Posted 10 August 2005 - 06:26 PM

Member

Topic Starter
Member
14 posts

Hello Greyknight,

I think the Panda scan was a little more successful today.
But first: Microsoft Windows 2000 [Version 5.00.2195]

Pandalog:

Incident Status Location

Virus:W32/Smitfraud.E Disinfected Operating system
Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\DEFAULT\APPLICATION DATA\Sskuknwrd.dll
Spyware:spyware/betterinet No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\default\Desktop\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\default\Desktop\l2mfix.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\WINDOWS\SYSTEM32\Process.exe
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\SYSTEM32\wininet.dll
hijackthis.log:
Logfile of HijackThis v1.99.1
Scan saved at 8:20:23 PM, on 8/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Instant Wireless Dual Band network\WPC51AB.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\internat.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\default\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spiegel.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.spiegel.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WPC51AB.exe] C:\Program Files\Instant Wireless Dual Band network\WPC51AB.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_46363] C:\WINDOWS\system32\ActiveScan\pavdr.exe 46363
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [CookieCooker] C:\Program Files\CookieCooker\CookieCooker.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kats-korn...er/tdserver.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://www.communit...bal.com/qp2.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...96/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.na...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://sciencecenter...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://altavista.we...bex/ieatgpc.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...275/mcfscan.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Program Files\Atguard\iamserv.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

What do you think?

#11
greyknight17

Posted 10 August 2005 - 09:12 PM

Malware Expert

Visiting Consultant
16,560 posts

Delete this file:

C:\DOCUMENTS AND SETTINGS\DEFAULT\APPLICATION DATA\Sskuknwrd.dll

How about my post here? Do those steps there and post back a followup on that.

Does smitRem still work in Safe Mode?

#12
hijacked

Posted 11 August 2005 - 07:59 PM

Member

Topic Starter
Member
14 posts

Tried again in safemode, but smitrem still does not work. The link you built into your last post leads back to this thread here.

Upon reboot I got 2 error messages, saying that the dynamic link library wininet.dll could not be found in the specified path.

Affected programs were my wireless network card and mcafee.

I don't know if it was good what I did, but before the infected wininet.dll was deleted, I had made a search and had located the clean one elsewhere. So, I simply copied the good one to where the infected file was before, which is the system32 folder. All I can say is that I got the internet connection working again. Please let me know if I did something wrong.

I also deleted the file you had mentioned in your last post.

#13
greyknight17

Posted 11 August 2005 - 09:23 PM

Malware Expert

Visiting Consultant
16,560 posts

Sorry, I meant this post.

Yes, you did that correctly. The problem here, which you may have know by now, is that wininet.dll was infected. It was deleted by Panda automatically. If smitRem ran successfully it would have replaced that file with a good copy and also remove other smitfraud related files from your computer.

OK, do what I mentioned in that post I gave you above first. Post back.

#14
hijacked

Posted 12 August 2005 - 06:18 PM

Member

Topic Starter
Member
14 posts

Hi, all I get by typing the command ver is:
Microsoft Windows 2000 [Version 5.00.2195]

#15
greyknight17

Posted 13 August 2005 - 07:35 AM

Malware Expert

Visiting Consultant
16,560 posts

OK, I want you to right click on that RunThit.bat file (in your smitRem folder) and choose Edit. Now look for these two groups of lines:

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO notice

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO notice

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO notice1

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO notice1

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO notice1

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO notice

echo Unsupported Version
goto end

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

and delete those lines. Now save the file and close it. Try running RunThis.bat now.