
I need help deleting smitfraud

Discussion in 'Malware and Virus Removal Archive' started by scoot217, 2005/07/15.

Thread Status:
Not open for further replies.
  1. 2005/07/15, scoot217 (thread starter)
    This bugger really knocked my system for a loop. I finally got it up and ran smitRem in safe mode at the DOS prompt. It unlocked many functions on my system, but a message appeared telling me that the file "oleadm.dll" is on my system and it corrupts my wininet.dll file. I also have a little red-ball icon with a white exclamation point on it on my toolbar that flashes the bubble "Your computer is infected! Click here to protect it from spyware/viruses." The icon is non-functional.

    I have tried to follow the instructions for removing SmitFraud that are posted here, but my Ad-Aware seems to be affected, and Ewido says that it won't run on my system (Windows ME).

    I have two systems that are basically the same, so I can get a copy of both wininet.dll files to replace the infected ones if someone could tell me how to get rid of oleadm.dll.

    Here is the smitfile:
    Pre-run Files Present


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ system ~~~

    oleadm.dll
    intel32.exe
    wp.bmp
    hookdump.exe
    intmonp.exe
    msmsgs.exe
    msole32.exe
    shnlog.exe


    ~~~ Windows directory ~~~

    uninstIU.exe
    screen.html
    sites.ini
    popuper.exe


    ~~~ Drive root ~~~


    Pre-run Files Present


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ system ~~~

    oleadm.dll ~~ WARNING!! ~~


    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~
     
  2. 2005/07/15, scoot217
    My HJT Log

    Logfile of HijackThis v1.99.1
    Scan saved at 3:05:43 PM, on 7/15/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SOINTGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\VWWTYY.EXE
    C:\PROGRAM FILES\ICT\ACCELENET\ACCELENETCLIENT.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\AQUATICA WATERWORLDS\AQ3HELPER.EXE
    C:\WINDOWS\SYSTEM\INTEL32.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\ICT\ACCELENET\CLIENTSIDEPROXY.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\PROFILES\TONY\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135976022&id=1.00
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135976022&id=1.00
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135976022&id=1.00
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135976022&id=1.00
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135976022&id=1.00
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135976022&id=1.00
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\ENHTB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [iCn] C:\PROGRAM FILES\ICHOOSE\NAG.EXE
    O4 - HKLM\..\Run: [lduoycyoxk] C:\WINDOWS\SYSTEM\vwwtyy.exe
    O4 - HKLM\..\Run: [AcceleNet Client Application] C:\Program Files\Ict\AcceleNet\AcceleNetClient.exe -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRAM FILES\AQUATICA WATERWORLDS\AQ3HELPER.EXE /partner AQ3
    O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
    O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
    O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
    O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
    O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    O4 - User Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - User Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
    O4 - User Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    O8 - Extra context menu item: View Original Image - C:\Program Files\Ict\AcceleNet\getoriginal.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = hello
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 204.111.1.35,204.111.1.36
     

  4. 2005/07/15, noahdfear
    Please delete the current smitRem folder and zip you have, then download a new copy. It's been updated again. :)

    smitRem.zip

    Extract to a folder and reboot to safe mode (not command prompt only).

    Scan with HijackThis and place a check next to the following entries.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sides...5976022&id=1.00
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sides...5976022&id=1.00
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sides...5976022&id=1.00
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sides...5976022&id=1.00
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com << OK to leave if you set
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sides...5976022&id=1.00
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sides...5976022&id=1.00
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022 << OK to leave if you set
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\ENHTB.DLL
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [lduoycyoxk] C:\WINDOWS\SYSTEM\vwwtyy.exe
    O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
    O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe

    Click fix checked and close.

    Delete the following files.

    C:\WINDOWS\SYSTEM\vwwtyy.exe
    C:\WINDOWS\enhupdt.exe

    If there is a PSGuard shortcut on your quick launch, delete it also. If you don't use quick launch, look in C:\Windows\Application Data\Microsoft\Internet Explorer\Quick Launch.

    Open the smitRem folder and run the RunThis.bat

    Reboot back into Windows and scan your PC with Panda ActiveScan. Save the report.

    Post a new HJT log, the smitfiles.txt and ActiveScan report.
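The entries picked out above are the ones a HijackThis log reader learns to spot by eye: search and search-assistant keys pointing at an unknown domain, a toolbar entry with no file behind it, Run keys that launch files from the smitRem list or files with random-looking names, and settings such as a localhost proxy or hard-coded name servers that are only fine if the owner set them. The script below is an added example for this thread, not code from HijackThis or smitRem, and applies those rules to a handful of lines copied from the log posted above. The trusted-search-host list and the "no vowels in six or more letters" random-name test are assumptions made for the demo; the SmitFraud file list is the one smitRem printed in the first post.

```python
import re
from urllib.parse import urlparse

# Constructed sample: HijackThis entries copied from the log posted in this
# thread. A real run would read the saved hijackthis.log instead.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135976022&id=1.00
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\ENHTB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [lduoycyoxk] C:\WINDOWS\SYSTEM\vwwtyy.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 204.111.1.35,204.111.1.36
"""

# Files smitRem reported under "Pre-run Files Present" in the first post,
# keyed by the directory it found them in. msmsgs.exe is only suspicious in
# C:\WINDOWS\SYSTEM; the real Messenger lives under Program Files.
SMITFRAUD_PATHS = {
    "c:\\windows\\system\\" + f for f in (
        "oleadm.dll", "intel32.exe", "wp.bmp", "hookdump.exe",
        "intmonp.exe", "msmsgs.exe", "msole32.exe", "shnlog.exe")
} | {
    "c:\\windows\\" + f for f in (
        "uninstiu.exe", "screen.html", "sites.ini", "popuper.exe")
}

# Assumption for the demo: search providers the owner is happy with.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "search.msn.com", "www.microsoft.com"}
SEARCH_KEYS = ("Search Bar", "Search Page", "SearchAssistant",
               "CustomizeSearch", "SearchURL")
VOWELS = set("aeiou")


def _host(value):
    value = value.strip()
    if "://" not in value:
        value = "http://" + value          # HJT prints some URLs without a scheme
    return urlparse(value).hostname or ""


def _o4_target(body):
    """Executable path from an O4 entry, handling quoted and switch-bearing commands."""
    cmd = body.split("] ", 1)[-1]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    return re.split(r" [-/]", cmd, maxsplit=1)[0].lower()


def _random_looking(stem):
    # vwwtyy-style names: six or more letters with no vowel at all (heuristic)
    return len(stem) >= 6 and stem.isalpha() and not (set(stem.lower()) & VOWELS)


def triage_line(line):
    """Return (verdict, reason) for a suspicious entry, or None.

    verdict is 'remove' (fix it) or 'review' (only bad if the owner did not set it).
    """
    m = re.match(r"(R[013]|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind in ("R0", "R1") and " = " in body:
        key, value = body.split(" = ", 1)
        if any(k in key for k in SEARCH_KEYS):
            host = _host(value)
            if host not in TRUSTED_SEARCH_HOSTS:
                return ("remove", "search setting points at " + host)
        if "ProxyServer" in key and "127.0.0.1" in value:
            return ("review", "proxy on localhost; keep only if you set it yourself")
        return None
    path = body.rsplit(" - ", 1)[-1].strip()      # last field is the file, if any
    if kind == "O3" and path == "(no file)":
        return ("remove", "toolbar entry with no file behind it")
    if kind == "O2" and re.match(r"c:\\windows\\[^\\]+$", path.lower()):
        return ("review", "BHO loaded straight from the Windows directory")
    if kind == "O4":
        target = _o4_target(body)
        if target in SMITFRAUD_PATHS:
            return ("remove", "file is on the smitRem SmitFraud list")
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if _random_looking(stem):
            return ("review", "random-looking file name " + stem)
    if kind == "O17" and "NameServer" in body:
        return ("review", "name servers set in the registry; confirm they are your ISP's")
    return None


def triage(log_text):
    """List of (entry type, verdict, reason) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict:
            findings.append((line.split(" - ", 1)[0], verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for kind, verdict, reason in triage(SAMPLE_LOG):
        print(f"{kind:4} {verdict:7} {reason}")
```

Run against the sample, the script leaves the Excite start page, taskmon.exe and the Program Files copy of MSMSGS.EXE alone, and splits the rest into entries to fix and entries to confirm with the owner, which is the same distinction the instructions above draw with "OK to leave if you set".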
     
  5. 2005/07/17, scoot217
    Little luck

    Prior to your post, I saw a post from Frigginmook. He identified the trojan line. I removed it and my "icon" went away. The computer started acting a little better.

    I tried to follow your directions and this is what I got:

    I downloaded the new zip. In safe mode it gives the warning that if I run a DOS program in Windows, I run the risk of corrupting my video display and experiencing other anomalies. I did not run it. I had run the older zip in Windows and now the video display only has screensaver, effects, and settings.

    I ran HJT and removed the lines you identified, below is the new report.

    I found both of the files, vwwtyy-I deleted, enhupdt.exe could not be deleted. Window popped up stating that it was in use by windows.

    I tried to run the Panda scan (3 times), but my computer seems to send out a file transfer that interferes with it.

    I still have the "oleadm.dll" on this system and according to the warning that popped up it corrupts the wininet.dll file.

    I have run ad-aware 10 times and each time it catches a few more. There are still about 37 ad/spy,vx2, that it cannot remove.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e4me.com/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135976022&id=1.00
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135976022&id=1.00
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\ENHTB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\Run: [iCn] C:\PROGRAM FILES\ICHOOSE\NAG.EXE
    O4 - HKLM\..\Run: [AcceleNet Client Application] C:\Program Files\Ict\AcceleNet\AcceleNetClient.exe -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRAM FILES\AQUATICA WATERWORLDS\AQ3HELPER.EXE /partner AQ3
    O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = hello
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 204.111.1.35,204.111.1.36
     
  6. 2005/07/18, noahdfear
    Save this to text for use in safe mode.

    First, check the properties of wininet.dll (C:\Windows\system folder) and write down the version number.

    Go to Windows Update and use the personalize feature (may say Use administrator options) to access the Windows Update Catalog. Click 'Find updates for Microsoft Windows operating systems', then select Windows Millennium Edition from the list and click 'Advanced search options'. Check the box for 'critical updates and service packs' and then click search. Locate Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB883939) - (Posted Date: June 10, 2005), click 'add' then 'go to download basket'. Browse to a location to save it (desktop is ok) and download. Open the folders and double click the IE6.0sp1-KB883939-Windows-98-ME-x86-ENU.exe self-extracting file. Follow any prompts and reboot. This should replace the wininet.dll.
    Tap F8 on startup to enable the start menu and select safe mode.
    Check the properties of wininet.dll again to verify it was replaced.

    Open HijackThis and fix the following entries.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sides...5976022&id=1.00
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sides...5976022&id=1.00
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\ENHTB.DLL
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe

    Close HJT.

    Click Start>run and type command then hit enter to open a command window. Open this saved text and copy the commands below, one at a time and paste them to the command window, hitting enter after each and answering yes if asked to delete either file.


    attrib -r -s -h C:\WINDOWS\ENHTB.DLL

    del C:\WINDOWS\ENHTB.DLL

    attrib -r -s -h C:\WINDOWS\system\oleadm.dll

    del C:\WINDOWS\system\oleadm.dll


    Open My Computer and right click Local Disk C:, then choose properties. Click Disk Cleanup, check all boxes and click OK.

    Reboot back into Windows and post a new HJT log. Let us know any details of the outcome of the above instructions and any problems you are still having.
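The Properties dialog check above reads the version resource inside wininet.dll, which tells you which build is on disk but not whether the bytes match a clean copy. scoot217 has a known-good copy on the second, identical machine (the file unpacked from the KB883939 package would serve too), so a byte-for-byte comparison is the stronger check. The script below is an added example, not from this thread and not Microsoft's code: it hashes both files and also reads the PE header fields that differ between builds (TimeDateStamp, SizeOfImage, section count), so a stale or tampered file still stands out even when the hashes are not both to hand. It assumes the two DLLs have been copied to a current machine, since Windows ME itself cannot run modern Python; the build_fake_pe helper and the numbers fed to it are constructed test data, not real wininet.dll bytes.

```python
import hashlib
import struct


def pe_header(data):
    """COFF/optional-header fields that change between builds of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:            # PE32: what a Win9x/ME system DLL is
        raise ValueError("unexpected optional header magic %#x" % magic)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    return {"machine": machine, "sections": nsections,
            "timestamp": timestamp, "size_of_image": size_of_image}


def compare_dll(clean, suspect):
    """Report whether suspect is byte-identical to clean and which header fields differ."""
    h_clean = hashlib.sha256(clean).hexdigest()
    h_susp = hashlib.sha256(suspect).hexdigest()
    f_clean, f_susp = pe_header(clean), pe_header(suspect)
    diffs = {k: (f_clean[k], f_susp[k]) for k in f_clean if f_clean[k] != f_susp[k]}
    return {"identical": h_clean == h_susp,
            "sha256_clean": h_clean, "sha256_suspect": h_susp,
            "header_diffs": diffs}


def build_fake_pe(timestamp, size_of_image, padding=b""):
    """Constructed minimal PE32 image for offline testing (not a real DLL)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine i386, 3 sections, timestamp, no symbols, 224-byte optional
    # header, characteristics EXECUTABLE|DLL|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)  # SizeOfImage
    return dos + b"PE\0\0" + coff + bytes(opt) + padding


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            print(compare_dll(a.read(), b.read()))
    else:
        print(compare_dll(build_fake_pe(0x40E1A2B3, 0x80000),
                          build_fake_pe(0x3F000000, 0x7C000, b"x")))
```

Run as `python compare_dll.py clean_wininet.dll suspect_wininet.dll`; an "identical": True result means the replacement worked, while header_diffs showing an older timestamp or smaller SizeOfImage on the suspect side means the old file is still there. Do the copy from a booted-clean or safe-mode session, since a DLL in use by the malware cannot be trusted to be what it claims.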
     