
smitfraud (?) cannot remove - plz help

Discussion in 'Malware and Virus Removal Archive' started by mrgekko, 2005/06/24.

Thread Status:
Not open for further replies.
  1. 2005/06/24
    mrgekko

    mrgekko Inactive Thread Starter

    Joined:
    2005/06/24
    Messages:
    2
    Likes Received:
    0
    Hi,
    trying to fix my bro's computer which is infected by viruses, trojans, spyware and so on.

    What is wrong?

    Well, the first thing I noticed was the blue screen on the desktop, which I've understood is typical for smitfraud. I managed to remove this with the help of a smitfraud guide.

    Next thing is that a lot of files (when being invoked?) provide an error message claiming that there is something wrong with wininet.dll.

    The wininet.dll message keeps coming up when trying to launch a large number of applications: Internet Explorer (which means that I cannot run any of the online scanning engines that use DirectX), Norton AntiVirus, F-Prot, Panda Antivirus, Spybot, Ad-Aware. Also, I tried running an online scan that uses Java, but J2RE seems to be inactive. I tried reinstalling J2RE, only to get the mentioned wininet.dll error message.

    Finally, the computer seems to be running wild - CPU usage gets up to 100 % really fast when just trying to run anything.

    What can i run / have run?

    I did manage to remove the blue screen on the desktop. When doing this I followed one of the guides for removing smitfraud, which includes deleting some files with Killbox and removing a number of entries with HijackThis. Also, I have run:
    > smitfraud.reg
    > hoster
    > Fix_Protocol_zones_ranges

    The only antivirus software which I've been able to run is AVG Antivirus, but the scan found no viruses/threats.

    The only antispyware software which I've been able to run is Microsoft AntiSpyware. During the first scan I removed the following entries:
    > EGroup Dialer
    > WindUpdates.MediaAccess
    > WindUpdates.MediaPass
    > Windows AdTools
    > MediaTickets CDT
    > WinCommX

    and put the following three on ignore:
    > Messenger Plus!
    > NewDotNet (Browser Plug-in)
    > KaZaA

    Internet Explorer does not work, but Mozilla does.

    I hope this information, together with the HijackThis log below, will be enough for someone to recognize at least something.

    Fresh HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 02:10:19, on 2005-06-25
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
    C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\S3hotkey.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\Grisoft\AVG7\avgamsvr.exe
    C:\Program\Winamp\winampa.exe
    C:\Program\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program\MessengerPlus! 3\MsgPlus.exe
    C:\Program\AntiVirus\navapsvc.exe
    C:\Program\AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program\Grisoft\AVG7\avgcc.exe
    C:\Program\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program\DWL650+\AirPlus.exe
    C:\Program\AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\Program\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\notepad.exe
    C:\Program\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\george w bush\Skrivbord\slask\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\ANTIVI~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe "
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Uuai] C:\Documents and Settings\george w bush\Application Data\rtnu.exe
    O4 - Startup: AMSN.lnk = C:\Program\AMSN\amsn.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: D-Link AirPlus.lnk = ?
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program\AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program\AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

    ------------------------

    I'm thankful for any help
    George
     
  2. 2005/06/24
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    > Messenger Plus!
    > NewDotNet (Browser Plug-in)

    Those are infecting you! But it was good you put Newdot.net on ignore, if you had allowed Antispy to remove it, you would have lost your internet connection.
    First get the Smitrem.Zip and unzip it to the desktop, but don't do anything with it yet.
    Uninstall Newdot.net from Control Panel\Add/Remove Programs and reboot.
    Smitrem.Zip
    When you reboot, reboot into Safe Mode, and double click RunThis.Bat from the Smitfraud Zip. A lot of things will happen on the screen when it is running, and it will end up blue. Follow the prompts that appear.
    When done, reboot, and shut down MSN Messenger, and uninstall Messenger Plus!

    Go here with Mozilla, and download Service Pack 2 for Windows XP. Do not install it until you have disabled all antivirus, antispyware, firewall and messenger programs from running. Do not do this until the HJT log comes up clean.
    http://www.microsoft.com/downloads/...BE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en
    You may have noticed that Windows Update does nothing for you; that is because unless you have Service Pack 1a or Service Pack 2 installed, you are out in the dark.


    Remove these items using HJT.
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe "
    O4 - HKCU\..\Run: [Uuai] C:\Documents and Settings\george w bush\Application Data\rtnu.exe

    Delete all files in the C:\Windows\Prefetch folder, and all files and folders in these folders.
    C:\Documents and Settings\george w bush\Local Settings\Temp
    C:\Windows\Temp

    Reboot, and delete this folder.
    C:\Program\MessengerPlus! 3

    Delete this file.
    C:\Documents and Settings\george w bush\Application Data\rtnu.exe

    Alternatively, there is another way to fix Wininet.Dll: go to Start\Run, type in "SFC /SCANNOW" and press Enter. Have your XP CD handy, as you will be asked for it.

    BTW, if you keep using Kazaa, you will be reinfected, possibly by P2P Networking. Go get KazaaLite.
     
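The reply above picks two O4 (Run key) lines out of the HijackThis log by eye, one of which starts an executable from the user's Application Data folder. The following script is an added example, not part of the thread or of HijackThis: it parses O4 Run-key lines in the v1.99 format, extracts the executable path (handling the quoted-with-trailing-space form and unquoted paths followed by switches), and reports entries that launch from a profile or temp directory, or that name a bare filename resolved through the search path. The sample lines are constructed from entries that appear in this thread's log; the directory list and reasons are the example's own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample (a subset of the O4 lines in the thread, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Uuai] C:\Documents and Settings\george w bush\Application Data\rtnu.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe "
O4 - Global Startup: D-Link AirPlus.lnk = ?
"""

# HijackThis v1.99 Run-key line: "O4 - HKLM\..\Run: [name] command"
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Directories a legitimate Run entry almost never executes from on XP
# (assumed list; these are the locations the reply above tells the poster to clear).
SUSPECT_DIRS = (
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str
    exe_path: str  # best-effort executable path pulled out of the command


def extract_exe(command: str) -> str:
    """Pull the executable out of a Run command.

    Handles the quoted form with a trailing space ("...\\ccApp.exe ") and an
    unquoted path (possibly containing spaces) followed by switches.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].strip() if end > 0 else cmd.strip('"').strip()
    m = re.match(r'(.*?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_o4(log_text: str) -> list:
    """Return a RunEntry for every O4 HKLM/HKCU Run line in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["cmd"], extract_exe(m["cmd"])))
    return entries


def flag_suspicious(entries) -> dict:
    """Map entry name -> reason for every Run entry that deserves a second look."""
    reasons = {}
    for e in entries:
        path = e.exe_path.lower()
        if any(d in path for d in SUSPECT_DIRS):
            reasons[e.name] = "runs from user profile or temp directory: " + e.exe_path
        elif not re.match(r"^[a-z]:\\", path):
            reasons[e.name] = "no absolute path; resolved via search path: " + e.exe_path
    return reasons


if __name__ == "__main__":
    found = parse_o4(SAMPLE_LOG)
    print(f"{len(found)} Run entries parsed")
    for name, why in flag_suspicious(found).items():
        print(f"[{name}] {why}")
```

Run as a script it prints the Uuai/rtnu.exe entry with the profile-directory reason and S3hotkey with the search-path note; the Symantec, AVG, ctfmon and MessengerPlus entries are left alone because they run from absolute paths under Program or System32. Location alone is a triage signal, not a verdict: the bare-filename S3hotkey entry is a normal vendor hotkey tool here, which is why the two reasons are kept distinct.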


  4. 2005/06/24
    mrgekko

    mrgekko Inactive Thread Starter

    Joined:
    2005/06/24
    Messages:
    2
    Likes Received:
    0
    Is my HJT log clean now?

    Hi again,
    thanks for the fast reply and great help. I think I've managed to remove smitfraud and all the other junk now. But what happened to the first reply I got here (made by someone called nn "-something")?? He/she suggested I download the trial version of ewido security suite. This antivirus software I could actually run (unlike most others), and unlike AVG, ewido found and removed quite a few threats. Markp62's post helped me to exchange the corrupt wininet.dll file. And voila, the system seems to work perfectly again.

    One thing I didn't follow, though, Markp62. You said that it was good that I didn't allow MSantispy to delete NewDotNet, but that I should instead delete it via Control Panel/Remove Programs. I looked for NewDotNet in Remove Programs, but couldn't find it. Finally I got tired of looking for a way to remove it, and simply allowed MSantispy to delete it. But my internet connection was not lost. Just thought this might be of interest to you.

    Now, my final question: does my new HJT log look clean? That is, is it safe to go download Service Pack 2?

    Thanks for all your help, I'll be coming back to this neat forum.

    Fresh log:

    Logfile of HijackThis v1.99.1
    Scan saved at 05:59:30, on 2005-06-25
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\S3hotkey.exe
    C:\WINDOWS\System32\S3tray2.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\Java\jre1.5.0\bin\jusched.exe
    C:\Program\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\DWL650+\AirPlus.exe
    C:\Program\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program\AntiVirus\navapsvc.exe
    C:\Program\AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program\AntiVirus\SAVScan.exe
    C:\Program\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\notepad.exe
    C:\Documents and Settings\george w bush\Skrivbord\slask\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.se
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.se
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.se
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.se
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.se
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.se
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.se
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\ANTIVI~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program\Delade filer\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [gcasServ] "C:\Program\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: D-Link AirPlus.lnk = ?
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program\AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program\AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program\AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
     
  5. 2005/06/25
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    > But what happened to the first reply I got here (made by someone called nn "-something")??
    We try not to interfere with each other here unless needed, he (noahdfear) deleted his. Ever hear the saying about too many cooks? That is why.
    Your HJT log is definitely clean.
    However, it would not hurt to run WinSockFix because of the Newdot.net, even though your internet connection is working fine.
    Note: after installing Service Pack 2, M$ has included a firewall in it. You have Norton installed, and I believe it has a firewall. If you decide to use Norton's (and it is a good idea to do so), go into Control Panel\Network Connections, right-click your internet connection, select Properties, click on the Advanced tab, then the Settings button, and set the firewall to off.
    The M$ firewall does nothing to control outgoing connections, but will block unsolicited incoming connections. Norton's will control outgoing, and it is the better thing to do. It is very important with XP to have one or the other working for you in any case.
    Glad to be of help to you!
     