
Smitfraud-SmitRem.zip missing .dll file

Discussion in 'Malware and Virus Removal Archive' started by Thesexytexan, 2005/07/03.

Thread Status:
Not open for further replies.
  1. 2005/07/03
    Thesexytexan

    Thesexytexan Inactive Thread Starter

    Joined:
    2005/07/02
    Messages:
    2
    Likes Received:
    0
    Hi, I have read other solutions for Smitfraud, and I have downloaded the SmitRem.zip, but I receive an error that I am missing a dll file: framedyn.dll missing, so it won’t open. I have tried several downloads, and I keep getting the same thing.

    Please help. I have run two online scans, one that was recommended here and housecalls. Both scans found viruses, and were cleaned. Well, they were not able to clean them so they were deleted. I have updated Spybot, HJT, & CWShredder. Spybot found many more after the update. I know that I need to do an update for MSIE….I will do that tonight since I’m still on dial-up w/this computer.

    Any help will be appreciated.
    Here is my latest HJT report:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:44:26 AM, on 7/3/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    C:\PROGRAM FILES\AVPERSONAL\AVSCHED32.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
    C:\WINDOWS\MSAGENT\AGENTSVR.EXE
    C:\HIJACKTHIS1\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://home.netscape.com/ "); (C:\Program Files\Netscape\Users\automedic\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [AVSCHED32] C:\PROGRAM FILES\AVPERSONAL\AVSCHED32.EXE /min
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  2. 2005/07/03
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You can remove these.

    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

    I have a question about this one.
    C:\WINDOWS\MSAGENT\AGENTSVR.EXE
    Are you using any type of character or application that reads files aloud, or using any application that uses voice commands? Peedy, Robo, or Merlin sound familiar on this? Office has a character such as this.
     


  4. 2005/07/03
    Thesexytexan

    Thesexytexan Inactive Thread Starter

    Joined:
    2005/07/02
    Messages:
    2
    Likes Received:
    0
    Hi,

    Thanks for the reply. Unfortunately, things are getting worse instead of better. I have all sorts of "search bar" **** in my log now, and when I remove it….it just comes back. Any recommendations for keeping it off?

    I do not really know what C:\WINDOWS\MSAGENT\AGENTSVR.EXE is. I thought it had to do something with Microsoft, and it’s not a threat. I do not nor ever had any speaking program on this computer as far as I can remember.

    Thanks,
    Cindy

    Here’s my newest log:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:52:37 PM, on 7/3/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    C:\PROGRAM FILES\AVPERSONAL\AVSCHED32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACKTHIS1\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://home.netscape.com/ "); (C:\Program Files\Netscape\Users\automedic\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {D72B2D06-EBD6-11D9-A1EC-B7337B0FFD9B} - C:\WINDOWS\SYSTEM\MOH.DLL
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [AVSCHED32] C:\PROGRAM FILES\AVPERSONAL\AVSCHED32.EXE /min
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O18 - Filter: text/html - {D72B2D05-EBD6-11D9-A1EC-B7338BDD63EC} - C:\WINDOWS\SYSTEM\MOH.DLL
    O18 - Filter: text/plain - {D72B2D05-EBD6-11D9-A1EC-B7338BDD63EC} - C:\WINDOWS\SYSTEM\MOH.DLL
     
  5. 2005/07/05
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    AGENTSVR.EXE should be from Microsoft, part of the MS Agent technology they started. Some of it is installed into XP by default, but not with 98 or 98SE. MS Office would install part of it; it has an animated helper character.

    You seem to be infected with About:blank, download About:Buster. Update, and close for now.

    Rescan with HJT, and remove these items.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {D72B2D06-EBD6-11D9-A1EC-B7337B0FFD9B} - C:\WINDOWS\SYSTEM\MOH.DLL
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    O18 - Filter: text/html - {D72B2D05-EBD6-11D9-A1EC-B7338BDD63EC} - C:\WINDOWS\SYSTEM\MOH.DLL
    O18 - Filter: text/plain - {D72B2D05-EBD6-11D9-A1EC-B7338BDD63EC} - C:\WINDOWS\SYSTEM\MOH.DLL


    The items in orange appear to be part of Modem on Hold software, but they aren't in the correct places. I don't think it needs a text filter to put your connection on hold. I recommend simply renaming the file for now; this can be done with the DOS commands I have below.

    After using HJT, restart in DOS mode, and do these commands at the prompt:
    smartdrv
    deltree c:\windows\history
    deltree c:\windows\temp
    deltree c:\windows\tempor~1
    attrib -r -h -s c:\windows\system\moh.dll
    ren c:\windows\system\moh.dll moh.old


    Type a Y that you want to delete, check for typos at this time. When done, reboot, and those folders will be rebuilt clean.

    When your system is up, run the About:Buster twice, back to back.
    Have a good one.
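
The traits that the entries marked for removal in the reply above have in common can be checked mechanically. This is an added example, not part of the original thread or of HijackThis: the `triage` function and its rules are assumptions drawn only from this thread (paths under a TEMP directory, a Run entry that loads a DLL through rundll32, a BHO with no name, a filter on text/html or text/plain), and the sample lines are copied from the second log.

```python
import re

# Lines copied from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {D72B2D06-EBD6-11D9-A1EC-B7337B0FFD9B} - C:\WINDOWS\SYSTEM\MOH.DLL
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {D72B2D05-EBD6-11D9-A1EC-B7338BDD63EC} - C:\WINDOWS\SYSTEM\MOH.DLL
"""

# A HijackThis entry line is "<section code> - <details>", e.g. "O4 - ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")


def parse(log):
    """Return (section, body) pairs; headers and process paths are skipped."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]


def triage(log):
    """Return (section, body, reasons) for entries worth a closer look.

    The rules are heuristics taken from this thread, not a malware verdict.
    """
    flagged = []
    for section, body in parse(log):
        reasons = []
        if "\\temp\\" in body.lower():
            reasons.append("references a file under a TEMP directory")
        if section == "O4" and re.search(r"\]\s*rundll32\b", body, re.I):
            reasons.append("autorun loads a DLL through rundll32")
        if section == "O2" and "(no name)" in body:
            reasons.append("BHO with no registered name")
        if section == "O18" and re.search(r"Filter: text/(html|plain)\b", body):
            reasons.append("filter on text/html or text/plain")
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> " + "; ".join(reasons))
```

A flagged line is a prompt to look at the file and registry value it names, not a removal decision; the Adobe BHO, the antivirus Run entry and the AOL domain setting pass unflagged here.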
     