Solved: Smitfrad virus deleted wininet.dll file!

9643 Views 75 Replies 4 Participants Last post by  Flrman1
I hope you can help me.

I am running Windows 98 SE (Win9x 4.10.2222A) and my browser is Internet Explorer v5.00 (5.00.2614.3500).

Recently my computer was, and still is, infected with the Smitfrad/Antivirus Gold ver2.0 virus which I am unable to remove. This virus has apparently deleted my wininet.dll file as it is not to be found in the directory when a file search is done.

Unfortunately, the Vendor, who is no longer in business, installed Win98SE with zip files (approximately 100 of them) and did not provide me with a disk operating system CD.

I am unable to open Internet Explorer and get this error code when I attempt to do so:

IEXPLORE caused an exception c06d007eH in module URLMON.DLL at 0167:7705cd3d.
Registers:
EAX=005850d0 CS=0167 EIP=7705cd3d EFLGS=00000246
EBX=00000000 SS=016f ESP=00585094 EBP=005850c4
ECX=c16e5430 DS=016f ESI=7703d780 FS=3ba7
EDX=81625a6c ES=016f EDI=00000000 GS=0000
Bytes at CS:EIP:
8b 45 f8 e9 d2 09 fe ff 6a 08 6a 40 ff 15 ec 13
Stack dump:
00000200 005892b8 0000000a 00000024 7703d780 77084084 7703d768 00000001 7707f568 00000000 00000000 00000002 00585930 7703d64d 0000007c 005850a0

In addition, most of my desktop Icons won't work and many of the programs I need to remove this virus and other malware will not function without the wininet.dll file.

My HijackThis_Log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 6:14:45 AM, on 7/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\TOOLS\REXPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.152.119.34:14524
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE C:\WINDOWS\SYSTEM\SERVICES\IR.EXE C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [kavsvc] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Apwheel] C:\WINDOWS\SYSTEM\6080.EXE
O4 - Global Startup: Windows Media PowerPoint Helper.lnk = C:\Program Files\Windows Media Components\Tools\nsppthlp.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.searchmeup.cc (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - Trusted IP range: 195.190.118.157 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q17583396_DISK.DLL (file missing)

No one I know has a CD of Win98SE and, as my computer is fairly old, I really don't want to go to the expense of buying a copy if at all possible.

Any suggestions on what I might do to resolve this problem would be greatly appreciated as browsing with the bloated Netscape 7.1 is slow and cumbersome.

Thank-you very much for your anticipated reply and assistance.

Regards,

Crowfoot
Hi Crowfoot

Welcome to TSG! :)

* I am attaching a copy of the wininet.dll file from a 9x box to this post. It is zipped in the 98Wininet.zip file. Don't use it yet. Just unzip it and have the file ready to copy to the C:\Windows\System folder later. We need to remove the infection first or it will just reinfect the new wininet.dll file.

* Click here to download smitRem.zip.
  • Save the file to your desktop.
  • Unzip smitRem.zip to extract the two files it contains.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.

* Go here and download Ad-Aware SE.
  • Install the program and launch it.
  • First in the main window look in the bottom right corner and click on Check for updates now
  • Click Connect and download the latest reference files.
  • Do not run Adaware yet. Just download the updates and have it ready to run later in safe mode.

* Click Here and download Killbox and save it to your desktop.

* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE C:\WINDOWS\SYSTEM\SERVICES\IR.EXE C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe

O4 - HKCU\..\Run: [Apwheel] C:\WINDOWS\SYSTEM\6080.EXE

O20 - Winlogon Notify: style2 - C:\WINDOWS\Q17583396_DISK.DLL (file missing)


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM\6080.EXE

C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

C:\WINDOWS\SYSTEM\SERVICES\IR.EXE


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Delete this folder:

C:\WINDOWS\SYSTEM\SERVICES

* Now launch Adaware:
  • From main window click Start then under Select a scan Mode tick Perform full system scan.
  • Next deselect Search for negligible risk entries.
  • Now to scan just click the Next button.
  • When the scan is finished mark everything for removal and get rid of it.
  • Right-click the window and choose select all from the drop down menu and click Next

* Start Ccleaner and click Run Cleaner

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

* Now copy the new wininet.dll file to your C:\Windows\System folder.

Go to Start > Run and copy and paste this line in the Run box:

regsvr32 wininet.dll

Click OK.

* Restart back into Windows normally now.

* Download DelDomains.inf from here.

Right-click DelDomains.inf and choose install.

* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan

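As an added example (not part of the original posts and not a tool used in this thread), here is a small Python triage of HijackThis entries like those in the log above. The rules are illustrative assumptions that mark entries for manual review, not verdicts, and the sample is an abridged subset of the log lines posted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of entry lines from the first log in this thread.
# The F1 line is shortened; everything else is copied as posted.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.152.119.34:14524
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE C:\WINDOWS\SYSTEM\SERVICES\IR.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKCU\..\Run: [Apwheel] C:\WINDOWS\SYSTEM\6080.EXE
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q17583396_DISK.DLL (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                 # "O4 - ..."
RUN_RE = re.compile(r"^(HK[A-Z]+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")  # key, name, command
EXE_RE = re.compile(r'([^\\"]+)\.exe', re.I)                       # executable base name


def parse_log(text):
    """Return (code, detail) pairs for every 'XX - ...' entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (code, reason, detail) for entries worth a manual look."""
    # Group Run-key values by (key, command) to spot one command under several names.
    by_target = defaultdict(set)
    for code, detail in entries:
        m = RUN_RE.match(detail) if code == "O4" else None
        if m:
            by_target[(m.group(1), m.group(3).lower())].add(m.group(2))

    findings = []
    for code, detail in entries:
        reasons = []
        if code == "F1":
            reasons.append("program autostarted from an .ini file")
        elif code == "R1" and "ProxyServer" in detail:
            reasons.append("IE proxy is set; confirm the user configured it")
        elif code == "O15":
            if detail.startswith("ProtocolDefaults"):
                reasons.append("protocol default mapped to Trusted Zone")
            else:
                reasons.append("Trusted Zone entry; confirm it was added deliberately")
        elif code == "O20" and detail.endswith("(file missing)"):
            reasons.append("Winlogon Notify entry points to a missing file")
        elif code == "O4":
            m = RUN_RE.match(detail)
            if m:
                key, _name, cmd = m.groups()
                exe = EXE_RE.search(cmd)
                if exe and exe.group(1).isdigit():
                    reasons.append("numeric-only executable name")
                if len(by_target[(key, cmd.lower())]) > 1:
                    reasons.append("same command registered under several names")
        findings.extend((code, reason, detail) for reason in reasons)
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{code:4} {reason}\n     {detail}")
```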
Hello flrman1,

Thank-you for your prompt reply.

I have followed your instructions, downloaded the programs mentioned, and things appeared to go well up until the point when you asked me to RunThis.bat file.

The RunThis.bat tool appeared to run ok but the disk cleanup process only ran for about one half second before exiting the program. I found this to be unusual.

The Killbox procedure seemed to work well as the pop-ups from the Start Up Menu no longer appear.

I have no C:\WINDOWS\SYSTEM\SERVICES folder in my directory.

I was unable to launch the Ad Aware program because of the wininet.dll problem.

CCleaner would not run. I got this error:

This program performed an illegal operation and will be shut down

CCLEANER caused an invalid page fault in
module <unknown> at 0000:00000013.
Registers:
EAX=007004d5 CS=0167 EIP=00000013 EFLGS=00010a82
EBX=006af084 SS=016f ESP=006af014 EBP=006af030
ECX=5dc94200 DS=016f ESI=000080a8 FS=2f0f
EDX=8162f9ac ES=016f EDI=006af038 GS=0000
Bytes at CS:EIP:
00 54 ff 00 f0 4c e1 00 f0 6f ef 00 f0 00 00 00
Stack dump:
0000016f 0042c95d 00000508 00000084 00000000 00be01d8 000080a8 006af050 bff7363b 00000508 00000084 00000000 00be01d8 80822caf 0000016f 006af064

"Reset Web Settings" to the original Internet Explorer defaults seemed to go ok.

There is no "Desktop tab" in the Display Properties of the Display Program. I did manage to change the color of desktop background, however.

My attempt to paste the wininet.dll file to the registry as per your instructions failed and gave me this error code:

LoadLibrary("wininet.dll") failed GetLastError returns 0X00000002.

But, I do have a wininet.dll file in my directory now, after following your earlier instructions.

I rebooted back into Normal Mode but now my desktop icons and Netscape 7.1 browser have the same appearance as if I was operating in Safe Mode, which I'm not. So, I'm unsure what's going on there!

The "DelDomains.inf" procedure wasn't doable as Internet Explorer still gives me the same error code as before when I try to open it and most of the Desktop Icons remain unfunctional.

I thought it pointless by this time to do the Panda Anti-virus scan, so I didn't do this.

Attached is a new HiJack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:35:53 PM, on 7/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\TOOLS\REXPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 213.152.119.34:14524
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [kavsvc] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Global Startup: Windows Media PowerPoint Helper.lnk = C:\Program Files\Windows Media Components\Tools\nsppthlp.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.searchmeup.cc (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O15 - Trusted IP range: 195.190.118.157 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

Thanks again for your help. It is very much appreciated!

Crowfoot
hi there.

Try this.

I'm uploading the smitfraud fix.reg, unzip it and double-click it to enter it into your registry.

if you don't have a copy of wininet.dll

download a new copy here.

http://www.dll-files.com/dllindex/dll-files.shtml?wininet

use the killbox to delete

C:\WINDOWS\SYSTEM\wininet.dll

then drop or register wininet.dll, follow flrman's instructions above for that.

rerun deldomain.

run panda's scan

run ccleaner.

post a new log and the panda scan log

flrman is not on just now, he's in America, so you might have a long wait as it's only 5-6am there, but you can wait for him if you wish!
Hello Khazars,

Please delete the last reply message to flrman1 which contains no information as it was sent by accident. Sorry!

Further to your reply, the smitfrad.reg zip file never arrived with the message you sent. So, I can't proceed.

In addition, the wininet.dll file that flrman1 sent is the Internet Extension for Win32, v.6.00.2600.0000 and I believe I need the Internet Extension Win32, v5.00.2614.3500 version of the wininet.dll file. Dll-files.com does not have this version in their dll library. My browser details are contained within the HiJack This Log sent earlier.

Also, are you able to help me restore my desktop and browser settings back to "normal", as although I am running in Normal Mode, the desktop icons and Netscape browser I am using have all the features as if I'm running in Safe Mode as per my earlier reply to flrman1.

Thanks for the help,

Crowfoot
If you look at my first message, post 4, there is a smitfraud reg fix attached to the post, you just click on it to download it!

I just checked it and it's working. This should hopefully restore your desktop, and might free up IE to allow you to fix the wininet.dll problem?

Do you have IE 5, why not download IE 6, you can use Netscape, mozilla until you download it?
Hello khazars,

Ok, I've downloaded and successfully installed the smitfrad.reg file and added it to the registry.

I deleted the wininet.dll file located in the C:\windows\system directory\ path using Killbox and Exited the program.

I downloaded a new wininet.dll file from dll-files.com, unzipped it, and extracted the file to C:\windows\system directory\ . Flrman1's earlier instructions requested that I "copy" the wininet.dll file to the system directory. Am I doing something wrong here???

I then tried to do the regsvr32 wininet.dll procedure ie.) Start > Run> copy and paste regsvr32 wininet.dll in the box > pressed OK and got the same error message as before.

I then rebooted and the only thing that changed is the background color (blue) on the Desktop. Everything else continues to function as if I'm operating in Safe Mode.

A search of the system directory now shows two wininet.dll files. One in C:\windows\system directory\ and the other is in C:\!Submit which I guess is a Killbox cache of some sort.

My apologies for not noticing the file attachment you sent earlier.

I'm not sure but I believe I have to be using Internet Explorer (which I'm unable to do presently) to upgrade to IE 6.0. I'll see if I can find a version of IE 6.0 that corresponds with the wininet.dll file version and try to install it as the default browser using Netscape, if we can't make any progress in resolving these problems.

Kind regards,

Crowfoot
Khazars,

I just Googled IE 6.0 and unfortunately the wininet.dll file we have corresponds to a version of IE 6.0 for the Windows XP operating system. I thought this might be the answer to many of our problems, but I guess not as I'm using Win 98 SE.

Crowfoot
ok. wait for flrman, he knows all about IE , if anyone can work this one out he'll do it for ya!

hang in there, check back in a few hours or so!
We can probably have you download and install IE 6 SP1 and take care of the wininet.dll problem, but first we need to remove the infection or it will just reinfect the file.

You mentioned having several problems doing all the fixes in my first post. Were you doing it all in safe mode?
Khazars/flrman1,

I did a forum search for Win98 SE and looked at a number of HiJack This Logs in the threads; I came across a member (daviduu) who has the exact same Win 98SE/IE 5.0 set up as me.

He has not been active here since May 29th and I'm wondering if it would be appropriate to ask a favor of him to make a copy of his wininet.dll file and upload it to one of the forum moderators.

His profile indicates he doesn't want e-mail from other members and if he's been inactive for 5 weeks, it's hard to say if he'd respond to a message left by a member he doesn't know.

I understand an Administrator may be able to send an e-mail to this member, but again I don't know if this would be an appropriate course of action or is against the Forum Rules!

It's just a thought!!!

Crowfoot
There are easier ways to get the file. Did you see my last post?
Yes I did and thanks for all of your help!
Crowfoot said:
Yes I did and thanks for all of your help!
You didn't answer my question.
flrman1 said:
You mentioned having several problems doing all the fixes in my first post. Were you doing it all in safe mode?
Yes, I did. I was careful to follow your original instructions and only left Safe Mode after failing to successfully register the wininet.dll file with the commands provided. At that point I rebooted into Normal Mode.

However, I was not in Safe Mode today when I exercised the smitfrad.reg fix that was executed earlier today.
* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\wp.exe

C:\wp.bmp

C:\bsw.exe

C:\Windows\sites.ini

C:\Windows\popuper.exe

C:\Windows\system\hhk.dll

C:\Windows\System\wldr.dll

C:\Windows\System\wp.bmp

C:\Windows\System\helper.exe

C:\Windows\System\intmon.exe

C:\Windows\System\shnlog.exe

C:\WINDOWS\System\OLEADM.dll

C:\Windows\System\intmonp.exe

C:\WINDOWS\system\hp8675.tmp

C:\WINDOWS\System\winnook.exe

C:\Windows\system\hookdump.exe

C:\Windows\System\msmsgs.exe

C:\Windows\system\msole32.exe

C:\WINDOWS\system\hp5C68.tmp

C:\Windows\System\ole32vbs.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Find and delete these folders if they exist:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Program Files\PSGuard
C:\Program Files\AdwareDelete
C:\Program Files\Security IGuard
C:\WINDOWS\System\Services
C:\Windows\System\Log Files

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Start Ccleaner and click Run Cleaner

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Restart back into Windows normally now.

* Come back here and report how all that went. If it all went reasonably well, we'll proceed to try and download and install IE 6 SP1.
Thanks noahdfear for letting me know that. I see we have been repeating everything that has already been done.

Crowfoot, I suggest that you continue this at Geeks To Go. Noahdfear knows more about fixing the damage done by this infection than I do. Please in the future if you are already receiving help in another forum, let those forums know. Generally we prefer that you use one forum or the other, not both. I have subscribed to your thread at GTG and will chime in there if needed, but I think you have all the help you need there with noahdfear and thatman.