Another smitfraud annoyance

Discussion in 'malware problems & news' started by sw2001, Aug 7, 2005.

Thread Status:
Not open for further replies.
  1. sw2001

    sw2001 Registered Member

    It is a bit different from the other smitfraud posts, that's why I opened a new thread.
    I removed every possible pest following all the instructions here. Everything seems to be clean. But as soon as I open IE and go online, that crap (intell32.exe) comes back and starts a hard drive scan.
    I already tried Xoftspy, AdAware, Spybot, AVG.
    Would like to do an online scan (Panda), but can't use IE online.
    How can I get rid of that without reinstalling?
    It's a 98 (no SE) computer.
     
  2. Beefcarver

    Beefcarver Registered Member

    did you try to scan with spybot? or try a2 free and do a scan...
    Good Luck.
     
  3. sw2001

    sw2001 Registered Member

    thanks for your reply
    but unfortunately no success
    spybot I had already
    a2 found it and removed it, but it keeps coming back.
     
  4. snowbound

    snowbound Retired Moderator

  5. sw2001

    sw2001 Registered Member

    the strange thing is, HijackThis doesn't show anything suspect.
    It is so short, that I'll post it here to demonstrate only.
    There is no use to analyse that log.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:35:32 PM, on 07/08/05
    Platform: Windows 98 Gold (Win9x 4.10.1998 )
    MSIE: Internet Explorer v5.00 (5.00.2314.1000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\_CC\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LVCOMSX] c:\windows\SYSTEM\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] c:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - htlp://www.pandasoftware.com/activescan/as5free/asinst.cab
     
  6. snowbound

    snowbound Retired Moderator

    You're right, that is strange.

    Are u sure u are copying and pasting the whole log?

    There should be a lot more entries than that. I'm not sure what's going on there....

    Maybe u could post the log as is over there, explaining your issues and see if they can figure out what's happening.

    Just a thought...

    When Wilders used to analyse HJT I remember seeing very short logs but I can't recall what the problems were.



    snowbound
     
  7. sw2001

    sw2001 Registered Member

    Gone :D

    yes snowbound that's the whole log.
    I took out everything bad and unnecessary plugins (yahoo, msn, ...)
    No scan got rid of the infected part of wininet.dll and that was the reason why it came back every time. So I copied it on a floppy disk and did some online scans on another system. Panda didn't find anything, neither did AVG. Next try was Kaspersky, which found the trojan, but didn't disinfect it. The online scanner from F-Secure found and disinfected the file :-*

    Hope that might help others too.
     
  8. snowbound

    snowbound Retired Moderator

    Good show! :D

    Nice to see u got rid of it. ;) :D


    snowbound
     
  9. daviidneylon

    daviidneylon Registered Member

    I tried to find the online scan you mentioned by googling f-secure; found a company by that name but couldn't find anything about on-line scanning. Can you give me the link?

    Thanks.
     
  10. snowbound

    snowbound Retired Moderator

    I assume this might be it?

    http://support.f-secure.com/enu/home/ols.shtml


    snowbound
     