Tech Support Forum - View Single Post - Hijackthis Log: Something to do with stdole3.tlb i think

**POADB** · 11-14-2006, 01:00 PM

Hi, welcome to TSF

stdole3.tlb is related to an infection known as Smitfraud. We will perform a fix that will address the infection if it's present.

We will also clean some other malware along the way

Please follow instructions
-------------------------------------------------

Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

Before you begin, take a read through these instructions and download the programs that I've advised.
Save the below instructions in Notepad or Word if you wish to reserve the format. Alternatively, Print the instructions because we require you work in safe mode without networking support, so this page wouldn't be available then.

If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.

Please allow yourself a few spare hours. Below are instructions for a virus scan(s) that can take longer then 2 hours.

It is also important you don't miss a step and perform everything in the right order!! .

********************************FOR YOUR INFORMATION*************************

Please do not run Hijackthis from it's current location.

Create a permanent directory - C:\Program Files\HiJackThis\
Re-locate all files to the new directory

Updating Java and Clearing Cache

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.

********************************DOWNLOADS********************************

Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

Please download CleanUp! and install it. Do not run it yet!

Download AVG Anti-Spyware

Install AVG Anti-Spyware
Double-click the icon on Desktop to launch AVG Anti-Spyware

You will need to update AVG Anti-Spyware to the latest definition files.

On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
We shall use this later.

Unplug your computer from the Internet when you have finished downloading.

********************************PURGE/CLEANUP*********************************

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:

Click "Options..."
Set the slider to "Standard CleanUp!"
Uncheck the following:
- Delete Newsgroup cache
- Delete Newsgroup Subscriptions
- Scan local drives for temporary files
Click OK

Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep that are stored in these locations; Move Them Now!!!

********************************SAFE MODE*********************************

REBOOT TO SAFE MODE

Restart the computer. The computer begins processing a set of instructions known as BIOS.
As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
Continue to do so until the 'Windows Advanced Options' menu appears.
Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.

*********************************SETTING UP********************************

Enable the viewing of Hidden files

From Windows Explorer, go to Tools>Folder Options>View tab.
Enable the option for `Show hidden files and folder´
Disable the option for `Hide file extensions for known types´
Disable the option for `Hide protected operating system files´
Click Yes to confirm & then click OK

*********************************HJT FIXES********************************

Run HJT and perform a scan. Place a check next to each of the following, if present, and click 'Fix Cehcked'.

O4 - HKLM\..\Run: [Flag Body Team Online] C:\Documents and Settings\All Users\Application Data\FordWarnFlagBody\playskip.exe
O4 - HKLM\..\Run: [bikini] bikini.exe
O4 - HKCU\..\Run: [flawsurf] C:\DOCUME~1\Steven\APPLIC~1\WAVEDE~1\Site Blah Error.exe

*********************************DELETIONS********************************

Please delete this file:

C:\WINDOWS\system32\bikini.exe

*********************************SMITFRAUDFIX********************************

Open the SmitfraudFix Folder,

Double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?"
Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll.
Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

********************************DESKTOP REPAIR********************************

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

********************************AVG SCAN********************************

** Please disable all other antivirus programs before proceeding.**

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

********************************TRUSTED ZONES********************************

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
You will be asked to Restore Hosts. Type 'Y'.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

********************************NO LOP********************************

First close any other programs you have running as this will require a reboot

Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh HijackThis log

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --

********************************ONLINE SCAN********************************

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on located at the bottom of the page.
A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

********************************CHECK LIST********************************

In your next post, please include fresh logs from:

AVG Results
rapport.txt
HiJackThis
Online scan
C:\NoLop.log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

11-14-2006, 01:00 PM	#2 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,209 OS: XP SP2	Hi, welcome to TSF stdole3.tlb is related to an infection known as Smitfraud. We will perform a fix that will address the infection if it's present. We will also clean some other malware along the way Please follow instructions ------------------------------------------------- Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". Before you begin, take a read through these instructions and download the programs that I've advised. Save the below instructions in Notepad or Word if you wish to reserve the format. Alternatively, Print the instructions because we require you work in safe mode without networking support, so this page wouldn't be available then. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below. Please allow yourself a few spare hours. Below are instructions for a virus scan(s) that can take longer then 2 hours. It is also important you don't miss a step and perform everything in the right order!! . ******************************FOR YOUR INFORMATION********************* Please do not run Hijackthis from it's current location. Create a permanent directory - C:\Program Files\HiJackThis\ Re-locate all files to the new directory Updating Java and Clearing Cache Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java: Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9*. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". Click the "Download" button to the right. Check the box that says: "Accept* License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version. ******************************DOWNLOADS**************************** Please download these additional files/programs. Do not run them unless instructed to do so. Unless otherwise stated, they should be stored in the same directory as the HiJackThis program. Please download CleanUp! and install it. Do not run it yet! Download AVG Anti-Spyware Install AVG Anti-Spyware Double-click the icon on Desktop to launch AVG Anti-Spyware You will need to update AVG Anti-Spyware to the latest definition files. On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Please Download NoLop to your desktop from one of the links below... Link 1 Link 2 Link 3 We shall use this later. Unplug your computer from the Internet when you have finished downloading. ****************************PURGE/CLEANUP***************************** Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Set the slider to "Standard CleanUp!" Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep that are stored in these locations; Move Them Now!!! ****************************SAFE MODE***************************** REBOOT TO SAFE MODE Restart the computer. The computer begins processing a set of instructions known as BIOS. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the 'Windows Advanced Options' menu appears. Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode. *****************************SETTING UP**************************** Enable the viewing of Hidden files From Windows Explorer, go to Tools>Folder Options>View tab. Enable the option for `Show hidden files and folder´ Disable the option for `Hide file extensions for known types´ Disable the option for `Hide protected operating system files´ Click Yes to confirm & then click OK *****************************HJT FIXES**************************** Run HJT and perform a scan. Place a check next to each of the following, if present, and click 'Fix Cehcked'. O4 - HKLM\..\Run: [Flag Body Team Online] C:\Documents and Settings\All Users\Application Data\FordWarnFlagBody\playskip.exe O4 - HKLM\..\Run: [bikini] bikini.exe O4 - HKCU\..\Run: [flawsurf] C:\DOCUME~1\Steven\APPLIC~1\WAVEDE~1\Site Blah Error.exe *****************************DELETIONS**************************** Please delete this file: C:\WINDOWS\system32\bikini.exe *****************************SMITFRAUDFIX**************************** Open the SmitfraudFix Folder, Double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter*. Wait for the tool to complete and disk cleanup to finish. You will be prompted : "Registry cleaning - Do you want to clean the registry?" Answer Yes* by typing Y and hit Enter. The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter. A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. ******************************DESKTOP REPAIR**************************** Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: · "Security Info" · "Warning Message" · "Security Desktop" · "Warning Homepage" · "Desktop Uninstall" Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. ****************************AVG SCAN**************************** Please disable all other antivirus programs before proceeding. Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important). ****************************TRUSTED ZONES**************************** Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter You will be asked to Restore Hosts. Type 'Y'. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. ****************************NO LOP**************************** First close any other programs you have running as this will require a reboot Double click NoLop.exe to run it Now click the button labelled "Search and Destroy" <<your computer will now be scanned for infected files>> When scanning is finished you will be prompted to reboot only if infected, Click OK Now click the "REBOOT" Button. A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh HijackThis log --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. -- ****************************ONLINE SCAN**************************** REBOOT TO NORMAL MODE Perform an online scan with Internet Explorer with Panda ActiveScan** Click on located at the bottom of the page. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on then click * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan ******************************CHECK LIST****************************** In your next post, please include fresh logs from: AVG Results rapport.txt HiJackThis Online scan C:\NoLop.log Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________