How Do I Remove Snakeoil.dom (fixed)



My son's paypal account cannot be accessed on his computer because of snakeoil.dom.

I have run updated spybot, adaware and avast, but it is still there.

I have run HijackThis but do not see anything by that name.

Do I need a special tool to remove it?

Edited by tman70
Snakeoil.dom is usually related to SSL certificates. You don't give any details about why you can't access the account besides "because of snakeoil.dom".

Phil

If he clicks on a link on the site it does nothing. If he logs in it asks for all his information.

If we use https:// instead of http:// it says that the certificate is fraudulent.

He can access Paypal from my computer without any problems.

Does this help?


If you're using IE, go to the "Tools" option on your taskbar, then "Internet Options". Click on the "Content" tab. Use the second option, "Certificates".

Here you can view and remove both SSL and normal certificates.

> If you're using IE, go to the "Tools" option on your taskbar, then "Internet Options". Click on the "Content" tab. Use the second option, "Certificates".
>
> Here you can view and remove both SSL and normal certificates.

I tried that and did not see anything relating to "snakeoil". I did click the Clear SSL State button. I was able to try the PayPal site using https:// and got the snakeoil cert warning me the site was fraudulent, but did not see anything to help me locate it. The only name in it is snakeoil.

This is what the certificate says:

SSL Server Certificate

Issued to:
  Common name (CN): www.snakeoil.dom
  Organization (O): Snake Oil.LTD
  Organizational unit (OU): webserver team
  Serial number: 01

Issued by:
  Common name (CN): Snake Oil CA
  Organization (O): Snake Oil.LTD
  Organizational unit (OU): Certificate Authority

Validity:
  Issued on: 10/21/1999
  Expires on: 10/20/2001

Fingerprints:
  SHA1: 16:59:31:46:69:80:62:02:43:E0:DB:95:29:00:D7:58:7A:80:30:7C
  MD5:  BA:EC:16:30:27:CA:99:17:FF:DF:A4:4C:BC:BF:1B:98

If I use the https:// the site shows the closed lock at the bottom, but as soon as you click a link it redirects you to the bad site and you lose the lock.

The PayPal page has been pharmed, or whatever you call it, because it will only let you go to the login where you have to enter all your information again. My son does not keep his names and passwords on the computer. He types them in as needed, which probably saved him.

I have posted a Hijack This log on the malware site.

How do I get the real paypal site back?

Edited by tman70
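A server certificate is sent by the server on every TLS connection and is not stored on the client, which is why nothing named "snakeoil" turns up under Internet Options > Content > Certificates and why "Clear SSL State" does nothing to it. The browser evaluates it on the spot, and the warning tman70 saw comes from three independent failures of the fields above. The following is an added example, not code from anyone in this thread: it transcribes the posted certificate fields and applies the same three checks a browser applies. The trusted-issuer list and the mid-2007 check date are constructed for the example.

```python
"""Added example (not code from the thread): evaluate a server certificate's
fields the way a browser does before it shows a warning.

The fields below are transcribed from the certificate tman70 posted; the
trusted-issuer list and the check date are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertInfo:
    subject_cn: str
    subject_o: str
    issuer_cn: str
    issuer_o: str
    not_before: date
    not_after: date


# Transcribed from the warning dialog quoted in the thread.
SNAKEOIL = CertInfo(
    subject_cn="www.snakeoil.dom",
    subject_o="Snake Oil.LTD",
    issuer_cn="Snake Oil ca",
    issuer_o="Snake Oil.LTD",
    not_before=date(1999, 10, 21),
    not_after=date(2001, 10, 20),
)

# Constructed stand-in for the browser's root store: (issuer CN, issuer O) pairs.
TRUSTED_ISSUERS = {("Example Root CA", "Example Trust Services")}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against the host the user typed (RFC 6125 style):
    exact match, or a single leading '*.' that covers exactly one DNS label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]                      # ".paypal.com"
        if hostname.endswith(suffix):
            leftmost = hostname[: -len(suffix)]   # "www" for www.paypal.com
            return leftmost != "" and "." not in leftmost
    return False


def assess(cert: CertInfo, expected_host: str, today: date, trusted) -> list:
    """Return the reasons a browser would refuse this certificate for expected_host.
    An empty list means the certificate is acceptable."""
    findings = []
    if (cert.issuer_cn, cert.issuer_o) not in trusted:
        findings.append("untrusted-issuer")       # nobody in the root store vouches for it
    if today < cert.not_before:
        findings.append("not-yet-valid")
    elif today > cert.not_after:
        findings.append("expired")
    if not hostname_matches(cert.subject_cn, expected_host):
        findings.append("hostname-mismatch")      # cert is for a different name
    return findings


if __name__ == "__main__":
    # Check date constructed to fall in mid-2007, when the thread was written.
    for reason in assess(SNAKEOIL, "www.paypal.com", date(2007, 7, 1), TRUSTED_ISSUERS):
        print("refuse:", reason)
```

Run stand-alone it reports all three reasons. The practical point for anyone reading the warning: a certificate that fails any one of these checks is not something to "remove" from the client; the question is why the connection to www.paypal.com is reaching a server that presents it, which is what the rest of the thread tracks down.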

http://journals.aol.com/cutefacedblonde/sn...--snakeoil.com/

If your computer produces an authentication certificate which says Snakeoil.dom or Snakeoil.com, DO NOT OPEN IT!

It launches a JS/Downloader Trojan which infects your .dll system files, and will continually re-install itself!

The Israeli computer thieves who launched this sinister trojan are attempting to gather (through use of keylogger spyware) your e-gold and alertpay password information.

Once they have that information, they will wait until you finish your transaction, and then set all your security settings to "OFF". They monitor your account activity, and when opportunity presents itself, they will clean out your account.

I am going to suggest you try the Kaspersky online scanner

http://www.kaspersky.com/virusscanner

Click on the thing with the magnifying glass at upper left.

It will only identify (not remove) the infection but it will help the guys in the security and hijack forum to help you.

Edited by Pete_C
> http://journals.aol.com/cutefacedblonde/sn...--snakeoil.com/
> If your computer produces an authentication certificate which says Snakeoil.dom or Snakeoil.com, DO NOT OPEN IT!
>
> It launches a JS/Downloader Trojan which infects your .dll system files, and will continually re-install itself!
>
> The Israeli computer thieves who launched this sinister trojan are attempting to gather (through use of keylogger spyware) your e-gold and alertpay password information.
>
> Once they have that information, they will wait until you finish your transaction, and then set all your security settings to "OFF". They monitor your account activity, and when opportunity presents itself, they will clean out your account.
>
> I am going to suggest you try the Kaspersky online scanner
>
> http://www.kaspersky.com/virusscanner
>
> Click on the thing with the magnifying glass at upper left.
>
> It will only identify (not remove) the infection but it will help the guys in the security and hijack forum to help you.

Hi Pete.

Thanks for the advice.

I had run the Kaspersky scan after I had posted the HJT log.

All it found was killwind.exe, which is a Compaq bundled program that lets them access the computer remotely. Since the computer is not under warranty I'll remove it later.

I did run the scan again just now and all it found was Smitfraudfix and killwind.

Smitfraudfix is what HJT guy here told me to try.

At this time since I am being helped by the guys at HJT forum I am only going to add or remove what they tell me.

Strange that nothing shows, but the PayPal page is still hijacked.

Thanks again


Have you taken a look at your C:\WINDOWS\system32\drivers\etc\hosts file? You may see a suspicious entry in it.

Mine is just the default:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


Once they get you cleaned , make sure to uninstall all older Java Runtime Environment and get the latest (1.6.01) from Sun Java.

Also, delete that snake oil certificate.

If I remember correctly, this is a JS downloader trojan, so make sure you clean all temp internet files too.

> Have you taken a look at your C:\WINDOWS\system32\drivers\etc\hosts file? You may see a suspicious entry in it.
>
> Mine is just the default:
>
> # Copyright (c) 1993-1999 Microsoft Corp.
> #
> # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
> #
> # This file contains the mappings of IP addresses to host names. Each
> # entry should be kept on an individual line. The IP address should
> # be placed in the first column followed by the corresponding host name.
> # The IP address and the host name should be separated by at least one
> # space.
> #
> # Additionally, comments (such as these) may be inserted on individual
> # lines or following the machine name denoted by a '#' symbol.
> #
> # For example:
> #
> # 102.54.94.97 rhino.acme.com # source server
> # 38.25.63.10 x.acme.com # x client host
>
> 127.0.0.1 localhost

shanenin,

My hosts file is the same as yours.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Edited by tman70
> Once they get you cleaned, make sure to uninstall all older Java Runtime Environment and get the latest (1.6.01) from Sun Java.
>
> Also, delete that snake oil certificate.
>
> If I remember correctly, this is a JS downloader trojan, so make sure you clean all temp internet files too.

Pete

I will do that when we get it cleaned. I intend to update everything that needs it.

I intend to later remove a lot of Compaq bundled junk that he doesn't need.

I have gone to IE Options\Content and tried to find the snakeoil certificate, but cannot find it in:

certificates

publishers

intermediate certification authorities

trusted root certification authorities

I have clicked the clear SSL State button, but the snakeoil cert. is still there.

How do I remove it when I can't find it?

Edited by tman70
> http://journals.aol.com/cutefacedblonde/sn...--snakeoil.com/
> If your computer produces an authentication certificate which says Snakeoil.dom or Snakeoil.com, DO NOT OPEN IT!
>
> It launches a JS/Downloader Trojan which infects your .dll system files, and will continually re-install itself!
>
> The Israeli computer thieves who launched this sinister trojan are attempting to gather (through use of keylogger spyware) your e-gold and alertpay password information.
>
> Once they have that information, they will wait until you finish your transaction, and then set all your security settings to "OFF". They monitor your account activity, and when opportunity presents itself, they will clean out your account.
>
> I am going to suggest you try the Kaspersky online scanner
>
> http://www.kaspersky.com/virusscanner
>
> Click on the thing with the magnifying glass at upper left.
>
> It will only identify (not remove) the infection but it will help the guys in the security and hijack forum to help you.

Just for the record, I cannot find any info on this other than on 2 blogs. I've searched Kaspersky's site, Webroot's site, and many other legitimate sites that we commonly use to investigate malware, etc. I'm not sure of the origin of this particular story. Every other reference for snakeoil.dom that I can find is related to Apache servers. Since the blog you quoted was from May 14 of this year, if this were an actual virus there should be information on the major antivirus and malware sites by now. If someone can find this on a legitimate site they can point me to, that would be great, but at this time I'm assuming that this is some sort of hoax.

sari


I would strongly advise you to have someone with training read your HJT log first before doing anything.

Here is the link to the HJT thread:

http://www.besttechie.net/forums/Paypal-Pr...ved-t12185.html

Here is a condensed version that sari, from the HJT Forums, had me fix with HJT to get rid of the snakeoil.dom certificate.

I needed to reset my network information, especially my DNS servers.

This line was redirecting me.

O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74

That address appears to go to a company called Layered Tech, in Texas, but it actually resolves to a Brazilian address.

He had me run HJT again and put check marks at these entries and then click fix.

O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74

O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74

O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74

Then I went to Start > Run and typed cmd.

Typed> ipconfig /flushdns and hit enter.

I did this for both computers.

Then I shut off both PCs and unplugged the cable modem and the router for 1 hr.

I then rebooted and went to Start > Run and typed cmd.

Then I typed> ipconfig /renew. I did this for both computers.

This will get new network addresses.

The snakeoil certificate was gone and PayPal was back to its original settings and the PayPal certificate.

I hope this helps someone else.

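The fix above and shanenin's hosts-file check earlier in the thread are the two places a Windows client's name resolution can be quietly redirected: the hosts file, and the per-interface NameServer values under the Tcpip service key that HijackThis reports as O17 lines. Once the resolver is under someone else's control, "www.paypal.com" resolves to a server the attacker picked, and that server's certificate (the snakeoil one) is what the browser then complains about. The following is an added example, not code from sari, tman70 or the HijackThis project: it parses O17 lines out of an HJT log and flags resolvers that are not on an approved list, and scans a hosts file for watched domains pinned to a non-loopback address. The three O17 lines with 72.21.36.74 are the ones from this thread; the approved resolver 192.168.1.1, the fourth O17 line, the 203.0.113.7 hosts entry and the watch list are constructed.

```python
"""Added example (not code from the thread): audit the two places a Windows
client's name resolution can be redirected, the hosts file and the per-interface
NameServer registry values that HijackThis reports as O17 lines.

The three 72.21.36.74 lines are taken from the thread; the approved resolver
192.168.1.1, the fourth interface, the 203.0.113.7 hosts entry and the watch
list are constructed for the example.
"""
import ipaddress
import re

# "O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d[,e.f.g.h]"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text: str) -> dict:
    """Map each interface key in an HJT log to the list of resolver IPs it uses."""
    found = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # NameServer may hold several addresses separated by commas or spaces.
            servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
            found[m["key"]] = servers
    return found


def rogue_nameservers(log_text: str, approved: set) -> dict:
    """Interfaces whose configured resolvers include any address not on the
    approved list (normally the router or the ISP's resolvers)."""
    rogue = {}
    for key, servers in parse_o17(log_text).items():
        bad = [s for s in servers if s not in approved]
        if bad:
            rogue[key] = bad
    return rogue


def suspicious_hosts_entries(hosts_text: str, watched_domains) -> list:
    """(ip, hostname) pairs in a hosts file that pin a watched domain (or a
    subdomain of one) to anything other than a loopback address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, ignore here
        for host in parts[1:]:
            h = host.lower()
            watched = any(h == d or h.endswith("." + d) for d in watched_domains)
            if watched and not ip.is_loopback:
                hits.append((str(ip), h))
    return hits


# Constructed HJT excerpt: the three O17 lines from the thread plus one
# constructed interface that points at the home router.
SAMPLE_HJT = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""
APPROVED_RESOLVERS = {"192.168.1.1"}             # constructed: the router the ISP hands out

# Constructed hosts file: the default localhost line plus one pharming-style pin.
SAMPLE_HOSTS = """\
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
203.0.113.7 www.paypal.com paypal.com   # constructed: non-loopback pin of a watched domain
"""
WATCHED = ["paypal.com"]


if __name__ == "__main__":
    for key, bad in rogue_nameservers(SAMPLE_HJT, APPROVED_RESOLVERS).items():
        print("rogue resolver on", key.rsplit("\\", 1)[-1], "->", bad)
    for ip, host in suspicious_hosts_entries(SAMPLE_HOSTS, WATCHED):
        print("hosts file pins", host, "to", ip)
```

Run stand-alone it names the three hijacked interfaces and the constructed hosts-file pin. The script only reports; the remediation is what the post above describes, removing the O17 values, `ipconfig /flushdns`, and `ipconfig /renew` to get a fresh resolver from the router. Because the rogue value was written per interface GUID, checking every interface matters: a machine with a clean primary adapter can still be redirected through a second one.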

Good to see the two of you got it. Besides the bad IP redirect I would also suggest getting rid of the Hits2uToolbar. It can contain adware/spyware. I take it the kid is using Traffic Swarm to direct hits to a personal web site/blog.

> Good to see the two of you got it. Besides the bad IP redirect I would also suggest getting rid of the Hits2uToolbar. It can contain adware/spyware. I take it the kid is using Traffic Swarm to direct hits to a personal web site/blog.

Hi TT_75,

Thanks for the information. I will ask my son about it.

I think he has a business web site, but I don't ask or pry as it is his affair not mine.

He was all for taking his computer to a repair shop until I convinced him that you guys here would help solve the problem. There are a lot of good people on this board.

He was real pleased when he found out the only cost was a few days time.

Of course my time is expensive as tomorrow he has to help me with some plumbing.

Him working and me supervising. LOL

The wife and I are both disabled and the son (man) helps take care of us.

We could not make it without him.

So to stay busy I get to keep both computers working.

Thanks TT_75, we both appreciate the advice.

  • 1 month later...
> Good to see the two of you got it. Besides the bad IP redirect I would also suggest getting rid of the Hits2uToolbar. It can contain adware/spyware. I take it the kid is using Traffic Swarm to direct hits to a personal web site/blog.

The original post was "how do I remove snakeoil.dom". I found this post from an internet search for snakeoil.dom because I came across something interesting a moment ago that smart people on this site may be knowledgeable of.

I went to purchase a product from thompsoncigar.com a moment ago and when I made my checkout my computer popped a window up saying something like invalid certificate for the site (that sort of thing), so I clicked for details and it said the owner of the site was snakeoil.dom.

Anyone know anything about this? Can you give me further information?


They're supposedly the largest online cigar seller. Here's what's said about them on Whois:

Registrant:
  Thompson and Company of Tampa, Inc. (DOM-155219)
  5401 Hangar Court Tampa
  FL
  33634 US

Domain Name: thompsoncigar.com
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com

Administrative Contact:
  Domain Admin (NIC-14351765)
  Thompson and Company of Tampa, Inc.
  5401 Hangar Court Tampa
  FL
  33634 US
  [email protected] +1.8138846344 Fax- +1.8132432261

Technical Contact, Zone Contact:
  Domain Admin (NIC-14351765)
  Thompson and Company of Tampa, Inc.
  5401 Hangar Court Tampa
  FL
  33634 US
  [email protected] +1.8138846344 Fax- +1.8132432261

Created on..............: 1997-Jul-23.
Expires on..............: 2008-Jul-21.
Record last updated on..: 2007-Jun-19 04:12:14.

Domain servers in listed order:
  UDNS1.ULTRADNS.NET
  UDNS2.ULTRADNS.NET
  NS2.MYDYNDNS.ORG
  NS3.MYDYNDNS.ORG
  NS4.MYDYNDNS.ORG
  NS5.MYDYNDNS.ORG

MarkMonitor.com - The Leader in Corporate Domain Management
