tman70 Posted July 10, 2007

My son's PayPal account cannot be accessed on his computer because of snakeoil.dom. I have run updated Spybot, Ad-Aware and Avast, but it is still there. I have run HijackThis but do not see anything by that name. Do I need a special tool to remove it?
Phil Posted July 10, 2007

Snakeoil.dom is usually related to SSL certificates. You don't give any details about why you can't access the account besides "because of snakeoil.dom".

Phil
tman70 (Author) Posted July 10, 2007

> Snakeoil.dom is usually related to SSL certificates. You don't give any details about why you can't access the account besides "because of snakeoil.dom".
> Phil

If he clicks on a link on the site it does nothing. If he logs in it asks for all his information. If we use https:// instead of http:// it says that the certificate is fraudulent. He can access PayPal from my computer without any problems. Does this help?
JSKY Posted July 11, 2007

If you're using IE, go to the "Tools" option on your taskbar, then "Internet Options". Click on the "Content" tab. Use the second option, "Certificates". Here you can view and remove both SSL and normal certificates.
tman70 (Author) Posted July 11, 2007

> If you're using IE, go to the "Tools" option on your taskbar, then "Internet Options". Click on the "Content" tab. Use the second option, "Certificates". Here you can view and remove both SSL and normal certificates.

I tried that and did not see anything relating to "snakeoil". I did click on the "Clear SSL State" button. I was able to try the PayPal site using https:// and got the snakeoil cert warning me the site was fraudulent, but did not see anything to help me locate it. The only name in it is snakeoil. This is what the certificate says:

SSL Server Certificate
Issued to:
    Common name (CN): www.snakeoil.dom
    Organization (O): Snake Oil.LTD
    Organization unit (OU): webserver team
    Serial number: 01
Issued by:
    Common name (CN): Snake Oil ca
    Organization (O): Snake Oil.LTD
    Organization unit (OU): Certificate Authority
Validity:
    Issued on: 10/21/1999
    Expires on: 10/20/2001
Fingerprints:
    SHA1: 16:59:31:46:69:80:62:02:43:EO:DB:95:29:00:D7:58:7A:80:30:7C
    MD5: BA:EC:16:30:27:CA:99:17:FF:DF:A4:4C:BC:BF:1B:98

If I use https:// the site shows the closed lock at the bottom, but as soon as you click a link it redirects you to the bad site and you lose the lock. The PayPal page has been pharmed, or whatever you call it, because it will only let you go to the login where you have to enter all your information again. My son does not keep his names and passwords on the computer. He types them in as needed, which probably saved him.

I have posted a HijackThis log on the malware site. How do I get the real PayPal site back?
TheTerrorist_75 Posted July 11, 2007

I just looked at your log. Tell your son to stop using the computer. It is infected. Wait for the HJT experts to help clean it up before resuming normal Internet use.
tman70 (Author) Posted July 11, 2007

Thanks TT_75. I'll try to keep him from using it until I can get some help.
Pete_C Posted July 15, 2007

http://journals.aol.com/cutefacedblonde/sn...--snakeoil.com/

If your computer produces an authentication certificate which says Snakeoil.dom or Snakeoil.com, DO NOT OPEN IT! It launches a JS/Downloader Trojan which infects your .dll system files, and will continually re-install itself! The Israeli computer thieves who launched this sinister trojan are attempting to gather (through use of keylogger spyware) your e-gold and alertpay password information. Once they have that information, they will wait until you finish your transaction, and then set all your security settings to "OFF". They monitor your account activity, and when opportunity presents itself, they will clean out your account.

I am going to suggest you try the Kaspersky online scanner: http://www.kaspersky.com/virusscanner

Click on the thing with the magnifying glass at upper left. It will only identify (not remove) the infection, but it will help the guys in the security and hijack forum to help you.
tman70 (Author) Posted July 16, 2007

> http://journals.aol.com/cutefacedblonde/sn...--snakeoil.com/
>
> If your computer produces an authentication certificate which says Snakeoil.dom or Snakeoil.com, DO NOT OPEN IT! It launches a JS/Downloader Trojan which infects your .dll system files, and will continually re-install itself! The Israeli computer thieves who launched this sinister trojan are attempting to gather (through use of keylogger spyware) your e-gold and alertpay password information. Once they have that information, they will wait until you finish your transaction, and then set all your security settings to "OFF". They monitor your account activity, and when opportunity presents itself, they will clean out your account.
>
> I am going to suggest you try the Kaspersky online scanner: http://www.kaspersky.com/virusscanner
>
> Click on the thing with the magnifying glass at upper left. It will only identify (not remove) the infection, but it will help the guys in the security and hijack forum to help you.

Hi Pete. Thanks for the advice.

I had run the Kaspersky scan after I had posted the HJT log. All it found was killwind.exe, which is a Compaq-bundled program that lets them access the computer remotely. Since the computer is not under warranty I'll remove it later. I did run the scan again just now and all it found was SmitfraudFix and killwind. SmitfraudFix is what the HJT guy here told me to try. At this time, since I am being helped by the guys at the HJT forum, I am only going to add or remove what they tell me.

Strange that nothing shows, but the PayPal page is still hijacked.

Thanks again
shanenin Posted July 17, 2007

Have you taken a look at your C:\WINDOWS\system32\drivers\etc\hosts file? You may see a suspicious entry in it. Mine is just the default:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
Pete_C Posted July 17, 2007

Once they get you cleaned, make sure to uninstall all older Java Runtime Environments and get the latest (1.6.01) from Sun Java. Also, delete that snake oil certificate. If I remember correctly, this is a JS downloader trojan, so make sure you clean all temporary internet files too.
tman70 (Author) Posted July 17, 2007

> Have you taken a look at your C:\WINDOWS\system32\drivers\etc\hosts file? You may see a suspicious entry in it. Mine is just the default:
>
> # Copyright (c) 1993-1999 Microsoft Corp.
> #
> # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
> #
> # This file contains the mappings of IP addresses to host names. Each
> # entry should be kept on an individual line. The IP address should
> # be placed in the first column followed by the corresponding host name.
> # The IP address and the host name should be separated by at least one
> # space.
> #
> # Additionally, comments (such as these) may be inserted on individual
> # lines or following the machine name denoted by a '#' symbol.
> #
> # For example:
> #
> #      102.54.94.97     rhino.acme.com          # source server
> #       38.25.63.10     x.acme.com              # x client host
>
> 127.0.0.1       localhost

shanenin,

My hosts file is the same as yours:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
tman70 (Author) Posted July 17, 2007

> Once they get you cleaned, make sure to uninstall all older Java Runtime Environments and get the latest (1.6.01) from Sun Java. Also, delete that snake oil certificate. If I remember correctly, this is a JS downloader trojan, so make sure you clean all temporary internet files too.

Pete,

I will do that when we get it cleaned. I intend to update everything that needs it. I intend to later remove a lot of Compaq-bundled junk that he doesn't need.

I have gone to IE Options > Content and tried to find the snakeoil certificate, but cannot find it in:

- Certificates
- Publishers
- Intermediate Certification Authorities
- Trusted Root Certification Authorities

I have clicked the "Clear SSL State" button, but the snakeoil cert is still there. How do I remove it when I can't find it?
sari Posted July 18, 2007

> http://journals.aol.com/cutefacedblonde/sn...--snakeoil.com/
>
> If your computer produces an authentication certificate which says Snakeoil.dom or Snakeoil.com, DO NOT OPEN IT! It launches a JS/Downloader Trojan which infects your .dll system files, and will continually re-install itself! The Israeli computer thieves who launched this sinister trojan are attempting to gather (through use of keylogger spyware) your e-gold and alertpay password information. Once they have that information, they will wait until you finish your transaction, and then set all your security settings to "OFF". They monitor your account activity, and when opportunity presents itself, they will clean out your account.
>
> I am going to suggest you try the Kaspersky online scanner: http://www.kaspersky.com/virusscanner
>
> Click on the thing with the magnifying glass at upper left. It will only identify (not remove) the infection, but it will help the guys in the security and hijack forum to help you.

Just for the record, I cannot find any info on this other than on 2 blogs. I've searched Kaspersky's site, Webroot's site, and many other legitimate sites that we commonly use to investigate malware, etc. I'm not sure of the origin of this particular story. Every other reference for snakeoil.dom that I can find is related to Apache servers. Since the blog you quoted was from May 14 of this year, if this were an actual virus there should be information on the major antivirus and malware sites by now. If someone can find this on a legitimate site they can point me to, that would be great, but at this time I'm assuming that this is some sort of hoax.

sari
tman70 (Author) Posted July 20, 2007

I would strongly advise you to have someone with training read your HJT log first before doing anything.

Here is the link to the HJT thread: http://www.besttechie.net/forums/Paypal-Pr...ved-t12185.html

Here is a condensed version of what sari, from the HJT forums, had me fix with HJT to get rid of the snakeoil.dom certificate.

I needed to reset my network information, especially my DNS servers. This line was redirecting me:

O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74

That address appears to go to a company called Layered Tech, in Texas, but it actually resolves to a Brazilian address.

He had me run HJT again, put check marks at these entries and then click Fix:

O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74

Then I went to Start > Run and typed cmd. Typed:

ipconfig /flushdns

and hit Enter. I did this for both computers.

Then I shut off both PCs and unplugged the cable modem and the router for 1 hr. I then rebooted and went to Start > Run and typed cmd. Then I typed:

ipconfig /renew

I did this for both computers. This will get new network addresses.

The snakeoil certificate was gone and PayPal was back to its original setting and the PayPal certificate.

I hope this helps someone else.
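As an added example (not code from this thread or from HijackThis), the two checks the thread walks through, the hosts file in shanenin's post and the O17 NameServer lines in the fix above, as a small Python script: it flags any static NameServer address outside an allowlist of expected resolvers and any hosts entry other than the stock localhost mapping. The allowlist (a home router at 192.168.1.1), the fourth O17 line with its made-up GUID, and the poisoned hosts line are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: the three O17 lines quoted above plus one benign entry (made-up GUID).
HJT_O17_SAMPLE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{144F6782-9984-4E25-9848-BC7F1AA97616}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{15CCB216-4184-4A68-B1CD-FCF69BC4CCAE}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6FC0D7-5F21-4ACB-8D12-623FC013CF14}: NameServer = 72.21.36.74
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-1111-2222-3333-444444444444}: NameServer = 192.168.1.1
"""
# Assumed allowlist: the resolvers this network should be using (here, a home router).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Constructed hosts file: the stock default from the thread plus one poisoned line (TEST-NET address).
HOSTS_SAMPLE = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.5     www.paypal.com    # constructed, not from the thread
"""

O17_RE = re.compile(r"^O17 - .*\{(?P<iface>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>[\d., ]+)$")


def rogue_nameservers(hjt_log, expected):
    """Return (interface GUID, ip) for every O17 NameServer address not in `expected`."""
    findings = []
    for line in hjt_log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HJT may list several resolvers separated by commas or spaces.
        for ip in m.group("servers").replace(",", " ").split():
            if ip not in expected:
                findings.append((m.group("iface"), ip))
    return findings


def suspicious_hosts_entries(hosts_text):
    """Return (hostname, ip) for hosts entries other than localhost -> a loopback address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False  # malformed address: treat as suspicious
        for name in names:
            if not (loopback and name.lower() == "localhost"):
                findings.append((name, ip))
    return findings
```

Run it against a real HijackThis log and C:\WINDOWS\system32\drivers\etc\hosts by reading those files into the two functions; a resolver you do not recognise, like the 72.21.36.74 entries here, is the sign the thread's fix was chasing.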
TheTerrorist_75 Posted July 21, 2007

Good to see the two of you got it. Besides the bad IP redirect, I would also suggest getting rid of the Hits2uToolbar. It can contain adware/spyware. I take it the kid is using Traffic Swarm to direct hits to a personal web site/blog.
tman70 (Author) Posted July 21, 2007

> Good to see the two of you got it. Besides the bad IP redirect, I would also suggest getting rid of the Hits2uToolbar. It can contain adware/spyware. I take it the kid is using Traffic Swarm to direct hits to a personal web site/blog.

Hi TT_75,

Thanks for the information. I will ask my son about it. I think he has a business web site, but I don't ask or pry as it is his affair, not mine.

He was all for taking his computer to a repair shop until I convinced him that you guys here would help solve the problem. There are a lot of good people on this board. He was real pleased when he found out the only cost was a few days' time. Of course my time is expensive, as tomorrow he has to help me with some plumbing. Him working and me supervising. LOL

The wife and I are both disabled and the son (man) helps take care of us. We could not make it without him. So to stay busy I get to keep both computers working.

Thanks TT_75, we both appreciate the advice.
zash Posted August 23, 2007

> Good to see the two of you got it. Besides the bad IP redirect, I would also suggest getting rid of the Hits2uToolbar. It can contain adware/spyware. I take it the kid is using Traffic Swarm to direct hits to a personal web site/blog.

The original post was "how do I remove snakeoil.dom". I found this post from an internet search for snakeoil.dom because I came across something interesting a moment ago that smart people on this site may be knowledgeable of.

I went to purchase a product from thompsoncigar.com a moment ago, and when I made my checkout my computer popped a window up saying something like "invalid certificate for the site" (that sort of thing), so I clicked for details and it said the owner of the site was snakeoil.dom. Anyone know anything about this? Can you give me further information?
garmanma Posted August 23, 2007

They're supposedly the largest online cigar seller. Here's what's said about them on Whois:

Registrant: Thompson and Company of Tampa, Inc. (DOM-155219)
5401 Hangar Court
Tampa FL 33634
US

Domain Name: thompsoncigar.com
Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com

Administrative Contact: Domain Admin (NIC-14351765)
Thompson and Company of Tampa, Inc.
5401 Hangar Court
Tampa FL 33634
US
[email protected] +1.8138846344 Fax- +1.8132432261

Technical Contact, Zone Contact: Domain Admin (NIC-14351765)
Thompson and Company of Tampa, Inc.
5401 Hangar Court
Tampa FL 33634
US
[email protected] +1.8138846344 Fax- +1.8132432261

Created on..............: 1997-Jul-23.
Expires on..............: 2008-Jul-21.
Record last updated on..: 2007-Jun-19 04:12:14.

Domain servers in listed order:
UDNS1.ULTRADNS.NET
UDNS2.ULTRADNS.NET
NS2.MYDYNDNS.ORG
NS3.MYDYNDNS.ORG
NS4.MYDYNDNS.ORG
NS5.MYDYNDNS.ORG

MarkMonitor.com - The Leader in Corporate Domain Management