Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Smithfraud (I think?) [RESOLVED]


  • This topic is locked This topic is locked

#121
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Bed Time for me, sorry


Trevuren
  • 0

Advertisements


#122
Summer_24

Summer_24

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 114 posts
I ran the Ewido scan for you, but it does not save to my desktop in normal mode, its only in safe mode...so I just wrote down exactly what it said.
Ewido Security Suite - Scan Report

+Created on: 9:18:23 AM, 07-27-2005

+Report-checksum: FFA75718

+Scan Result:

D:\Documents and settings\Sherry\Cookies\sherry@ad.yieldmanager[2].txt--> spyware.cookie.yieldmanager : cleaned with backup
D:\Documents and settings\Sherry\Cookies\sherry@advertising[1].txt--> spyware.cookie.advertising : cleaned with backup
D:\Documents and settings\Sherry\Cookies\sherry@atdmt[2].txt--> spyware.cookie.atdmt : cleaned with backup
D:\Documents and settings\Sherry\Cookies\sherry@servedby.advertising [1].txt--> spyware.cookie.Advertising : cleaned with backup
D:\Documents and settings\Sherry\Cookies\sherry@trafficmp[2].txt--> spyware.cookie.trafficmp : cleaned with backup
D:\WINDOWS\sizjhh.exe-->Adware.BetterInternet : cleand with backup


Logfile of HijackThis v1.99.1
Scan saved at 9:42:43 AM, on 7/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\SpyCatcher\DeleteSatellite.exe
D:\PROGRA~1\AIM\aim.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\SpyCatcher\Protector.exe
D:\Program Files\SpyCatcher\Scheduler daemon.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "D:\Program Files\SpyCatcher\DeleteSatellite.exe"
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "D:\Program Files\SpyCatcher\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Protector.lnk = D:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = D:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121549626671
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
  • 0

#123
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Are you raedy to close it down? If there are no more malware issues, just give me the OK and we will procede with the final but essential cleanup procedures


Trevuren
  • 0

#124
Summer_24

Summer_24

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 114 posts
I am ready to clean up everything! But I think that I should let you know that I am still receiving those pop ups that I posted earlier about from Messenger Service, and my computer seems to be running a little slower than usual. Oh, and my desktop is still that blue screen that took over my normal desktop that I had....and it also has an icon downloaded to it that reads "Free XXX" underneath it (which will not let me delete it, b/c it says I have to do so through add/remove programs...but I dont see any programs in there that should be removed). If you think we can get these things fixed with the clean up, then im ready to start!! Thanks for your help!
  • 0

#125
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Right click on http://www.greyknigh...pairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

2. Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

3. REBOOT your system.

4. Pleae tell me if it had the desired effect.

Trevuren
  • 0

#126
Summer_24

Summer_24

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 114 posts
I got it to work!!!! the desktop is back to normal :tazz:
  • 0

#127
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Excellent Summer. Well done


Now for the remaining popups.


Please tell me what messenger service is popping up? If it is a Windows product, do you use it?


Trevuren
  • 0

#128
Summer_24

Summer_24

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 114 posts
Message from SYSTEM to ALERT on 7-27-05 10:54:30 PM
Microsoft Windows has encountered an Internal Error, your windows registry is corrupted. We recommend a complete system scan.
Visit http://FixReg32.com to repair now...and then an ok button

Message from FROM to TO on 7-27-05 10:55:23 PM
STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
Windows has found 47 CRITICAL SYSTEM ERRORS!
To fix the errors please do the following: 1. download registry repair from: http://www.regcleanser.com. install registry repair 3. run registry repair 4. reboot your computer.
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!

Message from SYSTEM to ALERT on 7-27-05 10:55:26 PM
Windows has encountered an Internal Error, your Windows registry is corrupted. An Immediate system scan is recommended. Visit http://e-regpatch.com to repair...and then an ok button.

The list just goes on and on....but I have no idea what these messages are talking about. But I did look on my add/reomove progams list and found that my little sister had installed Windows Media Player & Windows Mediat Format Runtime sometime last Friday when I didnt know she got on the computer. Do you think that could be it? Im actually positive thats what it is, because I was looking back through the posts and I noticed that I first mentioned it to you on Saturday the 23, and the add/remove programs list says it was downloaded the 22nd. I think I remember getting one of these messages Friday night, but am not for sure...definitely on Saturday though! I bet this is it!!
I just went into the control panel under add/remove programs and deleted both of these programs, and then rebooted the computer.

Edited by Summer_24, 27 July 2005 - 10:20 PM.

  • 0

#129
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/

2. Start it and paste in FixReg32.com, wait for it to complete the search, click ok at the prompt.

3. Then when wordpad opens, copy that back here please.


Trevuren
  • 0

#130
Summer_24

Summer_24

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 114 posts
The message I got was....Search completed in 27 seconds, No instances of "FixReg32.com" found
  • 0

Advertisements


#131
Summer_24

Summer_24

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 114 posts
The message I got was....Search completed in 27 seconds, No instances of "FixReg32.com" found
  • 0

#132
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I haven't abandonned you. It is just that I have put out a request for some assistance with these messages as they do not appear to reflect any existing known sites.

I will get back to you as soon as possible.

Trevuren
  • 0

#133
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
To make things easier to read and pull out the possible bad stuff, please do the following:

1. This will clean the malware that still resides in your temporary folders

Download the .exe format of Cleanup by Steven Gould from :HERE
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaultsas set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • Finally click "CleanUp"
The program with probably ask you to reboot. If it doesn't, then REBOOT your system yourself.


2. Reset your System Restore (To clean out the malware)

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"
  • REBOOT your system.
3. I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe. This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.

Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items", please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.


REMEMBER just the bottom part, the infected files part

Regards,

Trevuren

  • 0

#134
Summer_24

Summer_24

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 114 posts
When doing step 2, do I disable first and then enable system restore? Or should I only be doing one of these two? Thanks,
Summer
  • 0

#135
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Both and more is coming


Trevuren
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP