Tech Support Forum - View Single Post

MicroBell · 06-25-2005, 03:39 AM

Please close the spacing on your next post as the log you posted is a mess

. Also move hijackthis to it's own folder on C: (C:\HJT) and NOT in a temp folder.

First, download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download and install AdawareSE Update it’s database after it’s installed and do a FULL system scan. Remove everything it finds.

Download, install, and update Ewido Security Suite

Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Scan local drives for temporary files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

After Cleanup! is finished:

Run Ewido.
Click on scanner
Make sure the following boxes are checked before scanning:
- Archives
Click on Start Scan
Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report
Save the report to your desktop
Exit Ewido

Reboot into normal mode.

Go to Start > Control Panel > Add or Remove Programs and remove the following:

WildTangent

Exit Add or Remove Programs.

Delete the following, in bold, if found:

C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\WINDOWS\delmsbb.exe
C:\winstall.exe
C:\Program Files\WildTangent <--folder

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/cus....ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus....//my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/cus..../www.yahoo.com
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program
Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKCU\..\Run: [delmsbb] C:\WINDOWS\delmsbb.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

**Note** Fix all but the first one of the 018 entrys. I don't have the time to reassemble your spacing for each of them.

Close HiJackThis.

RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download the smitfraud reg to your desktop.

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

After the merged successfully prompt, Using Windows Explorer, navigate to the following folder:

C:\Windows\Prefetch

If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.)

Reboot your computer.

You should be able to change your desktop back to normal now.

Post the report from Ewido and a new HiJackThis log into this topic.

06-25-2005, 03:39 AM	#2 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Please close the spacing on your next post as the log you posted is a mess . Also move hijackthis to it's own folder on C: (C:\HJT) and NOT in a temp folder. First, download and install CleanUp! but do not run it yet. NOTE Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. Download and install AdawareSE Update it’s database after it’s installed and do a FULL system scan. Remove everything it finds. Download, install, and update Ewido Security Suite Install ewido security suite Launch ewido, there should be a big E icon on your desktop, double-click it. The program will prompt you to update click the OK button The program will now go to the main screen You will need to update ewido to the latest definition files. On the left hand side of the main screen click update Click on Start The update will start and a progress bar will show the updates being installed. After the updates are installed, exit Ewido Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Scan local drives for temporary files Cleanup! All Users Click OK Press the CleanUp!* button to start the program. Reboot/logoff when prompted. After Cleanup! is finished: Run Ewido. Click on scanner Make sure the following boxes are checked before scanning: Binder Crypter Archives Click on Start Scan Let the program scan the machine While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK. Once the scan has completed, there will be a button located on the bottom of the screen named Save report Click Save report Save the report to your desktop Exit Ewido Reboot into normal mode. Go to Start > Control Panel > Add or Remove Programs and remove the following: WildTangent Exit Add or Remove Programs. Delete the following, in bold, if found: C:\Program Files\SpySheriff <-whole folder C:\Windows\Desktop.html C:\WINDOWS\delmsbb.exe C:\winstall.exe C:\Program Files\WildTangent <--folder Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED: R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus....ch/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus....//my.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus..../www.yahoo.com O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll" O4 - HKCU\..\Run: [delmsbb] C:\WINDOWS\delmsbb.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe Note Fix all but the first one of the 018 entrys. I don't have the time to reassemble your spacing for each of them. Close HiJackThis. RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download the smitfraud reg to your desktop. Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES. After the merged successfully prompt, Using Windows Explorer, navigate to the following folder: C:\Windows\Prefetch If there are any files inside the Prefetch folder, delete ALL of them. (Do NOT delete the folder. Just delete the files inside.) Reboot your computer. You should be able to change your desktop back to normal now. Post the report from Ewido and a new HiJackThis log into this topic. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder