
View Full Version : fake.wget is still there after using your fixme.reg!



mmoyne
2006-12-01, 05:20
Hello

This is my first post.

After trying your fixme.reg I opened IE7 and was shocked to find the about:blank parasite still there.

This has kept me up to half two in the morning so far, it has me stumped!

I backed up my registry either last night or this morning using SpyBot Search & Destroy.

Please help as I will be purchasing Windows Vista Ultimate on January 30th 2007. I was using IE7+ on my brother-in-law's computer last night. He has Vista Ultimate RC1 installed and working perfectly apart from this bug.

Here are the registry details.

HKEY_USERS

HKEY_USERS\S-1-5-21-1078081533-1844823847-1801674531-1003

HKEY_USERS\S-1-5-21-1078081533-1844823847-1801674531-1003\Software

HKEY_USERS\S-1-5-21-1078081533-1844823847-1801674531-1003\Software\Wget

In the right-hand window:

Name Type Data

(default) REG_SZ (value not set)
klg REG_BINARY 00

The other one is:

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE\SOFTWARE

HKEY_LOCAL_MACHINE\SOFTWARE\Wget

In the right-hand window

Name Type Data

(default) REG_SZ (value not set)

nck REG_BINARY 0000 F5 11 42 50 38 12 69 12 the next character I can't type and as the file is BINARY it won't let me paste this data. The next character I can type, here it is: it's a full stop . BP8. i.

0008 DD 4A 4F 2C 33 34 72 00 the next one is a Y with an acute above it next is JO, 34r.

0010 A3 78 26 35 57 32 2D 60 £x & 5W2 - raised small diagonal line from left to right downwards

0018 B4 3C 2A 5E 33 34 72 00 same as last diagonal line only this time upwards. <*^34r.

0020 and nothing else.

Your file was not even added to the registry btw.

Right, that's it. It's now 03:18 and I'm off to bed before my Dad switches the electric off.

Please help me get this sorted out.

mmoyne

LonnyRJones
2006-12-06, 13:46
Welcome mmoyne

Please go here and follow instructions.
http://forums.spybot.info/showthread.php?t=288
Post a HijackThis log and an online scan report here in this thread.

mmoyne
2006-12-10, 01:16
Hello

Here are the contents of the HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 23:13:19, on 09/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

LonnyRJones
2006-12-10, 14:28
That's only part of the log; we need to see all of it.

Also: Post a SpyBot results report.
Run SpyBot check for problems, fix all red items, and when it's finished, right-click and choose copy results
(not full report) to clipboard and paste that back here please.

tashi
2006-12-18, 20:44
This topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

EDIT:
mmoyne PMed to inform us the problem was resolved. :)