Systemerrorfixer etc

Hi

Let's run SUPERAntiSpyware next. Before that, uninstall Malwarebytes' Anti-Malware through Add/Remove Programs.


Then download SUPERAntispyware Free Edition (http://www.superantispyware.com/download.html)

Install it and double-click the icon on your desktop to run it.
* It will ask if you want to Update the program definitions, click Yes.
* Under Configuration and Preferences, click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
* On the main screen, under Scan for Harmful Software click Scan your computer.
* On the left check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.
* To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Please add the log as an attachment in your post.


Then run Spyware Doctor again and let me know if the finding amount has decreased.
 
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/15/2008 at 07:18 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 01:02:20

Memory items scanned : 648
Memory threats detected : 0
Registry items scanned : 3840
Registry threats detected : 25
File items scanned : 44216
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Helen\Cookies\helen@media.sensis.com[1].txt
C:\Documents and Settings\Helen\Cookies\helen@socialmedia[2].txt
C:\Documents and Settings\Helen\Cookies\helen@rocku.adbureau[2].txt

Unclassified.Oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
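
A helper reading a log like the one above can check that the itemised entries add up to the "threats detected" totals before deciding what to clean. The following is an added example, not part of the original posts and not SUPERAntiSpyware's own code; the sample log is constructed, and the layout rules (blank line between groups, `#` between key and value name) are assumptions read off the log above.

```python
import re

# Constructed excerpt in the layout of the scan log above (names are made up).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Scan type : Complete Scan

Registry threats detected : 3
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@ads.example[1].txt

Unclassified.Example32
HKLM\SYSTEM\CurrentControlSet\Services\example32
HKLM\SYSTEM\CurrentControlSet\Services\example32#Start
HKLM\SYSTEM\CurrentControlSet\Services\example32\Enum#Count
C:\WINDOWS\SYSTEM32\DRIVERS\EXAMPLE32.SYS
"""

COUNT = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
HIVE = re.compile(r"^(HKLM|HKCU|HKU|HKCR|HKEY_[A-Z_]+)\\")
DRIVE = re.compile(r"^[A-Za-z]:\\")

def parse_scan_log(text):
    """Return (claimed, findings); header lines that head no items are dropped."""
    claimed, findings, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = COUNT.match(line)
        if m:
            claimed[m.group(1).lower()] = int(m.group(2))
        elif not line:
            current = None                       # a blank line closes the group
        elif HIVE.match(line) or DRIVE.match(line):
            kind = "registry" if HIVE.match(line) else "file"
            path, _, value = line.partition("#") if kind == "registry" else (line, "", "")
            if current:
                findings[current].append((kind, path, value or None))
        else:
            current = line                       # candidate threat-name heading
            findings.setdefault(current, [])
    return claimed, {name: items for name, items in findings.items() if items}

def reconcile(claimed, findings):
    """Return {kind: (claimed, itemised)} for each count that does not match."""
    seen = {"registry": 0, "file": 0}
    for items in findings.values():
        for kind, _, _ in items:
            seen[kind] += 1
    return {k: (claimed.get(k), n) for k, n in seen.items() if claimed.get(k) != n}
```

An empty result from `reconcile` means the log was pasted whole; a mismatch usually means the attachment was truncated.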
 
Spyware Doctor Scan

OK

Of the 4 it found last time:
Rootkit.Agent
Trojan-Downloader.Conhook
RogueAntiSpyware.SpywareNo
Spyware.180search_Assistant

The first two are gone (which it rated as the most dangerous).

The last two are still there, along with
Trojan.Generic

and an application (NirCmd) which it rates as legit.
 
Hi

Yes, NirCmd is legit. Let's try to remove that other one with a little registry fix.


Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

Code:
REGEDIT4

[-HKEY_USERS\S-1-5-21-1149337873-3581715974-4078141996-1005\Software\Wget]

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Let me know if that helped :)
 
Something called 'Application.TrackingCookies' (also apparently legit) has replaced the Trojan one. The other 3 are still there.
 
Hi

To be able to help, I would need to see all the items Spyware Doctor finds. A cookie is not a problem, but if you want those registry findings cleaned I need to see their complete paths. The regfix I provided in my previous post was easy enough to create 'cos I could see the whole key in the screenshot.
 
OK

There are two registry keys for each of the two that are still a problem.

For RogueAntiSpyware.SpywareNo (7 infections):
HKEY_USERS\S-1-5-21-1149337873-3581715974-4078141996-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}\iexplore
HKEY_USERS\S-1-5-21-1149337873-3581715974-4078141996-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}

For Spyware.180search_Assistant (6 infections):
HKEY_USERS\S-1-5-21-1149337873-3581715974-4078141996-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DECEAAA2-370A-49BB-9362-68C3A58DDC62}\iexplore
HKEY_USERS\S-1-5-21-1149337873-3581715974-4078141996-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DECEAAA2-370A-49BB-9362-68C3A58DDC62}


Do you need registry values as well?
 
Hi

Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

Code:
REGEDIT4

[-HKEY_USERS\S-1-5-21-1149337873-3581715974-4078141996-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A26F07F-0D60-4835-91CF-1E1766A0EC56}]

[-HKEY_USERS\S-1-5-21-1149337873-3581715974-4078141996-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DECEAAA2-370A-49BB-9362-68C3A58DDC62}]

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)
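
Before merging a fix.reg received this way, the sections it contains can be compared with the keys the scanner actually reported. This is an added example, not part of the original posts; the key paths and CLSIDs are copied from the thread, and the function names are hypothetical.

```python
import re

# Copied from the thread above: the user's Ext\Stats path, the second fix.reg,
# and the keys the user listed from Spyware Doctor.
STATS = (r"HKEY_USERS\S-1-5-21-1149337873-3581715974-4078141996-1005"
         r"\Software\Microsoft\Windows\CurrentVersion\Ext\Stats")
CLSIDS = ["{1A26F07F-0D60-4835-91CF-1E1766A0EC56}",
          "{DECEAAA2-370A-49BB-9362-68C3A58DDC62}"]
FIX_REG = "REGEDIT4\n\n" + "".join(f"[-{STATS}\\{c}]\n\n" for c in CLSIDS)
REPORTED = [f"{STATS}\\{c}{tail}" for c in CLSIDS for tail in (r"\iexplore", "")]

SECTION = re.compile(r"^\[(-?)(.+)\]$")

def under(parent, key):
    """True if key is parent or a subkey of it (registry paths ignore case)."""
    p, k = parent.lower().rstrip("\\"), key.lower().rstrip("\\")
    return k == p or k.startswith(p + "\\")

def review_reg(text, reported):
    """Classify what a .reg file does relative to the keys a scanner reported."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    header_ok = bool(lines) and lines[0] in ("REGEDIT4",
                                             "Windows Registry Editor Version 5.00")
    deletes, writes = [], []
    for line in lines[1:]:
        m = SECTION.match(line)
        if m:
            (deletes if m.group(1) else writes).append(m.group(2))
    return {
        "header_ok": header_ok,
        "writes": writes,   # sections that add or change data rather than delete
        # deletions that are not at or below any reported key (too broad or unrelated)
        "out_of_scope": [d for d in deletes
                         if not any(under(r, d) for r in reported)],
        # reported keys that no deletion in the file would remove
        "uncovered": [r for r in reported
                      if not any(under(d, r) for d in deletes)],
    }
```

For the fix.reg in this post all three lists come back empty: each deletion targets a reported `{CLSID}` key, and removing that key also removes its `iexplore` subkey.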
 
Yep. :) If you install that hosts file I mentioned you won't see too many cookies either. Can't recall whether or not I mentioned this but it's recommended to run ATF Cleaner occasionally (once or twice a month). That way you can clean out temporary files that otherwise keep piling up. :)
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 