
Systemerrorfixer


11 replies to this topic

#1 keithy

keithy

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:03:08 PM

Posted 09 February 2008 - 09:29 AM

CAN ANYONE TELL ME HOW TO STOP THIS, IT'S DRIVING ME UP THE WALL???
Within a few minutes of launching Windows browser I get this warning, and I should download a special program to get rid of embarrassing adware. I've tried Spybot S&D, Adaware 2007, PC Tools and Advanced system cleaner V1.8.1, I've manually deleted "systemerrorfixer" using editreg, I've searched all files and removed it but to no avail, I need Help!


 


#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 09 February 2008 - 12:36 PM

Hi and welcome :flowers: for a starting point, can you please tell us what your Windows version and antivirus protection are please :thumbsup:

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,330 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:08 AM

Posted 09 February 2008 - 09:00 PM

Hello keithy
For XP/2K only

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 keithy


Posted 10 February 2008 - 08:20 AM

my PC
AMD 64 X 2 Dual Core Processor 4600 + 2,41 GHz , GB RAM
Windows XP Home 2002 (sp2)

Avast antivirus
Spybot S&D
AVG antispyware 7,5

I've tried also
a-squared
c-cleaner and rogueremover

I've even tried using another browser (T-Online) makes no difference!

Now run SmitfraudFix with the following results:

SmitFraudFix v2.285

Scan done at 14:07:16.15, 10/02/2008
Run from C:\Dokumente und Einstellungen\Keith\Eigene Dateien\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\XpertVision\TBPanel.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\T-DSL SpeedManager\SpeedMgr.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\dokumente und einstellungen\keith\lokale einstellungen\anwendungsdaten\yofglkgtg.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\DNA\btdna.exe
C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\T-DSL SpeedManager\TSMSvc.exe
C:\Dokumente und Einstellungen\Keith\Anwendungsdaten\U3\0DB0F860A080B8B0\LaunchPad.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\explorer.exe
c:\programme\a-squared free\a2free.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

C:\


C:\WINDOWS

C:\WINDOWS\frplprg.exe FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Dokumente und Einstellungen\Keith


C:\Dokumente und Einstellungen\Keith\Application Data


Start Menu


C:\DOKUME~1\Keith\FAVORI~1


Desktop


C:\Programme


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: dwrmntslwx.dll
BHO: SXG Advisor - {1C28A9A9-8704-4F4A-93B9-7983115F6E10}
TypeLib: {974B5E5F-5B0A-4041-B8E3-9739D667E38A}
Interface: {160647E4-22AE-4C2A-988B-455085B25E94}
Interface: {C9534338-A858-4249-9D97-B6F5C0C6F37A}


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: NVIDIA nForce Networking Controller - Paketplaner-Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A16069A0-CC57-40E0-B06C-2EC1E98BF835}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A16069A0-CC57-40E0-B06C-2EC1E98BF835}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Scanning for wininet.dll infection


End
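
A triage pass over the SmitfraudFix search report in the post above, as an added example that is not part of the original thread: it pulls out the lines the tool itself marked (`FOUND !`, `[!] Suspicious:`, the hosts warning), the hosts-file redirects, and processes running from a user profile folder. The profile-folder rule and the finding labels are assumptions of this example, and legitimate software also runs from there; the embedded report is an abridged copy of the posted log.

```python
import re

# Abridged copy of the SmitfraudFix report posted above.
SAMPLE_REPORT = r"""
Process

C:\WINDOWS\system32\svchost.exe
C:\dokumente und einstellungen\keith\lokale einstellungen\anwendungsdaten\yofglkgtg.exe
C:\Dokumente und Einstellungen\Keith\Anwendungsdaten\U3\0DB0F860A080B8B0\LaunchPad.exe

hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

C:\WINDOWS

C:\WINDOWS\frplprg.exe FOUND !
VACFix
[!] Suspicious: dwrmntslwx.dll
End
"""

# Assumption of this example: per-user profile roots on English and German XP.
PROFILE_DIRS = ("\\documents and settings\\", "\\dokumente und einstellungen\\")
HOSTS_ENTRY = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def triage(report):
    """Return (kind, detail) findings from a SmitfraudFix search report."""
    findings, section = [], None
    for raw in report.splitlines():
        line = raw.strip()
        lowered = line.lower()
        if not line:
            continue
        if lowered in ("process", "hosts"):
            section = lowered
        elif line.endswith("FOUND !"):
            findings.append(("tool-flagged-file", line[:-len("FOUND !")].strip()))
        elif line.startswith("[!] Suspicious:"):
            findings.append(("tool-flagged-module", line.split(":", 1)[1].strip()))
        elif section == "process":
            # Heuristic only: legitimate software also runs from the profile.
            if lowered.endswith(".exe") and any(d in lowered for d in PROFILE_DIRS):
                findings.append(("process-in-user-profile", line))
        elif section == "hosts":
            entry = HOSTS_ENTRY.match(line)
            if entry:
                findings.append(("hosts-redirect", f"{entry.group(2)} -> {entry.group(1)}"))
            elif "corrupted" in lowered:
                findings.append(("tool-flagged-hosts", line))
            else:
                section = None  # first non-hosts line ends the section
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REPORT):
        print(f"{kind:24} {detail}")
```

Each finding is a line to review by hand, not a verdict.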

#5 boopme


Posted 10 February 2008 - 10:23 AM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

#6 keithy


Posted 12 February 2008 - 09:06 AM

I've tried using another browser but still the same

Windows internet explorer

Notice: Yoursystem is not optimized and your computer performance is not at the highest level.
Full system optimization will greatly increase your compuret's performance and prevent data loss.

Would you like to install SystemErrorFixer to optimize your computer's performance now for free? (Recommended)

Yes Cancel

Unfortunately the rapport from SmitfraudFix is too long to copy and paste!

What does "along with a new HijackThis log" mean??

#7 boopme


Posted 12 February 2008 - 10:59 AM

I'm sorry about the Hijack line, meant for if you already had a log posted. Let's try this before we have to go to a HijackThis log.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
DO NOT run yet.

Now reboot into Safe Mode:
Safe Mode Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or the Opera browser click on that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,479 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:08 AM

Posted 12 February 2008 - 01:02 PM

Go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight "SystemErrorFixer" (if listed) and select Remove.

Search for and delete the following file(s) if present.

SysRep.exe
SysRep.exe.xml
ucookw.exe
atl71.dll
msvcp71.dll
mfc71.dll


You can use Windows Explorer to navigate to or use Windows Search feature > More advanced options to locate them. To do this, go to Start -> Search and click For Files or Folders....
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
When found right-click the file, choose delete and empty your recycle bin. If you get an error when deleting a file, right-click on it and check to see if the read only attribute is checked. If it is, uncheck it and try again. If that does not work, then open Task Manager, look for and kill the process if running, then delete the file. If you still have problems, then delete the file(s) in "Safe Mode".

Download AutoRuns and save it to your Desktop.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to systemerrorfixer or ucookw.
  • Right-click on the entry and choose delete.
  • Exit the program when done.
Please download OTMoveIt2 by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt2.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in the quote box and press CTRL+C or right-click and choose Copy.

C:\Program Files\systemerrorfixer
C:\Program Files\Common Files\systemerrorfixer
C:\Common Programs\systemerrorfixer
C:\Documents and Settings\All Users\Application Data\systemerrorfixer

  • Return to OTMoveIt2, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" (under the light blue bar) and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will be displayed in the right-hand pane.
  • Highlight everything in the Results window (under the green bar), press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.


Then search for and delete the following folder in bold if still present. You can use Windows Explorer to navigate to there:
C:\Documents and Settings\\Application Data\systemerrorfixer <- this folder
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 keithy


Posted 12 February 2008 - 02:45 PM

I've now started to use OPERA browser
up to now it's clear!!
This is the log from SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/12/2008 at 08:26 PM

Application Version : 3.9.1008

Core Rules Database Version : 3400
Trace Rules Database Version: 1392

Scan type : Complete Scan
Total Scan Time : 00:51:03

Memory items scanned : 169
Memory threats detected : 0
Registry items scanned : 5496
Registry threats detected : 0
File items scanned : 44883
File threats detected : 0

I will still carry out the advice from quietman7
will let you know what happens!

#10 quietman7


Posted 12 February 2008 - 03:14 PM

I will still carry out the advice from quietman7

Yes, please do. I didn't think SAS would help much with this.

#11 keithy


Posted 15 February 2008 - 08:51 AM

I'll start by thanking you all for your advice th
hopefully the problem has been solved!
Unfortunately I've lost the log on the results.

I did find:
msvcp71.dll
mfc71.dll
and deleted them all

now I get a warning box with the following:
ashDisp.exe component not found
msvcp71.dll not found please re-install application

I will when I've worked out what it is? however it's only on start-up so until I use a program that doesn't work
I can live with that, thanks again to everyone for their help, think I'll stick with Opera browser though
Cheers

#12 quietman7


Posted 15 February 2008 - 09:15 AM

The "Cannot find...", "Could not run..." message is usually related to a program (or malware) that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan or the uninstall of a program. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
Note: ashDisp.exe is related to Avast! anti-virus software. If you did not remove avast, then you should reinstall it.

Then if there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
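
The orphaned startup entry described in the post above, as an added example that is not part of the original thread: it reads Run-key values in the text format written by `reg export` and lists the entries whose program file is no longer present. It covers only the Run keys rather than every location Autoruns shows; the sample export, the program names and the `PRESENT` file set are constructed.

```python
import os
import re

# Constructed sample in the text format written by "reg export" (not from the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="C:\\PROGRA~1\\ExampleAV\\tray.exe"
"RemovedTool"="\"C:\\Program Files\\Removed Tool\\agent.exe\" /startup"
"Updater"="C:\\Program Files\\Example Updater\\upd.exe -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
# Constructed stand-in for the file system, so the example runs offline.
PRESENT = {r"c:\progra~1\exampleav\tray.exe",
           r"c:\program files\example updater\upd.exe",
           r"c:\windows\system32\ctfmon.exe"}

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(text):
    # .reg files write a backslash as two backslashes and a quote as backslash-quote.
    return re.sub(r"\\(.)", r"\1", text)


def candidates(command):
    """Yield possible executable paths for a startup command line."""
    command = command.strip()
    if command.startswith('"'):
        yield command[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces, so try each space-delimited prefix.
        parts = command.split(" ")
        for i in range(1, len(parts) + 1):
            yield " ".join(parts[:i])


def orphaned_entries(reg_text, exists=os.path.isfile):
    """Return (key, value name, command) for Run entries whose file is missing."""
    orphans, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(r"\currentversion\run"):
            continue
        name, command = unescape(m.group(1)), unescape(m.group(2))
        if not any(exists(path) for path in candidates(command)):
            orphans.append((key, name, command))
    return orphans


def sample_exists(path):
    return path.lower() in PRESENT


if __name__ == "__main__":
    print(orphaned_entries(SAMPLE_REG, exists=sample_exists))
```

On a real system the input comes from `reg export` of the Run keys, which writes UTF-16 text, and the default `os.path.isfile` check replaces `sample_exists`.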



