View Full Version : Fake.Wget
After doing what LonnyRJones said in the other Fake.Wget topic, I did a scan and still got 1 Fake.Wget entry.
I just did another scan and I get 2 entries now.
LonnyRJones
2006-08-24, 15:21
Hi
Start HijackThis and place a check next to these items, if there.
O4 - HKLM\..\Run: [win.update.2006] C:\WINDOWS\system32\win.updater.exe
O4 - HKCU\..\Run: [win.update.2006] C:\WINDOWS\system32\win.updater.exe
====================================
Hit "Fix checked" and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manually delete C:\WINDOWS\system32\win.updater.exe
Check for and fix any problems with SpyBot twice; let us know if those two items are there on the second scan.
Also post a fresh HijackThis log.
Download and run Silentrunners.vbs and post the log it creates, please.
http://www.silentrunners.org/sr_scriptuse.html Click No so as not to skip the supplementary searches.
Wait until there is an "All Done" message!! Then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run. After a bit, a box will say done.
On the second scan I get only 1 entry.
I get some kind of script error when running Silentrunners.vbs.
Here is the error:
http://img150.imageshack.us/img150/3135/image1dy3.png
LonnyRJones
2006-08-25, 06:15
Were you able to delete that file?
I can't make out that screenshot; tell me what you saw in regards to the script error.
In Add/Remove Programs uninstall "SP2 Connection Patcher".
Have you ever had Kazaa installed?
Yes, I was able to delete the file.
Script: c:\documents and settings\josh\desktop\silent runners.vbs
Line: 2844
Char: 20
Error: Invalid procedure call or argument
Code: 800A0005
Source: Microsoft VBScript runtime error
No, I have never had Kazaa installed, but I do have LimeWire Pro.
LonnyRJones
2006-08-26, 04:51
Thanks
I sent the error off to the author.
In the meantime, let's see a ComboFix log.
Post a ComboFix log:
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large you might need to post half in one reply and half in another.
LonnyRJones
2006-08-26, 14:17
The author of Silent Runners would like you to run this test version:
http://www.aaronoff.com/misc_files/Silent%20Runners%20R47D03.vbs
It changes nothing on your system, just provides a report.
LonnyRJones
2006-08-27, 14:48
Copy the contents of the quote box below into a new Notepad document (not WordPad).
Click File > Save As... > call it check.bat > file type *All files* > and save it to your desktop.
rem Each ftype line appends the "open" command Windows runs for that file type
rem (what launches every .exe/.hta/.cmd/.com/.bat) to look.txt for inspection.
ftype exefile >> look.txt
ftype htafile >> look.txt
ftype cmdfile >> look.txt
ftype comfile >> look.txt
ftype batfile >> look.txt
rem Open the collected output so it can be copied into a reply.
start notepad look.txt
Run check.bat and post back with the text that will open, then delete check.bat and look.txt.
C:\Program Files\SP2 Connection Patcher < delete that folder
List the contents of these folders
C:\Program Files\Common Files\Microsoft Shared\MSEnv
C:\Program Files\Common Files\Microsoft Shared\Temp
C:\Documents and Settings\Josh\Application Data\Bat corn
The Application Data folder is hidden; you will need to
set Windows to show hidden extensions, files and folders.
>click here for instructions<. (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Launch Notepad (not WordPad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your desktop.
REGEDIT4
; [-KEY] deletes the whole key; "Name"=- deletes a single value.
; These Explorer/System policies restrict what the user may run or open
; and are not set on a normal home install.
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\RestrictRun]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"Ghp`amfUbrhLds"=-
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\DisallowCpl]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\DisallowRun]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\RestrictCpl]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoViewOnDrive"=-
"NoLogoff"=-
"NoWinKeys"=-
; The fake Wget's own settings key, under the logged-on user's hive.
[-HKEY_USERS\S-1-5-21-1758659609-1711668887-586469053-1008\Software\Wget]
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Check for problems again with SpyBot. Let me know if that fake Wget shows.
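The following is an added example and not part of the thread or any of the tools named in it. It reads, in one pass, the locations the HijackThis O4 lines, the check.bat ftype dump and the fixme.reg file above deal with, and changes nothing. It assumes an elevated PowerShell prompt on the affected machine, and the "expected" open commands are the assumed stock Windows XP values; a different value there means every launch of that file type is being routed through something else first. The HKEY_USERS\<SID> path in fixme.reg is the logged-on user's hive, so the script checks the same key as HKCU:\Software\Wget.

```powershell
# Added example, not from the thread: read-only audit of the registry
# locations the check.bat / O4 / fixme.reg steps cover. Run elevated.
# Assumption: the values in $expected are stock Windows XP defaults.

$expected = @{
    'exefile' = '"%1" %*'
    'cmdfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'htafile' = "$env:SystemRoot\system32\mshta.exe `"%1`" %*"
}

# "ftype <type>" prints the (Default) value of HKCR\<type>\shell\open\command.
function Test-OpenCommands {
    foreach ($type in ($expected.Keys | Sort-Object)) {
        $path = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
        $actual = if (Test-Path -LiteralPath $path) {
            (Get-ItemProperty -LiteralPath $path).'(default)'
        } else { '<missing>' }
        $status = if ($actual -eq $expected[$type]) { 'ok   ' } else { 'CHECK' }
        "ftype   {0}  {1,-8} {2}" -f $status, $type, $actual
    }
}

# HijackThis O4 entries are the value name / data pairs under these keys.
function Get-RunEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $key = Get-Item -LiteralPath $k
        foreach ($name in $key.GetValueNames()) {
            "O4      {0}  [{1}] = {2}" -f $k, $name, $key.GetValue($name)
        }
    }
}

# The subkeys and values fixme.reg deletes: user-lockout policies a home XP
# box does not normally carry. Reported only, never removed here.
function Test-ExplorerPolicies {
    $explorer = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer'
    foreach ($sub in 'RestrictRun','Run','DisallowCpl','DisallowRun','RestrictCpl') {
        if (Test-Path -LiteralPath "$explorer\$sub") { "policy  present: $explorer\$sub" }
    }
    if (Test-Path -LiteralPath $explorer) {
        $key = Get-Item -LiteralPath $explorer
        foreach ($v in 'NoViewOnDrive','NoLogoff','NoWinKeys') {
            $data = $key.GetValue($v)
            if ($null -ne $data) { "policy  set: {0}\{1} = {2}" -f $explorer, $v, $data }
        }
    }
    $system = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
    if (Test-Path -LiteralPath $system) {
        # Single quotes keep the backtick in the value name literal.
        $data = (Get-Item -LiteralPath $system).GetValue('Ghp`amfUbrhLds')
        if ($null -ne $data) { "policy  set: $system\Ghp``amfUbrhLds = $data" }
    }
    if (Test-Path -LiteralPath 'HKCU:\Software\Wget') { 'key     present: HKCU:\Software\Wget' }
}

Test-OpenCommands
Get-RunEntries
Test-ExplorerPolicies
```

Lines tagged CHECK or present are the ones to compare against the reg fix above; an exefile command that is not `"%1" %*` is the classic sign of an executable-association hijack and should be corrected before anything else is run from that machine.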
under
C:\Program Files\Common Files\Microsoft Shared\MSEnv
vers_man.exe.exe
under
C:\Program Files\Common Files\Microsoft Shared\Temp
MsoService.exe
under
C:\Documents and Settings\Josh\Application Data\Bat corn
Nothing.
LonnyRJones
2006-09-02, 16:54
Are there any current problems?
C:\Program Files\Common Files\Microsoft Shared\MSEnv < delete folder
C:\Program Files\Common Files\Microsoft Shared\Temp < delete folder
C:\Documents and Settings\Josh\Application Data\Bat corn< delete folder
Silentrunners was updated; I'm curious if it will run correctly now.
Download and run Silentrunners.vbs and post the log it creates, please.
http://www.silentrunners.org/sr_scriptuse.html Click No so as not to skip the supplementary searches.
Wait until there is an "All Done" message!! Then open and post the log next to it.
I did not get any problems this time.
I get the same error as last time, just on a different line:
Line: 2881
LonnyRJones
2006-09-06, 01:10
Thanks
How's your PC acting?
Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279