Fake.Wget



yusky03
2006-08-20, 06:59
After doing what LonnyRJones said in the other Fake.Wget topic, I did a scan and still got 1 Fake.Wget entry.

yusky03
2006-08-22, 17:53
I just did another scan and I get 2 entries now.

LonnyRJones
2006-08-24, 14:21
Hi

Start HijackThis and place a check next to these items, if there:
O4 - HKLM\..\Run: [win.update.2006] C:\WINDOWS\system32\win.updater.exe
O4 - HKCU\..\Run: [win.update.2006] C:\WINDOWS\system32\win.updater.exe

====================================
Hit "Fix checked" and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manually delete C:\WINDOWS\system32\win.updater.exe

Check for and fix any problems with SpyBot twice; let us know if those two items are there on the second scan.

Also post a fresh HijackThis log.
Download and run Silentrunners.vbs and post the log it creates, please:
http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
Wait until there is an "All Done" message!! Then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run. After a bit a box will say Done.

yusky03
2006-08-24, 22:17
On the second scan I get only 1 entry.

I get some kind of script error when running Silentrunners.vbs.

yusky03
2006-08-24, 22:23
Here is the error:

http://img150.imageshack.us/img150/3135/image1dy3.png

LonnyRJones
2006-08-25, 05:15
Were you able to delete that file?

I can't make out that screenshot; tell me what you saw in regards to the script error.

In Add/Remove Programs uninstall "SP2 Connection Patcher".
Have you ever had Kazaa installed?

yusky03
2006-08-26, 00:53
Yes, I was able to delete the file.

script: c:\documents and settings\josh\desktop\silent runners.vbs
line: 2844
char: 20
error: invalid procedure call or argument
code: 800A0005
source: microsoft VBScript runtime error

No, I have never had Kazaa installed, but I do have LimeWire Pro.

LonnyRJones
2006-08-26, 03:51
Thanks.
I sent the error off to the author.

In the meantime let's see a ComboFix log.

Post a ComboFix log:
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large, you might need to post half in one reply and half in another.

LonnyRJones
2006-08-26, 13:17
The author of Silent Runners would like you to run this test version:
http://www.aaronoff.com/misc_files/Silent%20Runners%20R47D03.vbs
It changes nothing on your system, just provides a report.

yusky03
2006-08-26, 19:58
Thanks for all the help.

LonnyRJones
2006-08-27, 13:48
Copy the contents of the quote box below into a new Notepad document (not WordPad).
Click File > Save As... > call it check.bat > file type: All files > and save it to the desktop.


rem Append the current open-command association for each executable
rem file type to look.txt, then open that file for reading/posting.
ftype exefile >> look.txt
ftype htafile >> look.txt
ftype cmdfile >> look.txt
ftype comfile >> look.txt
ftype batfile >> look.txt
start notepad look.txt

Run check.bat and post back with the text that will open, then delete check.bat and look.txt.

C:\Program Files\SP2 Connection Patcher < delete that folder
List the contents of these folders:
C:\Program Files\Common Files\Microsoft Shared\MSEnv
C:\Program Files\Common Files\Microsoft Shared\Temp
C:\Documents and Settings\Josh\Application Data\Bat corn
The Application Data folder is hidden; you will need to
set Windows to show hidden extensions, files and folders.
>click here for instructions<. (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Launch Notepad (not WordPad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4
;
; [-key] removes the whole key and everything under it;
; "name"=- removes that single value from the key named above it.
; The policies\explorer and policies\system keys hold restrictions
; (program, drive, Control Panel and logoff lockouts) that should not be set on this PC.
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\RestrictRun]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"Ghp`amfUbrhLds"=-
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\DisallowCpl]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\DisallowRun]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\RestrictCpl]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoViewOnDrive"=-
"NoLogoff"=-
"NoWinKeys"=-
; Remove the Wget key under this user's SID
[-HKEY_USERS\S-1-5-21-1758659609-1711668887-586469053-1008\Software\Wget]

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a success message, delete fixme.reg.

Check for problems again with SpyBot. Let me know if that fake Wget shows.
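The post above collects two things but does not say how to read them: the ftype output in look.txt (on a clean Windows XP install exefile, cmdfile, comfile and batfile all report "%1" %*, and htafile reports the path to mshta.exe followed by "%1" %*; anything inserted in front of "%1" means every program launch is routed through that file first), and a .reg file whose [-key] and "name"=- lines delete keys and values when merged. The script below is an added example written for this thread, not code from the thread or from any of the tools named in it: it parses look.txt-style lines and flags associations that differ from those defaults, and it translates a REGEDIT4 file into the list of operations regedit will perform so the reader can review a fix before merging it. The ftype samples are constructed; the .reg sample is the fixme.reg text from the post.

```python
"""Interpret check.bat output (file-type associations) and a REGEDIT4 fix file.

Added example for this thread. Default association commands are those of a
clean Windows XP install; sample ftype output below is constructed.
"""

# Clean defaults: these four types hand the file straight to the loader.
DIRECT_RUN = '"%1" %*'
EXPECTED = {"exefile": DIRECT_RUN, "cmdfile": DIRECT_RUN,
            "comfile": DIRECT_RUN, "batfile": DIRECT_RUN}
# htafile legitimately runs through mshta.exe; its directory may vary, the binary may not.
HTA_HOST = "mshta.exe"


def parse_ftype(text):
    """Parse 'name=command' lines as ftype writes them to look.txt.

    A type with no association makes ftype print a 'File type ... not found' message
    instead, which carries no '=' and is therefore reported as missing by audit_ftype."""
    assoc = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            name, command = line.split("=", 1)
            assoc[name.strip().lower()] = command.strip()
    return assoc


def audit_ftype(text):
    """Return {ftype: reason} for every association that is not the known-good default."""
    findings = {}
    assoc = parse_ftype(text)
    for name, expected in EXPECTED.items():
        actual = assoc.get(name)
        if actual is None:
            findings[name] = "missing (ftype reported no association)"
        elif actual != expected:
            findings[name] = f"expected {expected!r}, got {actual!r}"
    hta = assoc.get("htafile")
    if hta is None:
        findings["htafile"] = "missing (ftype reported no association)"
    else:
        host = hta[:-len(DIRECT_RUN)].strip().strip('"') if hta.endswith(DIRECT_RUN) else ""
        if host.rsplit("\\", 1)[-1].lower() != HTA_HOST:
            findings["htafile"] = f"expected <path>\\{HTA_HOST} {DIRECT_RUN}, got {hta!r}"
    return findings


def parse_reg(text):
    """Translate a REGEDIT4 file into the operations regedit performs when it is merged.

    Returns tuples: ('delete_key', key), ('ensure_key', key),
    ('delete_value', key, name) or ('set_value', key, name, raw_rhs)."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    ops, key = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[-") and line.endswith("]"):
            key = None                    # [-key]: delete the key and its subtree
            ops.append(("delete_key", line[2:-1]))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]              # [key]: create if absent; values follow
            ops.append(("ensure_key", key))
        else:
            if key is None:
                raise ValueError(f"value line outside a key: {line}")
            name, rhs = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if rhs == "-":
                ops.append(("delete_value", key, name))   # "name"=- deletes the value
            else:
                ops.append(("set_value", key, name, rhs))
    return ops


# Constructed sample look.txt contents: a clean system and a hijacked one.
FTYPE_CLEAN = r'''
exefile="%1" %*
htafile=C:\WINDOWS\system32\mshta.exe "%1" %*
cmdfile="%1" %*
comfile="%1" %*
batfile="%1" %*
'''
FTYPE_HIJACKED = r'''
exefile=C:\WINDOWS\system32\hijack.exe "%1" %*
htafile=C:\WINDOWS\system32\hijack.exe "%1" %*
cmdfile="%1" %*
comfile="%1" %*
batfile="%1" %*
'''
# The fixme.reg from the post, reviewed rather than merged.
FIXME_REG = r'''REGEDIT4
;
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\RestrictRun]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"Ghp`amfUbrhLds"=-
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\DisallowCpl]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\DisallowRun]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\RestrictCpl]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoViewOnDrive"=-
"NoLogoff"=-
"NoWinKeys"=-
[-HKEY_USERS\S-1-5-21-1758659609-1711668887-586469053-1008\Software\Wget]
'''

if __name__ == "__main__":
    print("clean:", audit_ftype(FTYPE_CLEAN))
    print("hijacked:", audit_ftype(FTYPE_HIJACKED))
    for op in parse_reg(FIXME_REG):
        print(op)
```

On a real machine, paste the contents of look.txt into FTYPE_CLEAN's place; the htafile check deliberately accepts any directory but only mshta.exe as the host binary, because the system directory differs between installs while the host program does not.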

yusky03
2006-09-02, 06:38
under
C:\Program Files\Common Files\Microsoft Shared\MSEnv
vers_man.exe.exe

under
C:\Program Files\Common Files\Microsoft Shared\Temp
MsoService.exe

under
C:\Documents and Settings\Josh\Application Data\Bat corn
nothing

LonnyRJones
2006-09-02, 15:54
Are there any current problems?

C:\Program Files\Common Files\Microsoft Shared\MSEnv < delete folder
C:\Program Files\Common Files\Microsoft Shared\Temp < delete folder
C:\Documents and Settings\Josh\Application Data\Bat corn< delete folder


Silentrunners was updated; I'm curious if it will run correctly now.
Download and run Silentrunners.vbs and post the log it creates, please:
http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
Wait until there is an "All Done" message!! Then open and post the log next to it.

yusky03
2006-09-02, 16:48
I did not get any problems this time.

I get the same error as last time, just on a different line:

Line: 2881

LonnyRJones
2006-09-06, 00:10
Thanks.

How's your PC acting?

Think prevention: put in place a good hosts file.
http://www.mvps.org/winhelp2002/hosts.htm
How to download and extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
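A blocking hosts file works by mapping unwanted hostnames to a null or loopback address so the resolver never reaches DNS for them; the same mechanism is abused by malware, which redirects bank or vendor sites to an attacker's address or null-routes antivirus update hosts. The script below is an added example for this thread, not part of the post and not the MVPS file: it parses a hosts file (comments, several names per line, first match wins), counts the block entries, and flags two kinds of suspicious entry: names mapped to a non-loopback address (redirects) and names from a caller-supplied "protected" list that have been null-routed. The sample hosts text is constructed.

```python
"""Audit a hosts file for block entries and for hijack-style entries.

Added example for this thread. SAMPLE_HOSTS is constructed; the "protected"
list is whatever the caller decides must keep resolving (here: one example name).
"""
import ipaddress


def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for every mapping in hosts-file text."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line; skipped (assumption)
        for name in parts[1:]:                    # one address may list several names
            entries.append((ip, name.lower(), n))
    return entries


def lookup(text, hostname):
    """Resolve a name the way the resolver does: the first matching entry wins."""
    for ip, name, _ in parse_hosts(text):
        if name == hostname.lower():
            return str(ip)
    return None


def audit_hosts(text, protected=()):
    """Count effective block entries and flag redirects and null-routed protected names."""
    protected = {h.lower() for h in protected}
    report = {"blocked": 0, "redirects": [], "blocked_protected": []}
    seen = set()
    for ip, name, n in parse_hosts(text):
        if name in seen:
            continue                              # later duplicates never take effect
        seen.add(name)
        null_routed = ip.is_loopback or ip.is_unspecified   # 127.x, ::1, 0.0.0.0
        if null_routed:
            if name == "localhost":
                continue                          # the one legitimate loopback entry
            report["blocked"] += 1
            if name in protected:
                report["blocked_protected"].append((n, name))
        else:
            report["redirects"].append((n, name, str(ip)))   # hijack-style entry
    return report


# Constructed sample; the .test names are reserved for examples and resolve nowhere.
SAMPLE_HOSTS = """\
# constructed sample, not the MVPS file
127.0.0.1 localhost
0.0.0.0 ad.example-ads.test
0.0.0.0 banners.example.test           # blocked ad host
0.0.0.0 tracker.example.test tracker2.example.test
0.0.0.0 update.example-av.test         # an update host null-routed: suspicious
192.0.2.10 www.example-bank.test       # non-loopback address: redirect
0.0.0.0 ad.example-ads.test            # duplicate, ignored
"""

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS, protected=["update.example-av.test"]))
    print(lookup(SAMPLE_HOSTS, "www.example-bank.test"))
```

Run it against C:\WINDOWS\system32\drivers\etc\hosts after installing the MVPS file: a healthy blocklist shows a large blocked count, an empty redirects list, and nothing in blocked_protected.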

tashi
2006-09-13, 06:51
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.