Fake.Wget

yusky03

New member
After doing what LonnyRJones said in the other Fake.Wget topic, I did a scan and still got 1 Fake.Wget entry.
 
Hi

Start HijackThis and place a check next to these items, if they are there.
O4 - HKLM\..\Run: [win.update.2006] C:\WINDOWS\system32\win.updater.exe
O4 - HKCU\..\Run: [win.update.2006] C:\WINDOWS\system32\win.updater.exe

====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manually delete C:\WINDOWS\system32\win.updater.exe

Check for and fix any problems with SpyBot twice, and let us know if those two items are there on the second scan.

Also Post a fresh Hijackthis log
Download and run Silentrunners.Vbs post the log it creates please
http://www.silentrunners.org/sr_scriptuse.html click no to not skip the supplementary searches
Wait until there is an All Done message!! Then open and post the log next to it.
Your antivirus script protection might interfere or alert; please allow it to run. After a bit, a box will say done.
 
here is the error

image1dy3.png
 
Were you able to delete that file ?

I can't make out that screenshot; tell me what you saw in regards to the script error.

In Add/Remove Programs, uninstall "SP2 Connection Patcher".
Have you ever had Kazaa installed?
 
Yes, I was able to delete the file.

script: c:\documenter and settings\josh\desktop\silent runners.vbs
line: 2844
char: 20
error: invalid procedure call or argument
code: 800A0005
source: microsoft VBScript runtime error

No, I have never had Kazaa installed, but I do have LimeWire Pro.
 
Thanks
I sent the error off to the author.

In the meantime, let's see a ComboFix log.

Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large, you might need to post half in one reply and half in another.
 
Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
ftype exefile >> look.txt
ftype htafile >> look.txt
ftype cmdfile >> look.txt
ftype comfile >> look.txt
ftype batfile >> look.txt
start notepad look.txt
Run check.bat and post back with the text that will open, then delete check.bat and look.txt.

C:\Program Files\SP2 Connection Patcher < delete that folder
List the contents of these folders
C:\Program Files\Common Files\Microsoft Shared\MSEnv
C:\Program Files\Common Files\Microsoft Shared\Temp
C:\Documents and Settings\Josh\Application Data\Bat corn
The Application Data folder is hidden; you will need to set Windows to show hidden extensions, files, and folders.
>click here for instructions<.

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
Code:
REGEDIT4
;
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\RestrictRun]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"Ghp`amfUbrhLds"=-
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\DisallowCpl]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\DisallowRun]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\RestrictCpl]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoViewOnDrive"=-
"NoLogoff"=-
"NoWinKeys"=-
[-HKEY_USERS\S-1-5-21-1758659609-1711668887-586469053-1008\Software\Wget]
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Check for problems again with SpyBot. Let me know if that Fake.Wget entry shows.
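
Added example (not part of the original thread and not the helper's own tooling): one way to read the look.txt that check.bat produces, flagging any of the five file types whose open command differs from the stock value. The expected commands are assumed Windows XP defaults, and the sample input, including example-loader.exe, is constructed for illustration.

```python
import re

# Assumed stock Windows XP open commands; these values are not stated in the thread.
DIRECT = re.compile(r'^"%1" %\*$')
MSHTA = re.compile(
    r'^(?:[a-z]:\\windows|%systemroot%)\\system32\\mshta\.exe "%1" %\*$', re.I)
EXPECTED = {
    "exefile": DIRECT,
    "htafile": MSHTA,
    "cmdfile": DIRECT,
    "comfile": DIRECT,
    "batfile": DIRECT,
}


def audit_ftype(look_txt):
    """Return {file type: (status, command)} for the types check.bat queries.

    status is "ok", "changed" (command differs from the assumed default) or
    "missing" (ftype printed no line for it, e.g. the association was deleted).
    """
    seen = {}
    for line in look_txt.splitlines():
        name, sep, command = line.strip().partition("=")
        if sep and name.lower() in EXPECTED:
            # check.bat appends with >>, so a later run overrides an earlier one.
            seen[name.lower()] = command.strip()
    report = {}
    for name, pattern in EXPECTED.items():
        if name not in seen:
            report[name] = ("missing", None)
        elif pattern.match(seen[name]):
            report[name] = ("ok", seen[name])
        else:
            report[name] = ("changed", seen[name])
    return report


# Constructed sample: exefile routed through another program, comfile absent.
SAMPLE = r'''exefile="C:\WINDOWS\system32\example-loader.exe" "%1" %*
htafile=C:\WINDOWS\system32\mshta.exe "%1" %*
cmdfile="%1" %*
batfile="%1" %*
'''

if __name__ == "__main__":
    for ftype, (status, command) in audit_ftype(SAMPLE).items():
        print(f"{ftype:8} {status:8} {command or ''}")
```

A "changed" exefile entry means every program launch passes through the listed command first, which is why a removed file can keep coming back until the association is restored.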
 
under
C:\Program Files\Common Files\Microsoft Shared\MSEnv
vers_man.exe.exe

under
C:\Program Files\Common Files\Microsoft Shared\Temp
MsoService.exe

under
C:\Documents and Settings\Josh\Application Data\Bat corn
nothing
 
Are there any current problems?

C:\Program Files\Common Files\Microsoft Shared\MSEnv < delete folder
C:\Program Files\Common Files\Microsoft Shared\Temp < delete folder
C:\Documents and Settings\Josh\Application Data\Bat corn < delete folder


Silentrunners was updated; I'm curious if it will run correctly now.
Download and run Silentrunners.Vbs post the log it creates please
http://www.silentrunners.org/sr_scriptuse.html click no to not skip the supplementary searches
Wait until there is an All Done message!! Then open and post the log next to it.
 