Vundo variant hijacks winlogon...

hidelogonscripts...

0 = TRUE in Microsoft's world... That's a bad thing I think? I don't remember turning that on, or off for that matter...

If there is a script that runs at logon, I'll never see it... this computer is not part of a domain... never has been, and now that I'm changing careers, probably never will be (it will hopefully be replaced before year end)... Should I be concerned?
 
Hi

First of all, to make it easier for me to follow please don't post multiple times before I've reacted to your current post. Makes it easier for me to follow ;)

Delete those email messages (thru Outlook) found by Kaspersky.

If the key in this file isn't legal then the file must go:
Z:\BACKUPS\emallpos\-_downloads\ServerSoftware\radmin21 + key.zip

Delete the following folders:
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\KTATWL67
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\4G2UJTNP
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\4XMZW9U3

You seem to have different remote use related tools like remoteadmin there. If you don't use them, remove the related items flagged by Kaspersky. Kaspersky detects all these kinds of programs since it doesn't know whether they're used for bad or good. If those were installed by you then it's OK to have them.
 
Hrmmm....

First of all, to make it easier for me to follow please don't post multiple times before I've reacted to your current post. Makes it easier for me to follow ;)
Sorry, wanted you to know that I realized there was a problem/solution.
Delete those email messages (thru Outlook) found by Kaspersky.
Might be easier (and safer) to simply remove the entire .pst file? (considering that the messages are 2004 and older, I can't see how there could be much useful info in them)

If the key in this file isn't legal then the file must go:
Z:\BACKUPS\emallpos\-_downloads\ServerSoftware\radmin21 + key.zip
Even if it was legal, I'm not the one that purchased it, it would have been the company I was working for... so away it goes.

Delete the following folders:
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\KTATWL67
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\4G2UJTNP
Z:\BACKUPS\ncrs\ncrs.MrWarner_Backup.Documents And Settings.ace/Documents and Settings\ADMINISTRATOR.NCRSCOMPLETE\Local Settings\Temporary Internet Files\Content.IE5\4XMZW9U3
Easier said than done, they are inside a WinAce archive.

You seem to have different remote use related tools like remoteadmin there. If you don't use them, remove the related items flagged by Kaspersky. Kaspersky detects all these kinds of programs since it doesn't know whether they're used for bad or good. If those were installed by you then it's OK to have them.
Again, backups... I'll get rid of most, if not all of them.
 
Hi

Might be easier (and safer) to simply remove the entire .pst file? (considering that the messages are 2004 and older, I can't see how there could be much useful info in them)
Sure, if not needed anymore :)

Easier said than done, they are inside a WinAce archive.
I think you can leave those then. The other solution would be to extract the archive, remove the bad items and then re-archive.

Let's see a fresh HJT log of the system when you're done with the Kaspersky findings :)
 
Not forgotten

Having problems finding time with kids and school (started last week)... I will get to it by Sunday, I promise.
 
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 