Matt

Contributor
  • Content count: 3352
Everything posted by Matt

  1. O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r This is the trojan. It is a random-named O4 with a random-named file attached. There will also be a random process (same name as the file) running in the process list. These all change on reboot. There is also a stray r that appears at the end of the line.
  2. Suspicious, yes. Definitely bad? NO. Any legit program could drop something there; however, they usually use their own folder.
  3. They both do perform the delete-on-reboot feature by adding the target file to PendingFileRenameOperations (which is what MoveFileEx does), but KillBox comes with many more features, such as replacing the file with a dummy file, backing up files, creating deletion logs, restoring explorer.exe, editing the Hosts file, removing directories, and many other things.
  4. The log isn't too infected. Be careful with new.net though; if you remove it wrong, it can kill your internet connection. It appears the file I sent you isn't in there. One of your scans must have killed it.
  5. Doh! I figured it out. I wasn't in the same directory as process.exe when I was telling it to be copied. Therefore, it couldn't find the file.
  6. Batch. Can anyone explain to me why this doesn't work?

     if not exist %windir%\system32\process.exe copy process.exe %windir%\system32\

     Thanks so much! Matt
  7. Are you still experiencing issues? Please run the F-Secure Online Scanner. Note: this scanner is for Internet Explorer only! Follow the instructions here for installation. Accept the License Agreement. Once the ActiveX installs, click Full System Scan. Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient. When the scan completes, click the Automatic cleaning (recommended) button. Click the Show Report button and copy and paste the entire report in your next reply.
  8. Hi and welcome to Besttechie! I will be assisting you! Please print out all directions for use if/when you cannot access this page. Please scan with HJT and place a check next to the following items: R3 - Default URLSearchHook is missing O4 - HKLM\..\Run: [ms2src] c:\program files\common files\system\ms2src.exe /install O4 - HKLM\..\RunOnce: [uNINST1] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\UninstManager.dll,UninstallFinalizeFromNonMsiCaller {AC76BA86-0000-0000-0000-000000000000} Then, make sure all browser windows and other applications are closed, and click the Fix Checked button. Boot in
  9. Thanks TT. You and shane are on my list to send this to. I know you guys won't misuse it, and even if something does go wrong, you're not called Experts for nothing. If anyone else is interested, contact me via PM and we'll talk. BTW, moving this to spyware/adware information.
  10. lol hi shanenin. This is something that lots of people (including myself) face. It's even harder when you are looking for a specific infection! Anyway, there are people/places that have access to many malware files, but they only open their databases to people they know and trust. I don't even have access to most of them. Shoot me a PM and I can give you some sites to hit that should infect you right up. Matt
  11. By using this value, there is a way to delete multiple files on reboot. That's how KillBox does it. However, I am unsure how to manipulate the data for this value to do more than one at a time. The trojan it will be dealing with will only require one file for deletion, so that's all I'm having to write it for. Yes. Adding the value 'PendingFileRenameOperations' to the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager], with the data parsed correctly for the file I want, will tell Windows to delete it on reboot. This is actually used for Windows to move the file o
  12. Hello and welcome to Besttechie! Please print out all directions given, for use if/when you cannot access this page. Please locate the HijackThis icon and right-click it. Select Rename. Change its name to 19328. Next, open HijackThis, click Config, click Misc Tools. Click "Open Uninstall Manager". Click "Save List" (generates uninstall_list.txt). Click Save, then copy and paste the results in your next post. Jotti file submission: please go to Jotti's malware scan and copy and paste the following file path into the "File to upload & scan" box at the top of the page: C:\windows\system32\pumd.exe
  13. Hi Liz! I was just thinking that today as well! That I cannot answer; there isn't a lot of information on this infection. I spoke with some other HJT analyzers, and we agreed that the file ms2src.exe appears in almost all logs where people complain of Sweepstakes.com. Take a look at the BT logs that had that file. pumd.exe is less frequent, but also in many of the logs with the symptoms. pumd.exe has even less information about it. I can tell you ms2src.exe is a Trojan. Keep practicing all the normal protection routines. Updated AV/firewall. Don't go to shady sites. Open attachment
  14. OK, I figured out what was wrong. When I tried to add the data to PendingFileRenameOperations using reg.exe, it didn't work because reg.exe can't parse Multi String data well. It wanted hex, which is too complicated. So, now I'm using SWREG, a file by Bobbi_Flekman, that allows me to use ASCII rather than hex. Meaning... I got the delete-on-reboot gig down!
  15. I don't know VB either. It does need to be compiled. Did you try NULL in the python script?
  16. XP? This is how it's done in VB I believe:

      MoveFileEx(szSrcFile, szDstFile, MOVEFILE_DELAY_UNTIL_REBOOT);

      Example:

      MoveFileEx( "C:\killme.exe", NULL, MOVEFILE_DELAY_UNTIL_REBOOT );
  17. MoveFileEx. Can you call MoveFileEx from a batch file? Matt
  18. Well, I found the answer to that problem. Needed reg add rather than reg query. I'll be sure to post back if I run into any more speedbumps.
  19. Inactive topic... If you still need help on this problem, contact me or one of the Moderators to re-open this up. Topic closed.
  20. Well, I'm ending up having to delete on reboot. One question about this quote from TT's link:

      C:\>reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations"

      Why does this return "Error: The system was unable to find the specified registry key or value"? Thanks again, Matt
  21. A simple batch file that generates the needed reg files.
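The delete-on-reboot mechanism discussed in posts 11, 14, 16 and 20, and the reg-file generator mentioned in post 21, as an added example that is not code from the thread, from Matt, or from any tool named in it: a Python script that builds the REG_MULTI_SZ data for PendingFileRenameOperations and writes it out as a .reg file in the hex(7) form regedit uses, so the hex that post 14 calls "too complicated" does not have to be typed by hand. The sample paths are constructed for the example. The pair layout (source, destination), the \??\ prefix on the source, and an empty destination meaning "delete" are documented Windows behaviour and are exactly what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT itself writes; the script also handles the case post 11 was unsure about, several files in one value.

```python
# Added example (not code from the thread): build the REG_MULTI_SZ data that the
# Session Manager reads from PendingFileRenameOperations and emit it as a .reg
# file in regedit's hex(7) encoding.
#
# Assumptions (documented Windows behaviour, not something the thread states):
#  - the value is a flat list of (source, destination) pairs of NUL-terminated
#    UTF-16LE strings; an empty destination means "delete source at boot";
#  - sources use the NT object-manager form "\??\C:\path", which is what
#    MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) writes;
#  - importing a .reg file REPLACES the whole value, so operations other
#    software already queued must be read first and passed in as `existing`.
from typing import List, Optional

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE = "PendingFileRenameOperations"
NUL = b"\x00\x00"  # one UTF-16 code unit of zero


def nt_path(win_path: str) -> str:
    """C:\\dir\\file.exe -> \\??\\C:\\dir\\file.exe.
    Relative paths are rejected: they are meaningless at boot time, and a
    relative path is exactly what made the copy in post 6 fail."""
    if win_path.startswith("\\??\\"):
        return win_path
    if len(win_path) < 3 or win_path[1] != ":" or win_path[2] != "\\":
        raise ValueError(f"absolute drive path required, got {win_path!r}")
    return "\\??\\" + win_path


def build_entries(delete: List[str], existing: Optional[List[str]] = None) -> List[str]:
    """Flat list for the value: existing pairs first, then (path, "") per file to delete."""
    entries = list(existing or [])
    if len(entries) % 2:
        raise ValueError("existing entries must be source/destination pairs")
    for path in delete:
        entries.append(nt_path(path))
        entries.append("")  # empty destination = delete at boot
    return entries


def encode_multi_sz(strings: List[str]) -> bytes:
    """Raw REG_MULTI_SZ: each string as UTF-16LE plus NUL, then one more NUL.
    Empty strings therefore show up as back-to-back NULs inside the data;
    that is deliberate and is how the Session Manager reads a delete request."""
    return b"".join(s.encode("utf-16-le") + NUL for s in strings) + NUL


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz. Walks 2-byte code units so a zero byte that
    is half of a real character (U+0100 encodes as 00 01) is never taken for a
    terminator; a plain data.split(b"\\x00\\x00") can misalign on such input."""
    if len(data) % 2 or not data.endswith(NUL):
        raise ValueError("not a NUL-terminated UTF-16LE REG_MULTI_SZ blob")
    body = data[:-2]  # drop the final list terminator
    out, cur = [], bytearray()
    for i in range(0, len(body), 2):
        unit = body[i:i + 2]
        if unit == NUL:
            out.append(cur.decode("utf-16-le"))
            cur = bytearray()
        else:
            cur += unit
    if cur:
        raise ValueError("last string is not NUL-terminated")
    return out


def to_reg_text(entries: List[str]) -> str:
    """Render a Regedit 5.00 .reg file. hex(7) is the .reg type tag for
    REG_MULTI_SZ; long values are wrapped the way regedit exports them,
    with a trailing backslash and continuation lines indented two spaces."""
    hexbytes = ["%02x" % b for b in encode_multi_sz(entries)]
    chunks = [",".join(hexbytes[i:i + 25]) for i in range(0, len(hexbytes), 25)]
    body = ",\\\r\n  ".join(chunks)
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{KEY}]\r\n"
            f'"{VALUE}"=hex(7):{body}\r\n')


def write_reg_file(path: str, entries: List[str]) -> None:
    """Regedit 5.00 files are UTF-16LE with a BOM; write that explicitly
    rather than relying on the platform default encoding."""
    with open(path, "wb") as fh:
        fh.write(b"\xff\xfe" + to_reg_text(entries).encode("utf-16-le"))


if __name__ == "__main__":
    # Constructed sample: the trojan file from post 1 to delete, plus one
    # rename some installer already queued, which must survive the rewrite.
    queued = ["\\??\\C:\\WINDOWS\\Temp\\new.tmp", "\\??\\C:\\WINDOWS\\Temp\\old.dll"]
    entries = build_entries([r"C:\WINDOWS\system32\bcqzzkw.exe"], existing=queued)
    assert decode_multi_sz(encode_multi_sz(entries)) == entries
    print(to_reg_text(entries))
```

Import the result with `reg import` from an elevated prompt; the Session Manager processes the pairs early in boot, before any user logs on, which is why a file that is locked or respawned in a session can still be removed this way, and it clears the value once done. Two checks before importing: the value only exists while something is queued, so `reg query` reporting it missing (as in post 20) simply means the queue is empty, not that the key path is wrong; and if it does exist, pass its current pairs as `existing`, because the import overwrites rather than appends. Since anything with write access to this key can schedule deletion of any file on the system, the key is administrator-only by design and a script writing it should be treated with the same care as the malware it is removing.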