TechSpot

.inf and .exe in every shared folder (link inside) answered by howard_hopkinso

By QfanatiQ
Aug 28, 2006
  1. Might have part of the answer posted previously here ??

    http://www.techspot.com/vb/topic56506.html

    Above is a thread I came across when browsing for my PC problem. It sounds exactly the same.

    I assume I can almost follow the same rules as this thread. But if you would be so kind as to look over this and advise accordingly in case anything is separate.

    This seemed to come about when I tried LimeWire, Morpheus and BearShare. I did not even use the programmes as I noticed this change and uninstalled straight away. However, something is still very present. All the above came from the official site.

    Did it arise from any of these perhaps?

    Thank you very much.

    Q

    PC one (first infected)
     
  2. QfanatiQ

    QfanatiQ TS Rookie Topic Starter

    PC Two - not infected until recently



    Thanks.....Q
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    PC1.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off system restore (XP/ME only). See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    PowerReg Scheduler V3.exe
    gdnFR2332.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

    O4 - Startup: PowerReg Scheduler V3.exe

    O16 - DPF: {35E15453-5611-0A13-7ED6-39700B9F0018} - http://85.255.113.214/1/gdnFR2332.exe

    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://ve.ukie.capgemini.com/dana-c...terisSetup.cab

    O16 - DPF: {6D936E93-7C77-6C31-9012-2ADD7642E03F} - http://85.255.113.214/1/gdnFR2332.exe

    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://ve.ukie.capgemini.com/dana-c...niperSetup.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\system\smss.exe /w
    PowerReg Scheduler V3.exe

    Reboot into normal mode and turn system restore back on.

    Go HERE and follow the instructions for running Ewido.


    Regards Howard :wave: :wave:
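
Added example, not part of the original posts or of HijackThis: a short Python triage of O4 and O16 log lines like those in the fix list above. Its two heuristics (a system-process name autostarting from outside System32, and an ActiveX codebase served from a bare IP address or as an .exe over plain HTTP) are assumptions of this example and do not reproduce every item in that list; the second and fourth sample lines are constructed.

```python
import ipaddress
import ntpath
import re
from urllib.parse import urlparse

# Assumption of this example: a short, non-exhaustive list of process
# names that normally exist only under System32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}

O4_RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_DPF = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
EXE_PATH = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.exe)', re.I)

def review_line(line):
    """Return the reasons (possibly none) this HJT line deserves a closer look."""
    reasons = []
    line = line.strip()
    m = O4_RUN.match(line)
    exe = EXE_PATH.match(m.group("cmd")) if m else None
    if exe:
        folder, image = ntpath.split(exe.group("path"))
        if image.lower() in SYSTEM_NAMES and not folder.lower().endswith("\\system32"):
            reasons.append(f"{image} autostarts from {folder}, not System32")
    m = O16_DPF.match(line)
    if m:
        url = urlparse(m.group("url"))
        try:
            ipaddress.ip_address(url.hostname or "")
            reasons.append("ActiveX codebase is a bare IP address")
        except ValueError:
            pass  # host is a DNS name
        if url.scheme == "http" and url.path.lower().endswith(".exe"):
            reasons.append("ActiveX codebase fetches an .exe over plain HTTP")
    return reasons

def review_log(text):
    """Map each flagged log line to its list of reasons."""
    return {l.strip(): r for l in text.splitlines() if (r := review_line(l))}

# Lines 1 and 3 are quoted from the thread; lines 2 and 4 are constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O16 - DPF: {35E15453-5611-0A13-7ED6-39700B9F0018} - http://85.255.113.214/1/gdnFR2332.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - https://updates.example.com/ctl.cab
"""

if __name__ == "__main__":
    for entry, why in review_log(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```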
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    PC2.

    The HJT log is clean. However, you're not running any antivirus or firewall programmes. You should get some asap.

    Follow the above instructions for running Ewido.

    Regards Howard :)

    This thread is for the use of QfanatiQ only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. QfanatiQ

    QfanatiQ TS Rookie Topic Starter

    Thanks Howard. I will indeed be going through this tonight.

    I will get AVG on there, a very bad oversight. Firewall is provided by my router.

    But I am concerned about the same .exe and .inf files in every shared folder on the other PC, any other ideas?

    Cheers....Q
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Have you got the hide protected system files turned off? If you have, just reverse the procedure in these instructions.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Regards Howard :)
     
  7. QfanatiQ

    QfanatiQ TS Rookie Topic Starter

    Howard Thanks.
    HJT Log posted below after clean and following the instructions above.


    Is it all clean now?

    Cheers.....Q
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is clean.

    If you ever need to post a HJT log again, see HERE for instructions.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.

