mondi
12 Apr 2004, 4:48pm
Just a quick update to Dexter's guide:
As he mentioned, there are now variants spreading around. Looking at a few logs posted, there seems to be a pattern forming; here are the relevant lines:
O4 - HKLM\..\Run: [one face] C:\PROGRA~1\Style clock jugs\copy peak.exe
O4 - HKLM\..\Run: [SectCool] C:\PROGRA~1\Tray hide\ooze copy city.exe
O4 - HKLM\..\Run: [Play iso] C:\PROGRA~1\ENCMAI~1\frag wma.exe
04 - HKLM\..\Run: [Camp inter] D:\PROGRA~1\ONEFOURJUGS\Browse axis.exe
As you can see, all of these follow the format:
O4 - HKLM\..\Run: + [random title]+ "PROGRA~1" + file name.exe
where the random title is made up of 2 words - no doubt designed to appear familiar to your typical internet user, the "Program Files" folder is truncated to PROGRA~1 (8.3 style) and the exe name is more than 1 word, with trailing spaces, again designed to appear "familiar"
Please read the updated removal info here (http://www.short-media.com/forum/showthread.php?t=12173)
and delete all files that follow the above pattern that you do not recognize
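
The pattern described in the post above, as an added example that is not part of the original post or of Dexter's guide: a Python filter that pulls matching O4 Run entries out of a HijackThis log so they can be reviewed by hand. The function names, the three non-matching sample lines, and the choice to count CamelCase titles such as SectCool as two words are assumptions made for this example.

```python
import re

# HijackThis O4 entry for the HKLM Run key. "[O0]4" also accepts the "04"
# (zero) spelling that appears in one of the quoted lines.
O4_RUN = re.compile(r"^[O0]4 - HKLM\\\.\.\\Run: \[(?P<title>[^\]]+)\] (?P<cmd>.+?)\s*$")
# Any drive, the 8.3 name PROGRA~1, one or more subfolders, then a bare .exe.
PROGRA_EXE = re.compile(r"^[A-Z]:\\PROGRA~1\\(?:[^\\]+\\)+(?P<exe>[^\\]+\.exe)$", re.I)

def title_words(title):
    """Split a Run value name into words; CamelCase counts as separate words
    (assumption, so that 'SectCool' reads as two words like the other titles)."""
    return re.findall(r"[A-Z]?[a-z]+", title)

def match_variant(line):
    """Return (title, path) when a line fits the posted pattern, else None."""
    entry = O4_RUN.match(line.strip())
    if not entry:
        return None
    path = PROGRA_EXE.match(entry["cmd"])
    if not path:
        return None
    two_word_title = len(title_words(entry["title"])) == 2
    multi_word_exe = " " in path["exe"]
    if two_word_title and multi_word_exe:
        return entry["title"], entry["cmd"]
    return None

def scan(log_text):
    """Collect every matching entry in a HijackThis log, for manual review."""
    return [hit for hit in map(match_variant, log_text.splitlines()) if hit]

# First four lines are the ones quoted in the post; the last three are
# constructed entries that should not match.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [one face] C:\PROGRA~1\Style clock jugs\copy peak.exe
O4 - HKLM\..\Run: [SectCool] C:\PROGRA~1\Tray hide\ooze copy city.exe
O4 - HKLM\..\Run: [Play iso] C:\PROGRA~1\ENCMAI~1\frag wma.exe
04 - HKLM\..\Run: [Camp inter] D:\PROGRA~1\ONEFOURJUGS\Browse axis.exe
O4 - HKLM\..\Run: [Example Updater] C:\PROGRA~1\EXAMPLE~1\updater.exe
O4 - HKLM\..\Run: [ExampleTrayAgent] C:\WINDOWS\system32\extray.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""

if __name__ == "__main__":
    for title, path in scan(SAMPLE_LOG):
        print(f"review: [{title}] {path}")
```

A match only marks an entry for a closer look; legitimate software can also register a two-word Run name under PROGRA~1, so check each hit against what is actually installed.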