11-02-2008, 07:09 PM   #14
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,353
OS: N/A


Re: Kaspersky Reports Trojan (Zbot); Word, Other Progs Won't Run

Quote:
4) WinUtilities uninstalled. I never ran the registry cleaner component of the program, for the reasons you cite.
I don't really have anything against WinUtilities but Registry Cleaners do cause a lot of damage.

Quote:
1) sorry, don't have the Kaspersky log . . . but I don't recall seeing those names
Could I trouble you to re-do the Kaspersky Scan?

Quote:
3) "Are these your doing?" Nope, at least not on purpose
This shall reset them to default values.

Open NOTEPAD.exe and copy/paste the text in the codebox below:
(don't forget to copy and paste REGEDIT4)

Code:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\JSEFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,\
  63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,\
  00,22,00,20,00,25,00,2a,00,00,00

[HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,\
  63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,\
  00,22,00,20,00,25,00,2a,00,00,00

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,\
  63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,\
  00,22,00,20,00,25,00,2a,00,00,00
Save this as fix.reg. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.reg & allow it to merge into the registry

Quote:
2) UploadThis.zip uploaded
Just finished looking at them.

rsetup.exe is the installer for ASCIIDoom. It's a game
FF802AC291.dll appears to be a data file masquerading as a DLL. Best delete it.


-------------


We'll see what Kaspersky brings back. While we wait, please tell me more of the machine's symptoms.
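Before merging a .reg file like the one in the post above, its hex(2) data can be decoded to confirm which command each script handler will run. This is an added example, not part of the original post; the function names are hypothetical and the embedded sample is the first key of the post's file, copied here as constructed input.

```python
import re

# Constructed sample: the first key from the post's fix.reg, as saved text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\JSEFile\Shell\Open\Command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,53,00,\
  63,00,72,00,69,00,70,00,74,00,2e,00,65,00,78,00,65,00,20,00,22,00,25,00,31,\
  00,22,00,20,00,25,00,2a,00,00,00
'''

# The command the post's hex data decodes to (default WScript handler).
EXPECTED = r'%SystemRoot%\System32\WScript.exe "%1" %*'

def decode_reg_hex2(reg_text):
    """Return {(key, value_name): decoded string} for every hex(2) value."""
    # A trailing backslash means the hex data continues on the next line.
    joined = re.sub(r'\\\r?\n\s*', '', reg_text)
    results, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=hex\(2\):(.*)$', line)
        if not m or key is None:
            continue
        name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
        raw = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        # hex(2) is REG_EXPAND_SZ: UTF-16LE text with a terminating NUL.
        results[(key, name)] = raw.decode('utf-16-le').rstrip('\x00')
    return results

def unexpected_handlers(decoded, expected):
    """List entries whose command differs from the expected one."""
    return [(k, v) for k, v in decoded.items() if v.lower() != expected.lower()]

if __name__ == '__main__':
    decoded = decode_reg_hex2(SAMPLE_REG)
    for (key, name), cmd in decoded.items():
        print(f'{key} [{name}] -> {cmd}')
    print('unexpected:', unexpected_handlers(decoded, EXPECTED))
```

The same decoder can be pointed at a `reg export` of the live keys to see whether a handler has been changed from this default.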