Trend Micro, McAfee, and F-Prot all have command-line scanners that are on multiple boot CDs (illegally) free for downloading and burning. All that's necessary is checking to see if they have current definitions loaded.* If you run them in a physical environment prior to booting into Windows, you can run all 3 simultaneously with no issues.
* If definitions are not up to date, I believe you can download the references from the respective sites for free and swap out the files on the image using UltraISO or the like.
July 21st, 2008, 11:49 AM
The reason that you failed to remove them from msconfig is probably that those two processes are still running while you do that, and they replace the startup registry entries immediately when you disable them.
All you need to do is restart in Safe Mode and use msconfig to remove the startup processes:
1) owjokuch rundll32.exe "C:\WINDOWS\system32\owjokuch.dll",s
2) wmjgenhj rundll32.exe "C:\WINDOWS\system32\wmjgenhj.dll",b
After that, reboot and they should be gone. Next, do an antivirus scan on your PC or manually delete those two files.
Hope it helps.
July 24th, 2008, 06:23 PM
I've had the same problems at several of our remote sites. You won't be able to disable them from startup and you can't remove them in Safe Mode. The problem is that it's set to run at startup and then it hooks explorer.exe and lsass.exe. When one process is killed, the other memory-resident copies replace it. Here's the easiest way I found to kill it:
- Download IceSword from http://www.antirootkit.com/software/IceSword.htm
- Using the IceSword file browser, locate those dll files in the sys32 folder.
- Right-click the dll file and use the "force delete" option. You will most likely have lots of similarly named dll files from approximately the same date range. Study these closely and delete any of them that are malware.
- Reboot. You will get some "file not found" errors since these dll files are still in startup.
- Disable these files from startup and reboot again.
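Added example, not part of any post in this thread: a triage sketch that flags startup entries shaped like the two quoted above (a rundll32 command loading a system32 DLL whose file name matches the entry name) and then lists other DLLs modified in the same date range for manual review. The matching heuristic, the 3-day window, the function names, and every sample value other than the two entries from the thread are assumptions.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename, normcase, splitext  # Windows path rules on any OS

# Matches: rundll32.exe "<dll path>",<export>  (the form of both entries in the thread)
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.I)

def parse_rundll32(command):
    """Return (dll_path, export) for a rundll32 startup command, else None."""
    m = RUNDLL.search(command)
    return (m.group(1), m.group(2)) if m else None

def suspicious_startup(entries):
    """Heuristic (assumption): entry name equals the stem of a system32 DLL run via rundll32."""
    hits = []
    for name, command in entries:
        parsed = parse_rundll32(command)
        if parsed is None:
            continue
        dll = parsed[0]
        stem = splitext(basename(dll))[0]
        if "\\windows\\system32\\" in normcase(dll) and stem.lower() == name.lower():
            hits.append(dll)
    return hits

def same_date_range(flagged, listing, days=3):
    """Other DLLs in `listing` modified within `days` of any flagged DLL."""
    known = {normcase(f) for f in flagged}
    anchors = [t for p, t in listing if normcase(p) in known]
    window = timedelta(days=days)
    return sorted(p for p, t in listing if normcase(p) not in known
                  and any(abs(t - a) <= window for a in anchors))

SYS32 = "C:\\WINDOWS\\system32\\"
# Startup entries: the first two are from the thread, the rest are constructed.
STARTUP = [
    ("owjokuch", 'rundll32.exe "C:\\WINDOWS\\system32\\owjokuch.dll",s'),
    ("wmjgenhj", 'rundll32.exe "C:\\WINDOWS\\system32\\wmjgenhj.dll",b'),
    ("NvCplDaemon", "RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"),
    ("ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
]
# Directory listing with modification times: all timestamps are constructed.
LISTING = [
    (SYS32 + "owjokuch.dll", datetime(2008, 7, 18, 9, 2)),
    (SYS32 + "wmjgenhj.dll", datetime(2008, 7, 18, 9, 5)),
    (SYS32 + "constructed_sample.dll", datetime(2008, 7, 19, 14, 30)),
    (SYS32 + "kernel32.dll", datetime(2004, 8, 4, 12, 0)),
]

if __name__ == "__main__":
    flagged = suspicious_startup(STARTUP)
    print(flagged, same_date_range(flagged, LISTING))
```

The second list is a set of candidates to inspect by hand, not a verdict: legitimate updates installed in the same window will also appear in it.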
July 25th, 2008, 09:01 AM
Alternatively, if you are able to scan, please use an online scanning tool from Trend or Panda.