Virus started as XP Total Security now Window
Solved/Closed
debbiewake
-
Apr 27, 2011 at 04:40 PM
debbiewake Posts 10 Registration date Friday April 29, 2011 Status Member Last seen May 4, 2011 - May 4, 2011 at 05:09 PM
21 responses
Ambucias (Moderator, 47310 posts, registered Monday February 1, 2010, last seen February 15, 2023) - Apr 27, 2011 at 04:47 PM
To help you, I must make a diagnostic and to do so, I require a log.
Open this link and download ZHPDiag:
https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html
Register the file on your Desktop.
Double click on ZHPDiag.exe and follow the instructions.
The tool creates two icons, ZHPDiag and ZHPFix (we will use ZHPFix in the next step).
Double click on the ZHPDiag shortcut on your Desktop.
Click on the magnifying glass and run the analysis.
Wait for the tool to finish (this may take a long time).
Close ZHPDiag.
To transmit the report, click on this link:
https://authentification.site
Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag).
Select the file ZHPDiag.txt.
Click on "upload".
Copy the URL and post it here.
Catch you and the viruses later
Below is the message I get every time I try to upload to Speedy Share:
The connection was reset
The connection to the server was reset while the page was loading.
* The site could be temporarily unavailable or too busy. Try again in a few
moments.
* If you are unable to load any pages, check your computer's network
connection.
* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.
Ambucias (Moderator, 47310 posts) - Apr 28, 2011 at 04:01 AM
Debbie
Try it again; the problem seems to have been temporary. Let me know.
Ambucias (Moderator, 47310 posts) - Apr 28, 2011 at 04:07 PM
Debbie,
Try Rapidshare:
https://www.rapidshare.com/
Please advise me when you send the URL to me in a separate message, just in case I miss it.
I was able to upload with Rapid Share. Here is the url.
https://rapidshare.com/files/459759414/ZHPDiag.Txt
debbiewake (Member, 10 posts, registered Friday April 29, 2011, last seen May 4, 2011) - Apr 29, 2011 at 09:11 AM
Here is the URL - https://rapidshare.com/files/459759414/ZHPDiag.Txt
Ambucias (Moderator, 47310 posts) - Apr 29, 2011 at 04:00 PM
Debbie,
I'm having problems with Rapidshare. It's the pits! Paste the entire log here please.
debbiewake (Member, 10 posts) - Apr 29, 2011 at 07:18 PM
I tried to paste it here but it kept saying syntax error. I uploaded to MegaVideo.
Try this link - http://www.megaupload.com/?d=DD9PUPUG
Hopefully this will work. It feels like the computer demons are trying to block my every avenue to get rid of them! :)
Ambucias (Moderator, 47310 posts) - Apr 30, 2011 at 04:30 AM
Got it! Stand by for my analysis.
Ambucias (Moderator, 47310 posts) - Apr 30, 2011 at 05:01 AM
Dear Debbie
The log shows the following infections:
FakeAlert, BT, Rogue, Rootkit, spyware, adware.
The system was infected from the following site: www.ask.com and www.websearch.ask.com and possibly from Graboid Video PeerToPeer TV and most likely from FrostWire Gnutella.
ask.com has been placed in Kioskea security expert's blacklist as a major source of infection.
Your system is badly infected to the point where we would need to run several tools and again do some manual operations in the registry.
I shall prescribe to you a very powerful medicinal compound that is able to kill and send any virus to the glue factory. It is of very last resort and should not be abused; as a matter of fact, once you have used it, I suggest you delete it from your system.
To keep your system safe, you must follow the instructions hereunder to the letter:
First step, boot your system in safe mode with networking
1. Download Combofix to your desktop.
http://www.combofix.org/download.php
2. Close all open windows, including this one.
Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
3. Double click on the ComboFix icon.
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
4. Accept the disclaimer and the recovery
5. You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.
ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.
If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt.
During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run.
6. Reboot the system and create a new restore point which you can name...let's see...yes, name it Ambucias. This way you will know that it's a safe date to return to in case of problems.
Once you are done, report to me on how your system is behaving.
Good luck
Ambucias
debbiewake (Member, 10 posts) - Apr 30, 2011 at 11:04 AM
Thank You! Things seem to be moving very well and my browser is no longer being hijacked. The small red shield icon is still in the tray on my desktop, however. It says it is Windows Security Alerts. I had never seen this icon before all of the problems started. Should I still be concerned?
Also, what do you advise as the best protection to prevent future problems? Currently I have Microsoft Security Essentials and also Malwarebytes. During this mess I tried Spybot, Avast, and AVG. I have deleted Graboid and will never again use Frostwire. Ask.com has been attached to other things but I will watch for it in the future and won't download anything that is associated with it.
Again - I can't thank you enough for taking the time to help me!
debbiewake (Member, 10 posts) - Apr 30, 2011 at 11:26 AM
I was wrong! My browser page looked funny so I went to options and my home page was listed as ask.com. It is still lurking around!
Ambucias (Moderator, 47310 posts) - Apr 30, 2011 at 03:53 PM
Debbie,
Rerun Rkill in the following manner:
You must kill the evil processes which the virus is presently running and which prevent you from running any antivirus. If you don't, it will keep reproducing the files forever.
To kill the processes:
1. Download to your desktop and run Rogue Kill:
https://download.bleepingcomputer.com/grinler/rkill.com
2. You should now see a window that shows all of your desktop icons, including the rkill.com program.
3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.
If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes. So, please try running Rkill until malware is no longer running.
As a matter of fact, if you get messages, it is a sign that the virus is agonizing with excruciating pain, so you can just grin while it is suffering! :)))
Please, DO NOT REBOOT your computer or the processes will come back to haunt you!
Download Malwarebytes to your desktop.
https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/
Once on your desktop, we must still outwit the virus.
Right click on the MBAM icon and click on rename. Rename it kioskea.exe.
Install Malwarebytes and launch it. From the second tab, update it.
Pretty please, request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.
debbiewake (Member, 10 posts) - May 2, 2011 at 08:01 AM
I have repeated this process multiple times. The first time rkill found nothing and malware found nothing. I rebooted my system and tried again. This time rkill found 9 items but Malware found nothing. I have not rebooted again since this. I ran again a couple more times and each time rkill finds something but malware does not. The red shield is still showing in my tray and I have seen ask.com pop up again when I used Internet Explorer. What else can I do to get rid of this malicious infection?
Ambucias (Moderator, 47310 posts) - May 2, 2011 at 04:20 PM
Dear Debbie,
I don't think that this Trojan can do much harm at present, as rkill has terminated the evil process. However, some files may still exist and you must delete them manually:
1. Uninstall XP Total Security 2011 from the Control Panel:
Start > Settings > Control Panel > Add/Remove Programs. Double click to uninstall.
2. Delete the XP Total Security 2011 registry entries:
To open the registry editor, click Start > Run > type "regedit".
Please avoid errors; ensure the entries match perfectly. If you don't find an entry, Malwarebytes may have deleted it.
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
3. Search for and delete these XP Total Security 2011 related files:
%AllUsersProfile%\t3e0ilfioi3684m2nt3ps2b6lru
%AppData%\Local\[random].exe
%AppData%\Local\t3e0ilfioi3684m2nt3ps2b6lru
%AppData%\Roaming\Microsoft\Windows\Templates\t3e0ilfioi3684m2nt3ps2b6lru
%Temp%\t3e0ilfioi3684m2nt3ps2b6lru
Let me know when you are done for further security advice.
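As an added, defender-side example (not part of the thread and not the moderator's tool), the Python script below parses a listing in the layout posted above, flags every shell command that has been routed through a wrapper loader with /START, and shows the value to restore, since deleting such a key outright leaves Windows with no handler for .exe files at all. The sample listings are constructed from the entries shown in the post; "[random 3 letters].exe" is the thread's own placeholder for the rogue's randomly named loader.

```python
import re
from dataclasses import dataclass

# Constructed sample, laid out the way the moderator's listing above is:
#   KEY "ValueName" = 'data'
# "[random 3 letters].exe" is the thread's placeholder for the rogue's
# randomly named loader. The two '"%1" %*' entries are clean Windows defaults.
SAMPLE_LISTING = r"""
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
"""

# Constructed: the same machine after the exefile open-command keys were
# deleted instead of restored. Nothing tells Windows how to launch an .exe.
DELETED_LISTING = r"""
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
"""

# One listing line: registry key, value name in double quotes, data in single quotes.
LINE_RE = re.compile(r"""^(?P<key>\S+) "(?P<name>[^"]+)" = '(?P<data>.*)'$""")

# The hijack pattern from the thread: a loader runs first and is handed the
# real target after /START. Whatever follows /START is the value to put back.
WRAPPER_RE = re.compile(r'^"(?P<launcher>[^"]+)" /START (?P<target>.+)$')

# Windows defaults for the .exe association on a healthy machine.
DEFAULT_EXE_HANDLER = "exefile"
DEFAULT_OPEN_COMMAND = '"%1" %*'


@dataclass
class Finding:
    key: str
    name: str
    current: str
    restore_to: str  # set the value to this instead of deleting the key


def parse_listing(text):
    """Yield (key, value_name, data) for every well-formed listing line."""
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("key"), m.group("name"), m.group("data")


def audit(text):
    """Flag every shell command that is routed through a wrapper loader."""
    findings = []
    for key, name, data in parse_listing(text):
        if not key.lower().endswith("\\command"):
            continue
        m = WRAPPER_RE.match(data)
        if m is None:
            continue  # '"%1" %*' or a plain browser path: leave it alone
        findings.append(Finding(key, name, data, m.group("target")))
    return findings


def repair(text):
    """Return the listing with every wrapper stripped back to its target."""
    fixed = {(f.key, f.name): f.restore_to for f in audit(text)}
    out = []
    for key, name, data in parse_listing(text):
        data = fixed.get((key, name), data)
        out.append('{} "{}" = \'{}\''.format(key, name, data))
    return "\n".join(out)


def exe_association_intact(text):
    """True only when .exe maps to exefile and every exefile open command
    present is the plain default. A hijacked command or a deleted key (the
    'Windows cannot open this file' situation) both make this False."""
    handler_ok = False
    open_cmds = []
    for key, name, data in parse_listing(text):
        k = key.lower()
        if k.endswith("\\.exe") and name == "(Default)":
            handler_ok = data == DEFAULT_EXE_HANDLER
        elif k.endswith("\\exefile\\shell\\open\\command") and name == "(Default)":
            open_cmds.append(data)
    return handler_ok and bool(open_cmds) and all(
        c == DEFAULT_OPEN_COMMAND for c in open_cmds)


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        print(f.key, "[" + f.name + "]")
        print("  hijacked:", f.current)
        print("  restore :", f.restore_to)
    print("intact before repair:", exe_association_intact(SAMPLE_LISTING))
    print("intact after repair :", exe_association_intact(repair(SAMPLE_LISTING)))
    print("intact after delete :", exe_association_intact(DELETED_LISTING))
```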
debbiewake (Member, 10 posts) - May 3, 2011 at 07:40 AM
I think I have made a HUGE mistake. The only things on the list I could delete were:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 letters].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
But now I cannot access the internet without a box that says - Windows cannot open this file.
I tried to reopen registry edit but I get the same message, and even when the internet does open at shell.windows.com, anything I put in search is hijacked and won't let me go anywhere!
debbiewake (Member, 10 posts) - May 3, 2011 at 08:40 AM
I can't open anything! Not add/delete programs in control panel, not malware, not Microsoft Word, Excel or any other program. I get the same message.
Windows cannot open this file. To open Windows needs to know what program created it.
Using the web search feature is the only way I can get to the internet at all and I can't Google ANYTHING without being redirected. The only way I can get here is because I have this page bookmarked.
debbiewake (Member, 10 posts) - May 3, 2011 at 02:50 PM
I use Firefox as my browser but since I couldn't get it open today - I tried Internet Explorer. It opened to ask.com. I closed it immediately.
Ambucias (Moderator, 47310 posts) - May 3, 2011 at 03:20 PM
Looking at the number of infected files, I suspected that Murphy's law could come into play. Your log showed over 300 infected files.
Let's start with the "what program created it".
1. Go to this site:
http://www.dougknox.com/
Download and run the XP .exe file association fix.
2. Go to this Navilog1 site and download the exe files:
http://il.mafioso.pagesperso-orange.fr/Navifix/download.htm
Navilog proceeds in 2 steps. It first looks for infected files and then proposes an automatic or a manual cleansing.
Launch Navilog and choose the language.
Accept the license.
In the window "start now", pick OK.
You will get a black window; pick the letter e to search for infected files and press Enter. It will inform you when the search is terminated.
Press any key to go on.
Once Navilog is fully installed, type 1 and press Enter. The search may take 10 minutes.
Press any key to show the report.
If you can, note down the search "BlackLight Engine/F-Secure".
Double click on the desktop Navilog shortcut and repeat the above except, after the language choice, pick 2 for automatic clean-up. After the clean-up, your system will be rebooted.
If your system still shows signs of infection, we will start the procedure again, but we will do a manual removal...
And this may not be the end of it...remember, over 350 infected files.
debbiewake (Member, 10 posts) - May 4, 2011 at 08:40 AM
I took care of the first problem - association of files - and things seem to be moving along. As for the second part - I went to Navilog and downloaded the exe files, but once I launch it, I choose the language and then I am shown 3 more screens where the only option is "hit any key to continue". Then I get "please wait" and nothing happens. Please wait has been on my screen for over 2 hours.
Ambucias (Moderator, 47310 posts) - May 4, 2011 at 04:47 PM
Well at least we got the program thing fixed.
I wish you would not spend so many hours in front of your screen.
Please, close Navilog; use Alt+Ctrl+Del to end the task if necessary.
Now, to recapitulate, do you still have that virus showing?
Can you now access the add/remove programs in the control panel?
If not, right-click on Start, and left-click on Explorer.
Open Tools > Folder Options > View tab > Advanced settings > check SHOW hidden files and folders > click OK.
In the left pane, go down to Program Files and click on it. In the right hand pane, see if you can locate XP Total Security and delete it.
If you don't find it in Program Files, go to:
c:/documents and settings/all users/application data/10176254 (may be another similar number)
and delete that file. If you see similar files ending with a number, delete them also.
If you did find the above, rerun MBAM.
Reboot the system.