Posted: 5/29/2011 3:55:39 AM EDT
|
I hope you guys can help me.
Late last night I was searching for info on Air Intakes for my Jeep. I was watching a few YouTube videos about the Air Intakes and then I started getting these virus warnings. One warning in particular asked me to click to check the computer for viruses. I did; it found 7 but could only remove 3, and to remove the other 4 I had to buy a subscription for $80.00, I believe. I closed that window and ran my own AVG9, and during the search for viruses I probably received about 20 more warnings: some appeared to be from Windows XP, some from "Resident Shield" (?), some were warnings that I was running out of memory, and others said something was wrong with the hard drive and I needed to reboot. I ignored all these. My AVG9 found 6 viruses, Trojan something 22 I think, and then everything went to hell. A lot of my icons on my desktop disappeared, and when I clicked on Start, Programs it showed empty. Soon after that the computer went off.

After I rebooted, I was missing a lot of the icons and my program list was empty. I rebooted in safe mode and attempted to run AVG and Spybot but it did not work. Again I rebooted in safe mode and did a system restore and waited about 20 minutes for the SR to do its thing. Everything seemed back to normal but really slow. I ran the AVG program again and found 4 Trojans, then Spybot found 6 adware. This morning AVG found 4 more Trojans. But my problem continues.

What I have noticed so far is the following: My computer is now very slow. With Internet Explorer, I lost all my Favorites. Is there a way to get them back? When I try using Google, it searches and lists all the results in the usual manner, but when I click on them it brings me to a totally different page; it looks like a different search engine. This is what I have found so far, and I am sure I'll find more problems. Can any of you computer gurus help me with this? What can I do to solve this problem? Thank you in advance. Frank |
|
I think you are still infected with whatever virus it is.
You may try this. http://remove-malware.net/how-to-remove-resident-shield-new-virus-detected-popup/ |
|
You need unhide.exe by a guy named grinler.
http://download.bleepingcomputer.com/grinler/unhide.exe

You also have a proxy running. You'll want to re-register the ieproxy.dll file and check the proxy settings for IE.

Go to Start, Run and type: msconfig.exe and hit Enter. Click on the Services tab. Hide all Microsoft services. Look for stuff starting in places other than c:\windows and c:\windows\system32.

Also, go to Start, Run and type %APPDATA% and hit Enter. Delete any funny-named files or folders. Look in c:\documents and settings\all users\application data\ for gibberish file/folder names.

Download SuperAntiSpyware's portable free scanner. http://www.superantispyware.com/portablescanner.html?tag=SAS_PORTABLEFOLDER |
|
Quoted:
I hope you guys can help me. Late last night I was searching for info on Air Intakes for my Jeep. I was watching a few YouTube videos about the Air Intakes and then I started getting these virus warnings. One warning in particular asked me to click to check the computer for viruses. I did; it found 7 but could only remove 3, and to remove the other 4 I had to buy a subscription for $80.00, I believe. I closed that window and ran my own AVG9, and during the search for viruses I probably received about 20 more warnings: some appeared to be from Windows XP, some from "Resident Shield" (?), some were warnings that I was running out of memory, and others said something was wrong with the hard drive and I needed to reboot. I ignored all these. My AVG9 found 6 viruses, Trojan something 22 I think, and then everything went to hell. A lot of my icons on my desktop disappeared, and when I clicked on Start, Programs it showed empty. Soon after that the computer went off.

After I rebooted, I was missing a lot of the icons and my program list was empty. I rebooted in safe mode and attempted to run AVG and Spybot but it did not work. Again I rebooted in safe mode and did a system restore and waited about 20 minutes for the SR to do its thing. Everything seemed back to normal but really slow. I ran the AVG program again and found 4 Trojans, then Spybot found 6 adware. This morning AVG found 4 more Trojans. But my problem continues.

What I have noticed so far is the following: My computer is now very slow. With Internet Explorer, I lost all my Favorites. Is there a way to get them back? When I try using Google, it searches and lists all the results in the usual manner, but when I click on them it brings me to a totally different page; it looks like a different search engine. This is what I have found so far, and I am sure I'll find more problems. Can any of you computer gurus help me with this? What can I do to solve this problem? Thank you in advance.
Frank

You wouldn't have this problem if you hadn't clicked on that. You should read some of this stuff here: http://nakedsecurity.sophos.com/2011/02/14/scareware-distribution-tactics-practical-protection-mechanisms/ |
|
There are likely 5 registry keys that have this malware running in it.

1) HKEY_CLASSES_ROOT\.exe
This is the content of a reg file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

2) HKEY_CLASSES_ROOT\exefile
This is the content of a registry file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
  00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
  32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
  00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runasuser]
@="@shell32.dll,-50944"
"Extended"=""
"SuppressionPolicyEx"="{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"

[HKEY_CLASSES_ROOT\exefile\shell\runasuser\command]
"DelegateExecute"="{ea72d00e-4960-42fa-ba92-7792a7944c1d}"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers]
@="Compatibility"

[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\Compatibility]
@="{1d27f844-3a1f-4410-85ac-14651078412d}"

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

3) HKEY_CURRENT_USER\Software\Classes
There should be no .exe hive or exefile hive here.

4) HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet
This is the contents of the registry file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]
@="IEXPLORE.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE]
@="Mozilla Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities]
"ApplicationDescription"="Firefox delivers safe, easy web browsing. A familiar user interface, enhanced security features including protection from online identity theft, and integrated search let you get the most out of the web."
"ApplicationIcon"="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe,0"
"ApplicationName"="Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\FileAssociations]
".htm"="FirefoxHTML"
".html"="FirefoxHTML"
".shtml"="FirefoxHTML"
".xht"="FirefoxHTML"
".xhtml"="FirefoxHTML"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\StartMenu]
"StartMenuInternet"="FIREFOX.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\URLAssociations]
"ftp"="FirefoxURL"
"http"="FirefoxURL"
"https"="FirefoxURL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\DefaultIcon]
@="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\InstallInfo]
"HideIconsCommand"="\"C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\helper.exe\" /HideShortcuts"
"ShowIconsCommand"="\"C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\helper.exe\" /ShowShortcuts"
"ReinstallCommand"="\"C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\helper.exe\" /SetAsDefaultAppGlobal"
"IconsVisible"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\properties]
@="Firefox &Options"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\properties\command]
@="\"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\" -preferences"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode]
@="Firefox &Safe Mode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="\"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe\" -safe-mode"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE]
@="Internet Explorer"
"LocalizedString"="@C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,-702"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\DefaultIcon]
@="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe,-7"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\InstallInfo]
"IconsVisible"=dword:00000001
"ShowIconsCommand"="\"C:\\Windows\\System32\\ie4uinit.exe\" -show"
"ReinstallCommand"="\"C:\\Windows\\System32\\ie4uinit.exe\" -reinstall"
"HideIconsCommand"="\"C:\\Windows\\System32\\ie4uinit.exe\" -hide"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\naom]
"MUIVerb"="@C:\\Windows\\System32\\ieframe.dll,-39229"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\naom\command]
@="\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -extoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"

The shell open commands for the web browsers will have the path to the virus in them. Copy the sections between the bold type, paste them into a text file (notepad.exe or wordpad), save it with a .reg extension, and import it into the registry from a safe-mode command prompt only. |
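As an added example (not code from this thread), the following Python audits an exported .reg file for the four hijack patterns the post above describes: the .exe extension no longer mapping to exefile, a replaced exefile shell\open\command, a per-user .exe or exefile override under HKEY_CURRENT_USER\Software\Classes, and a StartMenuInternet browser "open" command that launches something outside Program Files or Windows. The sample export is constructed for the example, the Application Data path and kdfjsd.exe name are made up, and the trusted-directory list is this example's own heuristic; on a real machine you would feed it the output of reg export for those keys.

```python
import re
# Constructed sample shaped like the .reg exports posted above: exefile and the IE "open"
# command run a dropper first and a per-user .exe override exists (path/kdfjsd.exe made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Frank\\Application Data\\kdfjsd.exe\" -a \"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\Frank\\Application Data\\kdfjsd.exe\" -a \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="C:\\Program Files\\Mozilla Firefox\\firefox.exe"
'''
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")  # where real browser and system binaries live
unescape = lambda s: re.sub(r'\\(["\\])', r'\1', s)  # .reg escapes " and \ with a backslash

def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; '' is the (Default) value."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):                 # hex data continues on the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            keys[(current := line[1:-1])] = {}
        elif (m := re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)) and current:
            name = "" if m.group(1) == "@" else unescape(m.group(2))
            data = m.group(3)                   # hex:/dword: data is kept as raw text
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])
            keys[current][name] = data
    return keys

def exe_path(command):
    """Executable a shell command launches: quoted first token, else up to the first .exe."""
    m = re.match(r'^\s*"([^"]+)"', command) or re.match(r'^\s*(.*?\.exe)', command, re.I)
    return m.group(1) if m else command.strip()

def audit(keys):
    """Flag the hijack patterns the thread describes; returns a list of findings."""
    findings = []
    if keys.get(r"HKEY_CLASSES_ROOT\.exe", {}).get("", "exefile") != "exefile":
        findings.append(".exe extension no longer maps to exefile")
    cmd = keys.get(r"HKEY_CLASSES_ROOT\exefile\shell\open\command", {}).get("", '"%1" %*')
    if cmd != '"%1" %*':
        findings.append(f"exefile open command hijacked: {cmd}")
    for key, values in keys.items():
        if re.match(r"HKEY_CURRENT_USER\\Software\\Classes\\(\.exe|exefile)(\\|$)", key, re.I):
            findings.append(f"per-user override present: {key}")
        m = re.search(r"StartMenuInternet\\([^\\]+)\\shell\\open\\command$", key, re.I)
        if m and not (path := exe_path(values.get("", ""))).lower().startswith(TRUSTED_DIRS):
            findings.append(f"{m.group(1)} launches via {path}")
    return findings
```

Anything other than the stock "%1" %* open command is reported, which is exactly the value the reg file in item 2 puts back; the Firefox entry in the sample is left alone because its unquoted path resolves under Program Files.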
|
THANK YOU SO MUCH!!!
Computer is up and running, so far so good. The only thing I noticed that was not as before was my Canon Utilities; I just unloaded all Canon programs and reloaded them from the Canon CD. Now it is working. Even my iPod is recognized and boots up iTunes when I plug the iPod in. I hope it stays like this. Thank you again!!!! I'll remember: if I ever get a virus notice, log off and run my own antivirus program. Lesson learned. |
|
Quoted:
There are likely 5 registry keys that have this malware running in it.

This guy knows his stuff..... |