Thread: Help - got hit by worm or virus, renamed all program extension, use ZA, AVG,Lavasoft

  1. #1
    bamboopanda Guest

    Help - got hit by worm or virus, renamed all program extension, use ZA, AVG,Lavasoft

    Hi

    I am hoping someone can assist with a) telling me what I got hit by and b) how to repair.

    I was online and my system started acting strange, so I shut down and on reboot Ad-Aware (Lavasoft) caught
    a number of registry changes (I have a text file of it), browser hijack attempts and user preference file corruption.

    Basically all program files were renamed

    Here is the log file:

    1. Internal error : User Preference file corrupted! To correct this error, close and relaunch Ad-Watch.

    Default settings have been applied. (All blocking features are active)

    MInitialization error (3)

    2. Registry modification detected:

    Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\regfile\shell\open\command
    Value:
    Data:
    New Data: regedit.exe "%1" === regedit no longer will open

    3. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\regfile\shell\open\command
    Value:
    Data:
    New Data: regedit.exe "%1"

    4. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\lnkfile\CLSID
    Value:
    Data:
    New Data:{00021401-0000-0000-C000-000000000046}

    5. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\exefile\shell\open\command
    Value:
    Data:
    New Data: "%1"%*


    6. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\.com
    Value:
    Data:
    New Data:comfile

    7. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\.scr
    Value:
    Data:
    New Data:scrfile

    8. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\.bat
    Value:
    Data:
    New Data:batfile

    9. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\.pif
    Value:
    Data:
    New Data:piffile

    10. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\.reg
    Value:
    Data:
    New Data:regfile

    11. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\.lnk
    Value:
    Data:
    New Data:lnkfile

    12. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Classes\.exe
    Value:
    Data:
    New Data:exefile

    13. Root: HKEY_LOCAL_MACHINE
    Key: Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    Value: PostBootReminder
    Data:
    New Data:{7849596a-48ea-486e-8937-a2a3009f31a9

    14. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    Value: dontdisplaylastusername
    Data:
    New Data:0

    15. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value: NoDriveTypeAutoRun
    Data:
    New Data:255

    16. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows
    Value: AppInit_DLLs
    Data:
    New Data:

    17. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value: AWMON
    Data:
    New Data:"C:PROGRA~1\Lavasoft\AS-AWA~2\Ad-Watch.exe"

    18. Root: HKEY_LOCAL_MACHINE
    Key: SOFTWARE\Microsoft\Internet Explorer\Search
    Value: SearchAssistant
    Data:
    New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


    There is more.... this is hand typed, so I tried to avoid errors, but there may be a typo.

    Up to date on ZA, Ad-Aware, Lavasoft, AVG (even did an AVG scan and it did not catch this).

    End result, cannot open program files the regular way. But I can open them indirectly; for example, if I click on a .jpg, the program associated with it will open no problem.

    ZA is unavailable (due to the extension change) (this is the paid version, newly updated), AVG is unavailable, and I cannot access regedit because of the extension change.

    Updated Windows recently as well. Using Windows XP Home.

    ANY IDEAS or explanations on how this happened? Did not open a sexy girl email, surf safe, was on eBay when this happened and was using Irfan on the desktop when it went wanky.

    Thanks!

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Pro
    Software Version:2.x

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Help - got hit by worm or virus, renamed all program extension, use ZA, AVG,Lavasoft

    Hi. Doesn't seem good. I would try an Ewido (ewido.com) scan and removal for malware. This can be done on-line from their site, as well as maybe a trendmicro.com or bitdefender.com or norton.com scan and removal (also done from their site; use IE, since they probably use ActiveX). Ewido or A-squared can be downloaded and updated for free!

    If it's still bad, consider HijackThis from merjin.richardlionhearted.com or downloads.com or majorgeeks or almost any of the major security forums. After running HijackThis, send the results, with your posting, explaining and introducing yourself, to the majorgeeks or wilders or castlecops or spywarewarrior forums. There are highly qualified experts to give you the correct procedure and solutions from the HijackThis report. The advice they give will probably be the solution.

    Other alternatives would be Spyware Doctor from pctools or Spybot S&D or SpySweeper from Webroot. If you can remove the malware, a good cleaning of the registry or files will probably be a good idea. For this I use CCleaner.

    Hope your pc gets better.
    Best regards.
    oldsod

  3. #3
    jarvis Guest

    Re: Help - got hit by worm or virus, renamed all program extension, use ZA, AVG,Lavasoft

    Just a thought...

    Try right-click on My Computer --> Properties --> Advanced --> Environment Variables (at the bottom).

    Check that the PATHEXT variable contains .COM;.EXE;.BAT;.CMD;.VBS;.VBE; etc. If not, add them as shown above, separated by semicolons. You might have to reboot to make it take effect.
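A read-only check that ties the two posts together, added here as an example and not code from either poster: it compares the file-association keys named in the Ad-Watch log in post #1 (HKLM\SOFTWARE\Classes\.exe, exefile\shell\open\command and the rest) against the Windows defaults, and then applies the PATHEXT test from post #3. The expected "open" commands for comfile, batfile and piffile are assumed from their Windows defaults; the log itself only shows the exefile and regfile ones.

```powershell
# Added example (not from the thread): read-only check of the file-association
# keys listed in the Ad-Watch log, plus the PATHEXT check from post #3.
# Expected values are the Windows defaults for these keys; nothing is modified.

# Extension -> ProgID mappings the log reports under HKLM\SOFTWARE\Classes
$extMap = @{
    '.exe' = 'exefile'; '.com' = 'comfile'; '.bat' = 'batfile'; '.pif' = 'piffile'
    '.scr' = 'scrfile'; '.reg' = 'regfile'; '.lnk' = 'lnkfile'
}
# ProgID -> expected default "open" command. exefile ('"%1" %*') and regfile
# (regedit.exe "%1") appear in the log; the other three are assumed defaults.
$cmdMap = @{
    'exefile' = '"%1" %*'; 'comfile' = '"%1" %*'; 'batfile' = '"%1" %*'
    'piffile' = '"%1" %*'; 'regfile' = 'regedit.exe "%1"'
}

function Get-DefaultValue([string]$Path) {
    # Returns the (Default) value of a registry key, or $null if the key is missing
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { return $key.GetValue('') } else { return $null }
}

$problems = @()
foreach ($ext in $extMap.Keys) {
    $actual = Get-DefaultValue "HKLM:\SOFTWARE\Classes\$ext"
    if ($actual -ne $extMap[$ext]) {
        $problems += "$ext maps to '$actual' (expected '$($extMap[$ext])')"
    }
}
foreach ($progId in $cmdMap.Keys) {
    $actual = Get-DefaultValue "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    if ($actual -ne $cmdMap[$progId]) {
        $problems += "$progId open command is '$actual' (expected '$($cmdMap[$progId])')"
    }
}

# PATHEXT check from post #3: the shell only runs these types if they are listed
$pathext = [Environment]::GetEnvironmentVariable('PATHEXT', 'Machine')
foreach ($needed in '.COM', '.EXE', '.BAT', '.CMD') {
    if (($pathext -split ';') -notcontains $needed) { $problems += "PATHEXT lacks $needed" }
}

if ($problems.Count -eq 0) { 'File associations and PATHEXT match the Windows defaults.' }
else { 'Deviations found:'; $problems | ForEach-Object { "  - $_" } }
```

Because launching powershell.exe itself goes through the exefile handler, run this from a clean boot environment (or a known-good offline copy of the hive) when that handler is suspected of being hijacked.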
