flywelder

Help!! I have a broken file association in registry and alot more!!


Hi, I can't believe I am here finally, I have been trying for 4 hrs! I have been redirected so many times! and I am getting numerous pop ups! here is what is happening. I am getting pop ups that say: system broken file association in registry. other pop ups say: Adware.tracking cookie, others say: XP internet Security Center. this pop up says my firewall is turned off. now when I go to control panel and look at the firewall it is turned off and I can not turn it on!...and I don't recall turning it off???

I get another pop up with words about system recovery. another pop up with words of: disabled task manager.

another pops up with words of: found Trojan BNK.Win32.keylogger.gen C:\Program files\Messenger\msmsgs.exe

these pop up with in seconds of each other!

I ran scan after scan with SUPERAntiSpyware, it keeps finding the same things, and the list grows! from 5 to 13 and now 17 infections! I updated it each time and ran yet more scans and the same files appear with more infections!

Help!!!!

Now, I cannot see any programs listed under the start button! ???

Now I cannot see the saved folders with all my Word docs saved in them!...nothing is showing up in my documents!??? it says empty??

the program button says empty...?????

The symbol for SUPERAntiSpyware that was in my tool bar at the bottom right next to the clock is now gone? it was there before I had this computer reboot, as instructed by SUPERAntiSpyware.???? where is it now?

I don't know that I'll be able to get back to this web site forum once I leave it. It was so difficult to get here this time, I'm not sure how I did it? FYI: I am not a computer expert, just a user with a tad bit more knowledge about computers and affiliated problems than average perhaps.

I appreciate all your help! I really appreciate your help!!

I can be reached at: flywelder@live.com

below I hope to post the latest scan log, I might not be able to as i cannot find any icon for SAS to click on!????

I might go ahead and post this message so that you folks hear from me, and can email me with advice and instructions. so I can post my scan log next. remember my email above, I'll be looking there for help.

I am going to use 'search' and try to find SAS and maybe a scan log file. if I am successful I'll try and post it at the bottom of this message.

I make a request right now, to have diagnostics be run by SAS developers.....I think it would be wise as I feel I am way in over my head now. would you agree that would be a good step? and if so, how do we proceed? would there be a way to learn where these viruses came from?...so they can be avoided in the future.

Thanks, thanks, thanks! :)

David 5-06-2011

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 05/06/2011 at 01:56 PM

Application Version : 4.51.1000

Core Rules Database Version : 6999

Trace Rules Database Version: 4811

Scan type : Complete Scan

Total Scan Time : 00:38:38

Memory items scanned : 467

Memory threats detected : 3

Registry items scanned : 7213

Registry threats detected : 8

File items scanned : 27521

File threats detected : 10

System.BrokenFileAssociation

HKCR\.exe

Disabled.TaskManager

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System#DisableTaskMgr

HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR

HKU\S-1-5-21-605865402-4069305935-1106247723-1011\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM#DISABLETASKMGR

Trojan.Agent/Gen-FakeAlert

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\UYSXVIYJUISDKJH.EXE

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\UYSXVIYJUISDKJH.EXE

C:\DOCUMENTS AND SETTINGS\BIOMED\LOCAL SETTINGS\APPLICATION DATA\ISJ.EXE

C:\DOCUMENTS AND SETTINGS\BIOMED\LOCAL SETTINGS\APPLICATION DATA\ISJ.EXE

[uySxVIYJUiSDkJH] C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\UYSXVIYJUISDKJH.EXE

C:\WINDOWS\Prefetch\ISJ.EXE-35FA3FA6.pf

C:\WINDOWS\Prefetch\UYSXVIYJUISDKJH.EXE-030F83E2.pf

Trojan.Agent/Gen-FakeAV[Nx]

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\17555236.EXE

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\17555236.EXE

C:\WINDOWS\Prefetch\17555236.EXE-36AE10C6.pf

Disabled.SecurityCenterOption

HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#ANTIVIRUSDISABLENOTIFY

HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#FIREWALLDISABLENOTIFY

HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER#UPDATESDISABLENOTIFY

Trojan.Agent/Gen-FakeSecurity

C:\DOCUMENTS AND SETTINGS\BIOMED\DESKTOP\WINDOWS RECOVERY.LNK

C:\DOCUMENTS AND SETTINGS\BIOMED\START MENU\PROGRAMS\WINDOWS RECOVERY\UNINSTALL WINDOWS RECOVERY.LNK

C:\DOCUMENTS AND SETTINGS\BIOMED\START MENU\PROGRAMS\WINDOWS RECOVERY\WINDOWS RECOVERY.LNK

Trojan.Agent/Gen-Virut

C:\WINDOWS\SYSTEM32\DRIVERS\1409.SYS

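The scan log posted above has a simple two-part layout: a header of counters, then detection categories each followed by the registry keys or file paths they matched. The parser below is an added example (not SUPERAntiSpyware's code; the format is inferred from the logs in this thread and the sample log is constructed and abbreviated from them). It separates the categories that mean a protection was switched off (Task Manager policy, Security Center notifications, the .exe association) from the dropped files, which is the distinction a responder wants when deciding what still needs restoring after quarantine.

```python
"""Parse a SUPERAntiSpyware scan log into categorised detections.

Added example, not product code. The layout is inferred from the logs posted
in this thread; SAMPLE_LOG is a constructed, abbreviated sample in that layout.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
Generated 05/06/2011 at 01:56 PM
Registry threats detected : 3
File threats detected : 2

System.BrokenFileAssociation
HKCR\.exe

Disabled.TaskManager
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System#DisableTaskMgr

Trojan.Agent/Gen-FakeAlert
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\UYSXVIYJUISDKJH.EXE
C:\WINDOWS\Prefetch\UYSXVIYJUISDKJH.EXE-030F83E2.pf
"""

# Categories that record a disabled protection rather than a dropped file;
# removing the files does not undo these, so they need a separate restore step.
TAMPER_CATEGORIES = {
    "System.BrokenFileAssociation": "restore the .exe file association",
    "Disabled.TaskManager": "clear the DisableTaskMgr policy",
    "Disabled.SecurityCenterOption": "re-enable Security Center notifications",
}

HIVE_RE = re.compile(r"^(HKCR|HKCU|HKLM|HKU|HKEY_[A-Z_]+)\\", re.IGNORECASE)
# Plain path, optionally prefixed by a bracketed run-key name as in "[name] C:\..."
FILE_RE = re.compile(r"^(\[[^\]]*\]\s+)?[A-Za-z]:\\")
# Flash shared-object lines look like "host.example [ C:\...\#SharedObjects\... ]"
SHARED_OBJECT_RE = re.compile(r"^\S+\s+\[\s+[A-Za-z]:\\.*\]$")


def _item_kind(line):
    """Classify a body line as a registry item, a file item, or None (a category header)."""
    if HIVE_RE.match(line):
        return "registry"
    if FILE_RE.match(line) or SHARED_OBJECT_RE.match(line):
        return "file"
    return None


def parse_sas_log(text):
    """Return an OrderedDict mapping category -> list of (kind, item), in log order.

    Everything up to and including the 'File threats detected' counter is header
    metadata and is skipped. Duplicate items (the log repeats some paths) are kept
    so the caller can see exactly what the scanner reported.
    """
    detections = OrderedDict()
    category = None
    in_body = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_body:
            if line.lower().startswith("file threats detected"):
                in_body = True
            continue
        kind = _item_kind(line)
        if kind is None:
            category = line
            detections.setdefault(category, [])
        elif category is not None:
            detections[category].append((kind, line))
    return detections


def summarize(detections):
    """Count registry vs file items and the number of distinct items."""
    items = [(kind, item) for entries in detections.values() for kind, item in entries]
    return {
        "registry": sum(1 for kind, _ in items if kind == "registry"),
        "file": sum(1 for kind, _ in items if kind == "file"),
        "unique_items": len({item for _, item in items}),
    }


def restore_actions(detections):
    """List the restore steps implied by the tamper categories present in the log."""
    return [TAMPER_CATEGORIES[c] for c in detections if c in TAMPER_CATEGORIES]


if __name__ == "__main__":
    found = parse_sas_log(SAMPLE_LOG)
    for cat, entries in found.items():
        print(cat)
        for kind, item in entries:
            print(f"  [{kind}] {item}")
    print(summarize(found))
    print(restore_actions(found))
```

Run it against a saved log with `parse_sas_log(open(path).read())`; the `restore_actions` list is the part to act on after the quarantine, since a cleaned disk with the Task Manager policy still set or the .exe association still broken behaves much like the infected one.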

Maybe I've had the same... Annoying, isn't it? Two weeks ago I struggled with cleaning it, and for some reason it reappeared tonight.

In addition to taking over operations with its fake warnings, it disables task manager and the legit antiviral software, the ability to run exe's, and turns the firewall off. I have xp-pro and these steps work for me.

A run of exefix_xp.com restores the ability to execute files, so that you'll be able to run MSE, Malwarebytes, SuperAntiSpyware, etc.

I believe I found it on the web.

Start/Run regsvr32 wuaueng.dll restores the firewall.

Reboot into safe mode.

Run full scans with the antivirus software in safe mode. Get the software updates as soon as you have the ability to open them and the firewall issue is resolved. Again run the antivirus programs in full boot. I run the 3 I mentioned, updating continually, and find that they find different components.

This works for me. It takes 1 or more hours for each run of an antivirus program, so it does take time.

Good luck.

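The recovery steps in the reply above all undo the same small set of registry changes that the posted logs flag: the DisableTaskMgr policy, the three Security Center "DisableNotify" switches, and the hijacked .exe association (including a per-user `HKCU\Software\Classes\.exe` override like the one in the MSE history). The script below is an added example, not from this thread or any of the products named in it. `assess_state()` works on a plain dict so it can be tested anywhere; `read_live_state()` reads the real values through `winreg` on Windows. The clean and tampered states are constructed samples, and the hijacked command path in the tampered sample is a placeholder.

```python
"""Check the Windows settings the rogue AV is described as tampering with.

Added example, not product code. The indicator names mirror the categories in
the SUPERAntiSpyware logs posted in this thread; CLEAN_STATE and
TAMPERED_STATE are constructed samples.
"""
import sys

TASKMGR_POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SECURITY_CENTER = r"SOFTWARE\Microsoft\Security Center"
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")
EXE_OPEN_COMMAND_KEY = r"exefile\shell\open\command"
# Stock default for launching .exe files; anything else means the association was changed.
EXE_OPEN_DEFAULT = '"%1" %*'

CLEAN_STATE = {
    "DisableTaskMgr": None,
    "notify": {name: 0 for name in NOTIFY_VALUES},
    "exe_open_command": '"%1" %*',
    "user_exe_class": None,
}

# Constructed: the shape of a tampered machine; the command path is a placeholder.
TAMPERED_STATE = {
    "DisableTaskMgr": 1,
    "notify": {name: 1 for name in NOTIFY_VALUES},
    "exe_open_command": '"C:\\PLACEHOLDER\\hijack.exe" "%1" %*',
    "user_exe_class": True,
}


def assess_state(state):
    """Return a list of (indicator, detail) for every setting that is not at its clean default."""
    findings = []
    if state.get("DisableTaskMgr"):
        findings.append(("Disabled.TaskManager", "DisableTaskMgr policy is set"))
    for name, value in state.get("notify", {}).items():
        if value:
            findings.append(("Disabled.SecurityCenterOption", f"{name} = {value}"))
    cmd = state.get("exe_open_command")
    if cmd is None or cmd.strip().lower() != EXE_OPEN_DEFAULT.lower():
        findings.append(("System.BrokenFileAssociation", f"exefile open command is {cmd!r}"))
    # A per-user .exe class takes precedence over HKCR, so it is a hijack even if HKCR is clean.
    if state.get("user_exe_class") is not None:
        findings.append(("System.BrokenFileAssociation", r"HKCU\Software\Classes\.exe override present"))
    return findings


def read_live_state():
    """Read the same settings from the live registry (Windows only)."""
    import winreg  # standard library, available only on Windows

    def read(hive, path, name=""):
        try:
            with winreg.OpenKey(hive, path) as key:
                return winreg.QueryValueEx(key, name)[0]  # name "" is the key's default value
        except OSError:
            return None

    user_exe = None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Classes\.exe"):
            user_exe = True
    except OSError:
        pass
    return {
        # The policy was logged under both HKCU and HKLM, so check both.
        "DisableTaskMgr": read(winreg.HKEY_CURRENT_USER, TASKMGR_POLICY, "DisableTaskMgr")
        or read(winreg.HKEY_LOCAL_MACHINE, TASKMGR_POLICY, "DisableTaskMgr"),
        "notify": {name: read(winreg.HKEY_LOCAL_MACHINE, SECURITY_CENTER, name) for name in NOTIFY_VALUES},
        "exe_open_command": read(winreg.HKEY_CLASSES_ROOT, EXE_OPEN_COMMAND_KEY),
        "user_exe_class": user_exe,
    }


if __name__ == "__main__":
    state = read_live_state() if sys.platform == "win32" else TAMPERED_STATE
    for indicator, detail in assess_state(state):
        print(f"{indicator}: {detail}")
```

Run before and after the cleanup: an empty result from `assess_state(read_live_state())` means the three things the reply restores by hand (exe association, firewall notifications, Task Manager) are back at their defaults; any remaining `System.BrokenFileAssociation` finding is the reason scanners still cannot be launched.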

Maybe this can help in the future..

My BF kept getting this infection over and over before finally putting it to rest with SAS..

But here's the main thing..

we are networked and have basically the same computer..same OS..same avast free..same firewall...same everything else..

I never got this infection, though, despite us being networked and despite me being more active on my computer..

The only difference I can see is that I had SAS pro real-time protection.

I'm convinced that it's worth it.


When the FakeAV initiates on my computer, it disables MSE and MBAM, but not SAS. This infection led me to purchase SAS. Now, I have SAS resident with MSE. MBAM has found files missed by SAS. However, SAS default Scanning Controls was set to Ignore non-executable files ~ perhaps causing the difference? Irrespective, I find it best to run several programs for cleaning. I see that SAS has a repair tab to restore functions removed by the Fakes. If I look at history for my 2 residents, SAS and MSE, I see that they've both caught different attack attempts. I'm wondering why so frequently the Fake gets in. Since my 1st infection 2 weeks ago, I've been careful about selecting the sites I visit.


I seem to be clean, now. I believe it is important to not click on any of the Fake AV warning pop-ups... I move them to the side when possible. It seems that clicking them, even the X to close, enables the virus to do additional destruction, as encountered by flywelder.

My last SAS log of infection cleanup:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 05/09/2011 at 11:41 PM

Application Version : 4.52.1000

Core Rules Database Version : 7021

Trace Rules Database Version: 4833

Scan type : Complete Scan

Total Scan Time : 01:35:17

Memory items scanned : 518

Memory threats detected : 0

Registry items scanned : 8376

Registry threats detected : 1

File items scanned : 57411

File threats detected : 26

System.BrokenFileAssociation

HKCR\.exe

Adware.Tracking Cookie

C:\Documents and Settings\Joyce\Cookies\joyce@lucidmedia[1].txt

C:\Documents and Settings\Joyce\Cookies\joyce@specificmedia[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@ad.yieldmanager[1].txt

C:\Documents and Settings\Joyce\Cookies\joyce@ru4[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@a1.interclick[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@collective-media[1].txt

C:\Documents and Settings\Joyce\Cookies\joyce@invitemedia[1].txt

C:\Documents and Settings\Joyce\Cookies\joyce@realmedia[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@www.windowsmedia[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@adbrite[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@questionmarket[1].txt

C:\Documents and Settings\Joyce\Cookies\joyce@tribalfusion[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@media.adfrontiers[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@specificclick[1].txt

C:\Documents and Settings\Joyce\Cookies\joyce@imrworldwide[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@media6degrees[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@ads.pubmatic[1].txt

C:\Documents and Settings\Joyce\Cookies\joyce@pointroll[1].txt

C:\Documents and Settings\Joyce\Cookies\joyce@adxpose[1].txt

C:\Documents and Settings\Joyce\Cookies\joyce@revsci[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@ads.pointroll[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@interclick[2].txt

C:\Documents and Settings\Joyce\Cookies\joyce@serving-sys[1].txt

ia.media-imdb.com [ C:\Documents and Settings\Joyce\Application Data\Macromedia\Flash Player\#SharedObjects\47867SAQ ]

msnbcmedia.msn.com [ C:\Documents and Settings\Joyce\Application Data\Macromedia\Flash Player\#SharedObjects\47867SAQ ]

Trojan.Agent/Gen-FakeAV

C:\DOCUMENTS AND SETTINGS\JOYCE\LOCAL SETTINGS\TEMP\JAR_CACHE5582401156241880608.TMP

MBAM scan executed after SAS reported:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6543

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/10/2011 2:16:35 AM

mbam-log-2011-05-10 (02-16-35).txt

Scan type: Full scan (C:\|)

Objects scanned: 252971

Time elapsed: 1 hour(s), 17 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\exqonczctruceg (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1257\A0110716.exe (Trojan.FakeAlertRP.Gen) -> Quarantined and deleted successfully.

MSE History reports on actions it took automatically (I didn't run a scan):

Exploit:Win32/Pdfjsc.OY Severe 5/10/2011 7:54 AM Removed

file:C:\Documents and Settings\Joyce\Local Settings\Application Data\Mozilla\SeaMonkey\Profiles\obrov2kz.default\Cache(4)\93746344d01

Rogue:Win32/FakeSpypro Severe 5/10/2011 2:05 AM Removed

containerfile:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1257\A0110716.exe

file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1257\A0110716.exe->[Obfuscator.JM]->(UPX)

Rogue:Win32/FakeRean Severe 5/09/2011 10:26 PM Removed

file:C:\Documents and Settings\Joyce\Local Settings\Temp\jar_cache5582401156241880608.tmp

Rogue:Win32/FakeRean Severe 5/09/2011 10:08 PM Removed

file:C:\Program Files\SeaMonkey\null0.8474681624012698.exe

regkey:HKCU@S-1-5-21-4250537583-2546393392-2140395777-1005\software\classes\.exe


Is the following detection deleted after the scan?

Trojan.Agent/Gen-FakeAV

C:\DOCUMENTS AND SETTINGS\JOYCE\LOCAL SETTINGS\TEMP\JAR_CACHE5582401156241880608.TMP

Does it come up upon a second scan?
