Thread ID: 118665 2011-06-15 18:26:00 Nod 32 version 5? apsattv (7406) Press F1
1209606 2011-06-17 04:51:00 I've managed to find me a copy of XP Home AntiSpyware 2012. These new versions are very clever, they don't hide in the Startup, but they make themselves the 'launcher' for .exe files, and specifically for Internet Explorer.

Means that you kill it off, and it comes right back again.

If I wanted to submit that to eset, where would be the best place? Right now, nothing picks this up. Not even Malwarebytes, Spybot, McAfee or NOD32...

You need to scan the drive from another PC, then fix the .exe file association issues. I did one this morning and NOD grabbed it when I scanned over top of the drive.

I would post the log file, but I just removed the NOD RC I scanned with and the log files didn't get saved.

x:\documents and settings\administrator\local settings\application data\wky.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Is that the location?

Throwing that lot headlong into the registry then rebooting ought to fix the exe association issues assuming you're running 7 or vista.


Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.EXE]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.EXE\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]
wratterus (105)
1209607 2011-06-17 05:20:00 Yeah, close, but I also found that it hijacks HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

Updated my post here earlier today: www.c2s.co.nz

So you're saying NOD32 now picks it up? It didn't previously ... Granted it was a few weeks ago, and I scanned *from* the infected PC.
Chilling_Silence (9)
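As an added example (not from this thread), a read-only PowerShell check for the launch points both posts describe: the .exe/exefile association from wratterus's .reg file and the IEXPLORE.EXE StartMenuInternet command from Chilling_Silence's post. The function name and the expected iexplore.exe path pattern are assumptions; it reports deviations and changes nothing.

```powershell
# Added example: audit the registry launch points a fake-AV 'launcher' hijacks.
# Run from an elevated PowerShell prompt (ideally after cleaning from another PC).
# Expected (clean) values as given in the .reg file posted in the thread.
$Expected = @{
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'  = '"%1" %*'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\runas\command' = '"%1" %*'
}

function Test-ExeLaunchPoints {   # hypothetical name, not a built-in cmdlet
    $findings = @()

    # 1. The .exe extension must map to the 'exefile' ProgID.
    $ext = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
    if ($ext -ne 'exefile') {
        $findings += [pscustomobject]@{ Key = 'HKCR\.exe'; Expected = 'exefile'; Actual = $ext }
    }

    # 2. The open/runas verbs must launch the file itself, not some other 'launcher'.
    foreach ($key in $Expected.Keys) {
        $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($actual -ne $Expected[$key]) {
            $findings += [pscustomobject]@{ Key = $key; Expected = $Expected[$key]; Actual = $actual }
        }
    }

    # 3. A per-user UserChoice for .exe overrides HKCR; the posted .reg file deletes it.
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
    if (Test-Path $userChoice) {
        $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
        $findings += [pscustomobject]@{ Key = $userChoice; Expected = '(absent)'; Actual = $progId }
    }

    # 4. The Start Menu Internet entry for IE reported as hijacked in the second post.
    #    Assumption: a clean command ends in iexplore.exe (quoted or not).
    $ie = 'HKLM:\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
    $ieCmd = (Get-ItemProperty -Path $ie -ErrorAction SilentlyContinue).'(default)'
    if ($ieCmd -and $ieCmd -notmatch '(?i)\\iexplore\.exe"?\s*$') {
        $findings += [pscustomobject]@{ Key = $ie; Expected = '...\iexplore.exe'; Actual = $ieCmd }
    }

    return $findings
}

$result = Test-ExeLaunchPoints
if ($result) { $result | Format-Table -AutoSize } else { 'No deviations found in the checked launch points.' }
```

Any row it prints names a value that differs from the posted .reg file or points IE at another binary; that is the key to restore or export for submission to the vendor.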
1209608 2011-06-17 05:42:00 Lots of these infections these days can't be removed if the PC is actually using the System.

I made the rescue CD that NOD allows you to make; you need the WAIK kit from MS installed first, as this makes the WinPE bootable interface. Then boot from that CD: it finds the majority of infections and allows you to then open Windows normally and finish cleaning it out.

Chill -- to send a file to ESET, have a read (www.en.eset.ch) :)
wainuitech (129)