|
My computer got hacked into Oblivion by this god damn Virus called Vista Internet Security 2012. It's a fake program that detects fake threats and tells you to buy it. Problem is, it blocks everything, can't use the internet, can't use Run...
This is the virus and this is the removal guide I found: http://freeofvirus.blogspot.com/2011/06/vista-internet-security-2012-removal.html
or http://www.2-spyware.com/remove-vista-internet-security-2012.html
I did step 1, and terminated the process in Windows Task Manager but I can't edit the registry (step 2) because the "Run" program just doesn't work. It tells me that "regedit" and "cmd" .exe are not found.
I tried in both SafeMode and Normal Mode and I got the same message. I can't open any .exe basically.
So how do I get in my registry ?
|
Try to go into safemode and remove it with Malwarebytes.
edit: actually, maybe wait for someone more knowledgeable to help fix it. Doing things like this has worked for me in the past though.
|
you'll probably need to make an antivirus boot disk
I've never used one though so can't recommend anything
|
I got a very similar virus some while ago (can't remember if it was the same one). But anyways what I did was that as you start up the computer, go into task manager before it blocks anything, you have a small window here. Then find a weird process (usually some weird combo of numbers and letters), click open file location and just delete the folder.
I tried a lot of programs to try to remove it, but it was as simple as this.
Worth a shot I guess. Just gotta hit your timing. Also, when you get to the folder after opening file location, just change the name so that next time you open the computer you can remove it during that window you have.
Sorry if it doesn't help, but worked for me with a really similar virus.
|
Reinstall windows? It's not so nice as just recovering your computer as is, but as far as simple solutions, it's pretty good.
|
can you run msconfig ?? if so look for it on there ... it can still be running in the background and blocking your .exe functions. if you find it on msconfig and can stop it from running on boot then you should restart and then get access to your registry files and go from there
DON'T TOUCH ANYTHING ELSE IN MSCONFIG YOU CAN INSTANTLY SCREW YOUR PC/LAPTOP
much esports love
|
On August 06 2011 00:06 RedJustice wrote: Reinstall windows? It's not so nice as just recovering your computer as is, but as far as simple solutions, it's pretty good.
This solution should always be used last.
make sure you back-up all that you can if you do decide to reformat.
|
On August 06 2011 00:09 asendent88 wrote: can you run msconfig ??
No. I can't open anything.
msconfig.exe was not found.
Please TL, you're my only hope.
|
malwarebytes.
run it in safemode. If you can't access the internet to download it then you should download it on another computer and put it on a memory stick. Then go into safemode and run it.
|
On August 06 2011 00:15 pStar wrote: malwarebytes.
run it in safemode. If you can't access the internet to download it then you should download it on another computer and put it on a memory stick. Then go into safemode and run it.
I already have malwarebytes but I can't open/run it... Safemode or not, doesn't change anything.
|
I'm no expert but I've had that virus and I just ran system restore to a previous point and that fixed it. But like I said I'm not an expert.
|
On August 06 2011 00:20 Darkdeath3 wrote: I'm no expert but I've gotten that virus and I just ran system restore to a previous point and that fixed it. But like I said I'm not an expert.
I haven't tried this yet but I can't open ANYTHING so I don't see why that program would open and not any others...
If I can't figure out anything else, I will have to try this tho.
|
On August 06 2011 00:23 TuElite wrote: On August 06 2011 00:20 Darkdeath3 wrote: I'm no expert but I've gotten that virus and I just ran system restore to a previous point and that fixed it. But like I said I'm not an expert. I haven't tried this yet but I can't open ANYTHING so I don't see why that program would open and not any others... If I can't figure out anything else, I will have to try this tho.
Did you try my suggestion? Are you sure you can't open anything even right when you start up the computer? Usually you'll have a window of like 30 secs to open something before the virus starts or whatever. Could be a much more refined version of the virus I got...
|
Try a rescue cd, most anti virus companies have them. I suggest the Kaspersky rescue disk.
|
try downloading malwarebytes on another computer and installing it via a USB device in safemode, my friend was infected with this same virus (2011 version?) and we were able to remove it by doing so.
edit: We may have renamed the installer or removed the .exe extension and manually selected how to launch the program, I don't recall now. Hope you can fix it. ^^
|
On August 06 2011 00:25 Deadlyfish wrote: On August 06 2011 00:23 TuElite wrote: On August 06 2011 00:20 Darkdeath3 wrote: I'm no expert but I've gotten that virus and I just ran system restore to a previous point and that fixed it. But like I said I'm not an expert. I haven't tried this yet but I can't open ANYTHING so I don't see why that program would open and not any others... If I can't figure out anything else, I will have to try this tho. Did you try my suggestion? Are you sure you can't open anything even right when you start up the computer? Usually you'll have a window of like 30 secs to open something before the virus starts or whatever. Could be a much more refined version of the virus I got...
I already stopped the Virus's process and deleted the files that caused it (from Task Manager). So that's "gone", the virus doesn't "start" anymore like it used to so I got all the time in the world...
Now it's just that I can't open or access anything. But at least I've gotten rid of the virus process that caused the fake scans and everything.
|
Try renaming the malwarebytes executable. Some of these viruses block programs on a name basis.
|
Have you tried the system restore or can u still not start any programs?
|
On August 06 2011 00:36 Sinborn wrote: Try renaming the malwarebytes executable. Some of these viruses block programs on a name basis.
-__-, yeah I wish it was that easy.
|
On August 06 2011 00:36 Darkdeath3 wrote: Have you tried the system restore or can u still not start any programs?
Just tried System Restore.
Same as any other program, can't access it.
|
Try using the exe association fix from here
|
On August 06 2011 00:47 TuElite wrote: On August 06 2011 00:36 Darkdeath3 wrote: Have you tried the system restore or can u still not start any programs? Just tried System Restore. Same as any other program, can't access it.
You can boot off the installation dvd, and choose the “Repair your computer” option on the lower left hand side. If you don’t have an installation/repair disc, you can make one with these instructions. http://www.howtogeek.com/howto/windows-vista/how-to-make-a-windows-vista-repair-disk-if-you-dont-have-one/
Click next on the next screen, and then choose System Restore from the System Recovery dialog. It will take a few seconds to come up, and you will see the same screen that you would see in windows.
Click next, and on the next screen select the drive that your copy of Windows 7 or Vista is installed on.
Click Finish, and Windows will roll back to the previous restore point. Really pretty simple stuff.
|
GOOD NEWS UPON ME
By using Task Manager and holding CTRL + File(Run) I managed to access the DOS or whatever (the black screen where u can get shit done). I can now access regedit and the registry from there.
Now I'm going to try and delete the following files in the registry
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
As well as these files
%AllUsersProfile%\U3F7PNVFNCSJK2E86ABFBJ5H
%LocalAppData%\ppn.exe
%Temp%\U3F7PNVFNCSJK2E86ABFBJ5H
%LocalAppData%\U3F7PNVFNCSJK2E86ABFBJ5H
%AppData%\TEMPLATES\U3F7PNVFNCSJK2E86ABFBJ5H
And that should get rid of the virus....
Hopefully my .exe files come back after that too but I have a feeling that I'll need to do more shit...
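
Added example, not part of the original post: a Python sketch that reads entries in the KEY "name" = 'value' layout quoted above and flags shell\...\command handlers whose launched program sits in a profile or temp location, plus the Security Center override values. The sample listing is constructed from values in the post with one clean handler added for contrast; the function and constant names are illustrative.

```python
import re

# Constructed sample in the KEY "name" = 'value' layout of the post above:
# three entries taken from it, plus one clean exefile handler for contrast.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
'''

ENTRY = re.compile(r"""^(?P<key>HKEY_.+?)\s+"(?P<name>[^"]+)"\s+=\s+'(?P<value>.*)'$""")
# Profile and temp locations named in the post; a handler should not point here.
USER_WRITABLE = ("%localappdata%", "%appdata%", "%temp%", "%allusersprofile%")
OVERRIDES = {"antivirusoverride", "firewalloverride"}


def first_program(command):
    """Return the program a command line launches (its first token)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""


def audit(listing):
    """Return (kind, key, detail) tuples for entries that need attention."""
    findings = []
    for line in listing.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        key, name, value = m["key"], m["name"], m["value"]
        program = first_program(value).lower()
        if key.lower().endswith("\\command"):
            # A clean exefile handler runs the clicked file itself: "%1" %*
            # A hijacked one runs another program and passes the real target
            # to it as an argument, which is why every .exe launch fails
            # once that program has been deleted.
            if program.startswith(USER_WRITABLE):
                findings.append(("handler-hijack", key, program))
        elif name.lower() in OVERRIDES and value == "1":
            findings.append(("security-center-override", key, name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```
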
|
On August 06 2011 00:27 h3r1n6 wrote: Try a rescue cd, most anti virus companies have them. I suggest the Kaspersky rescue disk.
Just try a rescue disk, way easier and more efficient.
|
My best advice is to re-install Windows. This type of Malware is designed to be profitable at the expense of the victim, and trust me when I say the creators are relentless. Whether that means tricking you to pay for their crap, or stealing credit card information. Due to that fact, and the nature of how operating systems function (you can never be 100% sure the given malware is completely removed if it has root-kit functionalities), I will personally always recommend a reinstall.
|
On August 06 2011 00:50 mucker wrote: Try using the exe association fix from here
This is your answer.
I had this exact same virus on my machine just a couple months ago. Ended up accidentally removing the association to exe files in an attempt to get rid of it. I did a google search and found the reg keys you can download to re-associate exe files.
You don't need to reinstall windows.
|
I've only ever gotten rid of this by reinstalling windows.
|
Try with full path, c:\windows\system32\regedit.exe?
|
After it's done you might want to think about buying a backup external drive. After years of clicking on stupid things I learned it's best to just reformat and start fresh with my media secured on an unconnected drive
Sorry.
|
Anyone who uses "pl0x" any where other than 4chan deserves to be hacked.
|
I would use the association fix now, and then run combofix (transfer from USB to desktop) to get rid of the virus.
What are rescue disks? I might make one soon. Also, this thread should be under tech support, you'd get less replies but better replies there.
|
On August 06 2011 07:54 obesechicken13 wrote: I would use the association fix now, and then run combofix (transfer from USB to desktop) to get rid of the virus.
What are rescue disks? I might make one soon. Also, this thread should be under tech support, you'd get less replies but better replies there.
A bootable cd image, that will scan and remove infections from your pc. So it's basically an anti virus that you can run without booting your os. Trying to disinfect a pc by booting it first and then trying to remove the infection is a losing battle.
|
I got rid of this for a friend recently. I just used SuperAntiSpyware's Mobile version, it's named differently so the virus doesn't block the EXE of it. gl. I would just follow the bleepingcomputers link others have posted, it's what I used as a reference also
|
Not to derail the thread (idk how to make my own thread) but, I have a similar problem where I can't open FB/Youtube sometimes. I think it's a virus and it's like sometimes I can access certain websites and sometimes I can't. (internet works for e.g. yahoo.com though) PM me if u can help!
|
Well fuck your KARA collection better not be in danger.
Good luck!
Also, perhaps you should make a separate thread in the Tech Support section? There are some really smart guys there too who don't read blogs.
|
On August 06 2011 08:36 iSometric wrote: Not to derail the thread (idk how to make my own thread) but, I have a similar problem where I can't open FB/Youtube sometimes. I think it's a virus and it's like sometimes I can access certain websites and sometimes I can't. (internet works for e.g. yahoo.com though) PM me if u can help!
Make a new thread. If you speak binary, post it in tech support.
Otherwise post it in blogs or say "use a code to english translator" before hitting post.
Derailing a thread only serves to lose focus on the original intention.
|
On August 06 2011 08:41 Kipsate wrote: Well fuck your KARA collection better not be in danger.
Good luck!
Also, perhaps you should make a separate thread in the Tech Support section? There are some really smart guys there too who don't read blogs.
Number 1 reason why I didn't just reinstall obv obv.
I haven't tried to fix my registry yet, I will try tomorrow morning and if I can't get it to work I'll consider posting in Tech Support (lol did not even know that section existed). Thanks!
And then I'm backing up the collection on external hard drive. This work of art must be preserved.
|
You didn't get hacked, you just got malware.
Try to get a better anti-virus/malware so it doesn't happen again.
There's almost never a need to re-install windows, or run msconfig, cuz if you don't know what you're doing you can EFF up big time.
Regedit is pretty confusing, but once you get down the file tree and layout as well as the data entry, you should be fine. Make sure you only change what you need to, cuz if you mess certain things up... gg. Just follow the guide on the site you got and it should be fine.
Regedit should help you take care of most of the virus triggers, but make sure you search your C drive for hidden folders or newly created files+folders. (Sort by date modified) Also use MalwareBytes to make sure everything is gone.
GL!
|
On August 06 2011 03:19 Dance. wrote: Anyone who uses "pl0x" any where other than 4chan deserves to be hacked.
Haha. I was gonna make a similar comment but you've already done it for me
|