
Nasty redirect virus and Rkill problem - egad!



#1 dochallenbeck

Posted 12 April 2010 - 01:46 PM

My computer is an electronic disaster. The problems became evident a couple days ago with the presence of ave.exe and its hilariously over the top warning messages - "bank fraud initiated" etc and the sort.

I ran spybot and adaware in safe mode - no luck.

I ran AVG free - no luck

I downloaded and ran Malwarebytes - voilà! - 10 problems removed - and I think it got ave.exe since its fake security icon disappeared from my taskbar and the fake security warning popups have stopped...but something is still hidden in my CPU and causing major issues.

I am now getting forcefully redirected to spam sites non-stop - in Firefox the problem is so bad that I cannot even use the browser as literally every single link I click or (url) I enter will direct me to some ad soaked spam site

Plus - I am being blocked from going to windows update - uh oh

So this morning I downloaded Rkill - and intended to run it (and then run Malwarebytes again). My understanding was that anything (done) by Rkill could be (undone) with a restart

After I ran Rkill the only process the log file said it terminated (other than Rkill itself) was C:\program files\internet explorer\iexplore.exe

However, immediately after Rkill finished, the thumbnails for the majority of the icons on my desktop changed to this little square default image that kind of looks like a mini screenshot - and suddenly none of the programs/files associated with those icons will work at all - Malwarebytes is included among the programs with this (thumbnail change issue), along with Firefox - clicking on any of these altered icons now generates the following message:

"this file does not have a program associated with it for performing this action - create an association in the folder options control panel"

Making matters worse, restarting my computer, or even turning it off altogether (and then back on) has not changed this.

So now not only do I still have a rogue virus lurking, but some sort of Rkill related issue has made the majority of my cpu totally unusable (thank god explorer is still working) and I am able to post this plea for help.

I run Windows XP - Many thanks for any advice

Edited by dochallenbeck, 12 April 2010 - 01:52 PM.




#2 sduvick

Posted 12 April 2010 - 02:06 PM

My guess would be that it's not another virus, but that it's a simple registry change that is redirecting all of your web traffic through a proxy (local or remote) and that is where the spam is coming from. It's either a proxy setting in the browser, which is unlikely because it is consistent across all browsers, or a system-wide redirect through the registry.

As for the inability to run files, it would appear that your file associations are skewed.

Removed rest of post to comply with AII posting guidelines. ~ OB

Edited by Orange Blossom, 13 April 2010 - 04:22 PM.
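
Both registry-level causes suggested in the post above (a proxy redirect and skewed file associations) can be checked offline from a registry export. The following is an added example, not part of the original thread: the sample export, class name, handler path and function names are constructed for illustration, and the key paths are the standard Windows locations for the .exe class and the Internet Settings proxy values.

```python
import re

# Constructed sample of .reg export text; the class name, handler path and proxy value are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"C:\\constructed\\handler.exe\" /START \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
'''

INET = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\internet settings"

def parse_reg(text):
    """Parse .reg text into {key path (lowercase): {value name (lowercase): data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \" and \\ escapes
            current[name.strip('"').lower()] = data
    return keys

def audit(keys):
    """Return findings for a non-default .exe handler or an enabled proxy."""
    findings = []
    cls = keys.get("hkey_classes_root\\.exe", {}).get("@", "exefile").lower()
    if cls != "exefile":
        findings.append(f".exe maps to class {cls!r}, default is 'exefile'")
    for c in dict.fromkeys(["exefile", cls]):  # check the default class and the mapped one
        cmd = keys.get(f"hkey_classes_root\\{c}\\shell\\open\\command", {}).get("@")
        if cmd is not None and cmd != '"%1" %*':
            findings.append(f"{c} open command is {cmd}")
    inet = keys.get(INET, {})
    if int(inet.get("proxyenable", "dword:0").split(":")[-1], 16) != 0:
        findings.append(f"proxy enabled: {inet.get('proxyserver', '(no server)')}")
    return findings
```

Files saved by regedit in the Version 5.00 format are UTF-16 encoded, so decode a real export before passing its text to `parse_reg`.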


#3 dochallenbeck

  • Topic Starter

Posted 12 April 2010 - 02:53 PM

Thanks for the advice - I guess my biggest crisis facing me is suddenly not the virus but the file extension errors from running Rkill - I just tried these instructions found via google - (They did not work)

For Windows NT/2000/XP

Edit the File Association:
1. Double-click My Computer on the desktop.
2. On the Tools menu, click Folder Options (or Options).
3. Click the File Types tab.
4. Click URL:HyperText Transfer Protocol in the Registered File Types box.
5. Click Advanced.
6. In the Actions box, click Open.
7. Click Edit.
8. Click Browse.
9. Navigate to the \Program Files\Internet Explorer folder.
10. Click the Iexplore.exe file.
11. Click Open.
12. Click OK.
13. Click OK again.
14. Click Close.

As far as your virus advice goes (and your notepad instructions) - this may seem like a stupid question...but is "Windows Registry Editor Version 5.00" part of the text that should be copied to notepad?

And many thanks for anybody who can help me get my file associations working again - this is suddenly a WAY larger problem than virus spam site redirects

#4 Eyesee

  • BC Advisor

Posted 12 April 2010 - 05:30 PM

Try the exe file association fix from here
In the beginning there was the command line.

#5 Orange Blossom

  • Moderator

Posted 13 April 2010 - 04:25 PM

"I guess my biggest crisis facing me is suddenly not the virus but the file extension errors from running Rkill"

Rkill does not cause file extension errors - that is an effect of the infection you have.

Please try Eyesee's suggestion and let us know if that resolves those errors.

Orange Blossom :thumbsup: