Member Avatar for barriereg

New malware pretends to be an antivirus program , infiltrates your system. Started in Oct 2010.
Does not let you launch anything... Had to go to safemode...

Deleted tick off all weird strings from MSconfig startup (i.e. IJHHLUVDLTA)
deleted all "antivirus actions" values from regedit...including weird strings in Startupreg folder area.

All seem ok now except when we type in www.hotmail.com urlfrom IE8 we get re-directed to ..You guessed it Antivirus Action setup page.Tried from Firefox... all ok
IE8 appears to be corrupted. I attempted IE8 re-install...no cahnge...Can uninstall IE8 in XP ...

Went back to IE8 and got into Hotmail via Live mail URL.

I would like to know how to cleanup the poisonned Hotmail URL within IE8

Any ideas

tx
Gilles

  • 3 Contributors
  • 2 Replies
  • 102 Views
  • 19 Hours Discussion Span
  • Latest Post Latest Post by jholland1964

Recommended Answers

All 2 Replies

Member Avatar for AtomicPages

Did you check your proxy settings for IE? Tools > Internet Options > Connections > Lan Settings.

The only box that should be checked is Automatically detect settings unless you have a proxy setup for some reason.

Make sure you got all of these registry entries:

HKEY_CURRENT_USER\Software\[SET OF RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:33921"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]yhsn.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]yhsn.exe"

Focus on the entries that deal with IE, you may have missed them.

Member Avatar for jholland1964

You may have deleted "some" of the infection but you need to follow all the steps given in our Read Me sticky, especially running MBA-M. Follow the instructions exactly. Post the logs back here when all have been completely and we can decide what needs to be done next.
http://www.daniweb.com/forums/thread134865.html
Judy

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.