
Thread: Virus in registry, pls help

  1. #1
    meetdilip
    Guest

    Default Virus in registry, pls help

    hi,

    mycomputer>hkey_current_user\software\microsoft\windows\currentversion\internet setting\zonemap\domains\koolynoody.net

    It also exists in hkey_local_machine, hkey_users. Total 2 entries in current user, 2 in local machine and 6 in current user.

    It does something with the browser. When I clicked Internet Explorer to run Yahoo antispy, my download manager (Internet Download Accelerator) went active, i.e. it was about to download something.

    I ran Yahoo antispy previously and removed this downloader "koolynoody". But when I restarted the system, I couldn't type yahoo in Firefox or Google Chrome. Then I clicked the C drive, but instead of opening, it showed properties. So was the case with desktop and other drives, and we couldn't type anything. I used the address bar and accessed drives, checked for autorun files (after turning on hidden files). Couldn't find any. I scanned the registry for koolynoody and found one entry, then I used Tune Up Utilities and found 10 entries. Couldn't delete some of them.

    Under mycomputer>hkey_current_user\software\microsoft\windows\currentversion\internet setting\ I found a lot of untrustworthy websites, having words porn, sex, download etc. Too many of them.

    So is the case with current users>default, user>S-1-5.... and local machine.

    pls help me if you know something about this.

  2. #2
    kirankumargb
    Guest

    Default

    Reboot your system in safe mode and then run the utility and scan the registry.
    Another thing you can do, but it's RISKY, so back up your registry and do it...
    In safe mode go to the registry, find the key and manually delete the whole key itself, not just the entry (if the entry is in its own key), else just delete the key.
    If your HDD partitions are FAT32, reboot with a Win98 start-up disk, go to the command prompt and search your partition for the Autorun.inf file. It compulsorily should be there if your drive, when you try to open it, opens anything else. The best way to check is to right-click on the drive and see what the first entry is: if it's OPEN then no problem, if it's Autorun then there surely is a problem.
    Use the start-up disk and delete all the related autorun.inf files manually (in Windows they will not get deleted). To check the autorun.inf file, just edit it and see what files it is running......!


    It's a browser hijacker. You can follow these steps if you're using Mozilla Firefox:
    Open Firefox
    Select TOOLS
    Select OPTIONS
    in the MAIN tab
    TICK "Always check to see if Firefox is the default browser at startup"
    OK
    Close Firefox
    Re-Open Firefox

    Answer YES to keep as default

    (Note it can be confusing if you are going to switch browsers a lot)

    --

    Kooly Noody
    You may need to reset IE settings:
    How to use Reset Internet Explorer Settings (RIES)

    To use RIES in Internet Explorer 7, follow these steps:

    1. Click the Tools menu, and then click Internet Options.
    2. On the Advanced tab, click Reset.
    3. In the Reset Internet Explorer Settings dialog box, click Reset.
    4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
    5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

    Or you can remove it by downloading Spybot Search and Destroy from www.download.com/Spybot-Search-Dest... and SuperAntiSpyware from www.superantispyware.com/superantis... Scan in safe mode (press the F8 key), then remove the infection.
    Last edited by kirankumargb; 03-10-09 at 11:40 AM. Reason: addition

  3. #3
    meetdilip
    Guest

    Default i am manually deleting the entries

    Thanks. I am already doing it manually. But the problem is that the internet setting (mycomputer>hkey_current_user\software\microsoft\windows\currentversion\internet setting) is showing a lot of scrap websites. About 50 I think. Not sure which one is good.

    I have Spybot. It should have told me when there was a modification in a registry entry. Please tell me how to make a registry backup and registry scan.
    I did immunize IE and Firefox.

    Please tell me how to create a registry backup. Actually Spybot has one. I don't know how to activate the stored backup.


    See, never set Firefox as default, because these spyware plugins will be installed in the default browser. I use IE 6 as default. I never use it. I used it to run antispy from Yahoo toolbar.

    I use Windows Firewall. It is already blocking some features of Firefox and Internet Download Accelerator. These hijackers work with all of these. That's why I downloaded Safari and Google Chrome.

  4. #4
    Guardian Angel just4kix's Avatar
    Join Date
    Dec 2007
    Liked
    4 times
    Posts
    10,904

    Default

    You can try "System Restore". Choose a day much before the day the problem happened.

  5. #5
    kirankumargb
    Guest

    Default

    creating the registry back up is very easy

    Open Registry Editor.
    On the File menu, click Export.
    In File name, enter a name for the registry file.
    Under Export range, do one of the following:
    To back up the entire registry, click All.
    To back up only a particular branch of the registry tree, click Selected branch and enter the name of the branch you want to export.
    Click Save.

    After backing up, delete whatever you find suspicious, then reboot and check. If Windows did not load properly then you back up the registry and try again...
    Delete keys in safe mode for better authority.
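
Added example, not part of any poster's reply and not taken from any tool named in the thread: a Python sketch that reads the text of a Registry Editor export (the backup steps above) and sorts ZoneMap\Domains and EscDomains entries by the zone number they assign, since zones 0 to 2 give a site more trust than the Internet zone and zone 4 restricts it. The function names and the sample export are constructed for illustration; the zone numbering is Internet Explorer's standard 0 to 4 scheme.

```python
import re

# Zone numbers used by Internet Explorer's ZoneMap values.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

KEY_RE = re.compile(r"^\[([^\\\]]+)\\.*\\ZoneMap\\(?:Esc)?Domains\\([^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

def parse_zonemap(reg_text):
    """Return (hive, domain, protocol, zone) tuples from .reg export text."""
    entries, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            # Subkeys hold subdomains: Domains\example.org\www -> www.example.org
            current = (m.group(1), ".".join(reversed(m.group(2).split("\\")))) if m else None
        elif current:
            v = VAL_RE.match(line)
            if v:
                entries.append((*current, v.group(1), int(v.group(2), 16)))
    return entries

def triage(entries):
    """Split entries into those that raise trust (zones 0-2) and the rest."""
    elevated = sorted({(h, d, ZONES[z]) for h, d, _, z in entries if z in (0, 1, 2)})
    restricted = sorted({d for _, d, _, z in entries if z == 4})
    other = sorted({d for _, d, _, z in entries if z not in (0, 1, 2, 4)})
    return {"elevated": elevated, "restricted": restricted, "other": other}

# Constructed sample export (reserved example domains, not taken from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\downloader.example.net]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads.example.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org\www]
"http"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\example\\updater.exe"
'''

if __name__ == "__main__":
    for bucket, items in triage(parse_zonemap(SAMPLE)).items():
        print(bucket, items)
```

Registry Editor saves "Version 5.00" exports as UTF-16, so a real file should be read with `open(path, encoding="utf-16")` before its text is passed to `parse_zonemap`.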

  6. #6
    meetdilip
    Guest

    Default can system restore replace registry settings

    I am not sure when this happened. Actually I took broadband in Nov. I used to get huge bills. I fixed a few problems before. I was using IE then. Was a mistake. I will try registry backup. Still, if it already has those infected entries....

  7. #7
    meetdilip
    Guest

    Default a screenshot

    Maybe this will give a clear picture.
    Attached Images

  8. #8
    meetdilip
    Guest

    Default screenshot

    Also
    Attached Images

  9. #9
    kirankumargb
    Guest

    Default

    Which OS are you using?
    The best is to format your OS and get a new OS installed and then protect your system from getting infected....!

    In my system, in EscDomains, microsoft.com is the only site listed.... so I guess the rest are all useless.
    Last edited by kirankumargb; 03-10-09 at 12:55 PM. Reason: Automerged Doublepost

  10. #10
    meetdilip
    Guest

    Default Xp

    i am using windows XP SP2. i will try reinstalling.

  11. #11
    kirankumargb
    Guest

    Default

    Quote (originally posted by meetdilip):
    i am using windows XP SP2. i will try reinstalling.

    DON'T just re-install, format that drive and reinstall it...

  12. #12
    meetdilip
    Guest

    Default

    it works

  13. #13
    Bronze Member
    Join Date
    Dec 2008
    Age
    20
    Liked
    0 times
    Posts
    169

    Default

    Best option: Format & reinstall XP
    2nd option: Visit Trend Micro HouseCall - Free Online Virus and Spyware Scan - Trend Micro USA for free online scan & remove.
    3rd option: Download & install any security suite or some specific virus/malware remover (if you know the name of the virus)

  14. #14
    meetdilip
    Guest

    Default Kooly noody is back again

    Hi ,

    My system was hanging at times. So I used CA Yahoo Antispy. It detected Kooly Noody. I chose remove options. Traces are still there. As instructed by Kiran in one of the earlier posts, I tried to reset internet settings. But it says the settings do not allow. Is there any alternate way of doing that? I have Avira + Adaware + CCleaner + Spybot. All those scans failed to give a result. Can you help me with this?

    1. A specific Kooly Noody removal tool.

    2. Reset internet settings. I use IE6.

    I tried to find a solution, but in vain. Please help.
    Last edited by meetdilip; 04-22-09 at 04:21 PM.

  15. #15
    kirankumargb
    Guest

    Default

    Here is the link to manually remove the code. Try it and update if it worked...!

    http://www.ehow.com/how_4896274_remo...y-spyware.html

  16. #16
    meetdilip
    Guest

    Default

    Thanks Kiran. I did it. But under internet settings, there are a lot of domains. I removed those under current user. But it seems it is also under local machine, users etc. Can I use IE 8 to reset the IE settings? Because IE 6 does not support it. I use a non genuine version of Windows XP. So if IE 8 has some detection or something. Please let me know what you think.

  17. #17
    Guardian Angel just4kix's Avatar
    Join Date
    Dec 2007
    Liked
    4 times
    Posts
    10,904

    Default

    On the whole, it seems to be best if you reformat the HDD and reinstall the OS. Or have you done it already?

  18. #18
    meetdilip
    Guest

    Default

    I used Control Panel to reset the internet settings. I was unable to do it. Please check the screenshots. My installation has only one user and I am logged in as administrator.

    Attached Images
    • File Type: png 1.png (10.8 KB, 14 views)
    • File Type: png 2.png (41.9 KB, 14 views)

  19. #19
    meetdilip
    Guest

    Default

    Quote (originally posted by just4kix):
    On the whole, it seems to be best if you reformat the HDD and reinstall the OS. Or have you done it already?

    Thanks Just4kix. I just tried formatting C till date. I wanted to avoid full format for a few more days, till I get a new hard disk. I have some useful data in the present one, which is too costly (for me) to erase. It leaves me no option but to fight this somehow.


    If someone can suggest any specific tools for Kooly Noody, it will be great help.
    Last edited by meetdilip; 04-22-09 at 10:53 PM.

  20. #20
    The One
    Guest

    Default

    @meetdilip

    Did you check this e-how article?

    How to Remove the KoolyNoody Spyware

  21. #21
    Guardian Angel just4kix's Avatar
    Join Date
    Dec 2007
    Liked
    4 times
    Posts
    10,904

    Default

    You can save your data somewhere. Plain data files, media files, etc. are not affected. But abandon all hope on EXE, DLL, etc. Your PC has been completely hijacked; probably you may have tried to install a keygen. Be that as it may, salvage whatever data you can, ignore all installables, and reinstall everything. Remember that your USB drives must have also been affected. This applies to installables burned on the CD/DVD also.

    Do the following:

    1. Reformat and reinstall OS. Do not connect to internet at all till said so.
    2. If you have a clean copy of AV then install it next.
    3. Now connect to internet and download the latest AV updates+upgrades. Disconnect from internet.
    4. Scan your USB drives for any virus/trojan/worm/etc.
    5. Install genuine/licensed software only.
    6. Buy a licensed copy of Net Nanny (only $25) that will prevent visits to porno+virus filled sites.
    I faced this problem when I was using pirated copy of Windows and freeware. That was 3 years ago. I have sworn off pirated stuff since then. People spend 40~50K on hardware. They pay Rs. 600 to Rs. 1000 pm for internet access. Some play online games and spend even more. But people are unwilling to spend less than 10K on genuine software and say that they cannot afford it.
    Last edited by just4kix; 04-23-09 at 11:22 AM. Reason: Somehow CR+LF got removed

  22. #22
    meetdilip
    Guest

    Default

    Quote (originally posted by dhaneshv):
    @meetdilip

    Did you check this e-how article?

    How to Remove the KoolyNoody Spyware

    Yes. I did remove the reg keys. But there is a problem as you can see in the screenshots. I cannot reset my internet settings.

    @just4kix

    I totally agree with your views.

  23. #23
    The One
    Guest

    Default

    Yes. I also agree with what just4kix has said.

    Quote (originally posted by just4kix):
    Buy a licensed copy of Net Nanny (only $25) that will prevent visits to porno+virus filled sites.

    But, there is no need of this, because the free McAfee Site Advisor or WOT plug-in for web browsers can solve that kind of problems and they are the best out there in the Internet for Parental Control (which is widely called so). Therefore, I don't see any need of buying one.

  24. #24
    meetdilip
    Guest

    Default Latest

    Just take a look at what the virus has done to my system. The system status was OK when I installed TuneUp Utilities 2009 last night. Now it is like this. I cannot change the settings even in TuneUp Utilities. Just wanted to share, so that others can have some use of it at a later period.

    Attached Images
    • File Type: png 1.png (29.2 KB, 11 views)
    • File Type: png 2.png (30.9 KB, 12 views)
    • File Type: png 3.png (27.4 KB, 11 views)
    • File Type: png 4.png (29.0 KB, 11 views)

  25. #25
    meetdilip
    Guest

    Default

    TuneUp Utilities proved to be a better one than I imagined. I deleted every registry entry manually. Disconnected the internet. Went for a restart. Took TuneUp Utilities. Changed all these hostile settings. Now it seems everything is OK. It did reset the administrative right I lost for Internet Explorer.

    Thanks Tuneup Utilities.
