This is a discussion on Virus in registry, pls help within the Computer Security forums, part of the Computer technology category.
| | #1 |
| Guest
Posts: n/a
| hi, mycomputer>hkey_current_user\software\microsoft\windows\currentversion\internet setting\zonemap\domains\koolynoody.net it also exists in hkey_local_machine, hkey_users total 2 entries in current user, 2 in local machine and 6 in current user. It does something with the browser. when i clicked internet explorer to run yahoo antispy, my download manager (internet download accelerator) went active, i.e. it was about to download something. i ran yahoo antispy previously and removed this downloader "koolynoody". but when i restarted the system, i couldn't type yahoo in firefox or google chrome, then i clicked the C drive, but instead of opening, it showed properties. so was the case with desktop and other drive, and we couldn't type anything. i used address bar and accessed drives, checked for autorun files (after turning on hidden files). couldn't find any. i scanned registry for koolynoody and found one entry, then i used tune up utilities and found 10 entries. couldn't delete some of them. Under mycomputer>hkey_current_user\software\microsoft\windows\currentversion\internet setting\ I found a lot of untrustworthy websites, having words prone, sex, download etc. too many of them. so is the case with current users>default, user>S-1-5.... and local machine. pls help me if you know something about this. |
| |
| | #2 |
| Guest
Posts: n/a
| reboot your system in safe mode and then run the utility and scan for registry .. another thing you can do but its RISKY so back up your registry and do it... In safe mode go to registry and find the key and manually delete the whole key itself not just the entry ( if the entry is in its own key) else just delete the key.. if your HDD partitions are in Fat32 reboot it with win98 start-up disk and go to command prompt and search your partition for the Autorun.inf file it compulsorily should be there if your drive when you try to open, opens anything else best way to check it is right click on drive and see what the first entry is if its OPEN then no problem, if its Autorun then there surely is a problem. use the start-up disk and delete all the related autorun.inf files manually (in windows they will not get deleted) to check the autorun.inf file just edit it and see what are the files it is running......! its browser hijacker you can follow these steps> if you're using mozilla firefox then > Open Firefox Select TOOLS Select OPTIONS in the MAIN tab TICK "Always check to see if Firefox is the default browser at startup" OK Close Firefox Re-Open Firefox Answer YES to keep as default (Note it can be confusing if you are going to switch browsers a lot) -- Kooly Noody You may need to reset IE settings: How to use Reset Internet Explorer Settings (RIES) To use RIES in Internet Explorer 7, follow these steps: 1. Click the Tools menu, and then click Internet Options. 2. On the Advanced tab, click Reset. 3. In the Reset Internet Explorer Settings dialog box, click Reset. 4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times. 5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7. or u can remove it by downloading spybot search and destroy from> www.download.com/Spybot-Search-Dest... and superantispyware from> www.superantispyware.com/superantis...
scan it in safe mode by pressing F8 key then remove the infection Last edited by kirankumargb; 03-10-09 at 11:40 AM. Reason: addition |
| |
| | #3 |
| Guest
Posts: n/a
| thanks. i am already doing it manually. but the problem is that the internet setting (mycomputer>hkey_current_user\software\microsoft\windows\currentversion\internet setting) is showing a lot of scrap websites. about 50 i think. not sure which one is good. i have spybot. it should have told me when there was a modification in registry entry. please tell me how to make a registry back and registry scan. i did immunize ie and firefox. please tell me how to create a registry back up. Actually spybot has one. i don't know how to activate the stored backup. see, never set firefox as default, because these spyware plugins will be installed in default browser. i use ie 6 as default. i never use it. i used it to run antispy from yahoo toolbar. i use windows firewall. it is already blocking some features of firefox and internet download accelerator. these hijackers work with all of these. that's why i downloaded safari and google chrome. |
| |
| | #5 |
| Guest
Posts: n/a
| creating the registry back up is very easy Open Registry Editor. On the File menu, click Export. In File name, enter a name for the registry file. Under Export range, do one of the following: To back up the entire registry, click All. To back up only a particular branch of the registry tree, click Selected branch and enter the name of the branch you want to export. Click Save. after backing up delete whatever you find suspicious then reboot and check if windows did not load properly then you back up the registry and try again... delete keys in safe mode for better authority |
| |
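The branch export described in the post above, followed by a listing of what each entry in that branch actually does, as an added example that is not part of any post in this thread. It assumes PowerShell is installed (it is not part of a default Windows XP install) and writes to a `zonemap-backup` folder name chosen here; the key is spelled `Internet Settings\ZoneMap\Domains` in the registry. Each value under a domain key is named for a protocol and holds a zone number, so a domain mapped to 4 sits in Restricted sites while one mapped to 2 sits in Trusted sites.

```powershell
# Added example: back up, then list, the ZoneMap\Domains branch discussed in this thread.
# It only reads the registry; the .reg files are the only thing it writes.
$branch = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zones  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
             3 = 'Internet';    4 = 'Restricted sites' }
$outDir = Join-Path $env:USERPROFILE 'zonemap-backup'   # assumed backup folder
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Get-ZoneMapEntry {
    param([string]$Hive)                      # 'HKCU' or 'HKLM'
    $root = "${Hive}:\$branch"
    if (-not (Test-Path $root)) { return }
    # Domains\<domain> and Domains\<domain>\<subdomain> keys both hold per-protocol values.
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $zone = $key.GetValue($name) -as [int]
            $zoneName = 'unknown'
            if ($zone -ne $null -and $zones.ContainsKey($zone)) { $zoneName = $zones[$zone] }
            New-Object PSObject -Property @{
                Hive     = $Hive
                Domain   = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
                Protocol = $name              # '*', 'http', 'https', ...
                Zone     = $zone
                ZoneName = $zoneName
            }
        }
    }
}

$entries = foreach ($hive in 'HKCU', 'HKLM') {
    if (Test-Path "${hive}:\$branch") {
        # Same result as File > Export > Selected branch in Registry Editor.
        & reg.exe export "$hive\$branch" (Join-Path $outDir "$hive-ZoneMap-$stamp.reg") | Out-Null
    }
    Get-ZoneMapEntry -Hive $hive
}

# Count per zone first, then list every entry that is not in the Restricted sites zone.
$entries | Group-Object Hive, ZoneName | Select-Object Count, Name | Format-Table -AutoSize
$entries | Where-Object { $_.Zone -ne 4 } | Sort-Object Hive, Domain |
    Select-Object Hive, Domain, Protocol, Zone, ZoneName | Format-Table -AutoSize
```

Importing one of the saved `.reg` files restores the branch as it was at export time, including any entries that were already there.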
| | #6 |
| Guest
Posts: n/a
| i am not sure when this happened. actually i took broadband in nov. i used to get huge bills. i fixed a few problems before. i was using ie then. was a mistake. i will try registry back up. still if it already have those infected entries.... |
| |
| | #7 |
| Guest
Posts: n/a
| may be this will give clear picture |
| |
| | #8 |
| Guest
Posts: n/a
| also |
| |
| | #9 |
| Guest
Posts: n/a
| which OS are you using ? the best is format your os and get a new os installed and then protect your system from getting infected....! in my system in EscDomains microsoft.com is the only site listed.... so i guess rest all are useless Last edited by kirankumargb; 03-10-09 at 12:55 PM. Reason: Automerged Doublepost |
| |
| | #10 |
| Guest
Posts: n/a
| i am using windows XP SP2. i will try reinstalling. |
| |
| | #12 |
| Guest
Posts: n/a
| it works |
| |
| | #13 |
| Bronze Member Join Date: Dec 2008 Age: 17
Posts: 170
Rep Power: 1 | Best option : Format & reinstall XP 2nd option : Visit Trend Micro HouseCall - Free Online Virus and Spyware Scan - Trend Micro USA for free online scan & remove. 3rd option : Download & install any security suite or some specific virus/malware remover ( if u know the name of the virus) |
| | |
| | #14 |
| Guest
Posts: n/a
| Hi , My system was hanging at times. So I used CA Yahoo Antispy. It detected Kooly Noody. I chose remove options. Traces are still there. As instructed by Kiran in one of the earlier posts, I tried to reset internet setting. But it says the settings do not allow. Is there any alternate way for doing that? I have Avira + Adaware+ CCleaner + Spybot. All those scans failed to give a result. Can you help me with this. 1. A specific Kooly Noody removal tool. 2. Reset internet settings. I use IE6. I tried to find a solution, but in vain. Please help. Last edited by meetdilip; 04-22-09 at 04:21 PM. |
| |
| | #15 |
| Guest
Posts: n/a
| here is the link to manually remove the code try and update if worked...! http://www.ehow.com/how_4896274_remo...y-spyware.html |
| |
| | #16 |
| Guest
Posts: n/a
| Thanks Kiran. I did it. But under internet settings, there are a lot of domains. I removed those under current user. But it seems it is also under local machine, users etc. Can I use IE 8 to reset the IE settings. Because IE 6 does not support it. I use a non genuine version of Windows XP. So if IE 8 has some detection or something. Please let me know what you think. |
| |
| | #18 |
| Guest
Posts: n/a
| I used Control panel to reset the internet settings. I was unable to do it. Please check the screen shots. My installation has only one user and am logged in as administrator. |
| |
| | #19 | |
| Guest
Posts: n/a
| If someone can suggest any specific tools for Kooly Noody, it will be great help. Last edited by meetdilip; 04-22-09 at 10:53 PM. | |
| |