Ping.exe shows up in the list of processes after a braviax family infection
Ie. Win7 antivirus 2012, vista antispyware 2012 etc… To remove the FAKEAV use the following codes to manually activate:
3425-814615-3990: Win7 antispyware 2012, XP security 2012, vista ||||
Y76REW-T65FD5-U7VBF5A: Privacy Protector…
LIC2-00A6-234C-B6A9-38F8-F6E2-0838-F084-E235-6051-18B3: Security monitor 2012…
remove manually and run the following as a reg file to fix shell corruption.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
"HasLUAShield"=""
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runasuser]
@="@shell32.dll,-50944"
"Extended"=""
"SuppressionPolicyEx"="{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"
[HKEY_CLASSES_ROOT\exefile\shell\runasuser\command]
"DelegateExecute"="{ea72d00e-4960-42fa-ba92-7792a7944c1d}"
[HKEY_CLASSES_ROOT\exefile\shellex]
[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers]
@="Compatibility"
[HKEY_CLASSES_ROOT\exefile\shellex\ContextMenuHandlers\Compatibility]
@="{1d27f844-3a1f-4410-85ac-14651078412d}"
[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="C:\Program Files\Mozilla Firefox\firefox.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command]
@="C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="C:\Program Files\Internet Explorer\iexplore.exe"
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\pezfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]
After removal Open windows\system32 locate ping.exe change ownership to everyone. Right click ping.exeàPropertiesàsecurityàadvancedàowner and edit ownership to make the current user the owner. Close the properties windows and reopen them again….
Edit security as shown below to grant full permissions to current user from trustedinstaller. Then delete ping.exe.
This sort of infection can download anything from a hacktool to a rootkit. Use broad spectrum scanners to get rid of any other threats. This one has proved particularly useful..
http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe
tks post !
ReplyDelete