Jump to content

Featured Replies

Posted

[Crossposted to Security Virus newsgroup, as OP has repost there]

 

There's a very strong possibility that you have a Vundo infection, which is

usually accompanied by ZLOB and/or SDBot infections, all of which are

protected by a rootkit.

 

Run a thorough check for hijackware, including posting your hijackthis log

to an appropriate forum.

 

Checking for/Help with Hijackware

http://aumha.org/a/parasite.htm

http://aumha.org/a/quickfix.htm

http://aumha.net/viewtopic.php?t=5878

http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction

http://mvps.org/winhelp2002/unwanted.htm

http://inetexplorer.mvps.org/data/prevention.htm

http://inetexplorer.mvps.org/tshoot.html

http://www.mvps.org/sramesh2k/Malware_Defence.htm

http://defendingyourmachine2.blogspot.com/

http://www.elephantboycomputers.com/page2.html#Removing_Malware

 

When all else fails, HijackThis v2.0.2

(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in

conjuction with some other utilities). HijackThis will NOT fix anything on

its own, but it will help you to both identify and remove any

hijackware/spyware with assistance from an expert. **Post your log to

http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,

http://forums.spybot.info/forumdisplay.php?f=22,

http://aumha.net/viewforum.php?f=30, or another appropriate forum for review

by an expert in such matters, not here.**

 

If the procedures look too complex - and there is no shame in admitting this

isn't your cup of tea - take the machine to a local, reputable and

independent (i.e., not BigBoxStoreUSA) computer repair shop.

 

==========================================

 

Start a free Windows Update support incident request:

https://support.microsoft.com/oas/default.aspx?gprid=6527

 

Support for Windows Update:

http://support.microsoft.com/gp/wusupport

 

For home users, no-charge support is available by calling 1-866-PCSAFETY in

the United States and in Canada or by contacting your local Microsoft

subsidiary. There is no-charge for support calls that are associated with

security updates.

--

~Robear Dyer (PA Bear)

MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

AumHa VSOP & Admin http://aumha.net

DTS-L http://dts-l.net/

 

 

Jim Bunton wrote:

> Tried:

> Run services.msc

> Check Background Intelligent Transfer Service running - OK

> Check Event Log running - ok

> Check Automatic Updates NOT running

>

> Automatic Updates is disabled and it's start button is greyed out

> Setting the combo to Automatic (or manual) it reverts to disabled

>

> -----------

> RECENT EVENTS

> IeExplorer Home page began to default to MyWebHunt

> When reset to normal home page on reboot reverted to MyWebHunt

> ---------------

> Googled mywebhunt

> --------

> found:

> http://www.threatexpert.com/report.aspx?uid=dd190d12-5574-4797-8d70-24b662a299ea

> The following Registry Value was modified:. [HKEY_CURRENT_USER\Software\

> Microsoft\Internet Explorer\Main]. Start Page = "http://www.mywebhunt.com"

> ...

>

> reports the folowing registry modifications

> a.. The following Registry Key was created:

> a.. HKEY_LOCAL_MACHINE\SOFTWARE\GodLib

> a.. The newly created Registry Values are:

> a.. [HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]

> a.. FR = "1"

> b.. BootDays = "23"

> b.. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

> a.. NotifyDownloadComplete = "yes"

> c.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

> a.. [filename of the sample #1 without extension] =

> "%Windir%\[filename of the sample #1]"

>

> so that [filename of the sample #1] runs every time Windows starts

>

> a.. The following Registry Value was modified:

> a.. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

> a.. Start Page = http://www.mywebhunt.com

> ---------

> I HAVE DELETED

> HKEY_LOCAL_MACHINE\SOFTWARE\GodLib

> HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]

> a.. FR = "1"

> b.. BootDays = "23"

> in the entry

> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

> a.. [filename of the sample #1 without extension] = "%Windir%\[filename

> of

> the sample #1]"

> I found a program named molocha.exe

> AND a copy of it

> in C:\Windows & Documents and Settings .. . \Temp

> CREATED DATE today !!

>

> Deleted the registry entry

> "[filename of the sample #1 without extension] =

> "%Windir%\[filename of the sample #1]" " for this file

>

> AND, after reboot, renamed the C:\windows instance to Xmolocha.exe

> AND deleted it from Documents and Settings\ . . \Temp

>

> ----------

> This has stopped the hijack of the web browser to MyWebHunt

> BUT Internet explorer is occassionally opening new instances with

> seemingly

> random websites.

> --- HELP! ---

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...