Guest Jim Bunton
Posted October 10, 2008

Windows media centre service pack 3
iexplorer v 7

Windows update will not run
Run services.msc
Check Background Intelligent Transfer Service running - OK
Check Event Log running - ok
Check Automatic Updates NOT running

Automatic Updates is disabled and its start button is greyed out
Setting the combo to Automatic (or manual) it reverts to disabled

-----------
RECENT EVENTS - seems like some sort of malware
IeExplorer Home page began to default to MyWebHunt
When reset to normal home page on reboot reverted to MyWebHunt
---------------
Googled mywebhunt
--------
found:
http://www.threatexpert.com/report.aspx?ui...70-24b662a299ea
The following Registry Value was modified:. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]. Start Page = "http://www.mywebhunt.com"
....

reports the following registry modifications
- The following Registry Key was created:
  - HKEY_LOCAL_MACHINE\SOFTWARE\GodLib
- The newly created Registry Values are:
  - [HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]
    - FR = "1"
    - BootDays = "23"
  - [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    - NotifyDownloadComplete = "yes"
  - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    - [filename of the sample #1 without extension] = "%Windir%\[filename of the sample #1]"

so that [filename of the sample #1] runs every time Windows starts

- The following Registry Value was modified:
  - [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    - Start Page = http://www.mywebhunt.com
---------
I HAVE DELETED
HKEY_LOCAL_MACHINE\SOFTWARE\GodLib
[HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]
- FR = "1"
- BootDays = "23"
in the entry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- [filename of the sample #1 without extension] = "%Windir%\[filename of the sample #1]"
I found a program named molocha.exe
AND a copy of it
in C:\Windows & Documents and Settings .. . \Temp
CREATED DATE today !!

Deleted the registry entry
"[filename of the sample #1 without extension] = "%Windir%\[filename of the sample #1]" " for this file

AND, after reboot, renamed the C:\windows instance to Xmolocha.exe
AND deleted it from Documents and Settings\ . . \Temp

----------
This has stopped the hijack of the web browser to MyWebHunt
BUT Internet explorer is occasionally opening new instances with seemingly random websites.
--- HELP! ---
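A read-only PowerShell check for the indicators listed in the post above, added here as an example and not written by anyone in the thread. The registry paths and value names are the ones quoted in the post; using `wuauserv` as the Automatic Updates service name, `$env:TEMP` for the elided Temp path, and a two-day "recent" window are assumptions.

```powershell
# Added triage example: reads registry and file metadata only, changes nothing.
$findings = @()

# 1. Key the quoted ThreatExpert report says the sample creates.
if (Test-Path 'HKLM:\SOFTWARE\GodLib') {
    $findings += 'HKLM\SOFTWARE\GodLib exists'
}

# 2. Internet Explorer start page pointing at the hijack site named in the post.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -match 'mywebhunt') {
    $findings += "IE Start Page is $startPage"
}

# 3. Per-user Run entries that launch an .exe sitting directly in %Windir%,
#    the persistence pattern described in the report.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $winDir = [regex]::Escape($env:windir)
    foreach ($p in $run.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($cmd -match "^`"?$winDir\\[^\\]+\.exe") {
            $findings += "Run entry '$($p.Name)' -> $cmd"
        }
    }
}

# 4. Automatic Updates service forced to Disabled (Start = 4).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
$svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
if ($svc -and $svc.Start -eq 4) {
    $findings += 'Automatic Updates (wuauserv) start type is Disabled'
}

# 5. Executables created recently in %Windir% and the user's Temp folder,
#    where the poster found molocha.exe with a creation date of "today".
$cutoff = (Get-Date).AddDays(-2)   # assumed window
foreach ($dir in @($env:windir, $env:TEMP)) {
    $recent = @(Get-ChildItem -Path $dir -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff })
    foreach ($f in $recent) {
        $findings += "Recent executable: $($f.FullName) (created $($f.CreationTime))"
    }
}

if ($findings.Count -eq 0) {
    'None of the indicators from the post were found.'
} else {
    $findings
}
```

A clean result only means these specific traces are absent; the poster's remaining symptom (random Internet Explorer windows) shows that removing them does not by itself prove the machine is clean.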
Guest Malke
Posted October 10, 2008

Jim Bunton wrote:
> Windows media centre service pack 3
> iexplorer v 7
>
> Windows update will not run
> Run services.msc
> Check Background Intelligent Transfer Service running - OK
> Check Event Log running - ok
> Check Automatic Updates NOT running
>
> Automatic Updates is disabled and its start button is greyed out
> Setting the combo to Automatic (or manual) it reverts to disabled
> RECENT EVENTS - seems like some sort of malware
> IeExplorer Home page began to default to MyWebHunt
> When reset to normal home page on reboot reverted to MyWebHunt

(snippage)

> I found a program named molocha.exe
> AND a copy of it
> in C:\Windows & Documents and Settings .. . \Temp
> CREATED DATE today !!
>
> Deleted the registry entry
> "[filename of the sample #1 without extension] =
> "%Windir%\[filename of the sample #1]" " for this file
>
> AND, after reboot, renamed the C:\windows instance to Xmolocha.exe
> AND deleted it from Documents and Settings\ . . \Temp
> This has stopped the hijack of the web browser to MyWebHunt
> BUT Internet explorer is occasionally opening new instances with
> seemingly random websites.

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2....emoving_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to do all scans in Safe Mode. Please see the special Notes regarding using Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://tinyurl.com/yoeru3 - download link and more instructions

You can also check to see if there are targeted removal steps for your malware here:

Bleeping Computer removal how-to's - http://www.bleepingcomputer.com/forums/forum55.html

or here:

Malwarebytes malware removal guides: http://tinyurl.com/5xrpft

When all else fails, get guided help. Choose one of the specialty forums listed at the first link. Register and read its posting FAQ. PLEASE DO NOT POST LOGS IN THE MS NEWSGROUPS.

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
Guest The Real Truth MVP
Posted October 10, 2008

Use my Remove-it software, it will remove that malware from your system. Choose yes for all options when prompted. Download it here http://pcbutts1.com/downloads/tools/tools.htm When done from the same site download Microsoft's Automatic Update Repair Tool to fix your auto update issue.

--
Ignore any posts made by the Stalker Leythos, he's still in love with me.
He started stalking me after I spurned his advances towards me.
He said he would stop Stalking me If I stopped mentioning his name.
As you can see that does not work. He is a sick obsessive STALKER.

"Jim Bunton" <wbbr26814@blueyonder.co.uk> wrote in message news:48eef3f2$0$13867$426a34cc@news.free.fr...
> Windows media centre service pack 3
> iexplorer v 7
>
> Windows update will not run
> Run services.msc
> Check Background Intelligent Transfer Service running - OK
> Check Event Log running - ok
> Check Automatic Updates NOT running
>
> Automatic Updates is disabled and its start button is greyed out
> Setting the combo to Automatic (or manual) it reverts to disabled
>
> -----------
> RECENT EVENTS - seems like some sort of malware
> IeExplorer Home page began to default to MyWebHunt
> When reset to normal home page on reboot reverted to MyWebHunt
> ---------------
> Googled mywebhunt
> --------
> found:
> http://www.threatexpert.com/report.aspx?ui...70-24b662a299ea
> The following Registry Value was modified:. [HKEY_CURRENT_USER\Software\
> Microsoft\Internet Explorer\Main]. Start Page = "http://www.mywebhunt.com"
> ...
>
> reports the following registry modifications
> - The following Registry Key was created:
>   - HKEY_LOCAL_MACHINE\SOFTWARE\GodLib
> - The newly created Registry Values are:
>   - [HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]
>     - FR = "1"
>     - BootDays = "23"
>   - [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
>     - NotifyDownloadComplete = "yes"
>   - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
>     - [filename of the sample #1 without extension] =
>       "%Windir%\[filename of the sample #1]"
>
> so that [filename of the sample #1] runs every time Windows starts
>
> - The following Registry Value was modified:
>   - [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
>     - Start Page = http://www.mywebhunt.com
> ---------
> I HAVE DELETED
> HKEY_LOCAL_MACHINE\SOFTWARE\GodLib
> [HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]
> - FR = "1"
> - BootDays = "23"
> in the entry
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
> - [filename of the sample #1 without extension] = "%Windir%\[filename
> of
> the sample #1]"
> I found a program named molocha.exe
> AND a copy of it
> in C:\Windows & Documents and Settings .. . \Temp
> CREATED DATE today !!
>
> Deleted the registry entry
> "[filename of the sample #1 without extension] =
> "%Windir%\[filename of the sample #1]" " for this file
>
> AND, after reboot, renamed the C:\windows instance to Xmolocha.exe
> AND deleted it from Documents and Settings\ . . \Temp
>
> ----------
> This has stopped the hijack of the web browser to MyWebHunt
> BUT Internet explorer is occasionally opening new instances with
> seemingly
> random websites.
> --- HELP! ---
Guest David H. Lipman
Posted October 10, 2008

From: "Jim Bunton" <wbbr26814@blueyonder.co.uk>

| Windows media centre service pack 3
| iexplorer v 7
| Windows update will not run
| Run services.msc
| Check Background Intelligent Transfer Service running - OK
| Check Event Log running - ok
| Check Automatic Updates NOT running
| Automatic Updates is disabled and its start button is greyed out
| Setting the combo to Automatic (or manual) it reverts to disabled
| -----------
| RECENT EVENTS - seems like some sort of malware
| IeExplorer Home page began to default to MyWebHunt
| When reset to normal home page on reboot reverted to MyWebHunt
| ---------------
| Googled mywebhunt
| --------
| found:
| http://www.threatexpert.com/report.aspx?ui...70-24b662a299ea
| The following Registry Value was modified:. [HKEY_CURRENT_USER\Software\
| Microsoft\Internet Explorer\Main]. Start Page = "http://www.mywebhunt.com"
| ...
| reports the following registry modifications
| - The following Registry Key was created:
|   - HKEY_LOCAL_MACHINE\SOFTWARE\GodLib
| - The newly created Registry Values are:
|   - [HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]
|     - FR = "1"
|     - BootDays = "23"
|   - [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
|     - NotifyDownloadComplete = "yes"
|   - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
|     - [filename of the sample #1 without extension] =
|       "%Windir%\[filename of the sample #1]"
| so that [filename of the sample #1] runs every time Windows starts
| - The following Registry Value was modified:
|   - [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
|     - Start Page = http://www.mywebhunt.com
| ---------
| I HAVE DELETED
| HKEY_LOCAL_MACHINE\SOFTWARE\GodLib
| [HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]
| - FR = "1"
| - BootDays = "23"
| in the entry
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
| - [filename of the sample #1 without extension] = "%Windir%\[filename of
| the sample #1]"
| I found a program named molocha.exe
| AND a copy of it
| in C:\Windows & Documents and Settings .. . \Temp
| CREATED DATE today !!
| Deleted the registry entry
| "[filename of the sample #1 without extension] =
| "%Windir%\[filename of the sample #1]" " for this file
| AND, after reboot, renamed the C:\windows instance to Xmolocha.exe
| AND deleted it from Documents and Settings\ . . \Temp
| ----------
| This has stopped the hijack of the web browser to MyWebHunt
| BUT Internet explorer is occasionally opening new instances with seemingly
| random websites.
| --- HELP! ---

Please do NOT use Remove-IT from the fake MS MVP. There are many reasons from the fact it is malicious and it is based upon two plagiarized utilities to the fact that it will not target the malware you have.

I have seen the malware that you are infected with. Have you been downloading and installing so-called cracked programs, w-arez or software cracking utilities ?

The malware I have seen does indeed create the Registry key; HKLM\SOFTWARE\GodLib as seen in a SandBox. However, I could find no references to it in any malware encyclopedias and there were no detections for the installer.

The following is your best bet.

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

Then post the contents of the HJT log in your post in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Leythos
Posted October 11, 2008

In article <KKPHk.2979$as4.2449@nlpi069.nbdc.sbc.com>, toidi@tpap.com says...
> Use my Remove-it software
>

Read the truth about PCBUTTS online:

http://tinyurl.com/4rruwd

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Guest ---Fitz---
Posted October 11, 2008

"Leythos" <void@nowhere.lan> wrote in message news:1223690937_179331@news.usenet.com...
> In article <KKPHk.2979$as4.2449@nlpi069.nbdc.sbc.com>, toidi@tpap.com
> says...
>> Use my Remove-it software
>>
> Read the truth about PCBUTTS online:
>
> http://tinyurl.com/4rruwd
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)

Very informative...even through the translation.
Guest Leythos
Posted October 11, 2008

In article , ---fitz--- @invalid.com says...
> "Leythos" <void@nowhere.lan> wrote in message
> news:1223690937_179331@news.usenet.com...
> > In article <KKPHk.2979$as4.2449@nlpi069.nbdc.sbc.com>, toidi@tpap.com
> > says...
> >> Use my Remove-it software
> >>
> > Read the truth about PCBUTTS online:
> >
> > http://tinyurl.com/4rruwd
> >
>
> Very informative...even through the translation.

I wish I could translate the language myself, had to use the google translation services, it leaves a little to be desired but people can get the overall story.

--
Leythos
- spam999free@rrohio.com (remove 999 to email me)

Public Service Warning: Learn about PCButts before you trust:
http://www.velocityreviews.com/forums/t513...f-removeit.html
http://www.google.com/search?hl=en&q=pcbutts1+thief
http://tinyurl.com/4rruwd
Guest The Real Truth MVP
Posted October 11, 2008

You idiot. That article is in direct response to me putting the pctipp.ch website in my hosts file. The popularity of my hosts file is growing fast. Plus they probably didn't like the email I sent them about David Lipman and hosting his stolen script. They blew me off and ignored me and now that I done it they are trying to explain why.

--
Ignore any posts made by the Stalker Leythos, he's still in love with me.
He started stalking me after I spurned his advances towards me.
He said he would stop Stalking me If I stopped mentioning his name.
As you can see that does not work. He is a sick obsessive STALKER.

"---Fitz---" <---fitz---@invalid.com> wrote in message news:OLfsBW1KJHA.5904@TK2MSFTNGP02.phx.gbl...
> "Leythos" <void@nowhere.lan> wrote in message
> news:1223690937_179331@news.usenet.com...
>> In article <KKPHk.2979$as4.2449@nlpi069.nbdc.sbc.com>, toidi@tpap.com
>> says...
>>> Use my Remove-it software
>>>
>> Read the truth about PCBUTTS online:
>>
>> http://tinyurl.com/4rruwd
>>
>> --
>> - Igitur qui desiderat pacem, praeparet bellum.
>> - Calling an illegal alien an "undocumented worker" is like calling a
>> drug dealer an "unlicensed pharmacist"
>> spam999free@rrohio.com (remove 999 for proper email address)
>
> Very informative...even through the translation.
Guest Peter Foldes
Posted October 11, 2008

Not correct. That article seems to be correct

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"The Real Truth MVP" <toidi@tpap.com> wrote in message news:P28Ik.2060$pr6.656@flpi149.ffdc.sbc.com...
> You idiot. That article is in direct response to me putting the pctipp.ch
> website in my hosts file. The popularity of my hosts file is growing fast.
> Plus they probably didn't like the email I sent them about David Lipman and
> hosting his stolen script. They blew me off and ignored me and now that I
> done it they are trying to explain why.
>
> --
> Ignore any posts made by the Stalker Leythos, he's still in love with me.
> He started stalking me after I spurned his advances towards me.
> He said he would stop Stalking me If I stopped mentioning his name.
> As you can see that does not work. He is a sick obsessive STALKER.
>
> "---Fitz---" <---fitz---@invalid.com> wrote in message
> news:OLfsBW1KJHA.5904@TK2MSFTNGP02.phx.gbl...
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:1223690937_179331@news.usenet.com...
>>> In article <KKPHk.2979$as4.2449@nlpi069.nbdc.sbc.com>, toidi@tpap.com
>>> says...
>>>> Use my Remove-it software
>>>>
>>> Read the truth about PCBUTTS online:
>>>
>>> http://tinyurl.com/4rruwd
>>>
>>> --
>>> - Igitur qui desiderat pacem, praeparet bellum.
>>> - Calling an illegal alien an "undocumented worker" is like calling a
>>> drug dealer an "unlicensed pharmacist"
>>> spam999free@rrohio.com (remove 999 for proper email address)
>>
>> Very informative...even through the translation.
>
Guest The Real Truth MVP
Posted October 11, 2008

The only thing correct about that article is the spelling of the name pcbutts1. You people are so dumb and gullible I wonder how you make it through the day without hurting yourself. I mean they have been complaining about me for years everyday and every post I make. When are you idiots going to admit that you have failed, that the reason you keep failing is because you are going after the wrong person. I am NOT Chris butts. You have been after him for years and nothing has been done. Don't you learn from your mistakes? Apparently not. You have it instilled and burned into your feeble mind because of one post I made 4 years ago that I am Chris butts. That's why you are trolls.

--
Ignore any posts made by the Stalker Leythos, he's still in love with me.
He started stalking me after I spurned his advances towards me.
He said he would stop Stalking me If I stopped mentioning his name.
As you can see that does not work. He is a sick obsessive STALKER.

"Peter Foldes" <okf22@hotmail.com> wrote in message news:%2334b2K%23KJHA.4236@TK2MSFTNGP03.phx.gbl...

Not correct. That article seems to be correct

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"The Real Truth MVP" <toidi@tpap.com> wrote in message news:P28Ik.2060$pr6.656@flpi149.ffdc.sbc.com...
> You idiot. That article is in direct response to me putting the pctipp.ch
> website in my hosts file. The popularity of my hosts file is growing fast.
> Plus they probably didn't like the email I sent them about David Lipman
> and
> hosting his stolen script. They blew me off and ignored me and now that I
> done it they are trying to explain why.
>
> --
> Ignore any posts made by the Stalker Leythos, he's still in love with me.
> He started stalking me after I spurned his advances towards me.
> He said he would stop Stalking me If I stopped mentioning his name.
> As you can see that does not work. He is a sick obsessive STALKER.
>
> "---Fitz---" <---fitz---@invalid.com> wrote in message
> news:OLfsBW1KJHA.5904@TK2MSFTNGP02.phx.gbl...
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:1223690937_179331@news.usenet.com...
>>> In article <KKPHk.2979$as4.2449@nlpi069.nbdc.sbc.com>, toidi@tpap.com
>>> says...
>>>> Use my Remove-it software
>>>>
>>> Read the truth about PCBUTTS online:
>>>
>>> http://tinyurl.com/4rruwd
>>>
>>> --
>>> - Igitur qui desiderat pacem, praeparet bellum.
>>> - Calling an illegal alien an "undocumented worker" is like calling a
>>> drug dealer an "unlicensed pharmacist"
>>> spam999free@rrohio.com (remove 999 for proper email address)
>>
>> Very informative...even through the translation.
>
Guest ---Fitz---
Posted October 12, 2008

"The Real Truth MVP" <toidi@tpap.com> wrote in message news:P28Ik.2060$pr6.656@flpi149.ffdc.sbc.com...
> You idiot. That article is in direct response to me putting the pctipp.ch
> website in my hosts file. The popularity of my hosts file is growing fast.
> Plus they probably didn't like the email I sent them about David Lipman
> and hosting his stolen script. They blew me off and ignored me and now
> that I done it they are trying to explain why.
>
> --
> Ignore any posts made by the Stalker Leythos, he's still in love with me.
> He started stalking me after I spurned his advances towards me.
> He said he would stop Stalking me If I stopped mentioning his name.
> As you can see that does not work. He is a sick obsessive STALKER.
>
> "---Fitz---" <---fitz---@invalid.com> wrote in message
> news:OLfsBW1KJHA.5904@TK2MSFTNGP02.phx.gbl...
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:1223690937_179331@news.usenet.com...
>>> In article <KKPHk.2979$as4.2449@nlpi069.nbdc.sbc.com>, toidi@tpap.com
>>> says...
>>>> Use my Remove-it software
>>>>
>>> Read the truth about PCBUTTS online:
>>>
>>> http://tinyurl.com/4rruwd
>>>
>>> --
>>> - Igitur qui desiderat pacem, praeparet bellum.
>>> - Calling an illegal alien an "undocumented worker" is like calling a
>>> drug dealer an "unlicensed pharmacist"
>>> spam999free@rrohio.com (remove 999 for proper email address)
>>
>> Very informative...even through the translation.
>

The popularity of your hosts file? You mean the one that installs without the user knowing what legitimate sites it blocks, even the MVP site?

Seems your fame is international! Way to go! However...stupidity is NOT a life goal.
Guest Leythos
Posted October 12, 2008

In article <A39Ik.3289$c45.484@nlpi065.nbdc.sbc.com>, toidi@tpap.com says...
> Ignore any posts made by the Stalker Leythos, he's still in love with me.
> He started stalking me after I spurned his advances towards me.
> He said he would stop Stalking me If I stopped mentioning his name.
> As you can see that does not work. He is a sick obsessive STALKER.
>

Do you really want to trust someone that was banned from posting directly to Microsoft Usenet servers, someone that has posted links to pornographic materials on HIS WEBSITE, whose website is in the MVP HOST Block list, and who provides a tool for your use that will block access to reputable anti-malware sites without telling you he's doing it?

Do you really want to trust someone that has had to change their posting identity after being busted by MS as a fake MVP?

Stalking, even in usenet is a crime, there are enough pages from your filthy site to prove you're stalking me in your posts, I have them documented and certified authentic - it's your call now Stalker.

--
Leythos
- spam999free@rrohio.com (remove 999 to email me)

Public Service Warning: Learn about PCButts before you trust:
http://www.velocityreviews.com/forums/t513...f-removeit.html
http://www.google.com/search?hl=en&q=pcbutts1+thief
http://tinyurl.com/4rruwd