Guest PA Bear [MS MVP] Posted October 10, 2008 Posted October 10, 2008 [Crossposted to Security Virus newsgroup, as OP has repost there] There's a very strong possibility that you have a Vundo infection, which is usually accompanied by ZLOB and/or SDBot infections, all of which are protected by a rootkit. Run a thorough check for hijackware, including posting your hijackthis log to an appropriate forum. Checking for/Help with Hijackware http://aumha.org/a/parasite.htm http://aumha.org/a/quickfix.htm http://aumha.net/viewtopic.php?t=5878 http://wiki.castlecops.com/Malware_Removal...n:_Introduction http://mvps.org/winhelp2002/unwanted.htm http://inetexplorer.mvps.org/data/prevention.htm http://inetexplorer.mvps.org/tshoot.html http://www.mvps.org/sramesh2k/Malware_Defence.htm http://defendingyourmachine2.blogspot.com/ http://www.elephantboycomputers.com/page2....emoving_Malware When all else fails, HijackThis v2.0.2 (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in conjuction with some other utilities). HijackThis will NOT fix anything on its own, but it will help you to both identify and remove any hijackware/spyware with assistance from an expert. Post your log to http://spywarehammer.com/simplemachinesfor....php?board=10.0, http://forums.spybot.info/forumdisplay.php?f=22, http://aumha.net/viewforum.php?f=30, or another appropriate forum for review by an expert in such matters, not here. If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA) computer repair shop. ========================================== Start a free Windows Update support incident request: https://support.microsoft.com/oas/default.aspx?gprid=6527 Support for Windows Update: http://support.microsoft.com/gp/wusupport For home users, no-charge support is available by calling 1-866-PCSAFETY in the United States and in Canada or by contacting your local Microsoft subsidiary. There is no-charge for support calls that are associated with security updates. -- ~Robear Dyer (PA Bear) MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002 AumHa VSOP & Admin http://aumha.net DTS-L http://dts-l.net/ Jim Bunton wrote:<span style="color:blue"> > Tried: > Run services.msc > Check Background Intelligent Transfer Service running - OK > Check Event Log running - ok > Check Automatic Updates NOT running > > Automatic Updates is disabled and it's start button is greyed out > Setting the combo to Automatic (or manual) it reverts to disabled > > ----------- > RECENT EVENTS > IeExplorer Home page began to default to MyWebHunt > When reset to normal home page on reboot reverted to MyWebHunt > --------------- > Googled mywebhunt > -------- > found: > http://www.threatexpert.com/report.aspx?ui...70-24b662a299ea > The following Registry Value was modified:. [HKEY_CURRENT_USERSoftware > MicrosoftInternet ExplorerMain]. Start Page = "http://www.mywebhunt.com" > ... > > reports the folowing registry modifications > a.. The following Registry Key was created: > a.. HKEY_LOCAL_MACHINESOFTWAREGodLib > a.. The newly created Registry Values are: > a.. [HKEY_LOCAL_MACHINESOFTWAREGodLib] > a.. FR = "1" > b.. BootDays = "23" > b.. [HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain] > a.. NotifyDownloadComplete = "yes" > c.. [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] > a.. [filename of the sample #1 without extension] = > "%Windir%[filename of the sample #1]" > > so that [filename of the sample #1] runs every time Windows starts > > a.. The following Registry Value was modified: > a.. [HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain] > a.. Start Page = http://www.mywebhunt.com > --------- > I HAVE DELETED > HKEY_LOCAL_MACHINESOFTWAREGodLib > HKEY_LOCAL_MACHINESOFTWAREGodLib] > a.. FR = "1" > b.. BootDays = "23" > in the entry > [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] > a.. [filename of the sample #1 without extension] = "%Windir%[filename > of > the sample #1]" > I found a program named molocha.exe > AND a copy of it > in C:Windows & Documents and Settings .. . Temp > CREATED DATE today !! > > Deleted the registry entry > "[filename of the sample #1 without extension] = > "%Windir%[filename of the sample #1]" " for this file > > AND, after reboot, renamed the C:windows instance to Xmolocha.exe > AND deleted it from Documents and Settings . . Temp > > ---------- > This has stopped the hijack of the web browser to MyWebHunt > BUT Internet explorer is occassionally opening new instances with > seemingly > random websites. > --- HELP! --- </span> Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.