|
Posted by David H. Lipman on October 10, 2008, 6:07 pm
If you were Registered and logged in, you could reply and use other advanced thread options
| Windows media centre service pack 3
| iexplorer v 7
| Windows update will not run
| Run services.msc
| Check Background Intelligent Transfer Service running - OK
| Check Event Log running - ok
| Check Automatic Updates NOT running
| Automatic Updates is disabled and it's start button is greyed out
| Setting the combo to Automatic (or manual) it reverts to disabled
| -----------
| RECENT EVENTS - seems like some sort of malware
| IeExplorer Home page began to default to MyWebHunt
| When reset to normal home page on reboot reverted to MyWebHunt
| ---------------
| Googled mywebhunt
| --------
| found:
|
http://www.threatexpert.com/report.aspx?uid=dd190d12-5574-4797-8d70-24b662a299ea
| The following Registry Value was modified:. [HKEY_CURRENT_USER\Software\
| Microsoft\Internet Explorer\Main]. Start Page = "http://www.mywebhunt.com"
| ...
| reports the folowing registry modifications
| a.. The following Registry Key was created:
| a.. HKEY_LOCAL_MACHINE\SOFTWARE\GodLib
| a.. The newly created Registry Values are:
| a.. [HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]
| a.. FR = "1"
| b.. BootDays = "23"
| b.. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
| a.. NotifyDownloadComplete = "yes"
| c.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
| a.. [filename of the sample #1 without extension] =
| "%Windir%\[filename of the sample #1]"
| so that [filename of the sample #1] runs every time Windows starts
| a.. The following Registry Value was modified:
| a.. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
| a.. Start Page = http://www.mywebhunt.com
| ---------
| I HAVE DELETED
| HKEY_LOCAL_MACHINE\SOFTWARE\GodLib
| HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]
| a.. FR = "1"
| b.. BootDays = "23"
| in the entry
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
| a.. [filename of the sample #1 without extension] = "%Windir%\[filename of
| the sample #1]"
| I found a program named molocha.exe
| AND a copy of it
| in C:\Windows & Documents and Settings .. . \Temp
| CREATED DATE today !!
| Deleted the registry entry
| "[filename of the sample #1 without extension] =
| "%Windir%\[filename of the sample #1]" " for this file
| AND, after reboot, renamed the C:\windows instance to Xmolocha.exe
| AND deleted it from Documents and Settings\ . . \Temp
| ----------
| This has stopped the hijack of the web browser to MyWebHunt
| BUT Internet explorer is occassionally opening new instances with seemingly
| random websites.
| --- HELP! ---
Please do NOT use Remove-IT from the fake MS MVP.
There are many reasons from the fact it is malicious and it is based upon two
plagiarized
utilities to the fact that it will not target the malware you have.
I have seen the malware that you are infected with.
Have you been downloading and installing so-called cracked programs, w-arez or
software
cracking utilities ?
The malware I have seen does indeed create the Registry key;
HKLM\SOFTWARE\GodLib as
seen in a SandBox
However, I could find no references to it in any malware encyclopedias and there
were no
detections for the installer.
The following is your best bet.
Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Then post the contents of the HJT log in your post in one of the below expert
forums...
{ Please - Do NOT post the HJT Log here ! }
Forums where you can get expert advice for HiJack This! (HJT) Logs.
NOTE: Registration is REQUIRED in any of the below before posting a log
Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0
Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7
Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
| 
XML site map