PA Bear [MS MVP]

[Crossposted to Security Virus newsgroup, as OP has repost there]

There's a very strong possibility that you have a Vundo infection, which is
usually accompanied by ZLOB and/or SDBot infections, all of which are
protected by a rootkit.

Run a thorough check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjuction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachi...php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.

==========================================

Start a free Windows Update support incident request:
https://support.microsoft.com/oas/de...spx?gprid=6527

Support for Windows Update:
http://support.microsoft.com/gp/wusupport

For home users, no-charge support is available by calling 1-866-PCSAFETY in
the United States and in Canada or by contacting your local Microsoft
subsidiary. There is no-charge for support calls that are associated with
security updates.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


Jim Bunton wrote:
> Tried:
> Run services.msc
> Check Background Intelligent Transfer Service running - OK
> Check Event Log running - ok
> Check Automatic Updates NOT running
>
> Automatic Updates is disabled and it's start button is greyed out
> Setting the combo to Automatic (or manual) it reverts to disabled
>
> -----------
> RECENT EVENTS
> IeExplorer Home page began to default to MyWebHunt
> When reset to normal home page on reboot reverted to MyWebHunt
> ---------------
> Googled mywebhunt
> --------
> found:
> http://www.threatexpert.com/report.a...0-24b662a299ea
> The following Registry Value was modified:. [HKEY_CURRENT_USER\Software\
> Microsoft\Internet Explorer\Main]. Start Page = "http://www.mywebhunt.com"
> ...
>
> reports the folowing registry modifications
> a.. The following Registry Key was created:
> a.. HKEY_LOCAL_MACHINE\SOFTWARE\GodLib
> a.. The newly created Registry Values are:
> a.. [HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]
> a.. FR = "1"
> b.. BootDays = "23"
> b.. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
> a.. NotifyDownloadComplete = "yes"
> c.. [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run]
> a.. [filename of the sample #1 without extension] =
> "%Windir%\[filename of the sample #1]"
>
> so that [filename of the sample #1] runs every time Windows starts
>
> a.. The following Registry Value was modified:
> a.. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
> a.. Start Page = http://www.mywebhunt.com
> ---------
> I HAVE DELETED
> HKEY_LOCAL_MACHINE\SOFTWARE\GodLib
> HKEY_LOCAL_MACHINE\SOFTWARE\GodLib]
> a.. FR = "1"
> b.. BootDays = "23"
> in the entry
> [HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run]
> a.. [filename of the sample #1 without extension] = "%Windir%\[filename
> of
> the sample #1]"
> I found a program named molocha.exe
> AND a copy of it
> in C:\Windows & Documents and Settings .. . \Temp
> CREATED DATE today !!
>
> Deleted the registry entry
> "[filename of the sample #1 without extension] =
> "%Windir%\[filename of the sample #1]" " for this file
>
> AND, after reboot, renamed the C:\windows instance to Xmolocha.exe
> AND deleted it from Documents and Settings\ . . \Temp
>
> ----------
> This has stopped the hijack of the web browser to MyWebHunt
> BUT Internet explorer is occassionally opening new instances with
> seemingly
> random websites.
> --- HELP! ---