Horseserver is gone but left problems

Discussion in 'malware problems & news' started by matlock, Jun 7, 2005.

Thread Status:
Not open for further replies.
  1. matlock

    matlock Guest

    I got rid of the horseserver or whatever with the hsfix, but
    1) my computer is acting really slow,
    2) I can't change my background and my Warez program shows that I have over 400 downloaded programs like spybot, spyware killers, and some other programs but they were all downloaded on the same day.
    3) My internet explorer opens up to some page called clicksearch and popup boxes with the heading Aurora keep coming up.

    I have a log file from hijackthis but I don't know what any of it means. Can someone please help me?
     
  2. controler

    controler Guest

  3. controler

    controler Guest

    I just looked at the HSfix folder on my desktop. All it is, is a DOS batch file that searches for known horseserver files that have already been seen in Hijackthis logs, deletes them, creates a log and opens notepad when all done.

    At no time does this BAT file install the reg file included in the folder nor does the help file say anything about the REG file.
    A close look at the REG file shows it restoring some entries, I am guessing if they got deleted.

    This is all the reg file does.
    REGEDIT4


    [-HKEY_CURRENT_USER\Software\WebSiteViewer\Settings]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winlow]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdmt16]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_MEMLOW]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "secboot"=-
    "tibs3"=-
    "Shell"=-
    "tibs5"=-
    "Systems Restart"=-

    [-HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
    "StackSize"=-
    "Impersonate"=-

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion]
    "hws"=-

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\Memory Management]
    "EnforceWriteProtect"=-
    "hws"=-

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
    "EnforceWriteProtect"=-
    "hws"=-

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F9561D0-03B2-44a3-89A6-E95E417CBA25}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F9561D0-03B2-44a3-89A6-E95E417CBA25}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{962F12AE-2773-4BEB-99EA-B5C3AB9A6606}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{962F12AE-2773-4BEB-99EA-B5C3AB9A6606}]


    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
    @="WebCheck"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
    @=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,77,\
    65,62,63,68,65,63,6b,2e,64,6c,6c,00
    "ThreadingModel"="Apartment"

    [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B72F75B8-93F3-429D-B13E-660B206D897A}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B72F75B8-93F3-429D-B13E-660B206D897A}]

    [-HKEY_CURRENT_USER\Software\WebSiteViewer]

    [-HKEY_CURRENT_USER\Software\WebSiteViewer\Settings]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Best Search Engine!!!]

    See the attached txt file for what the bat file does. Then the author has the nerve to make you ask for permission to use a simple old BAT file. Since when has that been required?

    After looking at the BAT.TXT file, do you see any of those files he is deleting on your machine or did you see any of them before running Hsfix?



    controler
     

    Attached Files:
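
An added example (not part of the thread and not HSfix's own code): a read-only Python audit of a REGEDIT4 file such as the one quoted above. It lists which keys (`[-KEY]`) and values (`"name"=-`) the file would delete and which values it would set, and decodes the `hex(2)` data. The function names are illustrative, and `SAMPLE` is an excerpt of the quoted file.

```python
import re
# Excerpt of the REGEDIT4 file quoted in the post above (not the whole file).
SAMPLE = r'''REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"secboot"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,77,\
65,62,63,68,65,63,6b,2e,64,6c,6c,00
"ThreadingModel"="Apartment"
'''

def decode_value(raw):
    """Make a .reg value readable. REGEDIT4 stores hex(2) (REG_EXPAND_SZ) as ANSI bytes."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.rstrip(b"\x00").decode("latin-1")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # dword:, hex:, etc. are left as written

def audit_reg(text):
    """List every operation in a REGEDIT4 file without touching the registry."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join lines continued with a trailing backslash
    ops, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delete_key", line[2:-1], None, None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            name = "(Default)" if m[1] == "@" else m[1][1:-1]
            op = "delete_value" if m[2] == "-" else "set_value"
            ops.append((op, key, name, None if op == "delete_value" else decode_value(m[2])))
    return ops

def restored_keys(ops):
    """Keys (or subkeys) the file first deletes and then writes again."""
    gone = [k.lower() for op, k, _, _ in ops if op == "delete_key"]
    return sorted({k for op, k, _, _ in ops if op == "set_value"
                   and any(k.lower() == g or k.lower().startswith(g + "\\") for g in gone)})

if __name__ == "__main__":
    print(*audit_reg(SAMPLE), restored_keys(audit_reg(SAMPLE)), sep="\n")
```

Run against a full file, the `restored_keys` output shows which entries are reset to known values rather than simply removed, which is worth reviewing before importing any cleanup `.reg` file.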

  4. matlock

    matlock Guest

    I forgot to mention that it will not let me access my task manager too. Is there something else I can do for that?
     