MRU Blaster program taken

Discussion in 'other security issues & news' started by Jastizary, Dec 6, 2004.

Thread Status:
Not open for further replies.
  1. Jastizary

    Jastizary Guest

    I need help...
    There have been some peeps who took ur MRU blaster program...
    lili4lili2lili0lili (the person's yahoo ID)...and manipulated it to their advantage. Here is what he started posting soon after to our family members

    th33_d3v1l5_b4b3gurl (11:52:08 PM): th33_d3v1l5_b4d_b4d_c0wg1rl: **** u guys are lame ur to easy ... got me another name now im kevin and this gurl th33_d3v1l5_b4b3gurl (11:52:13 PM): th33_d3v1l5_b4b3gurl (11:52:20 PM): th33_d3v1l5_b4d_b4d_c0wg1rl: how many more names can i get from u guys

    th33_d3v1l5_n4ugh7y_c0wg1rl (11:06:10 PM): got 3 of u bitches now!! th33_d3v1l5_n4ugh7y_c0wg1rl (11:07:50 PM): how many more u think i can get??

    th33 is our family name...but the names above are the ones that are affected...we did get the names back..but they are infected!!!!!!

    A few of our family members were sent a mypic.jpg.pif ...from a similar family name THAT WAS STOLEN.......now..what this person has done...is to come in the system..take id's, passwords, administrative accounts...and used it to their benefit.

    How do I know it's ur program.>>>..it's in the peoples' registry..as this
    (default( type: reg_52 (value not set) then a type reg_52 C:/documents and settings/angel/my documents/mypic,jpg.pif then MRUlist reg_52 a

    now..what this hakr has done is taken over their admins accounts..they are not able to do anything other than log on to the basic user accounts.
    when they try to go into task manager..they get this account has been locked by the administrator..meaning of course that their password has been changed by the hakr.

    These hakrz have been reported and are now under investigation..but the problem is...our family members can't use their computers...

    DO U HAVE A FIX FOR THIS...IT'S NEEDED IMMEDIATELY...ONE FAMILY MEMBER CAN'T EVEN FORMAT HER COMPUTER...

    please reply ASAP

    Thank you for your time in this matter.

    Jasta
     
    Last edited by a moderator: Dec 6, 2004
  2. Bubba

    Bubba Updates Team

    Joined: Apr 15, 2002
    Posts: 11,271

    Hey Jasta,

    I have split your post off into its own thread. I am also re-reading your post in an attempt to understand what you're saying. Hopefully we can assist you with your problem.

    BTW....MRUlist reg_52 does not infer this is a MRUblaster problem.
     
  3. Jasta

    Jasta Guest

    Thanks Bubba

    Pretty much is that a few family members have had their personal information stolen from their registry...log on id's from yahoo, msn, administrator log ons.

    MRUlist_52-----is this a completely different program outside of MRUblaster..

    Understandably...the behavior is the same...taking the MRU information..but it's gone further by sending that information to the hacker...thus---giving the hacker the users information to use at his expense..

    Problem is....the person who did this...doesn't really know what he's done..

    He was saying just turn your virus and spyware programs on to accept javascript...so that ur anti-virus and spyware program will find it..

    Please...Bubba..any help is sooo appreciated...Thanks...Jasta
     
  4. Bubba

    Bubba Updates Team

    Joined: Apr 15, 2002
    Posts: 11,271

    MRUlist is a common entry found in the registry....but it's not necessarily associated with a program. While I cannot assist you in some of what you're asking....I'll attempt to figure out some of what you're saying.

    you said:
    "it's in the peoples' registry..as this (default( type: reg_52 (value not set)"

    Would you go back in the registry and write down the whole registry key info concerning the MRUlist and this reg_52 you are mentioning. I am showing an example below of what I would like to see as far as the actual registry location.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU....MRUList
     
  5. Jasta

    Jasta Registered Member

    Joined: Dec 6, 2004
    Posts: 3
    Location: Ontario, Canada

    Hey Bubba

    We didn't go into a particular area of the registry..I have her go into regedit and ctrl F for the mypic file..

    (default( type: reg_52 (value not set) then a type reg_52 C:/documents and settings/angel/my documents/mypic,jpg.pif then MRUlist reg_52 a

    was the finding on the right hand side under "pif" folder in the main registry..
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Software\pif

    once the pif folder was open...there were no actual files in there except what is showing on the right
    (default( type: reg_52 (value not set) then a type reg_52
    C:/documents and settings/angel/my documents/mypic,jpg.pif then MRUlist reg_52 a

    I understand completely how MRU's work...what i don't understand is how it was manipulated to work against the client.
    Once we know this..im sure it will be easy to find a fix..

    TWO OF THE FAMILY MEMBERS HAVE REFORMATTED AND REPARTITIONED... and this has solved the problem...the third refuses to do this, as
    it's a business computer...possible business information has been stolen..and this is our concern..

    Thanks Again Bubba

    Jasta
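
Added example (not part of the thread and not code from any poster): the value layout Jasta quotes, a lettered value holding a path plus an MRUList ordering string, read from a constructed .reg export, with double-extension names such as mypic.jpg.pif flagged for review. The key location (per-extension OpenSaveMRU subkeys under the ComDlg32 key Bubba names), the sample paths, the extension sets and all function names are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in .reg export format; not data from the machines in the thread.
# Assumed key location: per-extension OpenSaveMRU subkeys under ComDlg32.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\pif]
"a"="C:\\Documents and Settings\\angel\\My Documents\\mypic.jpg.pif"
"MRUList"="a"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\doc]
"a"="C:\\Documents and Settings\\angel\\My Documents\\budget.doc"
"b"="C:\\Documents and Settings\\angel\\My Documents\\letter.doc"
"MRUList"="ba"
'''

EXECUTABLE = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}
DECOY = {".jpg", ".jpeg", ".gif", ".bmp", ".png", ".doc", ".txt", ".pdf"}

def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for the string values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.fullmatch(r'"([^"]+)"="(.*)"', line)):
            # .reg exports escape backslashes and quotes with a leading backslash
            current[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def mru_paths(values):
    """Order the lettered values by the MRUList string (most recent first)."""
    return [values[ch] for ch in values.get("MRUList", "") if ch in values]

def is_disguised_executable(path):
    """True for names like picture.jpg.pif: an executable type behind a decoy extension."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE and suffixes[-2] in DECOY

def audit(text):
    """Return (key, path, flagged) for every MRU entry found in the export."""
    return [(key, p, is_disguised_executable(p))
            for key, values in parse_reg_export(text).items()
            for p in mru_paths(values)]

if __name__ == "__main__":
    for key, path, flagged in audit(SAMPLE_REG):
        print("SUSPICIOUS" if flagged else "ok", key.rsplit("\\", 1)[-1], path)
```

An MRU entry only records that a file with that name was opened or saved through a file dialog; the flag points at the file to examine, not at the registry key itself.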
     