DecodingHQ

8 replies to this topic

#1 zeltus
  • Members
  • 2 posts

Posted 11 March 2009 - 12:13 PM

Having stupidly clicked on an unknown exe file, I found myself unable to get at System Restore or Network Connections (and no doubt a ton of other stuff): my PC has also been given some dodgy-looking DNS settings.

It seems to be something to do with DecodingHQ, but altho' I've googled, there is not much out there. Perhaps because it is quite new?

I have, eventually, got a version of MBAM scanning on the PC and to date it is finding some infected files. Here's hoping it'll fix the problem.

In the meantime, has anyone with expertise and experience come across this one before? I sorta hope so, I don't like life at the bleedin' edge! :-{

Cheers

My Router has a secure password, so that is safe, at least.

Bill


#2 tos226
    BleepIN--BleepOUT
  • Members
  • 1,569 posts
  • Gender:Female
  • Location:LocalHost

Posted 11 March 2009 - 04:46 PM

No experience, but here's plenty of info. Yes, it appears to be fairly new.
http://www.prevx.com/filenames/13539468370...INGHQ2EEXE.html
http://www.threatexpert.com/report.aspx?md...df4f587a4f2ef95

Edited by tos226, 11 March 2009 - 04:48 PM.


#3 DaChew
    Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 11 March 2009 - 06:48 PM

Please post that MBAM log
Chewy

No. Try not. Do... or do not. There is no try.

#4 wolli0808
  • Members
  • 1 post

Posted 12 March 2009 - 06:54 AM

Hi,

Until yesterday I had the same problem with the same file!

I ran DDS and used ComboFix (from here in this forum). Now my PC is clean.

Wolfgang

#5 grizgza
  • Members
  • 2 posts

Posted 12 March 2009 - 10:02 AM

I'm infected with this as well! Any advice?

I don't know what "ran DDS" means, or how to use ComboFix...

Ad-Aware found the DNS settings changes ("Attempted DNS hijack") and cleaned that up. My DNS settings look correct now on my PC, but I'm still having issues. My Google search result links are taking me to random pages. I can't seem to get to any online virus/malware scanners either.

Edited by grizgza, 12 March 2009 - 10:16 AM.


#6 grizgza
  • Members
  • 2 posts

Posted 12 March 2009 - 10:17 AM

No experience, but here's plenty of info. Yes, it appears to be fairly new.
http://www.prevx.com/filenames/13539468370...INGHQ2EEXE.html
http://www.threatexpert.com/report.aspx?md...df4f587a4f2ef95


Anyone know if this Prevx.com site is legit? Looks just as shady as malware itself....
EDIT: I looked it up and it seems legit, I'm going to try it.

EDIT2: I paid for a month licence and ran the cleanup; it seems to have worked for the most part. There was one registry entry it looks like it didn't get and I'm unable to delete it: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\videoshow. I also noticed the malware installed itself on my flash drives and messed with AutoPlay. It came up asking me if I wanted to run some long file name, S-4-3-59-100024869-100029764-100017254-7855.com... I declined, then checked my Task Manager and that process was running, so I terminated it. I formatted the flash drives and when I put them back in my PC I do not get the AutoPlay problem. I also deleted C:\autorun.inf, which had that garbage in it too; seems like Prevx CSI missed that as well.

Edited by grizgza, 12 March 2009 - 11:15 AM.
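Added example, not code from any poster in this thread: a small Python triage script for the two artefacts described above, the autorun.inf that grizgza found on the flash drives and on C:\, and the changed DNS resolver settings that zeltus (post #1) and grizgza (post #5) mention. The autorun.inf sample is constructed to look like what grizgza describes, the DNS addresses are constructed (203.0.113.77 is from a documentation range), and the trusted-resolver list is an assumption you replace with your own router/ISP addresses.

```python
"""Triage helpers for two artefacts described in this thread: an autorun.inf
planted on a removable drive, and DNS resolver settings changed behind the
user's back. Added example; all sample data below is constructed, not
captured from an infected machine."""
import ipaddress
import re
from dataclasses import dataclass

# Keys in [autorun] that make Windows launch something on insert, double-click
# or the right-click "Explore" verb. Matched case-insensitively.
LAUNCH_KEYS = re.compile(r'^(open|shellexecute|shell\\[^\\]+\\command)$', re.I)
# Extensions treated as "runs code" (assumed list; extend as needed).
EXEC_EXT = re.compile(r'\.(exe|com|bat|cmd|scr|pif|vbs|vbe|js|jse|wsf|hta)(?:\s|$|")', re.I)


@dataclass
class AutorunFinding:
    key: str
    value: str
    reason: str


def parse_autorun_inf(text: str) -> dict:
    """Parse the INI-style autorun.inf into {section: {key: value}}.

    Hand-written instead of configparser because real autorun.inf files are
    often padded with junk lines that strict INI parsers reject; anything that
    is not '[section]' or 'key=value' is skipped. Section and key names are
    lower-cased, since Windows treats them case-insensitively.
    """
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':           # blank or comment
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:    # padding, ignore
            continue
        key, _, value = line.partition('=')
        sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_autorun(text: str) -> list:
    """Return the [autorun] entries that cause something to run."""
    findings = []
    for key, value in parse_autorun_inf(text).get('autorun', {}).items():
        if LAUNCH_KEYS.match(key):
            if EXEC_EXT.search(value):
                reason = 'launches an executable from the drive'
            else:
                reason = 'launch key present (target is not an obvious executable)'
            findings.append(AutorunFinding(key, value, reason))
        elif key == 'useautoplay' and value == '1':
            findings.append(AutorunFinding(
                key, value, 'asks Windows to apply AutoPlay handling to this drive'))
    return findings


def find_rogue_dns(configured, trusted):
    """Return resolvers in `configured` that fall outside the `trusted` set.

    `configured` is what `ipconfig /all` lists under "DNS Servers"; `trusted`
    holds your router, ISP or chosen public resolvers (addresses or CIDR nets).
    """
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    return [a for a in configured
            if not any(ipaddress.ip_address(a) in n for n in nets)]


# Constructed sample modelled on grizgza's description: every launch verb
# points at a .com file with an SID-like name, and AutoPlay is requested.
SAMPLE_AUTORUN_INF = """\
; padding lines like this are common and must not break the parser
[autorun]
open=S-4-3-59-100024869-100029764-100017254-7855.com
shell\\open\\command=S-4-3-59-100024869-100029764-100017254-7855.com
shell\\explore\\command=S-4-3-59-100024869-100029764-100017254-7855.com
useautoplay=1
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed addresses: 192.168.1.1 stands in for the user's router,
# 203.0.113.77 (documentation range) for the injected resolver.
SAMPLE_DNS_CONFIGURED = ['192.168.1.1', '203.0.113.77']
TRUSTED_RESOLVERS = ['192.168.1.0/24', '8.8.8.8']   # assumption: replace with your own

if __name__ == '__main__':
    for f in triage_autorun(SAMPLE_AUTORUN_INF):
        print(f'{f.key:24} -> {f.value}  [{f.reason}]')
    print('rogue DNS:', find_rogue_dns(SAMPLE_DNS_CONFIGURED, TRUSTED_RESOLVERS))
```

To use it on a real case, copy autorun.inf off the drive root (it is normally set hidden+system, so list the root with `dir /a`) and feed the "DNS Servers" lines from `ipconfig /all` to `find_rogue_dns`. As grizgza's post shows, the same autorun.inf can sit on the system drive's root as well as on removable media, so check both, and treat the launch target named in the file as the process to look for in Task Manager.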


#7 sylkenfire
  • Members
  • 1 post

Posted 15 March 2009 - 11:12 AM

I downloaded a torrent on March 11th. When I tried to play it, it said I needed to download this decoder to play it. I have downloaded codecs in the past and figured it was no big deal, so I downloaded the decoder (decodinghq.exe). I scanned both the torrent and the exe file with my antivirus (updated daily). The torrent wouldn't play, so I found the video somewhere else, then shut down the computer.

Next morning I try to boot up and get a message "can't find owner cache"
Tried a couple of other profiles, same thing
Manually shut down and tried again
Booted into Windows, went to go online, the entire network was wiped out: 2 dialers, wireless connections..... everything
Uninstalled NIC, rebooted..... still no network
Uninstalled decodinghq.exe and it SEEMED to uninstall OK
Meantime I am repeatedly getting an svchost.exe error
Disabled all in msconfig, rebooted, same things are happening
Booted into safe mode, tried everything including System Restore
Can't get past the date window in System Restore
If I try to set up the wireless it tells me it's not supported on this machine
When I run my antivirus it says I am clean
Won't let me run Spybot S&D
At one point in safe mode I got this message... nt authority system, sys shutdown, 10737418

So, at this point I am going to do a sys restore (in between working on papers for school) Which is what this MORON should be using his brain for instead of sitting at his computer like the LOSER he is and inventing viruses. I think he is likely compensating for something...

Anyway, looks like it's fairly new. Will be interesting to see what other kinds of grief it causes.

#8 tos226
    BleepIN--BleepOUT
  • Members
  • 1,569 posts
  • Gender:Female
  • Location:LocalHost

Posted 15 March 2009 - 07:07 PM

grizgza - Prevx is an old, reputable outfit. The fact that it didn't see something simply means they aren't ready to detect it yet.

zeltus, sylkenfire
I think your computers have been seriously compromised and nothing short of a full reinstallation will do.
Once crap has been invited in, it has done the damage, ruined Windows and can do anything it pleases, including disabling security software, so that becomes irrelevant, no longer matching the system it was designed for.
If I were you, I'd be reinstalling Windows or posting HijackThis logs and/or MBAM as DaChew, the visiting alien :thumbsup:, suggested, and hoping for help from someone.

zeltus,
The fact that a router has a password is irrelevant at this point. Too late. And the router will permit what you ask for to come in.

sylkenfire,
If you do System Restore, make sure you go back far enough, to well before the faulty download.

#9 zeltus
  • Topic Starter
  • Members
  • 2 posts

Posted 29 March 2009 - 06:32 AM

Router passwording to me simply means "unless a baddy can guess my router password, they can't get into the router settings and b*gger it up" - and indeed, this DecodingHQ couldn't/didn't/and won't.

In the end, I restored the partition from a Ghost backup. Took a few hours, but I gave up messing about trying to reset the DNS settings; the registry was all f*cked up and God knows what else.

a) I WILL be more careful in future and not blindly trust my anti-everything tools

b) Thanks for the tip about MBAM - I have now added that to my suite

c) At least I was sensible enough to keep reasonably regular backups...

Bill
