 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI
·RoadRunner Cable
| SuperSick2008
Got a new variant of Vundo/Panic special. This one hijacks the desktop completely. The local drives and CD/DVD drives are not visible in Windows. I had to copy superantispyware to the hard drive using DOS in the safe mode. In regular mode I would get "Path Not Found". The command prompt is modified with the term "Infected". Superantispyware and Malware bytes both find stuff, delete it and after a reboot find stuff all over again. Malware Bytes informed me that regedit had been disabled and it offered to re-enable it. Task manager will not come up. The panic warning windows will not close. They keep tangling up with the dialog boxes of the utilities. If it weren't for being a quad core machine it would be non-functional already. This is another NOD32 case, green dot and all. Not that it matters. If I cannot cure this one without DBN, I will not be trying to use conventional antivirus software any longer. -- I spent most of my money on Women and Beer, and the rest I just wasted ! |
|
  SnowyOne Premium join:2003-04-05 Kailua, HI | That's pretty nasty! If Spybot-S&D was installed on the machine doesn't it have a replaceable copy of core registry keys/values? That might be a good starting point, if available. |
|
 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI
·RoadRunner Cable
| I didn't know about a Spybot registry backup. My bad ! I did not do the initial setup so I don't think it ever had spybot. I'll be sure to find out about that feature for future encounters. Thanks ! -- I spent most of my money on Women and Beer, and the rest I just wasted ! |
|
 noway1
join:2004-11-29
edit: July 28th, @11:46PM
| reply to SipSizzurp
said by SipSizzurp: ...This is another NOD32 case, green dot and all.
Q1. Sorry, I don't understand what you mean by this sentence.
Q2. AV Version? Sig version?
Q3. Has the updater been updating regularly or have there been some updates missed? (some NOD32 v3 users are having some updater problems right now)
Q4. Do you know how you got this Vundo? |
|
 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI
·RoadRunner Cable
edit: July 29th, @12:40AM
| Q1 The system tray has a green dot. Maximum protection. Number of blocked attacks = 0
Q2 ESET NOD32 AntiVirus 3.0.650.0 Sig Ver. 3304 2008728
Q3 I assume it has been running since it is current.
Q4 No. I wish you hadn't asked. I just checked its browser history. It has been to numerous porn sites. The virus may be responsible for some of them, but knowing where I picked the computer up from, not all of them. There was a lot more wrong than Vundo. There was a plethora of trojans and hijackers detected. Spybot found only one more. It is now partially cured, I can get to the local resources in "My Computer" and the start menu is back. It was also empty earlier. Desktop background is still whited out with the icons looking weird. I've got the Exaspery tool running now. It is at about 20% and has found nothing yet. I'm planning to run prevx, and then attempt an exorcism with RKU. After that I'll run SFC to see if I can repair some damage. I'm not sure what else to throw at it.
Looks like the main site for the primary viral download was antivirusxp2008 dot com. The homepage is being hijacked to : softwarereferral dot com. Might make for some interesting whois reading.
Edit - I wonder if she would answer her phone. Easy number to remember ! 
Domain Name: ANTIVIRUSXP2008.COM
Registrant: Goya interco llc Alice Velaques (alice.velasues@botiquestomp.com) La vaal sq 47 of 54 Kemi Ahvenanmasnlääni,10755 FI Tel. +001.41512345678 Fax. +001.41512345678
Creation Date: 17-Jun-2008 Expiration Date: 17-Jun-2009
-- I spent most of my money on Women and Beer, and the rest I just wasted ! |
|
  SnowyOne Premium join:2003-04-05 Kailua, HI
·RoadRunner Cable
·Clearwire Wireless
| said by SipSizzurp: Creation Date: 17-Jun-2008 Expiration Date: 17-Jun-2009
FWIW, the initial infection probably happened sometime after 17-Jun-2008 |
|
  Elite
join:2002-10-03 Orange, CT
·Optimum Online
| reply to SipSizzurp
About 2 weeks ago I was fixing a machine which was running a fully updated version of KAV 7. KAV was configured to update every hour, and perform a full system scan every night at 3:00 AM.
The user had somehow managed to get the worst Vundo infection I had ever seen.
Next to anything on the system which had a timestamp, the text "VIRUS ALERT!" was appended to it.
Literally everything!
The system clock (yes, the one in the taskbar) had the text "VIRUS ALERT!" next to it. When I right-clicked any file on the machine to view its properties and attributes, the timestamps for things like creation date, etc. all had "VIRUS ALERT!" next to them.
The start menu was completely hosed. Regedit and Task Manager, among other things, were disabled. The system was completely trashed.
I vanquished the Vundo with autoruns and a few other goodies. Even after completely removing the infection, most of Windows remained in ruins.
I ended up reformatting the box.
Worst infection I'd ever seen. -- QUAD!!!! |
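The symptoms described in the two posts above (regedit and Task Manager disabled, drives missing from My Computer, "VIRUS ALERT!" glued onto every timestamp and the taskbar clock) are all things a defender can check for in the user's registry hive. The script below is an added example, not code from the thread or from any of the vendors named in it. It assumes, since the thread never names the mechanism, that the rogue used the standard per-user policy values (DisableRegistryTools, DisableTaskMgr, NoDrives, NoViewOnDrive) and the locale format strings under Control Panel\International, which is where such a clock or timestamp suffix would have to live. It is read-only by default; -Restore only resets the policy values, because the correct locale strings depend on the user's region and should be reset from Regional Options by hand.

```powershell
# Added example (not from the thread). Audits the per-user registry values that
# can produce the symptoms described above. Registry locations are standard
# Windows ones; that the infection used them is an assumption, not a thread fact.
# Run under the affected user account. Read-only unless -Restore is supplied.
param([switch]$Restore)

$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Policy values that should normally be absent or 0 on a home machine.
$checks = @(
    @{ Path = "$policies\System";   Name = 'DisableRegistryTools'; Expect = 0; Why = 'regedit blocked' },
    @{ Path = "$policies\System";   Name = 'DisableTaskMgr';       Expect = 0; Why = 'Task Manager blocked' },
    @{ Path = "$policies\Explorer"; Name = 'NoDrives';             Expect = 0; Why = 'drives hidden in My Computer' },
    @{ Path = "$policies\Explorer"; Name = 'NoViewOnDrive';        Expect = 0; Why = 'drives cannot be opened' }
)

foreach ($c in $checks) {
    # Missing key or value is the normal state; SilentlyContinue turns that into $null.
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }

    if ($null -ne $value -and $value -ne $c.Expect) {
        Write-Output ("TAMPERED {0}\{1} = {2} ({3})" -f $c.Path, $c.Name, $value, $c.Why)
        if ($Restore) {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expect
            Write-Output ("restored {0}\{1} to {2}" -f $c.Path, $c.Name, $c.Expect)
        }
    } else {
        Write-Output ("ok       {0}\{1}" -f $c.Path, $c.Name)
    }
}

# Locale format strings: the taskbar clock uses sTimeFormat, file property sheets
# use sShortDate/sLongDate plus sTimeFormat. Heuristic (assumption): a genuine
# pattern is built from the tokens d M y h H m s t g and separators; any other
# letter or punctuation such as "!" means text was appended to the pattern.
$intl = Get-ItemProperty -Path 'HKCU:\Control Panel\International'
foreach ($name in 'sTimeFormat', 'sShortDate', 'sLongDate') {
    $fmt = $intl.$name
    if ($fmt -match "[^dMyhHmstg\s:/.,'\-]") {
        Write-Output ("SUSPECT  {0} = '{1}'  (reset from Regional Options)" -f $name, $fmt)
    } else {
        Write-Output ("ok       {0} = '{1}'" -f $name, $fmt)
    }
}
```

Run it from the user's own session, because these are HKCU values and a different account sees a different hive. Locales whose date patterns contain quoted literal words (Spanish "d' de 'MMMM", for instance) will trip the format heuristic, so a SUSPECT line on a non-English machine needs a glance at the actual string before anyone acts on it. A clean report here does not mean the box is clean; it only tells you whether the visible symptoms have a policy or locale cause that survives a reboot, which is the same reason the thread's scanners kept finding things again after each restart.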
|
 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI
·RoadRunner Cable
edit: July 29th, @02:47AM
| reply to SipSizzurp
Elite, that is the same exact symptom I had, to a tee. "VIRUS ALERT!" is the precise wording, not "Infected" like I had previously stated. It was in the system tray after the clock. My entire start menu was void, DOS prompt said virus alert. I've got it down to a white desktop overlay. Doesn't seem to be much if any of the active virus left. My router reports no outgoing connections. I'm down to system file checker, and from there it will be Dban, reload and deepfreeze, which is going on everything from now on. It's a little more trouble to set up, but I can't keep doing this. I also had a fully updated exaspery 7 machine come down with this virus's little sister last month. Exaspery 6 has dropped on me 3 or 4 times this year and I've had 3 or 4 sick NAVs. It is not the fault of the AV companies. They have simply been licked. The virus battle is officially over as far as I'm concerned.
Edit - XPpro SP3.
-- I spent most of my money on Women and Beer, and the rest I just wasted ! |
|
  trparky Bite My Shiny Metal Ass Premium,MVM join:2000-05-24 Cleveland, OH clubs:
| reply to SipSizzurp
I never saw the point to doing all of what it does. It doesn't make any sense to do this.
It all comes down to the "parasite" idea, a parasite doesn't kill its host. -- Tom |
|
  tempnexus Premium join:1999-08-11 Boston, MA
| reply to SipSizzurp
Yeap, I myself just finished cleaning the system. After that I went malware hunting and yes, about 7/10 of the malware I found was not detected by any of AntiVir/Boclean/Kav8/Nod32/Norton Endpoint/Bitdefender/SuperAntispyware/MalwareBytes etc.
All of them were submitted to respectable AV's, however I am yet to find a good submit e-mail to superantispyware.
From all of them so far AntiVir Heuristics were very high, higher than NOD32 (but I bet noisier on False Positives). NOD32 detected only 4 out of the 10 (maxed out). KAV detected 7/10.
BoClean I think also 4 out of 10.
Basically I myself have also given up on the AV industry; I think so far indeed they are playing a giant catch-up. And yes, I've been fully disappointed with NOD32 as of late, too many malware that fall through the cracks. Especially since after submitting to VirusTotal I get 14 out of 35 hits and NOD32 is not one of the 14, so yeah...kinda behind the ball. |
|
  Stem Bolt Premium join:2002-11-08 Cleveland, OH
| said by tempnexus: All of them were submitted to respectable AV's, however I am yet to find a good submit e-mail to superantispyware.
samples@superantispyware.com
I would be interested in seeing the results from the ones you submitted to Virus Total. I'm curious to see how well my antivirus did. Or didn't do. If you could post the links to the Virus Total results, I would appreciate it.
Thanks.
BTW, how many did SuperAntiSpyware detect? -- Dr. Web + SuperAntiSpyware Pro + Online Armor Free + Router/SPI |
|
  tempnexus Premium join:1999-08-11 Boston, MA
edit: July 29th, @09:59PM
| said by Stem Bolt:
said by tempnexus: All of them were submitted to respectable AV's, however I am yet to find a good submit e-mail to superantispyware.
samples@superantispyware.com I would be interested in seeing the results from the ones you submitted to Virus Total. I'm curious to see how well my anti virus did. Or didn't do. If you could post the links to the Virus Total results, I would appreciate it. Thanks. BTW, how many did SuperAntiSpyware detect?
Sorry, the samples are long gone. I decided not to post the virus total results since well I did in the past and my posts were locked or deleted. Mainly it's a courtesy to the other AntiViruses that did not detect the sample. You don't want to sway opinion of a potential customer by a single sample(s).
edit: Yeap that is what happened in the past, they got deleted or at least the images were. But here is one that I found still lying around in my outbox. »www.virustotal.com/analisis/7c95···4ec2d682 (scanned yesterday)
»www.virustotal.com/analisis/8ba3···db2f70be (re-scanned today)
And here is a new one I just downloaded right now (will send it in 5 min to respectable AV teams....to answer the question...all the ones below were not detected by SAS Core 3521 Trace 1151) »www.virustotal.com/analisis/7d87···87f55978
»www.virustotal.com/analisis/be74···fb2a8df8
»www.virustotal.com/analisis/e580···f776b179
»www.virustotal.com/analisis/80f6···b7dd4b0a
»www.virustotal.com/analisis/1261···3d5abe6d
Enough for right now (samples sent).
EDIT 2: Below was sent 4 days ago at that time it was detected by 11 out of 35, now it's 16 out of 35...but still 4 days. »www.virustotal.com/analisis/f517···07487bab |
|
  Kayrac Premium join:2001-09-29 Lee, NH
| I don't see why a post would be deleted or locked
anyone thinking any 1 AV is going to catch them all is sadly mistaken, a lot of people complaining about nod32 over at wilders missing some 'rogue security applications' but as I tried to explain over there, they change daily, if not more often, it's almost impossible to keep up on
while it doesn't seem like they understood that, it's true, and would be insane to think any AV is going to catch them all
and that's just fake antiviruses, everything else is changing quickly as well |
|