
jlspartz
Members
  • Posts: 10
  • Joined
  • Last visited

Everything posted by jlspartz

  1. A couple of days ago a message was bounced back from 50 old emails, all saying they were undeliverable, within a couple of minutes. Interesting, and it's just one line saying to quickly visit a website. I googled information on it and the site link should not be loaded with a virus (although I won't check), since the site links change in every person's case online, although the quick one line of text stays the same and points them to all different websites. Without going to the website link in mine, I found out it's a wine producer's website in France. Now I know everyone is thinking it must be a virus on the computer accessing it. Well, first off, it's being accessed on a Mac, with no mail client, only web-based email login. I know a person could send it using my email to others, but these were people in my contact list. I know some will get hold of forwarded emails and use the To and From fields there, but there were no mass forwards in the past to these people. It was within Hotmail, with the online messenger turned off and no other apps added. It seemed to be a one-time occurrence. The only conclusion I can come to is that either the account was hacked or an email contained a security exploit that forwards the message to everyone in the contact list upon viewing it.
  2. We're calling it quits. This is definitely a new variant, and worse than the previous ones, but does not have the website redirection. I'd like to try to solve it, but time=money and we're ordering a new computer and wiping this one clean.
  3. I got TDSS to run, but it can't clean it.

     2010/11/02 14:39:23.0277 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
     2010/11/02 14:39:23.0277 ================================================================================
     2010/11/02 14:39:23.0277 SystemInfo:
     2010/11/02 14:39:23.0277
     2010/11/02 14:39:23.0277 OS Version: 5.1.2600 ServicePack: 3.0
     2010/11/02 14:39:23.0277 Product type: Workstation
     2010/11/02 14:39:23.0277 ComputerName: CDSMITH007
     2010/11/02 14:39:23.0277 UserName: gsabel
     2010/11/02 14:39:23.0277 Windows directory: C:\WINDOWS
     2010/11/02 14:39:23.0277 System windows directory: C:\WINDOWS
     2010/11/02 14:39:23.0277 Processor architecture: Intel x86
     2010/11/02 14:39:23.0277 Number of processors: 2
     2010/11/02 14:39:23.0277 Page size: 0x1000
     2010/11/02 14:39:23.0277 Boot type: Normal boot
     2010/11/02 14:39:23.0277 ================================================================================
     2010/11/02 14:39:23.0402 Initialize success
     2010/11/02 14:39:24.0683 ================================================================================
     2010/11/02 14:39:24.0683 Scan started
     2010/11/02 14:39:24.0683 Mode: Manual;
     2010/11/02 14:39:24.0683 ================================================================================
     2010/11/02 14:39:27.0120 Suspicious service (NoAccess): vbma17c8
     2010/11/02 14:39:27.0120 vbma17c8 - detected Locked service (1)
     2010/11/02 14:39:27.0323 ================================================================================
     2010/11/02 14:39:27.0323 Scan finished
     2010/11/02 14:39:27.0323 ================================================================================
     2010/11/02 14:39:27.0323 Detected object count: 1
     2010/11/02 14:39:33.0321 Locked service(vbma17c8) - User select action: Skip
     2010/11/02 14:39:36.0445 Deinitialize success
  4. OTL I got to open by putting it on a flash drive and renaming it winlogon.exe. But once I hit scan the program is killed. I just tried ProcessExplorer and that won't open either.
  5. I also tried Combofix off a flash drive. Downloaded it on another machine, renamed it iexplore.exe and ran it and it shows a progress bar which finishes and then nothing else happens after that. No combofix.txt file at the end.
  6. Running ClamWin Portable, it detects mup.sys as infected - the heuristics engine finds it, so it's unknown in the definitions - just labelled as a rootkit. vbma17c8.sys comes up as permission denied from the scan.
  7. If I try to reopen the program it tells me permission denied. Same goes for MBAM. I can uninstall and reinstall to get it back open. But once the virus detects it, it's killed and not allowed to open anymore.
  8. I downloaded OTL and it says I don't have permission to run it. I downloaded the second one. The scan runs and finds a rootkit (vbma17c8.sys) and asks to do a full scan. When I click Yes, the program disappears.
  9. Log from RKUnhooker:

     RkU Version: 3.8.388.590, Type LE (SR2)
     ==============================================
     OS Name: Windows XP
     Version 5.1.2600 (Service Pack 3)
     Number of processors #2
     ==============================================
     >Drivers
     ==============================================
     0xF58B5000 C:\WINDOWS\system32\DRIVERS\NETw5x32.sys 3637248 bytes (Intel Corporation, Intel
  10. This virus got on a co-worker's computer. I will have to secure it more for external use. But the virus calls itself Antivirus 2010 and looks like it, although no manual removal instructions work for it (it uses all different file names and registry keys). I can disable its service, which prevents it from coming up, but its removal-prevention mechanism is still in place. Even when running in safe mode and installing MBAM, it updates and opens fine. Once run, the program disappears.