Hehe.. KillBox = no good, nothing would drop the running DLL, I couldn't
copy it, delete it, rename it, or kill the registry entry.

Here is a nice add-in for people:

http://mvps.org/winhelp2002/hosts.htm

I am thinking of parsing the file and putting it into our DNS servers to prevent
all the corporate computers from accessing any of those sites.

Here is the tool I downloaded to remove the thing:
http://www.atribune.org/downloads/l2mfix.exe

Here is the VirusTotal response from this morning (it's up from yesterday's 3)

It's pretty much being detected as "W32/Look2Me.ag.6" or "VeryLince"; the VeryLince
Google search pointed me to a geekstogo forum where someone else had it
running.

Here is the URL to the geekstogo thread:
http://www.geekstogo.com/forum/VeryLince_Help_-t44719.html

You can look at the l2mfix find log and see what it actually hooked itself into.

----  This was officially the WORST malware/spyware I have seen; it totally
took over the machine, downloaded just about everything on the net and
installed it on the user's machine.

I would technically call this "Computer" Trespassing.. Maybe I need to put
a "No Trespassing" sign on this computer :=]
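As an added example (not from this thread), one way to do what the message above proposes: parse a hosts-format blocklist such as the MVPS file, keep only the 0.0.0.0/127.0.0.1 blackhole entries, and emit a BIND Response Policy Zone (RPZ) that a corporate resolver can load to refuse the listed names. The zone name `blocklist.rpz` and the hosts content below are constructed for illustration, not the real MVPS file.

```python
# Convert a hosts-format blocklist (MVPS style) into BIND Response Policy
# Zone (RPZ) records so a resolver refuses to resolve the listed sites.
import re

# Constructed sample in the MVPS hosts format (comments, the mandatory
# localhost line, duplicates, mixed case, and hypothetical ad/spyware hosts).
SAMPLE_HOSTS = """\
# constructed header comment, not the real MVPS header
127.0.0.1  localhost
0.0.0.0  ads.example-tracker.test
0.0.0.0  www.example-spyware.test  # hypothetical entry
127.0.0.1  ads.example-tracker.test
0.0.0.0  CDN.Example-Adserver.Test
"""

SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    """Reject anything that is not a syntactically valid DNS name."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))

def parse_hosts(text):
    """Return a sorted, de-duplicated list of hostnames from hosts-format text."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if not parts or parts[0] not in SINK_ADDRS:
            continue  # blank line or not a blackhole entry
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in ("localhost", "localhost.localdomain"):
                continue  # never block the loopback names
            if valid_hostname(name):
                names.add(name)
    return sorted(names)

def to_rpz(names, zone="blocklist.rpz"):
    """Render an RPZ zone file; CNAME to '.' makes the resolver answer NXDOMAIN
    for the name and, via the '*.' record, for all of its subdomains."""
    lines = [f"$ORIGIN {zone}.", "$TTL 300",
             f"@ IN SOA localhost. hostmaster.{zone}. 1 3600 900 604800 300",
             "@ IN NS localhost."]
    for n in names:
        lines += [f"{n} IN CNAME .", f"*.{n} IN CNAME ."]
    return "\n".join(lines) + "\n"
```

Load the resulting zone on the resolver with a `response-policy` clause pointing at it; the parser deliberately skips the loopback names so a bad list entry cannot break local resolution.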




----- Original Message ----- From: "Greg Little" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, July 25, 2005 5:07 PM
Subject: Re: [Declude.Virus] OT: Online file check?


Keep it off the network as much as possible.
Also a software firewall (like Zone Alarm) will help control the "phone home for updates".

Another tool I used for those "really hard to remove stains", is KillBox. You can give it a list of files to be deleted at the start of the next boot.

I've had one that was still locked in memory (and recreating itself to new file names and restoring reg keys) in safe mode with explorer exited. (You have to start a DOS window before killing the Explorer process. Then "explorer" to start it again.) It hooked into login, but KillBox got it on bootup before it could install its memory resident program.

SysInternals has some great tools for watching processes, controlling startups, etc.
http://www.sysinternals.com/SystemInformationUtilities.html

Greg Little

PS Does this pest have a name?

---
[This E-mail scanned for viruses by Findlay Internet]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
---
This email has been scanned for possible viruses by Declude Antivirus.
For more information on Declude Antivirus, Visit www.declude.com


