I had 2 users almost get this installed on their PCs this week. I don't know
what sites they are going to that are leading them there but I'm thinking a
clampdown is in order.
James
----- Original Message -----
From: Durf
To: NT System Admin Issues
Sent: Thursday, August 14, 2008 2:54 PM
Subject: Re: "Vista Antivirus 2008" malware removal
It's not hooking DNS, that's the interesting thing. Direct NSLOOKUP queries
work fine, only the appropriate local servers are listed. Somehow it's
actually redirecting the traffic itself, probably through a hidden driver.
Ah well - off to the nuke pile with it.
-- Durf
On Thu, Aug 14, 2008 at 2:49 PM, Erik Goldoff <[EMAIL PROTECTED]> wrote:
I think that's a variant of winfixer .... verify via IPCONFIG -all that
ONLY your preferred DNS is in play... and I'd boot from a secondary instance
of the OS (or a boot CD) and *then* scan for malware and rootkits
----------------------------------------------------------------------------
From: Durf [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2008 2:26 PM
To: NT System Admin Issues
Subject: "Vista Antivirus 2008" malware removal
Hey guys;
I was called in to look over another tech's customer who had a system where
they had (mostly) removed the "Vista Antivirus 2008" fake AV malware. The
only issue still remaining was what we thought at first was a simple browser
redirection issue - visiting a huge number of security-related sites resulted in
a 404.
Well, it wasn't a BHO, and it wasn't a redirect, and it's not a HOSTS file.
It's something screwed in the TCP/IP stack. NSLOOKUP returns the proper DNS
result for a site, but when you send any traffic to it at all - ping, let's say
- it's redirected to localhost.
Anyone seen this before and fixed it by means other than burning down the
system, which is what I'm going to recommend otherwise?
-- Durf
--
--------------
Give a man a fish, and he'll eat for a day.
Give a fish a man, and he'll eat for weeks!
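A diagnostic check added here for the distinction Erik and Durf are drawing; it is not from the thread and not a tool any poster used. It queries a DNS server directly over raw UDP (the NSLOOKUP path), resolves the same name through the OS socket layer (the path a HOSTS entry or Winsock LSP can alter), and reports which layer hands back loopback; it assumes Python 3 and a DNS server address supplied by the caller.

```python
import socket
import struct
def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query packet: one A question, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # type A, class IN
def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length
def parse_a_records(resp: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs
def direct_dns(name: str, server: str) -> list:
    """Ask one DNS server over raw UDP, the way NSLOOKUP does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(512))
def os_resolver(name: str) -> list:
    """Resolve through the OS path (HOSTS file, Winsock LSPs and filters included)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})
def assess(dns_ips, stack_ips) -> str:
    """Say which layer is lying, in the terms the thread uses."""
    if any(ip.startswith("127.") for ip in dns_ips):
        return "dns-level hijack: the resolver itself answers loopback"
    if any(ip.startswith("127.") for ip in stack_ips):
        return "stack-level redirect: DNS is fine, OS resolution lands on loopback"
    if set(dns_ips) != set(stack_ips):
        return "mismatch between direct DNS and OS resolver"
    return "consistent"
```

Run `assess(direct_dns(host, server), os_resolver(host))` for a host that 404s on the infected box. A redirect done below the socket layer by a filter driver, as in Durf's case, returns "consistent" from both paths, which is exactly why Erik's advice to scan from a second OS instance is the right next step.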