I recently got a number of malware infections, which, I suspect, downloaded other malware. Yesterday, one of them began blocking my access to antivirus sites, like for instance AVG. I just couldn’t access the pages.
Superantispyware got rid (apparently) of all those it could detect except one. This malware’s job seems to be to display ads on the sites I visit, for instance an ad telling me I won something at the bottom of the Straight Dope pages (FTR, it’s an Adware.vundo variant).
I’m not sure how I’m going to get rid of this one, but I suspect it’s not the malware that blocked the access to antivirus pages in the first place. Still, I can’t access them. Instead of them being blocked, I’m now redirected to other pages and supposed search engines.
Assuming that I’m right (that the malware I still have isn’t the cause), is it possible that the other, now presumably eliminated, malware has modified some settings in my browsers or somewhere else that I could now change back?
If so, where should I look?
Get your hands on Malwarebytes Anti-Malware and SDFix. SDFix rips Vundo several new assholes, and the Malwarebytes product seems to cover some of the gaps in the usual suspects like AVG.
Actually, since I wrote my OP, I noticed that there are more webpages than I thought where I was denied access: anti-malware forums, computer security sites, sites where I should be able to download tools useful against malware like the ones you linked to, Symantec, HijackThis, fixes for Vundo…
Could the malware have changed your HOSTS file? You could try deleting the file, but I don’t know what happens when you do… I’m running Windows XP, and the file is located in C:\windows\system32\drivers\etc. The file name is “hosts” (no extension).
Because I don’t know what would happen if you delete it in its entirety, here is a copy of my file:
Sounds like changes were made in your HOSTS file (lots of links to visit at the bottom).
Ya might want to start with the Security Now! podcast page on the HOSTS file (link goes to the notes page, the actual podcast is here) for the basics on the HOSTS file.
Some anti-malware programs monitor and/or prevent changes to the HOSTS file (Spybot S&D, Spyware Blaster, etc), some of the start-up monitors do too (WinPatrol does for sure) and there are custom HOSTS files like Mike’s Ad Blocking Hosts file among others which block ads and malicious sites.
CMC +fnord!
Reading your last bunch of posts to this thread, I’d try seeing if you can even get into the file. (Windows NT/2000/XP/2003/Vista: %SystemRoot%\system32\drivers\etc\ is the default location, which may be changed; the actual directory is determined by the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath. Windows 95/98/Me: %WinDir%.) Some malware locks the file, and if you can’t access it then you can be pretty certain that’s what happened.
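The check the last few posts describe, as an added example and not code from anyone in this thread: parse the HOSTS file, list every non-local hostname it pins to an address, and separate entries that sinkhole a site to this machine (the "can't access the page" symptom) from entries that send it to some other server (the "redirected to a fake search engine" symptom). The file location is resolved from the DataBasePath registry value named above when the script runs on Windows, falling back to the default path otherwise. The sample HOSTS text is constructed, and the vendor domain list is an assumption based on the sites named in the thread.

```python
"""Audit a Windows HOSTS file for entries that block or redirect hostnames.

Added example for this thread, not code posted by anyone in it. The sample
HOSTS text is constructed; the vendor domain list is an assumption based on
the sites named in the thread.
"""
import os
from dataclasses import dataclass

# Default location quoted in the thread. On NT-family Windows the real
# directory is the DataBasePath value under
# HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
DEFAULT_HOSTS = r"%SystemRoot%\system32\drivers\etc\hosts"
TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Addresses that point a name back at this machine (or at nothing).
SINKHOLE = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately map to loopback in a stock file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Vendors named in the thread; the domains are assumed, for matching only.
WATCHLIST = ("avg.com", "symantec.com", "malwarebytes.org",
             "superantispyware.com")


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    kind: str          # "blocked" (sinkholed) or "redirected" (other IP)
    watchlist: bool    # True if the name belongs to a security vendor


def hosts_path() -> str:
    """Resolve the HOSTS path from the registry on Windows, else the default."""
    try:
        import winreg  # stdlib, but only importable on Windows
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMS) as key:
            base, _ = winreg.QueryValueEx(key, "DataBasePath")
        return os.path.expandvars(os.path.join(base, "hosts"))
    except (ImportError, OSError):
        return os.path.expandvars(DEFAULT_HOSTS)


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for every mapping; comments ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        parts = line.split()
        if len(parts) < 2:                       # blank, comment, or malformed
            continue
        for name in parts[1:]:                   # one address, many names
            yield line_no, parts[0], name.lower()


def audit_hosts(text: str) -> list:
    """Return a Finding for every mapping of a non-local hostname."""
    findings = []
    for line_no, address, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        kind = "blocked" if address in SINKHOLE else "redirected"
        watch = any(name == d or name.endswith("." + d) for d in WATCHLIST)
        findings.append(Finding(line_no, address, name, kind, watch))
    return findings


def strip_hijacks(text: str) -> str:
    """Return the file with every flagged mapping line removed, comments kept."""
    bad_lines = {f.line_no for f in audit_hosts(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), 1) if i not in bad_lines]
    return "\n".join(kept) + "\n"


# Constructed sample: a stock localhost line plus entries of the kind the
# thread describes (AV vendors sinkholed, a search engine sent elsewhere).
SAMPLE_HOSTS = """\
# HOSTS file (constructed sample)
127.0.0.1       localhost
127.0.0.1       www.avg.com avg.com          # sinkholed: "can't access"
127.0.0.1       www.symantec.com
0.0.0.0         www.malwarebytes.org
203.0.113.10    www.google.com               # redirected to another server
"""

if __name__ == "__main__":
    print("HOSTS file location:", hosts_path())
    for f in audit_hosts(SAMPLE_HOSTS):
        tag = " [security vendor]" if f.watchlist else ""
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.kind}){tag}")
```

To run it against a real machine, replace `SAMPLE_HOSTS` with the contents of `hosts_path()`; if the open itself fails with a permissions error on a file you own, that matches the "malware locks the file" case described above. A stock XP HOSTS file contains nothing but the localhost line and comments, so any finding at all is worth a look, and the watchlist flag only prioritises the entries that explain the antivirus-site symptom.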
I’m going to try both of these tomorrow. I’ve resigned myself to believing that there’s nothing that will kill Vundo. It’s like Chucky: you can burn it, stab it, shoot it, pour sulfuric acid and several different experimental fluorine compounds on it, and even force it to watch a Britney Spears video in an unending loop for several days straight, and it will not die. If these really work, I will build a four-inch statue of you in earthquake paste and affix it to the top of my processor.
OK. I could download Malwarebytes from a French website (and was also able to access AVG France, by the way).
Malwarebytes found a dozen more pieces of malware, including apparently the one that prevented me from accessing malware-related sites. That’s the first time I’ve seen malware that tries to prevent you from healing malware. I assume it includes a list of the main sites the victim is likely to try to access and blocks them, but probably (and fortunately) only sites in English are included. Fuckers! :mad: :mad:
This problem at least is dealt with. I’m still stuck with the ads provided by Vundo, though. This one wasn’t healed (I remember having a hard time getting rid of an older version of it a couple of years ago). I’ll try SDFix next and look for other anti-Vundo tools, now that I’ve regained control of my browsers.
**Hirka T’Bawa** and **crowmanyclouds**
Thanks too for the info. I’ll look into that and try to build a better defence.
Didn’t someone in the “what will impress you in 2048” thread predict that malware and anti-malware are likely to soon become sentient? I suspect he’s right.
You might want to gather the raw materials for the statue, because after running both programs, Superantispyware doesn’t find Vundo anymore on my machine (even though I’m still not fully convinced… I’m paranoid like that). I hope it will work for you.
*Sweeeeet…* SuperAntiSpyware always finds Vundo and quarantines it, but it invariably rears its ugly head the next time you boot, so you have to run it every time you start up. If SDFix can really kill the little varmint, it’ll be like the second coming.
There has been a lot of virus activity lately that has taken time for the AV companies to respond to. Our virus cleanup work in my shop lately has nearly doubled.
It did not raise its ugly head this time. At least Superantispyware doesn’t find it any more, and I don’t have unwanted ads anymore, either.
What is weird, however, is that after using Malwarebytes, Vundo was still present (or at least, I still had ads). I then ran SDFix, which didn’t find anything. Nevertheless, after having run it, Vundo wasn’t anywhere to be found. So, I’m not sure what exactly removed it (assuming it has actually been removed, a thing I’m still sceptical about, even though I’ve no reason to be apart from a past experience where killing it had involved much more than simply running an anti-virus).
You might have a rootkit if your computer is behaving strangely but nothing detects any malware. That can be a tough nut. I’ve used Rootkit Revealer myself, but it can be difficult to sort out false positives and so on.
They were browser windows, assuming I’m not mistaken about the meaning of this word: they appeared on web pages in spots where you’d expect to see ads (for instance, on the SDMB at the bottom of the page, replacing the regular Google ads),
but belonged to the illegitimate-ads category, like “get a green card to live in the USA”, “you’re the 100 000th visitor on this site”, “gorgeous woman living in your neighbourhood left you a message”, etc…