My Avast antivirus started throwing fits this evening as I browsed the Dope - lots of malicious temporary internet files showing up, and the installation without consent of some toolbar called ‘Mirar’. Anybody else having trouble?
What browser are you using? I’m using Firefox, Chrome, and Firefox 3.1 beta (Minefield) and not getting any of that... also using AVG so don’t know.
Nope, looks like you got infected from another site, e-mail, or suspicious download. You might give Spybot Search & Destroy and Ad-Aware a whirl (but not at the same time) to see if they clean your system up.
I clicked on a link in MPSIMS and got the big danger, danger sign from my anti-virus. That doesn’t happen to me often here.
There’s one other site I consider a possible source on this - Mirar actually was the symptom, not the disease.
The disease is this nasty piece of work:
Avast, Spybot, and Ad-Aware haven’t gotten rid of it yet, but I’ve got one or two more ideas…
I’ve had that before. Run Spybot and your AV in safe mode. Should do the trick.
Malwarebytes comes highly recommended. Or run Hijackthis and post your log here: http://forums.spywareinfo.com/
Just in case you aren’t aware of the feature, avast! has a “Schedule Boot-Time Scan” in the menu. Much better to run it during boot-up than with Windows actually running.
CMC +fnord!
ETA The avast! screen saver is really cool too!
Thanks for your thoughts, gentlemen, though I arrived at most of the same ideas by independent experimentation.
This is a newish strain of Virtumonde. Safe Mode + MalwareBytes + Spybot + Ad-Aware + Avast + SuperAntiSpyware = Failure.
It had a stealth DLL attached to all my SvcHost processes that would re-create deleted registry entries when they were removed, and the only thing Safe Mode bought me was that it couldn’t go out and re-create its auxiliary malicious files. None of the AV software found the DLL.
I was able to pin it down with Process Explorer and Autoruns, two utilities from SysInternals. This thing was attached in such a way that it could not be seen from Windows Explorer. (I don’t mean hidden file - I mean attached to the explorer process and preventing it from being seen.)
I was able to go into the command line, and rename the DLL. Then rebooted. Since its name had changed, the reg entries wouldn’t load it into memory, and then I was able to kill everything off.
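The Process Explorer / Autoruns workflow above (find the DLL riding inside svchost.exe, then find the registry entries that reload it) can be scripted for a first pass. This is an added example, not code from the thread or from SysInternals; it assumes an elevated PowerShell prompt and checks only the standard Run, Winlogon\Notify and AppInit_DLLs locations.

```powershell
# Added example: list DLLs loaded into svchost.exe that are not Microsoft-signed,
# then look for registry autostart entries that reference those DLLs.
# Run elevated. Unsigned does not automatically mean malicious; review each hit.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # holds AppInit_DLLs
)

function Get-SuspiciousSvchostModules {
    $seen = @{}
    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }   # some service hosts deny access
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path -or $seen.ContainsKey($path)) { continue }
            $seen[$path] = $true
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $isMs = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
            if (-not $isMs) {
                [pscustomobject]@{ PID = $proc.Id; Module = $path; Signature = $sig.Status }
            }
        }
    }
}

function Find-AutostartReferences([string[]]$ModulePaths) {
    $names = $ModulePaths | ForEach-Object { [IO.Path]::GetFileName($_) }
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $items = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($valueName in $item.GetValueNames()) {
                $data = [string]$item.GetValue($valueName)
                foreach ($n in $names) {
                    if ($data -like "*$n*") {
                        [pscustomobject]@{ Key = $item.Name; Value = $valueName; Data = $data }
                    }
                }
            }
        }
    }
}

$hits = @(Get-SuspiciousSvchostModules)
$hits | Format-Table -AutoSize
if ($hits) { Find-AutostartReferences ($hits.Module) | Format-Table -AutoSize }
```

A DLL that is mapped into a running service host is usually locked, so the rename step the poster describes still has to happen from Safe Mode or an offline boot before the registry entries are cleaned.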
Just be careful with that. I got that strain myself, and it was somehow able to repopulate itself if I stayed online too long. I can’t really offer much advice, as I finally switched to Linux after all that mess. But it’s been suggested that it may have uninstalled some of your updates.
(Yes, I know I may have had concurrent infections. All the more reason for me to just nuke that partition.)
Hmm, yeah, I got a virus I can’t get rid of but can’t find it either. I’ve run Avast, Spybot, Malwarebytes, though I have yet to use HijackThis so that might help. ’Cause I don’t have anything major to speak of at this point but for whatever reason can’t shut my IE off completely, though I use a browser called Maxthon which basically uses IE settings but is secure and customizable like Firefox.
It’s that pesky extra DLL. It’ll repopulate everything if you don’t get it, and anti-spyware software doesn’t get it.
My system scans clean now with SpyBot, Ad-Aware, MalwareBytes, and SuperAntiSpyware. It’s been online in normal mode for a day and a half. I’m pretty confident it’s gone.