"My PC is running normally"

  • Thread starter: plun
http://msmvps.com/blogs/spywaresucks/default.aspx

I went back to my problem-child Windows 2000 machine which I know to be
infected, even though about a month ago, Windows Defender, Ewido, Blacklight
and RootkitRevealer all gave it a clean bill of health.

I had some spare time tonight so I thought I'd see if technology had
advanced enough to find the pesky critter that was popping up ads every time
a browser opened. The ads have gotten a bit slicker--they all have
disclaimers at the bottom about how they aren't related to the web site you
are viewing.....

Windows Defender--current to date--clean.
Ewido - Clean (both quick scans)

Blacklight--downloaded today--found 1,842 hidden files--mostly 1830+ cached
items, and a few executables--totally stealthed--several running processes
invisible to Task Manager, and a hidden subdirectory under Program Files (at
least they are using the right hierarchy!)--and an executable or two in
\windows\system32, and a .SYS driver in \windows\system32\drivers.

Even given full path info from Blacklight, I couldn't touch these objects
with standard Windows tools in a standard boot. Restarted in safe mode
command prompt, and found that indeed, BlackLight had been able to rename a
few of the executables (since each choice must be made individually, I did
all the executable code pieces, and a few hundred of the cache pieces before
I gave up and said do it!)

At any rate, in safe mode I was able to spot the pieces--the driver, the
executables in system32, and the now unhidden subdirectory. Blew everything
away, and the system appears clean for the first time in many months.

So--I don't know what happened here--perhaps the payload in place changed
over time, and I hit it at the right time with the right tools. I suspect,
though, that BlackLight has gotten smarter--I didn't get around to trying
RootkitRevealer--I was so pleased to have actually gotten a handle on the
thing I just wiped up the pieces as fast as I could and went home.

Something that hides as well as this does is going to take some real care to
find--I wish that Windows Defender could have found it--but it did not.
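
Added example, not code from Bill's post, from BlackLight, RootkitRevealer or Windows Defender: a simple "cross-view" check in PowerShell for the kind of hidden processes described above. It compares the process list the normal enumeration API returns (Get-Process) with the set of PIDs that can be opened directly with OpenProcess. A rootkit that filters the enumeration often leaves direct handle opens working, so the difference between the two views is the suspect list. Assumptions: a modern Windows host (QueryFullProcessImageName is Vista or later, so this would not run on the Windows 2000 box in the post), an elevated session, and function names of my own choosing.

```powershell
# Added example: cross-view check for processes hidden from enumeration.
# Not code from any tool named in the thread; generic technique with my
# own function names. Assumes Windows Vista or later and an elevated
# PowerShell session so that most processes can be opened.

if (-not ('Probe.Native' -as [type])) {
    Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);

[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint dwFlags,
    System.Text.StringBuilder lpExeName, ref uint lpdwSize);
'@
}

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED = 5

function Get-ProbedProcesses {
    # Probe every possible PID directly with OpenProcess instead of asking
    # the system for a list. NT process IDs are multiples of 4.
    param([int]$MaxPid = 65532)
    $found = @{}
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        $h = [Probe.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        if ($h -ne [IntPtr]::Zero) {
            $sb = New-Object System.Text.StringBuilder 1024
            [uint32]$size = $sb.Capacity
            if ([Probe.Native]::QueryFullProcessImageName($h, 0, $sb, [ref]$size)) {
                $found[$candidate] = $sb.ToString()
            } else {
                $found[$candidate] = '<image path unavailable>'
            }
            [void][Probe.Native]::CloseHandle($h)
        } elseif ([System.Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
            # The PID exists but we may not open it (protected process); it still counts as present.
            $found[$candidate] = '<access denied>'
        }
        # Any other error (typically ERROR_INVALID_PARAMETER) means there is no such process.
    }
    return $found
}

function Find-HiddenProcesses {
    # Snapshot the "official" list before and after the probe so a process
    # that merely started or exited during the scan is not reported as hidden.
    $before = @{}
    Get-Process | ForEach-Object { $before[$_.Id] = $true }
    $probed = Get-ProbedProcesses
    $after = @{}
    Get-Process | ForEach-Object { $after[$_.Id] = $true }

    foreach ($id in ($probed.Keys | Sort-Object)) {
        if (-not ($before.ContainsKey($id) -or $after.ContainsKey($id))) {
            [pscustomobject]@{ PID = $id; Image = $probed[$id] }
        }
    }
}

$hidden = @(Find-HiddenProcesses)
if ($hidden.Count -eq 0) {
    'No processes found by direct probing that the enumeration API omits.'
} else {
    $hidden | Format-Table -AutoSize
}
```

Anything this reports deserves a look in Safe Mode, as Bill did. The check only catches the common "filter the list" style of hiding; a kernel component that also hooks OpenProcess or unlinks its process object from the kernel's list will pass it, which is why offline or raw-disk comparison tools remain necessary.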
 
Hi Bill

Well again.... "Houston we have a problem" ;)

Sandi's expression within her blog:
"Guess what Patchou. You're the lowest of the low.".............

These infestation tactics I have only seen within the Internet's real backyard,
and now Patchou is using them.

One "funny" thing with these infestations seems to be that the LOP servers
send out Errorsafe or Amanea.com randomly and at specific times.

Maybe they are also using IP address recognition so that they can avoid US
problems.

So the latest Messenger Plus really stinks....... better with an RTP block
with WD. Done!

regards
plun
 