dev22
2008-05-21, 15:29
This seems pretty serious.
I'm not a computer beginner, I am actually a retired security expert and I usually don't have any problems with my computers...
Probably a new version of a virus, spreading like crazy all over the world. I downloaded a new version of WinRAR 3.71 from a torrent site yesterday and it was probably infected with this shit.
What happens:
- major computer slowdown
- popups and popunders, in Firefox as well as in IE (URLs: adnetserver.com, suspensorpc.com and others)
- browser ad hijacking
- searching in Google is painfully slow
Ad browser hijacking: every site I visit which shows some ads is hijacked by this malware. The ads they normally display are removed and replaced by some other ads after a few seconds, originating mostly from CPXinteractive.com Yield Manager. This happens on all websites no matter the language or ad format. Ads also rotate and change like every 5 seconds.
What I did:
- complete scans with NOD32, HijackThis, Ad-Aware, Spybot -> no help
What I found:
- There are infected files (libraries) causing this mess located in Windows/System32. Their names are totally random with a .dll extension (pmnnmljJ.dll, byXQHBrq.dll, supmqbat.dll). There are some .ini files with random names as well (ypukrblc.ini, qrBHQXyb.ini2, etc.). Each file is about 300 kB in size.
- It's impossible to delete these files. I tried safe mode, the applications MoveOnBoot and killerbox and many other utilities - but nothing can delete these files! They must be hooked up somewhere in the kernel or in system drivers.
- There's a classic registry entry in HKLM/ms/win/cur version/run launching these files: "Runddl32.exe C:/Windows/System32/clbrkupy.dll". If you remove this, it's added back within a few seconds.
Here's one more URL which tried to download something but was stopped by NOD32. Edit: removed
trojan
I am trying Kaspersky online scan and a utility called SUPERAntiSpyware now but I doubt it will help. This is really serious shit spreading fast and I guess I'm not the only one having these issues right now.
UPDATE: Kaspersky found the virus and marked it as Trojan-Downloader.Win32.Agent.pvz. It was unable to delete it though.
Any help is welcome.
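The indicators dev22 lists (a Run value launching a random-named System32 DLL through rundll32, ~300 kB DLLs and .ini files with random names, a Run value that comes back within seconds, files that cannot be deleted) can be pulled together into a read-only triage pass. The script below is an added example for readers of this thread, not code from the poster, and it assumes Windows PowerShell 5.1 or later in an elevated prompt. The size window (250-350 kB), the 7-day age cut-off, and the tolerant `rund+l+32` pattern (written so it also matches the "Runddl32.exe" spelling quoted in the post) are assumptions taken from the post, not confirmed indicators.

```powershell
# Added triage example (not the poster's code). Assumes Windows PowerShell 5.1+
# in an elevated prompt. Thresholds and the launcher-name pattern are assumptions
# derived from the post, not fixed indicators of compromise.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Every Run/RunOnce value whose command is rundll32 loading a DLL.
# 'rund+l+32' deliberately also matches the "Runddl32.exe" spelling in the post.
function Get-RunDllAutostarts {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSChildName, ... are not values
            $cmd = [string]$prop.Value
            if ($cmd -match '^\s*"?(?:[^"\s\\]*\\)*rund+l+32(?:\.exe)?"?\s+(.+)$') {
                # Optional entry point follows the first comma; strip quotes, normalise slashes.
                $dll = ($Matches[1] -split ',', 2)[0].Trim().Trim('"') -replace '/', '\'
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd; Dll = $dll }
            }
        }
    }
}

# Size, timestamps, Authenticode status and the processes that currently have the
# file mapped. A DLL mapped into a running process cannot be deleted from that
# session, which explains the "undeletable" symptom without assuming a kernel hook.
function Get-DllTriage {
    param([Parameter(Mandatory)][string]$Path)
    $exists = Test-Path -LiteralPath $Path
    $result = [ordered]@{ Path = $Path; Exists = $exists }
    if ($exists) {
        $item = Get-Item -LiteralPath $Path -Force
        $sig  = Get-AuthenticodeSignature -LiteralPath $Path
        $result.SizeKB    = [math]::Round($item.Length / 1KB)
        $result.Created   = $item.CreationTime
        $result.Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        $result.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # tasklist /m <module> (built-in) lists processes with that module loaded.
        $result.LoadedBy  = @(tasklist /m $item.Name /fo csv /nh 2>$null |
                              ConvertFrom-Csv -Header Image, PID, Modules |
                              Where-Object { $_.PID -match '^\d+$' } |
                              Select-Object -ExpandProperty Image)
    }
    [pscustomobject]$result
}

# Sweep System32 for recently created DLLs in the size window the post describes,
# plus any recent .ini/.ini2 files. Thresholds are assumptions; tune per incident.
function Find-RecentSystem32Files {
    param([int]$Days = 7, [int]$MinKB = 250, [int]$MaxKB = 350)
    $sys32 = Join-Path $env:windir 'System32'
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $sys32 -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.CreationTime -ge $since -and (
                ($_.Extension -like '.ini*') -or
                ($_.Extension -eq '.dll' -and $_.Length -ge $MinKB * 1KB -and $_.Length -le $MaxKB * 1KB)
            )
        } |
        ForEach-Object { Get-DllTriage -Path $_.FullName }
}

# Confirm that a removed Run value is being re-created by a live process.
function Watch-RunValue {
    param([string]$Key, [string]$Name, [int]$Seconds = 30)
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($v) { return "$(Get-Date -Format HH:mm:ss) value '$Name' is back: $v" }
        Start-Sleep -Seconds 1
    }
    "value '$Name' did not return within $Seconds s"
}

# Usage: list rundll32 autostarts, triage the DLLs they load, then sweep System32.
$hits = Get-RunDllAutostarts
$hits | Format-Table -AutoSize
$hits | ForEach-Object { Get-DllTriage -Path $_.Dll } | Format-List
Find-RecentSystem32Files | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Path, SizeKB, Created, Signature, LoadedBy -AutoSize
```

Everything here is read-only. Two caveats before acting on the output: on older PowerShell builds `Get-AuthenticodeSignature` reports catalog-signed OS files as `NotSigned`, so an unsigned result alone is not grounds for deletion and should be checked against a known-good baseline; and the `LoadedBy` column only tells you which processes hold the file mapped (the usual reason in-session deletion fails), not whether a driver is involved. Killing or suspending the listed processes before deleting, or deleting from offline media, is the corresponding remediation step, and `Watch-RunValue` lets you check whether the re-creating process is still alive afterwards.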