Posted 09 July 2009 - 01:10 PM
I'm getting ready to upload a HJT (to the appropriate forum, oc), but was wondering in the meantime if you folks here have come across this.
The standard symptoms: the HOSTS file gets redirected with a 127.0.0.1 chura.pl/rc link (the page can't be displayed via IE6, and PCT SDAV doesn't intercept it).
PCT SDAV does intercept a spontaneous request for sys.zief.pl (this request runs about 4x/minute).
IE6 browsing is blocked for security sites.
These 3 things seem very similar to the Feb 2009 start of W32.Virut -- but seem different, mostly because of the chura.pl and the "sys." in front of zief.
I haven't seen any <iframe> examples yet.
I haven't seen this propagate across machines here yet.
PCTools, so far, is ignoring my requests for help.
I've been attempting to kill this since Monday 6 Jul. I isolated one thread of infection that was in my Eudora 7 (saved folder). After the XP reinstall I copied the entire contents of that folder back into the new Eudora install.
Start Eudora and bam. IE6 pops up with chura.pl as the address.
I just successfully reinstalled XP & Eudora, copied my mbx, toc and ini files only, and voila! No bizarreness. My email is there and the HOSTS file is clean. Sorry I don't have the time to isolate the culprit dll(s) or exe(s) (turns out I was copying over the original copy of eudora.exe all those other reinstall/copy times. Doh!)
There was another file: a Dell driver install.exe for my integrated audio adapter. That's now gone after I had PCTools SDAV quash it. (I'm coming around to the idea of manual retrieval of things I can keep and then killing the D: drive. And the J: drive, 1.2 TB; sheesh, where will I put it all?)
If I think this through, the problem seems intransigent. If you get this (family of) virus/rootkit you must lose everything and re-install, because by the time the problem arises and your AV is aware of it -- it's too late, because the bug is latent in an exe waiting for execution.
I ran Norton's W32.Virut removal tool -- it found nothing on a clean install -- although that infected Eudora-related file was scanned. I then installed Eudora, copied my stuff, ran Eudora and bam, got hit. Then ran the removal tool again; it found 2 thread infections, fixed them -- but my hosts file was still modified. So the AV folks will have us users running in circles and losing massive amounts of time.
I have run HJT a few times and reviewed it, but didn't see anything obvious. If I get hit again I will run it & post.
One last weirdness: the HOSTS file. I cleaned it manually, saved it and made it read-only, and rebooted. I still got redirected -- and the hosts file was still clean. Huuh!
Any thoughts on this? Anybody seen this (variant)? Any advice?
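Added example (not code from the original post): a small Python audit of a Windows HOSTS file for the kinds of entries the post describes: malformed hostname tokens such as `chura.pl/rc`, security-vendor domains mapped to loopback (blackholed) or to some other address (redirected), and hosts already on a known-bad list. The vendor domains under `WATCHED_SUFFIXES` and the `SAMPLE_HOSTS` text are constructed placeholders; `KNOWN_BAD` holds the two hostnames the post mentions. The post also reports that redirection continued after the file was cleaned, so a clean HOSTS file is only one check, not proof the machine is clean.

```python
"""Audit a Windows HOSTS file for tampering of the kind described in the post.

Added example, not code from the original post. It flags:
  1. entries whose hostname is not a valid hostname (e.g. contains '/'),
  2. entries that point a watched (security-vendor) domain anywhere, since
     that either blackholes the site (loopback) or redirects it elsewhere,
  3. entries naming hosts the operator already lists as known-bad.
WATCHED_SUFFIXES and SAMPLE_HOSTS are constructed placeholders; KNOWN_BAD
holds the two hostnames named in the post.
"""
import ipaddress
import re

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

WATCHED_SUFFIXES = ("security-vendor.example", "av-updates.example")  # constructed
KNOWN_BAD = ("chura.pl", "sys.zief.pl")  # hostnames from the post


def parse_hosts(text):
    """Return (lineno, address, hostname) tuples; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:  # one line may map several names to one address
            entries.append((lineno, fields[0], name))
    return entries


def _under(name, suffixes):
    """True if name equals one of the suffixes or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_hosts(text, watched=WATCHED_SUFFIXES, known_bad=KNOWN_BAD):
    """Return (lineno, finding, entry) tuples for every suspicious entry."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        entry = f"{ip} {name}"
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, "bad-address", entry))
            continue
        if not HOSTNAME_RE.match(name):
            findings.append((lineno, "malformed-hostname", entry))
        elif _under(name, known_bad):
            findings.append((lineno, "known-bad-host", entry))
        elif _under(name, watched):
            if addr.is_loopback or addr.is_unspecified:
                findings.append((lineno, "watched-domain-blackholed", entry))
            else:
                findings.append((lineno, "watched-domain-redirected", entry))
    return findings


SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
127.0.0.1       chura.pl/rc
127.0.0.1       www.security-vendor.example
192.0.2.10      av-updates.example
127.0.0.1       sys.zief.pl
"""

if __name__ == "__main__":
    # On a real machine, read %SystemRoot%\System32\drivers\etc\hosts instead.
    for lineno, finding, entry in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {finding}: {entry}")
```

The audit deliberately does not flag every `127.0.0.1` mapping, since ad-blocking hosts files legitimately contain thousands of those; it reports only entries that are syntactically invalid, that touch domains the operator cares about, or that name hosts already known to be bad.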