Spybot didn't detect anything. and was banned from updating
Malwarebytes didn't detect anything. and was banned from updating
Superantispyware wouldnt run
I deleted the parts that loaded via the registry,killed the running process, updated and ran all three programs again.
Superantispyware removed 11 components (one of which was funweb)
I thought that it was gone.
This morning our corporate install of Kasperksy Antivirus killed this:
c:\documents and settings\alan\local settings\application data\ebnveh\tkhqsftav.exe
I deleted the directory.
Behavior:
Originally:
- Showed fake virus warnings
Gave false warning on Windows Security settings
Porn pop-ups
Taskbar infected pop-up
Blocked updates to anti-malware programs
Installed Proxy into Internet explorer 8 127.0.0.0 : 5000
Hyjack this shows nothing unusual and I mean not a thing.
Everything in the Hyjackthis log version 2.0002 has been verified.
Nothing is listed in MSconfig
Nothing unusual is loading from the (Run or Run once) listings in the Registry
I 'm down to checking for a rootkit at this point.
Short of setting the machine to create a bootlog and dissecting it I'm running short on ideas.
Somehow this bugger is still reloading the proxy and rebuilding the directory on boot.
Any ideas?
Thanks,
Mackintire
Update 2/24/2010
The proxy reloading may have been a fluke leftover from the last reboot. The rootkit scan came clean and we rebooted with no signs of infection. It'll be a few days before I call it verified clean.
