I'm not sure if theres some new and weird stuff thats going around atm.
I currently have here a laptop for repair that appears to have been root-kitted
Its a bit of a nightmare this one - it got past AVG, and according to the owner, got in via an ad displayed on a website that they frequent (nothing naughty). The time of the attack, and also from looking at their browser history would seem to confirm this.
Over the years I normally enjoy the challenge of sweeping up infected PCs as viruses are something I sidetracked into when doing my dissertation.
.. But this one is a real nasty.
Im still working on it.... as malware bytes says its clean, but Rootkitrevealer is still showing something weird and Im still having probs accessing some essential windows files but so far this is what its done/did
~ Disabled access to Control Panel, Task Manager, Sys restor, cmd, windows event logging and various sys32 files.
~ Disabled regedit - no access to the registry.
~ Disabled:AVG. Stopped access to M$ sites & other AV type sites.
~ Stopped any AV or malware scanners being run such as HJT, malwarebytes.
~ Trojan still ran when in safe mode - had also accessed memory module.
~ Multipart which regenerated itself using polymorphic naming. Was about a dozen parts so if you didnt get it all at once, it just simply regen'd itself.
~ Took over Windows Administrator account. I tried to access via administrator in safe mode and it had changed the main admin password so you couldnt get in.
~ Changed numerous policies & permissions (machine was XPHome so no gpedit :/)
~ Blew a massive hole in the firewall and opened various ports, and now the machine was a nice target for just about any piece of crap that was floating around the internet. - To be precise another 23 viruses, trojans and other assorted malware.
Stresses that the above did NOT come from the dslzone attack.. and its NOT the same thing that you guys are seeing.
The point being that new variants of viruses are being released all the time and thats why making sure our AV is kept up to date and patched.
Ive been online now for about 13/14 yrs and iirc the only time ive ever suffered from such like is back in 2002/2003 on the very night that sql slammer was released into the wild. It got me about 30mins after it was released... but it was so new that none of the AVs could offer any protection against it. It was a few days before M$ released a patch for MSDE sql and even longer before the AVs started offering protection.
None of us should be too complacent either, because I know of several forums which have been attacked through brand new security issues that have come to light, luckily these were more minor stuff such as spam bots type and not malicious stuff... but in the world of computing we all have constantly alert :/
