Undetected by Eset u.winzxm.com

Compromised a whole network of computers. Have latest version of Eset 4.0.417. Full scan no infection. It is currently being detected by One Care when the browser trys to access the site..

When trying to connect to Windows Update, it connects to u.winzxm.com and trys to install an activex. After trying to install activex, it hangs IE.
Host files are clean, DNS is clean. Input Microsoft Windows Update IP manually on browser, still same results.

Please see attach pic's of the site it connects to.

http://mtgrescue.com/1.JPG
http://mtgrescue.com/2.JPG
http://mtgrescue.com/3.JPG
http://mtgrescue.com/4.JPG
http://mtgrescue.com/activex.JPG
http://mtgrescue.com/onecare.JPG
http://mtgrescue.com/onecare1.JPG

Scan Logs
http://mtgrescue.com/SysInspector-DDZ1Y5H1-090411-1014.zip
http://mtgrescue.com/4102009.xml

Info from Malware domain list.
http://www.malwaredomainlist.com/mdl.php?search=61.152.144.85&colsearch=All&quantity=50

2009/04/08_00:00 j.winxyz.com/win/j/index.htm 61.152.144.85 - exploits zengcheng kirazxm@qq.com
2009/04/08_00:00 m.winxyz.com 61.152.144.85 - redirects to exploits zengcheng kirazxm@qq.com
2009/01/21_12:00 u.winzxm.com 61.152.144.85 - exploits winzxm@qq.com
2009/04/08_00:00 winxyz.com/win/j.exe 61.152.144.85 - trojan zengcheng kirazxm@qq.com
2009/04/08_00:00 winzxm.com/win/u.exe 61.152.144.85 - trojan zengcheng winzxm@qq.com

 

yes i found file :
~EC edit: VirusTotal results removed as per TOS~


in this adress : hxxp://j.xxxxxxxxx.com/win/j/dadongf.swf

 

Not sure what steps to take, it pretty much hangs IE. Does not effect Firefox.

 

you should not post links to malware here, please edit your post

 

I like how you say that yet you quoted the link

 

and edited it about 60 secs afterwards

 

Please edit/remove link to Virustotal as this is also a violation of TOS.
Thanks.

 

shouldn't you also be asking the person who actually posted these links?

 

The original link was removed by moderator. You then quoted the links, thereby
copying them.

 

the user him/herself removed them, but only in the last couple of minutes. Yes I understand how quoting works thanks.

 

Actually, the moderator removed the link to Virustotal, after I alerted him/her.

 

Any suggestion for Eset to help??

 

Anything?

 

On Sunday ?

 

You would be concern if your clients are at risk by this. Imagine your network was infected by this Asking for help because we want Eset to be the first to detect it.

 

submit some samples to ESET or call them directly.. It usually takes 3 days before I hear back if I email or leave messages

 

Not sure what to submit, Eset is not finding anything nor we know what file is causing it. When trying to visit any of Microsoft websites, it directs to itself to u.winzxm.com. Currently Windows One Care detects it when it is trying to download from u.winzxm.com. Temp fix is to block access to winzxm.com on our firewall. We have contacted Eset on Fri, they called back but we have to wait until Monday for help.

 

Just submit the URL and the information you already got that could help Eset to understand and fix this issue.

 

wait, are you actually expecting for ESET to respond to any Emergency on a Weekend? Any Weekend and ESPECIALLY EASTER SUNDAY??
~Comment removed.~

FYI, Monday after Easter Sunday is also national Holiday in some Eastern European Countries.....just an FYI. (Most kids are running around dumping buckets of water on each other).

Get in contact with the CA support, directly.

 

I'd suggest sending all files marked red in the SysInspector log in an archive protected with the password "infected" to samples[at]eset.com with this thread's url in the subject.

 

Hi,
The link you posted with malware are now detected by NOD32 as u.exe - Win32/PSW.Gamania.NBN trojan and E:\index.htm - JS/TrojanDownloader.Iframe.NDY trojan.

 

Looks like that is today's definitions, hopefully it finds something.

 

Denny -

any luck on this? I'm having the same problem on my small office network, every client has some Javascript installed (js_shellcode.br) that forces Internet Explorer to try to download a file (expl_iframebo.a) from u.winzxm.com. My antivirus is TrendMicro, and it's blocking the download of the exploit object, but I can't seem to remove the Javascript. It tries to run in Firefox/Chrome/Safari as well but doesn't seem to work. Unfortunately, a good deal of the modern world doesn't deem it necessary to make their sites compatible with anything but IE.

If you've found anything in your searching, please let me know.

 

This is the support forum for Eset products so in your case you should check out a support forum for Trend products if Trend is not able to detect or remove a infection. Unless you use Eset nod32 i don't think this is the right place to ask why your antivirus software do not block/remove a infection. The solution provided here will most likely be of no help for you since you do not use a antivirus product from Eset.

 

Does Eset solve this problem now? I ran the trial nod32 on 4/21/09 and so far no such luck.