Using a PC with a Windows install you don’t care about, aim your browser at navitotal.com The advertisements on it are doing a bang-up job at drive-by infestation.
It started with amatuerish attempts with automatic redirects to spam sites. Then it escalated to fake virus warnings. Next up came the sneak attacks but with easily cleaned malware. A few weeks ago I got nailed with a rootkit that sailed right past Avast and MSE. That took quite a bit of work to hunt down and remove.
I went back Sunday, May 1, 2011 and got nailed again. This time with malware that’s blocking Microsoft Security Essentials from running and it’s redirecting Yahoo and Google results through annogigheort.com which bounces through two or more additional sites that vary. Avast and MSE were alerting like crazy (for the first time on navitotal, they’d been completely silent on it previously) but at least one still got past.
Nothing I’ve scanned with, TDSSKiller, Avast, Malware Bytes, ComboFix finds a bleeping thing. Spybot S & D twigs to a registry entry with a notice about MSE being disabled, but it can’t fix it. HitMan Pro found rsopn.dll in Windows\System32 as a trojan but it’s 30 day free trial on the current download is pre-expired.
I used Unlocker to force-delete it then I used attrib to remove its system, hidden and read only attributes then put it in Avast’s chest to submit. From what little I could dig up on it, it appears to be from Russia.
Anyway, I think it’d be a good thing for the Avast people (and all other AV companies) to visit that site and allow it to massively infect a PC just to collect what’s new in nastiness. Going by reports by users of the navitotal forum, the drive-by attacks may be set to be for specific IP ranges. I’m in the USA.
Edit: Forgot to mention this malware also deleted all my System Restore points so I couldn’t just kick it back to last Friday or Saturday.