Windows Activation Technologies Pop-up


  1. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #31

    The Task Scheduler indicates it was last run 11-Sep-15 06:15:10.

    If I understand that correctly, it wasn't running when I started this thread or when I clicked the "Yes" button.

    Therefore, it must have been a fake indication of a run.

    Is that correct?


  2. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #32

    You would ONLY have got that popup for one reason - you were attempting to install the update.
    The update is signed, and as such, if there had been a problem with it, you would have seen a very different popup describing certificate errors.


  3. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #33

    I wasn't installing anything. I think that pop-up was an impostor and I was tricked into clicking yes. Once I clicked yes, all the trouble started.


  4. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #34

    Well, I kind of agree with Noel; however, that doesn't explain why Task Scheduler doesn't show that it ran when you clicked on the UAC pop-up! Instead it shows 11 September, which doesn't seem right.


  5. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #35

    Callender said:
    Well, I kind of agree with Noel; however, that doesn't explain why Task Scheduler doesn't show that it ran when you clicked on the UAC pop-up! Instead it shows 11 September, which doesn't seem right.
    If it was an impostor, it seems right. The UAC didn't run, but a pop-up that appeared to be the UAC did run and when I clicked on "Yes," the back door was wide open for all the riff-raff.

    I thought it was very strange for that pop-up to occur. That's why I started this thread, but I didn't wait long enough to read the replies, before I got curious and clicked "Yes."

    The two were definitely related.

    It's been so long since I've been hit like that that I got stupid.

    Regards


  6. Posts : 2
    Windows 7 N x64
       #36

    I clicked yes too


    Hey tjg79, I fell for it too, even after checking the cert (expired) and researching WAT. When I saw that it did not update the file(s) it said it was going to, I immediately pulled the system from the network and reimaged it. I also changed my user name and password. I still haven't solved my account lockout problem this caused though.


  7. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #37

    TeresaS said:
    Hey tjg79, I fell for it too, even after checking the cert (expired) and researching WAT. When I saw that it did not update the file(s) it said it was going to, I immediately pulled the system from the network and reimaged it. I also changed my user name and password. I still haven't solved my account lockout problem this caused though.
    I think this virus is new. It's very sophisticated, because the pop-up is high quality and looks legit.

    When ESET tech support cleaned my system, they collected what information they could about this virus. Hopefully, it will be incorporated into their virus definitions soon.

    Regards


  8. Posts : 2
    Windows 7 N x64
       #38

    FYI - we believe the payload came from camelcap.com/work/home/index.php. Since I re-imaged the system, that was all we could find. I also solved my account lockout issue, which was fortunately only caused by my username change.

    Cheers


  9. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #39

    TeresaS said:
    FYI - we believe the payload came from camelcap.com/work/home/index.php. Since I re-imaged the system, that was all we could find. I also solved my account lockout issue, which was fortunately only caused by my username change.

    Cheers
    Well I tried to find that payload in order to try to infect my machine and study it but I get:

    [Attached screenshot: 404 Not Found]


  10. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #40

    The who.is data on camelcap is interesting -
    originally registered 16/9/15 - so only 1 month old.
    Registrar is in China
    Registered owner is in the UK (!) - the post code is actually for ebuyer.com (!!) - but the address is Skelton, a couple of miles away, and appears not to exist (at least according to the Royal Mail postcode finder service).


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd