|
Midelne posted:Erm.
|
# ? Sep 4, 2009 14:55 |
|
brc64 posted:They really need to change their name to something that sounds less like malware. Maybe something like UltraSpywareKiller2010.
|
# ? Sep 4, 2009 15:35 |
|
Midelne posted:Maybe something like UltraSpywareKiller2010. Point taken.
|
# ? Sep 4, 2009 15:49 |
|
I feel like I'm risking getting flamed in here... I had a friend recently who had Virut on her hard drive in a few system files, WMplayer.exe, etc. I scanned it offline from another machine with SAS and MBAS, as well as the AV client on the scanning machine, then performed a repair install. Should I have been able to clean it off in the space of a few hours? Here's the important part of the log: code:
|
# ? Sep 4, 2009 15:57 |
|
Oddhair posted:I feel like I'm risking getting flamed in here... I had a friend recently who had Virut on her hard drive in a few system files, WMplayer.exe, etc. I scanned it offline from another machine with SAS and MBAS, as well as the AV client on the scanning machine, then performed a repair install. Should I have been able to clean it off in the space of a few hours? Personally I see Virut and give up on cleaning. It's not impossible to clean, but it's a lot quicker and less frustrating to remove vital pictures and documents, format, and reinstall Windows. Did you ever see that Achewood comic about the guy who invented Comic Sans? That's what I imagine it'll be like someday for the IT community when someone takes credit for writing Virut.
|
# ? Sep 4, 2009 16:05 |
|
Otacon posted:Came across a Rogue Antivirus today at work that would blue screen on Safe Mode, but let you into Windows normally. All EXE, BAT and DLL associations were changed and no longer allowed to run - I'd try launching Combofix, and Windows would ask me "Please choose a program to run this Application." Found some registry tweaks online, installed those, and finally ComboFix came up with about 25 infected GIF files sitting in System32/Config - turns out whatever this Rogue AV included allowed GIF files to be run as programs. SANS post on something very similar today, at least with regards to .exe hijacking. Looks like another major pain in the rear end to clean no matter how you slice it.
|
# ? Sep 4, 2009 17:44 |
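The association hijack described in the post above is visible in the registry before any scanner names the malware: the `.exe` extension is pointed at a different ProgID, or the ProgID's `shell\open\command` is replaced so every launch is routed through the malware's own file (in that case a renamed payload with a `.gif` extension). The following is an added example, not code from the thread or from any of the tools mentioned; it parses a `reg export` text and flags both tricks. The `.reg` contents, the `samplefile` ProgID and the `sample.gif` path are constructed for the example.

```python
import re

# Stock Windows associations for the executable file types (XP/Vista/7 era).
EXPECTED_PROGIDS = {".exe": "exefile", ".bat": "batfile",
                    ".cmd": "cmdfile", ".com": "comfile"}
STOCK_COMMAND = '"%1" %*'

# Association keys can live under any of these roots; HKCU shadows HKLM.
_CLASS_ROOTS = ("hkey_classes_root\\",
                "hkey_local_machine\\software\\classes\\",
                "hkey_current_user\\software\\classes\\")

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _normalise_key(raw):
    """Return the class-relative key path (lowercase), or None if not an association key."""
    low = raw.lower()
    for root in _CLASS_ROOTS:
        if low.startswith(root):
            return low[len(root):]
    return None


def _unquote(data):
    """Decode a REG_SZ literal from .reg syntax: "..." with \\\\ and \\" escapes."""
    if not (data.startswith('"') and data.endswith('"')):
        return None  # dword:/hex: values are not needed for this check
    return re.sub(r'\\(["\\])', r'\1', data[1:-1])


def parse_reg(text):
    """Parse a .reg export into {class_relative_key: {value_name: string}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = _normalise_key(m.group(1))
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(2).lower()
            value = _unquote(m.group(3))
            if value is not None:
                keys[current][name] = value
    return keys


def find_hijacks(keys):
    """Report extension->ProgID remaps and open commands that differ from the stock one."""
    findings = []
    for ext, progid in EXPECTED_PROGIDS.items():
        actual = keys.get(ext, {}).get("(default)")
        if actual is not None and actual.lower() != progid:
            findings.append(f"{ext} -> {actual} (expected {progid})")
        # Check the handler that is actually in use, whether stock or substituted.
        in_use = (actual or progid).lower()
        cmd = keys.get(f"{in_use}\\shell\\open\\command", {}).get("(default)")
        if cmd is not None and cmd != STOCK_COMMAND:
            findings.append(f"{in_use} open command: {cmd} (expected {STOCK_COMMAND})")
    return findings


# Constructed export of a hijacked machine: .exe re-pointed at a bogus ProgID whose
# handler runs a payload stored with a .gif extension, while exefile itself is untouched.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="samplefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\samplefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\config\\sample.gif\" \"%1\" %*"

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed export of a clean machine, for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for line in find_hijacks(parse_reg(SAMPLE_REG)):
        print(line)
```

On the infected box the export comes from `reg export HKCR\.exe out.reg` (and the same for `exefile`, plus `HKCU\Software\Classes`, since a per-user key shadows the machine-wide one). When `.exe` launches are hijacked but `.com` is still mapped to `comfile`, renaming the cleanup tool to a `.com` extension is the usual way to get it running; Windows identifies the file by its PE header, not the extension.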
|
What gets me about virut, is that it doesn't seem like it has any real purpose other than to just gently caress up an install. When I got it once all it did was devour my subsystem processes one by one till windows wouldn't even run properly. It didn't seem to affect any htm files like the general description of it mentioned. It did drop a pretty rad fake virus scanner on though. I actually thought because of the scanner it was vundo, but after getting something that would actually run to scan, it came up virut. All I could really do to fix it was just kill the install and exorcise the disc before reinstalling.
|
# ? Sep 4, 2009 21:50 |
|
It was probably something like a proof of concept that went too far. What it's supposed to do, probably, is inject code into an executable and work while the executable still functions properly, but it screws up the injection most of the time and breaks everything.
|
# ? Sep 4, 2009 23:12 |
|
Firefox is going to start warning users when they've got versions of Adobe Flash Player that are known to have security issues. Good idea, but the way things have been I'm betting it'll be under a month before we see a slow shift from YOU NEED A VIDEO CODEC to YOUR FLASH PLAYER IS INSECURE -- it'd be simple to target Mozilla users with a separate package and serve the usual crap to IE. Still, step in the right direction maybe?
|
# ? Sep 5, 2009 00:09 |
|
Midelne posted:Personally I see Virut and give up on cleaning. It's not impossible to clean, but it's a lot quicker and less frustrating to remove vital pictures and documents, format, and reinstall Windows. I've told clients that if I ever met the son of a bitch I would approach him, shake his hand, congratulate him on making something so nefariously evil, and then cold cock him in the nose. I think I would be justified.
|
# ? Sep 5, 2009 15:33 |
|
http://en.wikipedia.org/wiki/Comic_Sans The guy made it for children's cartoon speech bubbles in MS Bob. It's not his fault every idiot on the planet adopted it as a general use font.
|
# ? Sep 5, 2009 20:13 |
|
Suspicious posted:http://en.wikipedia.org/wiki/Comic_Sans I would rather see every font in the world replaced with comic sans than see another thing that uses Papyrus. At least Comic Sans is legible, if informal.
|
# ? Sep 5, 2009 20:25 |
|
Anyone know of a kind of virus that resurfaces on your computer after resetting the CMOS and removing the battery? I removed my hard drives. Reset the CMOS and removed the system battery and waited the normal 10 seconds. On reboot I get a message telling about a CMOS checksum error. Forcing me to F2 the setup menu where each time there is always something different than the previous reset, i.e. the boot devices are different. Most noticeably after a long careful process of taking the proper steps my boot devices were listed as cdrom, hard drive device, removable media card
|
# ? Sep 6, 2009 02:37 |
|
AFAIK, every time you do a reset, your BIOS will force you to go into the settings, or at least force you to choose between custom and "optimized" settings of its own. What you have doesn't sound like a virus at all. Why did you remove your hard drives? They have nothing to do with clearing a CMOS. Your problem sounds more like hardware than viruses.
|
# ? Sep 6, 2009 02:40 |
|
Ensign Expendable posted:AFAIK, every time you do a reset, your BIOS will force you to go into the settings, or at least force you to choose between custom and "optimized" settings of its own. What you have doesn't sound like a virus at all. Why did you remove your hard drives? They have nothing to do with clearing a CMOS. Your problem sounds more like hardware than viruses. So I can be pragmatic, I'm obviously trying to eliminate all possible problem causes right off the bat. The hard drive because there are boot managers such as SBM Smart Boot Manager that can be installed to the hard drive's master boot record. But that doesn't seem to be the real source since my BIOS acts differently each time I reset it totally independent of any hard drive attachment.
|
# ? Sep 6, 2009 02:55 |
|
I don't know where to go for help, everything's turned up useless. I have a hijacker that just appeared today, it shrinks my browser and redirects for me to download Virus Doctor or greenav install. Neither of those is actually installed so I can't remove them, and nothing is finding the redirector, not even Combofix. The url it usually tries to send me to is andoscan.info. My netbook ended up with the same hijacker when I tried looking it up for removal instructions. I did get to http://safeweb.norton.com/report/show?name=andoscan.info and all the entries there are from today. What the gently caress, does anyone know what to do? I'm scared. Edit: I've used Combofix, Malwarebytes, AdAware, Spybot, Windows Defender, McAfee, VundoFix, and HijackThis. None of them have found anything wrong. I know this probably isn't the right place but the malware guide in Tech Support is like four years out of date. Grand Fromage fucked around with this message at 03:56 on Sep 6, 2009 |
# ? Sep 6, 2009 03:51 |
|
Did you try those in safe mode? Also, try burning the Ultimate Boot CD and scanning from that, don't give the virus a chance to run and conceal itself. Of course, there is the possibility that it's new and nothing detects it yet, in which case your only hope is that heuristics get it. I think Avira has the most paranoid ones, try that.
|
# ? Sep 6, 2009 03:58 |
|
Downloading Avira. The fact that no one reported this before today on Norton's site makes me suspicious about it being new, do you have any idea how long it usually takes for updated tools? I really, really don't want to format, especially if it might come right back from one of my other hard drives.
|
# ? Sep 6, 2009 04:04 |
|
New definition files for Avast come out once every few days, but tossing in a file signature shouldn't be all that hard, unless it's especially sneaky somehow. The only way that it could come back from your other drives is if it infected the autorun.ini file and starts itself once the drive is mounted. You can get around that by disabling autorun and scanning it once antiviruses can detect it.
|
# ? Sep 6, 2009 04:08 |
|
Ensign Expendable posted:The only way that it could come back from your other drives is if it infected the autorun.ini file and starts itself once the drive is mounted. You can get around that by disabling autorun and scanning it once antiviruses can detect it. That makes me feel better at least. I have a C: partition for Windows, then all my programs on D: partition, then another internal and three external drives. If I format C: and reinstall, I shouldn't have to worry about reinfection from those other drives/partitions? Or would I have to completely wipe the physical drive that the C: partition is on? Or both internals?
|
# ? Sep 6, 2009 04:16 |
|
Depends on how persistent this one is. If it's your average malware, once any good AV gets the definition, it should be able to clean it right off and you won't have to format anything. If it's as bad as Virut, you'll have to nuke everything that was in contact with the drive. I haven't seen any virus/malware that replicates itself through internal disks, only external ones. Once anything you have can detect it, disable autorun and scan every drive that could have been infected. Overall, it shouldn't be too bad, I've never seen a hijacker that warranted a reinstall.
|
# ? Sep 6, 2009 04:49 |
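The two posts above about reinfection from other drives turn on one mechanism: an `autorun.inf` in the root of a volume whose `open=`, `shellexecute=` or `shell\...\command=` entries run a payload when the volume is mounted or double-clicked, which the `NoDriveTypeAutoRun` policy can switch off per drive type. The following is an added example, not code from the thread; it parses an `autorun.inf` the way a triage script would and evaluates the policy mask. The two `autorun.inf` texts and the `RECYCLER\sample.exe` path are constructed for the example; the bit values are the documented `NoDriveTypeAutoRun` flags, and 0x91 as the XP default is from memory.

```python
# Entries under [autorun] that make Explorer execute something.
LAUNCH_KEYS = ("open", "shellexecute")

# NoDriveTypeAutoRun bits (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
# Policies\Explorer). A set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
XP_DEFAULT_MASK = 0x91   # unknown + remote + reserved: USB sticks and fixed disks still AutoRun
DISABLE_ALL = 0xFF


def parse_autorun(text):
    """Minimal INI parse into {section: {key: value}} (lowercased), tolerant of junk lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # worms pad autorun.inf with garbage to upset naive parsers; skip it
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Return {entry: command} for every [autorun] entry that would execute code."""
    auto = parse_autorun(text).get("autorun", {})
    return {k: v for k, v in auto.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}


def autorun_enabled(mask, drive_type):
    """True if AutoRun still fires for drive_type under the given NoDriveTypeAutoRun mask."""
    return not (mask & DRIVE_TYPE_BITS[drive_type])


def disable_autorun_reg():
    """Text of a .reg file that disables AutoRun for every drive type machine-wide."""
    return ("Windows Registry Editor Version 5.00\n\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\n"
            f'"NoDriveTypeAutoRun"=dword:{DISABLE_ALL:08x}\n')


# Constructed autorun.inf in the style of a 2009 USB worm: every launch path runs the
# payload, and action= mimics the stock "Open folder to view files" AutoPlay item.
SAMPLE_INF = r"""
[autorun]
open=RECYCLER\sample.exe -autorun
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\Command=RECYCLER\sample.exe -autorun
shell\explore=Explore
shell\explore\command=RECYCLER\sample.exe -explore
shellexecute=RECYCLER\sample.exe
shell=open
"""

# Constructed benign autorun.inf: icon and label only, nothing executes.
BENIGN_INF = r"""
[autorun]
icon=setup.exe,0
label=Driver CD
"""

if __name__ == "__main__":
    for entry, cmd in launch_targets(SAMPLE_INF).items():
        print(f"{entry:24} -> {cmd}")
    print("removable AutoRun under XP default:", autorun_enabled(XP_DEFAULT_MASK, "removable"))
```

The parser reports launch entries, not verdicts: a vendor driver CD legitimately uses `open=setup.exe`, so the target path (a `RECYCLER` or `$RECYCLE.BIN` subdirectory, a hidden file, an executable that also appears in the `shell\...\command` entries) is what decides. Note that `0xFF` only stops Explorer from executing the file; a USB worm already on the disk still needs to be found and removed.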
|
It would be nice if we could keep the help requests in Haus of Tech Support.
|
# ? Sep 6, 2009 05:08 |
|
Tapedump posted:It would be nice if we could keep the help requests in Haus of Tech Support. This thread has a pretty solid history of virus removal help requests. If we excluded those, what would we have besides a bunch of IT dudes bitching? We already have a couple threads for that.
|
# ? Sep 6, 2009 05:09 |
|
Yeah, I suppose you're right. Never mind then, carry on.
|
# ? Sep 6, 2009 05:11 |
|
Ensign Expendable posted:in which case your only hope is that heuristics get it. I think Avira has the most paranoid ones Yeah I can vouch for that. Drives me crazy sometimes.
|
# ? Sep 6, 2009 05:40 |
|
Sunbelt's Vipre software has very good heuristics, updates hourly, and has a free 15 day trial. I'd give that a shot.
|
# ? Sep 6, 2009 07:02 |
|
Grand Fromage posted:That makes me feel better at least. I have a C: partition for Windows, then all my programs on D: partition, then another internal and three external drives. If I format C: and reinstall, I shouldn't have to worry about reinfection from those other drives/partitions? Or would I have to completely wipe the physical drive that the C: partition is on? Or both internals? You should go to https://www.bleepingcomputer.com and post there. They will be able to help you much more and will be able to write removal programs if nothing else works.
|
# ? Sep 6, 2009 20:01 |
|
fishmech posted:At least Comic Sans is legible, if informal. She told me that she once received a letter, claiming to be some sort of legal proof that a particular debt had been taken care of or something. The letter was printed in Comic Sans.
|
# ? Sep 6, 2009 23:49 |
|
hobofood posted:My parents PC has picked up a horrible little SuperAntiSpyware 2010 infection, claiming that they have 38 trojans and really should input their credit card details to get rid of them. I have no idea how to get rid of it. They had AVG and Spybot installed originally, but both were uninstalled when I came to it. I ran MalwareBytes and that gets rid of it. As far as I know it gets rid of it completely; subsequent scans with both MalwareBytes and Spybot both report that it's clean, so I installed Avast, set Avast and MalwareBytes to scan every day and left them to it. In a hilarious turn of events, when my dad described the return of the malware, he failed to mention that its name was "AVG Antivirus" and that it was telling him that it had blocked things. I ran VundoFix and ComboFix anyway, both came up clean. AVG's log looked fine too (blocked a couple of things but scans have been running).
|
# ? Sep 7, 2009 11:42 |
|
Holy poo poo, it just took me four days to get rid of the most annoying piece of crap on my home pc. I need some expert advice itt to prevent this from happening, so please excuse this missive from noobsville. I don't know where it came from (I'm not online at home) or when the infection happened and all my usb storage appears to be clean. It was a whole bunch of loving things including braviax.exe, cru629.dat, msword98.exe and so on. Even after finding and removing everything in Safe Mode, something else would pop up and off we'd go again. During the infection I couldn't get my copy of Spybot S&D to run and couldn't get Superantispyware installed. WTF? Eventually I got the latest AVG 8 update from my uni's IT support yesterday and it was as simple as that. What the hell happened there?
|
# ? Sep 8, 2009 14:15 |
|
Phaeoacremonium posted:Holy poo poo, it just took me four days to get rid of the most annoying piece of crap on my home pc. I need some expert advice itt to prevent this from happening, so please excuse this missive from noobsville. Firefox and noscript add-on will fix it. I just cleaned that malware off a computer last Thursday and he got it from a web ad.
|
# ? Sep 8, 2009 14:26 |
|
Independence posted:Firefox and noscript add-on will fix it. I just cleaned that malware off a computer last Thursday and he got it from a web ad. Alright, thanks. Just weird because like I said I don't go online on that computer. But I'll take steps with firefox on my netbook, which is used online at work.
|
# ? Sep 8, 2009 14:31 |
|
Phaeoacremonium posted:Alright, thanks. Just weird because like I said I don't go online on that computer. But I'll take steps with firefox on my netbook, which is used online at work. You mentioned you're connecting to your university's network. That's probably your vector for infection right there.
|
# ? Sep 8, 2009 15:38 |
|
Stanley Pain posted:You mentioned you're connecting to your Universities network. That's probably your vector for infection right there. Your avatar reminds me I need to expense a new punchdown tool. Mine is less than snazzy.
|
# ? Sep 8, 2009 15:39 |
|
Midelne posted:Your avatar reminds me I need to expense a new punchdown tool. Mine is less than snazzy. You're welcome
|
# ? Sep 8, 2009 15:44 |
|
juggernaught posted:So I can be pragmatic, I'm obviously trying to eliminate all possible problem causes right off the bat. The hard drive because there are boot managers such as SBM Smart Boot Manager that can be installed to the hard drive's master boot record. But that doesn't seem to be the real source since my BIOS acts differently each time I reset it totally independent of any hard drive attachment. Your BIOS is trying to make sense of the corrupted data stored in the NVRAM, most likely. There aren't any BIOS level viruses for the x86 platform, because by the time flash memory for ROMs became common, there were too many differences between systems to write one that would be guaranteed to do anything other than A) fail to flash, or B) disable the system entirely. If you're virus hunting, it's on the hard drive. It came from the internet or removable media. Start from there. corgski fucked around with this message at 11:29 on Sep 9, 2009 |
# ? Sep 9, 2009 07:03 |
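The "CMOS checksum error" after pulling the battery is exactly what the POST code is built to report when the setup area no longer matches its stored checksum, or when the RTC's valid-RAM bit says the contents were lost; the board then loads defaults and drops into Setup, which is why the boot order looks different each time. The following is an added example, not from the thread, that models that check on the classic IBM AT / MC146818 CMOS layout (bytes 10h..2Dh summed into a 16-bit value at 2Eh/2Fh, status register D bit 7 as the power-good flag). The CMOS image is constructed; vendor BIOSes extend the map and their checksum rules vary, and modern UEFI boards keep setup variables in SPI flash instead, so treat the byte offsets as illustrative.

```python
from random import Random

CMOS_SIZE = 64
STATUS_D = 0x0D                        # RTC status register D; bit 7 (VRT) = RAM and time valid
VRT_BIT = 0x80
CHECKSUM_RANGE = range(0x10, 0x2E)     # configuration bytes 10h..2Dh are covered
CHECKSUM_HI, CHECKSUM_LO = 0x2E, 0x2F  # 16-bit sum stored high byte first


def cmos_checksum(cmos):
    """16-bit sum of the configuration bytes, as the AT BIOS computes it."""
    return sum(cmos[i] for i in CHECKSUM_RANGE) & 0xFFFF


def stored_checksum(cmos):
    return (cmos[CHECKSUM_HI] << 8) | cmos[CHECKSUM_LO]


def cmos_valid(cmos):
    """The POST decision: trust the saved setup only if VRT is set and the checksum matches."""
    return bool(cmos[STATUS_D] & VRT_BIT) and stored_checksum(cmos) == cmos_checksum(cmos)


def seal(cmos):
    """Recompute and store the checksum, as Setup does when it saves settings."""
    out = bytearray(cmos)
    total = cmos_checksum(out)
    out[CHECKSUM_HI], out[CHECKSUM_LO] = total >> 8, total & 0xFF
    return bytes(out)


def sample_cmos():
    """Constructed image of a configured AT-class machine (values illustrative)."""
    cmos = bytearray(CMOS_SIZE)
    cmos[STATUS_D] = VRT_BIT
    cmos[0x10] = 0x40                   # drive A: 1.44 MB floppy
    cmos[0x12] = 0xF0                   # drive C: type 15+, real type in byte 0x19
    cmos[0x14] = 0x03                   # equipment: floppy present, coprocessor, EGA/VGA
    cmos[0x15], cmos[0x16] = 0x80, 0x02 # base memory 640 KB (0x0280), low byte first
    cmos[0x19] = 47                     # user-defined hard disk type
    return seal(cmos)


def battery_pulled(cmos, seed=1):
    """Simulate a jumper/battery reset: VRT drops and the RAM contents are undefined."""
    rng = Random(seed)
    out = bytearray(rng.randrange(256) for _ in range(CMOS_SIZE))
    out[STATUS_D] &= ~VRT_BIT & 0xFF
    return bytes(out)


if __name__ == "__main__":
    good = sample_cmos()
    print("saved settings valid:", cmos_valid(good))
    print("after battery pull:  ", cmos_valid(battery_pulled(good)))
```

Two consequences follow from the model. A reset board reports the error every time until Setup saves and reseals, which matches the poster's experience and is not a sign of persistence. And a single changed configuration byte without a reseal also fails the check, so firmware-level tampering that did not go through Setup would show up the same way, which is one more reason the symptom alone says nothing about malware.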
|
thelightguy posted:There aren't any BIOS level viruses for the x86 platform Yes there are, but they're very hard to catch and when they activate they tend to just silently wipe the bios during regular usage.
|
# ? Sep 9, 2009 07:28 |
|
fishmech posted:Yes there are, but they're very hard to catch and when they activate they tend to just silently wipe the bios during regular usage. Not saying I doubt you or anything, but there are so many inconsistencies between BIOSes that it would be impossible to write something that would target more than a relatively small number of systems, since you'd need a different binary image for each motherboard. The Amiga, because of its more standardized architecture had so-called restart proof viruses, which were more or less BIOS level, but not the PC. corgski fucked around with this message at 11:25 on Sep 9, 2009 |
# ? Sep 9, 2009 07:49 |
|
thelightguy posted:The Amiga, because of its more standardized architecture had so-called restart proof viruses, which were more or less BIOS level, but not the PC. Actually the equivalent of the BIOS on the amiga was the kickstart which was not flashable (except on the A1000 and A3000 where it lived on a floppy disk). The restart persistent viruses on the amiga could survive warm reboots (ctrl+amiga+amiga), which didn't clear the memory (and, presumably, some kind of initialization vector), and spread to the next floppy disk inserted. Powering off your amiga properly between disk swaps stopped the virus spreading (this is all pre-hard-drive, of course). re: BIOS viruses, they definitely exist but I've not yet seen one in the wild. POCs are easy to find, I think there's even a phrack paper about making one using vmware. But I doubt you'll run into them because they're a lot harder than regular viruses which are, at this point, downright trivial to make (since they're all mostly the same few bits of code copy+pasted together anyway). Why bother putting the time in? Viruses are for-profit these days and the people getting infected with them aren't going to be more vulnerable to a BIOS virus.
|
# ? Sep 9, 2009 11:40 |
|
Midelne posted:http://www.awfulmart.com/ Big Jim's Spyware annihilator and Fish Boner
|
# ? Sep 9, 2009 16:56 |