> Jetsetlemming posted: I was just doing something on my sister's computer when WinAntivirus2010 popped up. I instantly responded by holding down the power button until it shut off. I'm reasonably sure it wasn't infected before, and I don't know if the popup "warning" from antivirus2010 is post or during infection. The system's running Vista Home Premium and AVG, both up to date, and the latest version of IE, with UAC active and working. How hosed is it? Got it in safe mode running a full AVG scan right now, but it said that "Documents and Settings" is a locked folder and skipped scanning it entirely, so I'm not feeling too confident. Got Combofix downloaded on a different PC and ready to be transferred over.

"Documents and Settings" isn't really a folder in Vista. It's essentially a redirect for legacy applications to the Vista/Windows 7 profile location, which is C:\Users.

Feb 18, 2010 17:59
Well, I rebooted in safe mode, ran AVG, ran combofix, rebooted, updated windows, ran another AVG scan, checked the currently running processes in Process Explorer, checked the settings in MSConfig, opened IE and looked for popups, went to a few random sites through google searches and didn't get redirected to a site I didn't click on, browsed to some AV sites and successfully loaded them. The only thing odd left is that now, post crap, Windows Defender is active, but it can't update its malware definitions. Nothing seems to consider it harmful/infected, so I guess maybe ComboFix or something turned it on.

Feb 18, 2010 22:15
I googled ComboFix and went to the first link at BleepingComputer to download it; well, I tried to, but my AV had it flagged as a Trojan apparently.

Feb 19, 2010 01:06
> Suran37 posted: I googled ComboFix and went to the first link at BleepingComputer to download it; well, I tried to, but my AV had it flagged as a Trojan apparently.

McAfee HATES Combofix. Get a non-poo poo AV software, or disable McAfee on-access protection, and try again.

Feb 19, 2010 01:33
Ugh, McAfee is awful. Did their enterprise software improve at all? Back when I last used it, it would prevent you from accessing removable media for half an hour before you could run anything and locked up the computer for 10-15 minutes a day. Piggybacking on svchost so you can't even lower its priority is just unfair.

Feb 19, 2010 02:23
> Otacon posted: McAfee HATES Combofix. Get a non-poo poo AV software, or disable McAfee on-access protection, and try again.

Not my choice, it was my dad's. His mindset is that if Comcast gives it to their customers it must be the best AV ever made. Maybe I'll just uninstall it. What would be a good replacement?

Feb 19, 2010 03:27
> Suran37 posted: Not my choice, it was my dad's. His mindset is that if Comcast gives it to their customers it must be the best AV ever made. Maybe I'll just uninstall it. What would be a good replacement?

Feb 19, 2010 03:32
This is probably as good a place to ask as any, but what's some good anti-malware software that'll run in a WinPE environment and scan attached hard drives? I want to make some WinPE USB sticks for my techs, and have them available for the really bad malware cases (like the rootkits these days that write bytes to the hard drive outside of the system partition and what not), but my go-tos like Malwarebytes are mainly designed for in-OS running only. I know in the end we'll still have to boot into Windows and run anti-malware tools there, but sometimes not even booting into Safe Mode is feasible.

Feb 19, 2010 03:50
> -Dethstryk- posted: Microsoft Security Essentials. Free and it does a drat good job.

This. I love this program - although, I ended up uninstalling it from my netbook last night. It really is a dog when booting into Windows if you only turn on your computer a handful of times a month -- and your computer is painfully slow from the start. If you're online every day, and your computer isn't less than 1 GHz, it's wonderful.

> mpeg4v3 posted: This is probably as good a place to ask as any, but what's some good anti-malware software that'll run in a WinPE environment and scan attached hard drives? I want to make some WinPE USB sticks for my techs, and have them available for the really bad malware cases (like the rootkits these days that write bytes to the hard drive outside of the system partition and what not), but my go-tos like Malwarebytes are mainly designed for in-OS running only. I know in the end we'll still have to boot into Windows and run anti-malware tools there, but sometimes not even booting into Safe Mode is feasible.

To be honest, I'm not aware of any that function entirely in WinPE. I've been using F-Secure as of late - it's Knoppix based, and while its removal process goes pretty slowly, it finds and renames just about every virus/malware infection I've tried it against. It's about 200 MB, is bootable, connects to the internet, downloads new definitions and begins the scans.

Otacon fucked around with this message at Feb 19, 2010 around 04:26

Feb 19, 2010 04:23
> Suran37 posted: Not my choice, it was my dad's. His mindset is that if Comcast gives it to their customers it must be the best AV ever made. Maybe I'll just uninstall it. What would be a good replacement?

If that is his mindset you could point out that Comcast is no longer distributing it. http://security.comcast.net/

Feb 19, 2010 04:43
Yesterday VIPRE started detecting setup.exe of the CYGWIN distro as a generic trojan. Really annoying.

Feb 20, 2010 00:22
Anyone have any good information on combofix? It's just a really interesting program to me, but I understand why its processes are secretive. I found a whitepaper on a 'security' site explaining quite a bit of it and how to hide from it, but at this point I'm more curious about stuff like who the hell made it (subs? do we know this guy from anywhere else?), that sort of thing.

Feb 20, 2010 18:58
A few months ago I got a virus from a redirect ad at anonib.com. This computer was a desktop I had running for a few years so it still had Windows XP. Basically, this thing installed "Antivirus 2009" (http://en.wikipedia.org/wiki/MS_Antivirus) and it kept on asking me to "upgrade". It suppressed MalwareBytes, Spybot S&D and some generic Windows antivirus program and redirected me from any popular tech help sites I would visit. It also deleted all of my system restore points. Eventually, I was able to torrent Spyware Doctor and I removed some of the infection, but I still had a lot of instability, specifically at start-up. Sometimes the computer would freeze if I ran Firefox, tried to search or use regedit. One time when I rebooted, I got a random disk-check and all of a sudden Spybot S&D started working again and the computer was pretty stable. I think I had removed the infection totally by this point. This was a few days ago.

Last week my cousin used the same desktop for a while and all of a sudden it was infected by scareware again. It didn't behave like the other virus; it caused much more instability and replaced my desktop background with an image of the blue screen of death or a random "Your PC is infected" message. I kept getting a stream of error messages about acrotray and a known virus process whose name escapes me, along with the same pestering messages to upgrade and some viagra ads. I used Spybot a few times but the virus would always reinstall itself at start-up. After a few reboots a different scareware program appeared and it blocked Spybot, regedit, task manager, system restore and pretty much everything except the browsers, which ran incredibly slowly. The next reboot the operating system was dead.

Was there more than one virus at work or was it the same one that kept reinstalling itself? Is XP just so nonsecure that it can't be used anymore? I'm not sure if this is a notable virus or not, but I'd never experienced an infection that aggressive before.

Both infections were also terribly programmed and I don't understand how their designers could hope to make any money off of these fake-antivirus thingies. Even if I fell for the clumsy scam, my system would have been too slow to even try and sign up for "Internet Guard 2010". What can I do about my desktop? I'm sure I need a clean install of Windows but have I lost all my old files and programs as well?

Feb 22, 2010 00:23
Reinstalling would be your best bet. You never know if there's a rootkit that's just inviting these viruses to come in and screw things up. XP isn't inherently insecure, you should just keep everything up to date, especially Flash and Java. Enable DEP. Ensure your antivirus is good and up to date. Of course, 7 is a lot better than XP, so if you can upgrade then you should.

Feb 22, 2010 00:38
> HOT SQUATS posted:

You can still recover your files, as long as you have another computer available. Remove your old hard drive, plug it into your new system, power up, and you'll find your drive mounted and ready to look at. Your files are most likely in X:\Documents and Settings\username\, under Desktop and My Documents. DO NOT RUN ANY FILES. Just copy/paste your My Documents or Desktop folders or what have you into your new computer's drive. Power down, unplug the old hard drive, reboot. Perform a full virus scan after you do this.

That's the good news. The bad news is that your programs are gone. While you can recover from these things and disinfect a virus-ridden computer, it is tough work. A good computer repair place can probably do this, as well as recover your data - but I don't trust BestBuy and can't recommend their service.

Feb 22, 2010 01:07
In my best experience, the only sure-fire way to get rid of a virus is to nuke the OS from orbit and start from scratch. I don't know what may be left lingering after removing a virus, so it's a good excuse to reformat. Trying to clean up after an infection probably takes as long as reinstalling the OS anyway. I try to keep the OS in its own partition, and have my data on the other. That way, should the OS go tits up, I don't have to go through the trouble of backing up my data. Sure, I have to reinstall programs again, but that's usually not a problem once I get the internet connection up and running again. It was the only way to handle a virus infection at my old Dell tech support job; can't have rootkits inviting viruses through the backdoor if I've nuked the fucker, can they?

Feb 22, 2010 01:28
> Starhawk64 posted: In my best experience, the only sure-fire way to get rid of a virus is to nuke the OS from orbit and start from scratch. I don't know what may be left lingering after removing a virus, so it's a good excuse to reformat. Trying to clean up after an infection probably takes as long as reinstalling the OS anyway.

"DOCTOR, DOCTOR, COME QUICK! I'VE GOT THIS SPLINTER, AND I THINK IT'S INFECTED!"

"Oh boy. Well, that's not good. We could operate on you, but I don't think that'd work - we'll never get 100% of that splinter out. Do you want me to call a priest so you can be read your last rites?"

Feb 22, 2010 01:57
Can splinters install hidden splinter magnets that will make splinters pop out of trees and embed themselves into you whenever you walk past some wood?

Feb 22, 2010 02:13
> Ensign Expendable posted: Can splinters install hidden splinter magnets that will make splinters pop out of trees and embed themselves into you whenever you walk past some wood?

Or transmit personal info to the tree mafia.

Feb 22, 2010 02:36
Rewriting the boot sector, using Combofix/Malwarebytes, and following up with an external AV scan seems to clean 99.9% of all viruses I've encountered on over 500 computers, with the only reinfections being from idiots doing things that got them infected in the first place. While yes, there have been some Windows reinstalls in those numbers, they are rare and I don't like to do them unless I've exhausted all other options. Maybe I'm just really good at removing splinters?

Feb 22, 2010 03:01
> Starhawk64 posted: In my best experience, the only sure-fire way to get rid of a virus is to nuke the OS from orbit and start from scratch. I don't know what may be left lingering after removing a virus, so it's a good excuse to reformat. Trying to clean up after an infection probably takes as long as reinstalling the OS anyway.

Actually, this is a questionable exercise anyhow. If the files are transferred to another (vulnerable) machine then next use will kick off a new infection. My experience with antivirus scanners is poor in general, so good luck, although giving it a few weeks for the scan should significantly improve your odds. I recall a virus that installed autorun files on hard drives so if another computer mounted them, bam - infected.

Feb 22, 2010 03:31
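The autorun trick mentioned above is easy to spot once the drive is mounted under a clean OS: the worm drops an autorun.inf whose `open=`, `shellexecute=` or `shell\...\command=` entry points at its payload. The script below is an added example written for this page, not something any poster ran; it reads an autorun.inf and reports every entry that would launch a program, flagging executables and payloads parked in folders a user never browses (RECYCLER, $Recycle.Bin, System Volume Information). The sample autorun.inf is constructed, not a real capture. On a vendor CD an `open=setup.exe` is normal; on a hard drive or USB stick any launch entry at all is the finding.

```python
"""Triage an autorun.inf found on a mounted drive (added example, not from the thread)."""
import re

# Extensions Windows will execute when named in open= / shellexecute= / shell\...\command=
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta)$", re.IGNORECASE)
# Folders a user never opens by hand; a favourite hiding place for the dropped payload
HIDDEN_DIRS = re.compile(r"(^|\\)(recycler|\$recycle\.bin|system volume information)(\\|$)",
                         re.IGNORECASE)
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Minimal INI reader: keeps key order and duplicate keys, lowercases names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def _program(value):
    """First token of a command line, honouring a quoted program path."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def triage_autorun(text):
    """Return [(key, program, reasons)] for every [autorun] entry that would run something."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        program = _program(value)
        reasons = ["launches"]
        if EXEC_EXT.search(program):
            reasons.append("executable-target")
        if HIDDEN_DIRS.search(program):
            reasons.append("hidden-system-folder")
        findings.append((key, program, reasons))
    return findings


# Constructed sample modelled on what a USB/hard-drive worm drops; not a real capture.
SAMPLE_AUTORUN = r"""[autorun]
;constructed
open=RECYCLER\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command="RECYCLER\update.exe" /s
shell\explore\command="RECYCLER\update.exe" /s
"""

# Constructed benign autorun.inf as shipped on a driver CD: sets an icon and label, runs nothing.
BENIGN_CD = """[autorun]
icon=setup.exe,0
label=Printer driver disc
"""

if __name__ == "__main__":
    for key, program, reasons in triage_autorun(SAMPLE_AUTORUN):
        print(f"{key:<22} -> {program}  [{', '.join(reasons)}]")
```

Run it against an autorun.inf copied off the suspect drive (never double-click the drive in Explorer first; that is exactly what the file is waiting for). The three `shell\...\command` and `open` lines mean the payload runs whether the user picks "Open", "Explore" or just lets AutoPlay fire.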
> Otacon posted: Rewriting the boot sector, using Combofix/Malwarebytes, and following up with an external AV scan seems to clean 99.9% of all viruses I've encountered on over 500 computers, with the only reinfections being from idiots doing things that got them infected in the first place.

Feb 22, 2010 04:35
I posted in this very thread one of my many dealings with Virut. It's the nastiest strain I've come across, and I even managed to infect a system with it myself - my own home computer. I managed to clean my system after almost 2 days of downtime, since I had realized what I had done, and hard-shut down my computer relatively quickly after infection. It still managed to overwrite a bunch of Windows files, as well as a few random EXEs that were in various folders on my C drive. I cleaned it with an XP Repair-install and recovery console eventually, but Combofix did not clean it - I agree. (I also would not dump Virut in the same category with the random rogue-AV poo poo that's going around - but now it's being packaged with various fake poo poo - still rare, but still occurring.) For future dealings with Virut, I do recommend a reinstall - but Norton actually can repair most EXE files that are infected - so I'm more than happy to do documents/settings backups.

Feb 22, 2010 07:20
> HOT SQUATS posted: What can I do about my desktop? I'm sure I need a clean install of Windows but have I lost all my old files and programs as well?

Transferring them off doesn't actually even require swapping the hard drive. Boot from Backtrack or other Linux-related live boot CD, plug in your handy-dandy USB drive, and copy the documents and pictures that you want to save off of the computer. Everything else must be left behind to be purified by the coming flames. 'Course, this does require that you have the aforementioned live CD, but it's a good reminder to keep one around for the occasions when a Windows install is just too toxic to touch through the OS.

Feb 22, 2010 16:38
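Two posts above (the "DO NOT RUN ANY FILES, just copy My Documents and Desktop" advice and the live-CD variant) describe the same procedure: mount the infected drive under a clean OS and carry off data, not programs. The script below is an added example, not code from either poster, showing one way to enforce that rule rather than trusting the person at the keyboard. It walks the profile's Desktop, My Documents and Favorites folders, copies only files whose extension is on an allowlist AND whose header matches that type, refuses anything that starts with an MZ (Windows executable) header however it is named, and never follows symlinks or junctions. The profile path, folder names and allowlist are the editor's assumptions; `demo()` builds a constructed profile in a temp directory so the script runs offline. Documents can still carry exploits for their viewers, so the "full virus scan afterwards" step from the earlier post still applies to what gets copied.

```python
"""Copy only data files out of a mounted, infected Windows profile; never run anything.

Added example for this page, not any poster's code. Assumes the suspect drive is already
mounted (read-only) under a clean OS and that PROFILE_SUBDIRS are the folders worth saving.
"""
import os
import shutil
import tempfile

# Extension -> magic bytes a genuine file of that type starts with (None = no fixed header).
# Anything not listed here is left behind; executables, scripts and autorun.inf never qualify.
ALLOWED = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG",), ".gif": (b"GIF8",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",), ".ppt": (b"\xd0\xcf\x11\xe0",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".rtf": (b"{\\rtf",), ".txt": None, ".csv": None,
}
PROFILE_SUBDIRS = ("Desktop", "My Documents", "Favorites")


def classify(path):
    """Return None if the file may be copied, otherwise a short reason for skipping it."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in ALLOWED:
        return "extension-not-allowed"
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(b"MZ"):            # a PE renamed to look like a document
        return "masked-executable"
    magic = ALLOWED[ext]
    if magic and not any(head.startswith(m) for m in magic):
        return "header-mismatch"
    return None


def recover_documents(src_profile, dst_root):
    """Copy allowlisted files under src_profile into dst_root; returns (copied, skipped)."""
    copied, skipped = [], []
    for sub in PROFILE_SUBDIRS:
        top = os.path.join(src_profile, sub)
        if not os.path.isdir(top):
            continue
        # followlinks=False and the islink() filter keep us out of planted junctions/symlinks
        for dirpath, dirnames, filenames in os.walk(top, followlinks=False):
            dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
            for name in filenames:
                src = os.path.join(dirpath, name)
                rel = os.path.relpath(src, src_profile).replace(os.sep, "/")
                if os.path.islink(src):
                    skipped.append((rel, "symlink"))
                    continue
                reason = classify(src)
                if reason:
                    skipped.append((rel, reason))
                    continue
                dst = os.path.join(dst_root, *rel.split("/"))
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copyfile(src, dst)      # data only: no ACLs, no alternate data streams
                copied.append(rel)
    return sorted(copied), sorted(skipped)


def demo():
    """Build a constructed profile in a temp dir and run the recovery over it."""
    root = tempfile.mkdtemp()
    profile = os.path.join(root, "Documents and Settings", "hotsquats")
    constructed = {
        ("My Documents", "thesis.pdf"): b"%PDF-1.4 constructed",
        ("Desktop", "cat.jpg"): b"\xff\xd8\xff\xe0 constructed",
        ("Desktop", "invoice.doc"): b"MZ\x90\x00 really an executable",
        ("Desktop", "video.exe"): b"MZ\x90\x00",
        ("Desktop", "autorun.inf"): b"[autorun]\nopen=video.exe\n",
        ("Favorites", "notes.txt"): b"plain text",
    }
    for (sub, name), body in constructed.items():
        path = os.path.join(profile, sub, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    return recover_documents(profile, os.path.join(root, "recovered"))


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied:", copied)
    print("skipped:", skipped)
```

Point `recover_documents()` at the mounted profile (for example `/mnt/sda1/Documents and Settings/username` from a live CD) and at a folder on the USB stick. The skipped list is worth reading: a `.doc` that is really an MZ file is the kind of thing the earlier posts warn would reinfect the next machine the moment someone opens it.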
I set up a virtual machine with Windows XP, basic install with no updates, in Windows 7. I deliberately tried wrecking this system to see what would happen. It took me DAYS of googling "most infected sites" and jumping all over them, going to various russian and .hk domains, running every single executable file that popped up, etc. Finally, this afternoon, I got what looks like virut:

[screenshot]

The thing is, with all the viagra ads, the marquee windows update red X and yellow ! alternating and everything, neither Malwarebytes nor Windows Security Essentials found much. MWB found 5 things, all trojans, but this was after I had tons of browser redirects and stupid stuff beforehand. Is there a reason why neither program found most of these? Oh, and Microsoft Sec Ess. is up to date, I updated before scanning. Just another quirk of the viruses, I guess... Seriously, I have an unusable computer now and MWB found 5 things and MSE found 1. 1! What gives?

Edit: An interesting thing I discovered with this concoction of viruses is that I can run Processexp as soon as the computer comes up and end the virus/trojans and use the internet fine for a while. But, the program comes back up later, and when I end it again, it takes my internet connection with it. Huh.

Ted Stevens fucked around with this message at Feb 22, 2010 around 18:10

Feb 22, 2010 17:42
> Ted Stevens posted: I set up a virtual machine with Windows XP, basic install with no updates, in Windows 7. I deliberately tried wrecking this system to see what would happen. It took me DAYS of googling "most infected sites" and jumping all over them, going to various russian and .hk domains, running every single executable file that popped up, etc. Finally, this afternoon, I got what looks like virut:

This will save you some time next time you get curious. Virut would've infected every executable file on your computer as quickly as you could run them. If you could remove the infection by running a virus scanner inside the infected VM, you're almost certainly not dealing with Virut. Try running a scanner that deals specifically with rootkits and you may have a bit more fun with what you find.

Feb 22, 2010 18:18
Porn sites are amazingly productive in getting viruses. Just go to some site promoting free videos and you get links for video.exe, porn.exe, hot lolita xxx.exe, and other good stuff. I just did a scan with GMER: Yay, I got my first rootkit today!

Feb 22, 2010 19:11
> Ted Stevens posted: Yay, I got my first rootkit today!

Don't be a tease. Tell us the details.

Feb 22, 2010 19:18
Well, like I said, I was treating this VM like a Saigon whore. I abused and kicked the poo poo out of it, I never said no, regardless of what file or site came to my attention. I downloaded so many installers, actively installed Antivir, and other "Your computer is infected, install this AV for great success!" programs. I've crashed the computer a few times, lost internet connection nearly a dozen (I keep winsockfix handy just in case), then I downloaded a copy of GMER and ran that. This is what I got:

[screenshot]

It looks like about 2-3 rootkits, but they call a lot of things. Oh, and AntivirusSoft will not go away, no matter what I do. If I clear it, kill the process in processexp and then get rid of it via HijackThis, it still comes back, eventually.

Ted Stevens fucked around with this message at Feb 22, 2010 around 19:47

Feb 22, 2010 19:43
Those fake AV things have been popping up all over people I know recently. Do the tools posted in the first few pages still do the trick?

Feb 22, 2010 20:22
This might be a dumb question, but how exactly did I get infected in the first place? I know what site I visited that infected me, but I don't think I really clicked on anything and I know for certain I didn't execute anything. I always thought these things happened to people who run every .exe offered to them or open random e-mail attachments.

I'm reading some literature on malware and according to Symantec, XP is the most vulnerable operating system around. In 2009 25% of all malicious programming was in a PC running XP. I'm sure XP users only make up a tiny fraction of overall users too.

Another stupid question. I've tried moving files from an internal HDD to another computer before and I didn't even know where to start. How could I connect an internal hard drive to something like a USB port?

HOT SQUATS fucked around with this message at Feb 22, 2010 around 21:03

Feb 22, 2010 21:00
> HOT SQUATS posted: This might be a dumb question, but how exactly did I get infected in the first place? I know what site I visited that infected me, but I don't think I really clicked on anything and I know for certain I didn't execute anything. I always thought these things happened to people who run every .exe offered to them or open random e-mail attachments.

One fun way right now that you most likely wouldn't even see happening until you were infected and covered in popups are invisible iframes inserted into the webpage either by a malicious site owner or because the web page was hacked. You load the page, your browser sees the invisible window's request that it download and execute some data and does it for you, welcome to popup land. Alternately, an infected Flash ad could be dropped into rotation, which could again either involve a malicious site owner, a hack of the site, or a hack of the ad provider. Also, XP is still the biggest of the sitting ducks, and probably will be for some significant time.

For the file transfer the easiest option is to plug in a USB thumbdrive that you picked up at Best Buy for $15, copy the relevant documents and pictures away from the infected drive and onto the thumbdrive while using an operating system other than the infected one, then move the thumbdrive to the new (presumably pristine) computer. Barring that, you can purchase hard drive enclosures that will allow you to connect IDE/SATA drives to a USB port. This would be less desirable, at least in my mind, because it brings the drive closer to your clean computer and also costs more.

Feb 22, 2010 21:10
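The invisible-iframe injection described in the post above is detectable in the page source, which is how a site owner finds out their pages were hacked before their visitors do. The script below is an added example for this page, not code from the poster: it parses an HTML document and reports every iframe a visitor would never see, whether because it is sized 0x0 or 1x1, hidden by inline CSS (`display:none`, `visibility:hidden`, parked at a large negative offset) or nested inside an element that is hidden that way, and notes when the frame points at a host other than the page's own. The sample page is constructed; the 203.0.113.0/24 addresses are the TEST-NET-3 documentation range, not a real host. It only looks at inline `style=` attributes, not stylesheets, which is enough for the typical injected one-liner.

```python
"""Find iframes hidden by size, inline CSS or a hidden ancestor (added example, not from the thread)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that makes an element invisible or parks it far off-screen
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)
# Elements with no closing tag; they must not linger on the ancestor stack
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "wbr"}


def _tiny(value):
    """True for width/height attributes such as "0", "1" or "0px"."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.stack = []      # (tag, hidden) for each open ancestor
        self.findings = []   # (src, host, reasons)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        parent_hidden = self.stack[-1][1] if self.stack else False
        hidden_here = bool(HIDDEN_CSS.search(a.get("style", "")))
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("zero-size")
            if hidden_here:
                reasons.append("hidden-by-css")
            if parent_hidden:
                reasons.append("hidden-ancestor")
            if reasons:
                src = a.get("src", "")
                host = urlparse(src).hostname or self.page_host   # relative src = same host
                if host != self.page_host:
                    reasons.append("cross-origin")
                self.findings.append((src, host, reasons))
        if tag not in VOID_TAGS:
            self.stack.append((tag, parent_hidden or hidden_here))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates the sloppy markup injected pages tend to have
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_iframes(html, page_host):
    """Return [(src, host, reasons)] for iframes a visitor would never see."""
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed page: one legitimate, visible ad frame and three injected ones.
SAMPLE_PAGE = """<html><body>
<p>Welcome to our store</p>
<iframe src="https://ads.example.net/banner.html" width="300" height="250"></iframe>
<iframe src="http://203.0.113.9/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe style="position:absolute;left:-9999px;top:-9999px" src="http://203.0.113.9/x.html"></iframe>
<div style="display:none"><iframe src="/promo.html"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for src, host, reasons in find_hidden_iframes(SAMPLE_PAGE, "www.example.com"):
        print(f"{host:<20} {src:<35} {', '.join(reasons)}")
```

Feed it the raw HTML as fetched (save the page with `curl` or from a non-Windows box rather than loading it in a browser), together with the site's own hostname. A zero-size frame pulling from an IP address you do not own is the classic signature of the injection the post describes; the same check run over every file in a web root is a quick way to find which pages were modified.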
What's the best anti-rootkit/scanner thingy for Windows 7 64bit? Haven't really found anything that works well.

Feb 22, 2010 21:11
> Stanley Pain posted: What's the best anti-rootkit/scanner thingy for Windows 7 64bit? Haven't really found anything that works well.

There are no kernel-mode rootkits for Windows 7 64-bit.

Feb 22, 2010 21:24
> BillWh0re posted: There are no kernel-mode rootkits for Windows 7 64-bit.

Though that makes me feel better about my system security, it baffles me as to how some of my login info got lifted.

Feb 22, 2010 21:36
> PopeOnARope posted: Though that makes me feel better about my system security, it baffles me as to how some of my login info got lifted.

Oh, I'm sure there's plenty of userland malware and keyloggers, and most of the 32-bit stuff will work straight up without problems. There just aren't any kernel-mode rootkits because 64-bit Windows enforces driver signing, and so far the only bypasses have been proof-of-concepts using infected boot sectors or BIOSes, nothing actually in the wild.

Feb 22, 2010 21:42
> BillWh0re posted: There are no kernel-mode rootkits for Windows 7 64-bit.

Good to know.

On a side note, anyone with Windows Home Server want to do a quick GMER scan and tell me what they see?

Feb 22, 2010 21:50
> Midelne posted: For the file transfer the easiest option is to plug in a USB thumbdrive that you picked up at Best Buy for $15, copy the relevant documents and pictures away from the infected drive and onto the thumbdrive while using an operating system other than the infected one, then move the thumbdrive to the new (presumably pristine) computer. Barring that, you can purchase hard drive enclosures that will allow you to connect IDE/SATA drives to a USB port. This would be less desirable, at least in my mind, because it brings the drive closer to your clean computer and also costs more.

For some reason I was assuming I would have to remove the hard drive to recover the files. Before I was talking about an internal HDD I unscrewed from a ruined laptop. Is there something I can do with that? Will a hard drive enclosure work with an internal HDD?

Feb 22, 2010 22:55
> HOT SQUATS posted: For some reason I was assuming I would have to remove the hard drive to recover the files.

It will if it's designed to.

Feb 22, 2010 22:57
> Stanley Pain posted: On a side note, anyone with Windows Home Server want to do a quick GMER scan and tell me what they see?

I just ran a scan on mine, and I get the following notice:

code:

Are you getting something else?

Feb 22, 2010 23:13