Search Amazon.com:
Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«94 »
  • Post
  • Reply
Scott808
Jul 11, 2001


highme posted:

After reading this thread I downloaded Malwarebytes, Superantispyware, Combofix & Avira. I haven't yet installed Combofix, but Avira keeps popping up an alert saying that my copy of Combofix.exe is a Trojan. I believe I dl'd it from bleepingcomputer.com. Is this a known issue or did I trust the wrong google result?

I got that with McAfee Enterprise. After I cleaned a computer out using ComboFix, McAfee's on access scanner automatically deleted it. Thanks, McAfee.

Adbot
ADBOT LOVES YOU

Capnbigboobies
Dec 2, 2004


highme posted:

After reading this thread I downloaded Malwarebytes, Superantispyware, Combofix & Avira. I haven't yet installed Combofix, but Avira keeps popping up an alert saying that my copy of Combofix.exe is a Trojan. I believe I dl'd it from bleepingcomputer.com. Is this a known issue or did I trust the wrong google result?

I just scanned a copy of combofix from bleepingcomputer with antivir and it says its virus free.

Bunny Cuddlin
Dec 12, 2004


BillWh0re posted:

Are there other computers on your local network? The latest batch of Zlobs perform DNS poisoning so they end up redirecting DNS requests from clean computers that are networked to an infected one.

This is a cool little feature.

EMILY BLUNTS
Jan 1, 2005



combofix is actually dozens of little utilities... some of them probably have to do some pretty crazy stuff to get at rootkits, and it's possible AV heuristics think you've got evil hacking tools.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!


The worst I had to deal with recently was one of those bastard child XPAntiSpyware things. I remember infecting myself with the 2007 variant. Since then, it's come with friends that lock your DNS down to the 85.255 hell, and cause all sorts of wonderous crashing. Formatted that computer.

BillWh0re
Aug 6, 2001




Car posted:

This is a cool little feature.

Actually my post wasn't totally accurate as I seem to remember it poisons dhcp rather than dns directly, so you should be able to see it based on the dns server configured by dhcp. Still a nightmare to track down though.

ProjektorBoy
Jun 18, 2002

I FUCK LINEN IN MY SPARE TIME!

I work for a large corporation's help desk and the occasional malware infection comes up on the computers of the people who call me. I've been able to scrub these computers clean manually by just a combination of resourcefulness, a good solid knowledge of known-good processes, and having Process Explorer at hand.

Process Explorer is great because it'll let you see every DLL file that an executable loads. Even better, it somehow is able to mark suspect DLL files in the list. It took a combination of using the sword of regsvr32 /u and being able to quickly get to certain file locations. Also there were times where I'd boot up the computer to the login screen, then go delete the bad files remotely because they attach to winlogon.exe. I've been able to defeat everything that came up at me so far.

I'm aware that nastier things are out there, but I already feel pretty competent against the current wave of shitware that's out there.

Cojawfee
May 31, 2006

THE CLAMPS!
or clamp like device


Are some of you guys forced into paying for these programs? I will never understand why people would pay for antivirus or antispyware. I hate when people come in and say "I just bought this Norton can you put it on?"

I haven't come across an infection that I can't get rid of with free programs. And in the rare case I do have to fresh install, it is usually because Windows has become so messed up anyway.

I usually start off with UBCD and scan with antivir, a squared, super antispy, and web cureit. Then go into windows with a hijack, and then run malware bytes in safe mode. After that it's mostly just running spybot and adaware to clean up anything that was missed. And we install AVG to stop windows from nagging about there being no antivirus.

I don't personally like AVG all that much, it got much better in version 8 but it is still a pain and doesn't find all that much. We used to install antivir but it was always with the pop ups about buying it.

I'd say malware bytes is the best program I have come across recently. But I will start trying this combofix thing. Should I use combofix mainly for stubborn malwares or just run it every time?

Hillridge
Aug 3, 2004

WWheeeeeee!

fishmech posted:

I'd advise alerting the owners of the sites that they may have been exploited, and posting what sites and search results are giving you redirects.

I don't think this is it, since it's happening way too often, and with sites like walmart.com


I did a google search for "christmas" and clicked the first link and it happened.

It looks like it is redirecting through http://goougly.com

Here's where the christmas link took me before it redirected to some other crap page:

http://goougly.com/c.php?url=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26source%3Dweb%26ct%3Dres%26cd%3D4%26url%3Dhttp%253A%252F%252Fen.
wikipedia.org%252Fwiki%252FChristmas%26ei%3DQ49SSZWLKce_tgeGn-nmBg%26usg%3DAFQjCNHBERwlZenm8jlqrLxALb-57ddTfw%26sig2%3D1UfxyEfkLC_AekJrHrKR4A&p=3&rf=http%3A%2F%2Fchristmas.asdos.com%2Findex.php


Edit: This is with Firefox 3.0.5

Hillridge fucked around with this message at Dec 25, 2008 around 19:27

Cojawfee
May 31, 2006

THE CLAMPS!
or clamp like device


Have you tried immunization with spybot? I don't know if it does more than the hosts file, but it is worth a shot.

Otacon
Aug 13, 2002


highme posted:

After reading this thread I downloaded Malwarebytes, Superantispyware, Combofix & Avira. I haven't yet installed Combofix, but Avira keeps popping up an alert saying that my copy of Combofix.exe is a Trojan. I believe I dl'd it from bleepingcomputer.com. Is this a known issue or did I trust the wrong google result?

Combofix isn't something you install - it's for wiping out viruses and shitware. It WILL be detected as a virus, and this is normal. Just keep it on a flash drive, and only run it when your system is hosed.

Bleepingcomputer is their main site. The reason is returns as a virus is because of the heuristics built in. Don't worry about it.

BillWh0re
Aug 6, 2001




Cojawfee posted:

Are some of you guys forced into paying for these programs? I will never understand why people would pay for antivirus or antispyware. I hate when people come in and say "I just bought this Norton can you put it on?"

...and scan with antivir...

I dunno man kinda sounds like the reason you don't feel the need to buy antivirus is because you are illegally using the free personal editions for commercial use.

Otacon
Aug 13, 2002


I read something from Reddit a couple nights ago that I can't find anymore.

Some hackers have figured out how to use other site's redirect pages against us.

The example I remember (which is now patched) was that Microsoft has a redirect page, that tells you "You are now leaving Microsoft.com, we are not responsible for the content on this linked page, etc etc etc". These hackers have used this redirect against them by posting blog comments that read "http://www.microsoft.com/redirect/www.malwaresite.com/?frooty+loops+6+download"

Now, when someone searches Google for "frooty loops 6 download" Google returns the biggest site results - most notably, microsoft.com. Clicking that link will then forward the user to Malwaresite.com, which seems to be able to load up some real-looking virus alerts, which users stupidly click on and download something.

Microsoft patched it, but a number of other sites still have their old redirect pages not secured.

Be careful Googling, folks.

Cojawfee
May 31, 2006

THE CLAMPS!
or clamp like device


BillWh0re posted:

I dunno man kinda sounds like the reason you don't feel the need to buy antivirus is because you are illegally using the free personal editions for commercial use.

These are people's personal computers, so it doesn't make sense to buy enterprise licenses. But there are lot of shady things my business does that I don't totally agree with. But in the end, no one really cares, because there is no money to be made in suing us. Everyone would rather go after the people who are actually selling fake versions.

1997
Jan 20, 2008

calmer than you are

The most infections I've ever seen on a computer was 145,000+ spread through 80GB of all sorts of pirated anime and porn. The computer itself was hilariously dirty and somehow, miraculously, we were able to remove all the viruses off of it without reformatting it. I think the scans themselves took about 3 days to complete and after that, finishing up was butter.

Antivirus XP/Pro/2009 and all of it's variants are funny as hell. I'd say about 85 percent of all the computers that come in have a form of it. I don't know how so many people can get this stuff, but just from speaking from them I can see how they got it. They're not always bright.

Hillridge
Aug 3, 2004

WWheeeeeee!

I ran combofix again, and it quarantined a bunch of stuff. Judging from the file names of some of the .dlls it reported (8 letters, alternating vowel-consonant pattern), it looks like loving vundo was still kicking around.

I haven't seen any redirects yet, but I'm not going to declare this machine clean until it stays that way for a few days.

Also, I recently started having a problem where if I was running uTorrent any web browsing was incredibly slow, if not impossible. That seems to be fixed now.

My dad just asked about antivirus 2009 popups, so I may get to repeat all this, only over the phone.

kapinga
Oct 12, 2005

I am not a number

Otacon posted:

I read something from Reddit a couple nights ago that I can't find anymore.

Some hackers have figured out how to use other site's redirect pages against us.

The example I remember (which is now patched) was that Microsoft has a redirect page, that tells you "You are now leaving Microsoft.com, we are not responsible for the content on this linked page, etc etc etc". These hackers have used this redirect against them by posting blog comments that read "http://www.microsoft.com/redirect/www.malwaresite.com/?frooty+loops+6+download"

Now, when someone searches Google for "frooty loops 6 download" Google returns the biggest site results - most notably, microsoft.com. Clicking that link will then forward the user to Malwaresite.com, which seems to be able to load up some real-looking virus alerts, which users stupidly click on and download something.

Microsoft patched it, but a number of other sites still have their old redirect pages not secured.

Be careful Googling, folks.

Ars seems to have an OK writeup on this: http://arstechnica.com/news.ars/pos...-loophole.html.

I'd suggest if you see a site that this happens on, send feedback. Since the attack relies on the target site having a reputation, one can hope they pay attention to these things.

Hillridge
Aug 3, 2004

WWheeeeeee!

Crap, still seeing goougly links in google.
I found some info on it, but nothing helpful.

I also turned off 3rd party cookies in Firefox.

I think I'm going to drop into safe mode and run:
spybot, superantispyware, ccleaner, malwarebytes, then combofix.

If that combo doesn't cure it, I don't know what will.

ab0z
Jun 28, 2008

by angerbotSD


Hillridge posted:

Crap, still seeing goougly links in google.
I found some info on it, but nothing helpful.

I also turned off 3rd party cookies in Firefox.

I think I'm going to drop into safe mode and run:
spybot, superantispyware, ccleaner, malwarebytes, then combofix.

If that combo doesn't cure it, I don't know what will.


All you have to do is find what's starting up and running via hijackthis or the silent runners vbscript, then pull the power, boot the computer to the recovery console, and delete or replace the affected files. If you need to remove registry entries, use BartPE or similar, they have offline registry editors.

AceSnyp3r
Mar 23, 2006

Why walk when you can fly?!

Hillridge posted:

Crap, still seeing goougly links in google.
I found some info on it, but nothing helpful.
It probably goes without saying, but have you tried changing your DNS server to something like OpenDNS temporarily, to make sure the redirects are only on your end, and not just your ISP's DNS's fault?

darkforce898
Sep 11, 2007



Hillridge posted:

Crap, still seeing goougly links in google.
I found some info on it, but nothing helpful.

I also turned off 3rd party cookies in Firefox.

I think I'm going to drop into safe mode and run:
spybot, superantispyware, ccleaner, malwarebytes, then combofix.

If that combo doesn't cure it, I don't know what will.

I had this but I also ran SDFix, and found out I had TDSServ on the machine. IF you see anything related to that you need to uninstall the driver or else nothing will work

Hillridge
Aug 3, 2004

WWheeeeeee!

AceSnyp3r posted:

It probably goes without saying, but have you tried changing your DNS server to something like OpenDNS temporarily, to make sure the redirects are only on your end, and not just your ISP's DNS's fault?

I have not, but other PCs on my network do not have this problem.

I just found a post in another forum from someone with a similar problem, and he was told to use GooredFix.exe

I ran this, found a problem, removed it, and I think it is fixed.

I'd still like to find the guy who wrote this browser hijack and punch him in the sack though.

Hillridge fucked around with this message at Dec 27, 2008 around 15:39

ab0z
Jun 28, 2008

by angerbotSD


Hillridge posted:

I'd still like to find the guy who wrote this browser hijack and punch him in the sack though.

Wouldn't we all...

cr0y
Mar 24, 2005

IRONKNUCKLE PERMBANNED! READ HERE

I recently had to deal with vundo(actually, some variant, nothing found it except adaware and it couldnt remove it). and good lord was it a pain in the rear end.

is there a good tutorial somewhere about making a live cd that has ad-aware+definitions and a good antivirus+definitions? I played with bartPE years ago but never really followed it through.

Cojawfee
May 31, 2006

THE CLAMPS!
or clamp like device


Just download UBCD.

Drighton
Nov 30, 2005



A user got Antivirus Plus on their computer before the Christmas break and just now called me to his office to fix it. It's had enough time to download what ever else is on here that nearly all of my tools were disabled or could not be installed, and I couldn't open task manager or msconfig, even in safe mode.

Managed to get Malwarebytes installed but after the first scan it BSOD'd and even on the second scan its still picking things up.

Drighton fucked around with this message at Dec 30, 2008 around 16:53

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

Install Superantispyware to a flash key and run it

Duck and Cover
Apr 6, 2007


I cry endlessly about video games! I just can't stop!

Don't reply because I'm not listening!

I should ALREADY be on your ignore list!


I'm enjoying having my ads hijacked so that I can be sold vimax and other lovely products. While I solved the problem of the ads by blocking through the hosts file I'd like to eliminate the problem instead of working around it. Oh and for the hell of it, it seems to block any attempts to update anti virus malware software.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Win32/Yektel infection chiming in. SUPERAntiSpyware picked up the bulk of it on the first run, Combofix grabbed the good old ieupdater.exe out of System32, and now we appear to be clean.

I get a genuine kick out of Win32/Yektel infections. It's got some genuine thought behind it, and that's nice to see even if it does make my day a bit more entertaining than I usually like it.

As a bonus, the first user to report the infection took one look at the fake security center popup and called for help without touching anything. How often does that happen? Loving it.

Drighton
Nov 30, 2005



abominable fricke posted:

Install Superantispyware to a flash key and run it

I did. I pulled the flash key back to my computer to put some files on it and Symantec started deleting all the executables on the disk all as W32.Wowinzi.A
The flash disk looks like this now.

Only registered members can see post attachments!

bazaar apparatus
Nov 30, 2006

Whenever my body starts to feel sick, I just stop being sick and be awesome instead.

Midelne posted:

As a bonus, the first user to report the infection took one look at the fake security center popup and called for help without touching anything. How often does that happen? Loving it.

Why can't my users do this....

By the time I ever get to look at most of their systems, they've hosed it up so bad just clicking on things without thinking that a 15-minute call turns into a few hours just trying to get everything out of there.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

bazaar apparatus posted:

Why can't my users do this....

By the time I ever get to look at most of their systems, they've hosed it up so bad just clicking on things without thinking that a 15-minute call turns into a few hours just trying to get everything out of there.

Trade you jobs.

BillWh0re
Aug 6, 2001




Drighton posted:

I did. I pulled the flash key back to my computer to put some files on it and Symantec started deleting all the executables on the disk all as W32.Wowinzi.A
The flash disk looks like this now.

Looks like it has an autorun.inf file, probably hidden, from some Chinese autorun worm on there. Most likely it got infected after you plugged it in. You'll probably find the same file on the root of every other drive, including network shares writable from that computer that are mapped to a drive letter, though perhaps not the C: drive. Symantec probably detected and removed the executable but not the autorun.inf file itself which is what causes explorer to show that menu.

Instead of running tools from flash drives run them from CDs so this can't happen. Especially if the computer has a file infecting virus. Also, never use explorer to open or browse drives on an infected computer because the open and explore actions usually execute the worm.

BillWh0re fucked around with this message at Dec 30, 2008 around 20:16

Elected by Dogs
Apr 20, 2006


BillWh0re posted:

Looks like it has an autorun.inf file, probably hidden, from some Chinese autorun worm on there. Most likely it got infected after you plugged it in. You'll probably find the same file on the root of every other drive, including network shares writable from that computer that are mapped to a drive letter, though perhaps not the C: drive. Symantec probably detected and removed the executable but not the autorun.inf file itself which is what causes explorer to show that menu.

Instead of running tools from flash drives run them from CDs so this can't happen. Especially if the computer has a file infecting virus. Also, never use explorer to open or browse drives on an infected computer because the open and explore actions usually execute the worm.

CDs can autorun too.

thelightguy
Feb 6, 2007

Well there's your problem.


Elected by Dogs posted:

CDs can autorun too.

CDs can't be written to once they're burned.

BillWh0re
Aug 6, 2001




Elected by Dogs posted:

CDs can autorun too.

They're read only which means they don't get infected the moment you stick them in an infected computer, which is what happens with USB sticks unless there happen to be some fancy ones that make themselves read only.

bazaar apparatus
Nov 30, 2006

Whenever my body starts to feel sick, I just stop being sick and be awesome instead.

Midelne posted:

Trade you jobs.

Heh, I'm entry-level at this place, you probably make a lot more than I do

Elected by Dogs
Apr 20, 2006


BillWh0re posted:

They're read only which means they don't get infected the moment you stick them in an infected computer, which is what happens with USB sticks unless there happen to be some fancy ones that make themselves read only.

CDRW? If it was burned along with the files (dunno if any malware does this kind of insertion) - it would still infect anyways.

Drighton
Nov 30, 2005



BillWh0re posted:

Looks like it has an autorun.inf file, probably hidden, from some Chinese autorun worm on there. Most likely it got infected after you plugged it in. You'll probably find the same file on the root of every other drive, including network shares writable from that computer that are mapped to a drive letter, though perhaps not the C: drive. Symantec probably detected and removed the executable but not the autorun.inf file itself which is what causes explorer to show that menu.

Instead of running tools from flash drives run them from CDs so this can't happen. Especially if the computer has a file infecting virus. Also, never use explorer to open or browse drives on an infected computer because the open and explore actions usually execute the worm.

Just grabbed the user's profile folder and started a format. gently caress this.

VVV good idea.

Drighton fucked around with this message at Dec 30, 2008 around 20:53

Adbot
ADBOT LOVES YOU

BillWh0re
Aug 6, 2001




Elected by Dogs posted:

CDRW? If it was burned along with the files (dunno if any malware does this kind of insertion) - it would still infect anyways.

I've not used Windows CD burning in some time but I don't think it kicks in automatically on file copies and no malware initiates the burn process. Probably just stays queued up in explorer forever or something.

Drighton posted:

Just grabbed the user's profile folder and started a format. gently caress this.

Better confiscate all their USB sticks and scan them too if you don't want to get called out again in an hours time.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«94 »