Search Amazon.com:
Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
«88 »
  • Post
  • Reply
slidebite
Nov 6, 2005

Happiness is a tight butt and flat tummy. I have neither but yours looks awesome BTW do you have any beer?

Otacon posted:

Oh boy, interesting day at the office.

I'm by no means a hardware wizard and probably have no right posting in this thread other than being one to ASK for help instead of to give ( ) but could you pull the internal drive out of the laptop and plug it in as an extra drive on a different PC and scan it that way?

Adbot
ADBOT LOVES YOU

Otacon
Aug 13, 2002



slidebite posted:

I'm by no means a hardware wizard and probably have no right posting in this thread other than being one to ASK for help instead of to give ( ) but could you pull the internal drive out of the laptop and plug it in as an extra drive on a different PC and scan it that way?

I've done this in the past, and while Avast can scan the drive, nothing I find can scan the registry. SuperAntiSpyware can scan directories, but thats it. MBAM can't scan anything selectively. So while I'd remove any viruses, I'd only get some of the malware, which would still leave me unable to boot into Windows.

I'm almost absolutely sure that one of her graphic drivers was infected, and since it was from the VAIO setup CD, and didn't come installed with Windows, that the Windows Repair didn't replace it.

I guess I could take a look in the system32 folder through ERD and look for suspicious files, I was just hoping someone would post something like: "Hi! Here are the drivers you need, in .sys and .ini format. Just unzip them to system32 and reboot!"

A man can wish, right?

Cojawfee
May 31, 2006

THE CLAMPS!
or clamp like device


If it is just a driver, and not a hardware problem. You can just delete the driver totally and see if that lets you get into windows. This is assuming that the machine doesn't need a sata driver to see the hard drive that is part of the chipset.

darkforce898
Sep 11, 2007
Rawr

Otacon posted:

The other case was a Toshiba laptop that freezes upon the insertion of any USB plug. All of the plugs freeze the system. Flashdrives, Printers, anything USB will freeze it. This sounds like hardware to me, but she claims it just started happening a few weeks ago. Any ideas on this one? I've never experienced these problems before. Please help.

I would try removing and putting the motherboard drivers and chipset back on. It could be as simple as user error deleting something hat is needed.

Also, all you people with malware and spyware issues, I would head over to bleepingcomputer and post there. They are amazing at this kind of stuff.

CalvinandHobbes
Aug 4, 2004



I am a moderatly knowledegable user and i think i'm in over my head. I'm trying to fix my sister in law's computer which had the spyguard 2008 on it for at least a week. Unfortunatly its downloaded several other viruses (i've detected winlogun, winlogin, prunnet, and one more that starts with r32). The big problem is that i can't install or run ANY programs. I had malware bytes on it from earlier but attempting to run it does nothing ( the process appears in task manager but it never loads anything). I can't install combofix even in safe mode. I tried installing superantispyware to a flash drive but attempting to run it just says superantispyware has encountered a problem and needs to close ( thanks to this thread for the forewarning that my flash drive would get infected!).

I've go through msconfig and disabled all the startup files from the virus' i could find (which is how i know it is infected by the above). The winlogin and winlogun still appear on reboots however.

Do i have any options left other than flatten and reinstall?

Oh, i if i leave the flash drive in while booting windows normally, it will hang ( the taskbar will not load nor will explorer, until the flash drive is removed then it proceeds normally to its current virus ridden state.

Cojawfee
May 31, 2006

THE CLAMPS!
or clamp like device


Did you try disabling TDSServ in device manager? Show hidden devices, and it is under nonsystem devices. After that, rename the malware bytes exe, update and run in safe mode.

Otacon
Aug 13, 2002



CalvinandHobbes posted:

I am a moderatly knowledegable user and i think i'm in over my head.

I'd recommend getting Gmer, a rootkit finder, and renaming the file to something else - ie, "SOMETHINGAWFUL.exe" and running that. I bet it'll find something ugly.

Just navigate with the tabs at the top of the screen. Entries in red are suspect and should be investigated.

Other than that, the TDSServ service will also do this. Give that a lookie, too.

CalvinandHobbes
Aug 4, 2004



oh boy, my first rootkit!

So Gmer found the Tdsserv rookit ( i thought i had disabled it i missed one).

Disabling it allowed combofix to run and i has just detected a rookit in windows\system32\ntos.exe.

This will be a long day.

CalvinandHobbes
Aug 4, 2004



*welp*

This is somewhat embarrassing but i, uh, seem to have lost access to explorer.exe. I ran combofix, it detected ntos.exe and prompted me to restart. However now when windows starts, either normally or in safe mode, it doesn't load the taskbar.

I got task manager running and noted that explorer.exe was not running. Attempting to start explorer.exe gets a prompt saying " windows cannot find explorer.exe. Make sure you typed the name in correctly...". I can load internet explorer however internet explorer cannot load the C drive...

As a somewhat Pyrrhic victory, I can now load malwarebytes with taskmanager and its running now...

Worse yet, I have an XP professional install disk, the computer runs XP home and i am not being given an option for a repair install. Is there something i can do with the recovery console?

edit: well, i copied explorer.exe and renamed the new file explorero.exe. Running explorero.exe gives me access to mycomputer but i still get no taskbar.

edit #2: I found a forum post that seems to describe whats going on: http://www.tomshardware.com/forum/86497-45-windows-find-explorer


tomshardware posted:


- System gets infected by virus
- Antivirus software is installed, including updates
- Antivirus software runs, cleans out several infected files
- At next boot, Windows shell does not run
- When in Task Manager (started by pressing CTRL-ALT-DEL), when choosing File, Run and entering explorer.exe, error message "Windows cannot find explorer.exe".
- If you open a DOS prompt and browse to C:\WINDOWS and do DIR EX*., explorer.exe shows up. You can rename the file, delete the file, etc.; the file is clearly there.
- If you try to replace explorer.exe with a copy from a Windows installation CD, you still get "Windows cannot find explorer.exe"

The registry entry HKLM/Software/Microsoft/Windows NT/Current Version/Image File Execution Options/explorer.exe has a key similar to "Debugger" with value similar to "C:\Windows\Infected.exe".

The antivirus software has successfully removed Infected.exe, but it has not done anything to remedy the registry entry created by the virus; it is this registry entry that is causing Windows not to be able to run explorer.exe, and unfortunately the Windows error message is not really accurate.

The solution then is to remove the "Debugger" registry key. Then, explorer.exe has no restrictions when you attempt to run it; after you do this, reboot, and you should find that the system is back to normal (assuming there are no other registry entries that have been altered, or other viruses on the system, etc.)

CalvinandHobbes fucked around with this message at Jan 4, 2009 around 19:30

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma


I've never encountered TDSserv/TDSSserv yet, but these removal instructions might help. It's basically the process for removing the driver, some files, and doing scans with Malwarebytes and SUPERAntiSpyware.

Looks like they have other guides for removing nasty programs as well.

GREAT BOOK OF DICK fucked around with this message at Jan 4, 2009 around 20:54

darkforce898
Sep 11, 2007
Rawr

Cool new trojan here

http://torrentfreak.com/trojan-bloc...ininova-090104/

quote:

The trojan in question (Troj/Qhost-AC) identified by anti-virus company Sophos, is a rather unusual one. It doesn’t seem to install spyware or traditional malware, but instead blocks access to the two most popular BitTorrent sites.

Luigi Thirty
Apr 30, 2006

Emergency confection port.


Are there any new viruses that can cause fake MCE BSODs in XP? My computer threw one earlier, but my system event log is clean and there's no memory file in my Windows folder. I have AVG scanning every morning, and it hasn't spotted anything outside of about the evils of tracking cookies.

No, it's not Antivirus XP 2008.

Jaketeck
Jul 6, 2004

<3 Robots

Luigi Thirty posted:

Are there any new viruses that can cause fake MCE BSODs in XP? My computer threw one earlier, but my system event log is clean and there's no memory file in my Windows folder. I have AVG scanning every morning, and it hasn't spotted anything outside of about the evils of tracking cookies.

No, it's not Antivirus XP 2008.

Yes. The Blue screens are funny bescasue they will direct you to "maliciousurl.com" to fix the problem. Also your computer will fake restart in about 10 seconds.

Cojawfee
May 31, 2006

THE CLAMPS!
or clamp like device


Luigi Thirty posted:

Are there any new viruses that can cause fake MCE BSODs in XP? My computer threw one earlier, but my system event log is clean and there's no memory file in my Windows folder. I have AVG scanning every morning, and it hasn't spotted anything outside of about the evils of tracking cookies.

No, it's not Antivirus XP 2008.

It installs a screensaver. Which is in your system32 directory I believe, it starts with bluescrn*random characters* or something like that. It is easy to spot, the beginning of the name is some variant of blue with random letters after. It is a prank screensaver created years ago that throws up blue screens to your specific OS (probably not Vista) and it takes information from your system so they look real. After a few seconds, it pretends to restart. If you press a key on the keyboard, it will go back to normal. Run malware bytes or super antispyware and it will get rid of the trojan.

Stanley Pain
Jun 16, 2001

In humility and with no need for Divine Guidance, I make this pledge.


Anyone else reading this thread getting more and more paranoid? I think I need to lay off the weed a bit

vlack
Feb 7, 2004

Stay frosty, Sparky

Otacon posted:

I've done this in the past, and while Avast can scan the drive, nothing I find can scan the registry. SuperAntiSpyware can scan directories, but thats it. MBAM can't scan anything selectively. So while I'd remove any viruses, I'd only get some of the malware, which would still leave me unable to boot into Windows.

None of these are automatic, but if you know what keys to delete, BartPE can use Registry Editor PE (not installed by default, you have to add it as a plugin), which will load the registry on the hard disk, not the one on the BartPE cdrom. UBCD4Win is BartPE plus all of this poo poo, which inlcudes some registry editors as well. I haven't used those, but they'd be useless unless they could also load the registry hives off of a hard disk so I assume that that functionality is in there somewhere.

I know that UBCD has SUPERAntiSpyware included, as well as Ad Aware and several virus scanners. I've never used them though to learn if they scan the registry of the host system, or if they're just for scanning of individual files.

There's also the comedy Offline NT Password & Registry Editor option - edit the registry at the Linux command line!

Cojawfee
May 31, 2006

THE CLAMPS!
or clamp like device


UBCD4Win can load the registry off the machine. Well, registry restore can, and all the scanners can.

TheRationalRedditor
Jul 17, 2000

WHO ABUSED HIM. WHO ABUSED THE BOY.


Stanley Pain posted:

Anyone else reading this thread getting more and more paranoid? I think I need to lay off the weed a bit
Haha yeah, it's such a bad feeling to find any kind of malware as a savvy computer user though. I remember the MSblaster episode all too well, I had never gotten a virus of any type previous to that in over a decade of internet usage and I was freakin' out!!

Stanley Pain
Jun 16, 2001

In humility and with no need for Divine Guidance, I make this pledge.


hall n oates mom posted:

Haha yeah, it's such a bad feeling to find any kind of malware as a savvy computer user though. I remember the MSblaster episode all too well, I had never gotten a virus of any type previous to that in over a decade of internet usage and I was freakin' out!!

I remember the first time I got a virus (trading floppies with friends at school). I think it was sometime around the DOS 5.0 days. I didn't have a virus scanner at the time but something just didn't feel right. I was buggin' out pretty heavily.

I loaded up some .exes in a hex editor and noticed some strange text embedded in them. I think back then F-prot was the A/V of choice. Since then I've never had a full blown infection mainly due to paranoia

TheRationalRedditor
Jul 17, 2000

WHO ABUSED HIM. WHO ABUSED THE BOY.


I like how superantispyware is a strong part of the current vanguard of standard-issue protection, given that its name is in the vein of all these deceptive-yet-ludicrously titled malware programs that have been floating around for a while now.

Stanley Pain
Jun 16, 2001

In humility and with no need for Divine Guidance, I make this pledge.


I fully expect to see Malware PWN, Epic Spyware Win, and I can has Anti-Malware within the next year or two .

Cultural Imperial
Sep 17, 2004
hay

I spent close to 12 hours trying to clean up my laptop which was infected with TDSServ. I'm close to speechless at how difficult it was to determine the root of the problem and how easy the fix, or so it seems, is (disabling the tdss.sys driver and cleaning). I'm running another check with spybot S&D right now.

I've also run malwarebytes but I assume my job isn't done yet is it? Should I install and run SUPERAntispyware (god I hate that name)?

Stanley Pain
Jun 16, 2001

In humility and with no need for Divine Guidance, I make this pledge.


Cultural Imperial posted:

I spent close to 12 hours trying to clean up my laptop which was infected with TDSServ. I'm close to speechless at how difficult it was to determine the root of the problem and how easy the fix, or so it seems, is (disabling the tdss.sys driver and cleaning). I'm running another check with spybot S&D right now.

I've also run malwarebytes but I assume my job isn't done yet is it? Should I install and run SUPERAntispyware (god I hate that name)?

That's the thing with rootkits. They are by nature VERY hard to find, but once you know they are there are fairly easy to remove.

Things will start to get interesting when these stealthy boot sector viruses get more prevalent.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

darkforce898 posted:

Cool new trojan here

http://torrentfreak.com/trojan-bloc...ininova-090104/

Thanks, that was good for a laugh. I can't help but think it was some well-meaning torrenter hitting the torrent community in a relatively harmless way that would still make most of them panic and install the antivirus software they should've been running from the beginning. Viruses? Pssh, I'm careful. Torrent-blocking? OH GOD~~

Kaltag
Jul 29, 2003

WHAT HOMIE? I know dis ain't be all of it. How much of dat sweet crude you be holdin' out on me?

I keep my OS/programs and data on separate HDs so when I get this poo poo i just nuke the OS/programs HD.

The way I see it is if you take a poo poo on a plate, no matter how well you clean it you'll never want to eat off it again.

brc64
Mar 21, 2008

I wear my sunglasses at night.

Kaltag posted:

I keep my OS/programs and data on separate HDs so when I get this poo poo i just nuke the OS/programs HD.

The way I see it is if you take a poo poo on a plate, no matter how well you clean it you'll never want to eat off it again.
While I certainly appreciate the separate OS partition or drive, what's to stop a virus from infecting your data drive as well?

EnFuego468
Apr 25, 2008


I recently encountered a Halmark/Coca Cola/ McDonalds virus that infected nearly over 300 machines in about 24 hours. (I work as a support tech) It was smart enough to infect flash drives.
It really is amazing how many people deny opening this email virus despite the evidence against them. There were also a few cases of people not wanting to lose flash drive data, so they denied the fact that they used them only to reinfect their machine minutes after getting it back.
Removal tools were useless because reinfections were popping back up everywhere. The only thing we were able to do is backup and reimage all machines.

nail
Jul 15, 2005



EnFuego468 posted:

The only thing we were able to do is backup and reimage all machines.
And wipe flash drives, I take it? Haha, how did people react to that one?
edit: Also, don't be surprised to see the issue persist as flash drives (I assume) continue to be used between home computers and the office.

Suspicious
Apr 30, 2005
You know he's the villain, because he's got shifty eyes.


Disabling autorun is a lot less work than reimaging all the machines.

EnFuego468
Apr 25, 2008


hyperborean posted:

And wipe flash drives, I take it? Haha, how did people react to that one? edit: Also, don't be surprised to see the issue continue as flash drives (I assume) continue to be used between home computers and the office.

They acted like it was our fault (of course). I mainly deal with college professors/faculty who often use the argument "You should have checked your email to find out about this assignment" against students. My response was "You should have read the email warning you not to open it... Needless to say my butt was covered with that argument.
Also, once the 2 day lag on virus definitions (to avoid false alarms) kicked in, no one was reinfected.

Stanley Pain posted:

That's the thing with rootkits. They are by nature VERY hard to find, but once you know they are there are fairly easy to remove.

Things will start to get interesting when these stealthy boot sector viruses get more prevalent.
Once we see a computer running slow or behaving strangely, we generally pull the drive out and scan using an external drive connector to find rootkits. They generally just fool the OS on the said drive so that it cannot see the virus.

Suspicious posted:

Disabling autorun is a lot less work than reimaging all the machines.
We did this as well as disabling system restore before cleanup--however it doesn't exactly fix an already infected machine.

EnFuego468 fucked around with this message at Jan 6, 2009 around 19:26

bazaar apparatus
Nov 30, 2006

Whenever my body starts to feel sick, I just stop being sick and be awesome instead.

Ok, this mousehook.dll/frmwrk32.exe thing that's been popping up today has been a bit ridiculous

Noghri_ViR
Oct 19, 2001

Your party has died.
Please press [ENTER] to continue to the
Las Vegas Bowl


So I got ahold of a geeksquad cd the other day from a customer that took their laptop to them, found out what their prices were and then brought it to me. I have to say I like the concept of the LASER part of the CD. I like how it boots to BartPE and then runs all those different virus scanners and spyware scanners. Is there anything out there that's similar or a project that someone has started to replicate this?

Doc Faustus
Sep 6, 2005

Philippe is such an angry eater

I've got a machine on my hands with what appears to be (among other things) a fake java updater. Anyone seen this before?

Trinitrotoluene
Dec 25, 2004



Noghri_ViR posted:

So I got ahold of a geeksquad cd the other day from a customer that took their laptop to them, found out what their prices were and then brought it to me. I have to say I like the concept of the LASER part of the CD. I like how it boots to BartPE and then runs all those different virus scanners and spyware scanners. Is there anything out there that's similar or a project that someone has started to replicate this?

Does it run that automatically? I'd love to get hold of a PE CD that could run them all automatically.

Noghri_ViR
Oct 19, 2001

Your party has died.
Please press [ENTER] to continue to the
Las Vegas Bowl


Trinitrotoluene posted:

Does it run that automatically? I'd love to get hold of a PE CD that could run them all automatically.

Yea you click on it to run, it download all the virus/spyware updates, reboots in BartPE, runs about 4 antivirus programs and 5 spyware programs, displays a report and has you reboot. Granted running all that poo poo takes a long time, but if I could automate that I could just run it overnight and forget about it until morning.

Jonny 290
May 5, 2005


fully trained greenskeeper


I was playing around with VMWare Thinapp to do stuff like that, then I realized that it costs $$$$$$$$ and my small shop could never afford it.

Cool app though.

Bruegels Fuckbooks
Sep 14, 2004

i keep my word and i will kill you like i said
killing me? thats impossible for anyone


brc64 posted:

While I certainly appreciate the separate OS partition or drive, what's to stop a virus from infecting your data drive as well?

It's not unheard of for a virus to be able to hide in a data file (like a pdf, etc.) but it's rare. The vast majority of viruses/malware you'll encounter are going to infect Windows installs, and if you don't have an install of Windows on the drive, you're safe from those. There are the few oddball ones that will infect anything executable, and there are some that can hide in certain data files (waiting to be opened by a program with a security hole) but they're in the minority. In theory (and if you want to be secure) you should probably format both your data drive and your system drive if you get infected but that's probably unnecessary on a home pc - might be worth scanning the data drive with a virus scanner or something just to be on the safe side though.

Cojawfee
May 31, 2006

THE CLAMPS!
or clamp like device


For anyone having trouble with TDSServ and can't get malwarebytes or SAS to run no matter what. Run it in Windows 2000 compatibility mode.

^^^ A long time ago we had one guy who had every single mp3 on his computer infected.

Cojawfee fucked around with this message at Jan 7, 2009 around 02:53

Kaltag
Jul 29, 2003

WHAT HOMIE? I know dis ain't be all of it. How much of dat sweet crude you be holdin' out on me?

brc64 posted:

While I certainly appreciate the separate OS partition or drive, what's to stop a virus from infecting your data drive as well?

I've never had that happen to me or any of my friends that I've done this for, including the worst of the AV 2009 variants. I don't know if I've been conditioned not to fall for the worst stuff or just been lucky.

Adbot
ADBOT LOVES YOU

Cojawfee
May 31, 2006

THE CLAMPS!
or clamp like device


I don't think people really go for infecting files anymore. It's mostly just install something, and try to get some money.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
«88 »