GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
This thread is going to be fantastic and incredibly useful. The last thing I had trouble with was at work. Everything I tried came up clean, including MalwareBytes and Spybot. Running Combofix said something called Qoobox was the root of the problem and had no problem removing it.

I too have been disappointed in NOD32 and I'm still upset that I paid for a 2 year subscription. As much as I like their upcoming version (tried the beta), their detection rate has fallen drastically compared to other scanners. Now it's just a matter of waiting and trying to find something better that might have Windows Home Server support.


GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
Another recommendation for GMER, but it's a little more advanced. Solutions like Malwarebytes and SuperAntiSpyware are fairly simplistic and almost anyone can operate them. GMER is good at showing you some really nasty poo poo (if it's there.)

The latest AV-Comparatives report for November shows AntiVir and Kaspersky with the best rating, even though it's only around 70%. NOD32 is a well-built antivirus application with a small memory footprint. The problem with it, in my opinion at least, is that it's no longer capable of keeping up with the release rate of the latest infections.

As for wiping and reinstalling Windows, it ultimately is the best solution to eliminating infections. However, it's important to keep in mind that MBR rootkits are making a comeback. Not to mention when people reinstall systems via a recovery partition, what's the possibility of a virus infecting that partition?

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

bazaar apparatus posted:

I've got something that I think is like this. It's just called RootkitRevealer, and I think I got it from the same site I got AutoRuns from. Anyone know which is the better of the two rootkit tools?

RootkitRevealer is okay, but I think GMER is a more robust version of RootkitRevealer. Not to mention RootkitRevealer hasn't been updated since 2001 I think.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

HauntedRobot posted:

New techniques for writing malware come out, little unheard-of tools that are the first to jump on them get the praise. The only bit of this that bothers me is when the previously leading antivirus company's response isn't "let's knuckle down and find ways to clean this stuff" but "let's sell out while we're ahead and go all bloaty and shite". I'm waiting to see which way NOD jumps... if it goes the AVG route I may have to switch.

It almost kind of is going that way, but not in terms of program bloat. I used the latest NOD32 beta from their site and it has the same light memory footprint as version 3. Some new features and so forth. The problem seems to be that ESET is not doing a very good job of keeping up with malware and rootkits. To be fair, NOD32 was designed to be an anti-virus solution more than an anti-malware/rootkit one. However, when you have comparable free solutions like AntiVir and AVG able to handle these types of infections, you can't help but take a look at other software.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
It sounds like a browser hijacker. Try scanning it with SUPERAntiSpyware. The only reason I say that is because I'm seeing similar symptoms on a machine I'm working on at this very moment. One of our managers will use his laptop for about five minutes after logging on to the domain, then it will lose network connectivity. It doesn't matter if it's wired or wireless, just drops all network connections. HOSTS file is clean, Malwarebytes came up clean. ComboFix might have done something but the system was still showing the same symptoms. I'm scanning it with SUPERAntiSpyware right now and it's telling me it found 12 items of "Browser Hijacker.Internet Explorer Zone Hijack" and 53 "Adware.Tracking cookies". Probably just end up formatting it in the end.

Looks like some kind of adware/spyware called atdmt.com. Research seems to indicate it's nasty poo poo. It apparently made a bunch of registry entries at the very least.

GREAT BOOK OF DICK fucked around with this message at 01:27 on Dec 23, 2008

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

thelightguy posted:

Um, atdmt.com is an advertising company, like in page banner ads, not adware/malware. Unless you're one of the paranoid people who don't like tracking cookies.

They were 12 REGISTRY entries from atdmt.com, not cookies. Even after removing them it still loses network connectivity so I'm sure there's still something somewhere.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

brc64 posted:

I was onsite yesterday trying to figure out wtf was wrong with this Windows Server, and to kill time while it was updating (completely unpatched server, awesome), I decided to check Windows Update on a few of the PCs. I noticed that on this one Win2k box, Windows Update wouldn't load. Because the browser was so slow, I saw it attempting to open 127.0.0.1.

Let me tell you, that HOSTS file was great. It was not only blocking Windows Update and a variety of Microsoft download servers, but it also had a pretty comprehensive list of different antivirus update servers as well. So I fixed the HOSTS file and since they don't have any local antivirus software (:suicide:) I loaded up Housecall to see what came up.

I think the final count was somewhere around 4500 infections found. Most of them appeared to be :filez: hidden various places around the PC. I suspect that the doctor was probably responsible for the initial infection, but I kind of doubt he's smart enough to have a huge cache of installers and keygens hidden deep within his user profile. I suspect the bulk of that was due to one or more of the infections.

It always fills me with warm fuzzies when I come across crap like this in a medical environment. I'm glad my confidential patient information is in safe hands.

poo poo like this worries me every time I go to my doctor and see his laptop sitting on the counter, unlocked, with an RDP session into a Windows 2003 server. Granted, he does have NOD32 running on the server. Can't miss the icon when you're a few feet from the screen. :xd:
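The HOSTS-file tampering brc64 describes (update and antivirus hostnames pointed at 127.0.0.1) is easy to check for mechanically. The following is an added example, not code from the thread: it parses HOSTS text and flags any watched hostname that resolves to a loopback or unspecified address. The watch-list substrings and the sample file are constructed for the example.

```python
"""Audit a Windows HOSTS file for malware-style update-server blocking.

Added example (not from the thread). Malware often redirects antivirus
and Windows Update hostnames to 127.0.0.1 so the victim can no longer
fetch definitions or patches. This parser reads HOSTS text and flags
entries that send such hostnames to a loopback or otherwise bogus
address. The watch-list substrings below are a constructed example list.
"""
import ipaddress
import re
from typing import List, Tuple

# Substrings of hostnames we never expect in a legitimate HOSTS file.
# Constructed for the example; extend it for your own environment.
WATCH_SUBSTRINGS = (
    "windowsupdate", "update.microsoft", "download.microsoft",
    "symantec", "mcafee", "kaspersky", "eset", "trendmicro",
    "avg.com", "avira", "housecall",
)

# Matches "address  hostname [alias ...]" with an optional trailing comment.
_LINE_RE = re.compile(r"^\s*(\S+)\s+([^#]+?)\s*(?:#.*)?$")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname or alias."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        addr, names = m.groups()
        for name in names.split():
            pairs.append((addr, name.lower()))
    return pairs


def is_sinkhole_address(addr: str) -> bool:
    """True for loopback, unspecified (0.0.0.0) or non-IP targets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # not even an IP literal: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str) -> List[str]:
    """Return human-readable findings for suspicious HOSTS entries."""
    findings = []
    for addr, name in parse_hosts(text):
        # "localhost" -> loopback is the only entry Windows ships by default.
        if name in ("localhost", "localhost.localdomain"):
            continue
        watched = any(s in name for s in WATCH_SUBSTRINGS)
        if watched and is_sinkhole_address(addr):
            findings.append(f"update/AV host {name} sinkholed to {addr}")
        elif watched:
            # Pinning a vendor host to any fixed IP is still worth a look.
            findings.append(f"update/AV host {name} pinned to {addr}")
    return findings


# Constructed sample resembling the tampered file described in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com update.microsoft.com  # blocked
127.0.0.1       liveupdate.symantec.com
0.0.0.0         download.mcafee.com
192.0.2.10      www.example.com
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```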

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

Toshi posted:

I'm having major trouble with Trojan.bho, I've run malwarebytes and superantispyware, vundofix, combofix and they all catch it and say it's been removed. After a restart and rescan it's back. Short of wiping this install, does anyone else have an idea? Seems to be coming from my registry.

The virus itself is probably still hiding on your system somewhere. You could try http://housecall.trendmicro.com/ and run their online virus scan there to see if it finds anything. If that doesn't work, there are other online virus scanners available from other companies. Just have to do a Google search because I'm not sure who else has one aside from ESET and Kaspersky.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

sov68n posted:

Sorry for quoting something from the front page, but I've always hated that popup, how do you disable it?

Here.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
I've never encountered TDSserv/TDSSserv yet, but these removal instructions might help. It's basically the process for removing the driver, some files, and doing scans with Malwarebytes and SUPERAntiSpyware.

Looks like they have other guides for removing nasty programs as well.

GREAT BOOK OF DICK fucked around with this message at 21:54 on Jan 4, 2009

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
I've started scanning a machine I received from a client and so far it's found a total of 275 adware/spyware/malware infections. That's not even with using SuperAntiSpyware or Malwarebytes (I haven't gotten that far.) The original problem was a couple days ago the PC was able to access the Internet just fine but now it can't. I looked at it and it was unable to even obtain a DHCP address from the router. I ruled out the possibility of a bad cable or a bad onboard NIC so I could only presume some kind of infection had ruined the network connection. The worst part so far has been the fact that this PC only has XP SP1 installed. :ughh:

Didn't see any hidden TDSServ entries in the Device Manager. Would that be obvious if I showed hidden devices and searched through the list for "TDSServ"? I've never encountered a PC with that yet.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
Looks like the problem is fixed. It was a software issue as I suspected (probably a malware/spyware of some kind.) The most prominent infection was something called win32.keenwall, or at least sounded like that. I've already removed the antivirus logs so I'm not sure. After cleaning the system, I was able to boot into safe mode with networking and was grabbing an IP address from the router's DHCP and could browse websites just fine. It was working fine in normal Windows mode as well. Did some more cleaning with SAS and Malwarebytes. What's interesting is I ran SAS first and it didn't find anything. When I ran Malwarebytes after SAS, it found remnants of an adware program that SAS didn't find. Both programs had the latest definitions. Regardless, the system is working fine on my end now and I've removed Norton Internet Security, updated to SP3, installed AntiVir, etc.

Thanks for the tip on Norton Internet Security, I'll have to keep that in mind the next time I come across it.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
Symantec log entry:

260B0C0B1916,51,1,2,XX-XXX-XXX,X.XXXXXXXX,Trojan.Vundo,C:\Documents and Settings\X.XXXXXXXX\Local Settings\Temp\__72.tmp,5,1,19,256,37748804,"",0,,0,101 {2B95CA3A-CD4C-4840-AD74-A276289466D1} 11 3 Trojan.Vundo 1;0 0 0 ,135528452,28544,0,0,0,,,0,,0,0,1,0,XXXXX,{872CB071-7F57-4FF8-98BD-E1B1E5278705},Workstations,(IP)-172.22.2.62,,XXXXXXXXX,00:19:D1:5E:39:0C,10.1.4.4000,,,,,,,,,,,,,,,,999,,3736c986-b4b9-43b8-89b7-50423a4cb452,135528452,XXXXXXXXX

Time for a reinstall of a corporate machine! :ughh:
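The log line above, as an added parsing example that is not from the thread: it splits the comma-separated Symantec AntiVirus Corporate Edition record with Python's csv module and decodes the leading hex timestamp. The field positions and the timestamp encoding (two hex digits each for years since 1970, zero-based month, day, hour, minute, second) are from my recollection of Symantec's documented log format and should be treated as an assumption; the threat-name and path fields are what the record visibly carries.

```python
"""Parse a Symantec AntiVirus (Corporate Edition) log record.

Added example, not from the thread. ASSUMPTION: field order and the
timestamp encoding follow the SAV log format as I recall it: field 0 is
a 12-hex-digit time (years since 1970, month 0-based, day, hour, minute,
second), field 1 the event id, field 2 the category, field 4 the
computer, field 5 the user, field 6 the threat name and field 7 the
affected file. Check these against your own SAV documentation.
"""
import csv
from datetime import datetime
from typing import Dict


def decode_sav_time(field: str) -> str:
    """Turn e.g. '260B0C0B1916' into '2008-12-12 11:25:22'."""
    if len(field) != 12:
        raise ValueError(f"bad SAV time field: {field!r}")
    yy, mo, dd, hh, mi, ss = (int(field[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + yy, mo + 1, dd, hh, mi, ss).strftime("%Y-%m-%d %H:%M:%S")


def parse_sav_log_line(line: str) -> Dict[str, str]:
    """Split one comma-separated SAV record into the fields we care about."""
    # csv handles the quoted empty field ("") and leaves backslashes alone.
    fields = next(csv.reader([line]))
    if len(fields) < 8:
        raise ValueError("record too short to be a SAV log line")
    return {
        "time": decode_sav_time(fields[0]),
        "event": fields[1],
        "category": fields[2],
        "computer": fields[4],
        "user": fields[5],
        "virus": fields[6],
        "file": fields[7],
    }


def in_user_temp(path: str) -> bool:
    """Heuristic: payload dropped into a per-user Temp folder (typical of Vundo)."""
    p = path.lower()
    return "\\local settings\\temp\\" in p or "\\appdata\\local\\temp\\" in p


# The (redacted) record quoted in the post above.
SAMPLE_LINE = (
    '260B0C0B1916,51,1,2,XX-XXX-XXX,X.XXXXXXXX,Trojan.Vundo,'
    'C:\\Documents and Settings\\X.XXXXXXXX\\Local Settings\\Temp\\__72.tmp,'
    '5,1,19,256,37748804,"",0,,0,101 {2B95CA3A-CD4C-4840-AD74-A276289466D1} '
    '11 3 Trojan.Vundo 1;0 0 0 ,135528452,28544,0,0,0,,,0,,0,0,1,0,XXXXX,'
    '{872CB071-7F57-4FF8-98BD-E1B1E5278705},Workstations,(IP)-172.22.2.62,,'
    'XXXXXXXXX,00:19:D1:5E:39:0C,10.1.4.4000,,,,,,,,,,,,,,,,999,,'
    '3736c986-b4b9-43b8-89b7-50423a4cb452,135528452,XXXXXXXXX'
)

if __name__ == "__main__":
    rec = parse_sav_log_line(SAMPLE_LINE)
    print(f"{rec['time']} {rec['computer']}: {rec['virus']} in {rec['file']}")
```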

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

GreenFuz posted:

My general rule of thumb with Vundo is to put the user's files into a quarantine, zero the drive, and reinstall Windows while scanning the files. Trying to clean it out completely isn't worth the time and effort.

Also, is it me, or does Vundo just kick the everloving poo poo out of Symantec? It was a problem for my company until we switched from SAV to Trend. It could just be coincidence, though.

It's funny you should mention that. My boss just logged into the machine in our office that sits across from mine. Trend Micro popped up red flagging DLL files in Windows\System32 as being Vundo. No idea how the gently caress it got there and why it found it today. Nasty poo poo, too. It won't let me boot into safe mode, stop it in msconfig, terminate processes, etc. Right now I put scanners on a jump drive and loaded them up on the infected machine (also unplugged its network connection).

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

GreenFuz posted:

Hilariously, a short time after I typed that, I got a nice little notification from our Officescan server:

"No action required" = No cleaning done. Yeah, I think I'll stop using Active Action and start nuking everything on sight. So now I'm having fun with UBCDWin, scanning merrily away so I can grab files, maybe do some forensics, and then some hot hot flattening action.

edit: weirdly, the logs say that cleaning WAS done, but just to the registry. I doubt that it was limited to that.

I used all of the programs I could possibly think of to clean the machine, but I still think there's something on there. The end task window appearing prompting me to shutdown cmd.exe upon logging out of an administrative account is a good hint. I'll just have to re-image the machine via the WDS server. Sucks I have to do it because this particular machine has a lot of AD, SMS, etc. utilities installed on it. I think this infection pissed my boss off so much, he called TrendMicro and cancelled our licensing. Looks like we're switching to Kaspersky!

What I found interesting was a scan with SUPERAntiSpyware flagged a .gif image as being an infection and that image was in the profile of a former co-worker. If that's how Vundo actually got there in the first place, color me impressed.

GREAT BOOK OF DICK fucked around with this message at 04:23 on Jan 16, 2009

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

brc64 posted:

One of my coworkers who does some work on the side for a local hospital told me she was instructed not to log into the hospital network until further notice. Apparently there's been a crippling virus outbreak that they're still trying to contain, and they've instructed everybody on the hospital network to turn off their computers until they can clean up the mess.

Sounds like conficker or something, based on the description. Whoops.

I heard the exact same thing from someone in my area as well about this. Are you sure there's not some spam e-mail going around with hospital IT experiences? :xd: Although it sounds completely feasible if there is lovely IT security within the majority of U.S. hospitals. That alone is a scary thought.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

Suspicious posted:

Why flatten everything when you can use a live CD or plug the hard drive in a healthy system and scan it from there? Rootkits and such can't hide if they're not even loaded.

Because something like the ultimate boot cd for windows can't necessarily help you clean everything. Something like the Geeksquad MRI CD can actually mount the Windows installation and have the ability to clean registry entries, hidden files, etc. I'm probably not as educated on utilizing an ultimate boot cd to its fullest potential, but I haven't found any easy way to clean everything with it.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

brc64 posted:

I tested VIPRE Enterprise here and loved it. My boss proposed it to the owner as an alternative to OfficeScan (which STILL isn't Server 2008 compatible), citing better protection and management AND lower cost (which means we can make more money from it). Owner dismissed the idea without even giving it 2 seconds of thought. :(

Is the owner some kind of OfficeScan fanboy? We just finished ridding our network of that poo poo and forced CDW to give us a refund on it AND exchange it with Kaspersky. $12,000 and a 400 user license later, we're now securing our systems with it and so far it's found plenty of infections that TrendMicro and Symantec did not. That's for a three year license and they even threw in a free, one year subscription to Kaspersky Internet Security for the first 300 users who ask our department for an activation key. That's not even the best part, either. When we e-mail the company employee instructions to obtain Kaspersky and their activation code, the e-mail also tells them to call Kaspersky for further support. :toot:

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

GreenFuz posted:

Kaspersky is probably going to be a tougher sell, at least to people who've heard about their site getting hacked with a SQL injection. How the hell did your boss get CDW to refund you for TM, and how smoothly did the deployment go? Oh yeah, and did you notice any performance gains when moving to Kaspersky? OfficeScan is a bloody pig.

Yeah, that whole SQL injection story came out a couple weeks after finishing the Kaspersky deployment. I linked my boss to it and his response was "Okay, so what? I don't have any account information, logins, etc. on their site." If you knew my boss like I have for the past couple years, you'd find out he's the type of person who would call Krispy Kreme and argue with the manager because the doughnut he received was cold upon arrival when it was supposed to be fresh and warm. He has little sympathy and patience for any vendor. If you don't meet his level of satisfaction, he will go over your head and find someone who will. That's how he got his CDW representative to take our TrendMicro purchase back and give us Kaspersky for the entire company. The deployment was okay for the most part. We had 10-15 machines out of 300 or so that didn't complete the automated installation. When I investigated, the majority of those machines were either turned off or locked up. The ones that were locked up were older machines (one had a 10GB hard drive with some local user profiles stored on it so the installation choked on a lack of free disk space.) The other problem we had was that some mobile users could no longer RDP to their desktops because Kaspersky had its "Anti-Hacker" feature turned on by default. Apparently it's just a custom firewall set to block incoming RDP connections from the outside world. That's really it. Performance is about the same between Kaspersky and OfficeScan. I didn't notice any drastic differences, aside from OfficeScan's terrible default level of security. We also complete any scans or updates on all workstations after 10pm though when employees are gone.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

Bob Morales posted:

I caught something from either Sherdog.com or Sportbikes.net

I had an up to date AVG running, I'm behind a NAT'd router, and had Windows firewall on.

After a couple minutes, routing table gets filled with static entries and the net becomes un-surfable. And I have a bazillion SMTP connections going, to all around the world.

Malwarebytes finds nothing. Neither does AVG. What should I try?

Use the latest version of Java and Adobe Reader. This cannot be stressed enough when you consider how many different things will surprise-infect you via a vulnerability in either of those. I watched a machine in a domain that was fine and sitting unused for a month contract Virtumonde because of an outdated Java install/infected .GIF image.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
It looks like ESET has officially released NOD32 v4 to the public. I just installed it so I don't really know how well it works. What's neat so far is its SysInspector utility and RescueCD creator. It feels like v3 but it seems to do a little bit more. Maybe someone can try it out in the field and see if it's any better at picking up on the latest infections.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
I just came across that Antivirus 360 poo poo going around for the first time on a manager's laptop. I have to admit, I could understand why some people would think it's a legitimate program. Whoever makes it did a bang up job making it look good. I didn't even bother examining it though, he just gave the okay to flatten and reinstall.

When I find Limewire installed on infected machines, I've only had to explain to teenagers/parents once not to use it because that's the likely source of their infections. They seem to listen to the person fixing the computer (as they should.)

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

Elected by Dogs posted:

Cute, there's a worm/virus with mipsel shellcode and bruteforcing ddwrt/etc routers.

For those who don't know what that's about see this link. Anyone who set up a home router with these firmwares and configured it in this lovely way should be aware. They should also learn how to secure their poo poo.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
If the author(s) of Conficker are truly insane (like The Joker kind of crazy), they could simply use April Fool's day as a parting gift to the world. Force all infected clients to format C: on April 1st and delete everything, including Conficker.

I'd have to give a round of applause to that.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

brc64 posted:

I had this lovely email (slightly edited) when I came in this morning. The time on the email was 3:21 AM.

Funny thing is, I checked the OfficeScan Server Console and found the virus reports, but when I checked the locations via c$, none of the files reported were present. I hate Trend.

I never called her, either.

From what I've noticed in our company, do not trust another anti-virus vendor (Kaspersky) having 100% success removing Trend from all workstations automatically before installing their product. We had a lot of machines that were crashing or running very slowly simply because Trend was never completely uninstalled. Trend really does have a horrible loving product.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
Looks like I'm dealing with Win32/Virut.NBM on my aunt's PC. She said she was searching Craigslist for things to buy and she opened a link on there that probably infected her. At least she came forward and admitted that she's been using McAfee and it's since been expired for 2+ years.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

BillWh0re posted:

This thing is a real bastard once you're infected because the infection routine has a significant chance to just trash each file it infects so it can't be recovered.

Fortunately it doesn't appear to corrupt .jpg files which is essentially all that needs to be saved from the machine. It looks like it also corrupted the Dell recovery partition as well because attempting to launch it only reaches a certain point. Thankfully Dell included recovery media. (The hard drive did pass a diagnostic check earlier in the day)

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

1997 posted:

I just did some digging and from what I see they are all hidden partitions, unmounted and accessible through Ctrl+F11. Learn something new every day.

Dell Support link here: http://support.dell.com/support/top...ng=&toggle=&dl=

The really old Dells came with CDs, but the newer ones come with recovery partitions on the primary drive. This one in particular is maybe a couple years old and it had a recovery partition and physical media. Maybe Dell has changed this recently to include both? Not sure, but I applaud the decision. As far as I recall, they used to only provide the recovery partition and no way to make media on your own. But yeah, on any recent Dell machine with Windows XP, you simply press Ctrl+F11 when you see a DOS window with a blue bar across the top that says Dell upon startup.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

BillWh0re posted:

To be honest nine out of ten times I've been able to disinfect it fine booting into safe mode and using a command line scanner. Occasionally it will trash an executable beyond repair and that'll have to be restored from backup. The key is to realise it's a fast infector, so once Virut is loaded in memory any file you open will become infected (or all the files in any folder you browse in explorer), and using some anti-virus scanners will result in everything they scan becoming infected (which might not be a problem if they get immediately disinfected). Booting into safe mode and stopping all the non-essential services allows almost everything to be scanned and disinfected, aside from maybe cmd.exe if you're using a command line scanner since it'll be running.

Yeah it was pretty much too late in this situation. She had initially called me saying "Internet Explorer keeps crashing when I try to open it." We had agreed to leave the machine off and I would come retrieve it. She called back again saying she started the machine back up and now it just has a blue screen. It was caught in an infinite BSOD loop at that point so I could only presume it was either a fake, or the virus had infected an important .exe file.

Thanks for the heads up on the removable media, Otacon. I had a feeling it was an autorun type of virus but I didn't know the extent of the infection. I'll have to make sure she's formatted any of her camera cards and so forth.


GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

Luigi Thirty posted:

I don't know any PC viruses that do that offhand, but virus writers have been doing things like that since the olden days.

I want this virus.
