Khablam
Mar 29, 2012

univbee posted:

ComboFix specifically kills all network connectivity while running, so no remote login program is going to work, short of something like a KVM switch you can remote into. Even connecting to another computer local to it, the network is flat-out not there. This is mainly due to a lot of malware infecting the network stack in Windows for redirection purposes.

As for an unattended, sadly they decided to make the tool without one; there's no way to fully automate it, and no command-line switches programmed into it either.
Provided the machine has the Windows recovery tool installed and isn't prompted for it, you could use AutoHotkey to hit the buttons for you (assume infection and the relevant prompts). Assuming you can tab into all the yes/no boxes it wouldn't be too awkward.

You should be able to RDP into the machine after the reboot to log in.

It's not ideal, but if it's absolutely necessary to be remote this might work. Or, find a lackey.


Khablam
Mar 29, 2012

Tapedump posted:

After examining the system, it was found to have UAC disabled and was running IE8. I suspect the former to be a significant factor.
It wouldn't matter in all likelihood; ZeroAccess will manipulate Windows' DLL loading with a fake version of Flash such that the user popup will be asking the user if they should allow this action from the trusted program, Adobe Flash Player.

It's really quite ingenious.

Khablam
Mar 29, 2012

Revitalized posted:

The repair tool did something but it didn't seem to change anything for the windows Firewall, nor does it let MSE update. :(

Combofix will get the firewall up again - MSE might be stalling as certain Windows services are dependencies and also likely stopped. If combofix won't get them working again you can either track down each non-functioning component and look up a fix, or just accept the inevitable re-install.

Khablam
Mar 29, 2012

tjl posted:

I think I just found a great new password!
You'd be much better with something unique. Try The Strong Password Generator

Khablam
Mar 29, 2012

angrytech posted:

I think he's trying to gently caress up virus scanners on other servers :ssh:
But any decent server will only be storing salted hashes :v:

Khablam fucked around with this message at 11:12 on Aug 13, 2012

Khablam
Mar 29, 2012

pixaal posted:

Why hasn't something replaced java yet?

The real question is why browsers execute Java-scripts (the common attack vector for attacking Java) from any source without asking.

You can rant at people to just loving use no-script already, but the majority will expect an up-to-date browser to "do security" for them.

Java is actually pretty cool, it's just implemented in the most insecure manner imaginable by browsers.

e: The other answer is that whatever replaces Java would be the next thing attacked, just like there were no OSX viruses when no one used it.

Khablam fucked around with this message at 13:11 on Sep 1, 2012

Khablam
Mar 29, 2012

TwoKnives posted:

Java and JavaScript despite their names are totally different.
I'm referring to the fact the common attack vector is to have malicious JS execute an applet against your knowledge (commonly placed on a webpage via a banner advert - some have even made it onto these boards). If you use no-script, there's a vastly diminished attack surface. Though there are other vectors of attack, most viruses that target Java are spread this way.

Khablam
Mar 29, 2012

code:
nothing
I sandbox my browser and I've not had a single virus that couldn't be removed by right clicking "end process" in my taskbar. To that end, I have removed resident A/V from my system as it's nothing more than a resource hog (and virustotal is the best on-demand for anything suspicious anyway).

I have literally no idea why people ever, ever trust a browser to interact with their base OS, or to that end, need it to.

e: if we're talking about offering tech support to others, then anything that hooks itself in and requires in-depth cleaning is pretty much "reinstall OS, fix everything"

Khablam fucked around with this message at 17:47 on Sep 11, 2012

Khablam
Mar 29, 2012

Ceros_X posted:

Can you post some specifics on what program you use (Sandboxie?) and any config steps you take?
I do indeed use sandboxie. Default options work just fine, though I drop rights just to be sure. I'm sure the actual attack vectors against sandboxed applications are theoretical at this point, however.

I don't know how it compares to other sandbox options on the market, so I can only recommend this one. The free version is functionally very similar to the paid version - you gain a nag and the inability to force programs to always run sandboxed; meaning you need to load the programs into it (right click).

Khablam
Mar 29, 2012

Zogo posted:

Do you use the experimental protection mode (for 64-bit Windows OSs)? I haven't tried it because they say it can cause system instability but I'm curious if anyone uses it.

http://www.sandboxie.com/index.php?ExperimentalProtection

BTW I also drop rights (default option). The user account I use is a standard user anyway too.

I don't use it, since by that point you're looking at extreme edge cases in terms of a threat. From what I know about it, you would basically already need to be infected with a rootkit for any process running sandboxed to have something meaningful to do.

The likelihood of someone writing incredibly complex malware which would end up targeting a very very small percentage of machines is pretty small, so I don't lose any sleep over it; it's a numbers game to them, like casting a net.
I can tell you I can deliberately execute all of the worst rootkits out there, to no ill effect.

Khablam
Mar 29, 2012

omeg posted:

When it comes to manual removal of Bad Stuff I didn't see one useful technique mentioned in this thread (or just missed it). Let's say you browse through processes with Process Explorer and you identify some rogue ones (or just injected threads). You kill one only to see it being resurrected by another one.

What you can do is to suspend bad threads one by one. You're not killing them so most "safeguards" will not raise alarm, but the malware will be effectively non-functioning. After everything suspicious is sent to bed you can safely kill/remove it most of the time.
This is made redundant by safemode, though. Anything that still loads up in safemode is going to take more than ending processes and threads to remove.

Khablam
Mar 29, 2012

Walter_Sobchak posted:

Huh, wonder what's going on. We gotten no less than 4 separate detections this morning for "LooksLike.HTML.Blacole.a (v)". Anyone else been seeing this pop up recently?
This seems to be a heuristic hit from VIPRE which is pretty false-positive happy. VirusTotal a sample and get a wider picture.

Khablam
Mar 29, 2012

slightpirate posted:

weeeeeeee User sent in a machine loaded with the 'FBI ransomware' variant that accuses them of downloading child porn and music and whatnot and demands they go to walmart/cvs/walgreens/k-mart to get a MoneyPak worth $200 to get the FBI to release the machine, or you can put in your credit card information right from that interface! How convenient! I admire the thought put into this one though.

I've got it running the MS Defender-Offline boot disc, we'll see how well that works.

The variants I have seen of this in the UK (looks different, same thing) simply disappear after a reboot, leaving behind a couple of files that don't seem to be properly linked to run at startup. If you get major issues, there's probably something else alongside it.

Khablam
Mar 29, 2012

NecessaryEvil posted:

Throw in a sprinkle of SuperAntiSpyware and maybe a dash of SpywareBlaster.

SAS and MBAM are reactionary programs.

SB basically just blocks known bad sites in hosts file...I don't know if I still use it out of habit, or if it's doing me much good ever since I switched to browsers that have proper ad blockers...but it doesn't hurt.

At which point your machine will be at 75% of its actual performance or so. Multiple programs with an active resident is just not good. MSE is already an anti-virus/spyware/malware program so just stacking that isn't helpful.

No-script will keep you safe from 99% of web-based threats, and sandboxing your browser will take that to 99.999999% (there is no known attack vector yet) - neither of which impact system performance.

Neither is a good choice for a computer novice, but if you know what you're doing (to some level) simply preventing the intrusion / preventing it from leaving the browser is the best way to go.

Sit behind a NAT-router, install MSE and consider it an on-demand scanner for things you're not sure about (USB sticks, etc) and sandbox your browser. You'll never encounter anything that will affect your system.

You'll also enjoy much better performance as you won't have multiple residents bogging you down, and multiple services updating their engines every few minutes.

E:
vvvvvv I slightly misread and thought you were suggesting the non-free versions.

Khablam fucked around with this message at 15:43 on Oct 14, 2012

Khablam
Mar 29, 2012

skipdogg posted:

ugh, a guy just showed up with one of these and he actually sent them 200 bucks
In fairness, some variants do actually encrypt your documents - if said user had no backup for some reason*, there's data that's worth $200 for a slim chance of recovery, to some people. This is why this particular threat model is being repeated.

*the reason isn't always retardation

Khablam
Mar 29, 2012

NecessaryEvil posted:

That's kind of what I thought as well...but I've also never run into that one before.

Yes. Scans were done both on the system, outside of the Windows environment. Only thing that I didn't do was the slaving, simply because at that point they'd been unable to work for almost a day due to the scans running, and it was decided to just blow it away, especially since it took out 1/3 of the company during their crunch time.

Your company's IT structure needs a heavy handed professional look. A year old virus should not take out 1/3 of one system, let alone your entire workstation count. Especially when any combination of machine firewalls, an enterprise level AV or even just security updates would have prevented this.

Unless you were just using weird plurals and superlatives to describe a single computer :confused:

What's confusing me is that removal of this particular virus is not at all complicated; when you say it is malicious, are you meaning it is reappearing or you are simply failing to find anything and think you're still infected?

It sounds more likely you have contracted a much newer rootkit which has pulled down the virus you're discussing as an additional payload.

Khablam
Mar 29, 2012

mindphlux posted:

So, when I run hijackthis, there are tons of references to files that no longer exist - basically anything that says "file missing". And yeah, I did give that rogue killer app a run too. no dice.

O23 - Service: Bluetooth OBEX Service - Intel Corporation - C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
O23 - Service: Intel(R) Centrino(R) Wireless Bluetooth(R) + High Speed Security Service (BTHSSecurityMgr) - Intel(R) Corporation - C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: Intel(R) Dynamic Platform & Thermal Framework Processor Participant Service Application (DptfParticipantProcessorService) - Unknown owner - C:\Windows\SysWOW64\DptfParticipantProcessorService.exe
O23 - Service: Intel(R) Dynamic Platform & Thermal Framework Config TDP Service Application (DptfPolicyConfigTDPService) - Unknown owner - C:\Windows\SysWOW64\DptfPolicyConfigTDPService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Zero Configuration Service (ZeroConfigService) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe

You could very well have a system file that has been replaced with a modified version. Open a command prompt and hit "sfc /scannow" and let it verify your Windows files. You may need your installation media.

If this doesn't work, backup and do a clean install, as there's no option available to you that would take less time, so you may as well invest that time in a guaranteed fix.

I assume both your hosts file and DNS addresses are standard? If so, it looks like the dns dll has been modified, which is something a few rootkits do.
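As an added example (not code from the thread or from HijackThis itself), the triage a reader would want to run over the O23 block pasted above: parse each service line, pull out the short service name, and sort entries into the ones worth chasing versus the ones that are almost certainly noise. The "(file missing)" verdict for System32 binaries is treated as a likely WOW64 file-system-redirection artefact of a 32-bit scanner on 64-bit Windows (an assumption to confirm with `sfc /scannow`, as suggested above), while an "Unknown owner" service running from a user-writable location is the one to look at. The first three sample lines are taken from the log above; the fourth is constructed to exercise the "investigate" branch.

```python
import re

# Shape of a HijackThis O23 line:
#   "O23 - Service: <display name> (<short name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# The short service name is the last parenthesised token of the display name.
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")

# Where "(file missing)" is usually WOW64 redirection of a 32-bit scanner, not a real gap
# (assumption; confirm with sfc /scannow on the box).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations a vendor-less service is still plausible; anywhere else needs a closer look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Three lines from the pasted log plus one constructed entry (last line) for illustration.
SAMPLE_LOG = """
O23 - Service: @%SystemRoot%\\system32\\efssvc.dll,-100 (EFS) - Unknown owner - C:\\Windows\\System32\\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe
O23 - Service: @%systemroot%\\system32\\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\\Windows\\System32\\spoolsv.exe (file missing)
O23 - Service: Windows Update Helper (svchost_helper) - Unknown owner - C:\\Users\\Public\\svchost_helper.exe
"""


def parse_o23(line):
    """Return a dict for one O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["missing"] is not None
    s = SHORT_RE.search(entry["name"])
    entry["short"] = s.group("short") if s else entry["name"]
    entry["path_norm"] = entry["path"].lower()
    return entry


def classify(entry):
    """Verdict for one parsed entry; the strings are this example's own labels."""
    p = entry["path_norm"]
    if entry["missing"] and p.startswith(SYSTEM_DIRS):
        return "likely-wow64-redirection"   # expected noise on 64-bit Windows; verify with sfc
    if entry["missing"]:
        return "missing-binary"             # service points at nothing: leftover or tampered
    if entry["owner"] != "Unknown owner":
        return "known-vendor"               # vendor string present; low priority
    if not p.startswith(TRUSTED_ROOTS):
        return "investigate"                # no vendor, running from a user-writable path
    return "unknown-owner-system-path"      # plausible, but worth a hash lookup if unfamiliar


def triage(log_text):
    """Map short service name -> verdict for every O23 line in a pasted log."""
    verdicts = {}
    for line in log_text.splitlines():
        e = parse_o23(line)
        if e:
            verdicts[e["short"]] = classify(e)
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_LOG).items():
        print("%-22s %s" % (name, verdict))
```

Paste a full HijackThis log into `triage` and only the "investigate" and "missing-binary" rows need the VirusTotal treatment recommended elsewhere in the thread; the "likely-wow64-redirection" rows are the ones that `sfc /scannow` coming back clean (as it did here) explains.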

Khablam
Mar 29, 2012

There are too many unknowns for me to recommend something foolproof, so I will just ask some questions:

- How are the firewalls configured for LAN traffic? It may help to set them to see the LAN adapter as "Public"
- Are you swapping any USB drives in and out?
- Do the computers share an admin password?
- How do they connect to the internet?

Sadly my experience of MSE is that it is completely useless, and 3rd party evaluation doesn't score it much higher.* It does nothing to block/analyse network traffic and executions until it's already in the working memory, by that time it's usually too late. Decent commercial AVs (Trend Micro is a good example, as is BitDefender) and Avast! Free will scan incoming traffic for these infections and stop the transfer a long time before they're able to execute.

The fact MSE can absolutely know the file is a rootkit and still gets infected boggles my mind. Oh well.

If you can plug a known-clean machine into the network running Avast! it may give some clue where it is coming from as it will log and block the traffic.

Investigate getting your Trend Micro updated to 64bit, as it's also rated highly in tests.

* - http://www.av-comparatives.org/images/docs/avc_beh_201207_en.pdf

Best detection rate: 97%.
Best free (Avast): 91%
MSE: 76%

Their simple grading system is probably easiest to use for reference:



Take anything from 3 star and you'll not be sunk by year old viruses :(

Khablam
Mar 29, 2012

I can never work out how they inspire the engines to pop up so many false positives, since I have seen only about 2 or 3 (ever, across a myriad of machines) and they've all been the same thing; Warez files using virus-like or actual virus code to modify and inject code into DLLs (not a filthy pirate, this was back before Steam and no-cd keys were legitimately useful).

I assume they have a lot of files like this in the sample to try to trip up the engines into showing false positives. It is absolutely at odds with how they work in the real world, where you just don't see machines returning any false positives on a full system scan. They weight the false positives report much too highly in my opinion, as it needs to fire off on more than synthetically dodgy looking files to be an issue.

If MSE is deliberately designed to be 3-5% less effective in on-demand (http://www.av-comparatives.org/images/docs/avc_fdt_201209_en.pdf) and 20-30% less effective in pro-active, to make up for the one time Doris in accounting gets a false alarm on a joke Exe (or, much much much more common, simply detects malware in other programs quarantine; the majority case of false alerts and is harmless), then that's just a bad design decision.

A false positive is an annoyance; a missed sample can lead to a completely compromised system. I have no idea why they try to balance that weighting how they do.

I agree system performance is important, however. G-Data should really not be considered as it's a dual-engine and is silly. Most of the AVs these days offer less than 2% impact, which is negligible. The days of Norton hitting your system for 15% are long gone.*

quote:

Do note that that's for the proactive tests, I.E. brand new malware that nobody's seen before
Oh, I do note it. It is actually very important. Most rootkits and viruses modify themselves and/or have a multitude of variants pop up rapidly, so the ability to detect 90%+ of these without definitions adds a lot to your security. Dropping the ball on these is a big failing of any AV and MSE is a key culprit.

I know a URL that is infected with Zero-access (the nefarious rootkit) and if you want to see MSE fall on its face for yourself, PM me for it. Avast, ESET and TM will block the page from loading after detecting the infected element. MSE will do absolutely nothing and will actually not BE able to do anything, as it will handily get uninstalled by it. It does this to nearly every virus that lands on your system via a Java exploit, which is drat near to all of them these days.

This thread is all about "sexy malware" and the truth of it is, scanners like MSE are increasingly less relevant to these new types of threats. A scanner with perfect detection and zero false positives is exactly useless when it gets disabled by code it allowed to run, even though it matched a known virus. This was a problem with AV scanners in 2000 and MSE has barely made progress on that, whereas most of the rest intercept threats much further from the point of execution (yes, there are other weak scanners, I'm just making a point about this one).

I'll close by saying AV-comparatives don't include MSE (and a couple others) in their "real world" tests, as it's not seen as full system protection, essentially because, as I said previously, it does very little to stop bad code from executing in the first place.

* since MSE is insufficient on its own anyway, you will need other active residents on your system to account for this, so the real world idea that you would get better performance here is a myth.

Khablam
Mar 29, 2012

Mr Chips posted:

Microsoft aren't nostalgic enough for their massive legal battles enough with the EU & US governments enough to try and give away a complete AV/antimalware suite for free.

Not sure if you're just trying to be humorous, but they could legally do this under the rulings placed on them. The kicker was always bundling the software with Windows; nothing stops them offering whatever software they want as long as it's not in such an uncompetitive manner. MSE doesn't come pre-installed for this reason as it stands.

mindphlux posted:

I was slapping myself for not doing a sfc, but it came up clean. hosts and DNS is clean.

I'd just do a clean install, but at this point I really just want to find this fucker. the google redirect itself doesn't affect my usage of the machine horribly, so time spent isn't an issue...
Use TCPView to see if anything is making connections to anything it shouldn't be.
http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
You can WhoIS the connections it doesn't resolve and you may get some leads. If you see nothing with no browser open, try opening the browser and doing a search and seeing if it makes any connections to where it shouldn't.

What is the URL of the re-direct?
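The "look for connections to anything it shouldn't be" step above, as an added example that is not part of the post: the same view TCPView gives, but over the text of `netstat -ano` (a constructed sample here) so it can be scripted and compared between "browser closed" and "browser open" runs. It drops loopback and RFC1918 traffic, maps each remaining flow to its process (a constructed PID-to-image map standing in for `tasklist` or TCPView's process column) and returns the flows from processes you did not expect to be talking to the internet. The WHOIS step stays manual; the expected-process set is this example's assumption.

```python
import ipaddress

# Constructed sample in "netstat -ano" layout.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     2224
  TCP    192.168.1.23:49722     203.0.113.45:80        ESTABLISHED     3140
  TCP    192.168.1.23:49730     198.51.100.7:443       ESTABLISHED     1728
  TCP    [::1]:49800            [::1]:49801            ESTABLISHED     2224
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Constructed PID -> image name map (what tasklist or TCPView's process column shows).
PROCESS_BY_PID = {880: "svchost.exe", 2224: "lsass.exe", 3140: "wmpnetwk_upd.exe",
                  1728: "firefox.exe", 1100: "svchost.exe"}

# Processes expected to reach the internet on this workstation (assumption; tune per machine).
EXPECTED_TALKERS = {"firefox.exe", "svchost.exe", "MsMpEng.exe"}

# Addresses that never leave the host or LAN and so are not worth a WHOIS.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128", "fe80::/10", "fc00::/7")]


def split_endpoint(ep):
    """'1.2.3.4:443' or '[::1]:443' -> (ip_address, port); None for the '*:*' placeholder."""
    host, _, port = ep.rpartition(":")
    host = host.strip("[]")
    if host in ("", "*"):
        return None
    return ipaddress.ip_address(host), int(port)


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def parse_netstat(text):
    """Rows of netstat -ano output as dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        rows.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                     "state": parts[3] if len(parts) == 5 else "",   # UDP rows have no state
                     "pid": int(parts[-1])})
    return rows


def external_connections(text, pid_map):
    """Flows to non-local addresses, tagged with the owning process."""
    out = []
    for r in parse_netstat(text):
        ep = split_endpoint(r["remote"])
        if ep is None or r["state"] == "LISTENING" or is_local(ep[0]):
            continue
        out.append({"process": pid_map.get(r["pid"], "<unknown pid %d>" % r["pid"]),
                    "pid": r["pid"], "remote_ip": str(ep[0]), "remote_port": ep[1]})
    return out


def unexpected_talkers(text, pid_map, expected=EXPECTED_TALKERS):
    """External flows from processes not on the expected list: the WHOIS / VirusTotal candidates."""
    return [c for c in external_connections(text, pid_map) if c["process"] not in expected]


if __name__ == "__main__":
    for c in unexpected_talkers(NETSTAT_SAMPLE, PROCESS_BY_PID):
        print("%s (pid %d) -> %s:%d" % (c["process"], c["pid"], c["remote_ip"], c["remote_port"]))
```

Run it once with every browser closed and once after doing a search, as the post suggests; a process that only appears in the second run and is not the browser is the lead to WHOIS.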

Khablam
Mar 29, 2012

Toast Museum posted:

If I recall correctly, MSE's features have been integrated into Windows 8.

I'm predicting the EU Legal response as: :nyd:

NecessaryEvil posted:

As a follow up, they're getting ESET to replace Trend (it turns out that it hadn't updated in 3 years (definition dates are for 9/9/09), due to the version (7.3) no longer receiving anything new from Trend!). The boss went back and looked, and apparently, nothing's been done as far as renewals (quotes or purchases) since I started in December 09.

Unfortunately, they're wanting to try to salvage what's there (and since one of the machines I was able to run eSet's online scan gave 1200 hits, after running their removal tool, as well as MSE's initial scan), as it'll be a pain to reformat a dozen machines + a Windows 2003 Server.

I think we just need to nuke the whole site from orbit; it's the only way to be sure. Luckily, I made plans for the weekend, and am over 100 miles away, happily drinking Jack & cherry Cokes.

If salvage means anything other than "rescue key files using a non-live OS" then please beat some sense into them.

Khablam
Mar 29, 2012

Serfer posted:

So I'm assuming there should be some sort of active network defense, but what would the recommended solution be?

Of course it doesn't help me when my boss/coworkers deliberately make things insecure. Oh sure, just forcibly disable everyone's firewall and don't let them change it back. Yes no password changes ever, no length or complexity requirements sure. Everyone local admin? Perfect!

9/10ths of any corporate environment hinges on the Group policy settings your domain controller gives out, and the inevitable lockdown of the general user environment. Windows updates are vetted for compatibility then fed to the machines by the controller, and you will typically have an AV solution that is centrally controlled. DNS requests are usually local, to the controller, and many will include some manner of known-bad URL filtering, as well as the usual time-sink culprits.

It's mostly preventing your end users from getting access to, and the machine from executing, anything which you did not intend.

In any larger environment your user settings and files (+programs) won't be stored locally, and any problem is solved by writing a clean disk image onto the client machine.

If you're a small business then the usual solution is locked down (local) user accounts, a firewall/DNS filter, a good all-in A/V and daily backups.

There's basically two ways of spending IT time: fixing individual problems and implementing policy that prevents/solves wider problems. There's a tipping point where it's better to spend time on the latter to prevent the former from arising. It's a lot larger than "3 people" but you get the basic gist.

Crimson Harvest posted:

What do you guys think about the current Symantec Endpoint? We sell it to business customers at work so we can manage their antivirus remotely (we do a lot of remote network monitoring/management). I got a copy of it at-cost for my mom's system to run in unmanaged mode and it seems to have a minimal performance impact.

Benchmarks will disagree, but if it works for you and the price is right, there's no horrible reason why not. Disable the proactive detection/defence nonsense, though.

Khablam fucked around with this message at 22:07 on Oct 20, 2012

Khablam
Mar 29, 2012

Crimson Harvest posted:

Oh the heuristic stuff or the network intrusion or what? Or all of it, I guess? Seriously we have a NAT router so I don't see how the network intrusion stuff could even be remotely helpful.

It trying to suss out what is malware or not, based on loose definitions of what malware does, is a recipe for disaster. Comodo used to do something similar to this, and it was utterly terrible. They kick up a poo poo about Java, Flash and your browsers doing their normal update thing. If your end users are all computer experts then it's actually very very solid protection, but if they're not they can cripple their own systems by pressing no on "Do you REALLY want to modify this critical system file?" when they needed to press yes.
Note I've not seen the Symantec version of this in action, so take this with a grain of salt. The core idea of it doesn't synergize with user terminals in my experience. I imagine as an enterprise solution it tries to remain transparent to the client operators ... so I honestly don't know what it does well.

Intrusion protection is really about stopping a threat from phoning home, not the other way around, as like you say, NAT makes this impossible by design. My philosophy on this is to prevent the malware from landing and launching in the first place, and stopping it from dialing back is usually not going to save you a lot of manhours, as you still have a rootkit / trojan to remove all the same, you're just usually minus the fake AV asking for your CC#

The other side of this, is leave it all on until/if you encounter issues. You're in a company recommending Symantec software, so you're already way off map for usual advice ;)

Khablam
Mar 29, 2012

Crimson Harvest posted:

Hm thanks for the comments. Yeah the boss likes Symantec Endpoint for some reason. I think it's because there's a pretty decent margin in selling it. However I expect this to change in the future as we add more contract customers. We recently deployed N-able's managed service thing (moving away from Quest's) and it includes Panda-based antivirus and we have like 5000 licenses.

Bitdefender has been in the Top 3 for both detection and performance for years and years (others tend to swing quite a bit on the former) and their business solution is pretty robust - http://www.bitdefender.co.uk/business/

ESET end-point is also an excellent choice - http://www.eset.co.uk/Business/Endpoint-Protection and they offer solutions (I hate that loving word, but it applies..) to remote management and phone security (Android) that you can stick all under the same license. Android security is a legitimate need if you go to those kind of expos where you all connect to the same WiFi connection (after paying £500 for it, of course!)

Enterprise level firewalls and routers are a thing. We have used WatchGuard systems for years and never experienced an issue. The one we use currently (http://www.watchguard.com/products/xtm-5/overview.asp) can support 350,000 concurrent connections, which is essentially 1000 users running uTorrent and not giving a poo poo. But, of course it will block all torrent traffic if you ask it to ;)
These systems are less about stopping malware (some protection exists for it) and more about ensuring uptime where any downtime could be catastrophic to your business.
For instance, we have our xtm-5 set to load balance and auto-failover on two 100mbit fibre connections - if one dies for any reason it is almost totally transparent to the client machines. This also includes your VPN connections.

Note you'll want a networking specialist to both install and maintain these units.

Khablam
Mar 29, 2012

pienipple posted:

One of the computers in book keeping is infected with ZeroAccess, TDSSKiller doesn't see it though. I'm just gonna tell the kid who's ostensibly IT to flatten, delete the rootkit partition, and give this ancient piece of crap a fresh install, but what's the best tool for knocking out ZA?

An offline scan (slaved HDD, liveCD) to remove the active components, then ComboFix on the running OS (safemode) to attempt a reversal of the system hooks. If that doesn't work, then your success rate will be pretty low, and your time is better spent on flattening/reinstalling.

The easiest route if it works, is TDSS (did you try renaming the .exe?) >> ComboFix >> RogueKiller >> MBAM for cleaning anything it pulled down.

ESET have a tool to remove it, also: http://kb.eset.com/esetkb/index?page=content&id=SOLN2895 -- try running this, then into ComboFix >> RK >> MBAM.

ZA usually infects by exploiting out of date Java and weak AV that offers no HTTP scanning, something you might want to resolve.

Khablam
Mar 29, 2012

ColHannibal posted:

There is some rootkit in an ad on the forums, I can't tell what ad as it instantly reboots my PC and I have to restart in safemode for TDSS killer to wipe it out.

So apparently Avast is not doing its job and I just installed the Firefox addons from the OP, any recommendations for another free replacement?

If you have NoScript installed this really shouldn't be the case; what is making you sure it is a Rootkit, and coming from an advert here? Specifically which RootKit is being detected and where?

Khablam
Mar 29, 2012

You pretty much need to manually remove that variant, and then manually repair the damage it has done to stop it rebooting and bluescreening. By which time, you would have managed to reinstall Windows - probably 2 or 3 times over.

Flatten and reinstall the system, taking care to nuke the MBR and re-create the partitions.

e: To be clear, I am pretty sure TDSS is not getting rid of that for you; these forums aren't infected with anything that anyone else has seen.

Khablam
Mar 29, 2012

NecessaryEvil posted:

so...new AV installed, scans have been going on since Monday, and I've rebuilt all but 5 machines + server (of which 2 were clean, and never attacked).

And...now the main server is detecting infections and deleting files. Regedit, Internet Explorer, MMC (can't open active directory stuff). Those are kind of important, right?

And, the print server which is running XP tried to infect the other machines after the print driver got infected, and has broken eSet.

I loving told them. I will have to reformat every infected machine before this is over, and I will not put in another 14 hour day to rush anything, stay up until 11PM, work weekends, etc. I told them we need to clean it up right, not deal with bandaids and hope for the best.

Khablam posted:

If salvage means anything other than "rescue key files using a non-live OS" then please beat some sense into them.

:smith:

Sorry dude. Also, I'm pretty sure you're dealing with SkyNet here, so convince them to do it your way, or just walk away. It's totally lovely for someone to repeatedly butt in to have you do it the way they want, then be loaded with the extra work doing it wrong creates. It's pretty much whynottoworkinIT.txt

Khablam
Mar 29, 2012

If it's not in your job description (and I'm guessing it's not) then you need to stop being a doormat about it.

If they won't let you do it your way, then you don't do it and suggest an IT company who will. They either a) Decide your way works for them or b) hire the IT company; either result is a win for you.

Khablam
Mar 29, 2012

Just ask them to explain the literal point of "scanning" for something that there are no definitions for.


Khablam
Mar 29, 2012

Most versions of the FBI program aren't in any way clever, and loading in as a different administrator and using system restore can be a perfectly viable fix.

If you've got something dropping ZA and you're on XP/32bit Windows, then use your regular backups and just start from a clean drive. You can remove it, but at the cost of hours of your time and a certain level of uncertainty at the end.

Khablam
Mar 29, 2012

The first thing to try is to simply load into / make another user profile - if the new / other one works fine it's not a very smart variant and generic scans will clear out the executables.

Khablam
Mar 29, 2012

You can try either manually removing all the things it has changed (the ThreatExpert page you linked seems to be a good source) or you can try a system restore; the latter would be the better option.

It doesn't look like it's doing anything too clever that a wind-back won't fix.

Khablam
Mar 29, 2012

NecessaryEvil posted:

A question about the other side of the malware coin...is there something I can run as a batch file to forcefully remove McAfee VirusScan Enterprise 8.7?

Moneypak, Qakbot, and a bunch of other crap is hitting a lot more often, and the AV software they're using hasn't been updated in over a year because they let their subscription lapse; we need to get ESet put on there, but first we have to remove McAfee, and I'd hate to go around touching 200 computers.

This is the post-removal uninstallation tool: http://service.mcafee.com/FAQDocument.aspx?id=TS101331

If there are 200 machines running the same version of Windows configured in the same way, you should be able to Autohotkey the removal process; create an exe of the script and run it on all the machines, then run the above tool to complete.

ESET itself has a pretty simple network installation process.
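The mass-removal step above, as an added example that is not from the thread or from McAfee: instead of driving the uninstall wizard with AutoHotkey, look the product up in the registry's Uninstall keys and remove it silently, which is what you would push to every machine with a startup script, psexec or Invoke-Command. The display-name pattern, the log path and the assumption that the installer accepts a quiet switch are all mine; if the product has an uninstall password or self-protection turned on, the silent removal will be refused and that has to be switched off first.

```powershell
# Added example, not the thread's or McAfee's own code.
# Finds an installed product by display name and removes it silently,
# then reports the exit code so a central log can show which machines still need a visit.
param(
    [string]$NamePattern = 'McAfee VirusScan Enterprise*'   # assumed display name
)

# Both 32-bit and 64-bit uninstall hives; the WOW6432Node path is absent on 32-bit XP,
# hence SilentlyContinue.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern }

if (-not $products) {
    Write-Output "No product matching '$NamePattern' on $env:COMPUTERNAME"
    exit 0
}

foreach ($p in $products) {
    Write-Output "Removing '$($p.DisplayName)' $($p.DisplayVersion) from $env:COMPUTERNAME"

    if ($p.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        # MSI-based install: the key name is the product code, so msiexec can remove it
        # without showing any UI. /norestart keeps the user's session alive; log it verbosely.
        $proc = Start-Process -FilePath 'msiexec.exe' `
            -ArgumentList "/x $($p.PSChildName) /qn /norestart /l*v C:\Windows\Temp\av-uninstall.log" `
            -Wait -PassThru
    }
    elseif ($p.UninstallString) {
        # Non-MSI installer: run its own uninstall string. The /S quiet switch is an
        # assumption; check the vendor's documented silent switch before rolling this out.
        $proc = Start-Process -FilePath 'cmd.exe' `
            -ArgumentList "/c `"$($p.UninstallString)`" /S" -Wait -PassThru
    }
    else {
        Write-Output "No uninstall string for '$($p.DisplayName)'; skipping"
        continue
    }

    # 0 = removed, 3010 = removed but a reboot is pending; anything else needs a look.
    Write-Output "Exit code $($proc.ExitCode) on $env:COMPUTERNAME"
}
```

Run it under an account that is local admin on the targets, capture the output per machine, and only push the new AV to machines that reported 0 or 3010; the vendor's own post-removal tool from the link above still runs afterwards to clean up what the uninstaller leaves behind.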

Khablam
Mar 29, 2012

NecessaryEvil posted:

Yeah, pushing out the new Eset will be easy, it's just the removal of the old that I fear will be more difficult. Especially with no McAfee server that could potentially automate it.

And I'd have no clue how to create an exe.

If you know how to use either AHK or AutoIt, see: http://www.autohotkey.com/docs/Scripts.htm and scroll down to the section on ahk2exe.

Khablam
Mar 29, 2012

Shoot the person who didn't disable autorun via Group Policy?

I'm not sure why you're in a situation where there's ~1400 machines and you'd need to manually clean each one; that's surely an area that needs massive and immediate review in your business.
At this point, someone can use a USB stick in a coffee shop, bring it in, and cause dozens of man-hours in damage in seconds.
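Since the fix suggested above is a Group Policy setting, here is what that policy actually writes, as an added example rather than anything posted in the thread: the "Turn off Autoplay" setting under Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies sets the NoDriveTypeAutoRun value, and 0xFF covers every drive type including removable media. The script applies it locally and then audits it, so it can double as a compliance check run against the whole fleet; the output wording is mine.

```powershell
# Added example, not from the thread. Disables AutoRun for all drive types on the
# local machine (the same value the "Turn off Autoplay" GPO writes) and then verifies it.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoDriveTypeAutoRun'
$desired   = 0xFF   # bitmask: all drive types, removable and network drives included

# The Policies\Explorer key does not exist until some policy has been applied.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord `
    -Value $desired -Force | Out-Null

# Audit step: read the value back and flag any machine that does not match.
$current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($current -eq $desired) {
    Write-Output "OK: AutoRun disabled for all drive types on $env:COMPUTERNAME"
}
else {
    Write-Output "WARNING: $valueName is '$current' (expected 0xFF) on $env:COMPUTERNAME"
}
```

On XP and Server 2003 the value is only honoured once the Autorun update from Microsoft's KB967715 is installed, so the audit half is the useful part there: a machine that reports OK but still autoruns a USB stick is missing that update, not the policy.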

Khablam
Mar 29, 2012

Back in the year 2000 I crippled my school's IT room by running a dumb EXE/trojan and infecting all the machines on that network.
It took IT staff about an hour to flatten the whole room and write the machines back from images. No files or software were local since it was a domain, serving userspace and programs centrally. The PCs were glorified thin clients. This was 13 years ago and it's a lot easier to achieve similar now.

What I'm trying to say is that the scenario you presented shouldn't be the scenario you're working with, and there are some pretty cheap solutions out there to get this working on a school budget.

When you pass 1000 machines, the break-even point on expensive prevention rather than costly (time) solutions is usually a single incident - and since you can be pretty sure a single incident will always happen, it's a no brainer.
Someone somewhere needs to implement a decent IT policy, there.

Khablam fucked around with this message at 22:28 on May 7, 2013

Khablam
Mar 29, 2012

Walter_Sobchak posted:

I've had someone get hit by 2 variants of the "FBI found kiddie porn!" virus in one week. As it's the same person, I'm inclined to think that there was something I didn't get the first go round that let the PC get reinfected. Besides MBAM and ComboFix, what else am I forgetting to do here?

It's also somewhat likely he's just visited the same site which has done a drive-by for the second time.
You probably want to look at how you manage java on the machines.


Khablam
Mar 29, 2012

FDisk doesn't re-write the MBR on installing Windows to an existing partition or re-partitioning under most conditions. If you want to be safe and the drive is blank, there's really no reason why you wouldn't simply use the 'fdisk /mbr' command to write a new one.
If your MBR is compromised and you want to preserve the current installation, then under newer versions of Windows you can boot into the recovery mode and go troubleshoot > advanced > command prompt then use the 'bootrec.exe /fixmbr' command.
