|
AceSnyp3r posted: I have a question kind of related to this thread. Are there/have there been any known ways for a virus to spread via e-mail without the use of an attachment or embedded image/audio/video/java/etc.?

I can't remember any offhand but there have been a few that have sent emails with attachments then used a MIME vulnerability in Outlook to open the attachment without user intervention. Also if the mail reader is vulnerable to running HTML it shouldn't, in the message body, then the payload can come from a remote website rather than an attachment.

quote: That's interesting, is there another new image vulnerability in Windows or something? I'm kind of interested in how exactly a hacked JPG like you're talking about works.

Most infected JPEGs, GIFs and PNGs these days are just legitimate image files with iframes or script tags appended. I think there's some way to get a browser to render them as HTML so the tags work but I forget how it happens.
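The appended-tag trick described above can be checked for mechanically: an image container has a well-defined end (the JPEG EOI marker, the PNG IEND chunk), and anything after that point is foreign data which a browser tricked into treating the file as HTML could render. The following is an added example, not code from the thread or any poster: a Python checker that walks the JPEG segment structure and the PNG chunk list to find the true end of the image, then looks for HTML tags in whatever follows. The sample files are constructed inline and the list of tags to flag is the example's own choice.

```python
import re
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Tags worth flagging in trailing data (this list is an assumption, not from the thread).
TAG_RE = re.compile(rb"<\s*(iframe|script|object|embed|html)\b", re.IGNORECASE)


def jpeg_end(data):
    """Walk the JPEG segment structure and return the offset just past the EOI
    marker (FF D9), or None if the stream is malformed. Handles baseline and
    progressive files by skipping entropy-coded data after every SOS segment."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: end of image
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: skip scan data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                       # FF 00 is a stuffed byte, FF D0-D7 are restart markers
                pos += 1
    return None


def png_end(data):
    """Walk PNG chunks and return the offset just past the IEND chunk, or None."""
    if data[:8] != PNG_SIG:
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                      # length + type + data + CRC
        if pos > len(data):
            return None
        if ctype == b"IEND":
            return pos
    return None


def check_image(data):
    """Report the format, how many bytes follow the image's end marker, and the
    first HTML-ish tag found in that trailing data (None when nothing is appended)."""
    if data[:2] == b"\xff\xd8":
        fmt, end = "jpeg", jpeg_end(data)
    elif data[:8] == PNG_SIG:
        fmt, end = "png", png_end(data)
    else:
        fmt, end = "unknown", None
    if end is None:
        return {"format": fmt, "trailing_bytes": 0, "tag": None, "parsed": False}
    tail = data[end:]
    m = TAG_RE.search(tail)
    return {"format": fmt, "trailing_bytes": len(tail),
            "tag": m.group(1).decode().lower() if m else None, "parsed": True}


# Constructed samples (not real malware): a two-segment JPEG and a two-chunk PNG,
# each followed by an appended HTML tag of the kind the posts above describe.
JPEG_BODY = (b"\xff\xd8"                            # SOI
             b"\xff\xe0\x00\x04JF"                  # APP0, length 4 (two data bytes)
             b"\xff\xda\x00\x02"                    # SOS, length 2 (no data; fine for this parser)
             b"\x12\x34\xff\x00\x56\xff\xd0\x78"    # scan data with a stuffed FF and an RST marker
             b"\xff\xd9")                           # EOI
PNG_BODY = (PNG_SIG
            + struct.pack(">I", 13) + b"IHDR" + bytes(13) + bytes(4)   # IHDR (CRC not verified here)
            + struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82")
APPENDED = b'\r\n<iframe src="http://example.invalid/x.html" width=0 height=0></iframe>'
INFECTED_JPEG = JPEG_BODY + APPENDED
INFECTED_PNG = PNG_BODY + b"<script>/* constructed */</script>"

if __name__ == "__main__":
    for name, blob in (("clean jpeg", JPEG_BODY), ("jpeg+iframe", INFECTED_JPEG),
                       ("png+script", INFECTED_PNG)):
        print(name, check_image(blob))
```

Some cameras and editors do append harmless data after the image, so trailing bytes alone are not a verdict; the tag match is what matters, and a hit is a reason to look at whatever served the file.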
|
# ¿ Dec 16, 2008 21:50 |
|
|
hyperborean posted: How does GMER compare to Process Explorer? Looking at the screenshots it seems similar, although it's hard to tell because I can't read Polish or whatever that is.

Different tools for different jobs mainly. Process Explorer is great for seeing what's happening with loaded modules and handles. GMER is more of a rootkit-revealer type tool and extracts a lot of information about the internal state of the Windows kernel (and even the DOS IVTs and boot sectors). I haven't used Process Explorer for a year or so though so it might have changed since then.
|
# ¿ Dec 18, 2008 21:58 |
|
Hillridge posted: Goddammit I am still getting redirected now and then when clicking links on a google search results page. I've run a few scans and found nothing. I guess I'll just live with it for now.

Are there other computers on your local network? The latest batch of Zlobs perform DNS poisoning so they end up redirecting DNS requests from clean computers that are networked to an infected one.
|
# ¿ Dec 24, 2008 19:29 |
|
Car posted: This is a cool little feature.

Actually my post wasn't totally accurate as I seem to remember it poisons DHCP rather than DNS directly, so you should be able to see it based on the DNS server configured by DHCP. Still a nightmare to track down though.
|
# ¿ Dec 25, 2008 09:10 |
|
Cojawfee posted: Are some of you guys forced into paying for these programs? I will never understand why people would pay for antivirus or antispyware. I hate when people come in and say "I just bought this Norton can you put it on?"

I dunno man kinda sounds like the reason you don't feel the need to buy antivirus is because you are illegally using the free personal editions for commercial use.
|
# ¿ Dec 25, 2008 21:17 |
|
Drighton posted: I did. I pulled the flash key back to my computer to put some files on it and Symantec started deleting all the executables on the disk all as W32.Wowinzi.A

Looks like it has an autorun.inf file, probably hidden, from some Chinese autorun worm on there. Most likely it got infected after you plugged it in. You'll probably find the same file on the root of every other drive, including network shares writable from that computer that are mapped to a drive letter, though perhaps not the C: drive. Symantec probably detected and removed the executable but not the autorun.inf file itself which is what causes explorer to show that menu. Instead of running tools from flash drives run them from CDs so this can't happen. Especially if the computer has a file infecting virus. Also, never use explorer to open or browse drives on an infected computer because the open and explore actions usually execute the worm.

BillWh0re fucked around with this message at 21:16 on Dec 30, 2008
# ¿ Dec 30, 2008 21:13 |
|
Elected by Dogs posted: CDs can autorun too.

They're read only which means they don't get infected the moment you stick them in an infected computer, which is what happens with USB sticks unless there happen to be some fancy ones that make themselves read only.
|
# ¿ Dec 30, 2008 21:28 |
|
Elected by Dogs posted: CDRW? If it was burned along with the files (dunno if any malware does this kind of insertion) - it would still infect anyways.

I've not used Windows CD burning in some time but I don't think it kicks in automatically on file copies and no malware initiates the burn process. Probably just stays queued up in explorer forever or something.

Drighton posted: Just grabbed the user's profile folder and started a format. gently caress this.

Better confiscate all their USB sticks and scan them too if you don't want to get called out again in an hour's time.
|
# ¿ Dec 30, 2008 21:45 |
|
There are no known attacks to spoof existing executable digital signatures so either the signature doesn't work or this is a false positive from Panda. Since no one else detects it I would assume the latter.
|
# ¿ Jan 10, 2009 15:58 |
|
SecretFire posted: So we recently had Trojan.Linkoptimizer spread around the office where I work, and one of the infected systems was mine. Seeing as I didn't browse any non-company sites in IE, or run anything new, and the system had the patch (or should have, I believe it was pushed out) for the new remote vulnerability, I have no idea how I got infected.

I think Symantec sometimes refer to the Conficker worm as Trojan.Linkoptimizer, perhaps because they have very similar obfuscation of the main DLL code. If it's a Conficker variant it'll probably spread by all three of these:
- MS08-067 exploit (server service vulnerability that you say is patched)
- Writable shares with weak passwords, or unpassworded shares, onto which it copies the DLL file and sets up a scheduled task to run it
- USB drives where it creates an autorun.inf file full of random crap that still works because it has the proper autorun text in it; the actual DLL is in the RECYCLER folder on the drive
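The third bullet, and the earlier Wowinzi post, both come down to the same artefact: an autorun.inf whose [autorun] section Windows will honour no matter how much junk surrounds it. Added example, not code from the thread or from any poster: a tolerant Python parser that pulls out the keys Windows acts on (open, shellexecute, shell\...\command, action, icon, label, useautoplay), counts the lines the OS would simply ignore, and flags the patterns described above (a DLL target, a target under RECYCLER, heavy junk padding). The sample files are constructed; the "Open folder" menu-text check and the junk threshold are assumptions of the example.

```python
import re

# INI-style lines Windows honours inside [autorun]; every other line in the file is
# ignored by the OS, which is what lets a worm pad the file with binary junk.
SECTION_RE = re.compile(r"^\s*\[([^\]]*)\]\s*$")
KEY_RE = re.compile(
    r"^\s*(open|shellexecute|shell\\[^\\=\]]+\\command|shell|action|icon|label|useautoplay)\s*=\s*(.*?)\s*$",
    re.IGNORECASE)


def parse_autorun(raw):
    """Tolerant parser: return ({key: value} for the [autorun] section, junk_line_count).
    Bytes are decoded as latin-1 so binary padding never raises."""
    entries, junk = {}, 0
    in_autorun = False
    for line in raw.decode("latin-1").splitlines():
        if not line.strip():
            continue
        sec = SECTION_RE.match(line)
        if sec:
            in_autorun = sec.group(1).strip().lower() == "autorun"
            continue
        m = KEY_RE.match(line) if in_autorun else None
        if m:
            entries[m.group(1).lower()] = m.group(2)
        else:
            junk += 1
    return entries, junk


def assess_autorun(raw, junk_threshold=5):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    entries, junk = parse_autorun(raw)
    findings = []
    if junk >= junk_threshold:                  # threshold is an assumption of this example
        findings.append(f"{junk} unparseable lines: file is padded/obfuscated")
    for key, value in entries.items():
        low = value.lower()
        is_cmd = key in ("open", "shellexecute") or key.startswith("shell\\")
        if "recycler" in low or "$recycle.bin" in low:
            findings.append(f"{key} points into a recycle-bin folder: {value}")
        # A DLL cannot run on its own, so a DLL in a command key implies a loader
        # such as rundll32 is being used to start it.
        if is_cmd and (".dll" in low or "rundll32" in low):
            findings.append(f"{key} loads a DLL rather than a program: {value}")
        # Assumption (not stated in the thread): Action/Label text copied from Explorer's
        # built-in "Open folder to view files" entry is there to get the user to click it.
        if key in ("action", "label") and "open folder" in low:
            findings.append(f"{key} imitates Explorer's own menu text: {value!r}")
    return findings


# Constructed samples (not files from the thread). The bad one follows the pattern the
# post describes: junk padding, a DLL under RECYCLER, and menu text copied from Explorer.
BAD_AUTORUN = (
    b"[autorun]\r\n"
    + b"\x8a\x1f\xf3\x00\xbb\x07junk\x9c\xd2\r\n" * 6
    + b"open=rundll32.exe .\\RECYCLER\\S-1-5-21-HYPOTHETICAL\\payload.dll,Start\r\n"
    + b"\x11\x22\x33\xee\xff\r\n" * 3
    + b"action=Open folder to view files\r\n"
    + b"icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    + b"shell\\open\\command=rundll32.exe .\\RECYCLER\\S-1-5-21-HYPOTHETICAL\\payload.dll,Start\r\n"
    + b"useautoplay=1\r\n")
BENIGN_AUTORUN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\nlabel=Driver CD\r\n"

if __name__ == "__main__":
    for name, blob in (("bad", BAD_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, parse_autorun(blob)[0])
        for finding in assess_autorun(blob):
            print("  !", finding)
```

Run it over the autorun.inf found at the root of each drive (from a clean machine, never by double-clicking the drive) and the command keys tell you which file the worm actually is, which is the one to hunt for on every other drive and share.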
|
# ¿ Jan 12, 2009 00:09 |
|
SecretFire posted: Wait...you can "share" the ability to schedule tasks? I had no idea.

They're stored as .job files so with access to the C$ or ADMIN$ share you can just drop them I believe.
|
# ¿ Jan 12, 2009 09:15 |
|
RivensBitch posted: After fighting vundo for hours I finally managed to remove it, but now windows won't let me configure my wireless network adapter. Has anyone encountered this after a vundo removal, and is there a utility to rebuild the networking? A non-flatten windows reinstall doesn't work.

Sounds like it could be a problem with the LSP (Layered Service Provider) chain. Often removing malware improperly can leave the chain broken. I'm sure there are lots of free tools around to fix it but I don't know of any offhand.
|
# ¿ Jan 15, 2009 01:03 |
|
Midelne posted: And you thought Storm was bad. At least this time around Microsoft is on top of it and the January MSRT will take out most versions of Conficker. The lesson today, as loving always? Update update update.

The way Conficker works now it seems the actual exploit it uses is pretty much interchangeable with any other. The group could keep updating it to use whatever the newest big Windows exploit is. The way it's really nasty is in how it does everything else. The autorun.inf file is better obfuscated than anything seen before; usually you see a worm start using pretty simple autorun.inf files and gradually add more obfuscation over time as they become detected by AV software. Conficker starts off with something that's probably impossible for a lot of products to viably detect (not that they can't, but that they would have to look so deep into the file it would slow scans of clean files down too much). The way it names its files means that the worm DLL on any one computer will always use the same pseudorandom name. Doesn't seem important (and could just have been implemented to prevent multiple infections of the same machine) until you realise that means that any registry keys or scheduled tasks left lying around after the file is deleted will cause it to run again as soon as the file reappears... which happens all the loving time since other infected computers are copying the file back over Windows file sharing. Oh and it removes all permissions on its service registry keys which breaks most registry tools, forcing the user to add permissions back again just in order to see the worm's service entries. The deterministically generated domain name poo poo has been done before but it's still pretty smart.

BillWh0re fucked around with this message at 01:16 on Jan 16, 2009
# ¿ Jan 16, 2009 01:07 |
|
fygar posted: All right, I think I may have messed up. I had a large PDF document to print for my job today, so I put it on my USB flash drive and took it to a local print shop. I scanned the drive the day before with AVG to make sure that it was clean. I plugged the flash drive into my computer at work after coming from the print shop, and OfficeScan quarantines an autorun.inf virus (some variant of Otorun). When I get home, I scan the drive again with AVG, and AVG quarantines two more virii (AutoRun.EQ and Heur). I'm pretty sure that these virii came from the print shop. OfficeScan picked up the one virus, but there was no notice about the other two. I'm not in the company's IT department, and I don't have the privileges on the machine at work to run a scan on my own.

There are probably only two malicious files here, but AVG and Trend use different names for one of the components. Generally Otorun and Autorun refer to the same kinds of malware though that could be either the autorun.inf file itself or the executable it references. There may be another reason Officescan only picked up one of the files -- did it perform a full scan of the disk, or just a quick on-access scan when you plugged it in? A likely explanation is that Windows tried to load the autorun.inf when you plugged the drive in, causing Officescan to scan and report (and block) it, and the second file was never scanned since you don't have permission to scan the whole drive and Windows never tried to load it since the autorun.inf that points to it was blocked. Then when you got home you scanned the whole drive with AVG and got both of them.
|
# ¿ Feb 5, 2009 11:19 |
|
Sanctum posted: So I finally installed WinXP SP3 only 2 days ago and just today, browsing the internet, I notice my HD running too much, check processes and see acrord32.exe using 1.2 gigs of memory. I haven't been viewing any .pdf's since I booted. 5 minutes later my window is greyed out and I have a fake anti-virus program pretending to scan my system.

There have been lots of exploited PDF files around lately and it looks like that's what happened here. That acrord32.exe was using 1.2gb suggests that the PDF probably contained some Javascript that was spraying the heap in preparation for triggering a vulnerability. You don't say what AV you're using but detection of these PDFs varies greatly between antivirus vendors and is generally pretty poor across the board so it could easily have slipped through embedded in a webpage somewhere. The sad thing is most people don't care as much about updating Acrobat reader as other software but the reality is it is just as much in the line of fire as a web browser or email client. I imagine it also doesn't help that a lot of the time if someone pirates Photoshop or other Adobe software they'll redirect the update domain to 127.0.0.1 in the hosts file to stop it phoning home -- I'm not totally sure but I imagine this also stops updates to Acrobat reader.

Sanctum posted: prunnet.exe among other things in my processes now. I kill and delete everything, but I still have some randomly generated .dll's in system32 created at the same time which have hooked themselves into my winlogon.exe so I can't kill them or delete them. They generate new registry values every time I reboot so the same processes keep popping up no matter how many times I remove them from my registry and delete the files I can delete.

How did you install Windows without any way to boot from CD? Can you boot from a USB memory stick? If so, you can probably get an install of Knoppix or an Ubuntu LiveCD going and mount the Windows drive from there.
|
# ¿ Feb 10, 2009 20:27 |
|
averagebloke posted: This is a good point.

That's pretty much all I can think of although if Office is on there you'd want to update that as well, basically anything that can open embedded in a browser, or that embeds a browser itself, needs to be kept up to date.
|
# ¿ Feb 10, 2009 21:44 |
|
Hank Killinger posted: Doesn't automatic lockout of accounts on several authentication failures make it impossible/difficult to brute force an admin user password like the way conficker does? Is there any way for a malicious program to avoid the lockout?

These account lockouts happen and they loving kill a windows network so quickly when it gets Conficker. Though they're a good way to find out which computer is infected since all the requests come from it. Even if it can't crack the account password it can still spread if someone logs on to the computer as a domain administrator as it will run with their account.
|
# ¿ Feb 14, 2009 00:43 |
|
univbee posted: Man, these are fun. Had a user with THREE major viruses, each one only "activating" when I killed one. It was a Russian nesting doll made of failure. After close to six hours, I got the system to a point where everything appears clean and running fine, but Windows XP does stall for 2 minutes while loading the desktop. I couldn't for the life of me find out why.

That pause can mean something that was supposed to load in winlogon.exe wasn't accessible. Often this is because the anti-virus software on that machine is blocking it. You might want to check winlogon-related registry keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and friends) for any suspicious DLLs that are trying to load.
|
# ¿ Feb 21, 2009 20:28 |
|
Here's an excellent quote from The Register about some infected hospitals.

quote: A senior Gartnavel staff member told The Herald: "They are calling it a worm and when they identify it it burrows deeper into the system and duplicates itself, and it is getting through some very strong firewalls."

Yup straight out of Hackers. And apparently appointments for cancer patients were rescheduled because these guys are idiots.
|
# ¿ Mar 9, 2009 21:36 |
|
Luigi Thirty posted: Neat, Conficker.C has some super secret payload nobody can figure out scheduled to go off April 1. Will it blow up the internet like Slammer? Will it spawn 5 million "BUY ANTIVIRUS XP 2010!" windows on everyone's computer? Will it turn my toaster's dial to 7?

It's not really that nobody can figure it out. It's more that it's not there yet. It will only download the payload on 1st April so no one can analyse it until then and anything in the press (the most ridiculous I've seen so far was "dark google") is just wild speculation. In fact, I'm surprised they aren't laying on the G20 hacktivism argument more thickly. The rest of Conficker as it exists right now really isn't that hard to analyse, it's just time consuming, which is why some companies are still trying to work out the complete operation of the peer to peer networking code (which is under further obfuscation, but it's fairly easy to work around in IDA).
|
# ¿ Mar 24, 2009 21:40 |
|
Midelne posted: I guess it's not so much of a stretch to assume that two of the most wildly prevalent and successful pieces of malware out there have related dev families. On the other hand, it's at least a little comforting to think that there's no real way that anyone using anything less than Google-level infrastructure could handle the traffic that would be generated by attempting to install malware on six million computers simultaneously.

Actually, they've solved that bandwidth problem. Only a few Conficker infected computers will succeed in contacting their website to grab an update (each one only contacts a randomly chosen set of 500 domains a day out of a possible 50,000). Once those few succeed, they'll distribute it to the rest via a peer-to-peer network that Conficker has set up between infected machines.
|
# ¿ Mar 26, 2009 20:19 |
|
univbee posted: Is there a specific time Conficker is meant to go off on April 1st? I'm in the Pacific Time Zone and am a single Home/SOHO level IT support person and would like to know at what time poo poo is meant to hit the fan (like if New Zealanders will start receiving/distributing the infection early on the morning of the 31st my time and stuff like that). Can the "timebomb" part of the Conficker.C virus be removed pre-emptively to avoid April Fool's mega-infection (assuming that's what they're going for)? I want to be as ready as possible in case I end up with my service phone ringing off the hook on that day.

It's not really such a precise "timebomb" as no one knows when Conficker will actually succeed in downloading an update -- it depends when the authors choose to register one of the domains it's going to contact, and they can do this any time on or after April 1st. So there's a fair chance you won't see anything at all happen on that date (aside from the traffic to those randomly named domains), but perhaps some time afterwards. This was the case with the previous version too which started calling home from January 1st and was eventually updated in February and March. The HTTP headers and user agents it uses are either completely normal (uses IE settings from the infected machine) or massively randomised so it'd be hard to write a signature for them. If you want to block the domains it contacts you can do that but it's 50,000 unique domains each day which might be tricky depending on your firewall or whatever you're using.

BillWh0re fucked around with this message at 20:44 on Mar 26, 2009
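The two posts above make the defender's point for you: the HTTP side is unsignaturable and a 50,000-entry daily blocklist is impractical, but an infected host still has to resolve hundreds of names a day that almost all do not exist. That volume of NXDOMAIN answers per host is the observable. Added example, not code from the thread or any poster: a Python detector that reads a simple constructed DNS query-log format (timestamp, client IP, query name, response code), counts the distinct non-existent registrable domains each client produced per day, and flags clients over a threshold. The log lines are generated inline and the threshold is an assumption.

```python
import random
from collections import defaultdict


def parse_line(line):
    """Constructed log format (not a real resolver's): '<ISO timestamp> <client ip> <qname> <rcode>'."""
    ts, client, qname, rcode = line.split()
    return ts[:10], client, qname.lower().rstrip("."), rcode.upper()


def registered_domain(qname):
    """Crude registrable-domain reduction: the last two labels. Fine for a per-host
    count; a real deployment would use the public suffix list (assumption)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def nxdomain_profile(lines):
    """Map (day, client) -> set of distinct registrable domains that came back NXDOMAIN."""
    profile = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        day, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            profile[(day, client)].add(registered_domain(qname))
    return profile


def flag_clients(lines, threshold=100):
    """Clients that resolved at least `threshold` distinct non-existent domains in one day.
    The threshold is a tunable assumption; the post quotes 500 lookups per infected host per day,
    and a user mistyping URLs produces a handful."""
    return sorted({client for (_, client), doms in nxdomain_profile(lines).items()
                   if len(doms) >= threshold})


# Constructed sample log: one host churning through generated names, one host with the
# ordinary typo-level failures a desktop produces. Names are random letters, not real domains.
_rng = random.Random(2009)


def _random_domain():
    name = "".join(_rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(_rng.randint(5, 11)))
    return name + _rng.choice([".com", ".net", ".org", ".info", ".biz"])


SAMPLE_LOG = (
    [f"2009-04-01T{i // 60:02d}:{i % 60:02d}:00 10.1.2.34 {_random_domain()} NXDOMAIN"
     for i in range(150)]
    + ["2009-04-01T09:00:01 10.1.2.34 www.example.com NOERROR",
       "2009-04-01T09:05:00 10.1.2.50 www.example.com NOERROR",
       "2009-04-01T09:06:00 10.1.2.50 wwww.example.com NXDOMAIN",
       "2009-04-01T09:07:00 10.1.2.50 intranet.local NXDOMAIN",
       "2009-04-01T09:08:00 10.1.2.50 update.example.net NOERROR"]
)

if __name__ == "__main__":
    for (day, client), doms in sorted(nxdomain_profile(SAMPLE_LOG).items()):
        print(day, client, len(doms), "distinct NXDOMAIN names")
    print("flagged:", flag_clients(SAMPLE_LOG))
```

This works from the internal resolver's logs alone, so it needs nothing on the endpoints (which may well have had their antivirus disabled); the flagged client is then the machine to pull off the network and check.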
# ¿ Mar 26, 2009 20:42 |
|
Customer Service posted: I'm confused: do you absolutely have to use a special program just to detect Conficker, or just to remove it? NOD32 and Superantispyware didn't find anything on mine but I want to be sure.

No, the network scanning method is for checking remote computers that may or may not have working anti-virus installed. Your anti-virus product should detect it just fine on the local machine assuming it has the necessary updates (which it might not do if you're infected, since Conficker blocks that).
|
# ¿ Mar 30, 2009 19:31 |
|
GREAT BOOK OF DICK posted: Looks like I'm dealing with Win32/Virut.NBM on my aunt's PC. She said she was searching Craigslist for things to buy and she opened a link on there that probably infected her. At least she came forward and admitted that she's been using McAfee and it's since been expired for 2+ years.

This thing is a real bastard once you're infected because the infection routine has a significant chance to just trash each file it infects so it can't be recovered.
|
# ¿ Apr 6, 2009 00:31 |
|
Otacon posted: Virut is NASTY.

To be honest nine out of ten times I've been able to disinfect it fine booting into safe mode and using a command line scanner. Occasionally it will trash an executable beyond repair and that'll have to be restored from backup. The key is to realise it's a fast infector, so once Virut is loaded in memory any file you open will become infected (or all the files in any folder you browse in explorer), and using some anti-virus scanners will result in everything they scan becoming infected (which might not be a problem if they get immediately disinfected). Booting into safe mode and stopping all the non-essential services allows almost everything to be scanned and disinfected, aside from maybe cmd.exe if you're using a command line scanner since it'll be running.
|
# ¿ Apr 6, 2009 23:02 |
|
Ensign Expendable posted: drat, that does sound nasty. What's the point of it? Is it somehow profitable to its creators or did some jackass write it for kicks?

The Virut family are all IRC backdoors.
|
# ¿ Apr 7, 2009 19:00 |
|
brc64 posted: Maybe I don't understand what you're saying here. Isn't the point of a backdoor to give yourself covert access to a system? If that's the case, why start breaking other stuff and increase your chances of getting noticed?

The breaking stuff is accidental, as a result of the infection code being so randomized. It's probably a price worth paying for the authors as sometimes the infection code fucks up in a way that allows the file to run but is still weird enough that anti-virus programs can't properly disinfect it. In fact the infection code in Virut is so stupid that it actually tries to infect AMD64 executables with 32-bit code since it doesn't check the platform of the PE file it's infecting -- this misinfected file actually runs briefly until it hits a stack operation where having an (unexpected) 8-byte stack causes it to crash.
|
# ¿ Apr 7, 2009 19:29 |
|
Midelne posted: SANS reports the spread of an actual payload to Conficker-infected machines using the P2P mechanism. Purported to be a keylogger/data-miner.

Important to note that the Waledac link is just from a Conficker-infected machine being seen to contact a site that was known to host Waledac and be used as a link in spam emails. No one has statically analysed the new Conficker yet to determine a definite link. It might well be that the download occurred as a result not of the Conficker update but one of the "mini updates" that can be pushed out over the Conficker P2P botnet -- small chunks of essentially shellcode that just runs and exits and is erased from the computer after 10 minutes, making it really hard to capture and analyse. From static analysis I haven't seen anything yet to suggest keylogger though the use of MS08-067 to spread has returned as well as a significant amount of HTTP client and server code that may or may not be related (the original use of MS08-067 in Conficker used an HTTP server running on the attacker to download the payload to the victim). Aside from that the main thing it drops is an update to the Conficker DLL, which is Conficker.C with some changes (process and domain block list updated, domain call-home code apparently completely removed or effectively obfuscated from quick analysis, NetpwCanonicalizePath hook updated to avoid network scanning from the likes of nmap). Also has an embedded sys file that it drops and loads as a driver, but this is exactly the same as the one from Conficker.B -- it just patches tcpip.sys to increase max connections then exits, no rootkit functionality at all. Also releasing this at the last minute before Easter is really smart. All the virus analysts are going to be at home, most places will be running with a skeleton crew.

BillWh0re fucked around with this message at 21:53 on Apr 9, 2009
# ¿ Apr 9, 2009 21:51 |
|
Patchfoot posted: I noticed some talk about PDF exploits earlier in the thread, I've run into sudden GPFs from acroread32 from web sites seemingly without any pdf content. Is that connected to the pdf exploits?

Yes and it generally means the exploit was successful though it might not have managed to download any malware. Websites can embed PDFs (I think they just open them in an iframe or something) and this can even happen on legitimate sites if they get owned via SQL injection or somesuch.
|
# ¿ Apr 10, 2009 00:08 |
|
LifeSizePotato posted: Somehow a virus got into the webserver my site's on.

Is it a Windows server, or do Windows machines have write access to those files over a network share? If so, it could be a recent variant of Virut/Scribble which is a PE file infecting virus that also adds iframes to webpage files. Send one of the infected HTML or PHP files to www.virustotal.com to see what people other than Avast call it.

BillWh0re fucked around with this message at 22:16 on May 15, 2009
# ¿ May 15, 2009 22:14 |
|
Ensign Expendable posted: Who gives viruses names? I can't imagine that a lot of them have their name inside the infected files or that the creator(s) actually give it one. Is there some kind of virus analysis consortium that does this sort of thing?

The virus researcher that discovers it generally names it; often they pick a string or something about how it works and play around with the word, other times if it's just not very interesting it gets a generic name like "Downloader" or "Agent". When it's first discovered at a company's lab, they will scan it with the scanners from every other AV company to see if any of them detect it already -- if so, they'll usually copy the existing name if another company already detects and named it. When new stuff spreads quickly it'll often be the case that several AV companies discover it around the same time and don't know each other's name for it, so you end up with something having several different names such as Conficker/Kido/Downadup and Storm/Zhelatin/Dorf/Peacomm.
|
# ¿ May 24, 2009 08:49 |
|
BangersInMyKnickers posted: If you hit a program that doesn't like DEP, you will see an error like this:

DEP is great and it's worth noting that some AV products do also include buffer overflow protection, though they achieve it with a different method than using the NX bit. If you're running AV with such a feature make sure it's enabled as some of them really can stop almost all of these PDF javascript exploits despite not being "perfect" protection in the way that DEP is. Adobe really need to start shipping Reader (and probably Acrobat) with Javascript turned off by default anyway. Almost nothing uses it legitimately.
|
# ¿ Jun 29, 2009 19:29 |
|
Scaramouche posted: Or is the patch only useful for stopping cross-internet attacks, but once it's in your network it's not going to help (e.g. over file/print sharing)?

Pretty much this. If the laptop brought in was infected, it might have brute forced some Administrator accounts on the network if they had weak passwords. Also Conficker spreads by removable drive autorun files so someone might have plugged an infected USB stick into a computer on your network, at which point it might have begun spreading from that computer. Particularly if the USB stick was plugged into a computer where a Domain Administrator was logged on, which allows Conficker to spread without having to brute force any passwords.
|
# ¿ Aug 20, 2009 19:56 |
|
Scaramouche posted: Hmm, I've got a GP that prevents USB-auto boot (though obviously that's not perfect), and the rep that plugged his laptop in wasn't actually a domain member. The only interaction he would have had is with DHCP to get his IP since he wouldn't have credentials to do anything else. Admin passwords are >10 chars with at least 4 non-alpha so I hope that's strong enough...

It uses a dictionary to crack the passwords so if they're random or unusual at all it probably wasn't that. I'd put Wireshark on one of your test machines to see what's reinfecting it after you clean it off. You should be able to see the network copy if you filter for SMB traffic, then check the source machine to see if it's patched or has a Domain Admin logged on, and clean it if it's infected.
|
# ¿ Aug 20, 2009 20:53 |
|
Oddhair posted: I had posted earlier in the thread about finding a computer which had files infected with Virut, but not many. I scanned offline on a different, plain-Jane XP machine I keep off my network just for that kind of thing, and cleaned it up pretty well, and then did a repair install. It seems fine, even now months later. I keep thinking there's some glaring hole in my knowledge that I'm overlooking, like the blind spot in each eye. I should be good, though right?

Virut is easy to remove as long as it's not active while you're doing it, and as long as you don't care about system files being slightly different compared to the original versions when it's all done.
|
# ¿ Nov 21, 2009 10:54 |
|
CraigK posted: I'm just waiting for viruses that can survive a format c:\ *.* /y.

Mebroot/Sinowal already does. It loads its driver through an infected MBR and the driver itself is stored beyond the end of the last partition on the drive. Some versions also have a nasty bug in their stealthing code that will crash a lot of raw disk reading applications (such as hex editors) if they try to read the first few sectors of the disk.
|
# ¿ Nov 23, 2009 10:02 |
|
Jetsetlemming posted: Would this survive a format of the entire hard drive? When I installed Ubuntu last week I had it remove the ntfs partition and create a new ext4 one over it, that wouldn't leave anything at all on the hard drive, right?

Assuming you were infected before (which I assume you aren't but hypothetically...): If you installed Ubuntu then the Ubuntu installer would have overwritten the MBR with Grub. However, if you set up Grub to dual-boot Windows it might have created a copy of the infected Windows MBR somewhere (not sure if the Ubuntu installer supports this or not). Also, assuming your partitions were the same size, the virus code at the end of the disk is probably untouched as it's not actually inside the NTFS partition -- it's just after it. But it doesn't load on anything except Windows anyway so you don't really need to care.
|
# ¿ Nov 23, 2009 12:08 |
|
Tapedump posted: How effective would fixmbr be on Sinowal?

If you can get into the recovery console it works, but in a lot of cases it seems that the recovery console hangs while loading, even if you boot from the Windows install CD. Bootable linux and dd is the easiest solution, as the original MBR is saved just past the end of the last partition (directly before the Sinowal driver module) and if you copy it back everything should be fine.
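The three Sinowal posts above describe a layout you can verify offline before touching the disk: read the partition table, find the first sector past the last partition, and see whether the unallocated tail holds data, in particular a sector that carries the MBR boot signature and the same partition table as sector 0 (the saved original). Added example, not code from the thread or any poster: a Python script that does that inspection on a raw disk image (something like the output of dd from the live CD the post mentions) and, once a saved copy is identified, writes it back over sector 0 in the image. The 16-sector image is constructed inline; nothing here is taken from a real infection.

```python
import struct

SECTOR = 512


def partitions(mbr):
    """Decode the four primary partition entries as (type, start_lba, sector_count)."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack("<II", entry[8:16])
        if ptype and count:
            parts.append((ptype, start, count))
    return parts


def last_partition_end(mbr):
    """First LBA beyond the last partition. The region from here to the end of the disk is
    where the posts say the saved original MBR and the driver module live."""
    return max((start + count for _, start, count in partitions(mbr)), default=1)


def tail_report(image):
    """Inspect the unallocated tail of a raw disk image (bytes) and look for a saved MBR copy:
    a sector with the 55 AA boot signature whose partition table matches sector 0."""
    mbr = image[:SECTOR]
    end = last_partition_end(mbr)
    total = len(image) // SECTOR
    nonzero = [s for s in range(end, total) if any(image[s * SECTOR:(s + 1) * SECTOR])]
    saved = [s for s in nonzero
             if image[s * SECTOR + 510: s * SECTOR + 512] == b"\x55\xaa"
             and image[s * SECTOR + 446: s * SECTOR + 510] == mbr[446:510]]
    differs = bool(saved) and image[saved[0] * SECTOR: saved[0] * SECTOR + 446] != mbr[:446]
    return {"last_partition_end": end, "total_sectors": total,
            "nonzero_tail_sectors": nonzero, "saved_mbr_sectors": saved,
            "bootstrap_differs": differs}


def restore_saved_mbr(image, sector):
    """Return a copy of the image with the saved MBR written back over sector 0
    (the dd step the post describes, done on the image rather than the device)."""
    return image[sector * SECTOR:(sector + 1) * SECTOR] + image[SECTOR:]


# Constructed 16-sector image: one NTFS-typed partition at LBA 1-8, an "infected" bootstrap in
# sector 0, the clean MBR saved at sector 9 and a stand-in driver blob at sector 10.
def _mbr(bootstrap_byte):
    table = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 1, 8) + bytes(48)
    return bytes([0xEB, 0x3C]) + bytes([bootstrap_byte]) * 444 + table + b"\x55\xaa"


CLEAN_MBR = _mbr(0x90)        # stands in for the original bootstrap
INFECTED_MBR = _mbr(0x41)     # same partition table, different bootstrap code
SAMPLE_IMAGE = (INFECTED_MBR + bytes([0xAB]) * (8 * SECTOR)
                + CLEAN_MBR + bytes([0xCC]) * SECTOR + bytes(5 * SECTOR))

if __name__ == "__main__":
    report = tail_report(SAMPLE_IMAGE)
    print(report)
    if report["saved_mbr_sectors"]:
        fixed = restore_saved_mbr(SAMPLE_IMAGE, report["saved_mbr_sectors"][0])
        print("after restore:", tail_report(fixed))
```

On a real disk you would image it first, run the report against the image, and only then copy the identified sector back with dd; the partition-table comparison is what stops you from restoring some unrelated boot-sector fragment that happens to end in 55 AA.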
|
# ¿ Nov 23, 2009 22:06 |
|
On the subject of rootkits, the new TDL3 (which is itself the new TDSS) has a really annoying method that it uses to stealth raw disk reads and writes at the sector level. All you see from WinDbg when looking at the disk drivers is this:

code:

If you manually inspect the DEVICE_OBJECT and DRIVER_OBJECT structures for those "invalid" devices it's clear that only the Type field has been zeroed. Apparently windows gives no gently caress about this field despite it being the main way to tell what kind of kernel object you're looking at. WinDbg isn't so carefree, unfortunately.

code:

There's a nice writeup of TDL3 here but at the time I write this, it hasn't been updated for this new hooking technique. Still a really interesting read, particularly as the rootkit maintains its own filesystem at the end of the disk -- so it doesn't have to store any component in any "real" files (much like the MBR rootkit).
|
# ¿ Jan 22, 2010 19:31 |
|
|
bobua posted: I've seen this a lot over the years, almost always the userinit entry messed up\replaced in winlogon

Try that, and if you get nothing try Autoruns. This is almost certainly something that's set to run when you log in as any local user.
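Both this post and the earlier one about the two-minute logon stall point at the same handful of Winlogon values: Userinit, Shell and the DLLName entries under Winlogon\Notify. When the machine can't be trusted enough to run Autoruns on it, an offline review of a `reg export` of that key does the same job. Added example, not code from the thread or any poster: a Python script that parses the REG_SZ values of such an export and flags a Userinit with anything other than userinit.exe in it, a Shell other than Explorer.exe, and any Notify package whose DLL is given by full path or is not in a baseline list. The baseline of default XP Notify DLLs is this example's own assumption, as is the constructed export text, whose odd-looking names are placeholders.

```python
import re

# Winlogon Notify DLLs present on a default Windows XP install (an assumed baseline for this
# example, not something the thread lists). Anything else under Notify deserves a look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')   # REG_SZ lines only


def parse_reg_export(text):
    """Parse the REG_SZ values of a `reg export` text dump into {key_path: {name: value}}.
    Real .reg files are UTF-16LE with a BOM on disk; decode before calling this."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            # .reg escapes backslashes and quotes with a backslash; undo that.
            keys[current][val.group(1)] = re.sub(r"\\(.)", r"\1", val.group(2))
    return keys


def audit_winlogon(text):
    """Return a list of findings about the Winlogon values in a .reg export; empty means clean."""
    keys = parse_reg_export(text)
    findings = []
    winlogon = keys.get(WINLOGON_KEY, {})
    # Userinit is a comma-separated list; a trailing comma is normal, extra programs are not.
    userinit = [p.strip() for p in winlogon.get("Userinit", "").split(",") if p.strip()]
    for entry in userinit:
        if entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            findings.append(f"Userinit runs an extra program at every logon: {entry}")
    shell = winlogon.get("Shell", "Explorer.exe")
    if shell.lower() != "explorer.exe":
        findings.append(f"Shell is not Explorer.exe: {shell}")
    prefix = WINLOGON_KEY.lower() + "\\notify\\"
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "DLLName" in values:
            dll = values["DLLName"]
            package = path.rsplit("\\", 1)[-1]
            # Default packages are bare file names loaded from system32; a full path or an
            # unknown name is how a dropped DLL gets itself loaded into winlogon.exe.
            if "\\" in dll or dll.lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(f"Notify package {package} loads unrecognised DLL: {dll}")
    return findings


# Constructed export (not from a real machine): two default Notify packages, one added
# package with a placeholder name, and a Userinit with a placeholder program appended.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\hypothetical_dropper.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qzxjwplk]
"DLLName"="C:\\WINDOWS\\system32\\qzxjwplk.dll"
'''

if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_REG):
        print("!", finding)
```

Because it only reads an export, this runs fine from a clean machine against a hive copied off the infected disk, which sidesteps the problem the Sanctum post ran into of the hooked DLLs regenerating their registry values on every reboot.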
|
# ¿ Feb 4, 2010 09:03 |