Drighton
Nov 30, 2005

A user got Antivirus Plus on their computer before the Christmas break and just now called me to his office to fix it. It's had enough time to download whatever else is on here that nearly all of my tools were disabled or could not be installed, and I couldn't open task manager or msconfig, even in safe mode.

Managed to get Malwarebytes installed but after the first scan it BSOD'd and even on the second scan it's still picking things up.

Drighton fucked around with this message at 17:53 on Dec 30, 2008

Drighton
Nov 30, 2005

abominable fricke posted:

Install Superantispyware to a flash key and run it

I did. I pulled the flash key back to my computer to put some files on it and Symantec started deleting all the executables on the disk all as W32.Wowinzi.A
The flash disk looks like this now.

Drighton
Nov 30, 2005

BillWh0re posted:

Looks like it has an autorun.inf file, probably hidden, from some Chinese autorun worm on there. Most likely it got infected after you plugged it in. You'll probably find the same file on the root of every other drive, including network shares writable from that computer that are mapped to a drive letter, though perhaps not the C: drive. Symantec probably detected and removed the executable but not the autorun.inf file itself which is what causes explorer to show that menu.

Instead of running tools from flash drives run them from CDs so this can't happen. Especially if the computer has a file infecting virus. Also, never use explorer to open or browse drives on an infected computer because the open and explore actions usually execute the worm.

Just grabbed the user's profile folder and started a format. gently caress this.

VVV good idea.

Drighton fucked around with this message at 21:53 on Dec 30, 2008

Drighton
Nov 30, 2005

CeciPipePasPipe posted:

But I noticed that "SYS A:" caused two audible floppy drive seek sounds. I guessed that the first sound was the legit boot sector being written by "SYS", and the second sound would be the virus infecting the drive. So I did another take at "SYS A:", and by listening carefully and timing things correctly, I forcibly hit the eject button between the writes, pulling the floppy out of the drive as the virus was just about to infect it again. Pushed over the write protect tab and rebooted from floppy - virus gone! :dance:

These moments always make me happy, but then I realize that I can't share the moment with anyone since they wouldn't understand just how clever it was, which is a downer.

Well, a pat on the back for you. :)

Drighton
Nov 30, 2005

On Friday computers started losing connections to the network and the only way I could find to get them going again was to assign a static IP address. I noticed the DHCP Server on the computers was different from what we use, and my boss just happened to make some changes to our subnet and DHCP settings that week, so I forwarded the problem to him.

He got back to me yesterday and updated me today with what he found:
-Guy has Bittorrent/P2P/whatever on his computer, most likely source of the virus
-Virus spoofs itself as the default gateway
-Virus listens for DHCP requests on the network, constructs a packet, tells the computer to keep its current address and changes the DNS servers.
-DNS servers resolve to Russia and redirect every major Bank's webpage to a duplicate

Not very conspicuous on a business network, but for a home network that is one very sneaky virus. I'm hoping to get a better look at it before I wipe his computer, but my boss may have already tried removing it.
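The rogue-DHCP behaviour described in that post lends itself to a simple detector. The following is an added example, not code from this thread or from any product mentioned in it: it parses the option area of a DHCP OFFER/ACK and flags any message whose server identifier (option 54) or DNS server list (option 6) is off an allowlist. The allowlist addresses and the sample messages are constructed placeholders, not captures.

```python
from ipaddress import IPv4Address

# Assumed legitimate values for this network (placeholders, replace with your own).
EXPECTED_SERVERS = {"192.0.2.1"}
EXPECTED_DNS = {"192.0.2.1"}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie following the 236-byte BOOTP header

def parse_dhcp_options(payload):
    """Parse the RFC 2132 option TLVs of a DHCP message into {code: raw bytes}."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad byte, no length field
            i += 1
            continue
        if code == 255:        # end of options
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ip_list(raw):
    """Decode a concatenated list of 4-byte IPv4 addresses into dotted strings."""
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def check_offer(payload):
    """Return findings for an OFFER/ACK; an empty list means it matches the allowlist."""
    opts = parse_dhcp_options(payload)
    if opts.get(53, b"\x00")[0] not in (2, 5):   # option 53: 2 = OFFER, 5 = ACK
        return []                                 # DISCOVER/REQUEST etc. are client traffic
    findings = []
    server = ip_list(opts.get(54, b""))           # option 54: server identifier
    dns = ip_list(opts.get(6, b""))               # option 6: DNS servers handed to the client
    if not set(server) <= EXPECTED_SERVERS:
        findings.append("unexpected DHCP server %s" % server)
    if not set(dns) <= EXPECTED_DNS:
        findings.append("unexpected DNS servers %s" % dns)
    return findings

def build_offer(server, dns, msg_type=2):
    """Build a minimal DHCP OFFER/ACK payload (constructed test input, not a capture)."""
    opts = bytes([53, 1, msg_type]) + bytes([54, 4]) + IPv4Address(server).packed
    opts += bytes([6, 4 * len(dns)]) + b"".join(IPv4Address(d).packed for d in dns)
    return bytes(236) + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    print(check_offer(build_offer("192.0.2.77", ["198.51.100.9"])))
```

In practice the payload would come from a packet capture on UDP port 67/68; any finding on a broadcast OFFER is worth correlating with the source MAC to locate the infected host.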

Drighton
Nov 30, 2005

Midelne posted:

Out of all the protocols you're likely to be using in a business environment, it seems like DHCP is probably the one sitting widest open. After all, if it has an address in the right subnet and the request eventually gets to the right server you're not even going to see NACKs in the logs.

I just love the idea of how it works. Most home users wouldn't even know the difference since their gateway usually IS the DHCP server, if they even knew what it was. Go to BoA, type in account information, get identity stolen, go visit crochetinggrannies.com.

Unless it can detect other services on the network and keep the user connected to them, the help desk will start getting whiffs of it almost immediately.

darkforce898 posted:

Do you have any more information about this? Someone at my school seems to have gotten this and it messed stuff up.

EDIT: Looks like that there is some documentation about it around. BKDR_AGENT.CAHZ or TROJ_AGENT.NDT are both identified as being rogue DHCP worms.

http://itw.trendmicro.com/pdfs/121508-networks_nulnerable_to_rogue_dhcp_attack.pdf

Still haven't looked at it yet. It's Monday, so it's all Help Desk today. Thanks for this though.

Drighton
Nov 30, 2005

What's with all these car analogies? Computers aren't at all like cars. They're more like blimps...

Drighton
Nov 30, 2005

Put in your IP address range in the Target field. I'm not sure which scan to do though, and I'm not sure what you will see if you are infected. Big red CONFICKER label on the IP address or maybe you're looking for a specific port, I don't know.

Drighton
Nov 30, 2005

There's some instructions for running the Python script in the comments section. I'm putting that together now to give it a try.

Interestingly, did a scan of another subnet with nmap and a few returned with a red "6129/tcp closed unknown".

edit:
So you need to download Python 2.6 for Windows and Impacket. I had to extract the files directly to the python directory in order for the install to run. Extract the SCS zip anywhere. Open the command prompt, navigate to the python directory, execute "python setup.py install". When finished you can run "python [directory]\scs.py [IP 1] [IP 2]". I had to run it on a computer without SEP, though.

Drighton fucked around with this message at 17:02 on Mar 30, 2009

Drighton
Nov 30, 2005

I had a fake antivirus try to shutdown the computer right toward the end of a Malwarebytes scan. It included a custom message in the prompt about the computer being compromised, but left the default 30 second delay - about enough time to shutdown -a. Only reason I mention it is because it's a very clever and evil last effort (aka "gently caress You") by the virus and made me smile. If I had walked away and let the scan run like I normally do, the removal could have taken twice as long.

Drighton fucked around with this message at 23:15 on Jul 22, 2010

Drighton
Nov 30, 2005

It's in there. It aborts the command.

Drighton
Nov 30, 2005

Do antivirus LiveCDs ever work for anyone? I found a Kaspersky LiveCD a while ago that apparently isn't updated anymore, so it takes longer to download the latest definition updates as time goes on. I've yet to successfully clean an infection using this LiveCD.

Still, I've run into remote users getting a nasty virus enough times to consider handing a copy to each of them. Since each one of them is visiting a client or otherwise needs to have their files and can't ship the laptop back.

Drighton
Nov 30, 2005

I think Malwarebytes has become too popular for its own good. Too many viruses target MB installations and/or prevent the setup from running, even after renaming the exe. MB has reported a clean scan while the virus is throwing out its fake notifications, even after successfully ending the process or while in safe mode.

Lately though, every infection I've run into identifies any cleanup tool as a "virus", runs in safe mode, and persists after removal sometimes actually getting worse. I already skip right to a reinstall if the first scan doesn't find it or the virus returns, and I've been having to do that too often.

So using a LiveCD is probably the last stage before I resign to simply flatten and reinstall at the first sight of a virus.

Drighton
Nov 30, 2005

I've gotten a few popups from the flash ads before. I wasn't very helpful to the forums support since I didn't pay attention to which ad it was.

It hit me a minute ago while helping someone install a Java update that these fake antiviruses are putting a little too much effort into their schemes. Just mask the virus as a Flash or Java update. Hell, the way Flash updates look now, the virus wouldn't have to be very elaborate at all. It might even pass the scrutiny of quite a few sysadmins or helpdesk monkeys and get them to put in an administrator password.

:lol: I've scared myself into paying closer attention to released updates and installed versions now.

But I suppose the purpose of the fake antivirus is to get the $50+ from someone's credit card. I began to wonder how often that works after someone asked me "Wouldn't it be quicker to just pay them the $50?"
