Luigi Thirty
Apr 30, 2006

Emergency confection port.

Cojawfee posted:

I don't think people really go for infecting files anymore. It's mostly just install something, and try to get some money.

If you're really clever, you'll encrypt their files and try to get money like the Russian extortion virus.

brc64
Mar 21, 2008

I wear my sunglasses at night.

Luigi Thirty posted:

If you're really clever, you'll encrypt their files and try to get money like the Russian extortion virus.
I can think of all kinds of ingenious things for viruses to do. It's a good thing I'm not a programmer. :ninja:

hairy
Jun 21, 2006
pyro
I had a friend bring me her friend's laptop to scan. It had Antivirus2009, Vundo and a few other trojans. After scanning with bitdefender, ccleaner, Malwarebytes, AVG, MS Live, MS Defender, XCleaner, F-Secure BlackLight, Sophos Anti-Rootkit & RootkitRevealer it still exhibited the following behavior. The DNS file was clean. When I tried to install several other AV products it prevented them from being installed/run by generating a Windows crash every time. I did get some stuff to install by renaming the exe.

If I opened MS Explorer 6 or 7 or 8 beta or Firefox and searched for variations of rootkit remover, rootkit cleaner etc. the browser would instantly close/crash. Sometimes I would get as far as the download link for the antivirus product and the instant it started downloading it would close/crash. If I searched/downloaded anything else the browsers were as stable as a rock.

Unfortunately she took the laptop back to her friend and then their relationship broke up so I won't have a chance to complete.

I bet Superantispyware would have finished the job.

hairy fucked around with this message at 23:02 on Jan 7, 2009

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.
^^^^^^

I bet it would have too

do it
Jan 3, 2006

don't tell me words don't matter!

brc64 posted:

I can think of all kinds of ingenious things for viruses to do. It's a good thing I'm not a programmer. :ninja:
Doesn't even have to be that clever. I've had about six clients who paid $50 for Rapid Antivirus.

Loretta Trampface
Sep 12, 2006

by T. Finninho
One of my friends is having virus problems. He said he deleted one earlier and that since then he can't log into Windows except in safe mode. What happens is that it does a little bit of something then loops back to the black screen where you choose if you want to start in safe mode or not. Safe mode seems to work fine, but he has some virus on there that makes any search engine results link to virus sites. I don't know if he did get rid of the previous virus or really what happened there at all.

I gave him the Ultimate Boot CD and he's running a scan on his hard drive right now, but have any of you seen things that will cause this? How did you fix this problem?

Atomic Mitten
Jul 3, 2004
Glove of doom
It's probably TDSServ, we could do with a megathread for it in Haus to be honest it's becoming that much of a problem.

bazaar apparatus
Dec 1, 2006

Whenever my body starts to feel sick, I just stop being sick and be awesome instead.

do it posted:

Doesn't even have to be that clever. I've had about six clients who paid $50 for Rapid Antivirus.

Heh my coworker had one of those yesterday. The thing installed like 12 different fake spyware/antivirus scanners and they wondered how they could possibly be getting so many popups when they have so many programs trying to block them

Not to mention they uninstalled the McAfee suite we install on all of our users' computers because "it told them to"

and yeah I know McAfee sucks

A little backstory
Apr 24, 2004

Let's call her Elizabeth, because that's her name.
.

A little backstory fucked around with this message at 09:10 on Nov 1, 2013

Stanley Pain
Jun 16, 2001

by Fluffdaddy

A little backstory posted:

Hay here is question:

I hate install Windows and never have had it go smooth on a first try, so, can I make a new Windows install on cleaned HDD, make Image or Ghost and keep to have clean install without "real" installation?


Hay, here is answer, wrong thread bub.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
I've started scanning a machine I received from a client and so far it's found a total of 275 adware/spyware/malware infections. That's not even with using SuperAntiSpyware or Malwarebytes (I haven't gotten that far.) The original problem was a couple days ago the PC was able to access the Internet just fine but now it can't. I looked at it and it was unable to even obtain a DHCP address from the router. I ruled out the possibility of a bad cable or a bad onboard NIC so I could only presume some kind of infection had ruined the network connection. The worst part so far has been the fact that this PC only has XP SP1 installed. :ughh:

Didn't see any hidden TDSServ entries in the Device Manager. Would that be obvious if I showed hidden devices and searched through the list for "TDSServ"? I've never encountered a PC with that yet.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
When you show hidden devices, it will always be under "Non Plug and Play Devices" the one with the gray diamond for the symbol. You'd think there would be some kind of security hotfix to block this thing since it breaks all your antiwares.

How have you ruled out a bad onboard NIC? It IS SP1, there might be some exploit in SP1 that could block the internet. You might want to try installing SP3 downloaded from another computer. Or try Winsock Fix. And reinstalling the driver.

Raluek
Nov 3, 2006

WUT.

Cojawfee posted:

When you show hidden devices, it will always be under "Non Plug and Play Devices" the one with the gray diamond for the symbol. You'd think there would be some kind of security hotfix to block this thing since it breaks all your antiwares.

How have you ruled out a bad onboard NIC? It IS SP1, there might be some exploit in SP1 that could block the internet. You might want to try installing SP3 downloaded from another computer. Or try Winsock Fix. And reinstalling the driver.

And uninstall the nVidia firewall thing, if it has it. I had this issue recently, and that was the culprit. Never liked the thing anyways.

Jaketeck
Jul 6, 2004

<3 Robots

GREAT BOOK OF DICK posted:

I looked at it and it was unable to even obtain a DHCP address from the router. I ruled out the possibility of a bad cable or a bad onboard NIC so I could only presume some kind of infection had ruined the network connection. The worst part so far has been the fact that this PC only has XP SP1 installed. :ughh:

Didn't see any hidden TDSServ entries in the Device Manager. Would that be obvious if I showed hidden devices and searched through the list for "TDSServ"? I've never encountered a PC with that yet.

1. Ensure the DHCP client service is running.
2. Ensure the NIC is set for DHCP and not a Static IP.
3. If it still does not work download and run SymNRT (Norton Removal Tool). If it's an OEM machine traces of Norton Internet Security can cause networking problems.
4. Download and run LSP Fix (AKA Winsock Fix).

I have yet to see a TDSS infection that blocks networking.
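Step 4 above is about the Winsock Layered Service Provider chain: a third-party (or malware) LSP that has been half-removed leaves a catalog entry pointing at a DLL that no longer exists, and every socket on the box then fails, which is exactly the "can't even get DHCP" symptom. Here is an added example, not something any poster in this thread ran, that parses the output of `netsh winsock show catalog` and reports both non-Microsoft providers and dangling ones. It assumes the XP/Vista text layout of that command (blocks headed "Winsock Catalog Provider Entry" followed by "Key: value" lines); the catalog text and the "nacel.dll" provider in it are constructed.

```python
"""Parse `netsh winsock show catalog` output and flag LSP entries worth a look.

Added example; assumes the XP/Vista text layout of the command's output.
The sample catalog below is constructed; "nacel.dll" is a made-up provider.
"""
import re

ENTRY_HEADER = "Winsock Catalog Provider Entry"

# DLLs that back the stock XP catalog entries. Anything else is not
# necessarily malware, but it is what LSP-Fix exists to show you.
KNOWN_MS_DLLS = {
    "mswsock.dll", "rsvpsp.dll", "winrnr.dll", "wshtcpip.dll",
    "wshbth.dll", "nwprovau.dll", "rnr20.dll", "wship6.dll",
}

# Constructed sample: one stock provider plus two layered entries from a
# hypothetical "Network Accelerator" sitting on top of MSAFD Tcpip.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Network Accelerator
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\\WINDOWS\\system32\\nacel.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Network Accelerator over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\\WINDOWS\\system32\\nacel.dll
Catalog Entry ID:                   1003
Protocol Chain Length:              2
"""

KEY_VALUE = re.compile(r"^([A-Za-z ]+?):\s+(.*)$")


def parse_catalog(text):
    """Return one dict per provider entry, keyed by the field names."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith(ENTRY_HEADER):
            current = {}
            entries.append(current)
        elif current is not None:
            m = KEY_VALUE.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return entries


def dll_name(entry):
    path = entry.get("Provider Path", "").replace("/", "\\")
    return path.rsplit("\\", 1)[-1].lower()


def non_microsoft_entries(entries):
    """Catalog Entry IDs whose provider DLL is not one of the stock ones."""
    return [e["Catalog Entry ID"] for e in entries
            if dll_name(e) not in KNOWN_MS_DLLS]


def dangling_entries(entries, exists, system_root="C:\\WINDOWS"):
    """Entries whose DLL is gone: the 'AV deleted the LSP, now nothing
    works' state that LSP-Fix / `netsh winsock reset` repairs. `exists`
    is injected so a captured catalog can be checked offline."""
    out = []
    for e in entries:
        path = e.get("Provider Path", "").replace("%SystemRoot%", system_root)
        if path and not exists(path):
            out.append(e["Catalog Entry ID"])
    return out


if __name__ == "__main__":
    import os
    cat = parse_catalog(SAMPLE_CATALOG)
    print("non-Microsoft LSPs:", non_microsoft_entries(cat))
    print("dangling entries:", dangling_entries(cat, os.path.exists))
```

On a live machine, pipe `netsh winsock show catalog > catalog.txt` and feed the file to `parse_catalog`; a dangling entry is the case where `netsh winsock reset` (or LSP-Fix on XP SP1, which predates that command) is the right fix rather than yet another scanner.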

Otacon
Aug 13, 2002


As of yesterday, our shop found a new virus/rootkit disguising itself as a Microsoft Windows driver, signed by Microsoft themselves. Be careful out there!

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

Otacon posted:

As of yesterday, our shop found a new virus/rootkit disguising itself as a Microsoft Windows driver, signed by Microsoft themselves. Be careful out there!

Do you care to share any info, or are you going to hold out?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

abominable fricke posted:

Do you care to share any info, or are you going to hold out?

Seconded, since signed code infections are rare to begin with, let alone code signed by Microsoft. Needs a lot more details, up to and possibly including VirusTotal stats.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
Looks like the problem is fixed. It was a software issue as I suspected (probably a malware/spyware of some kind.) The most prominent infection was something called win32.keenwall, or at least sounded like that. I've already removed the antivirus logs so I'm not sure. After cleaning the system, I was able to boot into safe mode with networking and was grabbing an IP address from the router's DHCP and could browse websites just fine. It was working fine in normal Windows mode as well. Did some more cleaning with SAS and Malwarebytes. What's interesting is I ran SAS first and it didn't find anything. When I ran Malwarebytes after SAS, it found remnants of an adware program that SAS didn't find. Both programs had the latest definitions. Regardless, the system is working fine on my end now and I've removed Norton Internet Security, updated to SP3, installed AntiVir, etc.

Thanks for the tip on Norton Internet Security, I'll have to keep that in mind the next time I come across it.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius

GREAT BOOK OF DICK posted:

Thanks for the tip on Norton Internet Security, I'll have to keep that in mind the next time I come across it.

The best idea is whenever you have a problem, look for Norton. Or just run the removal tool anyway. You won't believe how hosed up Norton leaves your computer after uninstalling. I've seen Norton totally block iexplore.exe, it never lets you access network shares, and sometimes blocks the internet entirely. Not to mention that the whole thing slows your computer to a stand still. I don't know how Symantec can still be allowed to sell that shitstorm.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

Cojawfee posted:

The best idea is whenever you have a problem, look for Norton. Or just run the removal tool anyway. You won't believe how hosed up Norton leaves your computer after uninstalling. I've seen Norton totally block iexplore.exe, it never lets you access network shares, and sometimes blocks the internet entirely. Not to mention that the whole thing slows your computer to a stand still. I don't know how Symantec can still be allowed to sell that shitstorm.

But the geeks at Best Buy told me it's the best antivirus software there is...:laugh:

brc64
Mar 21, 2008

I wear my sunglasses at night.

abominable fricke posted:

But the geeks at Best Buy told me it's the best antivirus software there is...:laugh:
Best? You mean there are others?

Otacon
Aug 13, 2002


abominable fricke posted:

Do you care to share any info, or are you going to hold out?

Midelne posted:

Seconded, since signed code infections are rare to begin with, let alone code signed by Microsoft. Needs a lot more details, up to and possibly including VirusTotal stats.

My boss found it, and briefly told me about it. I'm not going into work until tomorrow, but when I do I'll see if he can remember anything else. He basically said that he had done a few scans, was still having problems, and ran down the list of drivers one more time. He ran into one he didn't recognize, and upon checking the details he noticed it was signed, spoofing Microsoft - which is why he didn't find it in the first place. The only scanner that picked it up was....

Panda.

SASW missed it, MBAM missed it, Avast! missed it, Trend Micro missed it - the only thing that picked it up was Panda. Go figure.

Otacon fucked around with this message at 21:02 on Jan 9, 2009

BillWh0re
Aug 6, 2001


There are no known attacks to spoof existing executable digital signatures so either the signature doesn't work or this is a false positive from Panda. Since no one else detects it I would assume the latter.

Birth Ritual
Jul 22, 2004

After reading the first page of this thread I sought out ComboFix. When I start it I get a message that I have Norton Antivirus 2006 running and that I should stop it - but I've never had Norton-anything installed on my computer. The second time around I just continued anyway, ComboFix started doing its thing, deleted some files and then stopped when it said something like "c:\Windows\system32 is not recognized as an executable, batch..." (I forget the rest). I restarted my computer and things seem fine.

The reason I was looking into this is that the Windows Automatic Update icon was telling me that Auto Updates was shut off and the Security Center was saying it was off, but in the Control Panel>Automatic Updates it was definitely set to 'on'. After the latest restart the notification is gone and Security Center is now saying it is on.

I'm going to guess that ComboFix got something, but I don't know...

bazaar apparatus
Dec 1, 2006

Whenever my body starts to feel sick, I just stop being sick and be awesome instead.

heat vision posted:

I'm going to guess that ComboFix got something, but I don't know...

It should have saved a log file to C:\Combofix.txt or something. Check that and see what it says.

ndb
Aug 25, 2005

I work at my university's IT department, specifically for the helpdesk.

On Friday I encountered two machines, both with a variant of WinAntivirus. One displayed a fake Windows Firewall window, and the other one had TWO varieties of WinAntivirus on it at the same time.

The first time it was easy to remove as it was a dumb variety of the virus - find the process that's running, kill it, search for it in Windows, delete everything that's in the folder (this one was in Application Data/Google), or at least everything relevant to the virus, remove it from Startup under msconfig, and to be safe run SuperAntiSpyware and MalwareBytes. Reboot a couple times to make sure it doesn't come up again.

The second one though I couldn't do anything. She took the laptop to Baylor Hospital's IT Department before she took it to our department. Somehow they messed it up - you could boot into Safe Mode, but you couldn't boot into regular Windows, as Chkdsk would run, report that the C:\ drive was in RAW format, and then it crashed giving you an Unknown Hard Error.

There were other weird things going on with her computer - there was an Administrator account that didn't appear under User Settings.

I did some Googling, and I was getting different reports on what this error means - and was getting everything from "It's a fake blue screen" to "It's memory". I consulted with my boss and he just told me that it's probably better to tell her to back up all her files and to reformat her disk.

Now that I think about it, it was probably a fake Chkdsk and fake blue screen. But how could you do that in Windows XP? This was before you even had a chance to log into a user.

big shtick energy
May 27, 2004


So we recently had Trojan.Linkoptimizer spread around the office where I work, and one of the infected systems was mine. Seeing as I didn't browse any non-company sites in IE, or run anything new, and the system had the patch (or should have, I believe it was pushed out) for the new remote vulnerability, I have no idea how I got infected.

Is that malware known for using autorun on external drives or something? Or was an internal company page or something compromised with a drive-by for IE?

BillWh0re
Aug 6, 2001


SecretFire posted:

So we recently had Trojan.Linkoptimizer spread around the office where I work, and one of the infected systems was mine. Seeing as I didn't browse any non-company sites in IE, or run anything new, and the system had the patch (or should have, I believe it was pushed out) for the new remote vulnerability, I have no idea how I got infected.

Is that malware known for using autorun on external drives or something? Or was an internal company page or something compromised with a drive-by for IE?

I think Symantec sometimes refer to the Conficker worm as Trojan.Linkoptimizer, perhaps because they have very similar obfuscation of the main DLL code.

If it's a Conficker variant it'll probably spread by all three of these:

- MS08-067 exploit (server service vulnerability that you say is patched)
- Writable shares with weak passwords, or unpassworded shares, onto which it copies the DLL file and sets up a scheduled task to run it
- USB drives where it creates an autorun.inf file full of random crap that still works because it has the proper autorun text in it, the actual DLL is in the RECYCLER folder on the drive
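The third bullet is the one a helpdesk can actually check for by hand: the autorun.inf works despite the junk because Windows' INI reader skips lines it cannot parse, so only the real `[autorun]` keys matter. The following is an added example, not code from the thread, that parses an autorun.inf with the same tolerance and then reports the tells: a rundll32 launch, a payload path under RECYCLER, and an Action string dressed up to look like Explorer's own "Open folder to view files" entry. The sample file is constructed; the folder and DLL names in it are made up.

```python
"""Lenient autorun.inf parser for the USB-spreading trick described above.

Added example. Windows' INI reader ignores lines it cannot parse, so an
autorun.inf padded with binary junk still runs as long as the real
[autorun] keys survive. This parser copies that tolerance, then reports
the indicators. SAMPLE_AUTORUN is constructed; names in it are made up.
"""

# Keys Windows honours in an [autorun] section (subset; enough for detection).
AUTORUN_KEYS = {"open", "shellexecute", "action", "icon", "label", "useautoplay"}

SAMPLE_AUTORUN = (
    b"\x00\xf3\x17garbage garbage\r\n"
    b"[AutoRun]\r\n"
    b"\x9a\xc1more junk\x00\x00\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"\xff\xfe=\x01\x02\r\n"
    b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-0-0-0-1000\\payload.vmx,DllEntry\r\n"
    b"UseAutoPlay=1\r\n"
    b"\x13\x37 trailing junk"
)


def parse_autorun(raw):
    """Return the [autorun] keys Windows would see, ignoring junk lines."""
    text = raw.decode("latin-1")          # never fails; junk bytes stay junk
    keys, in_section = {}, False
    for line in text.splitlines():
        line = line.strip("\x00 \t\r")
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in AUTORUN_KEYS or key.startswith("shell\\"):
            keys[key] = value.strip()
    return keys


def autorun_indicators(keys):
    """Human-readable reasons this autorun.inf deserves a closer look."""
    findings = []
    commands = [v for k, v in keys.items()
                if k in ("open", "shellexecute") or k.startswith("shell\\")]
    for cmd in commands:
        low = cmd.lower().replace("/", "\\")
        if "rundll32" in low:
            findings.append("rundll32 launch: " + cmd)
        if "\\recycler\\" in low:
            findings.append("payload under RECYCLER: " + cmd)
    if "open folder" in keys.get("action", "").lower():
        findings.append("Action text mimics Explorer's 'Open folder to view files'")
    return findings


def scan_autorun_file(path):
    """Read a real autorun.inf from a mounted drive and report indicators."""
    with open(path, "rb") as fh:
        return autorun_indicators(parse_autorun(fh.read()))


if __name__ == "__main__":
    for finding in autorun_indicators(parse_autorun(SAMPLE_AUTORUN)):
        print(finding)
```

Run `scan_autorun_file(r"E:\autorun.inf")` against a suspect stick from a machine with AutoPlay disabled (on XP, the NoDriveTypeAutoRun policy); a clean vendor autorun that just does `open=setup.exe` produces no findings.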

big shtick energy
May 27, 2004


BillWh0re posted:

I think Symantec sometimes refer to the Conficker worm as Trojan.Linkoptimizer, perhaps because they have very similar obfuscation of the main DLL code.

If it's a Conficker variant it'll probably spread by all three of these:

- MS08-067 exploit (server service vulnerability that you say is patched)
- Writable shares with weak passwords, or unpassworded shares, onto which it copies the DLL file and sets up a scheduled task to run it
- USB drives where it creates an autorun.inf file full of random crap that still works because it has the proper autorun text in it, the actual DLL is in the RECYCLER folder on the drive

Wait...you can "share" the ability to schedule tasks? I had no idea.

BillWh0re
Aug 6, 2001


SecretFire posted:

Wait...you can "share" the ability to schedule tasks? I had no idea.

They're stored as .job files so with access to the C$ or ADMIN$ share you can just drop them I believe.

Nolgthorn
Jan 30, 2001

The pendulum of the mind alternates between sense and nonsense
I've got something really impressive on my Vista machine, I've been virus-free for almost my whole life; the last time, I think, I was about 14. It's causing my HTTP not to work at all, I can run torrents or other Internet/network traffic just fine though, web pages will load but it often takes upwards of 20 minutes for that to happen.

NOD32 antivirus, which to my knowledge for me has never let one slip by before now, no longer updates and says it cannot connect to its update database.

I ran a full scan and the only thing that came up was some weird adware in my temporary files.

Leonard Leroy
Feb 11, 2007

Filipino Box Spring Hog
Any good registry guards around? I was using Spybot for a bit, but that seems outdated, and it was kinda unpolished in the first place. Still, it was a good line of defense against malware.

Raluek
Nov 3, 2006

WUT.

Nolgthorn posted:

I've got something really impressive on my Vista machine, I've been virus-free for almost my whole life; the last time, I think, I was about 14. It's causing my HTTP not to work at all, I can run torrents or other Internet/network traffic just fine though, web pages will load but it often takes upwards of 20 minutes for that to happen.

NOD32 antivirus, which to my knowledge for me has never let one slip by before now, no longer updates and says it cannot connect to its update database.

I ran a full scan and the only thing that came up was some weird adware in my temporary files.

Did you check your hosts file? Could be that or maybe your DNS got changed to something weird. Try 4.2.2.2 or something as a test.
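The hosts-file check suggested here is worth automating, because the entries malware adds are easy to miss among the comments in the stock file: vendor update hosts get sinkholed to 127.0.0.1 (which is what "cannot connect to its update database" looks like from the AV's side), and search engines get pointed at a live attacker address. This is an added example and not something anyone in the thread posted; the watchlist of vendor domains is an assumption you should extend for whatever product is on the box, and the sample hosts file is constructed, including the addresses in it.

```python
"""Check a Windows hosts file for sinkholed vendor domains and redirects.

Added example. WATCHLIST is an assumed list of update/vendor domains;
SAMPLE_HOSTS is constructed, addresses included.
"""
import ipaddress

DEFAULT_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Assumed watchlist: update and vendor domains malware likes to sinkhole.
WATCHLIST = (
    "eset.com", "microsoft.com", "windowsupdate.com", "symantec.com",
    "mcafee.com", "avast.com", "malwarebytes.org", "superantispyware.com",
)

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.eset.com          # blocks NOD32 updates
127.0.0.1       um01.eset.com
198.18.0.44     www.google.com           # search hijack (constructed address)
203.0.113.9     windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Return (lineno, ip, hostname) for every mapping; comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                      # not a hosts mapping; ignore
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def on_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def suspicious_hosts(entries):
    """Return (lineno, ip, name, reason) for entries worth checking."""
    findings = []
    for lineno, ip, name in entries:
        if name in ("localhost", "localhost.localdomain"):
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        if sinkhole and on_watchlist(name):
            findings.append((lineno, str(ip), name, "vendor/update domain sinkholed"))
        elif not sinkhole:
            # Any real address in hosts is a static override. On a home box
            # that is almost always a hijack; on a managed network legitimate
            # intranet entries will show up here too, so read the list.
            findings.append((lineno, str(ip), name, "resolution overridden"))
    return findings


def check_hosts_file(path=DEFAULT_HOSTS):
    """Scan the live hosts file on this machine."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_hosts(parse_hosts(fh.read()))


if __name__ == "__main__":
    for lineno, ip, name, reason in suspicious_hosts(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {lineno}: {ip:15} {name:30} {reason}")
```

Ordinary ad-blocking hosts files (the MVPS style) sinkhole thousands of ad domains to 127.0.0.1 and are deliberately not flagged here, since only watchlist names count as sinkholed. Two things the script cannot see: malware sometimes marks the hosts file hidden or read-only so it looks empty in Notepad, and it can point the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters at a different directory entirely, so confirm that value still names the default `drivers\etc` folder before trusting a clean result.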

darkforce898
Sep 11, 2007

Leonard Leroy posted:

Any good registry guards around? I was using Spybot for a bit, but that seems outdated, and it was kinda unpolished in the first place. Still, it was a good line of defense against malware.

I still vote for TeaTimer from Spybot... works marvelously.

Leonard Leroy
Feb 11, 2007

Filipino Box Spring Hog

darkforce898 posted:

I still vote for TeaTimer from Spybot... works marvelously.

Ya, it really does. I just took a look around, and there's nothing else free that does the same.

Capnbigboobies
Dec 2, 2004

darkforce898 posted:

I still vote for TeaTimer from Spybot... works marvelously.

The problem with Teatimer is that if we install it on all the computers we are constantly fixing, the users would just mash accept or even worse delete a benign process/program/registry key.

Jonny 290
May 5, 2005



[ASK] me about OS/2 Warp

Capnbigboobies posted:

The problem with Teatimer is that if we install it on all the computers we are constantly fixing, the users would just mash accept or even worse delete a benign process/program/registry key.

TeaTimer and other "bong! security alert" programs - GREAT if you can understand what it's asking, terrible if you don't. TT should never be installed for end users IMO, they either blindly click accept or block on every popup.

Capnbigboobies
Dec 2, 2004

Jonny 290 posted:

TeaTimer and other "bong! security alert" programs - GREAT if you can understand what it's asking, terrible if you don't. TT should never be installed for end users IMO, they either blindly click accept or block on every popup.

I agree 100%, I always uncheck teatimer and the other thing SpyBot uses when I install it on a computer I am fixing. For us awesome computer guys we can use teatimer, but we never really run into spyware that often anyways.

Sent from my iPad
Jun 19, 2000

Just finished cleaning off a friend's computer that got infected with TDSServ. Seems to be completely gone now, thanks to SUPER Antispyware and ComboFix.

NOD32 only picked up on the problem when it noticed the SYSTEM account trying to download a Win32/Kryptik.EH trojan from an external website. That website is tied to a domain name, which surprisingly enough isn't through Domains By Proxy. I'll probably call the administrative contact tomorrow morning to ask why he's hosting malware.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

zapf posted:

Just finished cleaning off a friend's computer that got infected with TDSServ. Seems to be completely gone now, thanks to SUPER Antispyware and ComboFix.

NOD32 only picked up on the problem when it noticed the SYSTEM account trying to download a Win32/Kryptik.EH trojan from an external website. That website is tied to a domain name, which surprisingly enough isn't through Domains By Proxy. I'll probably call the administrative contact tomorrow morning to ask why he's hosting malware.

It wouldn't surprise me if this is news to him.
