Bald Stalin
Jul 11, 2004

Our posts

BorderPatrol posted:

Anyone here use Counterspy/VIPRE security software? I've been using them for a few years now and they are one of the most underrated security companies I've seen, their stuff is very good (they originally made the first versions of the Microsoft Antispyware product)

We use CounterSpy enterprise. It works well enough but there are a lot of bugs and false positives. Also many times it's failed to stop/remove what malwarebytes anti malware fixed straight away.

A relatively up to date CounterSpy agent was detecting Utimaco Safeguard (encryption software) as a trojan and quarantining an important .dll file crippling my laptops. If I was using a brand new updated version of Safeguard I could understand but this version has been out for many many months.

BillWh0re
Aug 6, 2001


Sanctum posted:

So I finally installed WinXP SP3 only 2 days ago and just today, browsing the internet, I notice my HD running too much, check processes and see acrord32.exe using 1.2 gigs of memory. I haven't been viewing any .pdf's since I booted. 5 minutes later my window is greyed out and I have a fake anti-virus program pretending to scan my system.

There have been lots of exploited PDF files around lately and it looks like that's what happened here. That acrord32.exe was using 1.2gb suggests that the PDF probably contained some Javascript that was spraying the heap in preparation for triggering a vulnerability. You don't say what AV you're using but detection of these PDFs varies greatly between antivirus vendors and is generally pretty poor across the board so it could easily have slipped through embedded in a webpage somewhere.

The sad thing is most people don't care as much about updating Acrobat reader as other software but the reality is it is just as much in the line of fire as a web browser or email client. I imagine it also doesn't help that a lot of the time if someone pirates Photoshop or other Adobe software they'll redirect the update domain to 127.0.0.1 in the hosts file to stop it phoning home -- I'm not totally sure but I imagine this also stops updates to Acrobat reader.

Sanctum posted:

:haw: prunnet.exe among other things in my processes now. I kill and delete everything, but I still have some randomly generated .dll's in system32 created at the same time which have hooked themselves into my winlogon.exe so I can't kill them or delete them. They generate new registry values every time I reboot so the same processes keep popping up no matter how many times I remove them from my registry and delete the files I can delete.

Is there any way to use an image of a CD-ROM/floppy boot disk and load it from the HD using boot.ini? I have no floppy drive, my DVD drive isn't recognized in my BIOS menu and I got nothing but my HD to boot to. Which is SATA, and every other HD in this house is IDE so I can't even put it in a different computer to just delete the goddamn files hooked into my winlogon.exe. :bang:

Whatever happened to being able to boot to a DOS prompt anyways. gently caress you safe mode with command prompt.

How did you install Windows without any way to boot from CD? Can you boot from a USB memory stick? If so, you can probably get an install of Knoppix or an Ubuntu LiveCD going and mount the Windows drive from there.

averagebloke
May 8, 2004

BillWh0re posted:

The sad thing is most people don't care as much about updating Acrobat reader as other software but the reality is it is just as much in the line of fire as a web browser or email client.

This is a good point.

Once I've cleaned a system, removed the old system restore points, updated to the latest security patches and installed an anti virus product I always update the trifecta of Adobe Flash, Java and Adobe Reader to try and prevent reinfection. Is there anything else that I should be doing?

BillWh0re
Aug 6, 2001


averagebloke posted:

This is a good point.

Once I've cleaned a system, removed the old system restore points, updated to the latest security patches and installed an anti virus product I always update the trifecta of Adobe Flash, Java and Adobe Reader to try and prevent reinfection. Is there anything else that I should be doing?

That's pretty much all I can think of although if Office is on there you'd want to update that as well, basically anything that can open embedded in a browser, or that embeds a browser itself, needs to be kept up to date.

-Dethstryk-
Oct 20, 2000

BillWh0re posted:

That's pretty much all I can think of although if Office is on there you'd want to update that as well, basically anything that can open embedded in a browser, or that embeds a browser itself, needs to be kept up to date.
This is where something like Secunia's PSI comes in handy.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

brc64 posted:

I tested VIPRE Enterprise here and loved it. My boss proposed it to the owner as an alternative to OfficeScan (which STILL isn't Server 2008 compatible), citing better protection and management AND lower cost (which means we can make more money from it). Owner dismissed the idea without even giving it 2 seconds of thought. :(

Is the owner some kind of OfficeScan fanboy? We just finished ridding our network of that poo poo and forced CDW to give us a refund on it AND exchange it with Kaspersky. $12,000 and a 400 user license later, we're now securing our systems with it and so far it's found plenty of infections that TrendMicro and Symantec did not. That's for a three year license and they even threw in a free, one year subscription to Kaspersky Internet Security for the first 300 users who ask our department for an activation key. That's not even the best part, either. When we e-mail the company employee instructions to obtain Kaspersky and their activation code, the e-mail also tells them to call Kaspersky for further support. :toot:

Doc Faustus
Sep 6, 2005

Philippe is such an angry eater

Otacon posted:

I'm on my third computer today that's crossed my desk with TDSSrv, and it's only 2pm.

Signs that you are infected with TDSSrv: Windows XP refuses to boot, either blue-screening during the black loading screen, or freezing before it gets to login.


Whoa, thanks for posting this. I just forwarded this one to everyone in my little group; you may have saved one computer from the scrap heap already.

1997
Jan 20, 2008

calmer than you are

Otacon posted:

Has anyone here worked with Geeksquad? How efficient were those MRI disks?

Incredibly efficient. Virus removal is almost completely automated, with any remaining bits needing manual removal. Mounts to Windows installations, has the ability to clean and modify the registry even if something like TDSSrv prevents boot up. Has all sorts of Winsock and dll fixes that are automated too. Much better than it was before last summer. Basically we just have to run it once for it to pave through what it finds and 99% chance there will be a usable system to come out of it in the end. We rarely have to restore units and even more rarely see them come back again for the same problems, unless the customer was an idiot and re-infected themselves. There's multiple scans that we use to give a system a clean diagnosis, we don't rely on just one.

Also today some guy laughed at me when I told him we'd have to charge for his virus removal even though we installed his antivirus software like a week ago (on a brand new PC) because he's been using Limewire. Once you mess with P2P/BitTorrent, you're on your own and you gotta pay. Basically he thinks we were responsible for telling him NOT to and should do it free. Whatever, no.

Otacon
Aug 13, 2002


1997 posted:

Incredibly efficient. Virus removal is almost completely automated, with any remaining bits needing manual removal. Mounts to Windows installations, has the ability to clean and modify the registry even if something like TDSSrv prevents boot up. Has all sorts of Winsock and dll fixes that are automated too. Much better than it was before last summer. Basically we just have to run it once for it to pave through what it finds and 99% chance there will be a usable system to come out of it in the end. We rarely have to restore units and even more rarely see them come back again for the same problems, unless the customer was an idiot and re-infected themselves. There's multiple scans that we use to give a system a clean diagnosis, we don't rely on just one.

Also today some guy laughed at me when I told him we'd have to charge for his virus removal even though we installed his antivirus software like a week ago (on a brand new PC) because he's been using Limewire. Once you mess with P2P/BitTorrent, you're on your own and you gotta pay. Basically he thinks we were responsible for telling him NOT to and should do it free. Whatever, no.

I had a guy yesterday call in, and asked me about Limewire - then, he put me on speakerphone so his crotchspawn could hear me say "Limewire will put viruses on your computer." Then, the kid said "Well, how else am I supposed to get music?"

My response? "You pay for it in iTunes."

GreenFuz
Aug 30, 2000

by Peatpot

GREAT BOOK OF DICK posted:

Is the owner some kind of OfficeScan fanboy? We just finished ridding our network of that poo poo and forced CDW to give us a refund on it AND exchange it with Kaspersky. $12,000 and a 400 user license later, we're now securing our systems with it and so far it's found plenty of infections that TrendMicro and Symantec did not. That's for a three year license and they even threw in a free, one year subscription to Kaspersky Internet Security for the first 300 users who ask our department for an activation key. That's not even the best part, either. When we e-mail the company employee instructions to obtain Kaspersky and their activation code, the e-mail also tells them to call Kaspersky for further support. :toot:

Kaspersky is probably going to be a tougher sell, at least to people who've heard about their site getting hacked with a SQL injection. How the hell did your boss get CDW to refund you for TM, and how smoothly did the deployment go? Oh yeah, and did you notice any performance gains when moving to Kaspersky? OfficeScan is a bloody pig.

brc64
Mar 21, 2008

I wear my sunglasses at night.

GREAT BOOK OF DICK posted:

Is the owner some kind of OfficeScan fanboy?
My boss gave the owner a very nice proposal on VIPRE, but I'm told the owner just dismissed it off-hand saying that he "does not want to see us have to support something else". End of discussion.

There's a reason I started the Job thread...

Runcible Cat
May 28, 2007


GreenFuz posted:

Kaspersky is probably going to be a tougher sell, at least to people who've heard about their site getting hacked with a SQL injection. How the hell did your boss get CDW to refund you for TM, and how smoothly did the deployment go? Oh yeah, and did you notice any performance gains when moving to Kaspersky? OfficeScan is a bloody pig.
I found Kaspersky every now and then changed the received date of emails when they were moved into public folders. Which is a spectacular pain in the arse in a company that uses ~100 of the drat things to keep track of client emails and needs to be able to date-track them. The other deal-killer was the amount of time it took them to actually take it seriously and stop pointing me at Microsoft bug reports that had sod all to do with the problem I was reporting.

We are now on Sophos.

(Which is a bit of a pig when HD scanning but at least doesn't play silly buggers with our data.)

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

GreenFuz posted:

Kaspersky is probably going to be a tougher sell, at least to people who've heard about their site getting hacked with a SQL injection. How the hell did your boss get CDW to refund you for TM, and how smoothly did the deployment go? Oh yeah, and did you notice any performance gains when moving to Kaspersky? OfficeScan is a bloody pig.

Yeah, that whole SQL injection story came out a couple weeks after finishing the Kaspersky deployment. I linked my boss to it and his response was "Okay, so what? I don't have any account information, logins, etc. on their site." If you knew my boss like I have for the past couple years, you'd find out he's the type of person who would call Krispy Kreme and argue with the manager because the doughnut he received was cold upon arrival when it was supposed to be fresh and warm. He has little sympathy and patience for any vendor. If you don't meet his level of satisfaction, he will go over your head and find someone who will. That's how he got his CDW representative to take our TrendMicro purchase back and give us Kaspersky for the entire company. The deployment was okay for the most part. We had 10-15 machines out of 300 or so that didn't complete the automated installation. When I investigated, the majority of those machines were either turned off or locked up. The ones that were locked up were older machines (one had a 10GB hard drive with some local user profiles stored on it so the installation choked on a lack of free disk space.) The other problem we had were some mobile users who could no longer RDP their desktops because Kaspersky had its "Anti-Hacker" feature turned on by default. Apparently it's just a custom firewall set to block incoming RDP connections from the outside world. That's really it. Performance is about the same between Kaspersky and OfficeScan. I didn't notice any drastic differences, aside from OfficeScan's terrible default level of security. We also complete any scans or updates on all workstations after 10pm though when employees are gone.

Otacon
Aug 13, 2002


More on TDSServ/Anti Spyware 2009:

http://trollitc.com/2009/02/how-to-remove-antivirus-2009-from-your-computer-so-you-can-game-properly/

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
$250,000 Bounty for Conficker Creator

The Register posted:

Microsoft is offering a $250,000 reward for information that leads to the arrest and conviction of the virus writers behind the infamous Conficker (Downadup) worm.

The bounty, announced Thursday, represents a revival of Microsoft's mothballed Anti-virus Reward Program, launched in 2003 and virtually moribund since 2004.

In 2003, Redmond put up a $250,000 reward for tips leading to the arrest and conviction of the virus writers behind the infamous SoBig and Blaster worms. It extended this offer to other examples of malware, but there's only ever been one payout.

Erstwhile college friends of German VXer Sven Jaschan, who was convicted of writing the Sasser worm, picked up a $250 payout for their efforts.

This all seemed much more impressive prior to the last couple paragraphs.

1997
Jan 20, 2008

calmer than you are

Otacon posted:

I had a guy yesterday call in, and asked me about Limewire - then, he put me on speakerphone so his crotchspawn could hear me say "Limewire will put viruses on your computer." Then, the kid said "Well, how else am I supposed to get music?"

My response? "You pay for it in iTunes."

Yeah, that's pretty much exactly what I tell them too.

We had a guy install Bearshare the morning after he got his computer back and then proceeded to lie to us on the phone, telling us that the very first thing he saw in the morning when he booted the PC up, was popups for viruses. We checked his PC when he brought it in and saw Bearshare and that it was installed that morning and that he had already been infected, then we promptly sent him back home with it because he didn't listen to us when we told him not to use that stuff anymore. Who the gently caress uses Bearshare still though?

Why people don't listen to us is beyond me.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
The entire thing is just messed up. Sometimes I see what should be a dumb teenager with some sort of torrent program, and think maybe kids have gotten with the times. And then I see someone with limewire and lots of lovely pornos "hidden" in the fonts directory.

URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!
http://www.sophos.com/blogs/gc/g/2009/01/16/passwords-conficker-worm/

List of default passwords that Conficker attempts to use on ADMIN$ shares

Hope your domain controller isn't set up with any of these :<

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
Good thing I use 1234asdf as my password, They missed it by one letter.

devmd01
Mar 7, 2006

Elektronik
Supersonik
Let's just say that if conficker hits my company, we are hosed, unless they have implemented reeeeally good detection rules in the IDSs.

Guess who is supposed to be monitoring the SAV server?

Guess who hasn't been able to get on the SAV system console to make sure everything is running as it should and change the virus alert notification email from the old admin to the new one because the server team can't figure out how to give me permissions to the security console?

e:

Orange Juilius posted:

List of default passwords that Conficker attempts to use on ADMIN$ shares

It doesn't have the most commonly used passwords on there. I'm safe. :smug:

devmd01 fucked around with this message at 20:13 on Feb 13, 2009

LordKain
Oct 8, 2006

hyperborean posted:



:xd:

That is awesome, and reminds me of something.

My wife works in a Jewish family's house every Friday and recently they had been having PC (WinXP) issues. So I head over about a week or so ago and check it out. Well, my wife had said that Norton was up and a few other windows, but I said I'd just have to take a look to be sure. So I look and Norton is up along with a few other windows. After a minute I realize that the others don't say Norton 360, they say Antivirus 360. God damnit, another variant. So all of a sudden the screen blanks and restores, except it's blown up and in some insanely small res that only shows about a quarter of the screen. After about 30 seconds it BSoDs (and I haven't done anything yet). Well I read the BSoD and towards the bottom it stops looking legit. It said something about checking your antivirus/antispyware or something. Then it says that it's restarting so I let it.

The BSoD goes away and the Windows loading screen pops up. So I'm thinking that was way too quick, especially considering the BIOS poo poo didn't popup and all that jazz. So I look at the screen again and under the little XP loading bar there was some text that went to the tune of:
Microsoft Security Center has detected that your antivirus program is out unregistered. Please register Antivirus 360 blah blah blah.
And then it loads back into the exact layout and windows as when I first saw it. So I fire up Malwarebytes and about an hour later I'm done.

Nothing major, I just thought it was interesting the type of tactics they used, including the mostly legit looking BSoD and Windows 'Security Center' warning. Man I wish I got screens of that stuff

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
Sounds like a modified blue screen screen saver.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Cojawfee posted:

Sounds like a modified blue screen screen saver.

Yeah, that's been there since one of the original WinXPAntivirus variants. Someone said it was originally a SysInternals joke if I remember right.

I found another one that ran a fake chkdsk, but whoever was typing out the information hadn't been paying much attention and just kind of mashed number keys for drive stats. It was reporting like 10 petabytes of total drive space.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

I caught something from either Sherdog.com or Sportbikes.net

I had an up to date AVG running, I'm behind a NAT'd router, and had Windows firewall on.

After a couple minutes, routing table gets filled with static entries and the net becomes un-surfable. And I have a bazillion SMTP connections going, to all around the world.

Malwarebytes finds nothing. Neither does AVG. What should I try?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Bob Morales posted:

Malwarebytes finds nothing. Neither does AVG. What should I try?

SUPERAntispyware is pretty decent at finding late-model crap.

To clarify, do the static routes go away when you reboot?

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Midelne posted:

SUPERAntispyware is pretty decent at finding late-model crap.

To clarify, do the static routes go away when you reboot?

I'm fairly sure.

I have been doing a route -f, then I hurry the hell up and get online (to update Malwarebytes, for example)

But it won't stay online long enough to run Windows updates.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius

Midelne posted:

Yeah, that's been there since one of the original WinXPAntivirus variants. Someone said it was originally a SysInternals joke if I remember right.

I found another one that ran a fake chkdsk, but whoever was typing out the information hadn't been paying much attention and just kind of mashed number keys for drive stats. It was reporting like 10 petabytes of total drive space.

Yes, but the original ones simply just put the actual screen saver in system32 (but changed the filename) and left it at that. This one appears to have been modified. Poorly at that, as the real screen saver takes real information from your system.

Sanctum
Feb 14, 2005

Property was their religion
A church for one

BillWh0re posted:

How did you install Windows without any way to boot from CD? Can you boot from a USB memory stick? If so, you can probably get an install of Knoppix or an Ubuntu LiveCD going and mount the Windows drive from there.
I honestly have no idea since I haven't changed jumper settings on my HDs or DVD drive, but BIOS refuses to recognize the DVD drive now.

So what I had must have been Anti Spyware 2009 bundled with some other serious poo poo because after following the steps to remove that I've noticed I have web results randomly hijacked and bring me to a different page. When it's some innocuous google search I'll occasionally click on a link to wikipedia or something and each time I try it I get taken to a different fake search page. But as if hijacking my search results and re-directing me wasn't scary enough, when I search for something relating to spyware all of the results take me to fake sites unless I copy the URL manually instead of clicking it.

On top of that, I had to change the name of the SuperAntiSpyware installer to run it, and attempting to scan my computer results in a BSOD. :wth: I give up, this virus wins, I'm re-installing windows even if it means I'll have to do it by dropping an old IDE drive into my computer to boot to.

Hank Killinger
Jul 13, 2008
Doesn't automatic lockout of accounts on several authentication failures make it impossible/difficult to brute force an admin user password like the way conficker does? Is there any way for a malicious program to avoid the lockout?

Suspicious
Apr 30, 2005
You know he's the villain, because he's got shifty eyes.
The administrator account doesn't lock out.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Suspicious posted:

The administrator account doesn't lock out.

And even if it did, it's not like Conficker is going anywhere on a network that uses one of those passwords. It'll be there for plenty long enough to try them all.

BillWh0re
Aug 6, 2001


Hank Killinger posted:

Doesn't automatic lockout of accounts on several authentication failures make it impossible/difficult to brute force an admin user password like the way conficker does? Is there any way for a malicious program to avoid the lockout?

These account lockouts happen and they loving kill a windows network so quickly when it gets Conficker. Though they're a good way to find out which computer is infected since all the requests come from it.

Even if it can't crack the account password it can still spread if someone logs on to the computer as a domain administrator as it will run with their account.
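BillWh0re's point that the lockouts themselves point at the infected machine is worth making concrete. The following is an added example, not code from anyone in the thread: it takes a CSV export of failed-logon events (event 4625, or 529 on XP/2003-era domain controllers; the column names and the rows are constructed for the example) and ranks source workstations by how many failures they generate and how many *different* accounts they fail against. One user fat-fingering their own password hits one account; a worm spraying a password list hits many accounts from one source in seconds.

```python
import csv
import io
from collections import defaultdict

# Constructed excerpt of a Security log export (not real data).  One row per
# failed logon; the column layout is an assumption for this example.
SAMPLE_EVENTS = """\
time,event_id,target_user,source_workstation,source_ip
2009-02-13 14:01:02,4625,administrator,WS-117,10.0.5.117
2009-02-13 14:01:02,4625,jsmith,WS-117,10.0.5.117
2009-02-13 14:01:03,4625,mjones,WS-117,10.0.5.117
2009-02-13 14:01:03,4625,backup,WS-117,10.0.5.117
2009-02-13 14:01:04,4625,administrator,WS-117,10.0.5.117
2009-02-13 14:05:40,4625,kbrown,WS-042,10.0.5.42
2009-02-13 14:09:11,4625,kbrown,WS-042,10.0.5.42
2009-02-13 14:10:55,4625,administrator,WS-117,10.0.5.117
"""

# 4625 = "An account failed to log on" (Vista/2008+), 529 = the XP/2003 equivalent.
FAILED_LOGON_IDS = {"4625", "529"}


def parse_failed_logons(text):
    """Return the rows whose event id is a failed-logon id, as dicts."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row["event_id"] in FAILED_LOGON_IDS]


def rank_sources(events):
    """Group failures by the machine that sent them.

    Returns a list of (workstation, failure_count, sorted distinct accounts),
    most failures first.  The workstation name is preferred; if the event
    carries none (some logon types do not), fall back to the source IP.
    """
    counts = defaultdict(int)
    accounts = defaultdict(set)
    for e in events:
        src = e["source_workstation"] or e["source_ip"]
        counts[src] += 1
        accounts[src].add(e["target_user"].lower())
    return sorted(((src, counts[src], sorted(accounts[src])) for src in counts),
                  key=lambda t: t[1], reverse=True)


def suspect_sources(events, min_failures=5, min_accounts=3):
    """Sources that exceed both thresholds: many failures AND many distinct targets.

    That combination is the spray pattern, and the machine producing it is the
    one to pull off the network first.  Thresholds are illustrative.
    """
    return [src for src, n, accts in rank_sources(events)
            if n >= min_failures and len(accts) >= min_accounts]


if __name__ == "__main__":
    evts = parse_failed_logons(SAMPLE_EVENTS)
    for src, n, accts in rank_sources(evts):
        print(f"{src:8s} {n:3d} failures against {len(accts)} accounts: {', '.join(accts)}")
    print("suspects:", suspect_sources(evts))
```

Run against a real export you would also bucket by time window, since the spray happens in a burst; the grouping logic is the same.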

Otacon
Aug 13, 2002


Sanctum posted:

I honestly have no idea since I haven't changed jumper settings on my HDs or DVD drive, but BIOS refuses to recognize the DVD drive now.

So what I had must have been Anti Spyware 2009 bundled with some other serious poo poo because after following the steps to remove that I've noticed I have web results randomly hijacked and bring me to a different page. When it's some innocuous google search I'll occasionally click on a link to wikipedia or something and each time I try it I get taken to a different fake search page. But as if hijacking my search results and re-directing me wasn't scary enough, when I search for something relating to spyware all of the results take me to fake sites unless I copy the URL manually instead of clicking it.

On top of that, I had to change the name of the SuperAntiSpyware installer to run it, and attempting to scan my computer results in a BSOD. :wth: I give up, this virus wins, I'm re-installing windows even if it means I'll have to do it by dropping an old IDE drive into my computer to boot to.

The first sounds like an issue in C:\windows\system32\drivers\etc\HOSTS - open HOSTS in notepad, see if there are any other lines that don't begin with a #. If there are any others than 127.0.0.1, delete those additions.

The second is common with these viruses - they have a list of programs that won't run/install if they match the name of a known virus/malware scanner. Easiest way to get around these is to rename installer, install, and then log into Safe Mode as an Administrator to run the scanner.

This is of course, if you haven't already run a reinstall. Even though - some of these will crash the Windows Installer as it's trying to copy files from the CD. So, YMMV.
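The HOSTS check Otacon describes can be scripted so you do not have to eyeball a long file, and so the two different things you might find there are told apart: a hostname pointed at a remote address (the search hijack Sanctum is seeing) versus a vendor's update or download domain pointed at 127.0.0.1 (the kind of entry BillWh0re mentioned earlier that stops Adobe updates). This is an added example, not code from the thread; the sample HOSTS content and the vendor keyword list are constructed for it.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file (not taken from the thread).  The
# first two mappings are the stock loopback lines; the rest are the kinds of
# additions left behind by a search hijacker or an update-blocking tweak.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# the lines below are constructed for this example
203.0.113.45    www.google.com
203.0.113.45    en.wikipedia.org      # hijack: traffic sent to a remote box
127.0.0.1       activate.adobe.com    # phone-home/update blocked
127.0.0.1       www.malwarebytes.org  # scanner download blackholed
"""

# Domain keywords a fake-AV infection commonly blackholes so the victim cannot
# fetch a scanner or security updates (illustrative list, not exhaustive).
SECURITY_VENDOR_KEYWORDS = ("malwarebytes", "superantispyware", "symantec",
                            "kaspersky", "sophos", "eset", "avg", "adobe",
                            "microsoft", "windowsupdate")


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every non-comment, non-blank line."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield n, parts[0], parts[1:]


def audit_hosts(text):
    """Return (line_no, severity, reason) for each entry that is not a stock loopback line.

    high   - a hostname pointed at a non-local address: the browser silently
             goes wherever the attacker chose.
    medium - a security/update vendor pointed at loopback or 0.0.0.0: updates
             and scanner downloads fail, which keeps the infection alive.
    low    - any other non-stock local mapping; review, then delete if unknown.
    """
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, "warn", f"unparseable address {ip!r}"))
            continue
        local = addr.is_loopback or addr.is_unspecified
        if local and names == ["localhost"]:
            continue                       # stock entry, nothing to report
        if not local:
            findings.append((n, "high", f"{', '.join(names)} redirected to {ip}"))
        elif any(k in h.lower() for h in names for k in SECURITY_VENDOR_KEYWORDS):
            findings.append((n, "medium", f"{', '.join(names)} blackholed to {ip}"))
        else:
            findings.append((n, "low", f"{', '.join(names)} mapped to {ip} (non-stock, review)"))
    return findings


if __name__ == "__main__":
    # On a live box: open(r"C:\Windows\System32\drivers\etc\hosts").read()
    for line_no, sev, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no:3d} [{sev}] {why}")
```

Note that the file is read with its trailing comments stripped, so an attacker appending a `#`-comment to a hijack line does not hide it; the only lines that pass without a finding are the two stock localhost mappings.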

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

Bob Morales posted:

I'm fairly sure.

I have been doing a route -f, then I hurry the hell up and get online (to update Malwarebytes, for example)

But it won't stay online long enough to run Windows updates.

Nod32 will find it. I had that one last week. Does it look for a host on port 8221 or 9882 or 8991 or something like that?

It was sneaky. It wouldn't show any activity on netstat or tcpview but we could see it happening on our gateway. The only reason I found it is because my tech machine uses nod32 and I was scanning with something else offline and just happened to find it.
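Bob's symptom (a flood of SMTP connections "to all around the world") and abominable fricke's observation that it only showed up on the gateway suggest where to look: the router's log, not the infected host. The following is an added example, not the thread's or any vendor's code; it parses constructed netfilter-style `LOG` lines (the format and addresses are assumptions for the example) and flags any internal host that opens TCP/25 to many distinct remote servers, which is what a spam bot does and what a normal mail client, talking to its one mail server, does not. It also lists outbound connections to uncommon ports so the odd-port traffic fricke asked about is visible in the same pass.

```python
import re
from collections import defaultdict

# Constructed gateway log excerpt in netfilter LOG format (not from the thread).
# Each line is one new outbound connection attempt seen by the router.
SAMPLE_GATEWAY_LOG = """\
Feb 13 14:02:11 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=1040 DPT=25 SYN
Feb 13 14:02:11 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.8 PROTO=TCP SPT=1041 DPT=25 SYN
Feb 13 14:02:12 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=1042 DPT=25 SYN
Feb 13 14:02:12 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=1043 DPT=25 SYN
Feb 13 14:02:13 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.21 PROTO=TCP SPT=1044 DPT=8221 SYN
Feb 13 14:02:14 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.31 DST=198.51.100.50 PROTO=TCP SPT=3301 DPT=80 SYN
Feb 13 14:02:15 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.31 DST=198.51.100.60 PROTO=TCP SPT=3302 DPT=443 SYN
Feb 13 14:02:16 gw kernel: FWD IN=br0 OUT=ppp0 SRC=192.168.1.31 DST=192.0.2.25 PROTO=TCP SPT=3303 DPT=25 SYN
"""

# Fields we care about from a netfilter LOG line; other fields are ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Ports a desktop normally talks to; anything else outbound is worth a look.
COMMON_PORTS = {25, 53, 80, 110, 143, 443, 993, 995}


def parse_gateway_log(text):
    """Return one dict per parseable line: src, dst, proto, spt, dpt (ports as ints)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["spt"], d["dpt"] = int(d["spt"]), int(d["dpt"])
            events.append(d)
    return events


def smtp_fanout(events):
    """Map each internal source to the set of distinct remote hosts it tried on TCP/25."""
    fan = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dpt"] == 25:
            fan[e["src"]].add(e["dst"])
    return fan


def spam_bot_suspects(events, min_distinct_dst=3):
    """Sources that opened SMTP to at least min_distinct_dst different servers.

    A legitimate client relays through one or two servers; a bot delivers
    directly to hundreds of MX hosts.  The threshold is illustrative.
    """
    return sorted(src for src, dsts in smtp_fanout(events).items()
                  if len(dsts) >= min_distinct_dst)


def uncommon_ports(events):
    """(src, dst, dpt) for outbound TCP to ports outside COMMON_PORTS."""
    return [(e["src"], e["dst"], e["dpt"]) for e in events
            if e["proto"] == "TCP" and e["dpt"] not in COMMON_PORTS]


if __name__ == "__main__":
    evts = parse_gateway_log(SAMPLE_GATEWAY_LOG)
    print("SMTP fan-out suspects:", spam_bot_suspects(evts))
    for src, dst, port in uncommon_ports(evts):
        print(f"uncommon outbound port: {src} -> {dst}:{port}")
```

The same check works on any firewall log that records source, destination and destination port per new connection; only `LOG_RE` needs adjusting. Watching from the gateway also sidesteps the problem fricke ran into, where a rootkit on the host hides its own sockets from netstat and TCPView.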

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

Bob Morales posted:

I caught something from either Sherdog.com or Sportbikes.net

I had an up to date AVG running, I'm behind a NAT'd router, and had Windows firewall on.

After a couple minutes, routing table gets filled with static entries and the net becomes un-surfable. And I have a bazillion SMTP connections going, to all around the world.

Malwarebytes finds nothing. Neither does AVG. What should I try?

Use the latest version of Java and Adobe Reader. This cannot be stressed enough when you consider how many different things will surprise-infect you via a vulnerability in either of those. I watched a machine in a domain that was fine and sitting unused for a month contract Virtumonde because of an outdated Java install/infected .GIF image.

Otacon
Aug 13, 2002


Just finished a 2 day virus infection extravaganza. Installed a bad file, didn't scan first, walked away with Virut, MS Antispyware 2009, and some new form of rootkit that NOTHING would clean. It created a bunch of new drivers for devices I didn't even know existed. (Saitek Magic Bus? Who let the magic bus into my computer???)

Long story short, 5 repair installs, countless loops of Combofix/SDFix/Smitfraud, MBAM, SASW, Panda, Rootkit scanners, etc. All boils down to a nuke and reinstall.

I've learned my lesson.

I've also made a Ghost image.

(Virut turns all EXEs and all HTMLs into viruses. Every single EXE file in /Windows/ was infected. Look out for MS ANTISPYWARE 2009. It installs itself in C:\D&S\All Users\Application Data\CrucialSoft\MS AntiSpyware 2009\ and WILL NOT DELETE no matter HOW MANY TIMES YOU DELETE IT! Argg!)

Stanley Pain
Jun 16, 2001

by Fluffdaddy

Otacon posted:

Just finished a 2 day virus infection extravaganza. Installed a bad file, didn't scan first, walked away with Virut, MS Antispyware 2009, and some new form of rootkit that NOTHING would clean. It created a bunch of new drivers for devices I didn't even know existed. (Saitek Magic Bus? Who let the magic bus into my computer???)

Long story short, 5 repair installs, countless loops of Combofix/SDFix/Smitfraud, MBAM, SASW, Panda, Rootkit scanners, etc. All boils down to a nuke and reinstall.

I've learned my lesson.

I've also made a Ghost image.

(Virut turns all EXEs and all HTMLs into viruses. Every single EXE file in /Windows/ was infected. Look out for MS ANTISPYWARE 2009. It installs itself in C:\D&S\All Users\Application Data\CrucialSoft\MS AntiSpyware 2009\ and WILL NOT DELETE no matter HOW MANY TIMES YOU DELETE IT! Argg!)

Trannysurprise.exe is a no-click zone okay? :q:

Never heard of Saitek Magic Bus. Sounds pretty drat awesome though.


edit:

Are you sure the saitek magic bus is malware? Seems to be some kind of keyboard driver.

brc64
Mar 21, 2008

I wear my sunglasses at night.

Otacon posted:

It created a bunch of new drivers for devices I didn't even know existed. (Saitek Magic Bus? Who let the magic bus into my computer???)
There's a computer in the office here that used to try to install drivers for "Internet" every time you turned it on. That was my all time favorite.

devmd01
Mar 7, 2006

Elektronik
Supersonik
You know what I'm thankful for? A lightning storm that fried my parents' router back in November. They live a thousand miles away. Because of that I made them get a WRT54GL and while I was there for Christmas I got it all tweaked with Tomato, wireless security and SSH enabled.

Fast forward to yesterday, and I get a call from my mom about some antivirus 2009 warning popup thing.

Thanks to the router having ssh all I had to do was talk my dad through downloading and running tightvnc server. I could take care of the rest through ssh tunneling, instead of talking him through things that would be a pain in the rear end to explain.

They apparently had some new variant called "XP Police 2009", though malwarebytes seems to have cleaned it right up. It's probably time to get Symantec Corp 7.5 changed out for AVG, update other possible infection vectors, and get noscript+adblock installed and explained.

Dammit, I just realized that they just got a 22" widescreen, and are still running it at 1024x768.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

devmd01 posted:

They apparently had some new variant called "XP Police 2009", though malwarebytes seems to have cleaned it right up. It's probably time to get Symantec Corp 7.5 changed out for AVG, update other possible infection vectors, and get noscript+adblock installed and explained.

poo poo, I don't even want to think about trying to explain how to use Noscript to someone with minimal technical literacy. Good luck man.
