|
I've had a few computers come through with Virut. I tried to clean the first one, and wasted a lot of time and frustration. Now if I find it, it's backup and flatten time. No ifs, ands, or buts.
|
# ? Feb 19, 2009 00:32 |
|
Haha, had some customer today come in right before I left with a virus that was talking to him. He booted up the computer and a voice said "Warning! You are infected with spyware!" I'm gonna have fun with this one tomorrow
|
# ? Feb 19, 2009 08:12 |
|
Otacon posted:Look out for MS ANTISPYWARE 2009. It installs itself in C:\D&S\All Users\Application Data\CrucialSoft\MS AntiSpyware 2009\ and WILL NOT DELETE no matter HOW MANY TIMES YOU DELETE IT! Argg! I got that loving virus and did everything from safe mode to scanning from another computer and that fucker stayed tight. After 5 hours of crashes and cries of anguish I reformatted that drive and threw Windows 7 on it. I lost so much data because whenever I would pull over individual files from the infected drive it would be fine, but anything more and the HD would crash, and I would need to restart. After a couple hours of scan one file, copy one file, and crash I said gently caress it and reformatted.
|
# ? Feb 19, 2009 09:07 |
|
Otacon posted:Just finished a 2 day virus infection extravaganza. Installed a bad file, didn't scan first, walked away with Virut, MS Antispyware 2009, and some new form of rootkit that NOTHING would clean. It created a bunch of new drivers for devices I didn't even know existed. (Saitek Magic Bus? Who let the magic bus into my computer???) I'm also in the throes of cleaning up after Virut. What a quick and insidious piece of work it is. It just jumped on any app I tried to run, even Sophos, SuperAntiSpyware and Malwarebytes, and rendered them useless and slowed my machine to a halt. After half a day running every cleaner-upper I could trust I still couldn't get satisfactory results. So I laid waste and started again. How I managed to wipe my external b/u disk in the process is another story.....
|
# ? Feb 19, 2009 12:00 |
|
I generally assume that anyone in SH/SC is a competent computer user, so do you guys have any idea what the vector was for your infection?
|
# ? Feb 19, 2009 19:40 |
|
Doc Faustus posted:I generally assume that anyone in SH/SC is a competent computer user, so do you guys have any idea what the vector was for your infection? Parents browsing pornography?
|
# ? Feb 19, 2009 21:35 |
|
Doc Faustus posted:I generally assume that anyone in SH/SC is a competent computer user, so do you guys have any idea what the vector was for your infection? mis-click
|
# ? Feb 19, 2009 21:52 |
|
Elected by Dogs posted:Parents browsing pornography? I think this is almost always the case... I work University IT, and I still see AV 2009 or whatever again and again. I think my favorite story was "I was looking at a website about macs and got a virus." Right. Those crafty Mac zealots, out to infect your inferior windows machine.
|
# ? Feb 19, 2009 23:32 |
|
Doc Faustus posted:I think this is almost always the case... I work University IT, and I still see AV 2009 or whatever again and again. I think my favorite story was "I was looking at a website about macs and got a virus." Is that virus HIV?
|
# ? Feb 20, 2009 00:38 |
|
I've had 2 users get AV 2009. One user got it twice in a week "I only go to Yahoo!" Yeah right. One I was able to clean with safe mode + MBAM but the slow learner, his machine required formatting both times. Freakin' headache.
|
# ? Feb 20, 2009 01:14 |
|
d3rt posted:I've had 2 users get AV 2009. One user got it twice in a week "I only go to Yahoo!" Yeah right. I had a user get AV 2008 on their assigned laptop twice in a week when it was first becoming de rigueur for the malware scene. I assume that whatever vector it used allowed several other things to come on in as well, since we had a merry old time cleaning it both times. Denial, denial, denial the whole way up until the executives got involved, at which point she admitted that she pretty much just used the company-issued chock-full-of-confidential-information laptop as an electronic babysitter for her two children whenever she wanted to have a night on the town. If it gets infected again or she ever says anything about her children using the company laptop again, she loses her laptop. Which would be entertaining, since she's on-the-road Sales and Marketing and has no other computer. I would enjoy that.
|
# ? Feb 20, 2009 01:25 |
|
Doc Faustus posted:I generally assume that anyone in SH/SC is a competent computer user, so do you guys have any idea what the vector was for your infection? Did a google search, clicked a link. Chrome says "Hey! this page is known to have malware on it!" Then the page forwards to a PDF, I frantically try to smash the X to close it. Of course, that's when the computer chugs a bit and refuses to do anything for a few seconds, then finally lets me close the PDF. Voila, Vundo install complete.
|
# ? Feb 20, 2009 02:45 |
|
Doc Faustus posted:Right. Those crafty Mac zealots, out to infect your inferior windows machine.
|
# ? Feb 20, 2009 03:22 |
|
Argh...I work at a university and just discovered this rootkit/trojan. So far I've found it on 25 computers in various departments. I have no loving idea how far it has infiltrated the university but I'm willing to bet it's on a lot more PCs. It creates a file in c:\windows\system32\ called sysrestore.exe. It then adds itself as a service and makes itself a dependency of other Windows services. If you remove it then it fucks up Windows because all other services now depend on the "Backup" service. I first noticed the problem when I was scanning a machine and discovered it had approximately 40gb of movies/warez hidden in C:\System Volume Information. I believe it is functioning as an FTP server or XDCC serve bot on an IRC network. Possibly all part of some botnet. It also BREAKS almost every Vista machine it infects because it adds itself as a dependency to many Windows services and as a result several key services in Windows are prevented from starting, such as Workstation, Server, Netlogon and Computer Browser. It also adds itself to the same services in Windows XP but does not break them. Malwarebytes, Trend OfficeScan, and Trend Micro Sysclean do not seem to find it but I was able to manually look through the services, where it created a fake/rogue service called "Backup" under the executable c:\windows\system32\sysrestore.exe. Another computer just called this service "Backup Service". You can also check by going to HKLM\System\CurrentControlSet\Services and looking for a service called "Backup". Several online websites such as Sophos identify this trojan as "Troj/ServU-FP", however this variant seems to have many differences.
Here is what I have gathered so far...
- Creates a service called Backup with executable c:\windows\system32\sysrestore.exe
- Modifies the service Lanmanworkstation, removes all other dependencies and adds itself as a dependency as "Backup"
- Modifies the service Lanmanworkserver so that it depends on Backup and removes dependencies from lanmanworkserver
- Modifies the Eventlog service so that it depends on Backup and removes other dependencies
- Modifies Spooler so that it depends on Backup and removes other dependencies
- Modifies Dnscache so that it depends on Backup and removes other dependencies
- Modifies EventSystem so that it depends on Backup and removes other dependencies
- Modifies ProtectedStorage so that it depends on Backup and removes other dependencies
- Stores data in C:\System Volume Information so that the user cannot find it
- Installs DameWare NT Utilities 2.6
- Installs the following files in c:\windows\system32: java.dat java.ico pv.exe sisbackup.dll sysregpro.dll refdmnx32.dll sysrestore.exe
Nasty loving poo poo.
|
# ? Feb 20, 2009 17:11 |
|
macado posted:crazy virus If you haven't already I would send the file in and let them analyze it because the fix seems kind of nasty and would be better off preventing. Good catch with all of that stuff.
|
# ? Feb 20, 2009 18:02 |
|
quote:Several online websites such as Sophos identify this trojan as “Troj/ServU-FP” however this variant seems to have many differences. Here is what I have gathered so far… Dameware is usually used to keep ServU/iroffer running.
|
# ? Feb 20, 2009 18:33 |
|
Elected by Dogs posted:ServU is a light windows ftpd that many warez/xdcc places use. More information... All of the infected computers are running an FTP server on Port 5946 Most of the hidden shares have anywhere between 40gb to 200gb of pirated movies/games. gently caress this poo poo..
|
# ? Feb 20, 2009 18:37 |
|
I don't know, automated movie downloading service. You could perhaps, look at some of the popular titles it has and replace them with gross videos.
|
# ? Feb 20, 2009 19:23 |
|
If you wanted a roundabout sort of damage control you could block FTP to/from any workstations that shouldn't need it. Doesn't do poo poo to the infection, but it should at least prevent them from chewing up your bandwidth and from potentially leaving your organization open to hosting illegal material even inadvertently. You could do this at your primary perimeter firewall, through Windows Firewall / GPO, IPSEC and netsh/GPO, or whatever.
|
# ? Feb 20, 2009 19:32 |
|
devmd01 posted:Thanks to the router having ssh all I had to do was talk my dad through downloading and running tightvnc server. I could take care of the rest through ssh tunneling, instead of talking him through things that would be a pain in the rear end to explain. That's nice, but did you know that you can connect from a VNC server (RealVNC at least) to a VNC client? That makes it possible to do VNC assistance even if the server is NAT/firewalled off. Look for "Listening VNC viewer" - and the "Add client" option on the server (right click the systray icon). (Of course, if an ssh server is already available, going through a tunnel, like you did, is probably easier and safer)
|
# ? Feb 20, 2009 19:44 |
|
Has anyone come across a virus that only has om.cmd on the root as its consistent file? It generates somewhat random names for its files, but it has some standbys it seems as I managed to find one other person, on a japanese website, with the same string and the symptoms. Installing Comodo was the only way I could get it flagged, but it still does its thing. Nothing else even sees it. It doesn't do anything apparent for awhile, but it gradually slows the computer down (seems over a week or so) as it downloads extra trojans then it completely fucks every program you try to run. I also have a nice little outbreak of this guy: http://www.threatexpert.com/report.aspx?md5=c320f2be780d60daa651aec2b47fda95 I just found out about a few minutes ago. Sophos has it listed as something it now protects against so hopefully I can take this thing down for all the machines instead of just wiping them like I did this current one. I may have around 40 people with this. gently caress you McAfee Enterprise!
|
# ? Feb 20, 2009 23:32 |
|
RusteJuxx posted:I also have a nice little outbreak of this guy: Our McAfee Enterprise just came up for renewal and the parent company is pitching a fit about the $2345 in licensing fees plus tax that it'll cost to renew for the first 2/3rds of our workstations that are due to expire soon. I don't have much hope that they'll use anything different, though -- the laptops I've seen walk in and out of our sites on the parent company's employees all have the little red M of despair in the notification area. Incidentally, Microsoft's malware blog just had a post that gave a nod to W32/Taterf -- the one in the threat report you linked -- for being persistent, aggressively polymorphic, and actively maintained. They also said that they can remove it at http://safety.live.com though you may run into problems if it's already moved into the position of pulling down trojans that their automation can't handle yet. If it's the one you're experiencing though, it very well might be a lot easier than you think. edit: Comprehensive information about Taterf, modifications it makes, file patterns, and whatnot here. Midelne fucked around with this message at 23:58 on Feb 20, 2009 |
# ? Feb 20, 2009 23:55 |
|
New Adobe Reader vuln: http://www.adobe.com/support/security/advisories/apsa09-01.html They say it won't be patched until March 11th. 205b fucked around with this message at 00:29 on Feb 21, 2009 |
# ? Feb 21, 2009 00:18 |
|
I saw this twice yesterday, and I've never seen it before - did a google search for something mundane (I think it was BBQ Chicken Recipes and NYU Protest), and the second result I clicked on took me to a page that was supposed to look like it was scanning my computer, and a dialog popped up that said my computer had spyware on it. I didn't give it permission to do anything, and I closed the site immediately, but is there any way I already got a virus? I'm running Windows XP SP3, and Firefox 3.0.6. I have Dreamweaver installed, but I don't think I have the pdf viewer - I use Foxit. I just searched for NYU Protest again, and it was the 3rd and 4th result. DO NOT CLICK THIS URL 2009022111.kajdoo.bee.pl/nyu_protest.html DO NOT CLICK THIS URL
|
# ? Feb 21, 2009 18:48 |
|
Man, these are fun. Had a user with THREE major viruses, each one only "activating" when I killed one. It was a Russian nesting doll made of failure. After close to six hours, I got the system to a point where everything appears clean and running fine, but Windows XP does stall for 2 minutes while loading the desktop. I couldn't for the life of me find out why. Since I'm a new hire and am running the Home/SOHO division of my troubleshooting company, I get to propose software for us to license for use. What's good and legal without being crazy-expensive, considering at this stage it's only a few cases a week if that? I've mostly been running with freeware tools sans "personal use only" clauses thus far.
|
# ? Feb 21, 2009 20:05 |
|
univbee posted:Man, these are fun. Had a user with THREE major viruses, each one only "activating" when I killed one. It was a Russian nesting doll made of failure. After close to six hours, I got the system to a point where everything appears clean and running fine, but Windows XP does stall for 2 minutes while loading the desktop. I couldn't for the life of me find out why. That pause can mean something that was supposed to load in winlogon.exe wasn't accessible. Often this is because the anti-virus software on that machine is blocking it. You might want to check winlogon-related registry keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and friends) for any suspicious DLLs that are trying to load.
|
# ? Feb 21, 2009 20:28 |
|
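Added example, not code from anyone in this thread: a Python triage script that reads a `reg export` dump and checks for the two registry tricks described above, macado's rogue "Backup" service that core services were re-pointed at through their DependOnService lists, and BillWh0re's suggestion to look through Winlogon\Notify for DLLs that should not be there. The sample export, the "sysnotify" package name and the baseline lists (expected service dependencies, stock XP Notify packages) are constructed or assumed by me; rebuild the baselines from a known-clean machine of the same build before trusting the output.

```python
"""Triage a `reg export` (REG 5 format) dump for two persistence tricks:
core services re-pointed at a rogue dependency, and unexpected Winlogon Notify DLLs."""
import re
from collections import defaultdict

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Core services the thread saw re-pointed at the rogue "Backup" service (lower-cased for matching).
CORE_SERVICES = {"lanmanworkstation", "lanmanserver", "eventlog", "spooler", "dnscache",
                 "eventsystem", "protectedstorage", "netlogon", "browser"}
# Dependencies those services normally have. ASSUMED baseline: rebuild it from a clean box.
EXPECTED_DEPS = {"rpcss", "tcpip", "lanmanworkstation", "lmhosts", "http", "samss", "afd", "netbt"}
# Winlogon Notify packages on a stock XP install and the DLL each loads. ASSUMED baseline.
KNOWN_NOTIFY = {"crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
                "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
                "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll"}

# CONSTRUCTED sample dump (not real data): a rogue "Backup" service that two core services now
# depend on, one untouched service, one stock Notify package and one unknown one.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Backup]
"DisplayName"="Backup"
"ImagePath"="c:\\windows\\system32\\sysrestore.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,61,00,63,00,6b,00,75,00,70,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DependOnService"=hex(7):42,00,61,00,63,00,6b,00,\
  75,00,70,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sysnotify]
"DLLName"="C:\\WINDOWS\\system32\\sysnotify.dll"
"""


def decode_value(raw):
    """Decode one REG 5 value: "string", dword:, hex(2): (REG_EXPAND_SZ), hex(7): (REG_MULTI_SZ)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)                      # bare "hex:" is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (2, 7):                               # UTF-16LE, NUL-separated, double-NUL terminated
            strings = [s for s in data.decode("utf-16-le", errors="replace").split("\x00") if s]
            return strings if kind == 7 else (strings[0] if strings else "")
        return data
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a REG 5 export (what `reg export` writes)."""
    keys, current, i = {}, None, 0
    lines = text.splitlines()
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\") and i < len(lines):   # long hex values wrap with a trailing backslash
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def subkeys_of(keys, parent):
    """Yield (subkey_name, values) for the direct children of parent; registry paths are case-insensitive."""
    prefix = parent.lower() + "\\"
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "\\" not in path[len(prefix):]:
            yield path[len(prefix):], values


def suspicious_dependencies(keys):
    """For every dependency of a core service that is not in the baseline, report which core
    services were pulled onto it and the ImagePath of the service they now depend on."""
    dependents, image_paths = defaultdict(list), {}
    for name, values in subkeys_of(keys, SERVICES_KEY):
        image_paths[name.lower()] = values.get("ImagePath", "<no ImagePath>")
        if name.lower() not in CORE_SERVICES:
            continue
        deps = values.get("DependOnService", [])
        for dep in ([deps] if isinstance(deps, str) else deps):
            if dep.lower() not in EXPECTED_DEPS:
                dependents[dep].append(name)
    return {dep: {"dependents": sorted(svcs),
                  "image_path": image_paths.get(dep.lower(), "<no such service key>")}
            for dep, svcs in dependents.items()}


def unknown_notify_dlls(keys):
    """Winlogon Notify packages whose DLLName is not the bare name the baseline expects."""
    return {pkg: str(values.get("DLLName", ""))
            for pkg, values in subkeys_of(keys, NOTIFY_KEY)
            if str(values.get("DLLName", "")).lower() != KNOWN_NOTIFY.get(pkg.lower())}


if __name__ == "__main__":
    # On a real box: reg export HKLM\SYSTEM\CurrentControlSet\Services dump.reg (UTF-16 output)
    parsed = parse_reg(SAMPLE_REG)
    for dep, info in suspicious_dependencies(parsed).items():
        print(f"core services {info['dependents']} now depend on {dep!r} -> {info['image_path']}")
    for pkg, dll in unknown_notify_dlls(parsed).items():
        print(f"unexpected Winlogon Notify package {pkg!r} loading {dll}")
```

Export both hives from the suspect machine (`reg export` writes UTF-16, so read the file with `encoding="utf-16"`), parse them, and run both checks; a service that several core services newly depend on, whose ImagePath is an unfamiliar binary in system32, is exactly the pattern described above. Because the rootkit also stripped the legitimate dependencies, compare the surviving DependOnService lists against a clean export of the same Windows build before repairing them.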
BillWh0re posted:That pause can mean something that was supposed to load in winlogon.exe wasn't accessible. Often this is because the anti-virus software on that machine is blocking it. You might want to check winlogon-related registry keys (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and friends) for any suspicious DLLs that are trying to load. Also, use CCleaner for registry cleaning goodness.
|
# ? Feb 21, 2009 20:43 |
|
Ranma4703 posted:is there any way I already got a virus? Sure. The XPAntivirus variants pop up a window that looks like a popup window but is actually an image of a popup window (i.e. there is not actually a Close/Red X button there, there's a picture of one) , and if you click on any part of it you're infected. Or for added fun if the webpage was genuinely hostile or compromised instead of just being stupid there could have been an invisible iframe in the page serving out literally anything. Basically, yes. You could have gotten a virus going to CNN.com these days. A shady site? More possible.
|
# ? Feb 22, 2009 07:36 |
|
What happened to Spybot and Ad-Aware for cleaning up poo poo on computers? Am I living in the past?
|
# ? Feb 22, 2009 08:42 |
|
Luk0r posted:What happened to Spybot and Ad-Aware for cleaning up poo poo on computers? Am I living in the past? I still use Spybot but more for the back end clean up than for the initial cleanup. It will find and allow you to fix security center overrides and that sort of thing that other programs do not find.
|
# ? Feb 23, 2009 16:12 |
|
brc64 posted:I once used some software years ago to make an image of my computer after installing everything. Then I tested it. Format to up and running in 20 minutes. Awesome! And then I realized how utterly useless it was going to be once I REALLY needed to use it. I also don't know why I keep a stash of installers around because I ALWAYS end up downloading a newer version (and keeping that around, for whatever reason) when I reformat. Heck yes. That's what I do. I don't even mess with removal. If I so much as suspect any minor breach, I just restore the image. And yes 20 minutes is absolutely sublime compared to a 1 hour scan. Really. E: with TrueImage I can fit my entire image on 1 burnt DVD. So I drop it in. Reboot. Set and done. F2B fucked around with this message at 16:51 on Feb 23, 2009 |
# ? Feb 23, 2009 16:48 |
|
Ranma4703 posted:I saw this twice yesterday, and I've never seen it before - did a google search for something mundane (I think it was BBQ Chicken Recipes and NYU Protest), and the second result I clicked on took me to a page that was supposed to look like it was scanning my computer, and a dialog popped up that said my computer had spyware on it. I didn't give it permission to do anything, and I closed the site immediately, but is there any way I already got a virus? I'm running Windows XP SP3, and Firefox 3.0.6. I have Dreamweaver installed, but I don't think I have the pdf viewer - I use Foxit. e: jesus christ, the thing does like 50 redirects. If your referrer isn't off a search engine, instead of redirecting you further, it'll document.write() a fake apache 404 page. Does some activex control poo poo, possibly an exploit, not sure: 6BF52A52-394A-11D3-B153-00C04F79FAA6 [jQuery1235412648121] ---- Does annoying poo poo like this, looks like a fake popup in-page (looks like it's using jquery.js, which is a compressed version, clean, of jquery): $(".file_scanner").html("Scan complete. 527 threats was found!"); ---- Attempts to download a file while playing a really annoying .wav repeatedly: [ebd@nexus ~]$ file download.php\?affid\=04802 download.php?affid=04802: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit Elected by Dogs fucked around with this message at 22:01 on Feb 23, 2009 |
# ? Feb 23, 2009 21:45 |
|
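Added example, not part of Elected by Dogs' notes above: the `file` call in that post identified download.php?affid=04802 as a 32-bit Windows PE even though the page was dressed up as a scanner download. This Python sniffer does the same identification by hand, walking MZ header, e_lfanew, PE signature, COFF header and optional header, and flags when the content contradicts what the page or Content-Type claimed. The PE header it tests against is constructed in code (a header-only stub, not a real sample); the "claimed" categories are my own labels.

```python
"""Content-based sniff of a downloaded payload: is it really a PDF, or a Windows PE?"""
import struct

MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def describe_pe(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header, as `file` does.
    Returns a description string, or None if the blob does not even start with MZ."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MS-DOS executable (no PE header)"
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0] if opt_size >= 2 and opt + 2 <= len(data) else 0
    # Subsystem sits at offset 68 in both the PE32 and the PE32+ optional header.
    subsystem = (struct.unpack_from("<H", data, opt + 68)[0]
                 if opt_size >= 70 and opt + 70 <= len(data) else 0)
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE")
    kind = "DLL" if chars & IMAGE_FILE_DLL else "executable"
    return f"{fmt} {kind} ({SUBSYSTEMS.get(subsystem, 'unknown subsystem')}) {MACHINES.get(machine, hex(machine))}"


def sniff(data, claimed=None):
    """Return (actual_type, mismatch): what the bytes are, and whether that contradicts the
    category the page or Content-Type claimed ("pdf" or "pe", labels assumed here)."""
    if data.startswith(b"%PDF-"):
        actual, category = "PDF document", "pdf"
    else:
        pe = describe_pe(data)
        actual, category = (pe, "pe") if pe else ("unknown", "unknown")
    return actual, claimed is not None and claimed != category


def build_sample_pe(machine=0x14C, subsystem=2, dll=False):
    """CONSTRUCTED header-only PE for testing (not a real sample, not loadable):
    64-byte DOS header, PE signature, 20-byte COFF header, zero-filled optional header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header right after the DOS header
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)      # IMAGE_FILE_EXECUTABLE_IMAGE (| IMAGE_FILE_DLL)
    pe32plus = machine in (0x8664, 0xAA64)
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(sniff(build_sample_pe(), claimed="pdf"))        # ('PE32 executable (GUI) Intel 80386', True)
```

Run it over whatever the fake scanner handed you (`sniff(open(path, "rb").read(), claimed="pdf")`); the name, extension and Content-Type are all under the attacker's control, the first bytes are not.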
I'm thinking it might not be a terrible idea to just edit my hosts file to point *.pl to 127.0.0.1 I really don't think I've ever needed to visit polish websites before, and I don't foresee it happening soon.
|
# ? Feb 23, 2009 21:55 |
|
Bonus points for Adobe: http://www.theregister.co.uk/2009/02/24/adobe_flash_vulnerability/
|
# ? Feb 25, 2009 01:48 |
|
liquidXenon posted:Bonus points for Adobe: http://www.theregister.co.uk/2009/02/24/adobe_flash_vulnerability/ Bonus points for Adobe Photoshop pirates: 127.0.0.1 whatever.host.adobe.uses.for.everything oh my god i get virus
|
# ? Feb 25, 2009 02:22 |
|
Stupid TDSserv. It doesn't use that driver anymore. And it doesn't use TDS in the file names anymore. It calls its dlls UAC*random characters*.dll. I didn't know Windows XP had UAC. And it doesn't let you run Malwarebytes in Win 2000 compatibility mode anymore (even if renamed). You have to do Windows NT 4.0. If they block NT, I'm hosed, because malwarebytes won't run under 98.
|
# ? Feb 25, 2009 03:39 |
|
Just curious but how many computers do you guys usually work on at a time? How many other people work with you, if any? For the record we work on anywhere between 10-30 computers at any given time with nine people that are mixed full time and part time.
|
# ? Feb 25, 2009 03:50 |
|
Elected by Dogs posted:Bonus points for Adobe Photoshop pirates: Yes, because activate.adobe.com is definitely the url they use to push updates And the fact that they aren't going to push a patch for it until March 11. Oh my god i get virus indeed
|
# ? Feb 25, 2009 03:52 |
|
Cojawfee posted:Stupid TDSserv. It doesn't use that driver anymore. And it doesn't use TDS in the file names anymore. It calls its dlls UAC*random characters*.dll. I didn't know Windows XP had UAC. We just cleaned this off a computer, System32 was packed with "UAC" files. It required renaming ComboFix and getting that off the ground before we could even get the computer to look at Malwarebytes or SuperAntiSpyware (malwarebytes wouldn't do anything, SAS crashed on run), but once Combofix did its thing, Malwarebytes cleaned it out to the point where SuperAntiSpyware only found a tracking cookie. Then we followed up with AntiVir which found something like 8 infected files to nuke...
|
# ? Feb 25, 2009 04:45 |
|
Thanks for the UAC*.dll update, a co-worker asked me 5 minutes before closing if a file called UACsomething was suspicious, and I said negative. I'll let him know tomorrow. Thanks again.
|
# ? Feb 25, 2009 09:12 |