1997
Jan 20, 2008

calmer than you are

liquidXenon posted:

I've definitely seen Dells with recovery partitions, although the installation media is probably the way to go if you have it.

I just did some digging and from what I see they are all hidden partitions, unmounted and accessible through Ctrl+F11. Learn something new every day.

Dell Support link here: http://support.dell.com/support/top...ng=&toggle=&dl=


GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

1997 posted:

I just did some digging and from what I see they are all hidden partitions, unmounted and accessible through Ctrl+F11. Learn something new every day.

Dell Support link here: http://support.dell.com/support/top...ng=&toggle=&dl=

The really old Dells came with CDs, but the newer ones come with recovery partitions on the primary drive. This one in particular is maybe a couple years old and it had a recovery partition and physical media. Maybe Dell has changed this recently to include both? Not sure, but I applaud the decision. As far as I recall, they used to only provide the recovery partition and no way to make media on your own. But yeah, on any recent Dell machine with Windows XP, you simply press Ctrl+F11 when you see a DOS window with a blue bar across the top that says Dell upon startup.

1997
Jan 20, 2008

calmer than you are
They are still including the discs and that page has instructions for Vista machines, this is going to come in handy. I can't believe nobody at work knows about this. We fail so bad.

cnrkb
Sep 29, 2008

The internet is
serious business

GREAT BOOK OF DICK posted:

Looks like I'm dealing with Win32/Virut.NBM on my aunt's PC. She said she was searching Craigslist for things to buy and she opened a link on there that probably infected her. At least she came forward and admitted that she's been using McAfee and it's since been expired for 2+ years.

You should set up OpenDNS on her computer. That might help her out in a future situation - particularly if she doesn't update her AV.

As for fixing it, sounds like you should salvage what you can, before it's too late.

Otacon
Aug 13, 2002


Virut is NASTY.

Every .EXE, every .HTML file - all are probably infected by now. Any removable media that's been connected? USB drives? The camera's SD cards? All infected using an autorun.ini file.

Here's your game plan - remove the drive, install it in your own computer. Use Knoppix, or another CD-based Linux OS. Recover ONLY *.jpg, *.doc, and if she uses Outlook, any *.pst or *.wab files. After you get those files, format the drive. Don't keep the Dell partitions, don't keep anything. It's infected. After you format, mount her USB sticks and SD cards. Format those, too. Reboot, remove the drives, and install the hard drive back into the Dell. Pop in a Dell Recovery CD, and return the computer to factory settings.

All in all you're looking at about 1-2 hours - possibly longer depending on how much searching you have to do for your aunt's files. But don't even try to resurrect the drive - it's too late.

Virut is NASTY.
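The salvage step in the game plan above (boot a live Linux, take only documents and pictures, never anything executable) as an added shell example; it is not code from the thread. In real use the source would be the drive mounted read-only and noexec from the live CD (for example `mount -o ro,noexec,nodev /dev/sda1 /mnt/infected`); here a constructed directory tree stands in for it so the script runs offline, and the extension list is an assumption based on the jpg/doc/pst/wab mentioned above.

```bash
#!/bin/sh
# Added example, not from the thread. Selective recovery of data files from a
# volume that is assumed to be fully infected: copy only non-executable
# document and picture types, keep relative paths, and write a hash manifest
# so the copied set can be re-verified later.

set -eu

# Extensions worth carrying over: data only, never anything that can execute
# or carry a script. Assumed list, built from the jpg/doc/pst/wab in the post.
RECOVER_EXTS="jpg jpeg doc xls pst wab"

# recover_files SRC DST: copy matching files from SRC into DST, preserving
# the relative path, and append a SHA-256 line per copied file to a manifest.
recover_files() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    : > "$dst/MANIFEST.sha256"
    for ext in $RECOVER_EXTS; do
        # -iname because Windows file names are case-insensitive (PHOTO.JPG).
        find "$src" -type f -iname "*.$ext" -print | while IFS= read -r f; do
            rel="${f#"$src"/}"
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel"          # -p keeps the original timestamps
            sha256sum "$dst/$rel" >> "$dst/MANIFEST.sha256"
        done
    done
}

# count_recovered DST: number of files recorded in the manifest.
count_recovered() {
    wc -l < "$1/MANIFEST.sha256" | tr -d ' '
}

# --- constructed sample tree standing in for the infected volume -----------
make_sample() {
    root="$1"
    mkdir -p "$root/Documents and Settings/aunt/My Documents/My Pictures"
    mkdir -p "$root/WINDOWS/system32"
    printf 'fake jpeg bytes' > "$root/Documents and Settings/aunt/My Documents/My Pictures/Beach.JPG"
    printf 'fake doc bytes'  > "$root/Documents and Settings/aunt/My Documents/letter.doc"
    printf 'fake pst bytes'  > "$root/Documents and Settings/aunt/My Documents/outlook.pst"
    printf 'MZ placeholder'  > "$root/WINDOWS/system32/notepad.exe"   # must NOT be copied
    printf '[autorun]'       > "$root/autorun.inf"                    # must NOT be copied
}

# Usage (against a real read-only mount):
#   recover_files /mnt/infected /mnt/clean-usb/aunt-recovery
#   count_recovered /mnt/clean-usb/aunt-recovery
```

The point of the manifest is the same as the thread's advice about not trusting the old drive again: once the copy is made from a read-only, noexec mount, `sha256sum -c MANIFEST.sha256` on the destination proves nothing on the recovered set changed between the salvage and the reinstall.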

Push El Burrito
May 9, 2006

Soiled Meat
When XP Antivirus first came out there was a version that would pop up errors at you randomly.

This led to my favorite error message:



I had never in my life had a computer threaten me with terrorism.

BillWh0re
Aug 6, 2001


Otacon posted:

Virut is NASTY.

Every .EXE, every .HTML file - all are probably infected by now. Any removable media that's been connected? USB drives? The camera's SD cards? All infected using an autorun.ini file.

Here's your game plan - remove the drive, install it in your own computer. Use Knoppix, or another CD-based Linux OS. Recover ONLY *.jpg, *.doc, and if she uses Outlook, any *.pst or *.wab files. After you get those files, format the drive. Don't keep the Dell partitions, don't keep anything. It's infected. After you format, mount her USB sticks and SD cards. Format those, too. Reboot, remove the drives, and install the hard drive back into the Dell. Pop in a Dell Recovery CD, and return the computer to factory settings.

All in all you're looking at about 1-2 hours - possibly longer depending on how much searching you have to do for your aunt's files. But don't even try to resurrect the drive - it's too late.

Virut is NASTY.

To be honest nine out of ten times I've been able to disinfect it fine booting into safe mode and using a command line scanner. Occasionally it will trash an executable beyond repair and that'll have to be restored from backup. The key is to realise it's a fast infector, so once Virut is loaded in memory any file you open will become infected (or all the files in any folder you browse in explorer), and using some anti-virus scanners will result in everything they scan becoming infected (which might not be a problem if they get immediately disinfected). Booting into safe mode and stopping all the non-essential services allows almost everything to be scanned and disinfected, aside from maybe cmd.exe if you're using a command line scanner since it'll be running.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma

BillWh0re posted:

To be honest nine out of ten times I've been able to disinfect it fine booting into safe mode and using a command line scanner. Occasionally it will trash an executable beyond repair and that'll have to be restored from backup. The key is to realise it's a fast infector, so once Virut is loaded in memory any file you open will become infected (or all the files in any folder you browse in explorer), and using some anti-virus scanners will result in everything they scan becoming infected (which might not be a problem if they get immediately disinfected). Booting into safe mode and stopping all the non-essential services allows almost everything to be scanned and disinfected, aside from maybe cmd.exe if you're using a command line scanner since it'll be running.

Yeah it was pretty much too late in this situation. She had initially called me saying "Internet Explorer keeps crashing when I try to open it." We had agreed to leave the machine off and I would come retrieve it. She called back again saying she started the machine back up and now it just has a blue screen. It was caught in an infinite BSOD loop at that point so I could only presume it was either a fake, or the virus had infected an important .exe file.

Thanks for the heads up on the removable media, Otacon. I had a feeling it was an autorun type of virus but I didn't know the extent of the infection. I'll have to make sure she's formatted any of her camera cards and so forth.

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug

Otacon posted:

Virut is NASTY.

Every .EXE, every .HTML file - all are probably infected by now. Any removable media that's been connected? USB drives? The camera's SD cards? All infected using an autorun.ini file.

Here's your game plan - remove the drive, install it in your own computer. Use Knoppix, or another CD-based Linux OS. Recover ONLY *.jpg, *.doc, and if she uses Outlook, any *.pst or *.wab files. After you get those files, format the drive. Don't keep the Dell partitions, don't keep anything. It's infected. After you format, mount her USB sticks and SD cards. Format those, too. Reboot, remove the drives, and install the hard drive back into the Dell. Pop in a Dell Recovery CD, and return the computer to factory settings.

All in all you're looking at about 1-2 hours - possibly longer depending on how much searching you have to do for your aunt's files. But don't even try to resurrect the drive - it's too late.

Virut is NASTY.

drat, that does sound nasty. What's the point of it? Is it somehow profitable to its creators or did some jackass write it for kicks?

Zwabu
Aug 7, 2006

Ensign Expendable posted:

drat, that does sound nasty. What's the point of it? Is it somehow profitable to its creators or did some jackass write it for kicks?

Well even the "trashes your poo poo just for kicks" type is profitable... to McAfee and Norton... :tinfoil:

Otacon
Aug 13, 2002


GREAT BOOK OF DICK posted:

Yeah it was pretty much too late in this situation. She had initially called me saying "Internet Explorer keeps crashing when I try to open it." We had agreed to leave the machine off and I would come retrieve it. She called back again saying she started the machine back up and now it just has a blue screen. It was caught in an infinite BSOD loop at that point so I could only presume it was either a fake, or the virus had infected an important .exe file.

Thanks for the heads up on the removable media, Otacon. I had a feeling it was an autorun type of virus but I didn't know the extent of the infection. I'll have to make sure she's formatted any of her camera cards and so forth.

You're welcome.

I had a number of stock WinXP EXEs on my thumb drive - keyword had - because it turned them all to infected swiss cheese. MSCONFIG? Infected. Notepad.exe? Infected. Explorer.exe, winlogon.exe, userinit.exe? Infected. But, it also goes after other EXEs - Smitfraud? Infected. Catchme.exe? Infected. Hijackthis? Infected.

It seems to only go after EXEs that are under a certain filesize - in the same folder as a number of the apps were also installers for MalwareBytes, SuperANTISpyware, CCleaner, etc - all of those were untouched.

That however is definitely one virus the author must be very proud of - Combofix doesn't work on it because once explorer, userinit, and winlogon are infected, you're SOL - no possibility of safe removal. It even ENJOYS repair installs.

Long story short - when I see virut at work, I call the customer immediately and tell them the only thing we can do at this point is salvage their DOCs and Pictures, and restart from scratch. Two hours of CAREFUL file backup and a Windows install is a lot more productive than six to eight hours of cursing and repair installs and running Combofix 17 times.

Like was said earlier - if it's a relatively new infection, you stand a fighting chance - but honestly - how often do customers/family call you the day that these things happen? Never. They ignore it until the computer refuses to boot, at which point they call you. By then, it is far too late.

Good luck again!

Otacon fucked around with this message at 03:21 on Apr 7, 2009

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
But I have Norton

Push El Burrito
May 9, 2006

Soiled Meat

Cojawfee posted:

But I have Norton

By Symnatech.

BillWh0re
Aug 6, 2001


Ensign Expendable posted:

drat, that does sound nasty. What's the point of it? Is it somehow profitable to its creators or did some jackass write it for kicks?

The Virut family are all IRC backdoors.

brc64
Mar 21, 2008

I wear my sunglasses at night.

BillWh0re posted:

The Virut family are all IRC backdoors.

Maybe I don't understand what you're saying here. Isn't the point of a backdoor to give yourself covert access to a system? If that's the case, why start breaking other stuff and increase your chances of getting noticed?

BillWh0re
Aug 6, 2001


brc64 posted:

Maybe I don't understand what you're saying here. Isn't the point of a backdoor to give yourself covert access to a system? If that's the case, why start breaking other stuff and increase your chances of getting noticed?

The breaking stuff is accidental, as a result of the infection code being so randomized. It's probably a price worth paying for the authors as sometimes the infection code fucks up in a way that allows the file to run but is still weird enough that anti-virus programs can't properly disinfect it. In fact the infection code in Virut is so stupid that it actually tries to infect AMD64 executables with 32-bit code since it doesn't check the platform of the PE file it's infecting -- this misinfected file actually runs briefly until it hits a stack operation where having an (unexpected) 8-byte stack causes it to crash.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

Otacon posted:

VIRUT

You haven't even begun to scratch the surface of how unbelievably evil this virus is.

It injects itself into key files in the i386 folder and waits. If something changes to a file in the windows system folder and windows system file protection determines that it is compromised and needs to be re-expanded then *boom* the payload is executed and begins to run rampant on the computer.

I actually find virut on 2/3 of infected machines, it just turns out that it is hiding in the i386 folder waiting for its moment. However, at this point it is easily dealt with.

I noticed this a couple of weeks ago and was shocked at the sneakiness of this motherfucker. God damned evil genius that author is.

Also, I completely agree that once a system has virut running on it, you're hosed. Boot to a live disk and get what you need. NEVER BOOT INTO WINDOWS AGAIN TO RECOVER FILES. VIRUT IS LIKE THE EBOLA OF COMPUTER VIRUSES. YOU WILL UNWITTINGLY INFECT ALL YOUR OTHER COMPUTERS. Reformat and cut your losses.

parasyte
Aug 13, 2003

Nobody wants to die except the suicides. They're no fun.

abominable fricke posted:

You haven't even begun to scratch the surface of how unbelievably evil this virus is.

It injects itself into key files in the i386 folder and waits. If something changes to a file in the windows system folder and windows system file protection determines that it is compromised and needs to be re-expanded then *boom* the payload is executed and begins to run rampant on the computer.

I actually find virut on 2/3 of infected machines, it just turns out that it is hiding in the i386 folder waiting for its moment. However, at this point it is easily dealt with.

I noticed this a couple of weeks ago and was shocked at the sneakiness of this motherfucker. God damned evil genius that author is.

I work at a computer shop and I ran into virut for the first time this weekend. God drat that fucker. Even running from a booted PE disk and trying to run a couple of the command-line Virut disinfectors did nothing, they didn't so much as find one infected file even though they were all loving infected. It was the first time in quite a while that I've had to give up on an install because of some malware; usually we just get WinAntivirus variants in and those are reasonably easy to remove once I've dealt with the TDSS and UAC random DLL and sys files.

Cedra
Jul 23, 2007
Is there a decent and up to date LiveCD virus scanner? My paranoia mode is kicking in and I just want to make sure my drive is clean from an external scanner. I don't feel like taking the drive out and hotplugging it in for fear of breaking the drive through bumps or shakes or whatever. :tinfoil:

Zwabu
Aug 7, 2006

parasyte posted:

I work at a computer shop and I ran into virut for the first time this weekend. God drat that fucker. Even running from a booted PE disk and trying to run a couple of the command-line Virut disinfectors did nothing, they didn't so much as find one infected file even though they were all loving infected. It was the first time in quite a while that I've had to give up on an install because of some malware; usually we just get WinAntivirus variants in and those are reasonably easy to remove once I've dealt with the TDSS and UAC random DLL and sys files.

What is the best way to detect a Virut infection?

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

Zwabu posted:

What is the best way to detect a Virut infection?

Eset online scanner will find it, and so will dr.web

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
SANS reports the spread of an actual payload to Conficker-infected machines using the P2P mechanism. Purported to be a keylogger/data-miner.

edit:

The Register has more details. Appears to be talking to W32.Waledac sites, speculation is that Conficker would be used to compound infections with W32.Waledac. For those of you following along at home, this would mean a lot more spam.

Midelne fucked around with this message at 16:47 on Apr 9, 2009

chizad
Jul 9, 2001

'Cus we find ourselves in the same old mess
Singin' drunken lullabies

Cedra posted:

Is there a decent and up to date LiveCD virus scanner? My paranoia mode is kicking in and I just want to make sure my drive is clean from an external scanner. I don't feel like taking the drive out and hotplugging it in for fear of breaking the drive through bumps or shakes or whatever. :tinfoil:

I've had some good luck with the F-secure rescue CD.

parasyte
Aug 13, 2003

Nobody wants to die except the suicides. They're no fun.

chizad posted:

I've had some good luck with the F-secure rescue CD.

This is excellent, though slower than most. I use it frequently.
Also Trinity Rescue Kit can update and run AVG, BitDefender, F-Prot, and Vexira and I use that frequently as well.

BillWh0re
Aug 6, 2001


Midelne posted:

SANS reports the spread of an actual payload to Conficker-infected machines using the P2P mechanism. Purported to be a keylogger/data-miner.

edit:

The Register has more details. Appears to be talking to W32.Waledac sites, speculation is that Conficker would be used to compound infections with W32.Waledac. For those of you following along at home, this would mean a lot more spam.

Important to note that the Waledac link is just from a Conficker-infected machine being seen to contact a site that was known to host Waledac and be used as a link in spam emails. No one has statically analysed the new Conficker yet to determine a definite link. It might well be that the download occurred as a result not of the Conficker update but one of the "mini updates" that can be pushed out over the Conficker P2P botnet -- small chunks of essentially shellcode that just runs and exits and is erased from the computer after 10 minutes, making it really hard to capture and analyse.

From static analysis I haven't seen anything yet to suggest keylogger though the use of MS08-067 to spread has returned as well as a significant amount of HTTP client and server code that may or may not be related (the original use of MS08-067 in Conficker used an HTTP server running on the attacker to download the payload to the victim).

Aside from that the main thing it drops is an update to the Conficker DLL, which is Conficker.C with some changes (process and domain block list updated, domain call-home code apparently completely removed or effectively obfuscated from quick analysis, NetpwCanonicalizePath hook updated to avoid network scanning from the likes of nmap). Also has an embedded sys file that it drops and loads as a driver, but this is exactly the same as the one from Conficker.B -- it just patches tcpip.sys to increase max connections then exits, no rootkit functionality at all.

Also releasing this at the last minute before Easter is really smart. All the virus analysts are going to be at home, most places will be running with a skeleton crew.

BillWh0re fucked around with this message at 21:53 on Apr 9, 2009

Seat Safety Switch
May 27, 2008

MY RELIGION IS THE SMALL BLOCK V8 AND COMMANDMENTS ONE THROUGH TEN ARE NEVER LIFT.

Pillbug
F-Secure says this latest strain will destroy itself on May 3, 2009.

Like I said, these guys are pretty smart - the patch to remove previously exposed vulnerabilities indicates that they're spending some serious effort to keep it intact, along with their very sophisticated peer-to-peer payload system. This part, though, I can't figure out.

Best I can think of is that they plan to release another strain in the future and they don't want this current one conflicting with it. I thought maybe they were trying to wipe it to cover their tracks or show that it was a prank, but it doesn't look like the new version (E) will replace the old (C) version, so past May the prior (<= C) infections will still exist.

This is really fascinating.

FuzzySlippers
Feb 6, 2009

I noticed some talk about PDF exploits earlier in the thread, I've run into sudden GPFs from acroread32 from web sites seemingly without any pdf content. Is that connected to the pdf exploits?

BillWh0re
Aug 6, 2001


Patchfoot posted:

I noticed some talk about PDF exploits earlier in the thread, I've run into sudden GPFs from acroread32 from web sites seemingly without any pdf content. Is that connected to the pdf exploits?

Yes and it generally means the exploit was successful though it might not have managed to download any malware. Websites can embed PDFs (I think they just open them in an iframe or something) and this can even happen on legitimate sites if they get owned via SQL injection or somesuch.

Nybble
Jun 28, 2008

praise chuck, raise heck
Our university was just hit by Conficker this morning. We have isolated the file and I'm attempting to infect one of our test computers as a test case. I was just wondering if anyone had any advice on the issue or what you have all run into with Conficker. This thing locked out half of our accounts and is turning into a nightmare.

MeestarK
Aug 12, 2004
Its cold outside
What's the best way to keep my flash drive full of tools used for cleaning systems from getting infected with machines that have malware designed to infect flash drives as well? I figured maybe creating an empty, read-only autorun.ini to prevent that from getting copied over, but anyone have any other ideas?

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
Some flash drives have a write-protect switch like SD cards do, which is pretty useful for things like that.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Nybble posted:

Our university was just hit by Conficker this morning. We have isolated the file and I'm attempting to infect one of our test computers as a test case. I was just wondering if anyone had any advice on the issue or what you have all run into with Conficker. This thing locked out half of our accounts and is turning into a nightmare.

Fixing Conficker is pretty much the same as fixing any other widespread infection at this point, now that antivirus signatures have caught up to it. Determine the scope of infection. Partition off machines, disinfect, repeat. If you're significantly compromised on any given machine, reimage and move on. If you don't have an imaging procedure in place, take this as an opportunity to recommend that your organization develop one.

When the dust clears, find out how this happened. Are your Windows systems not being updated? Is antivirus deployment spotty? Are the antivirus clients in place not updating? Are users running as administrators when they should be running as normal users?

repeater
Dec 21, 2001

"Choo-Choo"
The Hurkey Jerkey Dancer

parasyte posted:

I work at a computer shop and I ran into virut for the first time this weekend. God drat that fucker. Even running from a booted PE disk and trying to run a couple of the command-line Virut disinfectors did nothing, they didn't so much as find one infected file even though they were all loving infected. It was the first time in quite a while that I've had to give up on an install because of some malware; usually we just get WinAntivirus variants in and those are reasonably easy to remove once I've dealt with the TDSS and UAC random DLL and sys files.

I've been cleaning off machines for about 15 years now and that is how I got my start in computers (luckily don't have to do that as my job anymore, can't imagine doing it now with how annoying this poo poo is) - and I've never met an infection as frustrating as the Virut/Vundo variants. I watched two people at work get it on Friday just from drive-by ads and they were 100% up to date with all system patches and were running the (unfortunately mandatory in our shop) Trend Micro suite. But still, goddamn. Both people were super anal security devs who don't ever click anything they shouldn't and know how to smell a fishy site a mile away. My friend who got it has also never had a virus before and doesn't do anything obviously dumb with his machine.

I can't decide if it is insanely clever or just aggressive and badly coded. Perhaps both? I had to flatten and re-install his box and won't let any of the old files touch the new install yet, have been stuck re-scanning and pruning files off his old drive via Trinity Rescue Kit.

ClamAV, AVG and F-Prot found the handful of obvious files that contained nothing more than the Virut/Vundo payloads. Because I had read about how it mutates and spreads to any available exe/scr/htm/html/php/zip/etc file I didn't trust the scans and hit it with BitDefender, which I never really use.

Every single goddamned exe and scr file (and a decent chunk of zips and html files too) on that machine were infected, and clam and avg didn't make a peep. That scares the poo poo out of me, and I didn't think anything like this would. The whole point of me helping him out is that he has half of our recording sessions sitting on his external, and I am scared shitless of pulling those files over on to my machine.

So yea, as the above posters were saying - consider the entire box infected and just blow away every file that isn't a raw document. After pruning like 80% of the files off all the data drives the number of infections went from around 5000 to about 3 (misnamed exes that Vundo still managed to find and infect that were easy to prune by hand, etc).

I really wish he had just yanked the power like I had asked him to instead of paying a company for virus removal services. They gave it back after a few days still infected and said that nobody on their staff could kill it. Still charged him though, of course.

Even ComboFix failed to nail it when the shop tried that, which completely blows my mind.

Oh and sidenote, the virusscan script in TRK is kinda busted right now which sucks because that is one of my favorite utilities on there (maintainer is working on it). It will still log and detect everything it can for the scanner you selected, but it silently errors out and bails on the disinfect/pruning stage if the list of infected files is too huge due to a shell limitation. Which, with this Vundo poo poo, is pretty much guaranteed to be the case.

(Also, I finally donated to the TRK project because of this nightmare and how many times TRK has saved my rear end, everyone should seriously have a copy of that on hand at all times if not just for the dd_rescue wrapper scripts)

repeater fucked around with this message at 02:59 on Apr 20, 2009
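The "list of infected files is too huge" failure described in the sidenote above is the classic way a rescue script dies: expanding thousands of paths onto one command line blows past the kernel's argument-length limit (ARG_MAX) and the shell aborts with "Argument list too long". The following added shell example, which is not TRK's script or anything from the thread, shows a pruning stage that reads the scanner log one line at a time so the list never becomes a command line at all. The log format is a constructed stand-in, not a real scanner's output.

```bash
#!/bin/sh
# Added example, not from TRK or the thread. Quarantine every file a scanner
# log flags, without building a giant argument list.
#
# The fragile pattern (illustration only, do not use):
#   mv $(grep FOUND scan.log | cut -d: -f1) /quarantine/
# With a few thousand hits the expanded line exceeds ARG_MAX and the shell
# bails out, which is the silent failure the post describes. A while-read
# loop processes one path per iteration and has no such limit.

set -eu

# quarantine_from_log LOG QDIR: move every path flagged FOUND into QDIR,
# recreating the original directory tree under it so nothing collides, and
# record each move. Prints the number of files quarantined.
quarantine_from_log() {
    log="$1"; qdir="$2"
    mkdir -p "$qdir"
    : > "$qdir/moved.list"
    # Constructed log line format:  /path/to/file.exe: FOUND Win32.Sample
    grep ': FOUND ' "$log" | while IFS= read -r line; do
        path="${line%: FOUND *}"          # strip the verdict, keep the path
        [ -f "$path" ] || continue         # already gone or a malformed line
        dest="$qdir/${path#/}"
        mkdir -p "$(dirname "$dest")"
        mv "$path" "$dest"
        printf '%s\n' "$path" >> "$qdir/moved.list"
    done
    wc -l < "$qdir/moved.list" | tr -d ' '
}

# --- constructed sample: many flagged files, one clean file ----------------
make_sample_scan() {
    root="$1"; log="$2"; n="$3"
    mkdir -p "$root/Program Files/tools"
    : > "$log"
    i=1
    while [ "$i" -le "$n" ]; do
        f="$root/Program Files/tools/tool$i.exe"
        printf 'MZ' > "$f"                                  # placeholder bytes
        printf '%s: FOUND Win32.Sample\n' "$f" >> "$log"
        i=$((i + 1))
    done
    # a clean file, which must stay where it is
    printf 'hello' > "$root/Program Files/tools/readme.txt"
    printf '%s: OK\n' "$root/Program Files/tools/readme.txt" >> "$log"
}

# Usage against a real scan of a mounted drive:
#   quarantine_from_log /root/scan.log /mnt/quarantine
```

Moving rather than deleting keeps the option of restoring a false positive, and keeping the original tree under the quarantine directory means two `setup.exe` files from different folders cannot overwrite each other. The same one-line-at-a-time rule applies to any scanner output you feed to `cp`, `rm` or a disinfector.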

mischief
Jun 3, 2003
Just chipping in to say I failed miserably trying to save my wife's desktop from Virut. I've never been unable to resolve a computer issue quite so spectacularly. That is a seriously tenacious little fucker, even trying multiple command line AVs from safe mode and all the other standard approaches was fruitless. One exe somewhere always snuck by or couldn't be cleaned, and then it all started over again. I ended up mounting the drive in knoppix and pulling our pictures off of it and then completely reinstalling XP.

The computer was running a fully patched XP and NOD32 4.0.314.0

My faith in NOD32 is seriously jilted, and I am seriously impressed/pissed off with the creator(s) of that bastard.

cnrkb
Sep 29, 2008

The internet is
serious business

repeater posted:

I've been cleaning off machines for about 15 years now and that is how I got my start in computers (luckily don't have to do that as my job anymore, can't imagine doing it now with how annoying this poo poo is) - and I've never met an infection as frustrating as the Virut/Vundo variants. I watched two people at work get it on Friday just from drive-by ads and they were 100% up to date with all system patches and were running the (unfortunately mandatory in our shop) Trend Micro suite. But still, goddamn. Both people were super anal security devs who don't ever click anything they shouldn't and know how to smell a fishy site a mile away.

Did they use OpenDNS?

Stanley Pain
Jun 16, 2001

by Fluffdaddy

mischief posted:

Just chipping in to say I failed miserably trying to save my wife's desktop from Virut. I've never been unable to resolve a computer issue quite so spectacularly. That is a seriously tenacious little fucker, even trying multiple command line AVs from safe mode and all the other standard approaches was fruitless. One exe somewhere always snuck by or couldn't be cleaned, and then it all started over again. I ended up mounting the drive in knoppix and pulling our pictures off of it and then completely reinstalling XP.

The computer was running a fully patched XP and NOD32 4.0.314.0

My faith in NOD32 is seriously jilted, and I am seriously impressed/pissed off with the creator(s) of that bastard.

Did you have NOD32's heuristics set to max and the option of "unwanted programs" checked off?

Cedra
Jul 23, 2007
So uh, how do you guys know that Virut is on your machine? I'm reading a couple of write ups from AV vendors like Symantec (useless) to McAfee (slightly more informative, but barely) and there appears to be little information about obvious symptoms. Are your .exes failing to execute? Are you using something like IceSword to see what TCP connections are open?

Additionally, does it try and hide from AV or is the mass infection a big neon sign for AV to sound the sirens? I'm running the latest Avast! here, but I don't know if it's compromised or not, what with all this .exe infection poo poo.

Cedra fucked around with this message at 15:20 on Apr 20, 2009

parasyte
Aug 13, 2003

Nobody wants to die except the suicides. They're no fun.

Cedra posted:

So uh, how do you guys know that Virut is on your machine? I'm reading a couple of write ups from AV vendors like Symantec (useless) to McAfee (slightly more informative, but barely) and there appears to be little information about obvious symptoms. Are your .exes failing to execute? Are you using something like IceSword to see what TCP connections are open?

I found it on one customer's machine by deciding to upload one of the randomly-named files to virustotal.com because they just would not stop being made. That ended up being my first tip to Virut and what it does.

mischief
Jun 3, 2003

Cedra posted:

So uh, how do you guys know that Virut is on your machine? I'm reading a couple of write ups from AV vendors like Symantec (useless) to McAfee (slightly more informative, but barely) and there appears to be little information about obvious symptoms. Are your .exes failing to execute? Are you using something like IceSword to see what TCP connections are open?

I noticed it on hers because Ad Muncher failed its CRC check and shut itself off after getting infected. From that point on it was like trying to walk off of a floor covered in something sticky. Everything you did just made the mess worse.

Stanley Pain posted:

Did you have NOD32's heuristics set to max and the option of "unwanted programs" checked off?

I did not, but I do now! I think I just got complacent, honestly. I hadn't had a virus since Michelangelo so I was probably a little lax.
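Two things in this thread point the same way: the question earlier about keeping a flash drive of cleaning tools from being infected by the machines it is plugged into, and the observation just above that Ad Muncher's own CRC self-check is what revealed the infection. A hash manifest for the tool drive gives every tool that same self-check. The following added shell example is not from the thread; the drive path is an assumption and a constructed directory stands in for the flash drive so it runs offline. The manifest is kept off the drive, because a manifest stored on the drive could be rewritten along with the tools.

```bash
#!/bin/sh
# Added example, not from the thread. Seal a tools drive with a SHA-256
# manifest and verify it before use: any tool that has been patched in place
# and any file that has appeared since sealing (an autorun.inf, for instance)
# fails the check. The manifest path must be absolute and off the drive.

set -eu

# seal_tools DRIVE MANIFEST: record a SHA-256 for every file on the drive,
# with paths relative to the drive root so the check works on any mount point.
seal_tools() {
    drive="$1"; manifest="$2"
    ( cd "$drive" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done ) > "$manifest"
}

# verify_tools DRIVE MANIFEST: return 0 only if every listed file still has
# its recorded hash AND no unlisted file exists on the drive.
verify_tools() {
    drive="$1"; manifest="$2"
    # 1. Known files unchanged? sha256sum -c fails on any mismatch or missing file.
    ( cd "$drive" && sha256sum --quiet -c "$manifest" ) || return 1
    # 2. Nothing added? Compare the current file list with the sealed one.
    #    A sha256sum line is 64 hex chars, two spaces, then the path.
    ( cd "$drive" && find . -type f | LC_ALL=C sort ) > "$manifest.now"
    cut -c67- "$manifest" | LC_ALL=C sort > "$manifest.expected"
    if cmp -s "$manifest.expected" "$manifest.now"; then rc=0; else rc=1; fi
    rm -f "$manifest.expected" "$manifest.now"
    return $rc
}

# --- constructed sample drive -----------------------------------------------
make_tools_drive() {
    d="$1"
    mkdir -p "$d/tools"
    printf 'MZ placeholder hijackthis' > "$d/tools/HijackThis.exe"
    printf 'MZ placeholder mbam'       > "$d/tools/mbam-setup.exe"
    printf 'notes'                     > "$d/tools/README.txt"
}

# tamper_drive DRIVE: what plugging into an infected host can do to the
# drive, modelled inertly: one tool modified in place, one file added.
tamper_drive() {
    d="$1"
    printf ' patched' >> "$d/tools/HijackThis.exe"
    printf '[autorun]\n' > "$d/autorun.inf"
}

# Usage: seal once on a known-clean machine, verify before every use.
#   seal_tools /media/tools /root/tools-manifest.sha256
#   verify_tools /media/tools /root/tools-manifest.sha256 && echo "drive clean"
```

The hardware write-protect switch suggested earlier is the stronger control where the drive has one; the manifest is the fallback for drives that do not, and it also answers the "how do you know?" question above for the one set of executables you actually control.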


Stanley Pain
Jun 16, 2001

by Fluffdaddy

mischief posted:

I did not, but I do now! I think I just got complacent, honestly. I hadn't had a virus since Michelangelo so I was probably a little lax.

Yeah, it's good to crank the heuristics into the paranoid levels. I'll take the slight increase in FPs.
