|
What do false positives tend to be, out of curiosity? Are they usually easy to spot as false?
|
#
?
Apr 20, 2009 17:27
|
|
|
|
| # ? Apr 27, 2024 09:32 |
|
|
Customer Service posted:What do false positives tend to be, out of curiosity? Are they usually easy to spot as false? They tend to get tripped up on .exe compressors, and oddly enough .TIFF files on my computer (Using Avira). If you download something from download.com, or another well known software repository, chances are you're safe. If you just downloaded a keygen from getyourcrackhere.ru or something like that, I wouldn't trust it.
|
|
#
?
Apr 20, 2009 17:29
|
|
|
I think I came pretty close to getting rid of Virut the other week. I scanned and cleaned using UBCD4Win with the Sophos plugin which cleaned over 1,300 infected files and deleted a few it could not clean. I was still able to load Windows and get into this persons profile fine after this. I then tried to install XP SP3 but it gave a message Access Denied so I Reset the registry and the file permissions (method 1) and it allowed it to install. The only thing wrong at this point was all the networking components were broken (AFD, TCP/IP etc in device manager non plug and play drivers all showed yellow exclamation mark) I was going to run sfc with the Windows disk to repair these but they could not produce this so I ended up just using the restore partition to flatten and reinstall. I think it is just down to the luck of the draw which exe's are infected and/or corrupted.
|
|
#
?
Apr 20, 2009 17:40
|
|
|
averagebloke posted:I think I came pretty close to getting rid of Virut the other week. I scanned and cleaned using UBCD4Win with the Sophos plugin which cleaned over 1,300 infected files and deleted a few it could not clean. I was still able to load Windows and get into this persons profile fine after this. Don't worry - virut will be back in full swing on your machine within the week.
|
|
#
?
Apr 20, 2009 23:49
|
|
|
Zuffox posted:Did they use OpenDNS? At home I run my own caching DNS server from back when I was on dial-up, and even though I don't really have a reason to anymore I stick with it these days out of habit. I don't do a whole ton of blocking on there but killing the handful of major ad networks and blocking .ru domains has been nice in this climate. There have been a few times when I have looked at the logs after getting a funny feeling and see it trying to hit some obviously funky site that would have nailed me. parasyte posted:I found it on one customer's machine by deciding to upload one of the randomly-named files to virustotal.com because they just would not stop being made. That ended up being my first tip to Virut and what it does. This. My friend started asking about a bunch of oddly named processes, files showing up everywhere and his machine just absolutely crawling. Doing random google searches for what he was seeing always lead back to Vundo/Virut. He was also able to scan for it and got confirmation that it was there, but every scanner he tried would get shut down or crippled before he could repair the files. For the work one, Trend Micro actually alerted on Virut but by the time the alert popped up the suite was hung and stuck with the alert window open and unkillable (hah). On all of them I have seen "reader_s.exe" as a running process, and that was the only file that ClamAV and AVG alerted on when I scanned via TRK. Good times. EDIT: Oh and I finished cleaning the machine off and plugging back in the cleaned off drives yesterday. Not a sign of it in sight and the thing is running like a champ. Blowing away every infectable file and leaving behind just the documents with a "sorry man you will just have to start over on some stuff" was the only way. Only machine I have not been able to bring back to life. Otacon posted:Don't worry - virut will be back in full swing on your machine within the week. repeater fucked around with this message at 00:15 on Apr 21, 2009 |
|
#
?
Apr 20, 2009 23:50
|
|
|
Aaaaand pretty sure my gaming box has it now as well. That's where I dumped the pictures from the first computer infected. I was really, really cautious about what I transferred and thought it was all pretty sanitized. I first noticed the system clock resetting to 2003 and got worried, and then the random connections to .pl sites started and Ad Muncher failed the CRC check. Please note that this was with NOD32 "set to 11" so to speak, and it still hasn't actually alarmed for having the virus... It's kind of frustrating when the user can detect the virus before the anti-virus.  It's powered down in the corner waiting for the Knoppix treatment. Good times! drat shame for Time Warner here in Greensboro, though, that'll be about 24 gigs of Steam games downloaded tomorrow putting that computer back together. Thank goodness they fixed that pricing idea. 
|
|
#
?
Apr 21, 2009 03:36
|
|
|
mischief posted:Aaaaand pretty sure my gaming box has it now as well. That's where I dumped the pictures from the first computer infected. I was really, really cautious about what I transferred and thought it was all pretty sanitized. I first noticed the system clock resetting to 2003 and got worried, and then the random connections to .pl sites started and Ad Muncher failed the CRC check. Please note that this was with NOD32 "set to 11" so to speak, and it still hasn't actually alarmed for having the virus... It's kind of frustrating when the user can detect the virus before the anti-virus. Yeah it seems Nod32 is really slipping these days. It seems a lot of machines with Nod32 are getting infected. I wonder how Avast!, Antivir and Kaspersky hold up.
|
|
#
?
Apr 21, 2009 06:04
|
|
|
All this talk makes me want to just get a cheap Netbook for the internet so none of this crap gets on my main computer  Especially since I use NOD32 and apparently it's no good anymore. Goddamnit and I just bought another 2 years on it...Okay, just how do these viruses get on someone's computer? Just from looking at infected sites or being dumb enough to download something weird? After that virus scare here with the banner ads, it really showed that even 'trusted' sites can have issues- but is it just through banner ads or is there some other way they can get through? So if you block all ads and all scripts, what other ways are there? Is there any extra ways you can really make sure you avoid this crap or is it really just a matter of time if you use the internet at all?
|
|
#
?
Apr 21, 2009 13:09
|
|
|
Customer Service posted:All this talk makes me want to just get a cheap Netbook for the internet so none of this crap gets on my main computer quote:Okay, just how do these viruses get on someone's computer? Just from looking at infected sites or being dumb enough to download something weird? After that virus scare here with the banner ads, it really showed that even 'trusted' sites can have issues- but is it just through banner ads or is there some other way they can get through? So if you block all ads and all scripts, what other ways are there? Is there any extra ways you can really make sure you avoid this crap or is it really just a matter of time if you use the internet at all? Not that it will probably protect you 100%. Therefore, do some bloody backups. Perhaps the occasional format (and subsequent backup restore) is better than living in a digital plastic bubble for the rest of your life.
|
|
#
?
Apr 21, 2009 13:29
|
|
|
Thanks  OpenDNS sounds useful, I'll have to look into that. Hopefully I can convince my dad to enable it for our router or something.I have extra internal and external hard drives for backup. But of course, internal ones would get any virus the main one did, and I worry about these viruses that aren't immediately detected- if I plugged in my external to backup and didn't realize it... yeah. THAT is what scares me, those sneaky sorts of viruses. But it does sound like the virut/vundo things start messing stuff up pretty quick to make themselves obvious at least. Small comfort.
|
|
#
?
Apr 21, 2009 13:42
|
|
|
New Vundo Behavior Yeah, you thought you were having fun before? Now there's a new Vundo variant that's replicating over mapped network drives.
|
|
#
?
Apr 23, 2009 18:00
|
|
|
Midelne posted:New Vundo Behavior Fun fact: our worst vundo-offending client shares a mapped drive on the server between all of the PCs. I don't quite get why that's a problem in this case, though... what is so bad about dropping a randomly named vundo DLL on a mapped drive? I mean, that's not going to magically infect anybody who uses that drive, is it?
|
|
#
?
Apr 23, 2009 18:11
|
|
|
brc64 posted:Fun fact: our worst vundo-offending client shares a mapped drive on the server between all of the PCs. Is it not dropping an autorun.inf there to? Otherwise that would be silly.
|
|
#
?
Apr 23, 2009 22:22
|
|
|
abominable fricke posted:Is it not dropping an autorun.inf there to? Otherwise that would be silly.
|
|
#
?
Apr 23, 2009 22:23
|
|
|
brc64 posted:I never thought about that... does Windows process autorun upon connection to a mapped drive? By default? Yes.
|
|
#
?
Apr 23, 2009 23:28
|
|
|
This makes me happier and happier that I made my disc with nlite and disabled autorun from the get go.
|
|
#
?
Apr 24, 2009 00:04
|
|
|
I think there was an update passed along by microsoft after sp3 that disables that function. If someone can substantiate this that would be great, I only say so because a lot of the machines I work on don't autorun anymore. With the advent of flash drives that can carry a payload this is (would be) a welcome change in my eyes.
|
|
#
?
Apr 25, 2009 02:03
|
|
|
Pre-SP3 machines can still have autorun disabled by downloading an update.
|
|
#
?
Apr 25, 2009 02:21
|
|
|
Ensign Expendable posted:Pre-SP3 machines can still have autorun disabled by downloading an update. Or you could use any of a number of registry value tweakers.
|
|
#
?
Apr 25, 2009 02:45
|
|
|
So I just restarted my computer and started hearing music coming out of my speakers. It was like this repeating electronic beat. Kind of remenicent hacker dick-waving music, like you would hear in a keygen or something of that nature. I ended as many proceses as I could before windows shut down on me but I wasn't able to stop it. After another restart, it's gone. Fun. Is this a surefire sign of a virus? Anyone encountered anything like this before? The next thing I do is going to be a scan obviously but I'm curious if anyone else has had experiences like this. It just kept repeating...
|
|
#
?
Apr 25, 2009 20:52
|
|
|
amirite posted:Is this a surefire sign of a virus? Anyone encountered anything like this before? The next thing I do is going to be a scan obviously but I'm curious if anyone else has had experiences like this. It just kept repeating... I don't know any PC viruses that do that offhand, but virus writers have been doing things like that since the olden days. quote:Name: Chopin Virus.
|
|
#
?
Apr 25, 2009 21:19
|
|
|
Luigi Thirty posted:I don't know any PC viruses that do that offhand, but virus writers have been doing things like that since the olden days. I want this virus.
|
|
#
?
Apr 26, 2009 02:44
|
|
|
GREAT BOOK OF DICK posted:I want this virus. Couldn't find it, but here's a ton of old viruses: http://cd.textfiles.com/thegreatunsorted/live_viruses/ Who else misses nice simple viruses? code:
|
|
#
?
Apr 26, 2009 03:39
|
|
|
If someone reworked that AIDS one it would cause more terror than conflicker.
|
|
#
?
Apr 28, 2009 10:28
|
|
|
What is the current Live CD of course for removing viruses and cleaning up infections? I know that a lot of people use Linux Live CD's for that, but I'm wondering if 1 build is better than another for fixing Windows machines.
|
|
#
?
Apr 28, 2009 14:14
|
|
|
Trinity Rescue Kit is my personal fave - it does everything you can possibly hope to do from a live CD. Both Fprot and ClamAV can download updated virus definitions, and there are tools for data recovery, backups, HDD tests, Mem tests, and tons more. Hiren's is also wonderful as well, and has XP-AntiSpy which can update the definitions as well. Bart's PE and Ultimate Boot are another two that I use occasionally, but neither have been updated in a while. All of these free downloads can be found as ISOs on any major torrent site.
|
|
#
?
Apr 28, 2009 17:05
|
|
|
Just dealt with an insidious little bastard that I wouldn't of found without GMER. My mother was complaining of her computer acting funny; certain links on yahoo.com wouldn't work, occasional redirects when clicking on google search results, little things that I would of figured to be quirks in her aging computer and issues with the website, not her computer. Except cmd and regedit would crash explorer if I tried to run them. Malwarebytes and SUPERAntiSpyware didn't find anything. Through GMER I found two things in the registry that raised suspicion: a dll in AppInit that shouldn't be there (turned out not to be the issue, the dll didn't exist anyway) and an entry in Drivers32. The "aux" keyword was pointing to "C:\WINDOWS\System32\..\rpc.smv". That turned out to be the culprit. Anybody know what it was? Google doesn't give any relevant results on a search for rpc.smv.
|
|
#
?
May 3, 2009 20:22
|
|
|
hihifellow posted:Except cmd and regedit would crash explorer if I tried to run them. I'm dealing with something very similar with the symptoms I quoted. AVG, MBAM and SUPER were all saying the system was clean, but cmd and regedit both would cause Explorer to poo poo itself when you ran them. AVG and MBAM also wouldn't update themselves, AVG was saying "Access is forbidden" or something like that. Only after a manual definition update did AVG pick it up as "Defiler". On this box it's constantly writing the files C:\Windows\hgtwr.ppc and hgtwr.ppcx. I cannot find any real information about the virus though. I just whacked that "aux" keyword (it referenced that hgtwr.ppc file) from the registry, going to see if that helps.
|
|
#
?
May 14, 2009 00:26
|
|
|
I can't use GMER, it crashes when it gets to VolumeShadowCopy, if you try to start it a second time it BSODs. Google shows a few people having this problem but no-one really tried to work out the cause.
|
|
#
?
May 14, 2009 17:29
|
|
|
Carecat posted:I can't use GMER, it crashes when it gets to VolumeShadowCopy, if you try to start it a second time it BSODs. Google shows a few people having this problem but no-one really tried to work out the cause. Disable System Restore, disable System Hibernation, and set your swap file to disabled - then try and run it again.
|
|
#
?
May 14, 2009 19:47
|
|
|
gently caress the Gumblar virus 
|
|
#
?
May 15, 2009 16:21
|
|
|
Hirez posted:gently caress the Gumblar virus Also; the Police
|
|
#
?
May 15, 2009 16:40
|
|
|
Somehow a virus got into the webserver my site's on. What it seems to do is go through all my files, and on any of the index .php/.html/.htm files, outside the </html> it adds a bit of Javascript. Avast alerted me to the issue when I visited the site, saying it's a IFrame-EE trojan. The webhost has done a couple virus scans, but they say it comes up clean. The code it adds looks like: <?php echo '<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,106,61,52,50,52,52,52,51, ....... and so on, with a bunch of other random numbers. The only way I've found to "disable" it is to CHMOD every index.* file to 444/read only, after removing the Javascript. I've kept one blank index file in an empty hidden folder set to owner-writeable, and I can see by the modified dates that it gets hit just about every day, so I'm pretty sure it's an automatic thing. Has anyone seen this? VVVVVVVVVVVVVVVVVVVV Edit: It's a Linux server, I'm not sure what the network share setup is like. The files are uploaded from clean Windows computers, though. I tried that site and out of the 40 scanners they have, only 3 caught it. Avast and GData said it's an HTML:IFrame-EE, and McAfee says "JavaScript.InfectedPage.gen!High (suspicious)." LifeSizePotato fucked around with this message at 22:30 on May 15, 2009 |
|
#
?
May 15, 2009 22:12
|
|
|
LifeSizePotato posted:Somehow a virus got into the webserver my site's on. Is it a Windows server, or do Windows machines have write access to those files over a network share? If so, it could be a recent variant of Virut/Scribble which is a PE file infecting virus that also adds iframes to webpage files. Send one of the infected HTML or PHP files to www.virustotal.com to see what people other than Avast call it. BillWh0re fucked around with this message at 22:16 on May 15, 2009 |
|
#
?
May 15, 2009 22:14
|
|
LifeSizePotato posted:<?php echo '<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,106,104,106,61,52,50,52,52,52,51, http://malzilla.sourceforge.net/downloads.html
|
|
|
#
?
May 17, 2009 17:45
|
|
|
Apparently I managed to get infected with something. I don't know what because its managed to kill both AVG and spybot, and any attempts to redownload stuff results in corrupted .exe's, and weird errors about temp files being changed. Ironic I guess Ive been downloading the windows 7 iso today and was going to give it a spin tonight anyway, I just might use it full time now if I can't fix this. Anyone have any shot in the dark of what I can do? I've tried a ton of things and nothing I can really think of to get around the whole loving up my exe's and blocking access to a ton of antvir sites in general. It's mostly hosed up so much stuff I almost want to just write it off and nuke it..
|
|
#
?
May 18, 2009 00:13
|
|
|
hobb posted:Apparently I managed to get infected with something. I don't know what because its managed to kill both AVG and spybot, and any attempts to redownload stuff results in corrupted .exe's, and weird errors about temp files being changed. Nuke it from orbit, it's the only way to be safe.
|
|
#
?
May 18, 2009 00:26
|
|
|
Yeah I'm thinking I might as well. I found the dll "LVPRCINJ01.DLL" running from my windows/temp/logishrd directory and while it seems to be something related to my logitech webcam, it makes no sense it would be in /temp/. It also seems to pull up hits for the vundo virus to masquarade as I think. Lovely way to spend the rest of my sunday. 
|
|
#
?
May 18, 2009 00:35
|
|
|
LifeSizePotato posted:Somehow a virus got into the webserver my site's on. You have virut, and you are hosed. It infects every single htm/html file with an iframe, as well as infecting every exe and dll file. Run Dr, Web Cureit! to have it clean most of the files, but I have yet to have a system cured of this bastard.
|
|
#
?
May 18, 2009 04:35
|
|
|
|
| # ? Apr 27, 2024 09:32 |
|
|
hobb posted:Yeah I'm thinking I might as well. I found the dll "LVPRCINJ01.DLL" running from my windows/temp/logishrd directory and while it seems to be something related to my logitech webcam, it makes no sense it would be in /temp/. I ran into this last week - that is a legitimate program. Logitech got a lot of complaints about it though and their newest drivers no longer run from a temp directory. They said they had to do it that way originally so that Windows could allow the program to hook into the shell - but after enough people bitched, they found some other way. But yeah - a lot of spyware programs detect it as bad because of how it works with Windows.
|
|
#
?
May 18, 2009 06:11
|
|