hobb
Sep 20, 2001
Yeah. Well, it's all pretty moot anyway; I said gently caress it and didn't deal with it yesterday, so I'll hopefully just be killing my install and starting over new this morning.

There's pretty much no way I can figure to get rid of this by any practical means. It's blocked every single malware removal website I can try to access, and it's blocking any related .exe's from even running/installing.

I can't say I've ever personally come across a rootkit/virus this persistent before. I'm still not entirely sure what it even is.

edit: oh yay, ESET confirms it's Virut. :(

hobb fucked around with this message at 12:54 on May 18, 2009

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

hobb posted:

edit: oh yay, ESET confirms it's Virut. :(

Welcome to the wonderful world of fast infectors. The next thing you should research is how to image your hard drive, and how much storage space it'll take to image it once a month or so after a full malware scan, and then how to reapply those images in a minimum amount of time to get up and running even if Virut was your problem.

Otacon
Aug 13, 2002


Midelne posted:

Welcome to the wonderful world of fast infectors. The next thing you should research is how to image your hard drive, and how much storage space it'll take to image it once a month or so after a full malware scan, and then how to reapply those images in a minimum amount of time to get up and running even if Virut was your problem.

In the meantime, since this has happened to many people in this thread: make a backup of everything EXCEPT any EXEs or HTMLs. All your docs, images, movies, saved games are all kosher, but any EXE or HTML file (or HTM, for that matter) is now infected.

With these backed up to a CD-R, begin the nuking and paving. Make sure you format the drive, and then install that Windows 7 you were talking about. It's better to start fresh on a new OS anyway :)

Good luck!

(Oh, by the way - virus scan that CD-R when you burn it. Just to be sure.)

LifeSizePotato
Mar 3, 2005

BorderPatrol posted:

You have Virut, and you are hosed. It infects every single htm/html file with an iframe, as well as infecting every exe and dll file. Run Dr.Web CureIt! to have it clean most of the files, but I have yet to have a system cured of this bastard.

I wonder if it's a variant of Virut? From what I can find online, Virut affects all htm/html files, but none of my htm/html files are hit except ones named index.htm or index.html. In my case, it's only files named index.*.
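Otacon's "back up everything except EXE/HTML" rule above and LifeSizePotato's question of which HTML files actually carry the injected iframe can both be checked with a short triage script before the drive is wiped. This is an added example, not code from the thread; every path and file body in it is constructed sample data.

```python
"""Pre-rebuild triage of a user profile, as an added example (not code from
the thread). It applies Otacon's rule (never back up EXE/DLL/HTM/HTML from a
Virut machine) and, for the HTML files, reports which ones carry an injected
<iframe>, so the question LifeSizePotato raises (every .htm/.html, or only
index.*?) can be answered before the drive is wiped. All paths and file
contents below are constructed sample data.
"""
import os
import re
import tempfile
from pathlib import Path

# Types the thread says are infected on a Virut machine: these never go to the backup.
NEVER_BACK_UP = {".exe", ".dll", ".htm", ".html"}

# Any <iframe ...> tag, case-insensitive; the injected frame is usually appended
# at the end of the file, but its position is not relied on here.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)


def classify(path: Path) -> str:
    """'skip' for files that must not be backed up, 'backup' for everything else."""
    return "skip" if path.suffix.lower() in NEVER_BACK_UP else "backup"


def html_has_iframe(path: Path) -> bool:
    """True if the file contains an <iframe> tag, the infection marker the thread describes."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return IFRAME_RE.search(text) is not None


def triage(root: Path) -> dict:
    """Walk root; return sorted 'backup' and 'skip' lists plus iframe hits keyed by file name."""
    result = {"backup": [], "skip": [], "iframe_hits": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            result[classify(p)].append(rel)
            if p.suffix.lower() in (".htm", ".html") and html_has_iframe(p):
                key = p.name.lower()
                result["iframe_hits"][key] = result["iframe_hits"].get(key, 0) + 1
    result["backup"].sort()
    result["skip"].sort()
    return result


def build_sample_profile() -> Path:
    """Write a constructed profile tree into a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "thesis.doc").write_bytes(b"constructed document")
    (root / "Pictures").mkdir()
    (root / "Pictures" / "cat.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "tool.exe").write_bytes(b"MZ constructed stub")
    (root / "site").mkdir()
    # constructed: index.htm with an appended hidden iframe, about.html untouched
    (root / "site" / "index.htm").write_text(
        '<html><body>home</body></html>\n'
        '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'
    )
    (root / "site" / "about.html").write_text("<html><body>about</body></html>")
    return root


if __name__ == "__main__":
    report = triage(build_sample_profile())
    print("safe to back up:", report["backup"])
    print("leave behind   :", report["skip"])
    print("iframe hits    :", report["iframe_hits"])
```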

hobb
Sep 20, 2001
Weird thing is, my variant of it seems to have not touched HTMs and basically had hosed every which way every exe and system file it could find. It was a hilarious cascade effect of every Windows service and process eventually cannibalizing itself.

I can't stress enough how weird it was.

Capnbigboobies
Dec 2, 2004
I downloaded some tool to prep a Sega CD ISO for a PSP emulator, and AntiVir a day later said it had Virut. I don't remember running it, and after removing the file AntiVir scans clean. I ran Norton's Virut scanner and some other one and they were clean too. I should be safe, right? After following this thread so long I am scared of Virut.

EDIT: Why is there no patch from MS to prevent an infection from Virut? Is running an antivirus enough?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Capnbigboobies posted:

I downloaded some tool to prep a Sega CD ISO for a PSP emulator, and AntiVir a day later said it had Virut. I don't remember running it, and after removing the file AntiVir scans clean. I ran Norton's Virut scanner and some other one and they were clean too. I should be safe, right? After following this thread so long I am scared of Virut.

EDIT: Why is there no patch from MS to prevent an infection from Virut? Is running an antivirus enough?

If you ran a file that was infected with Virut, you're probably boned, but who knows.

You could have the world's most perfect operating system and if you ran a file infected with Virut, the world's most perfect operating system would obediently infect itself with Virut. Coupled with the fact that you can't patch a user who thinks running a downloaded tool intended for use in a legal grey area without virus-scanning first is a good idea, it seems safe to say that viruses will be around for a long time.

edit: Another possibility is that you already had Virut and the tool was infected when you ran it, but that should've showed up prior.

Cedra
Jul 23, 2007
How do you guys deal with license keys, whether you're a shop or reformatting at home? Are you simply screwed in that aspect?

I've used up my license keys on 2 computers for my Office 2007, and was planning to install Windows 7 soon on one of them, infection or not. I was just wondering how others dealt with it if there was no disc image available.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Cedra posted:

How do you guys deal with license keys, whether you're a shop or reformatting at home? Are you simply screwed in that aspect?

If someone's system needs a reformat and they don't have the disk for the program they want to retain, they get to decide whether they want the system in working condition or that program available to them in the theoretical world where their system works. I am not a software piracy service, and will not provide advice or services in that regard, which is pretty much the only way I can think of right off-hand for someone who mysteriously doesn't have the Office disk anymore to get the program without purchasing it again.

At work we use volume licensing for things like Office, so when there's a problem there aren't really many hard choices to make other than whether I'm going to call the activation help line in India now or later.

Capnbigboobies
Dec 2, 2004

Midelne posted:

If you ran a file that was infected with Virut, you're probably boned, but who knows.

You could have the world's most perfect operating system and if you ran a file infected with Virut, the world's most perfect operating system would obediently infect itself with Virut. Coupled with the fact that you can't patch a user who thinks running a downloaded tool intended for use in a legal grey area without virus-scanning first is a good idea, it seems safe to say that viruses will be around for a long time.

edit: Another possibility is that you already had Virut and the tool was infected when you ran it, but that should've showed up prior.

I like how you had to throw in the subtle insult about patching users, but whatever. I just wanted to compress a Sega CD disk I have, not zero-day filez.

I have been sort of short on sleep due to finals, but I realized it detected Vundo, not Virut. I got them mixed up.
The first time I downloaded the file it was scanned by my antivirus (AntiVir) and it came up with nothing. The next day AntiVir popped up with a message that it found TR/Vundo.Gen. I just re-downloaded the file and ran it through VirusTotal, and here are the results.
http://www.virustotal.com/analisis/354f0981c740f15f7bb61b8e14a8d924

It looks like it was a false positive anyways.

Otacon
Aug 13, 2002


Cedra posted:

How do you guys deal with license keys, whether you're a shop or reformatting at home? Are you simply screwed in that aspect?

I've used up my license keys on 2 computers for my Office 2007, and was planning to install Windows 7 soon on one of them, infection or not. I was just wondering how others dealt with it if there was no disc image available.

There's a program called Belarc Advisor that will remind you of any product keys you're currently using and allow you to print out an information list. This helps when we get a system without a Microsoft product key sticker attached to the case.

parasyte
Aug 13, 2003

Nobody wants to die except the suicides. They're no fun.

Cedra posted:

How do you guys deal with license keys, whether you're a shop or reformatting at home? Are you simply screwed in that aspect?

I've used up my license keys on 2 computers for my Office 2007, and was planning to install Windows 7 soon on one of them, infection or not. I was just wondering how others dealt with it if there was no disc image available.

If they insist we reinstall programs, we ask them for the discs, or for the keys if we happen to have a disc available to us. Usually my boss has us try various discs if we end up having to get a Windows key from the registry, though I usually will refuse to install some random customer's Windows if it happens to need a VLK disk.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

parasyte posted:

If they insist we reinstall programs, we ask them for the discs, or for the keys if we happen to have a disc available to us. Usually my boss has us try various discs if we end up having to get a Windows key from the registry, though I usually will refuse to install some random customer's Windows if it happens to need a VLK disk.

From a business standpoint (and a lot of the posters in this thread are in the repair business) it's a bad idea to not take every step possible, provided you know how, to recover 'lost' MS key codes.


Most of the time I will reinstall their office for them even if they don't have the key. Typically I use the digital product id found in HKLM\Software\... to decode their license key. Then, I can use the \MSOCACHE directory to reinstall the program. I never alert the client that there is a possibility that I might be able to recover their office until I already know the answer. I just do it and tell them that I was able to do it and when they get the computer home with Office installed they are ecstatic.

There is nothing illegal with what I do; I merely assume that the keys I am recovering are legal. It's in poor taste to even allude to a client that they are a thief, and so I assume that they have a legitimate copy of software that they presumably bought legally. I am certainly not in the business of being a pirated software supermarket. I could lose my ability to ever make money in the field again if I were to act like one. However, I am also not in the business of software license enforcement. Unless a client is being stupid and using near-iconic key codes like the 'FCKGW' key on their XP with SP1 machine or using the 'GWH28' key code for Office 2003 Pro VLK, it's no skin off my back to reinstall the software.

The last thing either I or my clients have time for is going through the effort of finding out if each and every key I recover is in fact legal; instead of putting myself in a situation where I might lose a client (and all the potential clients that I might have gained through them), if I know that there is software piracy taking place on the machine I will tell them that there is no way I can recover their key and unless they have the box at home somewhere, there is nothing I can do. Additionally, if it is something that I have to call in the activation for, and the Microsoft lady cheerfully activates it, then who am I to complain.

Now that I have derailed the discussion, I will contribute that I am growing increasingly spiteful toward Virut. Even with backup, flatten and reinstall it is a bitch, because you have to be certain that there are no .exe files left behind that someone stupid could run on a whim and restart the whole process.

The creator(s) are evil loving genius(es) and if I were to meet them I would first shake their hands and congratulate them on the success of their hell spawn. I would then kick them in the balls.

FCKGW
May 21, 2006

Here's a good one I ran across today. Which one is Norton Internet Security 2006 and which one is Spy Defender?




Even the "Live Update" link is the same.

Panty Saluter
Jan 17, 2004

Making learning fun!

BorderPatrol posted:

Here's a good one I ran across today. Which one is Norton Internet Security 2006 and which one is Spy Defender?




Even the "Live Update" link is the same.

More importantly, which one causes more damage to your computer?

parasyte
Aug 13, 2003

Nobody wants to die except the suicides. They're no fun.

abominable fricke posted:

From a business standpoint (and a lot of the posters in this thread are in the repair business) it's a bad idea to not take every step possible, provided you know how, to recover 'lost' MS key codes.

[...]

There is nothing illegal with what I do; I merely assume that the keys I am recovering are legal. It's in poor taste to even allude to a client that they are a thief, and so I assume that they have a legitimate copy of software that they presumably bought legally. I am certainly not in the business of being a pirated software supermarket. I could lose my ability to ever make money in the field again if I were to act like one. However, I am also not in the business of software license enforcement. Unless a client is being stupid and using near-iconic key codes like the 'FCKGW' key on their XP with SP1 machine or using the 'GWH28' key code for Office 2003 Pro VLK, it's no skin off my back to reinstall the software.

This is sort of what I do. I still really don't like it if a customer that's not a business has a machine where the recovered key only works on a volume license disc of XP, but I'm fine with whatever else. Usually I'm extra annoyed by the time I get to a VLK disc, as there's no sticker and they don't know what disc they used, so it's probably the fourth time I've had to try since going through OEM/Retail/Upgrade discs.
If a key is there I'll often try reinstalling Norton or other antivirus software by redownloading it, even.

I'll join you in your hate for Virut, it's gloriously horrific and I'm seeing it more now.

One thing I want to ask is how I can unregister fake antivirus apps from Windows Security Center. Usually we install another antivirus program, but in the cases where the customer would rather do it themselves I'd like to keep it from claiming CoreAntivirus or AntivirusXP or whatever is out of date when other than that, there's no trace of it remaining in the system.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

parasyte posted:

One thing I want to ask is how I can unregister fake antivirus apps from Windows Security Center. Usually we install another antivirus program, but in the cases where the customer would rather do it themselves I'd like to keep it from claiming CoreAntivirus or AntivirusXP or whatever is out of date when other than that, there's no trace of it remaining in the system.

The fake security center is part of the fake antivirus program, unless something drastic has changed. I think the most recent variant I've actually had sitting in front of me it was still possible to tell the difference because of minor changes to the icons -- the one I remember is that the "firewall" icon was nearly identical to the authentic Windows version, but someone had decided that it would be more exciting if there were actual fire in the icon as well.

I'm not aware of any fake antivirus products that actually register as antivirus products with Security Center, which would lead me to believe that you are still infected. If someone has information to the contrary, I would love to read up on it.

parasyte
Aug 13, 2003

Nobody wants to die except the suicides. They're no fun.

Midelne posted:

The fake security center is part of the fake antivirus program, unless something drastic has changed. I think the most recent variant I've actually had sitting in front of me it was still possible to tell the difference because of minor changes to the icons -- the one I remember is that the "firewall" icon was nearly identical to the authentic Windows version, but someone had decided that it would be more exciting if there were actual fire in the icon as well.

I'm not aware of any fake antivirus products that actually register as antivirus products with Security Center, which would lead me to believe that you are still infected. If someone has information to the contrary, I would love to read up on it.

I've seen it a few times, notably yesterday with Coreguard Antivirus. Malwarebytes and SuperAntiSpyware both showed a system was clean, it'd been ComboFix'd and I'd gone through the system directories looking for randomly-named files with recent modified dates and everything was fine. The security center was definitely the real Windows security center, as the Windows Firewall toggle and alert worked as expected and the various options for "I have an X I'll monitor myself" also worked as expected.

Doing some googling I found it has something to do with the WMI database but I don't know enough about WMI to know what to do with that, or the potential downsides to simply removing the entire WMI database.

-Dethstryk-
Oct 20, 2000
Ran into a brand new variant of WinPC Antivirus that infected a machine on Wednesday. This son of a bitch is one of the worst fake security center programs, because even in safe mode it's preventing anything from running properly, like GMER and MBAM.

Nasty poo poo. Usually I resort to using the most recent version of Avira's boot CD to take care of this one, but they still aren't catching it.

Stegosaurus
Sep 30, 2005

yeah it was like, we came in one day and there was a five-seven just chillin on airbus two. we were like, 'the hell?'
I got some garbage on my pc that I couldn't get rid of and so I reformatted. My current av/spyware software suite is a full version of AVG and spybot. Anything else I need, or are these two enough for my purposes?

-Dethstryk-
Oct 20, 2000

Stegosaurus posted:

I got some garbage on my pc that I couldn't get rid of and so I reformatted. My current av/spyware software suite is a full version of AVG and spybot. Anything else I need, or are these two enough for my purposes?
Honestly, some of the nastiest stuff going around isn't giving a gently caress what you have installed. This TDSS crap and all of the other malware posing as antiviruses has been slipping through everything for the past year because of how quickly they update.

Just watch what you're clicking on and where you are going, because that's where most of it is coming from.

Stegosaurus
Sep 30, 2005

yeah it was like, we came in one day and there was a five-seven just chillin on airbus two. we were like, 'the hell?'

-Dethstryk- posted:

Honestly, some of the nastiest stuff going around isn't giving a gently caress what you have installed. This TDSS crap and all of the other malware posing as antiviruses has been slipping through everything for the past year because of how quickly they update.

Just watch what you're clicking on and where you are going, because that's where most of it is coming from.
Yeah I've only ever caught one or two viruses. I'm just trying to protect myself.

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
Patch everything Adobe, Firefox and Java as soon as it comes out. Don't download stuff, especially keygens. Disable autorun. Of course, scan all incoming files. That should take care of most viruses out there.

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
Who gives viruses names? I can't imagine that a lot of them have their name inside the infected files or that the creator(s) actually give it one. Is there some kind of virus analysis consortium that does this sort of thing?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Ensign Expendable posted:

Who gives viruses names? I can't imagine that a lot of them have their name inside the infected files or that the creator(s) actually give it one. Is there some kind of virus analysis consortium that does this sort of thing?

I remember reading one article on W32/Waledac that indicated that the name came from a typo in the code containing the string FIREWALED.ACK, which presumably has something to do with whether the target is firewalled. Now, I couldn't say why they went with W32/Waledac out of that rather than W32/Waledack for instance, but it really seemed in that instance like they were flat out thumbing their noses at the author for not knowing how to spell a word that in his line of work he really ought to have known.

edit: "They" in this case, I think, was probably a Microsoft article.

univbee
Jun 3, 2004




parasyte posted:

If they insist we reinstall programs, we ask them for the discs, or for the keys if we happen to have a disc available to us. Usually my boss has us try various discs if we end up having to get a Windows key from the registry, though I usually will refuse to install some random customer's Windows if it happens to need a VLK disk.

This is pretty much what I do, as well. I'll pull the keys using Belarc or some other software, reinstall and call Microsoft to activate if needed. I have almost every variant of Windows XP disc (OEM, Retail, Dell, HP, etc. all in Pro and Home variants) but will also stop short of installing a Volume License edition if it comes to that.

Surprisingly, though, almost every computer I've worked on has been almost completely legit. I had one sketchy-looking one that Microsoft re-activated when I called them, which is pretty much seal-of-approval, and only one VLK that updated and tripped the genuine advantage flag. Surprisingly, that last customer just bought a new key online from Microsoft using the links in the "not activated" window; she was willing to pay $200 to legitimize her software.

BillWh0re
Aug 6, 2001


Ensign Expendable posted:

Who gives viruses names? I can't imagine that a lot of them have their name inside the infected files or that the creator(s) actually give it one. Is there some kind of virus analysis consortium that does this sort of thing?

The virus researcher that discovers it generally names it; often they pick a string or something about how it works and play around with the word, and other times, if it's just not very interesting, it gets a generic name like "Downloader" or "Agent".

When it's first discovered at a company's lab, they will scan it with the scanners from every other AV company to see if any of them detect it already -- if so, they'll usually copy the existing name if another company already detects and has named it. When new stuff spreads quickly it'll often be the case that several AV companies discover it around the same time and don't know each other's name for it, so you end up with something having several different names, such as Conficker/Kido/Downadup and Storm/Zhelatin/Dorf/Peacomm.

cnrkb
Sep 29, 2008

The internet is
serious business


Before I reinstall Windows 7, would anyone have any ideas regarding this? The site seems to be related to some pretty iffy malware from what I can Google-search, but if anyone knows a way of getting rid of it (tried Malwarebytes, CCleaner and ESET Smart Security already), feel free to let me know, so I won't have to bother with the format.

Stanley Pain
Jun 16, 2001

by Fluffdaddy

Zuffox posted:



Before I reinstall Windows 7, would anyone have any ideas regarding this? The site seems to be related to some pretty iffy malware from what I can Google-search, but if anyone knows a way of getting rid of it (tried Malwarebytes, CCleaner and ESET Smart Security already), feel free to let me know, so I won't have to bother with the format.

Check your hosts file and see if 007guard.com is 127.0.0.1

I get the same thing with AVIRA and initially freaked out. Your traffic is being redirected by NOD32 to a daemon that sits on localhost (127.0.0.1) and if your first entry in your hosts file is https://www.007guard.com it'll show up as that.
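The hosts-file mechanism Stanley Pain describes can be reproduced offline: parse the file, see which names are pinned to 127.0.0.1, and which of them a reverse lookup would return. This is an added example, not code from the thread; SAMPLE_HOSTS is a constructed file in the Windows 7 layout, where the localhost lines ship commented out, and the real file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Why a loopback connection gets reported as 007guard.com, as an added example
(not code from the thread). Spybot S&D's immunization writes thousands of
blocked domains into the hosts file, all pointed at 127.0.0.1. A security
product that labels a connection to a local daemon by reverse-resolving
127.0.0.1 through the hosts file gets the first name on that address, which
is what Stanley Pain describes. SAMPLE_HOSTS is constructed in the Windows 7
layout, where the localhost lines ship commented out.
"""
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[str, List[str]]  # (ip, hostnames) for one data line

SAMPLE_HOSTS = """\
# constructed sample hosts file (Windows 7 style: localhost handled by DNS)
#       127.0.0.1       localhost
#       ::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com www.008k.com
# End of entries inserted by Spybot - Search & Destroy
"""


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file text into (ip, [names]) in file order; comments and junk are dropped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # not an address: ignore the line
        entries.append((ip, [h.lower() for h in fields[1:]]))
    return entries


def names_for(entries: List[Entry], ip: str) -> List[str]:
    """Every hostname mapped to ip, in file order."""
    target = str(ipaddress.ip_address(ip))
    return [h for e_ip, hosts in entries if e_ip == target for h in hosts]


def forward_lookup(entries: List[Entry], host: str) -> Optional[str]:
    """What the hosts file resolves host to (first matching line wins), or None."""
    host = host.lower()
    for ip, hosts in entries:
        if host in hosts:
            return ip
    return None


def reverse_lookup(entries: List[Entry], ip: str) -> Optional[str]:
    """The name a hosts-file reverse lookup of ip yields: first name on the first matching line."""
    names = names_for(entries, ip)
    return names[0] if names else None


def diagnose_loopback(entries: List[Entry]) -> str:
    """Explain what an alert that names a 127.0.0.1 connection will display."""
    name = reverse_lookup(entries, "127.0.0.1")
    if name is None:
        return "127.0.0.1 has no hosts entry; the name in the alert did not come from the hosts file"
    if name == "localhost":
        return "127.0.0.1 reverse-resolves to localhost; the alert name came from somewhere else"
    return f"127.0.0.1 reverse-resolves to {name!r}: a local daemon will be reported under this name"


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(diagnose_loopback(hosts))
    print("007guard.com ->", forward_lookup(hosts, "007guard.com"))
```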

F2B
Feb 13, 2003

Zuffox posted:



Before I reinstall Windows 7, would anyone have any ideas regarding this? The site seems to be related to some pretty iffy malware from what I can Google-search, but if anyone knows a way of getting rid of it (tried Malwarebytes, CCleaner and ESET Smart Security already), feel free to let me know, so I won't have to bother with the format.

Upload it to jotti.org

cnrkb
Sep 29, 2008

The internet is
serious business

Stanley Pain posted:

Check your hosts file and see if 007guard.com is 127.0.0.1

I get the same thing with AVIRA and initially freaked out. Your traffic is being redirected by NOD32 to a daemon that sits on localhost (127.0.0.1) and if your first entry in your hosts file is https://www.007guard.com it'll show up as that.
Phew! Crisis averted. Thanks a bunch. Spybot S&D's list caused it.

Zwabu
Aug 7, 2006

Can someone explain what it means for a file to be "quarantined" by an antivirus utility? As opposed to deleted/removed?

wolffenstein
Aug 2, 2002
 
Pork Pro

Zwabu posted:

Can someone explain what it means for a file to be "quarantined" by an antivirus utility? As opposed to deleted/removed?
The file is marked as unreadable/unusable to the operating system until the user decides what to do with the file.

Rastor
Jun 2, 2001

It's a precaution so you could still recover the file in the event of a false positive.

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock

wolffenstein posted:

The file is marked as unreadable/unusable to the operating system until the user decides what to do with the file.

More specifically, in most antivirus suites I've seen the file is encrypted/obfuscated in some way to render it harmless, then moved to a special directory. So anything attempting to use the original file won't work.
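The quarantine behaviour ymgve and Rastor describe (obfuscate, move under a neutral name, keep it restorable for false positives) as a small working implementation. This is an added example, not code from the thread or from any antivirus product; the XOR keystream only makes the bytes inert and is not meant as confidentiality-grade encryption, and all paths and file contents are constructed.

```python
"""A minimal antivirus-style quarantine, as an added example (not code from
the thread or from any product). It does what ymgve describes: the file is
obfuscated so nothing can run or parse it, stored in a quarantine directory
under a neutral name, and the original location is emptied; and, as Rastor
notes, it can be restored intact if the detection was a false positive. The
XOR keystream only renders the bytes inert; it is not confidentiality-grade
encryption. Paths and file contents are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Optional

MAGIC = b"QTN1"   # constructed header tag; the blob never starts with the original file's magic
KEY_LEN = 32      # random per-file key, stored in the blob so restore needs no key database


def _xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice gives the input back."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def quarantine(target: Path, qdir: Path) -> str:
    """Replace target with an inert blob in qdir plus a metadata sidecar; return the quarantine id."""
    data = target.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    qid = digest[:16]
    key = os.urandom(KEY_LEN)
    qdir.mkdir(parents=True, exist_ok=True)
    (qdir / f"{qid}.qtn").write_bytes(MAGIC + key + _xor(data, key))
    (qdir / f"{qid}.json").write_text(json.dumps(
        {"original_path": str(target), "sha256": digest, "size": len(data)}))
    target.unlink()   # nothing referencing the original path can launch it now
    return qid


def is_inert(qdir: Path, qid: str) -> bool:
    """True if the stored payload is wrapped and no longer hashes like the original file."""
    blob = (qdir / f"{qid}.qtn").read_bytes()
    meta = json.loads((qdir / f"{qid}.json").read_text())
    payload = blob[len(MAGIC) + KEY_LEN:]
    return blob.startswith(MAGIC) and hashlib.sha256(payload).hexdigest() != meta["sha256"]


def restore(qdir: Path, qid: str, dest: Optional[Path] = None) -> Path:
    """Decode the blob, verify its hash, write the file back (to dest or its original path)."""
    blob = (qdir / f"{qid}.qtn").read_bytes()
    meta = json.loads((qdir / f"{qid}.json").read_text())
    if not blob.startswith(MAGIC):
        raise ValueError("not a quarantine blob")
    key = blob[len(MAGIC):len(MAGIC) + KEY_LEN]
    data = _xor(blob[len(MAGIC) + KEY_LEN:], key)
    if len(data) != meta["size"] or hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantine blob corrupted; refusing to restore")
    out = dest or Path(meta["original_path"])
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_bytes(data)
    (qdir / f"{qid}.qtn").unlink()
    (qdir / f"{qid}.json").unlink()
    return out


def demo() -> dict:
    """Round-trip a constructed 'suspect.exe' through quarantine and back; return the checks."""
    root = Path(tempfile.mkdtemp(prefix="qtn_demo_"))
    suspect = root / "suspect.exe"
    original = b"MZ" + bytes(range(256))   # constructed: PE-looking bytes, not a real program
    suspect.write_bytes(original)
    qdir = root / "quarantine"
    qid = quarantine(suspect, qdir)
    removed = not suspect.exists()
    inert = is_inert(qdir, qid)
    restored = restore(qdir, qid)
    return {"removed": removed, "inert": inert,
            "restored_ok": restored.read_bytes() == original,
            "quarantine_empty": not any(qdir.iterdir())}


if __name__ == "__main__":
    print(demo())
```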

davebees
Feb 18, 2009
While we're on this topic, if I'm just surfing the 'net and I get a detection like this:

which option should I go for? And why is it "dangerous" to note the action taken?

BaronVanAwesome
Sep 11, 2001

I will never learn the secrets of "Increased fake female boar sp..."

Never say never, buddy.
Now you know.
Now we all know.

Starno posted:

While we're on this topic, if I'm just surfing the 'net and I get a detection like this:

which option should I go for? And why is it "dangerous" to note the action taken?

I think their use of "Note action taken" just means "remember my choice and always do this".

So it could be dangerous to "ignore" it forever when really it's an evil deadly virus ready to kill everyone you love.

deathfalls
Oct 28, 2003
death cult armageddon
I have been absolutely amazed at some of the infections I've encountered recently, I just don't understand how these people manage to do it. One place in particular, I ran across a nasty infection of what Sunbelt VIPRE labeled as Virus.Win32.Sality.az, which caused practically all program executables to be quarantined.

Speaking of Sunbelt, their customer service loving sucks in my opinion, they've been less than helpful and take forever to even respond to any support requests I've submitted. I had a server that recently would BSOD any time it started a scan (quick or deep). Memory dumps pointed to SBREdrv.sys as the culprit, which is their Rootkit Scanning Engine. Took me nearly 5 days, and going through cookie cutter emails to finally get a response that this is a known issue and will be fixed in a new version.

eleven extra elephants
Feb 16, 2007

Menschliches! Allzumenschliches!!
I don't really have time to read through every page but I recently had a virus that redirected Google to odd pages and made my C drive occasionally inaccessible. It also prevented Spyware programs from running or updating. I think it's gone now, but I still think my internet is running much slower than usual. :mad:

brc64
Mar 21, 2008

I wear my sunglasses at night.
One of my coworkers has been battling something nasty on her laptop for the last couple of weeks that I haven't had any time to look into. A couple weeks ago she told me that her computer "lost" her audio device. Last week she started getting bluescreens and error messages on startup referencing chkdsk.dll (it was in Start Menu/Programs/Startup), and I noticed that OfficeScan was not only outdated but the real time scanner wasn't even running anymore.

I've been at a local hospital every day last week so I haven't had any time to look closer into the problem. I downloaded VIPRE rescue to see if it would have any more luck than Trend crap, but her computer couldn't browse the network. Burned it to a CD instead, started it up, then went to the hospital. When I got back she said it didn't do anything when it finished but try to open some website that never loaded (and based on the URL I'm pretty sure VIPRE didn't launch it).

I'm pretty sure I'm just going to have to nuke the laptop. I just hope I have some time to look into it this week. Last week was hell.
