PUBLIC TOILET
Jun 13, 2009

A few articles to mention related to this thread:

America's 10 most wanted botnets

Adobe Flash Player Arbitrary Code Execution Vulnerability

Adobe Reader/Acrobat SWF Content Arbitrary Code Execution

Prepare your businesses for a round of Adobe exploits. Looks like these won't be patched until the 30th at the latest.


Beary Mancrush
Jun 9, 2002


Boring damned people. All over the earth. Propagating more boring damned people. What a horror show. The earth swarmed with them.
Oh god. Get a USB with a switch. I got Virut (I suspect someone borrowed my USB key off my desk) and infected a machine I had just reimaged. It's like throwing open the door for every wacky fake virus scanner out there. It took all of 30 seconds to cripple a Core Duo E8500.

JINKY
Nov 7, 2004
JINKY
I just got some insane virus which is apparently crashing and breaking every virus scanner which scans it. I've used probably five different programs at this point, and each of them either crashes upon scanning or finds nothing. MBAM and hijack this crash and then the program doesn't work until I reinstall them. What is this :(

Smoking_Dragon
Dec 12, 2001

WOE UNTO THEE
Pillbug
My computer seems to have caught a really nasty virus that is screwing up proquote.exe, messing up IE, and seems to be impossible to remove. Every time I try to scan it with anti-virus software (I've tried Avast, Malwarebytes and Spyhunter) it simply deletes the anti-virus software. I think it's the "pp10.exe" virus because that's the only process I have running that comes up as a virus when I Google search it. I have no idea how I got it because I wasn't going to any suspicious sites and had Avast Anti-Virus running (which is now broken). It actually found the virus when I first got infected but it crashed when I tried to delete it. Can anyone help me?

sfwarlock
Aug 11, 2007
General reply: try Trinity Rescue Kit. Boots off CD, finds your hard drive and NIC, updates itself, and gets to scanning.

Otherwise, back up your data and dust-off-and-nuke-the-site-from-orbit. It really is the only way to be sure.

Loomer
Dec 19, 2007

A Very Special Hell
I just got over TDSS.rtk. It's a very nasty little piece of rootkit assholery and is the new 'big thing' of Usenet viruses. I had to use combofix in the end to cleanse it, after A-Squared and Malwarebytes both failed to even show it. A-Squared did, however, show the processes it was running behind.

Spybot showed the actual culprits but couldn't delete them, and it probably would have been system crippling if I hadn't manually replaced my explorer, svchost, services, lsass and userinit files right before running combofix, since it seems to like to lurk in those.

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
Can anyone recommend an antivirus that runs on Linux and also scans for Windows stuff? Preferably one with an RPM package.

Smoking_Dragon
Dec 12, 2001

WOE UNTO THEE
Pillbug

sfwarlock posted:

General reply: try Trinity Rescue Kit. Boots off CD, finds your hard drive and NIC, updates itself, and gets to scanning.

Ok I downloaded Trinity, put it on a CD and tried running it on my work computer as a test run. Problem is that I have no idea how to get it to run an anti-virus scan when it finishes loading and goes to the command prompt (I've never used linux before).

sfwarlock
Aug 11, 2007

Smoking_Dragon posted:

Ok I downloaded Trinity, put it on a CD and tried running it on my work computer as a test run. Problem is that I have no idea how to get it to run an anti-virus scan when it finishes loading and goes to the command prompt (I've never used linux before).

You can just select option 6 off the bootmenu, or, once you get to a prompt, type trkhelp to browse the help or virusscan -h to get things going.

Wicaeed
Feb 8, 2005
I've recently come across a virus on our work network that appears to have been started by someone bringing in an infected USB key. It runs off of a USB flash drive and infects the main HDD, while also adding an autorun.inf file that will auto-run any removable drives that are inserted into the infected machine, and then infect the USB drive itself.

Our anti virus "solution" (Comodo Internet Security) detects the virus on the C:\ as mb9x.exe and will attempt to clean it. It has no errors during cleaning, as all appears to go well. However, even after the "successful" cleaning attempt, the file (and autorun.ini) still exist on the drive. The clincher here is that this virus will not allow you to select the "View hidden files and folders" option from the drop down menu. As soon as you make a selection and close the window, the desktop flashes and your selection is undone. The only way to actually "see" the file is to go to command line and list the directory with a "/a" switch. Another symptom of this virus (although I have noticed that it doesn't affect every pc) is that you are unable to switch your drive away from C:\ in command line.

I have Google searched for this specific mb9x.exe virus and have found very little (in English) that would help me to kill this fucker.

The best information I have found so far is at this site which would seem to indicate that this is a rootkit. I have tried running the Trinity Rescue cd, but none of the tools on there worked at detecting/removing this guy.

Any help is appreciated, because at this point I'm betting the majority of computers on our network have this thing installed.

Wicaeed fucked around with this message at 21:11 on Jul 31, 2009

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Wicaeed posted:

Any help is appreciated, because at this point I'm betting the majority of computers on our network has this thing installed.

Seems like a good time to ask how good your backup/restore procedures have been, and whether you've got an imaging solution in place. This sounds nasty.

Can you change directories with PUSHD? Have you had any luck with Combofix for removal or Dial-A-Fix to eliminate restrictive permissions?

Wicaeed
Feb 8, 2005
Nice, seems like Combofix did the trick; ran it on a machine that had the virus on it and it's clean now.

The Pro
May 20, 2008

EDIT: I don't think you need one, you could try the local security policy editor (secpol.msc)

The Pro fucked around with this message at 13:41 on Nov 12, 2009

Wicaeed
Feb 8, 2005
I LOVE those solutions and would implement them on everyone yesterday...if we had a Domain to do such a thing :(

Independence
Jul 12, 2006

The Wriggler

Wicaeed posted:

I LOVE those solutions and would implement them on everyone yesterday...if we had a Domain to do such a thing :(

Why not just build one and migrate everyone's data over?

http://www.forensit.com/downloads.html has a program that can move a person's data over without skipping a beat. It adds a person to the selected domain, migrates their profile so everything is intact, and does it in about 5-15 minutes.

Wicaeed
Feb 8, 2005
We have to get to the planning/deployment stages first ;)

Crazy Achmed
Mar 13, 2001

This thread has me slightly spooked. I used to run Avast!, but a while back I noticed a flash drive of mine getting virus alerts when inserted into a couple of machines running McAfee. (I've since switched to Avira, but I'm still a little worried.)
If I wanted to scan the everloving gently caress out of my computer and flash disks, what steps should I take?

ufarn
May 30, 2009

Crazy Achmed posted:

This thread has me slightly spooked. I used to run Avast!, but a while back I noticed a flash drive of mine getting virus alerts when inserted into a couple of machines running McAfee. (I've since switched to Avira, but I'm still a little worried.)
If I wanted to scan the everloving gently caress out of my computer and flash disks, what steps should I take?
I think Avira's fine; it just has a bad habit of false positives. Remember to enable heuristics for flash drives.

What exactly are you asking for? More thorough virus-scanning tools?

Telven
Mar 4, 2001

IL2 Fanboy
I'm trying to figure out how my in-laws' computer gets infected with a virus so quickly. Apparently they take the computer to get formatted and reinstalled and get it home, and I quickly put on a free version of AVG 8. It doesn't take more than two weeks and AVG 8 is disabled, you can't download anything and the IE explorer icon is deleted. This is on Windows Vista. This has happened for the third time in a row.

The culprit is an 11-year-old boy; what the hell is he doing?

1997
Jan 20, 2008

calmer than you are

Telven posted:

I'm trying to figure out how my in-laws' computer gets infected with a virus so quickly. Apparently they take the computer to get formatted and reinstalled and get it home, and I quickly put on a free version of AVG 8. It doesn't take more than two weeks and AVG 8 is disabled, you can't download anything and the IE explorer icon is deleted. This is on Windows Vista. This has happened for the third time in a row.

The culprit is an 11-year-old boy; what the hell is he doing?

Probably looking at porn. Tell his parents to monitor what he's doing online. He's 11 and seems to be causing a headache with this, probably not much else can be done besides that.

Also maybe try a different anti-virus program?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Telven posted:

I'm trying to figure out how my in-laws' computer gets infected with a virus so quickly. Apparently they take the computer to get formatted and reinstalled and get it home, and I quickly put on a free version of AVG 8. It doesn't take more than two weeks and AVG 8 is disabled, you can't download anything and the IE explorer icon is deleted. This is on Windows Vista. This has happened for the third time in a row.

The culprit is an 11-year-old boy; what the hell is he doing?

He's running on an administrator account when he should be a standard user, for one thing, and UAC is off for the other. Yes, being able to guess that the password to the administrator account is the name of the family dog counts as running an administrator account.

edit: And Vista has a marvelous parental control feature for people whose children continually infect their system.

Iblys
Sep 23, 2003

gay for iBag....i mean, disconnect and self-destruct one bullet at a time...
So can anyone tell me how respected (or not) Endpoint is? I've been using it for a little while and I'm reasonably confident it's saved me on a couple of occasions.

Call Me Charlie
Dec 3, 2005

by Smythe

Telven posted:

I'm trying to figure out how my in-laws' computer gets infected with a virus so quickly. Apparently they take the computer to get formatted and reinstalled and get it home, and I quickly put on a free version of AVG 8. It doesn't take more than two weeks and AVG 8 is disabled, you can't download anything and the IE explorer icon is deleted. This is on Windows Vista. This has happened for the third time in a row.

The culprit is an 11-year-old boy; what the hell is he doing?

Like any kid, he's probably scouring Google for free porn and downloading lovely P2P programs for free music.

I remember messing up my parent's computer with iMesh and going to about every sample porn site on the internet. Funny thing is I thought I was being clever and didn't put 2 & 2 together that I was loving up the computer.

You need to either tell his parents to put the computer in a common area (like the living room) and have them watch him like a hawk or teach him how to use torrents and how to avoid viruses/be safe.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

I'm seeing some conficker.b activity in my network on a segment I'd already isolated as a proto-DMZ. The weird thing is, these machines are patched with MS08-67/KB958644 already. We never got hit during the lead up to April so I thought conficker was 'over' basically. Has anyone heard anything about new variants that can get around the patch?

These computers are:
- Windows XP Pro SP3
- Patched with MS08-67/KB958644
- Users running standard (not administrator) accounts

My test box in the network segment in question has been hit 6 times already in the last 3 hours. I've been using http://www.bdtools.net for removal, and have already done a network agent removal, but it came back within minutes.

Now, correct me if I'm wrong but there might be one or two machines that aren't patched which are obviously at risk. But shouldn't they be the only ones at risk? Or is the patch only useful for stopping cross-internet attacks, but once it's in your network it's not going to help (e.g. over file/print sharing)?

As for the source, I'm pretty sure it was a Windows 2000 laptop a rep brought in, since it all started happening 10 minutes after he plugged it in.

BillWh0re
Aug 6, 2001


Scaramouche posted:

Or is the patch only useful for stopping cross-internet attacks, but once it's in your network it's not going to help (e.g. over file/print sharing)?

As for the source, I'm pretty sure it was a Windows 2000 laptop a rep brought in, since it all started happening 10 minutes after he plugged it in.

Pretty much this. If the laptop brought in was infected, it might have brute forced some Administrator accounts on the network if they had weak passwords.

Also Conficker spreads by removable drive autorun files so someone might have plugged an infected USB stick into a computer on your network, at which point it might have begun spreading from that computer. Particularly if the USB stick was plugged into a computer where a Domain Administrator was logged on, which allows Conficker to spread without having to brute force any passwords.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

BillWh0re posted:

Pretty much this. If the laptop brought in was infected, it might have brute forced some Administrator accounts on the network if they had weak passwords.

Also Conficker spreads by removable drive autorun files so someone might have plugged an infected USB stick into a computer on your network, at which point it might have begun spreading from that computer. Particularly if the USB stick was plugged into a computer where a Domain Administrator was logged on, which allows Conficker to spread without having to brute force any passwords.

Hmm, I've got a GP that prevents USB-auto boot (though obviously that's not perfect), and the rep that plugged his laptop in wasn't actually a domain member. The only interaction he would have had is with DHCP to get his IP since he wouldn't have credentials to do anything else. Admin passwords are >10 chars with at least 4 non-alpha so I hope that's strong enough...

How do I stop it inside, if anyone knows? Shut down file and print sharing completely, clean?

BillWh0re
Aug 6, 2001


Scaramouche posted:

Hmm, I've got a GP that prevents USB-auto boot (though obviously that's not perfect), and the rep that plugged his laptop in wasn't actually a domain member. The only interaction he would have had is with DHCP to get his IP since he wouldn't have credentials to do anything else. Admin passwords are >10 chars with at least 4 non-alpha so I hope that's strong enough...

How do I stop it inside, if anyone knows? Shut down file and print sharing completely, clean?

It uses a dictionary to crack the passwords so if they're random or unusual at all it probably wasn't that.

I'd put Wireshark on one of your test machines to see what's reinfecting it after you clean it off. You should be able to see the network copy if you filter for SMB traffic, then check the source machine to see if it's patched or has a Domain Admin logged on, and clean it if it's infected.

Frabba
May 30, 2008

Investing in chewy toy futures
I'm pretty sure one of my friends has Conficker, or something similar. Trying to boot into safe mode is a bluescreen, and DNS isn't working. Also all sorts of fun little "LOL YOU HAVE A VIRUS DOWNLOAD THIS SOFTWARE" popups. Anyone have a recommendation on a tool to use on an already badly compromised PC?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

frabba posted:

I'm pretty sure one of my friends has Conficker, or something similar. Trying to boot into safe mode is a bluescreen, and DNS isn't working. Also all sorts of fun little "LOL YOU HAVE A VIRUS DOWNLOAD THIS SOFTWARE" popups. Anyone have a recommendation on a tool to use on an already badly compromised PC?

Conficker doesn't give a garden variety user any real indication that it's there, let alone spam you with popups. Run MalwareBytes and see what comes up.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

BillWh0re posted:

It uses a dictionary to crack the passwords so if they're random or unusual at all it probably wasn't that.

I'd put Wireshark on one of your test machines to see what's reinfecting it after you clean it off. You should be able to see the network copy if you filter for SMB traffic, then check the source machine to see if it's patched or has a Domain Admin logged on, and clean it if it's infected.

Yeah that's done it. At first it was pretty crazy in that I was getting about 500 rows/sec in wireshark but I eventually whittled them down. I did an nmap of the whole subnet with --script=check-vuln to get my list of infected computers by IP and then ran the bdtools.net network client on all of them. Then rolled a gpupdate to prevent everyone (including domain admins) from setting tasks, launching services, or running usb-autoplay (which I'd already done but hey, better safe than sorry).

I'll probably do another couple network agent rollouts just to be sure, but the number of infected computers is finally going down instead of always increasing. It's just a matter of slowly closing the circle now.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Sorry for the double but thought I'd post this in case it helped anyone else. This is the nmap script command I used to identify conficker compromised stations (must be using nmap 4.85 or greater):

code:
nmap -p139,445 -vv --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args=checkconficker=1,safe=1 -T4 <ip range in slash notation>
You'd obviously want to change the IP range to be more suitable to your own organization's network structure. Just regex the nmap logfile (I just filtered > to a text file) for 'infected' and you'll get a list of IPs to deploy network agents to.

This microsoft KB article helped nail down preventing the spread internally over shares/usb:
http://support.microsoft.com/kb/962007

Basically summarized you make group policies to:
- Prevent access for ALL (yes including admins) to netsvcs registry value to prevent randomly named services from being put into queue
- Prevent access for ALL to %windir%\Tasks to stop infection tasks from being created
- Turn off USB autoplay

The first two are obviously not long-term desirable settings, but are working pretty well at preventing the spread in the here and now. I'll give it a couple of days and turn them back on.

Thanks a lot for the help billwh0re, and again hope this helps somebody.
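An added example, not code from the thread or from the nmap project: a small Python parser for the normal (-oN) output of the nmap command above that pulls out the hosts either script reported as Likely INFECTED, plus the hosts that are still clean but report MS08-067 VULNERABLE (the ones to patch first). The embedded log is constructed to mimic the wording of the smb-check-vulns and p2p-conficker scripts, not captured from a real scan, and the parser assumes that wording.

```python
import re
from typing import Dict, List

# Constructed sample of nmap normal output (-oN). The script result lines copy
# the wording nmap's smb-check-vulns and p2p-conficker scripts print, and the
# third host uses the older "Interesting ports on" header that nmap 4.x wrote,
# but none of this was captured from a real scan.
SAMPLE_NMAP_LOG = """\
Nmap scan report for 10.0.0.11
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|_  Conficker: Likely INFECTED
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 44329/tcp): INFECTED (Received valid data)
|   Check 2 (port 33824/tcp): INFECTED (Received valid data)
|   Check 3 (port 31380/udp): INFECTED (Received valid data)
|   Check 4 (port 52600/udp): INFECTED (Received valid data)
|_  4/4 checks are positive: Host is likely INFECTED

Nmap scan report for 10.0.0.12
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|_  Conficker: Likely CLEAN
| p2p-conficker:
|_  0/4 checks are positive: Host is CLEAN or may be on port other than 44329/33824

Interesting ports on 10.0.0.13:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|_  Conficker: Likely CLEAN
"""

# nmap 5+ writes "Nmap scan report for X"; nmap 4.x wrote "Interesting ports on X:".
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on)\s+(\S+?):?(?:\s|$)")
# smb-check-vulns reports "Conficker: Likely INFECTED"; p2p-conficker sums its
# four probes into "N/4 checks are positive: Host is likely INFECTED".
SMB_INFECTED_RE = re.compile(r"Conficker:\s*Likely INFECTED")
P2P_INFECTED_RE = re.compile(r"checks are positive:.*INFECTED")
MS08_067_RE = re.compile(r"MS08-067:\s*VULNERABLE")


def parse_nmap_log(text: str) -> Dict[str, Dict[str, bool]]:
    """Group script results per host: {ip: {"infected": bool, "unpatched": bool}}."""
    hosts: Dict[str, Dict[str, bool]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"infected": False, "unpatched": False}
            continue
        if current is None:
            continue  # nmap banner lines before the first host block
        if SMB_INFECTED_RE.search(line) or P2P_INFECTED_RE.search(line):
            hosts[current]["infected"] = True
        if MS08_067_RE.search(line):
            hosts[current]["unpatched"] = True
    return hosts


def infected_hosts(text: str) -> List[str]:
    """IPs to push the removal agent to, sorted so the worklist is stable."""
    return sorted(ip for ip, r in parse_nmap_log(text).items() if r["infected"])


def unpatched_clean_hosts(text: str) -> List[str]:
    """Hosts not flagged as infected but still missing MS08-067: patch these first."""
    return sorted(ip for ip, r in parse_nmap_log(text).items()
                  if r["unpatched"] and not r["infected"])


if __name__ == "__main__":
    print("infected:", infected_hosts(SAMPLE_NMAP_LOG))
    print("unpatched but clean:", unpatched_clean_hosts(SAMPLE_NMAP_LOG))
```

Feed it a real log with `python3 parse.py < scan.txt` after swapping the constant for `sys.stdin.read()`; the per-host dictionary also lets you diff two scans to confirm the infected count is actually falling.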

Queen of Beans
Jun 15, 2007
My parents' PC has picked up a horrible little SuperAntiSpyware 2010 infection, claiming that they have 38 trojans and really should input their credit card details to get rid of them. I have no idea how to get rid of it. They had AVG and Spybot installed originally, but both were uninstalled when I came to it. I ran MalwareBytes and, as far as I know, that gets rid of it completely; subsequent scans with both MalwareBytes and Spybot report that it's clean, so I installed Avast, set Avast and MalwareBytes to scan every day and left them to it.

A few days later, it was reinfected, Avast and Spybot had been uninstalled, MalwareBytes was still installed but it crashed whenever I tried to scan. I took the PC home and ran a full scan of their HDD with ClamAV. That removed it, so I booted it up and scanned with MalwareBytes, Spybot and Avast and it came up clean.

Now they have it again, and I just can't figure out how the gently caress they keep on being reinfected or how it comes back again.

The first, last (and possibly the second) times it has popped up, when the PC boots it tries to install an app called "PhotoGallery" from what looks like a MSI installer, but it stops part of the way through and asks for a disk to be inserted in drive "\" and never goes further. I used FileMon to find the file and delete it, and quizzed the family to make sure they hadn't tried to install anything.

At this point, I figure it has to be something nasty installed on a peripheral device (though they all swear after the 2nd time that they haven't plugged anything in) - there are 2 ipods, 2 digicams and a handful of USB memory sticks hanging around, but Autorun is disabled so I really don't think that's the problem.

Does anyone have any idea how I can get rid of it and stop it from ever coming back?

River Raid
Apr 2, 2004

GODDAMN I AM A HUGE MORON! WITH A JETPLANE OF STUPID!

hobofood posted:

My parents' PC has picked up a horrible little SuperAntiSpyware 2010 infection, claiming that they have 38 trojans and really should input their credit card details to get rid of them. I have no idea how to get rid of it. They had AVG and Spybot installed originally, but both were uninstalled when I came to it. I ran MalwareBytes and, as far as I know, that gets rid of it completely; subsequent scans with both MalwareBytes and Spybot report that it's clean, so I installed Avast, set Avast and MalwareBytes to scan every day and left them to it.

A few days later, it was reinfected, Avast and Spybot had been uninstalled, MalwareBytes was still installed but it crashed whenever I tried to scan. I took the PC home and ran a full scan of their HDD with ClamAV. That removed it, so I booted it up and scanned with MalwareBytes, Spybot and Avast and it came up clean.

Now they have it again, and I just can't figure out how the gently caress they keep on being reinfected or how it comes back again.

The first, last (and possibly the second) times it has popped up, when the PC boots it tries to install an app called "PhotoGallery" from what looks like a MSI installer, but it stops part of the way through and asks for a disk to be inserted in drive "\" and never goes further. I used FileMon to find the file and delete it, and quizzed the family to make sure they hadn't tried to install anything.

At this point, I figure it has to be something nasty installed on a peripheral device (though they all swear after the 2nd time that they haven't plugged anything in) - there are 2 ipods, 2 digicams and a handful of USB memory sticks hanging around, but Autorun is disabled so I really don't think that's the problem.

Does anyone have any idea how I can get rid of it and stop it from ever coming back?


It's most likely Vundo. Go to http://vundofix.atribune.org/ and download vundofix; hopefully this will kill it for you.

Independence
Jul 12, 2006

The Wriggler

hobofood posted:

My parents' PC has picked up a horrible little SuperAntiSpyware 2010 infection, claiming that they have 38 trojans and really should input their credit card details to get rid of them. I have no idea how to get rid of it. They had AVG and Spybot installed originally, but both were uninstalled when I came to it. I ran MalwareBytes and, as far as I know, that gets rid of it completely; subsequent scans with both MalwareBytes and Spybot report that it's clean, so I installed Avast, set Avast and MalwareBytes to scan every day and left them to it.

Does anyone have any idea how I can get rid of it and stop it from ever coming back?

Combofix should nuke it. It's probably from a web ad in yahoo mail.

Queen of Beans
Jun 15, 2007

River Raid posted:

It's most likely Vundo. Go to http://vundofix.atribune.org/ and download vundofix; hopefully this will kill it for you.

Independence posted:

Combofix should nuke it. It's probably from a web ad in yahoo mail.

AFAIK none of my family use Yahoo for anything at all - I think hotmail is the tool of choice for lovely web-based email, they did originally have outdated versions of Java and Flash, but I fixed those after the first infection. Anything else in particular I should make sure is up to date?

I'll try Vundofix and Combofix on Saturday. Is there anything else that they should have sitting around to stop this from ever happening again in the future?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

hobofood posted:

The first, last (and possibly the second) times it has popped up, when the PC boots it tries to install an app called "PhotoGallery" from what looks like a MSI installer, but it stops part of the way through and asks for a disk to be inserted in drive "\" and never goes further. I used FileMon to find the file and delete it, and quizzed the family to make sure they hadn't tried to install anything.

Welcome to the wonderful world of hating the gently caress out of Hewlett-Packard, because that's one of theirs.

-Dethstryk-
Oct 20, 2000

hobofood posted:

AFAIK none of my family use Yahoo for anything at all - I think hotmail is the tool of choice for lovely web-based email, they did originally have outdated versions of Java and Flash, but I fixed those after the first infection. Anything else in particular I should make sure is up to date?

I'll try Vundofix and Combofix on Saturday. Is there anything else that they should have sitting around to stop this from ever happening again in the future?
This kind of crap will get on a casual PC user's machine no matter what. I haven't seen a single AV solution work effectively against this because of how rapidly these things change.

And it doesn't have to be Yahoo. These things come from plenty of sources. Just make sure you update Flash and Java to the latest versions, and if they use Adobe Reader, update to the latest point release.

Otacon
Aug 13, 2002


-Dethstryk- posted:

This kind of crap will get on a casual PC user's machine no matter what. I haven't seen a single AV solution work effectively against this because of how rapidly these things change.

And it doesn't have to be Yahoo. These things come from plenty of sources. Just make sure you update Flash and Java to the latest versions, and if they use Adobe Reader, update to the latest point release.

Came across a Rogue Antivirus today at work that would blue screen on Safe Mode, but let you into Windows normally. All EXE, BAT and DLL associations were changed and no longer allowed to run - I'd try launching Combofix, and Windows would ask me "Please choose a program to run this Application." Found some registry tweaks online, installed those, and finally ComboFix came up with about 25 infected GIF files sitting in System32/Config - turns out whatever this Rogue AV included allowing GIF files to be run as programs.

The culprit? A single PDF file sitting in the dude's My Documents.

I loving HATE Adobe based solely on their response to this issue.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

hobofood posted:

AFAIK none of my family use Yahoo for anything at all - I think hotmail is the tool of choice for lovely web-based email, they did originally have outdated versions of Java and Flash, but I fixed those after the first infection. Anything else in particular I should make sure is up to date?

I'll try Vundofix and Combofix on Saturday. Is there anything else that they should have sitting around to stop this from ever happening again in the future?

The last time I dealt with SuperAntiSpyware it was coming in through a Java exploit, so you might be part of the way there already. Combofix is pretty good though if I'm in a bind I usually just fake it and boot to recovery console and dir *.exe, .dll, and .dat in system32. From there you can kill all of the randomly named files that have been created in the last few days. Boot again and trim out the fat with hijack this. (note: should probably only do this if you've almost memorized all the "legit" system32 files like I have from having to deal with it so often)


Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Scaramouche posted:

SuperAntiSpyware

Erm.
