FCKGW
May 21, 2006

Ensign Expendable posted:

Most of the time Virut digs in so deep that purging all infected files renders the system unusable. You pretty much have to reinstall after that anyway.

It's really fun when you run ComboFix on a particularly bad infection and you start seeing things like:

*Scanned Notepad.exe - File Infected - Action Taken: Deleted
*Scanned IExplore.exe - File Infected - Action Taken: Deleted
*Scanned Freecell.exe - File Infected - Action Taken: Deleted
*Scanned ccSvcHst.exe - File Infected - Action Taken: Deleted
*Scanned Explorer.exe - File Infected - Action Taken: Deleted

Whoops! Powerful program but you really have to be careful.

Oddhair, if you catch it early enough and it hasn't really spread, you're probably fine. My opinion though is that I can never trust that computer again. Flatten and reinstall is the option for ALL virus problems as far as I'm concerned.


BillWh0re
Aug 6, 2001


Oddhair posted:

I had posted earlier in the thread about finding a computer which had files infected with Virut, but not many. I scanned offline on a different, plain-Jane XP machine I keep off my network just for that kind of thing, and cleaned it up pretty well, and then did a repair install. It seems fine, even now months later. I keep thinking there's some glaring hole in my knowledge that I'm overlooking, like the blind spot in each eye. I should be good, though right?

Virut is easy to remove as long as it's not active while you're doing it, and as long as you don't care about system files being slightly different compared to the original versions when it's all done.

Jihad Me At Hello
Apr 23, 2002

What if there was a virus that helped your computer? Wouldn't that be pretty crazy?

Midelne
Jun 19, 2002


Jihad Me At Hello posted:

What if there was a virus that helped your computer? Wouldn't that be pretty crazy?

Well, Conficker does patch a vulnerability...

Axel Rhodes Scholar
May 12, 2001


Jihad Me At Hello posted:

What if there was a virus that helped your computer? Wouldn't that be pretty crazy?

http://en.wikipedia.org/wiki/Welchia

CraigK
Nov 4, 2008

I'm just waiting for viruses that can survive a format c:\ *.* /y.

fishmech
Jul 16, 2006


CraigK posted:

I'm just waiting for viruses that can survive a format c:\ *.* /y.

So any virus that is on A, B, or D-Z? :v:

EMILY BLUNTS
Jan 1, 2005

You know how in the fine print household cleaners say you need to soak it on the surface for 30 seconds to really kill bacteria? Well, if you haven't done a 3-pass wipe it's possible that your computer could become breeding ground for format-resistant superviruses!

BillWh0re
Aug 6, 2001


CraigK posted:

I'm just waiting for viruses that can survive a format c:\ *.* /y.

Mebroot/Sinowal already does. It loads its driver through an infected MBR and the driver itself is stored beyond the end of the last partition on the drive. Some versions also have a nasty bug in their stealthing code that will crash a lot of raw disk reading applications (such as hex editors) if they try to read the first few sectors of the disk.

Jetsetlemming
Dec 31, 2007


BillWh0re posted:

Mebroot/Sinowal already does. It loads its driver through an infected MBR and the driver itself is stored beyond the end of the last partition on the drive. Some versions also have a nasty bug in their stealthing code that will crash a lot of raw disk reading applications (such as hex editors) if they try to read the first few sectors of the disk.
Would this survive a format of the entire hard drive? When I installed Ubuntu last week I had it remove the NTFS partition and create a new ext4 one over it, that wouldn't leave anything at all on the hard drive, right?

BillWh0re
Aug 6, 2001


Jetsetlemming posted:

Would this survive a format of the entire hard drive? When I installed Ubuntu last week I had it remove the NTFS partition and create a new ext4 one over it, that wouldn't leave anything at all on the hard drive, right?

Assuming you were infected before (which I assume you aren't but hypothetically...): If you installed Ubuntu then the Ubuntu installer would have overwritten the MBR with Grub. However, if you set up Grub to dual-boot Windows it might have created a copy of the infected Windows MBR somewhere (not sure if the Ubuntu installer supports this or not). Also, assuming your partitions were the same size, the virus code at the end of the disk is probably untouched as it's not actually inside the NTFS partition -- it's just after it. But it doesn't load on anything except Windows anyway so you don't really need to care.

Tapedump
Aug 31, 2007
How effective would fixmbr be on Sinowal?

BillWh0re
Aug 6, 2001


Tapedump posted:

How effective would fixmbr be on Sinowal?

If you can get into the recovery console it works, but in a lot of cases it seems that the recovery console hangs while loading, even if you boot from the Windows install CD.

Bootable linux and dd is the easiest solution, as the original MBR is saved just past the end of the last partition (directly before the Sinowal driver module) and if you copy it back everything should be fine.
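As an added example (not code from this thread or from any of the posters), a small Python script that does offline what the dd step above describes: it parses the MBR partition table of a raw disk image, computes the first sector past the last partition, and scans the unpartitioned tail for a sector that ends in the 0x55AA boot signature and carries the same partition table as sector 0, which is what a saved copy of the original MBR looks like. The exact offsets Sinowal uses are not given in the thread, so the image layout here is constructed for the demo.

```python
"""Locate a saved copy of the original MBR past the last partition of a raw disk image."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
PART_TABLE_OFF = 446          # four 16-byte primary partition entries start here


def parse_partitions(sector: bytes) -> list:
    """Return (start_lba, sector_count) for each non-empty primary partition entry."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        ptype = sector[off + 4]                       # partition type byte
        start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0 and count != 0:
            parts.append((start, count))
    return parts


def last_partition_end(mbr: bytes) -> int:
    """First LBA after the last primary partition; 0 if the table is empty."""
    return max((s + c for s, c in parse_partitions(mbr)), default=0)


def find_saved_mbr(image: bytes) -> list:
    """Scan the unpartitioned tail for sectors that look like a copy of sector 0.
    A candidate ends in the 0x55AA boot signature and carries the same partition
    table as the active MBR but different bytes elsewhere (i.e. different boot code)."""
    active = image[:SECTOR]
    hits = []
    for lba in range(last_partition_end(active), len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if (sec[510:512] == BOOT_SIG and sec != active
                and parse_partitions(sec) == parse_partitions(active)):
            hits.append(lba)
    return hits


def restore_mbr(image: bytes, lba: int) -> bytes:
    """Copy the whole 512-byte sector at `lba` back over sector 0 (what the dd step does)."""
    saved = image[lba * SECTOR:(lba + 1) * SECTOR]
    return saved + image[SECTOR:]


def build_demo_image() -> bytes:
    """Constructed demo image: one NTFS partition at LBA 63..2047, a saved copy of the
    original MBR at LBA 2048, then four sectors standing in for a driver blob."""
    def mbr(code_byte: int) -> bytes:
        m = bytearray(SECTOR)
        m[:440] = bytes([code_byte]) * 440        # boot code area
        struct.pack_into("<B3sB3sII", m, PART_TABLE_OFF,
                         0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 2048 - 63)
        m[510:512] = BOOT_SIG
        return bytes(m)
    original, infected = mbr(0x90), mbr(0xCC)     # same table, different boot code
    image = bytearray(infected) + bytes(SECTOR * 2047)   # infected sector 0 + partition area
    return bytes(image) + original + b"\xAB" * (SECTOR * 4)


if __name__ == "__main__":
    demo = build_demo_image()
    print("saved MBR candidates past last partition:", find_saved_mbr(demo))   # [2048]
```

On a real drive the same functions work on the first few MiB past the last partition read with dd from a live Linux system; the partition-table comparison is what separates a saved MBR from arbitrary leftover sectors.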

Lysidas
Jul 26, 2002


Jetsetlemming posted:

Would this survive a format of the entire hard drive? When I installed Ubuntu last week I had it remove the NTFS partition and create a new ext4 one over it, that wouldn't leave anything at all on the hard drive, right?
When I was using my server as a desktop machine (~5 years ago), I installed and reinstalled a dozen or so operating systems: Windows XP, a few Linux distributions, FreeBSD, a hacked/leaked x86 build of OS X, etc. I did all of this without disturbing a Gentoo system through some creative partitioning. At a certain point, Windows would simply not boot with that partition table ever again. When I reloaded everything from scratch, I zeroed the first megabyte or so of the hard drive and everything was squeaky clean.

If I'm switching operating systems (Windows <-> Linux) or reinstalling Windows if it's the only operating system on the machine, I almost always boot from a Linux something-or-other and do
code:
dd if=/dev/zero of=/dev/sda bs=1024 count=1024
Deleting a partition and creating a new one (or two or three) does not erase the partition table, but this isn't necessary except in extreme situations. I got into the habit of zeroing partition tables and MBRs a long time ago and it has never steered me wrong.

MentalStaples
Sep 25, 2007
I'm trying to help my boyfriend get rid of a virus on his computer. I was checking QCS since we're thinking he got it from an ad, possibly here or facebook, and it seems like a few other people had similar issues and had a few suggestions, and someone suggested that I come here to ask. One problem is that we are currently 4 hours away, so I need to relay this stuff over phone or text message and neither of us knows a lot about computers. It is not letting him run his virus check in regular Windows XP, so he went into Safe Mode and he said it would only check command lines, but all it came up with was a few .dat files.

I've never had a virus that I couldn't just clear up by running my antivirus software. He has a free version of Symantec we got from school. I've heard AVG is pretty good, and possibly better, so I guess getting that once this clears up. I'm sorry that I can't explain this too well, but please provide any suggestions you can and I will try to answer any questions. Thanks.

Ensign Expendable
Nov 11, 2008

Yeah, a bunch of people are getting these. I've been hit twice so far, but Avast! intercepted it both times. From what I saw, it looked like a JavaScript thing that tried to start up Acrobat Reader. Avast killed it before it finished, so all I got was the Visual Studio debugger message about it.

Anyway, Symantec sucks. Use MalwareBytes AntiMalware to clean up most of it and then scan with Avast to clean up the remains, if any. Both of those are free, and if the malware won't let you run them, just rename the executable.

MentalStaples
Sep 25, 2007
He tried to rename the exe to get MalwareBytes to run, but he gets the message "The name ____ in the target box is not valid. Make sure the path and file name are correct." Is he trying to rename the wrong file? Or what else could be causing that?

Jetsetlemming
Dec 31, 2007


MentalStaples posted:

He tried to rename the exe to get MalwareBytes to run, but he gets the message "The name ____ in the target box is not valid. Make sure the path and file name are correct." Is he trying to rename the wrong file? Or what else could be causing that?
Is he renaming the exe and then trying to run it through the desktop shortcut? The desktop shortcut points at a specific file name and path (for example C:\Program Files\Malwarebytes\Malwarebytes.exe or whatever). If the exe is renamed, then the shortcut no longer points to it, just what it used to be. Tell him to double click the Malwarebytes exe directly.

MentalStaples
Sep 25, 2007
He renamed the mbam file in the program files folder and says that it still won't open and that it pops up an error saying that the file is infected. When he tried to open it in Safe Mode, he got a run time error. What could fix this?

Edit: He's trying to get CCleaner to work, since it seems like runtime errors mean you might need a registry cleaner but that's not running either.

MentalStaples fucked around with this message at 04:36 on Nov 27, 2009

Ensign Expendable
Nov 11, 2008

If you're desperate, get ComboFix and run that. It will ruthlessly exterminate every last remnant of that virus. Unfortunately if you're not careful or if the infection is too deep it will take down a lot of vital system files as well.

Capnbigboobies
Dec 2, 2004
Combofix is such an amazing tool. I really don't know where I would be without it. I am almost at the point now that if Combofix and a virus scan won't 100% fix it, I'll just flatten and reinstall the machine. It's faster that way anyhow.

Also why are people still using Avast! (?) Isn't MSE overall a much better antivirus?

Is it because people still roll their eyes when they think 'Microsoft' and 'security?' MSE scores very well on those AV comparative websites and seems to perform pretty much just as well as any of the paid AV applications.

MSE is great, it's like the best product ever for non-computer savvy people. It just chills in the tray and won't bug the user unless something is wrong. And unlike other free AV programs it won't have popup banners or crappy interfaces to confuse a novice user. I say the only thing to knock it on is that it uses up a lot of RAM. I think around 50 MB. Oh well, RAM is as cheap as dirt these days and even a new middle of the line HP comes with 6 GB of RAM.

ymgve
Jan 2, 2004



Capnbigboobies posted:

Combofix is such an amazing tool. I really don't know where I would be without it. I am almost at the point now that if Combofix and a virus scan won't 100% fix it, I'll just flatten and reinstall the machine. It's faster that way anyhow.

Also why are people still using Avast! (?) Isn't MSE overall a much better antivirus?

Is it because people still roll their eyes when they think 'Microsoft' and 'security?' MSE scores very well on those AV comparative websites and seems to perform pretty much just as well as any of the paid AV applications.

MSE is great, it's like the best product ever for non-computer savvy people. It just chills in the tray and won't bug the user unless something is wrong. And unlike other free AV programs it won't have popup banners or crappy interfaces to confuse a novice user. I say the only thing to knock it on is that it uses up a lot of RAM. I think around 50 MB. Oh well, RAM is as cheap as dirt these days and even a new middle of the line HP comes with 6 GB of RAM.

MSE is apparently not available outside the US.

Cross-Section
Mar 18, 2009

So my (Windows XP) laptop is a bit of a clunker and is, when shutting down, confronted with quite a few "End Now/Cancel" windows. This time, however, a window popped up for a certain "n.exe".

Curious, I entered this file name into Google Search and unsurprisingly it turns up a definition for a virus/trojan file. I've run multiple virus scans (Norton Antivirus) since then, all of which have turned up nothing.

Also, earlier this week, Auto-Protect caught, quarantined, and deleted a Trojan Downloader file. Could these two have any relation, and if so, why am I dealing with a trojan file that seemingly has already been deleted?

Capnbigboobies
Dec 2, 2004

ymgve posted:

MSE is apparently not available outside the US.

Using a UK proxy the download link comes up just fine. Also it's pretty trivial to just download it off Softpedia.

GROVER CURES HOUSE
Aug 26, 2007


ymgve posted:

MSE is apparently not available outside the US.

I got it just fine from the EU. :confused:

Saukkis
May 16, 2003


Broken Knees Club posted:

I got it just fine from the EU. :confused:
I think there was some wonkiness depending on your browser's language settings. IIRC, when I tried to download it with Opera it complained it wasn't available in my country, but either IE or Firefox worked. Try setting the language to US English.

Seat Safety Switch
May 27, 2008


Saukkis posted:

I think there was some wonkiness depending on your browser's language settings. IIRC, when I tried to download it with Opera it complained it wasn't available in my country, but either IE or Firefox worked. Try setting the language to US English.
Opera seems to act weird with sites that do language autodetect; Xbox Live, for instance, keeps thinking I'm Japanese.

ymgve
Jan 2, 2004


Well, that explains it then. Carry on.

Jetsetlemming
Dec 31, 2007


Avira just released an Antivir update that flags uTorrent in all forms, including the installer directly from their website, as a trojan called "TR/Ag.289584.AA".
http://forum.avira.com/wbb/index.php?page=Thread&postID=883032&s=b3a3a06a05f4a6f1733fb8d964720f382c65d059
:negative:
First time I've heard Antivir bug me about anything at all since I installed it. Goddamn that bleep noise it uses to alert you is annoying.

Stanley Pain
Jun 16, 2001

Yeah, and the latest Dragon Age .exe gets flagged as well :(

stay depressed
Sep 30, 2003


MentalStaples posted:

He renamed the mbam file in the program files folder and says that it still won't open and that it pops up an error saying that the file is infected. When he tried to open it in Safe Mode, he got a run time error. What could fix this?

Edit: He's trying to get CCleaner to work, since it seems like runtime errors mean you might need a registry cleaner but that's not running either.

On XP go to

C:\Documents and Settings\{your name}\Local Settings\Application Data

if you can't see it... it's hidden so enable hidden files/folders.

Look for a folder with a randomly generated sequence of letters (e.g. gkhsds); it may be closer to English, or look like something real. The tipoff is that the folder will have one .exe file in it. Open Run and type 'tskill (name of exe)'. tskill will try to kill the process before the process kills tskill, so you might need to do it a few times before it takes. Once that process dies it will allow you to clean with Malwarebytes, etc.

I have to do this all the time to fix infected computers after-hours when I can't be there physically to reboot into safe mode or do other tricks.

Assepoester
Jul 18, 2004

Jetsetlemming posted:

Avira just released an Antivir update that flags uTorrent in all forms, including the installer directly from their website, as a trojan called "TR/Ag.289584.AA".
http://forum.avira.com/wbb/index.php?page=Thread&postID=883032&s=b3a3a06a05f4a6f1733fb8d964720f382c65d059
:negative:
First time I've heard Antivir bug me about anything at all since I installed it. Goddamn that bleep noise it uses to alert you is annoying.
Doesn't uTorrent use some sort of executable packing/compression which could potentially set off red flags as many viruses/trojans do it too? I remember reading something about that and how it could potentially set off false positives a long time ago, even if it didn't back then.

Zwabu
Aug 7, 2006

What's up with Microsoft Security Essentials? Are they trying to wipe out Norton, McAfee etc. then start charging money once they are all dead?

kapinga
Oct 12, 2005


Zwabu posted:

What's up with Microsoft Security Essentials? Are they trying to wipe out Norton, McAfee etc. then start charging money once they are all dead?

Try to make it so people don't instantly assume that all Windows machines are virus infested? Besides, tons of people will continue to rely on McAfee and Symantec because free products can't possibly compete, right?

MS knows they will get smacked to hell and back if they try to strong-arm the market.

Ensign Expendable
Nov 11, 2008

Well, IE killed browser sales, maybe they're trying to kill antivirus sales?

fishmech
Jul 16, 2006


Ensign Expendable posted:

Well, IE killed browser sales, maybe they're trying to kill antivirus sales?

They're trying to kill lovely "free" antivirus. Their attempt to kill paid antivirus ended back in summer when OneCare was canceled.

Ensign Expendable
Nov 11, 2008

Hopefully this results in a decline of Antivirus_2009_XP_Pro_weswearitsreal.notmalware.exe infestation. At least some users might think twice before downloading random stuff if they know they have an antivirus already.

PopeOnARope
Jul 23, 2007


Ensign Expendable posted:

Hopefully this results in a decline of Antivirus_2009_XP_Pro_weswearitsreal.notmalware.exe infestation. At least some users might think twice before downloading random stuff if they know they have an antivirus already.

I don't think it'd really help. You can tell people a thousand times that they have an antivirus, give them all the best tools to scan their systems, but nope, when it comes down to it, that little gif is still blinking... YOU HAVE 59 INFECTED FILES! INSTALL RETARD RAPER PRO TO REMOVE THEM NOW BEFORE ALL OF YOUR PERSONAL INFORMATION IS STOLEN!!!

I really have had customers bring back systems, telling me "it has a virus", the knowledge of which comes from one of these antivirii. We usually try to explain why they're stupid before telling them to get out.

brc64
Mar 21, 2008


fishmech posted:

They're trying to kill lovely "free" antivirus. Their attempt to kill paid antivirus ended back in summer when OneCare was canceled.
I played with OneCare when it was in testing but never really cared for it, certainly not enough to spend money on it. I like Essentials well enough, though. It's quiet and unobtrusive. I still have no idea how "good" it is, but then I never really got any warnings from AVG, either.


Diocletian
Jul 4, 2003
Combofix needs to be able to work on Win7 64-bit, dammit. Or at least something comparable should work. Malwarebytes and MSE are OK, but I don't like to rely on just those two.
