|
Diocletian posted:Combofix needs to be able to work on Win7 64-bit damnit. Or at least something comparable should work, Malwarebytes' and MSE are ok, but I don't like to rely on just those two. I am not aware of anything that would infect an x64 system that would require Combofix to remove. Combofix works on 32-bit systems only.
|
# ? Dec 9, 2009 21:59 |
|
|
So the other day MSE popped up with a warning that one of my buddies on aim (which one I do not know) had some sort of exploited .jpeg. I imagine this was a false positive. I wanted to run it through virus total, but I was too lazy and just let MSE delete it.
|
# ? Dec 10, 2009 04:38 |
|
Capnbigboobies posted:So the other day MSE popped up with a warning that one of my buddies on aim (which one I do not know) had some sort of exploited .jpeg. I had this problem the other day with a collection of PNG/GIF and PDF files. I doubt they had any problems but they weren't important enough to save.
|
# ? Dec 10, 2009 05:11 |
|
Is there anything out there to kind of assist with tracking where an end user may have gotten a virus/spyware? We've been getting a massive rash of people infected by the fake antivirus programs. Most of them have disabled task manager or close out task manager, CMD, and MSCONFIG before I can do anything. We've got a student body of about 600 that are responsible for keeping and maintaining their laptops for exams but they're not. None of the students remember when/where it came from, only that it just showed up.
|
# ? Dec 10, 2009 20:51 |
|
n0manarmy posted:Is there anything out there to kind of assist with tracking where an end user may have gotten a virus/spyware?
|
# ? Dec 11, 2009 15:48 |
|
I got myself infected with an interesting one, two days ago:
1) Firefox crashed with an error message after I clicked on a link.
2) After that Firefox starts with its crash dialog, but you can't get it to restart properly. The crash dialog is the only thing you get to see in Firefox, even after a complete full reinstall.
3) If I try to open Opera, Internet Explorer opens, but its complete execution is blocked by Windows. ('Datenausführungsverhinderung', I dunno how it's called in English.)
4) I can't restart or shutdown the PC with the Windows menu.
5) Pushing the power button in front of the case doesn't work anymore. (3 second push unsurprisingly still works.)
6) Malwarebytes and Avast can still scan the computer, but they crash if I try to remove the infected files.
I did a scan with an Ubuntu Live CD and ClamAV after using the power switch on the back: All my important measurement data disks are completely unaffected. Phew. I sadly can't access the system disk and thus cannot scan it. Some NTFS stuff going on... I'm already reinstalling and the only thing I lost is time to measure new data. But gently caress was this strange. Hungry Gerbil fucked around with this message at 10:34 on Dec 12, 2009 |
# ? Dec 12, 2009 10:28 |
|
Hungry Gerbil posted:Datenausführungsverhinderung DEP, apparently. Sorry it didn't protect your system disk.
|
# ? Dec 12, 2009 10:39 |
|
Ah, thanks.
|
# ? Dec 12, 2009 10:42 |
|
So what is the best way to scan an XP machine infected by a Virus/Rootkit/Trojan these days? Does booting into safe mode and installing some scanner actually help anymore? If so, what scanner? And what is the best Live CD for virus scanning right now?
|
# ? Jan 4, 2010 17:51 |
|
Fehler posted:So what is the best way to scan an XP machine infected by a Virus/Rootkit/Trojan these days? Does booting into safe mode and installing some scanner actually help anymore? If so, what scanner? Copy the data you need from it, cleanse the drive with fire, and put the data back when it's clean. Now, if that (two hour) procedure isn't an option, then it's generally recommended to use things like MalwareBytes, SuperAntiSpyware, and Combofix to mop up the mess. I'm unsure in the way of live CDs (I can just pull the drives, so they're moot). Note: One thing that REALLY helps disinfection is if you have safe mode access. Go in there, clear out the temp and temporary internet files folders, open up MSConfig and disable EVERYTHING, and then look for abnormalities - go kill those by hand. Then check the services list for anything abnormal. That should help deal with a lot of more minor infections. PopeOnARope fucked around with this message at 18:10 on Jan 4, 2010 |
# ? Jan 4, 2010 18:07 |
|
Fehler posted:So what is the best way to scan an XP machine infected by a Virus/Rootkit/Trojan these days? Does booting into safe mode and installing some scanner actually help anymore? If so, what scanner? If you can get your hands on it, the Geek Squad MRI CD is very very useful. There's a component you can run inside Windows to clean out temp files, disable startup items, do common Windows fixes (winsock reset, fix automatic updates if they've stopped working right, etc), and that sort of stuff. If the system isn't too far gone, it'll also let you start up the automated scanner (FACE), which downloads updates for the like 6 AV scanners it comes with, then reboots from the CD and scans the system with all the scanners; you can also have it run a chkdsk/defrag, do hardware diags, and so on but I usually skip those when I'm using it for virus cleanup. If you can't get into the system normally (or whatever nasty is preventing you from downloading the latest definitions), you can always run it on a clean PC and then download the updates to a thumbdrive. Then you can boot from the CD and start the scan from there, and it will automatically use the definitions from the thumbdrive. I still run SUPER/MBAM after the MRI CD has done its work, but usually all those find are stray registry entries or empty folders.
|
# ? Jan 4, 2010 18:25 |
|
I'm a huge fan of the Ultimate Boot CD for Windows. It has several antivirus/antispyware programs and a bunch of other maintenance utilities. Safe mode is better than the normal environment, but I've found that it's usually completely useless for any kind of advanced infection.
|
# ? Jan 4, 2010 19:24 |
|
Is anyone aware of anything that's come out recently that infects c:\windows\system32\smss.exe as well as the backup copies in c:\windows\repair\smss.asr and c:\windows\servicepackfiles\i386\smss.exe? I'm trying to figure out if a situation I encountered yesterday afternoon/this morning is a false positive or a new virus that's just hitting the scene. I had a couple machines in to have other work done on them, and as part of my standard operating procedure I've started scanning anything that comes in with FACE even if it's not showing any symptoms of infection. Well, on the two systems I scanned yesterday, McAfee VirusScan (with definition version v5866 from yesterday) flagged those three files as being infected with "Generic Downloader.ab" and deleted them. That, of course, led to a nice SESSION3_INITIALIZATION_FAILED blue screen when I rebooted them. Luckily, copying smss.exe from a working XP machine back into c:\windows\system32 got the systems to boot properly again.
|
# ? Jan 20, 2010 17:25 |
|
chizad posted:Is anyone aware of anything that's come out recently that infects c:\windows\system32\smss.exe as well as the backup copies in c:\windows\repair\smss.asr and c:\windows\servicepackfiles\i386\smss.exe? I'm trying to figure out if a situation I encountered yesterday afternoon/this morning is a false positive or a new virus that's just hitting the scene. http://www.virustotal.com will give you a wider perspective on the situation if you can manage to upload a copy of the potentially infected file. If it's already gone that link won't help much.
|
# ? Jan 20, 2010 17:27 |
|
Midelne posted:http://www.virustotal.com will give you a wider perspective on the situation if you can manage to upload a copy of the potentially infected file. If it's already gone that link won't help much. VirusScan just straight deleted the files, so yeah, that doesn't really do me any good. :/ I'm heavily leaning towards false positive, since McAfee is the 4th or 5th scanner the MRI disc runs and nothing that ran before it had any problems with smss.exe.
|
# ? Jan 20, 2010 18:01 |
|
You know, guys, I'm pretty worried about our phone company. My wife began working at one of our phone companies here at the call-center, where she noticed that all computers not only allow the users easy access to client data (including stuff that in Brazil is like the Americans' social security number), but also run loving Windows 2000. They're also some truly jurassic Compaqs and don't seem to have any internet use restrictions. So any worker there can haplessly browse facebook, myspace, orkut, youtube, etc. Now, say someone enters a sketchy site or passes by some sketchy ad (oh, did I mention they run IE?), what are the odds some malware could install itself, take over the network and steal quite a bit of client information? Quick Edit: or, to phrase it better, what are the odds something is already there? Granted, it's not credit card information, but still... One would think a serious corporation would have unix/linux machines or at the very least fully patched Windows.
|
# ? Jan 22, 2010 16:24 |
|
Crimsonjewfro posted:What are the odds some malware could install itself, take over the network and steal quite a bit of client information? Probability that this has already occurred is 1, and most organizations with Windows do not appear to understand what Windows Update actually does. And it seems likely that unless they've got people with UNIX/Linux experience that they would find running the usual line of business applications (for Windows) on a UNIX/Linux desktop environment to be rather challenging.
|
# ? Jan 22, 2010 16:47 |
|
Midelne posted:Probability that this has already occurred is 1, and most organizations with Windows do not appear to understand what Windows Update actually does. Yeah, that's what I figured. I'm not much of a computer-savvy guy and I confess having caught my own share of nasty stuff (from Seekmo and Ebates MoeMoneyMaker to Vundo and Conficker... yeah, we learned our lesson already), but a personal computer being hosed up is one thing. But, for a company, this stuff is a real threat. I can't imagine what sort of idiots they have there who think they can save a few bucks by risking it and having old computers with old software. Wanna know what's the funniest part? Their business application isn't even Windows-based, but instead it's one of those ugly-rear end DOS interfaces. I imagine going to work there must feel like walking right back into the 90's again.
|
# ? Jan 22, 2010 18:30 |
|
On the subject of rootkits, the new TDL3 (which is itself the new TDSS) has a really annoying method that it uses to stealth raw disk reads and writes at the sector level. All you see from WinDbg when looking at the disk drivers is this: code:
code:
If you manually inspect the DEVICE_OBJECT and DRIVER_OBJECT structures for those "invalid" devices it's clear that only the Type field has been zeroed. Apparently Windows gives no gently caress about this field despite it being the main way to tell what kind of kernel object you're looking at. WinDbg isn't so carefree, unfortunately. code:
code:
There's a nice writeup of TDL3 here but at the time I write this, it hasn't been updated for this new hooking technique. Still a really interesting read, particularly as the rootkit maintains its own filesystem at the end of the disk -- so it doesn't have to store any component in any "real" files (much like the MBR rootkit).
|
# ? Jan 22, 2010 19:31 |
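The Type-field trick described above (zero Type in DEVICE_OBJECT / DRIVER_OBJECT so that WinDbg calls the object invalid while the kernel keeps using it) is worth having a concrete check for. The block below is an added example written for this page; it is not code from BillWh0re's post or from the TDL3 write-up. It models a 32-bit memory image as a dict of base address to bytes, parses the leading fields of the two structures at their x86 offsets (DEVICE_OBJECT: Type at +0, Size at +2, DriverObject at +8, NextDevice at +0xC; DRIVER_OBJECT: Type at +0, Size at +2, DeviceObject at +4) and walks a driver's device chain. Instead of trusting Type it judges whether an object is real from the fields the I/O manager actually relies on (Size equal to the structure size and a DriverObject back-pointer to the owning driver) and only then reports a zeroed Type as tampering. The structure sizes 0xB8 and 0xA8 (sizeof on 32-bit XP), the addresses and the whole image are assumptions constructed for the example; over a real crash dump you would swap in a proper memory reader for `read()`.

```python
"""Structural check for DEVICE_OBJECT / DRIVER_OBJECT headers whose Type field was zeroed.

Added example for this page (not code from the post or the TDL3 write-up).
Works on a toy 32-bit memory image: a dict mapping base address -> bytes.
Offsets are the x86 layouts of the two structures; the sizes 0xB8 / 0xA8
are sizeof() on 32-bit XP and are an assumption of this model.
"""
import struct

IO_TYPE_DEVICE = 3          # ntddk.h IO_TYPE_DEVICE
IO_TYPE_DRIVER = 4          # ntddk.h IO_TYPE_DRIVER
DEVICE_OBJECT_SIZE = 0xB8   # assumed sizeof(DEVICE_OBJECT), x86 XP
DRIVER_OBJECT_SIZE = 0xA8   # assumed sizeof(DRIVER_OBJECT), x86 XP


def read(mem, addr, size):
    """Read `size` bytes at `addr` from the toy image (dict of base address -> bytes)."""
    for base, blob in mem.items():
        if base <= addr and addr + size <= base + len(blob):
            return blob[addr - base:addr - base + size]
    raise ValueError(f"unmapped address {addr:#x}")


def parse_device_object(mem, addr):
    """DEVICE_OBJECT x86: Type +0 (int16), Size +2 (uint16), ReferenceCount +4,
    DriverObject +8, NextDevice +0xC, AttachedDevice +0x10."""
    typ, size, _refs, drv, nxt, att = struct.unpack("<hHiIII", read(mem, addr, 0x14))
    return {"addr": addr, "Type": typ, "Size": size, "DriverObject": drv,
            "NextDevice": nxt, "AttachedDevice": att}


def parse_driver_object(mem, addr):
    """DRIVER_OBJECT x86: Type +0 (int16), Size +2 (int16), DeviceObject +4."""
    typ, size, dev = struct.unpack("<hhI", read(mem, addr, 8))
    return {"addr": addr, "Type": typ, "Size": size, "DeviceObject": dev}


def classify_device(dev, driver_addr):
    """'ok', 'type-zeroed' (looks real but Type wiped, TDL3 style) or 'unknown'.

    The debugger keys off Type and calls the object invalid; the kernel does not
    need Type here, so realness is judged by Size and the back-pointer instead.
    """
    looks_real = dev["Size"] == DEVICE_OBJECT_SIZE and dev["DriverObject"] == driver_addr
    if not looks_real:
        return "unknown"
    if dev["Type"] == IO_TYPE_DEVICE:
        return "ok"
    if dev["Type"] == 0:
        return "type-zeroed"
    return "unknown"


def walk_device_chain(mem, driver_addr, limit=64):
    """Follow DRIVER_OBJECT.DeviceObject then DEVICE_OBJECT.NextDevice; return [(addr, verdict)]."""
    drv = parse_driver_object(mem, driver_addr)
    if drv["Type"] not in (IO_TYPE_DRIVER, 0) or drv["Size"] != DRIVER_OBJECT_SIZE:
        raise ValueError("address does not look like a DRIVER_OBJECT")
    out, addr = [], drv["DeviceObject"]
    while addr and len(out) < limit:          # limit guards against a looped list
        dev = parse_device_object(mem, addr)
        out.append((addr, classify_device(dev, driver_addr)))
        addr = dev["NextDevice"]
    return out


def build_sample_image():
    """Constructed image: one driver owning two devices; the second has Type zeroed."""
    DRV, DEV1, DEV2 = 0x81A00000, 0x81B00000, 0x81C00000   # made-up kernel addresses

    def device(typ, next_dev):
        hdr = struct.pack("<hHiIII", typ, DEVICE_OBJECT_SIZE, 1, DRV, next_dev, 0)
        return hdr + bytes(DEVICE_OBJECT_SIZE - len(hdr))

    drv = struct.pack("<hhI", IO_TYPE_DRIVER, DRIVER_OBJECT_SIZE, DEV1)
    drv += bytes(DRIVER_OBJECT_SIZE - len(drv))
    return {DRV: drv, DEV1: device(IO_TYPE_DEVICE, DEV2), DEV2: device(0, 0)}, DRV


if __name__ == "__main__":
    mem, driver = build_sample_image()
    for addr, verdict in walk_device_chain(mem, driver):
        print(f"DEVICE_OBJECT {addr:#010x}: {verdict}")
```

The point of the check is the one the post makes: a debugger that parses by Type sees garbage, but the raw bytes still form a perfectly consistent object, so consistency (not the tag) is what you should score on. On a live system the same idea applies to pool scanning, which finds objects by tag and layout rather than by trusting the header.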
|
Stanley Pain posted:Check your hosts file and see if 007guard.com is 127.0.0.1 This is from a few pages back, but I'm getting this same thing; when I look at my network activity in Process Hacker, I see that many of my connections are listed as "www.007guard.com". I checked my hosts file, and it is indeed there, along with a bunch of other equally suspicious URLs. Is this something I should be worried about, or is this just SpyBot S&D's way of preventing any attempts to bring you to these URLs?
|
# ? Jan 25, 2010 05:25 |
|
BillWh0re posted:On the subject of rootkits, the new TDL3 (which is itself the new TDSS) has a really annoying method that it uses to stealth raw disk reads and writes on at the sector level. Now that is quite technically cool. I'll need to find and play with a variant when I finish zbot and insebro... thanks for the link!
|
# ? Jan 25, 2010 06:17 |
|
When I was at my parents' over Christmas, I picked up a virus on my Eee PC. I only found out about it because ESET SS picked it up and said it prevented/detected something and had stopped it, and then it deleted a file that was downloaded. These are the messages: quote:Object This cycle just goes on and on and on with the device constantly being attacked and it got to the point where I ended up having to turn off the alert windows because they kept popping up every couple of minutes. The strange thing is that I took it to a friend's house on New Year's and when I booted it up and logged into Windows, a small MS-DOS window popped up with a little dashed line pattern that kept looping until I closed it. Suddenly there were no more attacks for the entire time I was at my friend's place (days). Get back to my parents' though and bam, I'm attacked again. I've been unable to get the attacks to stop and now it's pulling out this DEP and restarting all the time. Prior to the DEP, it was just the moneyuk1 and ssvchost messages that were appearing, so I figure this new1.exe must be related to the constant restarts. As far as I can figure, there's something on the drive that's telling the laptop to connect to someplace, which ESET allegedly blocks, but doesn't, then a file is downloaded and then automatically quarantined but scans don't show any virus at all. The biggest problem is that it was a gift from my parents as they bought themselves a new one and as it's an Eee with XP installed, there's no easy way to just reformat it. Does anyone have a clue as to what I should maybe run in order to hunt down whatever the source of all of this is?
|
# ? Jan 25, 2010 08:38 |
|
Anunnaki posted:This is from a few pages back, but I'm getting this same thing; when I look at my network activity in Process Hacker, I see that many of my connections are listed as "www.007guard.com". I checked my hosts file, and it is indeed there, along with a bunch of other equally suspicious URLs. It's part of Spybot's protection. It's making sure those URLs don't actually resolve to anything but your local computer.
|
# ? Jan 25, 2010 14:29 |
|
Stanley Pain posted:It's part of Spybot's protection. It's making sure those URLs don't actually resolve to anything but your local computer. It's the "Immunize" part of Spybot. I have heard that filling up your HOSTS file in this manner can slow things down, but I have never noticed a difference and I think it's a pretty helpful function as long as you keep up to date.
|
# ? Jan 25, 2010 15:16 |
|
Dyscrasia posted:It's the "Immunize" part of Spybot. I have heard that filling up your HOSTS file in this manner can slow things down, but I have never noticed a difference and I think it's a pretty helpful function as long as you keep up to date. This is the sort of thing spouted by the people that tell you to declog your registry and whatnot. If it did result in any slow performance it would be so negligible as to be unnoticeable.
|
# ? Jan 25, 2010 16:22 |
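The exchange above turns on one distinction: a hosts entry that sends a name to 127.0.0.1 (the Spybot Immunize kind) is harmless, while an entry that sends a name somewhere else is exactly how malware keeps a machine away from update and vendor sites. The block below is an added example for this page, not code from Spybot or from any post in the thread. It parses a hosts file offline and sorts its entries into localhost, sinkholed, and suspicious, where suspicious means a non-loopback address, flagged more strongly when the host belongs to a security or update domain. SAMPLE_HOSTS is constructed: the 007guard.com lines come from the thread, the ad-server name and the two redirected vendor hosts are made up, and WATCHED_DOMAINS is an illustrative list to extend.

```python
"""Sort a Windows hosts file into benign sinkhole entries and suspicious redirects.

Added example for this page; not code from Spybot or from any post in the thread.
Spybot's Immunize writes lines that map known ad/malware hosts to 127.0.0.1:
the name resolves to your own machine and nothing answers. The entries worth
worrying about point somewhere else, especially when the host is a security
vendor or an update server. SAMPLE_HOSTS is constructed.
"""
import ipaddress

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Domains whose redirection is a classic malware move (illustrative list, extend as needed)
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com", "malwarebytes.org",
                   "safer-networking.org", "virustotal.com")

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.007guard.com
127.0.0.1       007guard.com
0.0.0.0         ads.example-adserver.test     # constructed entry
# End of entries inserted by Spybot - Search & Destroy
198.51.100.23   www.malwarebytes.org          # constructed: vendor site sent to a foreign IP
198.51.100.23   update.microsoft.com          # constructed
not-an-ip       something.test                # malformed, ignored by the parser
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) for each mapping; strips comments, skips malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:                  # one line may carry several names
            yield addr, name.lower().rstrip(".")


def in_watched_domain(host):
    """True only for the domain itself or a real subdomain, not for look-alikes."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return counts of benign entries plus a list of (ip, host, reason) that deserve a look."""
    report = {"localhost": 0, "sinkholed": 0, "suspicious": []}
    for addr, host in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:      # 127.x, ::1, 0.0.0.0
            if host in LOCAL_NAMES:
                report["localhost"] += 1
            else:
                report["sinkholed"] += 1                  # Spybot-style immunization
        elif in_watched_domain(host):
            report["suspicious"].append((str(addr), host, "security/update domain redirected"))
        else:
            report["suspicious"].append((str(addr), host, "non-loopback override"))
    return report


if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    print(f"localhost entries: {rep['localhost']}, sinkholed hosts: {rep['sinkholed']}")
    for ip, host, reason in rep["suspicious"]:
        print(f"  {host} -> {ip}: {reason}")
```

Run it against `%SystemRoot%\System32\drivers\etc\hosts` copied off the machine. Thousands of sinkhole lines are what Immunize produces and are fine; anything in the suspicious list is what to act on, since a redirected vendor or update host explains "the scanner can't update" far more often than a broken scanner does.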
|
BillWh0re posted:hosed up poo poo. Oh my god, loving what the gently caress I thought the MBR rootkit I found on a machine not too long ago was bad, this is about ten times worse.
|
# ? Jan 26, 2010 01:19 |
|
We had a delicious trojan pop up at work a few days ago. This was on a fully-patched, firewalled XP SP3 system. Our accountant suddenly had a sasser-style forced reboot screen pop up. I canceled the reboot and found that there were no strange processes running and nothing loading the system (cpu essentially at idle). I quickly discovered that links in firefox would randomly redirect to crazy chinese spam sites and ad pages (IE was unaffected). Every antivirus/malware program I could think of would fail to install or fail to run. In safe mode I finally got malwarebytes to run, which found a bunch of mediocre crap, but they weren't the main problem. From there I could get other programs running. McAfee picked up nothing. SuperAntispyware picked up nothing. MSE finally picked up something it called Trojan Gord.A which it claimed to remove, but which would magically reappear later. Gord.A is apparently a trojan which hijacks the XUL layer in firefox to cause crazy redirects and act as a dropper for other malware. The internet doesn't seem to contain very much information about it, and much of what is out there was simply flat-out wrong with what I was seeing. Even after nuking firefox, all profiles, and every file that firefox could have ever touched, it still would pop back up and cause forced reboots and redirects. It got to the point where every malware scanner I tried would turn up clean, but the symptoms remained. Ended up wiping the box. gently caress that poo poo. The accountant later said she may have gotten it from looking at a gossip site about Heidi Montag's plastic surgery.
|
# ? Jan 26, 2010 06:05 |
|
Anyone seeing any DCOM errors lately that restarts your computer in 60 seconds? It is similar to the blaster, sasser, and that other worm. I've had about 4 customers call in about it in the past 2 days.
|
# ? Jan 26, 2010 06:45 |
|
Been getting a few of these in the shop lately, I've started running fixmbr on every machine I touch before I even boot into Windows. Although, the information BillWh0re posted is very interesting and I will be sure to stay tuned for information.
|
# ? Jan 26, 2010 08:18 |
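Two things in this thread point at the same place on the disk: BillWh0re's note that TDL3 keeps its own filesystem at the end of the drive, and the habit above of running fixmbr on every machine before booting it. Before overwriting the MBR it is worth knowing what is actually sitting in the unpartitioned tail. The block below is an added example for this page, not code from either post or from any tool mentioned: it parses the four MBR partition entries (16 bytes each from offset 446, LBA start at +8 and sector count at +12, signature 0x55AA at 510), works out where the last partition ends, and reports runs of non-zero sectors beyond it. The disk image it scans is constructed in `build_sample_disk()`; run it on a real image by reading the raw device (dd output or a forensic copy) into `image` instead.

```python
"""Report non-zero sectors beyond the last MBR partition (where TDL3-style hidden storage lives).

Added example for this page; not from any post or tool mentioned in the thread.
The sample disk image is constructed in build_sample_disk().
"""
import struct

SECTOR = 512


def parse_mbr(mbr):
    """Return the in-use partition entries of a classic MBR (no GPT handling)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        boot, ptype = e[0], e[4]
        start, count = struct.unpack_from("<II", e, 8)   # LBA start, sector count
        if ptype != 0 and count:
            parts.append({"index": i, "type": ptype, "bootable": boot == 0x80,
                          "start": start, "end": start + count})   # end is exclusive
    return parts


def trailing_nonzero_runs(image, parts):
    """[(first_lba, last_lba)] runs of sectors with any non-zero byte after the last partition."""
    total = len(image) // SECTOR
    first_free = max((p["end"] for p in parts), default=1)
    runs, run_start = [], None
    for lba in range(first_free, total):
        nonzero = any(image[lba * SECTOR:(lba + 1) * SECTOR])
        if nonzero and run_start is None:
            run_start = lba
        elif not nonzero and run_start is not None:
            runs.append((run_start, lba - 1))
            run_start = None
    if run_start is not None:
        runs.append((run_start, total - 1))
    return runs


def build_sample_disk():
    """Constructed 1 MiB image: one NTFS partition from LBA 63 and 32 non-zero sectors in the tail."""
    total = 2048
    img = bytearray(total * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\xfe\x90"                          # stand-in boot code
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 1900)
    mbr[510:512] = b"\x55\xaa"
    img[0:SECTOR] = mbr
    img[63 * SECTOR:63 * SECTOR + 8] = b"\xeb\x52\x90NTFS"   # start of the partition
    hidden = total - 32                                      # pretend hidden filesystem
    img[hidden * SECTOR:] = bytes([0x5A]) * (32 * SECTOR)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_disk()
    parts = parse_mbr(image[:SECTOR])
    for p in parts:
        print(f"partition {p['index']}: type {p['type']:#04x} LBA {p['start']}-{p['end'] - 1}")
    for first, last in trailing_nonzero_runs(image, parts):
        print(f"non-zero data beyond the last partition: LBA {first}-{last}")
```

A hit here is a lead, not a verdict: dynamic-disk metadata and some boot managers also use the tail of the drive, and a clean tail does not clear the machine, since a rootkit that hooks the disk driver will happily lie to a scan run from inside the infected OS. Take the image from a live CD or with the drive pulled, as the posters do.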
|
Reading this thread and having to spend three hours removing a rootkit on a resident's computer recently has made me really long for the days when you could clean a malware infestation out pretty much entirely with HijackThis.
|
# ? Jan 26, 2010 10:49 |
|
Twotone posted:Anyone seeing any DCOM errors lately that restarts your computer in 60 seconds? It is similar to the blaster, sasser, and that other worm. I've had about 4 customers call in about it in the past 2 days. See my post right above yours. This was one of the symptoms of the crazy trojan that we had at work last week.
|
# ? Jan 26, 2010 15:44 |
|
It's not a rootkit, but it's just as annoying... has anyone else noticed a huge increase lately in the amount of spyware coming from pages that people find from random Google searches? I cannot count the number of computers I have had to work with in the last 2 weeks that were compromised by some sort of "Security Tool" variation. These are always coming from web pages that have been hacked or otherwise infected and were found with seemingly innocuous web searches for vacations or wedding dresses or other everyday searches.
|
# ? Jan 26, 2010 16:30 |
|
lazer_chicken posted:See my post right above yours. This was one of the symptoms of the crazy trojan that we had at work last week. What does MSE stand for? I'll try it. Malwarebytes and Superantispyware come up with nothing. AVG of course comes up with nothing as well.
|
# ? Jan 26, 2010 18:55 |
|
Twotone posted:What does MSE stand for? I'll try it. Malwarebytes and Superantispyware come up with nothing. AVG of course comes up with nothing as well. Microsoft Security Essentials
|
# ? Jan 26, 2010 19:03 |
|
tadashi posted:It's not a rootkit, but it's just as annoying... has anyone else noticed a huge increase lately in the amount of spyware coming from pages that people find from random Google searches? I cannot count the number of computers I have had to work with in the last 2 weeks that were compromised by some sort of "Security Tool" variation. These are always coming from web pages that have been hacked or otherwise infected and were found with seemingly innocuous web searches for vacations or wedding dresses or other everyday searches. It's actually a very common method of infection. The McAfee security blog has a pretty neat flow-through of some clickjacking and fake codecs being installed via Haiti-related searches. The Sunbelt Blog is a good read for this sort of thing too.
|
# ? Jan 26, 2010 19:11 |
|
abominable fricke posted:Microsoft Security Essentials
|
# ? Jan 26, 2010 23:59 |
|
So yesterday, the Antivirus Vista 2010 virus infected my computer. I ran Malwarebytes in safe mode, and it got rid of it. However, now, anytime I try and run a program, it says a few variations of things. When I try and run iTunes, for instance, it says iTunes.exe cannot be found. The same thing for Modern Warfare 1 and 2, and anything that had a shortcut on the desktop. A few programs, IE 7, for instance, will make me select which program to use to run it. When I select IE 7 from the list, it doesn't really open up. At least Firefox still works. This also appears to have affected a lot of other programs. iTunes, at least, runs when I select 'Run in Administrator Mode'. So does a few other programs. But it really isn't worth the hassle. I made a new account on the computer, and everything is working fine on that one, but my main one is still hosed up. What can I do to fix this? Is it not worth the hassle?
|
# ? Jan 28, 2010 23:50 |
|
Probably not. I've heard of the "feature" where it doesn't allow you to run executables, but I've never heard of a fix for it.
|
# ? Jan 28, 2010 23:52 |
|
Syphilicious! posted:So yesterday, the Antivirus Vista 2010 virus infected my computer. I ran Malwarebytes in safe mode, and it got rid of it. However, now, anytime I try and run a program, it says a few variations of things. When I try and run iTunes, for instance, it says iTunes.exe cannot be found. The same thing for Modern Warfare 1 and 2, and anything that had a shortcut on the desktop. A few programs, IE 7, for instance, will make me select which program to use to run it. When I select IE 7 from the list, it doesn't really open up. At least Firefox still works. This also appears to have affected a lot of other programs. iTunes, at least, runs when I select 'Run in Administrator Mode'. So does a few other programs. But it really isn't worth the hassle. I made a new account on the computer, and everything is working fine on that one, but my main one is still hosed up. Sounds like something Dial-A-Fix would be good for if it worked with Vista, which I assume you're running. These may be of some value if it's just simple file associations that are screwed up.
|
# ? Jan 29, 2010 01:24 |
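The symptoms in the post above ("iTunes.exe cannot be found", a pick-a-program dialog for IE, everything fine under a new account) are what you see when .exe files no longer launch through the normal `exefile\shell\open\command` entry with its default `"%1" %*`, and a hijack that only affects one account lives in that user's `HKCU\Software\Classes`. The block below is an added example for this page, not code from any post or from Dial-A-Fix: it parses a `.reg` export of the relevant keys so the check can be run offline on a file taken from the affected profile, and reports a per-user `.exe` ProgID override, the command that override runs, and any `exefile` open command that is not the default. `SAMPLE_REG` is constructed, including the `secfile` ProgID and the `fakeav.exe` path.

```python
"""Find a hijacked .exe file association in a .reg export.

Added example for this page, not from any post or tool in the thread.
Parses a minimal subset of .reg syntax (REG_SZ values only) and checks the
keys that decide how .exe files are launched, per-user hive first.
SAMPLE_REG is constructed.
"""
import re

EXPECTED_EXE_COMMAND = '"%1" %*'
HKCU_CLASSES = r"HKEY_CURRENT_USER\Software\Classes"
HKCR = r"HKEY_CLASSES_ROOT"

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\fakeav.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: string}} for quoted (REG_SZ) values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def _default(keys, path):
    return keys.get(path, {}).get("(Default)")


def audit_exe_association(keys):
    """Return human-readable findings; an empty list means nothing looks hijacked."""
    findings = []
    progid = _default(keys, HKCU_CLASSES + r"\.exe")
    if progid and progid.lower() != "exefile":
        findings.append(f"per-user .exe ProgID overridden to '{progid}'")
        cmd = _default(keys, HKCU_CLASSES + "\\" + progid + r"\shell\open\command")
        if cmd:
            findings.append(f"'{progid}' open command runs: {cmd}")
    for hive in (HKCU_CLASSES, HKCR):
        cmd = _default(keys, hive + r"\exefile\shell\open\command")
        if cmd is not None and cmd != EXPECTED_EXE_COMMAND:
            findings.append(f"{hive}\\exefile open command is {cmd!r}, expected {EXPECTED_EXE_COMMAND!r}")
    return findings


if __name__ == "__main__":
    for line in audit_exe_association(parse_reg(SAMPLE_REG)) or ["no .exe association problems found"]:
        print(line)
```

Export `HKCU\Software\Classes` and `HKCR\exefile` from the affected account (regedit's File > Export, or `reg export` from an elevated prompt) and feed the file in. When it fires, the repair is restoring `"%1" %*` as the default open command and removing the per-user override; the reason a new account works is that a fresh profile has no `HKCU\Software\Classes` entries to override the machine-wide ones.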
|
|
Twotone posted:Anyone seeing any DCOM errors lately that restarts your computer in 60 seconds? It is similar to the blaster, sasser, and that other worm. I've had about 4 customers call in about it in the past 2 days. I've been seeing a lot of these the past few days as well. Only fix I've been able to find that works is reinstalling Windows. All the information I could find online seemed to be old or outdated.
|
# ? Jan 30, 2010 18:42 |