|
Twotone posted:Anyone seeing any DCOM errors lately that restarts your computer in 60 seconds? It is similar to the blaster, sasser, and that other worm. I've had about 4 customers call in about it in the past 2 days. Do you mean that it does this every 60 seconds? Like, causes a restart 60 seconds after it's started in a loop? Or just restarts 60 seconds after the initial infestation?
|
# ? Jan 30, 2010 18:59 |
|
|
Syphilicious! posted:What can I do to fix this? Is it not worth the hassle? You could try running system restore to a point before you got infected. That's all my boss does to fix computers that have caught the Antivirus Virus.
|
# ? Jan 30, 2010 21:33 |
|
Zwabu posted:Just restarts 60 seconds after the initial infestation?
|
# ? Jan 30, 2010 22:27 |
|
Maniaman posted:I've been seeing a lot of these the past few days as well. Only fix I've been able to find that works is reinstalling Windows. All the information I could find online seemed to be old or outdated.
|
# ? Jan 30, 2010 22:28 |
|
Well, this is lovely. Had 4 computers with Conficker.c. While it's not difficult in and of itself to get rid of, neither Malwarebytes' Anti-Malware nor Combofix detects it. I had to run the BitDefender removal tool specifically designed for it in order to kill it from http://www.bdtools.net/ , so I'm adding this to my standard scan rotation (BD Downadup, then ComboFix, then Malwarebytes).
|
# ? Feb 3, 2010 22:20 |
|
Syphilicious! posted:So yesterday, the Antivirus Vista 2010 virus infected my computer. I ran Malwarebytes in safe mode, and it got rid of it. However, now, anytime I try and run a program, it says a few variations of things. When I try and run iTunes, for instance, it says iTunes.exe cannot be found. The same thing for Modern Warfare 1 and 2, and anything that had a shortcut on the desktop. A few programs, IE 7, for instance, will make me select which program to use to run it. When I select IE 7 from the list, it doesn't really open up. At least Firefox still works. This also appears to have affected a lot of other programs. iTunes, at least, runs when I select 'Run in Administrator Mode'. So does a few other programs. But it really isn't worth the hassle. I made a new account on the computer, and everything is working fine on that one, but my main one is still hosed up. Basically the file association for .exe files in Windows has been broken; windows is treating those files like 'something.zzx' as an unknown type. This is probably because Mbytes removed a bad registry link that was causing the baddie to copy itself into memory every time you ran an exe. You can probably google a bunch of fixes but this is the first one I've found; note I haven't tested it or even know if it's appropriate: http://forums.techarena.in/windows-xp-support/746133.htm
|
# ? Feb 3, 2010 22:25 |
|
Hooray, my Exchange server now reboots when I try to log in as anybody. It gets to the login prompt and I can remote in at that point, but when I try to physically log into it, it reboots. In safe mode NOD and Malwarebytes aren't finding anything. Will Combofix run on Server 2003, should I try it, and what are the chances of it going all willy nilly on my system files?
|
# ? Feb 4, 2010 00:00 |
|
Sadly, no, Combofix won't run on Server 2003, I've tried. Run GMER and RootkitRevealer, and hit up Microsoft's online OneCare scan here: http://onecare.live.com/site/en-us/center/howsafe.htm
|
# ? Feb 4, 2010 00:35 |
|
PowderKeg posted:Hooray, my Exchange server now reboots when I try to log in as anybody. It gets to the login prompt and I can remote in at that point, but when I try to physically log into it, it reboots. In safe mode NOD and Malwarebytes aren't finding anything. What do the logs say? My first assumption on a login-causes-restart probably wouldn't be malware, particularly if you're able to use Remote Desktop to log in. If Safe Mode is preventing the problem and you're not finding any malware from those two scanners combined, I'd go through msconfig and disable everything you don't absolutely need, then slowly enable them until the problem starts up again. edit: I like his answer better vvvvvv Midelne fucked around with this message at 03:47 on Feb 4, 2010 |
# ? Feb 4, 2010 01:27 |
|
PowderKeg posted:Hooray, my Exchange server now reboots when I try to log in as anybody. It gets to the login prompt and I can remote in at that point, but when I try to physically log into it, it reboots. In safe mode NOD and Malwarebytes aren't finding anything. I've seen this a lot over the years, almost always the userinit entry messed up/replaced in winlogon: hklm\software\microsoft\windows nt\current version\winlogon\ - somewhere in there is a userinit entry.
|
# ? Feb 4, 2010 03:45 |
|
bobua posted:I've seen this a lot over the years, almost always the userinit entry messed up/replaced in winlogon Try that then, and if you get nothing, try Autoruns. This is almost certainly something that's set to run when you log in as any local user.
|
# ? Feb 4, 2010 09:03 |
|
univbee posted:Well, this is lovely. Hmm... How did you know you had Conficker? Did you just randomly run the Bitdefender tool and found it, or did you know that *something* was going on, even though your AV software hadn't found it?
|
# ? Feb 4, 2010 10:02 |
|
plaguedoctor posted:Hmm... How did you know you had Conficker? Did you just randomly run the Bitdefender tool and found it, or did you know that *something* was going on, even though your AV software hadn't found it? Not the person you were asking but when my environment had it we noticed it from lots of inexplicable network activity and some quick wiresharking found it. This was pretty handy then too though it might not be accurate any more: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
|
# ? Feb 4, 2010 10:46 |
|
BillWh0re posted:Try that then, and if you get nothing, try Autoruns. This is almost certainly something that's set to run when you log in as any local user. Thanks a ton for all the help. RootkitRevealer had a couple of things (I'll edit into here as soon as I can get the txt file off of that machine), OneCare scan showed nothing. GMER shot all of my processors to 100% (is that normal?), so I killed it after a while. I checked the userinit entry against another working machine and everything matches up, even the file sizes. I'm looking over the Autoruns list now while shutting off all non-necessary services and gradually adding them back in. A couple of times I've tried remoting in as the admin, which fails and kills the session before the desktop appears; my personal login works, but the 'send/don't send' error popup appears about winlogon.exe. (szAppName : winlogon.exe szAppVer : 0.0.0.0 szModName : ntdll.dll szModVer : 5.2.3790.4455 offset : 0001bd02) The original reason that triggered all of this is because my SMTP email wasn't working. Internal mail is working fine, just no external. I didn't change anything in Exchange and my ASA is showing all traffic as fine. edit: OK.. I added all services back in (10 at a time) except for the Exchange ones and it let me log in fine, then I manually started my Exchange services and everything's working again. Haven't tried to reboot it with Exchange auto starts, though. I'll wait until the weekend to do that so it can probably blow up again. Thanks again guys. PowderKeg fucked around with this message at 17:41 on Feb 4, 2010 |
# ? Feb 4, 2010 16:29 |
|
A friend's PC has been overrun with viruses and she wants to reinstall Windows XP; however, she's realized that because her laptop came with most of the software preinstalled (e.g. Office, XP itself, Nero, etc.) she doesn't have any of the license keys to successfully reinstall everything. Is there a way to find these keys in her PC's registry or something before reinstalling XP? I figured people posting in this thread may have experience with this, but let me know if the post is better suited somewhere else. vvvv - Perfect. Thanks! do it fucked around with this message at 22:22 on Feb 4, 2010 |
# ? Feb 4, 2010 21:59 |
|
do it posted:A friend's PC has been overrun with viruses and she wants to reinstall Windows XP; however, she's realized that because her laptop came with most of the software preinstalled (e.g. Office, XP itself, Nero, etc.) she doesn't have any of the license keys to successfully reinstall everything. Is there a way to find these keys in her PC's registry or something before reinstalling XP? Magic Jellybean Keyfinder.
|
# ? Feb 4, 2010 22:18 |
|
Girlfriend's laptop is redirecting Google search results to rev-advert.com/search.php. Haven't been able to find any solid info about this anywhere. Thoughts?
|
# ? Feb 7, 2010 03:29 |
|
Is this XP? If so, put in your Windows Install CD, reboot to Windows Install, and press R when everything loads. This is your Recovery Console. Type the number for your /windows directory, type your password if you have one, and then at C:> type "fixmbr" and press enter. If she's on Vista, check this out - different procedure but does the same thing. Type Exit to reboot, remove your Windows CD, and get back to your desktop. Download Combofix from https://www.combofix.org, run it and walk away until it tells you it's done. Follow up with a full system scan using MalwareBytes (https://www.malwarebytes.org) and that should fix it. It's probably not a redirect using your HOSTS file, but if it's still going on after all this, open Notepad, open up C:\windows\system32\drivers\etc\ and select a file called "HOSTS" - it's not a text file, so you may need to look for All Files instead of Text Documents. But still, it's probably not that. Otacon fucked around with this message at 03:46 on Feb 7, 2010 |
# ? Feb 7, 2010 03:41 |
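The post above ends with the HOSTS-file check. The following is an added example (not code from the thread) that parses a HOSTS file and reports any hostname mapped to something other than loopback or 0.0.0.0, which is the kind of entry that would redirect a browser; the sample file is constructed for the example.

```python
import ipaddress

# Constructed sample HOSTS file: the default Windows entries plus two injected
# lines of the kind suspected above, mapping Google's names to an outside host.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # injected (constructed)
0.0.0.0         ads.example.net             # ad-block style sinkhole
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # One address may be followed by several hostnames on the same line.
        for name in fields[1:]:
            yield fields[0], name.lower()

def suspicious_entries(text):
    """Return HOSTS entries that point a hostname at a reachable host.

    Loopback and 0.0.0.0 mappings are ignored: they are what the stock file and
    ad-blocking lists use, and they cannot send a browser anywhere. Anything
    else is worth a look, because a legitimate HOSTS file rarely overrides
    public names. (Local LAN names kept in HOSTS would also show up here and
    would need an allow-list.)
    """
    flagged = []
    for address, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            flagged.append((address, name, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        flagged.append((address, name, "mapped to a reachable host"))
    return flagged

if __name__ == "__main__":
    for address, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{address:15} {name:25} {reason}")
```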
|
Anyone know what's up with the very elaborate fake virus scanners that I'm assuming are coming from infected ads? My mom told me the other night that she was on Facebook when this full-page fake scanner came up, and attempts to close the window would trigger a prompt with accept/cancel and what not; trying to close that would just loop it. She's relatively smart about not loving with stuff like that, and all scans I've done today seem clean with nothing obvious going on, so I'm fairly sure it wasn't installed, but just contained to the browser from an ad. The base URL was don't click this > prime-defendere.com < with random gibberish at the end of the address that I'm assuming randomises it so that it's harder to purposefully find.
|
# ? Feb 10, 2010 00:09 |
|
hobb posted:Anyone know what's up with the very elaborate fake virus scanners that I'm assuming are coming from infected ads? I've spent the last 3 weeks removing these goddamn things. Best thing to do is install Firefox with Adblock Plus.
|
# ? Feb 10, 2010 00:13 |
|
Cleaned some random Fake.AV variant off of a company laptop with fully up-to-date DATs on McAfee Enterprise 8.7 today. It only really had two noteworthy features -- killing cmd.exe/msconfig/Task Manager processes whenever they came up and blanking out the desktop while forcing itself in front of any window that you managed to open after it popped up, including Internet Explorer, which I would've presumed that it would leave alone so that you could purchase the fake AV product they were pushing. It couldn't handle Safe Mode, the file locations were plainly visible in the Startup tab of msconfig, and there was nothing stopping me from deleting the (numerically named, rather than alphanumerically) folders it dumped in C:\Documents and Settings\All Users\Application Data once I had that information. Sure did make me feel sorry for the average home user, though, since the average home user either doesn't know what Safe Mode is or wouldn't be able to use it effectively, and the antivirus wasn't so much as throwing up a peep while the desktop was hijacked and the Good Guy processes were dropping like flies. edit: It also made me feel vaguely embarrassed for anyone associated with making this particular variant.
|
# ? Feb 10, 2010 00:50 |
|
Midelne posted:edit: It also made me feel vaguely embarrassed for anyone associated with making this particular variant. Just need to consider who they're targeting; novel / complex / stealthy kits are interesting to researchers. Banal, easy, and plain-jane ones work just as well against the at-home-user without attracting undue attention. They only need to outsmart the home user - outsmarting the security/techie isn't necessarily a plus. The more researcher interest, the faster patching and/or better coverage signatures are engaged.
|
# ? Feb 10, 2010 03:07 |
|
At about 4:44 AM, an e-mail blast went out from my address to all of my current contacts - confirmed by a friend of mine online at the time. I've since scanned the system with MBAM, Sophos Anti-Rootkit, and Avast! I'm watching my connections like a hawk in cFosSpeed's connection monitor - nothing suspicious. The only oddity is that when I audited the system logs, two .tmp files in the System32 folder "failed to run due to an incompatibility with the system" - this would be them http://uploading.com/files/72aa3ema/Infection.zip/ - each is 6.00KB in size. What the gently caress is going on, you guys think? Edit - checked the MIME info, and the mail blasted out from 115.49.34.112. With ads for https://www.nsehwop.com. Fuckin' Chinese. I've changed the login - this should fix the issue, yeah? PopeOnARope fucked around with this message at 12:06 on Feb 10, 2010 |
# ? Feb 10, 2010 11:34 |
|
PopeOnARope posted:Edit - checked the MIME info, and the mail blasted out from 115.49.34.112. With ads for https://www.nsehwop.com. Fuckin' Chinese. I've changed the login - this should fix the issue, yeah? How is your contact list stored?
|
# ? Feb 10, 2010 15:03 |
|
Ugh, I had almost finished cleaning out a computer which apparently had the katusha.e trojan, only to discover that it had hosed with the MBR so much that the Windows Recovery Console wouldn't even load to let me run fixmbr. Ended up booting to a live Linux disc and backing up the important files to USB, then flattening/reinstalling. This is the first time I've had to totally reformat a computer because of viruses in years. Virus writers need to go and die.
|
# ? Feb 12, 2010 09:39 |
|
It appears that a lot of people infected with the TDSS/TDL3 rootkit I was talking about before are now getting bluescreened after patch Tuesday. http://tech.slashdot.org/story/10/02/12/1455203/Rootkit-May-Be-Behind-Windows-Blue-Screen (slashdot but the original source seems to be down) Most likely because the update may try to patch the stealthed atapi.sys file, with all those file writes going through the rootkit, and the rootkit doesn't properly implement them so the system is left in some horrible intermediate state when it reboots. MS can't tell that atapi.sys has already been patched by the rootkit since it's stealthed and appears totally normal, and the rootkit can't properly apply the MS update since it won't allow writing to its patched code. Nice.
|
# ? Feb 12, 2010 20:36 |
|
BillWh0re posted:It appears that a lot of people infected with the TDSS/TDL3 rootkit I was talking about before are now getting bluescreened after patch Tuesday. I came in here to post exactly this. I find it mildly humorous until I remember that I will be fixing a lot of this next week. I've also noticed a lot of hijacked userinit.exe entries at the HKLM\Software\Microsoft\Windows NT\Winlogon\Userinit key. It appears that they are typically altering the key to point to winlogon32.exe. Needless to say it causes a logon/logout loop. This can be fixed via ERD and altering the key to point at userinit.exe again. As a safe measure I have also been replacing msgina.dll, winlogon.exe and userinit.exe.
|
# ? Feb 13, 2010 02:01 |
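This post and bobua's earlier one both describe the Winlogon Userinit value being repointed (here at winlogon32.exe). As an added example, not code from the thread, the script below parses a .reg export of the Winlogon key and flags Userinit or Shell values that differ from the stock Windows defaults; the export text is constructed for the example and the expected paths assume an XP-era install on C:\WINDOWS.

```python
import re

# Stock Windows values for the two Winlogon entries this thread sees tampered
# with. The trailing comma on Userinit is genuine: the value is a comma-separated
# list of programs Winlogon starts at logon. Paths assume an XP-era install on
# C:\WINDOWS (an assumption for this example).
EXPECTED = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "Shell": "explorer.exe",
}

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample: a .reg export of the Winlogon key in which Userinit has
# been pointed at winlogon32.exe, as reported in the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\winlogon32.exe,"
"LegalNoticeText"=""
'''

def parse_reg_strings(export_text, key_path):
    """Return {name: value} for the REG_SZ entries under key_path in a .reg export."""
    values = {}
    in_key = False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_key and m:
            # .reg files backslash-escape backslashes and quotes in string data.
            values[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return values

def check_winlogon(export_text):
    """Compare the exported Winlogon values with the defaults.

    Returns a list of (name, actual_value, verdict) for anything missing or
    different; an empty list means the key looks untouched.
    """
    values = parse_reg_strings(export_text, WINLOGON_KEY)
    findings = []
    for name, expected in EXPECTED.items():
        actual = values.get(name)
        if actual is None:
            findings.append((name, None, "missing"))
        elif actual.lower() != expected.lower():
            findings.append((name, actual, "tampered"))
    return findings

if __name__ == "__main__":
    for name, actual, verdict in check_winlogon(SAMPLE_EXPORT):
        print(f"{name}: {verdict} ({actual!r}); expected {EXPECTED[name]!r}")
```

On a live machine the export comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`, ideally run from an offline boot so a rootkit cannot filter what the registry API returns.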
|
After exorcising a couple friends computers of Vundo and various Fake.AV infections, I would like to praise combofix as my one true god.
|
# ? Feb 15, 2010 19:50 |
|
PopeOnARope posted:At about 444AM, an e-mail blast went out from my address to all of my current contacts This is why I don't use an email client. This scares the poo poo out of me, as I have contacts that I never talk to and wouldn't want to have to explain stuff like this to. Hopefully nobody ever figures out how to email all of your gmail contacts through the web interface.
|
# ? Feb 15, 2010 20:16 |
|
I don't understand this... I spent 4 hours installing every toolbar, IE addon, flash games, etc that I could find trying to get a virtual machine infected with one of those fake antivirus programs. I failed miserably at infecting the machine. How do these people manage to catch these viruses without trying when I couldn't catch it after 4 hours of actively trying?
|
# ? Feb 16, 2010 02:47 |
|
Maniaman posted:I don't understand this... You know that one torrent website that everyone uses to PIRATE things, BAYbe? Check that site out. They have an ad that hijacks your browser to "my"computer"anti"virus"1".com" - if you remove the "s I added in, that is. Give that a whirl!
|
# ? Feb 16, 2010 02:57 |
|
Maniaman posted:virtual machine Many viruses and malware will refuse to "function" if they detect that they are running inside a VM.
|
# ? Feb 16, 2010 05:50 |
|
m2pt5 posted:Many viruses and malware will refuse to "function" if they detect that they are running inside a VM. A) How does this detection work and can it be spoofed for an actual machine? B) Is it feasible then to do all casual surfing inside a VM?
|
# ? Feb 16, 2010 05:53 |
|
sfwarlock posted:A) How does this detection work and can it be spoofed for an actual machine? There is no single way that they detect it. Some pull the system manufacturer name out of WMI, some look for specific drivers that are loaded, some look for virtualization helper services and processes. Trying to emulate that on your personal workstation in the hopes that you come across one that is tricked and doesn't run is a silly thing to do and not worth the effort. If you want your system to remain secure, use a user account or UAC, patch, keep AV updated, run an ad-blocker, fully enable DEP, and uninstall browser plugins that you don't need. If you're still on 2000/XP, for the love of god get off that insecure piece of poo poo. If you are on Vista/7, enable SEHOP.
|
# ? Feb 16, 2010 06:25 |
|
m2pt5 posted:Many viruses and malware will refuse to "function" if they detect that they are running inside a VM. But my idea is roughly this: Create a virtual machine image that includes everything the client needs (I assume this would require volume licensing for the Microsoft apps). Have the physical computer effectively be a thin client that does nothing but load this image at startup. Have documents redirected to a share on the server to preserve changes. When they reboot the computer, the same base image is loaded again, so it effectively acts as Deep Freeze as well (undoing any malicious changes since the past reboot). This method would also make keeping things up-to-date easy, since you only have a single image to update. The downsides I can think of are that it might make things like antivirus definitions and windows updates slightly more tedious, and the obvious aforementioned bandwidth issues with loading the image at startup. BangersInMyKnickers posted:If you are on Vista/7, enable SEHOP.
|
# ? Feb 16, 2010 15:39 |
|
brc64 posted:This sounds like more reason to push my "everybody at work runs a prebuilt VM image" agenda. It sounds like a completely awesome idea, and there's probably some standard implementation for it already. I think the biggest concern would be bandwidth to pull the image each morning. This is a pretty standard idea. There are many ways to do it, but Microsoft streamlined it with Virtual Desktop Infrastructure.
|
# ? Feb 16, 2010 17:47 |
|
brc64 posted:I had to look this up because I've never even heard of it. What's the downside of enabling it? Potential for compatibility issues? I'm guessing there's a reason it's not turned on by default. Disabled by default for compatibility concerns, just like DEP OptOut mode. Frankly I would like to see Microsoft pull the trigger on more of these technologies on their desktop OSes because they do wonders for system security.
|
# ? Feb 16, 2010 19:05 |
|
Maniaman posted:How do these people manage to catch these viruses without trying when I couldn't catch it after 4 hours of actively trying? m2pt5 posted:Many viruses and malware will refuse to "function" if they detect that they are running inside a VM. sfwarlock posted:A) How does this detection work and can it be spoofed for an actual machine? Kelson fucked around with this message at 02:44 on Feb 19, 2010 |
# ? Feb 17, 2010 06:39 |
|
Kelson posted:System fingerprinting, Bangers hit a lot of ways, but the underlying idea is to identify details that differ between real CPUs and VMs, then check the detail in question. If VM, FuckWithResearcher(), else PwnHomePC() More viruses with the code lying about should have function names like those.
|
# ? Feb 18, 2010 09:35 |
|
|
I was just doing something on my sister's computer when WinAntivirus2010 popped up. I instantly responded by holding down the power button until it shut off. I'm reasonably sure it wasn't infected before, and I don't know if the popup "warning" from Antivirus2010 is post or during infection. The system's running Vista Home Premium and AVG, both up to date, and the latest version of IE, with UAC active and working. How hosed is it? Got it in safe mode running a full AVG scan right now, but it said that "Documents and Settings" is a locked folder and skipped scanning it entirely, so I'm not feeling too confident. Got Combofix downloaded on a different PC and ready to be transferred over.
|
# ? Feb 18, 2010 18:46 |