|
Maybe not so notable, buut: http://yro.slashdot.org/article.pl?sid=10/08/15/0512228 quote:Ikatako is a virus that spreads through Japanese P2P network Winny, aided by the pirates' lack of wit. Once downloaded and run, the virus sends their data to a central server and replaces it with cephalopod and cnidarian imagery.
|
#
?
Aug 15, 2010 10:21
|
|
|
|
| # ? Apr 29, 2024 08:21 |
|
|
BorderPatrol posted:Holy poo poo. How would a Mac user find out if they are infected or not?
|
|
#
?
Aug 15, 2010 11:43
|
|
|
jet_dee posted:Holy poo poo. How would a Mac user find out if they are infected or not?  quote:This article was updated to remove erroneous information concerning Mac OS X. The OS is not vulnerable to the crimeware kit.
|
|
#
?
Aug 19, 2010 00:14
|
|
|
Ah cheers. I actually tried running with Adblock Plus and NoScript for a few days but I've just disabled them cos hell, I like seeing the occasional targeted ad and god drat, I am sick of clicking the flash icon to see a vid or clicking "Temporarily allow all this page" to watch some Family Guy episodes...
|
|
#
?
Aug 19, 2010 09:35
|
|
|
ymgve posted:Maybe not so notable, buut: nsfw but very related. http://www.sankakucomplex.com/2010/04/16/romancing-eroge-virus-blackmails-pirates/
|
|
#
?
Aug 19, 2010 18:22
|
|
|
So what does it mean if a co-worker had a bunch of Viagra spam emails go out with her email address as the sender to all of her contacts? Her level of tech savvy is so low she couldn't even tell me if she used a program like Microsoft Outlook to read her email, on questioning it sounded like she just does it through her web browser but I couldn't be too confident of her answers. I suggested to her that a lot of malware likes to do stuff like use an Outlook contact list to send out its spam but I'm not sure what the most common specific causes are.
|
|
#
?
Aug 20, 2010 00:41
|
|
|
Zwabu posted:So what does it mean if a co-worker had a bunch of Viagra spam emails go out with her email address as the sender to all of her contacts? Define "go out with her email". Are you seeing the actual emails sent from her Outlook? If not, it might be the case that a spammer has selected her address at random to use in the "from" field. This happened to a domain I own, the spammers for some reason picked randomword@mydomain.com which isn't even a real account on my system, and the catch-all at my domain got thousands of bounce mails in return.
|
|
#
?
Aug 20, 2010 01:25
|
|
|
ymgve posted:Define "go out with her email". Are you seeing the actual emails sent from her Outlook? If not, it might be the case that a spammer has selected her address at random to use in the "from" field. This happened to a domain I own, the spammers for some reason picked randomword@mydomain.com which isn't even a real account on my system, and the catch-all at my domain got thousands of bounce mails in return. This had occurred to me, but she said the emails went out to her actual contact list. That implies more than just her email address being used, the spambot/malware had to get her contact list somehow didn't it? With something like Outlook that would be easy, but I'm not sure how it works if you just use webmail.
|
|
#
?
Aug 20, 2010 02:19
|
|
|
Zwabu posted:This had occurred to me, but she said the emails went out to her actual contact list. That implies more than just her email address being used, the spambot/malware had to get her contact list somehow didn't it? With something like Outlook that would be easy, but I'm not sure how it works if you just use webmail. If her level of tech savvy is too low to verify whether she uses Outlook, her level of tech savvy is too low to distinguish meaningfully between "spam went to everyone on my contact list" and "someone on my contact list said they got this from me, and someone else said they got spam, which I have decided means it's all connected". The human mind is an amazing tool for drawing connections between things that aren't related in any way, and it's often not until you start pushing for precise details that you discover this to have occurred. If a malware scan comes up clean I'd probably assume that the user either clicked something they shouldn't have and entered information into some really lame variety of phishing scam or that they'd misinterpreted the situation entirely to begin with.
|
|
#
?
Aug 20, 2010 02:50
|
|
|
drat, just got hit with a drive-by and it really bothers me that I don't know how it got in. A Java window popped up for a second - I was on 1.6.0_20, which isn't the latest, but seemed like there was no security updates in _21. Latest version of Flash too. I also got a download dialog for an .asx file, but that obviously didn't infect anything. And now the site that originally infected me won't serve up the malware again so I can study it closer..
|
|
#
?
Aug 20, 2010 15:27
|
|
|
ymgve posted:I also got a download dialog for an .asx file, but that obviously didn't infect anything. Yeah, ASX never has exploit-related issues. As usual, there's always a good possibility that you were hit by a single infected ad rather than the specific website that you're associating with the infection. The ad may have been identified and taken out of rotation or it might just not be coming up on the specific times that you're visiting the site.
|
|
#
?
Aug 20, 2010 16:35
|
|
|
Midelne posted:Yeah, ASX never has exploit-related issues. I meant that Opera brought up a download dialog like it does with any non-plugin data, which means the file wasn't parsed in any way. And yeah, I assume it was an infected ad, it's just bothering me that I don't know its attack vector.
|
|
#
?
Aug 20, 2010 22:32
|
|
|
 So how ugly are these customers? Obviously MSE found and dealt with them but who knows how long they were sitting on my machine. Thanks Java!  What's the most likely vector? Do I need to start changing passwords?
|
|
#
?
Aug 21, 2010 04:48
|
|
|
Detroit Q. Spider posted:So how ugly are these customers? Obviously MSE found and dealt with them but who knows how long they were sitting on my machine. Thanks Java! Ah gently caress, just found out I got the same thing - I started being suspicious when starcraft 2 would run like molasses only to mysteriously run fast again when I opened the task manager. I'm running a full scan with security essentials, anything else I could do save do a full reinstall? Blacklight and other rootkit detection tools doesn't seem to run on Win 7 and I don't know if I can trust MSE enough if there's anything malicious installed.
|
|
#
?
Aug 22, 2010 16:24
|
|
|
Zwabu posted:This had occurred to me, but she said the emails went out to her actual contact list. That implies more than just her email address being used, the spambot/malware had to get her contact list somehow didn't it? With something like Outlook that would be easy, but I'm not sure how it works if you just use webmail. We had some nasty poo poo running around that got brought in from a PDF from the chinese consular website that would infect IE, and if you used IE with OWA it would start spamming like a motherfucker. . . As in sending out around 1000-2000 emails per second (which oddly enough would fill up their email quota, and stop the spams for a bit) Nothing caught it, but since I'm in a position where I can re-image, I'd just slap the hand of the grad student BAD GRAD STUDENT and re-image the machine, and tell them not to get on any other computers until the re-imaging was complete.
|
|
#
?
Aug 22, 2010 19:31
|
|
|
More of an FYI but I'm seeing some AntiMalwareDoctor in my environment on of course the 4 new computers that haven't had Kaspersky installed yet. Not hard to remove but I guess letting you all know that it's on the roam again.
|
|
#
?
Aug 26, 2010 18:49
|
|
|
TDL3 now has a 64-bit variant that infects the MBR instead of an existing driver. http://www.kernelmode.info/forum/viewtopic.php?f=16&t=19&start=370 This will be interesting to follow since with Patchguard MS removed many of the tools anti-rootkit software uses to detect and remove things. The ball is really in their court to stop Patchguard being bypassed. Until then you can probably remove it really easily with fixmbr or some other boot CD solution. Easier than 32-bit TDL3 at least.
|
|
#
?
Aug 26, 2010 19:19
|
|
|
BillWh0re posted:TDL3 now has a 64-bit variant that infects the MBR instead of an existing driver. I have a system here that I've been scanning and cleaning. It's Vista 32-bit and I believe it had some variant of the fake antivirus malware going around. It looks clean for the most part. Every scanner I toss at it comes up clean, but when I run GMER, it crashes when it reaches the point where it scans what appears to be the volume on the hard disk. I'm thinking it has an MBR infection but it's hard to say. Are there any tools to determine this for sure or should I just use something like the Microsoft Vista Recovery disk to run a FIXMBR? Or maybe Microsoft DaRT? PUBLIC TOILET fucked around with this message at 02:11 on Aug 27, 2010 |
|
#
?
Aug 27, 2010 02:07
|
|
|
COCKMOUTH.GIF posted:I have a system here that I've been scanning and cleaning. It's Vista 32-bit and I believe it had some variant of the fake antivirus malware going around. It looks clean for the most part. Every scanner I toss at it comes up clean, but when I run GMER, it crashes when it reaches the point where it scans what appears to be the volume on the hard disk. I'm thinking it has an MBR infection but it's hard to say. Are there any tools to determine this for sure or should I just use something like the Microsoft Vista Recovery disk to run a FIXMBR? Or maybe Microsoft DaRT? Some Sinowal/Torpig/Mebroot variants crash when a usermode app tries to read from the raw disk. Howver this could just be gmer crashing like usual... You might want to try the two MBR-related tools from eSage: http://www.esagelab.com/
|
|
#
?
Aug 27, 2010 10:09
|
|
|
Not sure if this is the right thread to ask in, since I am not a tech person and I am not sure if this is notable, but after a brief look in google, I see nothing on the topic, so here goes: A friend had his gmail account hijacked by what he is assuming is a virus. It basically just sends out an e-mail to everyone on his contacts list with a link to a pillsxcanx.com. Doing a google search on the website reveals that blogs are also being hit by this - people doing posts of just the URL, and the date is today, August 30th. He's trying to get on the horn with gmail to no avail, saying they have no live support. He changed his password twice and apparently it is still sending out e-mails. Any ideas on what could hijack a gmail account like that and how to close it asap until the issue is resolved? edit: as far as I know, he has antiviral software installed and it is up to date. He ran a scan and found nothing, I'll suggest MSE and the other tools that are commonly recommended in this forum.
|
|
#
?
Aug 30, 2010 19:18
|
|
|
He needs to change the password from a known clean computer first. Changing the password on the infected computer won't help anything.
|
|
#
?
Aug 30, 2010 19:21
|
|
|
I came across a new one, since google and such has no idea what it is, maybe you guys can help. Last night my friend was browsing as usual, and avg went nuts on some random page. I think it was USA today or some news page. Anyways, it flags gpdkat.exe as a virus. So far so good. Avg deletes it, he restarts his computer and it takes literally 5 minutes to boot to windows. Here is where it gets interesting, running a hijack this scan it found 11 entries in the runonce at launch all named, gpdka0~.exe through gepd~11.exe. It doesn't do anything that I am aware of but it is running several process in the task manager. All it does it constantly scan a range of ports from 30112 all the way up to 55000 and then restarts at 30112. We took the thing off the network and it sits there using 10% cpu on these port scanning processes. Oh, and the computers gonna be nuked and reloaded, since there is no fix for it. Not even google can find it. Any ideas what it is though is what I am asking?
|
|
#
?
Aug 30, 2010 19:57
|
|
|
MiddleNotch posted:Oh, and the computers gonna be nuked and reloaded, since there is no fix for it. Not even google can find it. The nuking and reloading is probably a decent idea anyway, but you could just remove it from the list of things that open on startup with msconfig if it hasn't removed access to it. You didn't mention any access restrictions, which means this is probably going to be trivial to remove either manually (delete the profile's Temporary Internet Files and Temp files, use the msconfig Startup tab to find out where the programs live, uncheck them, kill the processes, delete the files, run a Find in the registry to look for entries pointing to appropriate filenames or newly-created folders and delete the keys, etc) or automatically with MalwareBytes or something. It's not really relevant, honestly, but when you say that it's "scanning" a range of ports, do you mean that it's listening on those ports locally (netstat -a) or that it's actually scanning those ports on other systems on the network? If it's listening on local ports, then that makes it sound more like it's backdoor of some kind waiting to be told what to do with the system. It sounds very poorly written and the reason you're most likely not finding a specific fix for it is that it's a piece of junk that isn't good enough at spreading to come up on anyone's radar.
|
|
#
?
Aug 30, 2010 20:29
|
|
|
Midelne posted:The nuking and reloading is probably a decent idea anyway, but you could just remove it from the list of things that open on startup with msconfig if it hasn't removed access to it. You didn't mention any access restrictions, which means this is probably going to be trivial to remove either manually (delete the profile's Temporary Internet Files and Temp files, use the msconfig Startup tab to find out where the programs live, uncheck them, kill the processes, delete the files, run a Find in the registry to look for entries pointing to appropriate filenames or newly-created folders and delete the keys, etc) or automatically with MalwareBytes or something. Yeah, did the remove entries in hijackthis, and msconfig startup, but it comes back with more mutated names. Like gmp~12.exe and junk. It has 112 registry entries that I could find. It is just scanning ports. It doesn't send anything out. It manifests itself in the sys32 folder, temp folder for all local login entities, and has its own process in dllhost. I don't know what it is, probably a botnet maybe? Access restrictions were set as administrator rights too. Hard to tell someone to make a USER account with limited access, they feel like they are gimped or something. Some people never learn. If it helps, he was running ie 8 with a fully up to date vista machine. One of the ads must have done it. Now to show him the wonders of noscript, flashblock, and such. It is tricky though, even deleting the keys and .exes it still comes back making me think it is a rootkit, or I am not looking hard enough for it.
|
|
#
?
Aug 30, 2010 20:41
|
|
|
MiddleNotch posted:It is tricky though, even deleting the keys and .exes it still comes back making me think it is a rootkit, or I am not looking hard enough for it. GMER is a good first stop when you suspect that you're rooted in Windows. One other non-root way to replicate the behavior of putting itself back together once you've deleted it would be to change the file associations for .exe and such. Might take a look to see if those are intact, but if you're having substantial difficulty after MalwareBytes and GMER it's probably gone past the point of being too annoying to bother with and should probably just be wiped.
|
|
#
?
Aug 30, 2010 20:46
|
|
|
Midelne posted:GMER is a good first stop when you suspect that you're rooted in Windows. Malwarebytes found 12 tracking cookies. GMER and rootkitrevealer both found some 413 entries dated from last night to current. I should congratulate my friend on being the first infected in the wild. I would zip this and send it in to a/v sites and junk but the computers pretty much unresponsive at this point. Whatever it is, it is weird. By unresponsive I mean, when you click on the start button it kicks you out to the login screen. When you relogin the only things you can click on and run are on the desktop. Using shortcut keys reboots the system. Safe mode doesn't work. This things bad. edit: safe mode works when you rehook it up to a network, normal boot crashes to a atapi.sys bluescreen. MiddleNotch fucked around with this message at 21:15 on Aug 30, 2010 |
|
#
?
Aug 30, 2010 21:09
|
|
|
MiddleNotch posted:By unresponsive I mean, when you click on the start button it kicks you out to the login screen. When you relogin the only things you can click on and run are on the desktop. Using shortcut keys reboots the system. Safe mode doesn't work. I ran into somewhat similar behavior when I'd manually removed a trojan that set itself as the default handler for .exe and various other files. Every time Windows attempted to run something, bad things happened. The proper course of action at this point is wipe/reinstall after retaining vital documents and cat pictures, but I'd probably just keep poking at it if there's no deadline. If you can still use context menus, then a right-click, create shortcut, cmd.exe would give you command shell access and allow you to happily traverse the file system. From there, you mentioned that you had access to the task manager, but command line equivalents for some of the same functionality would be tasklist to list running processes nice as you please and tskill once you have the process number from tasklist to end a process. tasklist /svc may also give you a somewhat deeper perspective on what is actually running in terms of services and what those mysterious svchost.exe processes are being used for. That said, if GMER and the other are finding root-like processes running, it's entirely possible that you wouldn't even be able to see the questionable code without lateral measures. If you want to dig a little more with the available data, look for broad patterns in the GMER results (is it all coming from the same folder?), boot the system from a Backtrack or other live CD that can handle NTFS, and take a look at those folders from outside of the existing Windows installation. Mind you, this is purely for poking-at-things-is-fun value. If you're rooted, then the existing installation of Windows can never be trusted again and will need wiping. edit: quote:atapi.sys bluescreen. This probably means you can't trust Windows' display of the file system and it's pretty much pointless to look without an outside operating system. 
Midelne fucked around with this message at 21:23 on Aug 30, 2010 |
|
#
?
Aug 30, 2010 21:21
|
|
|
Midelne posted:I ran into somewhat similar behavior when I'd manually removed a trojan that set itself as the default handler for .exe and various other files. Every time Windows attempted to run something, bad things happened. What I don't get is why this thing runs the computer normal under safe mode when no network drivers are found. Normal boot with the ethernet plugged in causes atapi bluescreens. Yeah, I am playing with this thing because its interesting. It is kind of funny I can run desktop things and junk, but hit the start button you get the bluescreen. It's weird. the right click on the taskbar to bring up the the task manager crashes the system. But it gives an IO error instead. edit: windows sees the partition as "undefined". Repair console says go to hell when trying to fix it. Good luck to you guys when you come across this thing. MiddleNotch fucked around with this message at 21:36 on Aug 30, 2010 |
|
#
?
Aug 30, 2010 21:27
|
|
|
MiddleNotch posted:edit: windows sees the partition as "undefined". Repair console says go to hell when trying to fix it. Good luck to you guys when you come across this thing. Use something other than Windows to take a look and see if you get a different result.
|
|
#
?
Aug 30, 2010 21:46
|
|
|
Midelne posted:Use something other than Windows to take a look and see if you get a different result. Sorry, it took awhile to track down a linux distro. It sees the hard drive as empty. It reads the partition as NTFS. I don't know what this thing was but it did a number to the system. I asked my friend what else he was doing when this thing happened. Apparently he was browsing a .ru domain for things. Easiest 50 bucks I ever made anyways. A total partition wipe, reformat and 50 minutes of install time later, all is back to normal.
|
|
#
?
Aug 31, 2010 21:20
|
|
|
Unless it's a friend, I always charge at least $100 for a wipe/reload. Extra if there's data to back up.
|
|
#
?
Aug 31, 2010 21:40
|
|
|
Considering most places charge $70 for 'speeding up your computer' that isn't bad.
|
|
#
?
Aug 31, 2010 23:16
|
|
|
I charge either $30 or imported beer for "fixing" Wipe and installs will cost someone $50. They have to get their own [legit] copy of Windows or find their restore disks before I will even loving look at their machine. e: The nearest shop will charge ~$100 for "virus removal", $90 for building a machine [before installing an os], and some random price for OS install. The most I charge is $50 because the people are mates and are on the same lovely pay I am.
|
|
#
?
Sep 1, 2010 14:00
|
|
|
Like I said, that's if they're not friends. I'm usually down for just getting a 12-pack of some good beer if they're friends. The reinstall is generally just 30 minutes or so of actual work. The rest is waiting, eating dinner, playing on my computer, rubbing one out, whatever.
|
|
#
?
Sep 1, 2010 14:18
|
|
|
I've been tackling an older Dell system still running on XP SP2 and so far every bootable Linux-based virus scanner has found different infections. It's like a never ending pit of despair. On top of that, it can make a successful connection with the network but can't open any websites. Proxy settings are fine, hosts file is fine as well.
|
|
#
?
Sep 2, 2010 00:37
|
|
|
Well, the system is trashed. Just backup what you can and reinstall windows. The Dell discs work with any Dell branded computer.
|
|
#
?
Sep 2, 2010 02:18
|
|
|
Syphilicious! posted:So yesterday, the Antivirus Vista 2010 virus infected my computer. I ran Malwarebytes in safe mode, and it got rid of it. However, now, anytime I try and run a program, it says a few variations of things. When I try and run iTunes, for instance, it says iTunes.exe cannot be found. The same thing for Modern Warfare 1 and 2, and anything that had a shortcut on the desktop. A few programs, IE 7, for instance, will make me select which program to use to run it. When I select IE 7 from the list, it doesn't really open up. At least Firefox still works. This also appears to have affected a lot of other programs. iTunes, at least, runs when I select 'Run in Administrator Mode'. So does a few other programs. But it really isn't worth the hassle. I made a new account on the computer, and everything is working fine on that one, but my main one is still hosed up. Download AVZ4 from the Kaspersky website and rename the executable to AVZ.com. Run it, select "system restore" from the file menu and select option 1 and execute it. That should solve your issue. Edit: Holy poo poo didn't notice how far back this post was when I answered it. Fix still works for these issues though so it's still relevant. MrDorf fucked around with this message at 08:40 on Sep 2, 2010 |
|
#
?
Sep 2, 2010 08:36
|
|
|
Ted Stevens posted:Well, the system is trashed. Just backup what you can and reinstall windows. The Dell discs work with any Dell branded computer.
|
|
#
?
Sep 2, 2010 14:49
|
|
|
What the hell you charge people for reinstalling windows? I should do that with my parents and their neighbors, I'm getting exploited here(or there, whatever). OK, virus problem. I'm pretty sure my girlfriend has managed to get that weird fake anti-spyware spyware on her laptop. She's saying that her browser is now pretty much unusably slow(though skype still works fine) and downloads in general are greatly slowed. She had AVG free installed and said that whatever popped up kinda looked like it. Is that what happened or is some other cocktail of viruses at work here(I know this is low info, but hey she's computer illiterate). I'm in a different country, so short of telling her to get Windows reinstalled(which I did, she'd have to pay for it at a shop so that's not happening) what can I do for her? Additional question: getting a new hard drive for my laptop and I'm planning on installing windows from files saved on the HDD(legit files, that newriver student offer thing). Would this run a risk of infecting my new hdd with whatever my current one has(as far as I know it's totally clean, but hey you never know)? Should I burn the files to a DVD instead?
|
|
#
?
Sep 7, 2010 21:52
|
|
|
|
| # ? Apr 29, 2024 08:21 |
|
|
Quick and odd question: Lately, we've noticed that after having MalwareBytes clean up infections, a lot of systems are losing the ability to connect to the net via ethernet. Other systems can connect just fine, but the system that just got disinfected? Nada. The lights are on on both ends, the cable is fine, and reinstalling the OS fixes the issue. Oh, and re-installing network drivers does poo poo all. What the hell?
|
|
#
?
Sep 7, 2010 21:57
|
|
