co199 posted:That's true, and I was oversimplifying the process. I've been out of the research game for a couple years now so I don't have the details I used to. That being said, it's really hard to find an explanation for a customer when they ask "well why didn't xxx program detect this?" The "malware kit", while not 100% correct, works when you're dealing with someone who doesn't give a poo poo about the technical details and just wants an answer. Hell, it's a better answer than a bunch of other shops around here give, which is "because that one is a bad AV program, buy this one". Neither answer solves the problem, but one doesn't cost the customer unnecessary money. I knew some support techs that just told them that no one product detects everything and point them to the usual comparatives sites. Seemed to work OK. Generally it's easier now because if a product has good HIPS or in-memory detection the customer can at least clean it all up (hopefully with a single click) after getting infected.
# ? May 26, 2011 16:57

warning posted:Just got a call from a tech who is very technically sound who claims a new variant of Windows Recovery deleted the user's documents. He did also mention that the user may have tried some things on his own before he gave the laptop to IT. Make sure it didn't just mark the relevant folders as hidden. The newer Windows 7 Security 2011 family loves to do that, it's part of the intimidation/extortion routine.
# ? May 26, 2011 17:32

Back on page 50 someone posted this: code:
# ? May 26, 2011 19:30

There's something about malware I'd like to know. In Windows, administrators have total control over the system, but not directly. ACLs can be configured to block all users, including administrators, from accessing an object. To gain control, the administrator has to take ownership of the object before changing permissions to allow access. ("System Volume Information" is a good example.) I'd like to know how many malware programs go as far as examining and trying to alter the ownership of files in order to further the infection, and how many security programs do the same to counteract infections. Malware could make some pretty severe changes, such as adding services to the Safe Boot registry keys and blocking changes to those keys. A malware removal program would need to gain ownership of the keys and change permissions to remove the infection. Scareware could also move files to a directory set to block all access. Has anyone encountered malware that alters file permissions?
# ? May 26, 2011 20:49

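As an added example (not posted in the thread), here is the cleanup side of what dpbjinc describes: a folder that scareware has hidden and locked with a deny-all ACL, recovered by taking ownership first and only then resetting permissions. It assumes an elevated PowerShell on Vista/7, the built-in takeown.exe, icacls.exe and attrib.exe, and that $Path is the specific locked folder rather than a whole profile.

```powershell
# Added example, not from the thread: recover a folder that scareware has
# hidden and locked with a deny-all DACL. Run elevated; point $Path at the
# locked folder itself (not a whole profile, whose junctions would be walked).
param([Parameter(Mandatory = $true)][string]$Path)

try {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    "Owner before: $($acl.Owner)"
    # Explicit Deny entries are the tell-tale sign; log them before removal.
    $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
        "Deny ACE: $($_.IdentityReference) -> $($_.FileSystemRights)"
    }
} catch {
    # A deny-all DACL blocks even reading the security descriptor. Ownership
    # (SeTakeOwnershipPrivilege) is the way past it, exactly as the post says.
    "Cannot read ACL on $Path ($($_.Exception.Message)); taking ownership."
}

# Give ownership to the Administrators group, recursively, answering prompts.
& takeown.exe /F $Path /R /A /D Y | Out-Null

# The owner implicitly holds READ_CONTROL and WRITE_DAC, so the DACL can now
# be reset to inherit from the parent, which drops every explicit Deny entry.
& icacls.exe $Path /reset /T /C /Q | Out-Null

# /reset leaves only inherited ACEs; make sure Administrators keep access if
# the parent was stripped too (S-1-5-32-544 is the well-known group SID).
& icacls.exe $Path /grant "*S-1-5-32-544:(OI)(CI)F" /T /C /Q | Out-Null

# Clear Hidden/System so the "deleted" documents reappear in Explorer.
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
& attrib.exe -h -s $Path
Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
    if (([int]$_.Attributes -band [int]$mask) -ne 0) {
        $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band -bnot [int]$mask)
    }
}

"Owner after: $((Get-Acl -LiteralPath $Path).Owner)"
```

Registry keys locked the same way (the Safe Boot keys dpbjinc mentions) need the equivalent take-ownership step on the key before its permissions can be changed; regedit's Permissions dialog does this from the Owner tab.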
Yeah, many of them do this. I forget the variant but there was one that would mess up attributes/permissions so you couldn't see the files in Windows explorer or command shell (even with show hidden/system) and you had to go into recovery console to find them.
# ? May 26, 2011 23:04

Oddhair posted:Back on page 50 someone posted this: This cleans up a user profile without screwing with a bunch of files it shouldn't be. BangersInMyKnickers posted:
# ? May 26, 2011 23:23

dpbjinc posted:There's something about malware I'd like to know. In Windows, administrators have total control over the system, but not directly. ACLs can be configured to block all users, including administrators, from accessing an object. To gain control, the administrator has to take ownership of the object before changing permissions to allow access. ("System Volume Information" is a good example.) Yeah, I've seen this fairly often. Usually something with a rootkit component will do this - and they'll use it to lock down registry keys too.
# ? May 27, 2011 00:19

Pope Guilty posted:Make sure it didn't just mark the relevant folders as hidden. The newer Windows 7 Security 2011 family loves to do that, it's part of the intimidation/extortion routine. It's probably worth mentioning that a version of Windows Recovery I ran into recently also hides the Program Files folder. Luckily this one didn't try to embed itself with exe associations as well so it's probably just about on par with XP Antivirus for being annoying to cut up. Although a pro-tip that I learned from the initial reaction of one of my users, if they try closing the popup windows it seems to start some sort of countdown to a forced reboot after like 15 minutes.
# ? May 27, 2011 02:32

I got a version of it the other day (Windows Recovery) that was a real prick. It hid all the files, nothing new. It also removed the poo poo on the start menu. There were no icons on the start of it, and only a bunch of folders in All Programs. These folders were empty. I checked them in their programdata location, and they all showed as 0 bytes. I also made sure to have ownership of the folders, that hiding was off, et al. System restore fixed it.
# ? May 27, 2011 03:49

One of these days the malware authors are going to figure out how to infect System Restore points, and on that day we are so hosed.
# ? May 27, 2011 05:02

Pope Guilty posted:One of these days the malware authors are going to figure out how to infect System Restore points, and on that day we are so hosed. Some already do. Don't ask me which ones, it's been ages since I read about those few bastards.
# ? May 27, 2011 05:23

Pope Guilty posted:One of these days the malware authors are going to figure out how to infect System Restore points, and on that day we are so hosed. They've been doing this for a while, annoying as hell.
# ? May 27, 2011 06:03

Welp.
# ? May 27, 2011 06:21

Pope Guilty posted:Welp. Thank gently caress for heuristics being a deterrent. Otherwise we'd need to worry about the superbugs. Rootkits + Fully hide and perms deny all files + gently caress with the .exe / .lnk / .com / .bat assocs + Infecting all accounts including admin + Popping up in WinRE + loving with system restore + Infecting factory images. :fwee:
# ? May 27, 2011 10:24

What exactly am I supposed to do about "Windows cannot find rsrtui.exe" or being asked how to open .exe files?
# ? May 27, 2011 11:15

I read six pages of this thread and it was mostly foreign, but I was able to understand enough to be scared shitless. I run avast free edition on both my machines and do full scans with malwarebytes every 2-4 weeks to catch anything avast might have missed, so I felt reasonably secure until reading this thread. I was under the assumption that keeping your OS and malwarebytes updated would generally deal with anything outside of rare instances. I'm running vista 32-bit on my laptop and windows 7 64-bit on my desktop (I think I updated to sp1). I recently ran malwarebytes on a relative's computer and found 254 infected items, which just might be the most I have ever seen at once.
# ? May 27, 2011 12:44

So what's the current consensus on the best programs to keep your PC secured? I'm running Win7 64 bit SP1. I use firefox as a browser, with noscript, adblock, betterprivacy and HTTPS-Everywhere. I run MSE as my antivirus, and use SecuniaPSI to keep me informed of which programs need updating. My windows update checks for and autoinstalls updates every day at 3am. I use MalwareBytes resident thingy and run a MWB scan and a SpyBot scan once a week or so. Do I need to do anything else? I don't really visit any dodgy sites, but this whole idea of malicious software using GIS result pages to install itself worries me somewhat. Also, what are some good arguments against Norton Antivirus? My girlfriend's mum uses it and doesn't want to switch to MSE because she thinks something you pay for is necessarily better than something you don't.
# ? May 27, 2011 13:26

Pope Guilty posted:What exactly am I supposed to do about "Windows cannot find rsrtui.exe" or being asked how to open .exe files? Grab the .exe fix from here. That should fix you right up, on XP anyways. It's one of the things I keep on my flash drive toolkit. I haven't run into a windows 7 computer with messed up file associations yet, I don't know if you need something different to fix one of those.
# ? May 27, 2011 13:35

AlphaDog posted:So what's the current consensus on the best programs to keep your PC secured? Two weeks ago I had a client with 3 laptops, all of them running slow as balls. The common theme? All of them had variants of Norton on them. While they were 99.9% clean from common viruses and spyware, I uninstalled Norton on all of them and the speed boost was HIGHLY noticeable.
# ? May 27, 2011 14:01

quote:Also, what are some good arguments against Norton Antivirus? My girlfriend's mum uses it and doesn't want to switch to MSE because she thinks something you pay for is necessarily better than something you don't. Over 75% of the computers I see in my shop infected with viruses have either Norton or McAfee on them, up to date, with an active subscription. There is a noticeable speed increase on many machines when we uninstall Norton. I've seen many a machine where Norton has completely screwed network/internet connectivity, and the only way to fix it was to uninstall Norton, which crashed and wouldn't uninstall, then run their special Norton Removal tool. While it has gotten better, Norton generally sucks at uninstalling itself and often times has to be removed using their special Norton Removal Tool. If she wants to pay for AV convince her to buy a NOD32 license.
# ? May 27, 2011 14:20

J posted:I haven't ran into a windows 7 computer with messed up file associations yet, I don't know if you need something different to fix one of those. I met one yesterday. I eventually gave up and threw Combofix* at it. (*: renamed to .scr)
# ? May 27, 2011 15:13

Norton is a total hog and its catch rate is pretty low, especially on the ransomware that's so prevalent at the moment. Computers at my job run SAV 10 Corporate and all definitions are up to date but it didn't make a peep when I got hit with Windows Antivirus 2011 or some variant thereof from a bad ad on these forums.
# ? May 27, 2011 15:15

Norton isn't even a speedbump to these things.
# ? May 27, 2011 15:56

go3 posted:Norton isn't even a speedbump to these things.
# ? May 27, 2011 16:49

J posted:Grab the .exe fix from here. That should fix you right up, on XP anyways. It's one of the things I keep on my flash drive toolkit. I haven't run into a windows 7 computer with messed up file associations yet, I don't know if you need something different to fix one of those. You need a different one for 7; the XP one doesn't work. I have .reg files for both which I found via google. Also from earlier the tech did claim the documents were gone not hidden. I know on the one I worked on all the program shortcuts and all users desktop shortcuts were moved into temp directories. I ran combofix which deleted temp files and welp.
# ? May 27, 2011 16:56

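As an added example (not the .reg files from the thread), here is what those association fixes do, written as a PowerShell check-and-repair for the hijacked exefile handler that produces the "Windows cannot find x.exe" / "how do you want to open this file" symptom. It assumes an elevated PowerShell started by full path (for example from Safe Mode with Command Prompt), since the normal shell cannot launch .exe files while the hijack is in place; the registry paths are the stock Windows ones.

```powershell
# Added example, not from the thread: inspect and repair a hijacked .exe file
# association on Vista/7. Start PowerShell by full path from an elevated
# command prompt, because double-clicking .exe files fails while hijacked.
$expectedCommand = '"%1" %*'   # stock exefile open command

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-ExeOpenCommand {
    (Get-ItemProperty -LiteralPath 'HKCR:\exefile\shell\open\command' `
        -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
}

$current = Get-ExeOpenCommand
if ($current -and $current -ne $expectedCommand) {
    # The hijacked command names the rogue binary: keep it for the cleanup notes.
    "Hijacked exefile open command: $current"
}

# Point .exe back at the exefile class and restore the stock open command.
Set-ItemProperty -LiteralPath 'HKCR:\.exe' -Name '(default)' -Value 'exefile'
New-Item -Path 'HKCR:\exefile\shell\open\command' -Force | Out-Null
Set-ItemProperty -LiteralPath 'HKCR:\exefile\shell\open\command' `
    -Name '(default)' -Value $expectedCommand

# Per-user overrides win over HKCR, and the rogue AV families write theirs
# here; removing them is the part the XP fix does not need to do.
$userOverrides = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice',
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile'
)
foreach ($key in $userOverrides) {
    if (Test-Path -LiteralPath $key) {
        "Removing per-user override: $key"
        Remove-Item -LiteralPath $key -Recurse -Force
    }
}

"exefile open command is now: $(Get-ExeOpenCommand)"
```

The same pattern applies to the .lnk, .com, .bat and .scr handlers mentioned elsewhere in the thread; only the class name and expected command differ.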
-Dethstryk- posted:I'm getting a lot of machines now where MSE isn't helping much now, either. For about a year, I didn't have any problems with any of my clients running it. Now it's regularly letting them through. I've been seeing a few with MSE getting nailed lately now too, which sucks because it's what we've been recommending everyone. People don't like getting infected after installing an antivirus that we recommended them. Usually I just tell them that no antivirus is perfect and they probably caught a new variant before updated definitions were released. Still though, I wish there was one that was perfect, or very very very close to it.
# ? May 27, 2011 17:46

Maniaman posted:Still though, I wish there was one that was perfect There is but the cure is worse than the disease:
# ? May 27, 2011 18:13

I can't think of a single antivirus I haven't seen on a machine with a rogue AV, except possibly NOD32. Then again, I've only seen NOD32 once, so.
# ? May 27, 2011 19:01

MSSE seems to keep the worst stuff out, the infections I've encountered on up to date MSSE machines were all of the "kill the process, delete the rogue files" relatively easy to clean up stripe. I haven't been doing that much clean up work lately since I've been getting extra hours at my real job, so it may not be a representative sample.
# ? May 27, 2011 20:16

I've been happy with KAV enterprise here at the mother ship. Sometimes someone will get Windows Antivirus XXXX but inevitably I've found that it's:
- A new machine that hasn't had the install rollout yet or
- An 'out of control' installation due to AD problems
So far if it's actually running and updated I haven't had to clean out anything (wood knocking).
# ? May 27, 2011 20:23

I used to get infected machines in my shop where McAfee would delete the removal tools off my flash drive. I ended up just getting a flash drive with a write lock switch on it.
# ? May 27, 2011 21:12

Warp Zone posted:I read six pages of this thread and it was mostly foreign, but I was able to understand enough to be scared shitless. Honestly, here's what you need to do:
Everything else is just window dressing. I have two computers that have run for the past four years using Avast/Firefox and have never gotten a virus. If you can, though, consider using a separate hard drive for your windows install and keeping everything else on a different drive. I have a little 40GB boot drive that I install all my utility programs to (firefox, avast, Word, etc) and that way if something goes wrong I just reinstall Windows. Including the Windows install it takes about two hours and I'm back exactly where I was. Use a second hard drive if you can, that way you can completely blow away the drive with DBAN if you need to. That boot-sector virus can't do much when it turns into a bunch of 0's
# ? May 27, 2011 22:12

bbcisdabomb posted:Honestly, here's whate you need to do: To add to the list some other useful things:
But definitely get adblock plus and noscript, those will save your rear end.
# ? May 27, 2011 23:37

FlashBlock too. Also, go into your Firefox Addon settings and disable Java and Adobe Reader. Enable them when needed, then disable them when not in use.
# ? May 28, 2011 00:13

FCKGW posted:I used to get infected machines in my shop where McAfee would delete the removal tools off my flash drive This is why now I just remove any anti-virus that isn't MSSE or Avast. That's really how I judge how good an anti-virus is, how much poo poo it DOESN'T break. Also about keeping Java, Flash and Reader up to date, if you're working with a lot of computers go grab those three offline installers and write a quick batch script to silently install them. It saves so much drat time. Ghost Mutt fucked around with this message at 10:45 on May 28, 2011
# ? May 28, 2011 10:38

beastathon posted:Also about keeping Java, Flash and Reader up to date, if you're working with a lot of computers go grab those three offline installers and write a quick batch script to silently install them. It saves so much drat time. It's a drat shame that Windows Update and Apple Software update don't do the job themselves, given how many exploits occur with these three programs.
# ? May 28, 2011 11:09

Yeah, but Adobe is missing from that list. WU and ASU could work brilliantly, but the way things are now you're still gonna see infections. And Adobe ain't gonna let those two do jack. That's the shame.
# ? May 29, 2011 04:13

Some friends with a new laptop running Windows 7 have had Windows Media Center take over their computer. After looking at their laptop, it would appear to be a virus, and googling Windows Media Center virus brings up some hits, but nothing definitive. All the file associations have been changed to open this WMC copycat, Microsoft Security Essentials has been disabled, the Malwarebytes .exe link opens the WMC, etc. The setup for WMC shows that it is not set to load at startup, but of course it does anyway. Can't run msconfig, etc, and it shows there are no restore points. They did not make a system backup of this Dell laptop, and it does not come with a restore disk. (Makes me like my Asus restore partition even more!) They bought it about 40 days ago at Best Buy, which now wants $200 to fix it for them. I am really too busy to flatten, reinstall from a Win 7 image and go driver hunting, plus that would get me even deeper into the "can you look at this for me (for free, of course)" hole. Basically, if this is an easy fix I will try to help them, otherwise it's off to Best Buy for them, I guess. Anyone have experience with this virus/malware?
# ? May 31, 2011 21:42

Does it do the same thing in safe mode? Try running RKill and see if that kills the processes and lets you run Malwarebytes. Speaking of Malwarebytes... I'm not sure what to do about licensing in my shop. They apparently phased out their technicians license and now want you to buy a separate license for every computer you use it on. I'm really considering just using the free version and leaving it installed. I'm not sure what corporate licenses cost, but many customers won't want to pay extra for it and it's the only thing that will remove some of the infections we see.
# ? Jun 1, 2011 02:00

coldsnap posted:Some friends with a new laptop running Windows 7 have had Windows Media Center take over their computer. After looking at their laptop, it would appear to be a virus, and googling Windows Media Center virus brings up some hits, but nothing definitive. As an aside, I'm pretty sure you have a recovery partition on your hard drive. Try Ctrl-F11 or whatever it says to press during the BIOS startup screen. Also, you can usually press F8 to get into Windows recovery and it'll have an option there.
# ? Jun 1, 2011 03:49