abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.
I've kinda lost track of this thread over the last year or so. It was slow at work today so I decided to peruse it and came across the following post with requests that it go into the OP. So here it is.

Megiddo posted:

There's really a lot more to it than that, if you want to keep your machine secure:

Use Firefox or Chrome with NoScript and Adblock Plus and disable/uninstall any unneeded plugins. Make sure your browser is kept up to date with automatic updates. Check Mozilla's plugin check regularly to see if you have vulnerable plugins. Make sure you are receiving Microsoft updates for all Microsoft software (not just Windows), and keep all third-party software up-to-date that interacts with downloaded material of any kind, whether it has a plugin for a browser or not.

Only install Java when you actually need it and uninstall it promptly when finished. If you need to have Java installed all the time due to Java-dependent software, keep it updated at all times and disable Java plug-ins/add-ons in all your browsers. Keep in mind that Oracle rarely issues "out-of-band" critical updates/patches for Java, leaving security and bug fixes for the next quarterly release - and leaving you vulnerable until Oracle's next scheduled release. Unless you don't have it installed in the first place, of course.

Keep Adobe Acrobat, Adobe Reader, or any third-party PDF viewers up-to-date and ideally disable their plug-in/add-on. Make sure Acrobat/Reader security settings are set for maximum security: delete the Flash authplay.dll that's bundled with Acrobat/Reader, disable javascript, disallow multimedia operations, enable enhanced security, disallow opening of non-PDF files.

Keep Adobe Flash and Adobe Shockwave updated. Make sure Flash is set to check for updates automatically. Do not install Shockwave unless you actually need it as many people neglect to check for Shockwave updates and Adobe does not have an option to automatically check for Shockwave updates.

Keep Apple Quicktime updated, or either disable the plug-in/add-on on all browsers or just don't install Quicktime. If you use VLC, Winamp, or some other media player, make sure that it is updated as they have been known to have critical vulnerabilities with some types of files.

Any other programs that interact with downloaded files should be kept updated. For example, if you use uTorrent, even without a browser plug-in, you are still opening downloaded .torrent files that could exploit older versions of uTorrent with critical vulnerabilities.

If you're in a locked-down corporate, university, or public machine where you cannot update plugins, browsers, uninstall Java, etc. - use a USB flash drive with Portable Apps configured for secure and private browsing.

But good luck getting even experienced computer enthusiasts or professionals to do the above, let alone the casual user.

I will also add that you need to have a good antivirus, preferably in my opinion NOD32 which is for pay. Others here will argue until they die from lack of air that Microsoft Security Essentials is just as good. I respectfully disagree. To each their own. Also Adblock and NoScript are your friends: learn them, love them, use them. Anything else that anyone thinks of should be PMed to me as I don't check this so much anymore, but I am flattered that what was essentially a rant and an exercise in blowing off steam has become the MEGATHREAD for viruses in SHSC.



So this week at the shop starts off kind of bad since 7 people decided to call at 4:55pm on Saturday to approve virus removals, effectively making my bench a virus removal station for at least the first half of the week. I don't really care for virus removals because they are routine, boring, and there is not a lot of money in them. So I get in, begin the removals, and go drink coffee and smoke while the first scans are running.

The first one I do has to run in safe mode and everything is operating as expected, I can network fine and explorer is responsive. So I come back about 30 minutes later and since the machines have rebooted into normal startup, I go about logging them in to a user account. One of them locks as soon as I select a user, another gets to the desktop and explorer is immediately unresponsive and another works very slowly but will not network thus keeping me from accessing my tech tools on the server.

So I reboot these three machines back into safe mode and run anything that will install without needing windows installer service. I find the usual on all three; vundo, smitfraud, zedo, random rootkit a, random rootkit b and some other nondescript malwares. Having finished what I could in safe mode, I reboot to normal startup with all msconfig entries disabled with the exception of Microsoft services. Same thing.

Back to safe mode and this time I install autoruns and have a look at what is going on at startup. I don't see anything that raises an eyebrow, curse, reboot the machines and start repair installs. One of them took two attempts to finish the repair install, the other two went alright. One by one they finish and reboot. All three get to the welcome screen and want to be reactivated. I make a fuss about how pissed I'm going to be if I have to call Microsoft for all three activations, but I don't ever get the opportunity to find out if that would have been the case. All three freeze with the border of the activation prompt displayed but the rest of the windows never get drawn.

So I reboot to safe mode on the first one and am reminded that a) you cannot activate in safe mode, and b) you cannot log into safe mode without activating. I contemplate the prospect of having to call three customers and cajole them into giving me more money to back up their data so I can wipe and reload their OS. Since that was not a particularly desirable outcome, I pull one of the drives, connect it to one of my shop machines and run it through NOD32, AVG, Avast, BitDefender, and a2. These scanners didn't find anything at all. Frustrated, I decided to run them through Panda ActiveScan. It finds stuff that it considers minor, and shows me where they are, but will not fix them itself without signing up for an account. gently caress that. I delete the things it found and made a mental note of what they were called and where they were located.

I reconnected the hard drive to the first computer and voilà! It works. Hell yeah. I go to the second machine and look in the places I had looked on the first machine and find nothing. So I run it through Panda and notice that both machines had rootkit.kinject present. I look it up on Google, and it turns out that only SUPERAntiSpyware has it in their definitions. I update my copy of SUPERAntiSpyware on my shop machine, connect the third drive, and find it in like 90 seconds.

It turns out rootkit.kinject just breaks Windows in a bad way. It installs as a hidden service and nothing can see it there, even autoruns. You must pull the drive and scan it elsewhere if you hope to get rid of it. SUPERAntiSpyware and Panda are the only two outfits that I know detect it, and there is absolutely no English literature on the Internet of anyone encountering it. You can only use SUPERAntiSpyware to get rid of it on the local machine if you can get to a desktop and browse the file system. If not, you've got to pull the drive.

I thought I would share this with everyone because it took me like 4 days to narrow down (bear in mind that I was working on 15 or more machines at any given time this week so I might have only gotten around to those machines only 4 or 5 times the first couple of days). Personally I haven't seen anything like this since the spools earlier this summer.

tl;dr

Rootkit.kinject will gently caress your poo poo up. So far I only know of two AV scanners that get rid of it, Panda and SUPERAntiSpyware. Read the post and do not perform a repair install if you have a machine that exhibits any of the symptoms I describe.

What have you seen recently that has made you gnash your teeth?

abominable fricke fucked around with this message at 01:10 on Jun 14, 2011
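An added example, not from the thread or any of its posters: a PowerShell inventory of the "keep it updated or get rid of it" software named in Megiddo's checklist, read from the standard Uninstall registry keys, plus a search for the bundled Flash runtime (authplay.dll) that the checklist says to delete from Acrobat/Reader. The product-name patterns are assumptions, so a miss means "check by hand", not "not installed".

```powershell
# Added example (not from the thread): inventory the third-party software
# Megiddo's checklist says to keep patched or uninstall.
# Assumes a Windows host where the current user can read HKLM.
# The DisplayName patterns below are assumptions about how each vendor
# names its product; adjust them if a product you know is present is missed.
$watch = @(
    @{ Name = 'Java';                 Pattern = 'Java\(TM\)|^Java \d|J2SE' },
    @{ Name = 'Adobe Reader/Acrobat'; Pattern = 'Adobe (Reader|Acrobat)' },
    @{ Name = 'Adobe Flash';          Pattern = 'Adobe Flash Player' },
    @{ Name = 'Adobe Shockwave';      Pattern = 'Shockwave' },
    @{ Name = 'QuickTime';            Pattern = 'QuickTime' },
    @{ Name = 'uTorrent';             Pattern = 'uTorrent|µTorrent' }
)

# Both the native and the 32-bit-on-64-bit Uninstall hives; the second
# does not exist on 32-bit XP, so it is skipped when absent.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect every product entry that carries a DisplayName.
$installed = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion, InstallDate
    }
}

foreach ($w in $watch) {
    $hits = @($installed | Where-Object { $_.DisplayName -match $w.Pattern })
    if ($hits.Count -eq 0) {
        Write-Output ("{0,-22} not found (good, unless you need it)" -f $w.Name)
        continue
    }
    # More than one entry for Java usually means older runtimes were left
    # behind by upgrades and are still installed alongside the current one.
    if ($w.Name -eq 'Java' -and $hits.Count -gt 1) {
        Write-Output ("{0,-22} {1} entries: stale versions likely remain" -f $w.Name, $hits.Count)
    }
    foreach ($h in $hits) {
        Write-Output ("{0,-22} {1} {2}" -f $w.Name, $h.DisplayName, $h.DisplayVersion)
    }
}

# Checklist step for Acrobat/Reader: the bundled Flash runtime is a DLL
# named authplay.dll. Report any copy still present under Program Files.
$progDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $progDirs -Recurse -Filter 'authplay.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output ("authplay.dll present: {0}" -f $_.FullName) }
```

Run it from an elevated PowerShell prompt on the machine being checked; it only reads the registry and file system and changes nothing.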


Mandals
Aug 31, 2004

Isn't it pretty to think so.
I don't know if it qualifies as a virus but that XP Antivirus 2009 poo poo was hell for a few weeks. It was actually the first time in years that we had so many outbreaks.

Fun fact: Sophos couldn't detect it, and we had to use superantispyware to remove it.

netwerk23
Aug 22, 2000
I spelled 'network' wrong.

Mandals posted:

I don't know if it qualifies as a virus but that XP Antivirus 2009...
I was coming in here to post this exact poo poo. AntivirusXP or 2008 or 2009 or whatever variant, it's a pain in the rear end. Malwarebytes from Safe Mode can kill it, the last one I had was super embedded and required that ComboFix utility, which was a godsend.

Catch 22
Dec 1, 2003
Damn it, Damn it, Damn it!

Mandals posted:

I don't know if it qualifies as a virus but that XP Antivirus 2009 poo poo was hell for a few weeks. It was actually the first time in years that we had so many outbreaks.

Fun fact: Sophos couldn't detect it, and we had to use superantispyware to remove it.
Things like this make me hug my SonicWALL for removing things like this, packet level at the gateway. I never had an issue, but the people on the guest access connecting off a PIX did.

Jaketeck
Jul 6, 2004

<3 Robots

Mandals posted:

I don't know if it qualifies as a virus but that XP Antivirus 2009 poo poo was hell for a few weeks. It was actually the first time in years that we had so many outbreaks.

Fun fact: Sophos couldn't detect it, and we had to use superantispyware to remove it.

Get a live CD. Makes the removal take seconds.

OneEightHundred
Feb 28, 2008

Soon, we will be unstoppable!
Semi-on-topic: I've got a PDF file from a malicious banner ad that makes Vista crash when it previews it and makes Acrobat crash with a Data Execution Protection error, which might mean the PDF has a buffer overflow exploit of some sort. What should I do with this thing?

Fishstick
Jul 9, 2005

Does not require preheating
I had an interesting trojan that disabled regedit, disabled safemode booting, disallowed access to virus-scanner related sites (even though they resolved in commandline), disabled activeX and other cool stuff. In the end only some AVG tool specific for that trojan was able to remove it.

bardonaut
Nov 18, 2003

OneEightHundred posted:

Semi-on-topic: I've got a PDF file from a malicious banner ad that makes Vista crash when it previews it and makes Acrobat crash with a Data Execution Protection error, which might mean the PDF has a buffer overflow exploit of some sort. What should I do with this thing?

Send it to friends as a joke. Or get rid of it.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

netwerk23 posted:

I was coming in here to post this exact poo poo. AntivirusXP or 2008 or 2009 or whatever variant, it's a pain in the rear end. Malwarebytes from Safe Mode can kill it, the last one I had was super embedded and required that ComboFix utility, which was a godsend.

I think Spyware Guard 2008 is a cousin of this, embeds itself real deep into the system and will actively prevent Malwarebytes (and any antivirus, or anti-spyware, and it even blocks websites telling you how to get rid of it) from running, even in safe mode. Took me two hours of cursing and gnashing of teeth to finally stumble across ComboFix. God bless that little program.

MagicAlex
Jan 6, 2007

I regularly get to deal with AV2009 and co at work. We have a branded version of F-Secure that our customers can download for free, and because of that we're restricted to only using it or Microsoft Live OneCare. On the plus side, since we're licensing F-Secure's product we get to report to them when it doesn't work, and send them virus samples so they can update their definitions. They're pretty quick about it too, but getting the sample to them can be a pain since we have to get it off the customer's computer.

OneEightHundred
Feb 28, 2008

Soon, we will be unstoppable!

BeardFacer posted:

Send it to friends as a joke. Or get rid of it.
I mean to send it as a virus sample or something considering I've run 3 online virus scanners on it and all come up clean.

Alan Greenspan
Jun 17, 2001

OneEightHundred posted:

Semi-on-topic: I've got a PDF file from a malicious banner ad that makes Vista crash when it previews it and makes Acrobat crash with a Data Execution Protection error, which might mean the PDF has a buffer overflow exploit of some sort. What should I do with this thing?

Upload it somewhere because I want to have it.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

people posted:

Antivirus 2009

I would say that 65% of the computers that come in for diagnostics at my shop have this or some variant of it installed. It does make for an easy diagnosis though.

Jirolico
Jan 27, 2005

My ambition is handicapped by my laziness
AntiVirus 2008 has been wreaking havoc on my laptop for the past few weeks, it's annoying as hell. The only program I had that could kill it was malwarebytes'. After reading this thread, I will have to check out ComboFix.

OneEightHundred
Feb 28, 2008

Soon, we will be unstoppable!

Alan Greenspan posted:

Upload it somewhere because I want to have it.
From the source:
MALICIOUS LINK CLICK AT OWN RISK >>> o

Kaspersky apparently started detecting it 10 days ago. NOD32 doesn't.

corgski
Feb 6, 2007

Silly goose, you're here forever.

The current version of Avast detects it.

MeestarK
Aug 12, 2004
Its cold outside
http://www.virustotal.com/analisis/95f7057960fbc26c9f99e325e8f5d3d1

I'm surprised that NOD32 doesn't detect it, whereas even something crappy like Windows Live OneCare detects it.

Capnbigboobies
Dec 2, 2004

OneEightHundred posted:

From the source:
MALICIOUS LINK CLICK AT OWN RISK >>> o

Kaspersky apparently started detecting it 10 days ago. NOD32 doesn't.

The free version of AntiVir caught it almost instantly. Once you disable the stupid popup antivir is a great antivirus.

Alan Greenspan
Jun 17, 2001

OneEightHundred posted:

From the source:
MALICIOUS LINK CLICK AT OWN RISK >>> o

Kaspersky apparently started detecting it 10 days ago. NOD32 doesn't.

Thanks a lot. The PDF exploits the vulnerability described here.

bazaar apparatus
Dec 1, 2006

Whenever my body starts to feel sick, I just stop being sick and be awesome instead.
Nthing Antivirus 2009 and its variants. Sometimes that loving "tatemupuku" registry entry just won't go away without using something like ComboFix (awesome little utility, by the way).

Panty Saluter
Jan 17, 2004

Making learning fun!
I got a fun little trojan downloader from a hacked JPG a little while ago. Apparently that's the favored vector of WoW gold farmers. It was a slippery little bastard so I wound up reformatting (I was considering one since windows had gotten a little wonky anyway).

Wish I could remember the name. :o:

Namlemez
Jul 9, 2003
Got this on a machine through some random Java applet. This was like the most nefarious one I've ever had by far:

http://en.wikipedia.org/wiki/Vundo

Ashex
Jun 25, 2007

These pipes are cleeeean!!!
At work we had a remote user who couldn't connect via vpn for some reason. When she brought it in, we'd work on it and we would just remove the vpn adapter and after it reinstalled she could connect so we would call it good.
She would go home and the issue would happen again. So we had her give it to us for the day, and while working on it, we noticed that it would try to redirect to http://assist.qwest.net before any site for some reason. We figured out this was why she couldn't connect, as the initial login would do a pre-authentication (check for antivirus, windows updates, etc.) and then direct to the site, and this part would fail consistently. If we re-created the vpn adapter it would work until reboot.

It was the most ridiculous thing and we couldn't figure out how to get rid of it for a few hours; tried rebuilding her profile, network connections, clearing out the registry. Everything short of rebuilding the network stack. Finally we go to http://assist.qwest.net to see what it's doing, and it's some remote assistance support site, and if you look closely enough, there's an opt-out link.

We clicked that and the problem was fixed.
What is really disturbing to us though, is that she didn't have admin or power user privileges and it affected any user who logged on to that laptop.

NotWearingPants
Jan 3, 2006

by Nyc_Tattoo
Nap Ghost
I just removed something called rootkit.TDSServe and rootkit.TDSServe/fake from a computer with NOD32 installed, thanks to SUPERAntiSpyware. I had never heard of SUPERAntiSpyware before this thread, so I'm glad I read about it here.

I wasn't able to do anything without removing the hard drive and putting it in another computer for the scan - SUPERAntiSpyware wouldn't install otherwise. And then I had to scan again after booting the drive and installing SUPERAntiSpyware.

Once the spyware scan started finding it, NOD32 popped up with threat messages and quarantined the files, but I wish it would have caught it before it ever got on the computer.

Over the past year I have been steadily losing the faith I once had in NOD32. Once upon a time it seemed like viruses and spyware were a thing of the past once I installed NOD32, but now more and more of my clients are getting infected. I'm also not very happy with their refusal to integrate their product with any of the common managed services monitoring solutions out there. As soon as my clients' subscriptions are up, I will probably move in another direction.

NotWearingPants fucked around with this message at 21:24 on Dec 14, 2008

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

Namlemez posted:

Got this on a machine through some random Java applet. This was like the most nefarious one I've ever had by far:

http://en.wikipedia.org/wiki/Vundo

http://vundofix.atribune.org/

Namlemez
Jul 9, 2003

abominable fricke posted:

http://vundofix.atribune.org/

Tried that, said nothing was infected but even Ad-Aware could still see it and the files were still present in \System32. It unfortunately does not catch all variants and they admit it does not have 100% coverage because of how it infers infection.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

Namlemez posted:

Tried that, said nothing was infected but even Ad-Aware could still see it and the files were still present in \System32. It unfortunately does not catch all variants and they admit it does not have 100% coverage because of how it infers infection.

Yeah, I generally don't use that tool unless I feel like I'm out of options. Generally I find that combofix gets rid of the major nastiness that is vundo. I think SDFix will get rid of it too.

malkman
Oct 4, 2004

NotWearingPants posted:

Over the past year I have been steadily losing the faith I once had in NOD32. Once upon a time it seemed like viruses and spyware were a thing of the past once I installed NOD32, but now more and more of my clients are getting infected. I'm also not very happy with their refusal to integrate their product with any of the common managed services monitoring solutions out there. As soon as my clients' subscriptions are up, I will probably move in another direction.

I'm surprised it didn't catch the spyware with the whole real-time scanning engine thing. I'm using the Beta 4 of Smart Security and it seems to work fairly well.

Nomean
Jul 14, 2003
Both of my hands are currently in my pants
I just had 2 trojans/viruses go undetected by NOD32. One at home, another at my father's work. Kaspersky detected the one at home as "Trojan-PSW.Win32.Agent.lhd". I don't know what the one at his work has, and it is screwed up to the point that I don't want to take the time to try and repair it. I was in the process of getting approval to have about 50 computers at my work switched to NOD32. Not anymore.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
W32.Winsky something something has been bouncing off Groupshield with remarkable tenacity this last weekend. Makes me blink to see it in the scan logs, since we're usually squeaky-clean after the usual suspects are dropped in transit.

NickBlasta
May 16, 2003

Clearly their proficiency at shooting is supernatural, not practical, in origin.

Namlemez posted:

Tried that, said nothing was infected but even Ad-Aware could still see it and the files were still present in \System32. It unfortunately does not catch all variants and they admit it does not have 100% coverage because of how it infers infection.

My brother managed to get vundo yesterday and vundofix didn't find anything. Malwarebytes killed it though.

Paul MaudDib
May 3, 2006

TEAM NVIDIA:
FORUM POLICE
Generally booting up BartPE with McAfee and some recent definitions will cure most viruses or spyware, but I haven't had to do this recently for anyone. This sounds insane. :psyduck:

twofish
Apr 17, 2006

.

Mandals posted:

I don't know if it qualifies as a virus but that XP Antivirus 2009 poo poo was hell for a few weeks.

Yes, this loving thing.

Is there anything out there besides Malwarebytes and superantispyware that gets rid of it as of yet? My toolkit is lacking.

Otacon
Aug 13, 2002


TekLok posted:

Yes, this loving thing.

Is there anything out there besides Malwarebytes and superantispyware that gets rid of it as of yet? My toolkit is lacking.

My Toolkit lately has included 4 pieces of software:

1. ComboFix
2. Malwarebytes/SuperANTIspyware
3. CCleaner

That seems to fix 98% of the things I come across at my job. One client had a particularly bad rootkit like the ones above - it would not let me install any of these tools. I had to take the drive out and scan using another machine.

With these 4 tools, you can do no wrong.

Briantist
Dec 5, 2003

The Professor does not approve of your post.
Lipstick Apathy
Win32.Polip is something I came across recently. Total pain in the rear end, infected system files and they couldn't be cleaned, only deleted. It was on a work laptop for someone else and I reformatted it.

Mizaq
Sep 12, 2001

Monkey Magic
Toilet Rascal
Thanks for this thread, I was quite a bit behind the times when I saw this thread a few days ago, and then sure enough a coworker gets Antivirus 2009 today and I helped him get rid of it using superantispyware.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
This thread is going to be fantastic and incredibly useful. The last thing I had trouble with was at work. Everything I tried came up clean, including MalwareBytes and Spybot. Running Combofix said something called Qoobox was the root of the problem and had no problem removing it.

I too have been disappointed in NOD32 and I'm still upset that I paid for a 2 year subscription. As much as I like their upcoming version (tried the beta), their detection rate has fallen drastically compared to other scanners. Now it's just a matter of waiting and trying to find something better that might have Windows Home Server support.

Sikreci
Mar 23, 2006

I have a question kind of related to this thread. Are there/have there been any known ways for a virus to spread via e-mail without the use of an attachment or embedded image/audio/video/java/etc.?

deviant. posted:

I got a fun little trojan downloader from a hacked JPG a little while ago. Apparently that's the favored vector of WoW gold farmers.
That's interesting, is there another new image vulnerability in Windows or something? I'm kind of interested in how exactly a hacked JPG like you're talking about works.

corgski
Feb 6, 2007

Silly goose, you're here forever.

The last JPG arbitrary code execution vulnerability I've heard of was one that affected Windows 2000 and, I think, Windows XP RTM. I don't think there have been any since then but I may be wrong.


HauntedRobot
Jun 22, 2002

an excellent mod
a simple map to my heart
now give me tilt shift

TekLok posted:

Yes, this loving thing.

Is there anything out there besides Malwarebytes and superantispyware that gets rid of it as of yet? My toolkit is lacking.

It has a few strains, which complicates things. I got rid of it from the machines here with a rescue console and some manual cleanup after a run through with Nod and Ccleaner but by god, you miss one little bit of it, and the whole thing's back on the next boot, it literally took me all day to locate all the traces of it so I could get it all in one go. It's an evil bit of code, I almost wanted to save it off and decompile it on a clean machine to find out how it works.
