Scott808
Jul 11, 2001

highme posted:

After reading this thread I downloaded Malwarebytes, Superantispyware, Combofix & Avira. I haven't yet installed Combofix, but Avira keeps popping up an alert saying that my copy of Combofix.exe is a Trojan. I believe I dl'd it from bleepingcomputer.com. Is this a known issue or did I trust the wrong google result?

I got that with McAfee Enterprise. After I cleaned a computer out using ComboFix, McAfee's on access scanner automatically deleted it. Thanks, McAfee.


Capnbigboobies
Dec 2, 2004

highme posted:

After reading this thread I downloaded Malwarebytes, Superantispyware, Combofix & Avira. I haven't yet installed Combofix, but Avira keeps popping up an alert saying that my copy of Combofix.exe is a Trojan. I believe I dl'd it from bleepingcomputer.com. Is this a known issue or did I trust the wrong google result?

I just scanned a copy of combofix from bleepingcomputer with antivir and it says it's virus free.

Bunny Cuddlin
Dec 12, 2004

BillWh0re posted:

Are there other computers on your local network? The latest batch of Zlobs perform DNS poisoning so they end up redirecting DNS requests from clean computers that are networked to an infected one.

This is a cool little feature.

EMILY BLUNTS
Jan 1, 2005

combofix is actually dozens of little utilities... some of them probably have to do some pretty crazy stuff to get at rootkits, and it's possible AV heuristics think you've got evil hacking tools.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
The worst I had to deal with recently was one of those bastard child XPAntiSpyware things. I remember infecting myself with the 2007 variant. Since then, it's come with friends that lock your DNS down to the 85.255 hell, and cause all sorts of wonderous crashing. Formatted that computer.

BillWh0re
Aug 6, 2001


Car posted:

This is a cool little feature.

Actually my post wasn't totally accurate as I seem to remember it poisons dhcp rather than dns directly, so you should be able to see it based on the dns server configured by dhcp. Still a nightmare to track down though.
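Added example (not from any poster in this thread): the check BillWh0re describes, done offline. It parses a constructed "ipconfig /all" excerpt, picks out the DHCP server and the DNS servers the lease handed down, and flags a DHCP server that is not the one expected for the LAN plus any resolver inside the "85.255" block PopeOnARope mentions earlier. The 85.255.112.0/20 prefix is the one widely reported for these hijacks at the time; treat it, the sample output and the trusted-resolver list as assumptions to adjust for your own network.

```python
import ipaddress
import re

# Resolver block widely reported for the Zlob/DNSChanger hijacks of the time
# (the "85.255" range mentioned up-thread). The exact prefix is an assumption;
# adjust it to current threat intel.
HIJACK_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed "ipconfig /all" excerpt for a clean XP box that took a lease from
# a rogue DHCP server on the LAN. Not captured from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.77
        DNS Servers . . . . . . . . . . . : 85.255.112.40
                                            85.255.112.85
        Lease Obtained. . . . . . . . . . : Thursday, December 25, 2008 10:02:11 AM
"""

# "Key . . . . : value" lines; the key is everything before the dot leaders.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z \-]*?)[ .]*:\s*(?P<val>.*)$")
# Continuation lines carry just another address for the previous key.
CONT_RE = re.compile(r"^\s+(?P<val>\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text):
    """Return one dict per adapter: {"name": ..., "<field>": [values...]}."""
    adapters, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = {"name": line.strip().rstrip(":")}
            adapters.append(current)
            last_key = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current.setdefault(last_key, [])
            if m.group("val").strip():
                current[last_key].append(m.group("val").strip())
            continue
        m = CONT_RE.match(line)
        if m and last_key:
            current[last_key].append(m.group("val"))
    return adapters


def audit_adapter(adapter, expected_dhcp=None, trusted_dns=()):
    """Flag a DHCP server that is not the one we expect, and any DNS server that
    sits in a hijack range or is a public resolver nobody sanctioned."""
    findings = []
    for server in adapter.get("DHCP Server", []):
        if expected_dhcp and server != expected_dhcp:
            findings.append(f"rogue DHCP server {server} (expected {expected_dhcp})")
    for server in adapter.get("DNS Servers", []):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"unparseable DNS server entry {server!r}")
            continue
        if any(addr in net for net in HIJACK_RANGES):
            findings.append(f"DNS server {server} is inside a known hijack range")
        elif server not in trusted_dns and not addr.is_private:
            findings.append(f"DNS server {server} is public and not on the trusted list")
    return findings


if __name__ == "__main__":
    for adapter in parse_ipconfig(SAMPLE_IPCONFIG):
        print(adapter["name"])
        for finding in audit_adapter(adapter, expected_dhcp="192.168.1.1",
                                     trusted_dns=("192.168.1.1",)):
            print("  !!", finding)
```

On a real box, feed it the output of `ipconfig /all` from each machine on the LAN; a clean machine showing the rogue DHCP server tells you which host to hunt, since it is the one answering DHCP requests.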

ProjektorBoy
Jun 18, 2002

I FUCK LINEN IN MY SPARE TIME!
Grimey Drawer
I work for a large corporation's help desk and the occasional malware infection comes up on the computers of the people who call me. I've been able to scrub these computers clean manually by just a combination of resourcefulness, a good solid knowledge of known-good processes, and having Process Explorer at hand.

Process Explorer is great because it'll let you see every DLL file that an executable loads. Even better, it somehow is able to mark suspect DLL files in the list. It took a combination of using the sword of regsvr32 /u and being able to quickly get to certain file locations. Also there were times where I'd boot up the computer to the login screen, then go delete the bad files remotely because they attach to winlogon.exe. I've been able to defeat everything that came up at me so far.

I'm aware that nastier things are out there, but I already feel pretty competent against the current wave of shitware that's out there.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
Are some of you guys forced into paying for these programs? I will never understand why people would pay for antivirus or antispyware. I hate when people come in and say "I just bought this Norton can you put it on?"

I haven't come across an infection that I can't get rid of with free programs. And in the rare case I do have to fresh install, it is usually because Windows has become so messed up anyway.

I usually start off with UBCD and scan with antivir, a-squared, SUPERAntiSpyware, and Dr.Web CureIt. Then go into Windows with HijackThis, and then run Malwarebytes in safe mode. After that it's mostly just running Spybot and Ad-Aware to clean up anything that was missed. And we install AVG to stop Windows from nagging about there being no antivirus.

I don't personally like AVG all that much, it got much better in version 8 but it is still a pain and doesn't find all that much. We used to install antivir but it was always with the pop ups about buying it.

I'd say malware bytes is the best program I have come across recently. But I will start trying this combofix thing. Should I use combofix mainly for stubborn malwares or just run it every time?

Hillridge
Aug 3, 2004

WWheeeeeee!

fishmech posted:

I'd advise alerting the owners of the sites that they may have been exploited, and posting what sites and search results are giving you redirects.

I don't think this is it, since it's happening way too often, and with sites like walmart.com


I did a google search for "christmas" and clicked the first link and it happened.

It looks like it is redirecting through http://goougly.com

Here's where the christmas link took me before it redirected to some other crap page:

http://goougly.com/c.php?url=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26source%3Dweb%26ct%3Dres%26cd%3D4%26url%3Dhttp%253A%252F%252Fen.wikipedia.org%252Fwiki%252FChristmas%26ei%3DQ49SSZWLKce_tgeGn-nmBg%26usg%3DAFQjCNHBERwlZenm8jlqrLxALb-57ddTfw%26sig2%3D1UfxyEfkLC_AekJrHrKR4A&p=3&rf=http%3A%2F%2Fchristmas.asdos.com%2Findex.php


Edit: This is with Firefox 3.0.5

Hillridge fucked around with this message at 20:27 on Dec 25, 2008
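Added example (not Hillridge's code): the goougly URL above is a redirect chain with two layers of percent-encoding, and unpacking it offline shows exactly what the hijack did without having to click it again. The script peels each `url=` parameter one layer at a time and lists the hosts in order; the outermost is the hijacker, the innermost is the Google result the user actually clicked (the Wikipedia Christmas article), and the `rf` parameter is the referer the redirector claims. The list of parameter names it looks for is an assumption, not something the thread establishes.

```python
from urllib.parse import parse_qs, urlsplit

# The hijack URL quoted in the post above, with the line break removed.
HIJACK_URL = (
    "http://goougly.com/c.php?url=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt"
    "%26source%3Dweb%26ct%3Dres%26cd%3D4%26url%3Dhttp%253A%252F%252Fen."
    "wikipedia.org%252Fwiki%252FChristmas%26ei%3DQ49SSZWLKce_tgeGn-nmBg"
    "%26usg%3DAFQjCNHBERwlZenm8jlqrLxALb-57ddTfw%26sig2%3D1UfxyEfkLC_AekJrHrKR4A"
    "&p=3&rf=http%3A%2F%2Fchristmas.asdos.com%2Findex.php"
)

# Query parameters that redirectors commonly use to carry the next hop.
# Assumed list; extend it for whatever redirector you are chasing.
NEXT_HOP_PARAMS = ("url", "u", "q", "target", "dest", "redirect", "goto", "link", "to")


def next_hop(url):
    """Return the first absolute http(s) URL found in a redirect-style parameter, or None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)  # decodes one %-layer
    for name in NEXT_HOP_PARAMS:
        for value in query.get(name, []):
            if urlsplit(value).scheme in ("http", "https"):
                return value
    return None


def unwrap_redirects(url, max_depth=10):
    """Walk nested redirect parameters offline (no requests are made) and return
    the chain as [(host, path), ...], outermost first."""
    chain = []
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        chain.append((parts.hostname, parts.path))
        current = next_hop(current)
        if current is None:
            break
    return chain


def referer_claimed(url, param="rf"):
    """The page the redirector says sent the user (its 'rf' parameter here)."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    return values[0] if values else None


if __name__ == "__main__":
    for host, path in unwrap_redirects(HIJACK_URL):
        print(f"{host}{path}")
    print("claimed referer:", referer_claimed(HIJACK_URL))
```

The chain it prints is goougly.com, then www.google.com/url, then en.wikipedia.org/wiki/Christmas. The Google link is a normal result redirect; the interesting part is that something on the machine inserted goougly.com in front of it and supplied a referer the user never visited, which is why Hillridge's later conclusion that the problem is local rather than at the ISP is the right one.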

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
Have you tried immunization with spybot? I don't know if it does more than the hosts file, but it is worth a shot.

Otacon
Aug 13, 2002


highme posted:

After reading this thread I downloaded Malwarebytes, Superantispyware, Combofix & Avira. I haven't yet installed Combofix, but Avira keeps popping up an alert saying that my copy of Combofix.exe is a Trojan. I believe I dl'd it from bleepingcomputer.com. Is this a known issue or did I trust the wrong google result?

Combofix isn't something you install - it's for wiping out viruses and shitware. It WILL be detected as a virus, and this is normal. Just keep it on a flash drive, and only run it when your system is hosed.

Bleepingcomputer is their main site. The reason it returns as a virus is because of the heuristics built in. Don't worry about it.

BillWh0re
Aug 6, 2001


Cojawfee posted:

Are some of you guys forced into paying for these programs? I will never understand why people would pay for antivirus or antispyware. I hate when people come in and say "I just bought this Norton can you put it on?"

...and scan with antivir...

I dunno man kinda sounds like the reason you don't feel the need to buy antivirus is because you are illegally using the free personal editions for commercial use. :filez:

Otacon
Aug 13, 2002


I read something from Reddit a couple nights ago that I can't find anymore.

Some hackers have figured out how to use other site's redirect pages against us.

The example I remember (which is now patched) was that Microsoft has a redirect page, that tells you "You are now leaving Microsoft.com, we are not responsible for the content on this linked page, etc etc etc". These hackers have used this redirect against them by posting blog comments that read "http://www.microsoft.com/redirect/www.malwaresite.com/?frooty+loops+6+download"

Now, when someone searches Google for "frooty loops 6 download" Google returns the biggest site results - most notably, microsoft.com. Clicking that link will then forward the user to Malwaresite.com, which seems to be able to load up some real-looking virus alerts, which users stupidly click on and download something.

Microsoft patched it, but a number of other sites still have their old redirect pages not secured.

Be careful Googling, folks.
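Added example (not Otacon's code, and not Microsoft's): the open-redirect pattern described above, side by side with a hardened version. The naive handler returns whatever the `url` parameter says, so `http://www.example.com/redirect?url=http://malwaresite/...` carries the reputable site's name in search results while landing on the attacker's page. The safe version accepts only same-site paths or absolute URLs whose host is on an allow list, and rejects the usual bypasses (scheme-relative `//host`, backslash variants, `trusted@evil` userinfo tricks, `javascript:` schemes). The host list is assumed for the demo.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts this site is willing to bounce users to. Assumed for the demo.
ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})


def redirect_target_naive(param):
    """The broken pattern: trust the parameter and send the browser wherever it says.
    A link such as /redirect?url=http://malwaresite/... rides on this site's reputation."""
    return param


def redirect_target_safe(param, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Allow only same-site absolute paths or absolute URLs whose host is on the
    allow list; everything else goes to the fallback."""
    if not param or any(ord(c) < 0x21 or ord(c) == 0x7F for c in param):
        return fallback                      # whitespace/control chars: browsers "fix" these up
    parts = urlsplit(param)
    if parts.scheme not in ("", "http", "https"):
        return fallback                      # javascript:, data:, vbscript: ...
    if parts.netloc:
        host = parts.hostname                # userinfo and port stripped, lowercased
        if host not in allowed_hosts:
            return fallback                  # also rejects http://www.example.com@evil/ (host is evil)
        scheme = parts.scheme or "https"     # "//www.example.com/x" gets a scheme
        return urlunsplit((scheme, host, parts.path or "/", parts.query, parts.fragment))
    # No netloc: must be a plain absolute path. "//host" and "/\host" are
    # scheme-relative to a browser, so require exactly one leading slash.
    if not param.startswith("/") or param[1:2] in ("/", "\\"):
        return fallback
    return param
```

Rebuilding the URL from its parsed parts (rather than echoing the input) is deliberate: it drops the port and any userinfo, so the only thing that can reach the browser is a host you explicitly listed. Sites that must redirect to arbitrary third parties should instead sign the target server-side or show an interstitial the search engine will not index.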

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius

BillWh0re posted:

I dunno man kinda sounds like the reason you don't feel the need to buy antivirus is because you are illegally using the free personal editions for commercial use. :filez:

These are people's personal computers, so it doesn't make sense to buy enterprise licenses. But there are a lot of shady things my business does that I don't totally agree with. But in the end, no one really cares, because there is no money to be made in suing us. Everyone would rather go after the people who are actually selling fake versions.

1997
Jan 20, 2008

calmer than you are
The most infections I've ever seen on a computer was 145,000+ spread through 80GB of all sorts of pirated anime and porn. The computer itself was hilariously dirty and somehow, miraculously, we were able to remove all the viruses off of it without reformatting it. I think the scans themselves took about 3 days to complete and after that, finishing up was butter.

Antivirus XP/Pro/2009 and all of its variants are funny as hell. I'd say about 85 percent of all the computers that come in have a form of it. I don't know how so many people can get this stuff, but just from speaking with them I can see how they got it. They're not always bright.

Hillridge
Aug 3, 2004

WWheeeeeee!
I ran combofix again, and it quarantined a bunch of stuff. Judging from the file names of some of the .dlls it reported (8 letters, alternating vowel-consonant pattern), it looks like loving vundo was still kicking around.

I haven't seen any redirects yet, but I'm not going to declare this machine clean until it stays that way for a few days.

Also, I recently started having a problem where if I was running uTorrent any web browsing was incredibly slow, if not impossible. That seems to be fixed now.

My dad just asked about antivirus 2009 popups, so I may get to repeat all this, only over the phone.
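Added example (not Hillridge's code): the naming heuristic from the post above, turned into a triage script. Vundo's droppers used eight-letter names alternating consonant and vowel so they read as pronounceable words; a regex for that pattern run over a System32 listing surfaces candidates fast. The listing below is constructed, the two Vundo-style names are made up, and one real Windows file name is included on purpose to show that hits are leads to verify, not verdicts.

```python
import re
from pathlib import PureWindowsPath

# Vundo droppers used 8-letter names that alternate consonant/vowel so they
# look pronounceable: either CVCVCVCV or VCVCVCVC, then .dll.
VUNDO_NAME_RE = re.compile(
    r"^(?:(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}|(?:[aeiou][bcdfghjklmnpqrstvwxyz]){4})\.dll$",
    re.IGNORECASE,
)

# Constructed System32 listing. The two "Vundo-style" names are invented; the
# others are real Windows file names, included to check for false positives.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\user32.dll",
    r"C:\WINDOWS\system32\rasadhlp.dll",
    r"C:\WINDOWS\system32\tuvanoze.dll",   # constructed, Vundo-style
    r"C:\WINDOWS\system32\hapidoxu.dll",   # constructed, Vundo-style
    r"C:\WINDOWS\system32\bopomofo.dll",   # legitimate Microsoft IME DLL that also matches
]


def looks_like_vundo_name(path):
    """True when the file name (not the directory) fits the alternating pattern."""
    return bool(VUNDO_NAME_RE.match(PureWindowsPath(path).name))


def triage(listing, known_good=frozenset()):
    """Paths whose file name matches and is not on a known-good list. Each hit
    still needs checking: publisher signature, timestamp next to its neighbours,
    and whether a BHO or Winlogon Notify entry actually loads it."""
    return [
        p for p in listing
        if looks_like_vundo_name(p) and PureWindowsPath(p).name.lower() not in known_good
    ]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING, known_good={"bopomofo.dll"}):
        print("check:", hit)
```

To use it on a real machine, pipe `dir /b /a C:\WINDOWS\system32\*.dll` into the listing (the `/a` matters, since the droppers are often hidden) and keep a known-good set built from a clean install of the same Windows version.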

kapinga
Oct 12, 2005

I am not a number

Otacon posted:

I read something from Reddit a couple nights ago that I can't find anymore.

Some hackers have figured out how to use other site's redirect pages against us.

The example I remember (which is now patched) was that Microsoft has a redirect page, that tells you "You are now leaving Microsoft.com, we are not responsible for the content on this linked page, etc etc etc". These hackers have used this redirect against them by posting blog comments that read "http://www.microsoft.com/redirect/www.malwaresite.com/?frooty+loops+6+download"

Now, when someone searches Google for "frooty loops 6 download" Google returns the biggest site results - most notably, microsoft.com. Clicking that link will then forward the user to Malwaresite.com, which seems to be able to load up some real-looking virus alerts, which users stupidly click on and download something.

Microsoft patched it, but a number of other sites still have their old redirect pages not secured.

Be careful Googling, folks.

Ars seems to have an OK writeup on this: http://arstechnica.com/news.ars/post/20081224-url-redirects-open-scareware-loophole.html.

I'd suggest if you see a site that this happens on, send feedback. Since the attack relies on the target site having a reputation, one can hope they pay attention to these things.

Hillridge
Aug 3, 2004

WWheeeeeee!
Crap, still seeing goougly links in google.
I found some info on it, but nothing helpful.

I also turned off 3rd party cookies in Firefox.

I think I'm going to drop into safe mode and run:
spybot, superantispyware, ccleaner, malwarebytes, then combofix.

If that combo doesn't cure it, I don't know what will.

ab0z
Jun 28, 2008

by angerbotSD

Hillridge posted:

Crap, still seeing goougly links in google.
I found some info on it, but nothing helpful.

I also turned off 3rd party cookies in Firefox.

I think I'm going to drop into safe mode and run:
spybot, superantispyware, ccleaner, malwarebytes, then combofix.

If that combo doesn't cure it, I don't know what will.


All you have to do is find what's starting up and running via hijackthis or the silent runners vbscript, then pull the power, boot the computer to the recovery console, and delete or replace the affected files. If you need to remove registry entries, use BartPE or similar, they have offline registry editors.

Sikreci
Mar 23, 2006

Hillridge posted:

Crap, still seeing goougly links in google.
I found some info on it, but nothing helpful.
It probably goes without saying, but have you tried changing your DNS server to something like OpenDNS temporarily, to make sure the redirects are only on your end, and not just your ISP's DNS's fault?

darkforce898
Sep 11, 2007

Hillridge posted:

Crap, still seeing goougly links in google.
I found some info on it, but nothing helpful.

I also turned off 3rd party cookies in Firefox.

I think I'm going to drop into safe mode and run:
spybot, superantispyware, ccleaner, malwarebytes, then combofix.

If that combo doesn't cure it, I don't know what will.

I had this but I also ran SDFix, and found out I had TDSServ on the machine. If you see anything related to that, you need to uninstall the driver, or else nothing will work.

Hillridge
Aug 3, 2004

WWheeeeeee!

AceSnyp3r posted:

It probably goes without saying, but have you tried changing your DNS server to something like OpenDNS temporarily, to make sure the redirects are only on your end, and not just your ISP's DNS's fault?

I have not, but other PCs on my network do not have this problem.

I just found a post in another forum from someone with a similar problem, and he was told to use GooredFix.exe

I ran this, found a problem, removed it, and I think it is fixed.

I'd still like to find the guy who wrote this browser hijack and punch him in the sack though.

Hillridge fucked around with this message at 16:39 on Dec 27, 2008

ab0z
Jun 28, 2008

by angerbotSD

Hillridge posted:

I'd still like to find the guy who wrote this browser hijack and punch him in the sack though.

Wouldn't we all...

cr0y
Mar 24, 2005



I recently had to deal with Vundo (actually some variant; nothing found it except Ad-Aware, and it couldn't remove it), and good lord was it a pain in the rear end.

Is there a good tutorial somewhere about making a live CD that has Ad-Aware+definitions and a good antivirus+definitions? I played with BartPE years ago but never really followed it through.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
Just download UBCD.

Drighton
Nov 30, 2005

A user got Antivirus Plus on their computer before the Christmas break and just now called me to his office to fix it. It's had enough time to download what ever else is on here that nearly all of my tools were disabled or could not be installed, and I couldn't open task manager or msconfig, even in safe mode.

Managed to get Malwarebytes installed but after the first scan it BSOD'd and even on the second scan its still picking things up.

Drighton fucked around with this message at 17:53 on Dec 30, 2008

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.
Install Superantispyware to a flash key and run it

Duck and Cover
Apr 6, 2007

I'm enjoying having my ads hijacked so that I can be sold Vimax and other lovely products. While I solved the problem of the ads by blocking through the hosts file, I'd like to eliminate the problem instead of working around it. Oh, and for the hell of it, it seems to block any attempts to update antivirus and anti-malware software.
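Added example (not Duck and Cover's code): the hosts file is both the workaround above and a common place for the infection to hide its "can't update the AV" trick, so it is worth auditing rather than just appending to. This script parses a constructed hosts file and separates user-added ad blocks (a non-vendor name pointed at loopback or 0.0.0.0, harmless) from two things that should never be there: security-vendor update hosts mapped anywhere at all, and any name redirected to a public address. The vendor suffix list is an assumption for the demo.

```python
import ipaddress

# Domains whose presence in a hosts file is a red flag on its own: update and
# definition servers should resolve through DNS, never through a local override.
# Assumed list for the demo; use the vendors you actually run.
SECURITY_VENDOR_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "avira.com",
    "malwarebytes.org", "microsoft.com", "windowsupdate.com",
)

# Constructed hosts file: a couple of user-added ad blocks mixed with entries a
# hijacker would add. Not copied from a real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# user-added ad blocking (harmless)
127.0.0.1       ad.doubleclick.example
0.0.0.0         banners.example
# nobody remembers adding these
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       update.avira.com
127.0.0.1       www.malwarebytes.org   # keeps the updater from reaching home
85.255.112.99   www.google.com
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in the file."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # junk line, not a mapping
        for host in parts[1:]:                        # one IP may carry several names
            entries.append((n, addr, host.lower()))
    return entries


def is_sink(addr):
    """Loopback or 0.0.0.0: the entry blocks the name rather than redirecting it."""
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text, vendor_suffixes=SECURITY_VENDOR_SUFFIXES):
    """Return (line, host, ip, why) for every entry that looks like tampering."""
    findings = []
    for n, addr, host in parse_hosts(text):
        if host == "localhost":
            continue
        vendor = any(host == s or host.endswith("." + s) for s in vendor_suffixes)
        if vendor:
            why = ("security-vendor host sinkholed (blocks updates)" if is_sink(addr)
                   else "security-vendor host redirected")
            findings.append((n, host, str(addr), why))
        elif not is_sink(addr) and addr.is_global:
            # A private address here could be a deliberate local proxy; a public
            # one almost never is.
            findings.append((n, host, str(addr), "host redirected to a public address"))
    return findings


if __name__ == "__main__":
    for line, host, ip, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line}: {host} -> {ip}: {why}")
```

On Windows the file lives at `%SystemRoot%\system32\drivers\etc\hosts`; read it with the hidden and read-only attributes in mind, since hijackers often set both to keep casual editing out.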

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
Win32/Yektel infection chiming in. SUPERAntiSpyware picked up the bulk of it on the first run, Combofix grabbed the good old ieupdater.exe out of System32, and now we appear to be clean.

I get a genuine kick out of Win32/Yektel infections. It's got some genuine thought behind it, and that's nice to see even if it does make my day a bit more entertaining than I usually like it.

As a bonus, the first user to report the infection took one look at the fake security center popup and called for help without touching anything. How often does that happen? Loving it.

Drighton
Nov 30, 2005

abominable fricke posted:

Install Superantispyware to a flash key and run it

I did. I pulled the flash key back to my computer to put some files on it and Symantec started deleting all the executables on the disk all as W32.Wowinzi.A
The flash disk looks like this now.


bazaar apparatus
Dec 1, 2006

Whenever my body starts to feel sick, I just stop being sick and be awesome instead.

Midelne posted:

As a bonus, the first user to report the infection took one look at the fake security center popup and called for help without touching anything. How often does that happen? Loving it.

Why can't my users do this....

By the time I ever get to look at most of their systems, they've hosed it up so bad just clicking on things without thinking that a 15-minute call turns into a few hours just trying to get everything out of there.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

bazaar apparatus posted:

Why can't my users do this....

By the time I ever get to look at most of their systems, they've hosed it up so bad just clicking on things without thinking that a 15-minute call turns into a few hours just trying to get everything out of there.

Trade you jobs.

BillWh0re
Aug 6, 2001


Drighton posted:

I did. I pulled the flash key back to my computer to put some files on it and Symantec started deleting all the executables on the disk all as W32.Wowinzi.A
The flash disk looks like this now.

Looks like it has an autorun.inf file, probably hidden, from some Chinese autorun worm on there. Most likely it got infected after you plugged it in. You'll probably find the same file on the root of every other drive, including network shares writable from that computer that are mapped to a drive letter, though perhaps not the C: drive. Symantec probably detected and removed the executable but not the autorun.inf file itself which is what causes explorer to show that menu.

Instead of running tools from flash drives run them from CDs so this can't happen. Especially if the computer has a file infecting virus. Also, never use explorer to open or browse drives on an infected computer because the open and explore actions usually execute the worm.

BillWh0re fucked around with this message at 21:16 on Dec 30, 2008
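Added example (not BillWh0re's code): what the autorun.inf an autorun worm drops actually does, so you can read one off a suspect stick instead of double-clicking to find out. The parser below is deliberately tolerant (worm-written files contain junk lines, odd casing and duplicate keys), and `launch_targets` maps each Explorer action to the command it would run: the AutoPlay `open`/`shellexecute` keys, and the `shell\<verb>\command` entries behind the Open and Explore context-menu items BillWh0re warns about, including the one `shell=` makes the default for a double-click. The sample inf is constructed. To stop Explorer honouring any of this, set the policy value `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun` to `0xFF` on machines where that policy is honoured.

```python
import re

# Constructed autorun.inf of the kind an autorun worm drops on every writable
# drive root, usually with hidden+system attributes. Not a real sample.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=RECYCLER\setup.exe
shell\open=Open(&O)
shell\open\Command=RECYCLER\setup.exe -x
shell\explore=Explore(&X)
shell\explore\Command=RECYCLER\setup.exe -x
shellexecute=RECYCLER\setup.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text):
    """Tolerant INI parse: {section: {key: value}} with sections and keys lowercased;
    later duplicates win. Anything that is not 'key=value' inside a section is ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Map each user action Explorer offers for the drive to the command it would run."""
    auto = parse_autorun(text).get("autorun", {})
    targets = {}
    if auto.get("open"):
        targets["autoplay: open"] = auto["open"]
    if auto.get("shellexecute"):
        targets["autoplay: shellexecute"] = auto["shellexecute"]
    default_verb = auto.get("shell", "").lower()
    for key, value in auto.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)   # shell\<verb>\command
        if m:
            verb = m.group(1)
            label = f"context menu: {verb}"
            if verb == default_verb:
                label += " (default verb: runs on double-click)"
            targets[label] = value
    return targets


def _program(cmd):
    """The executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd.split() else ""


def executables_referenced(text):
    """Lowercased executable paths named by the inf, arguments stripped: the files
    to pull off the stick for a look (and to delete along with the inf)."""
    return {_program(c).lower() for c in launch_targets(text).values() if _program(c)}


if __name__ == "__main__":
    for action, command in launch_targets(SAMPLE_AUTORUN_INF).items():
        print(f"{action:55} {command}")
    print("executables:", sorted(executables_referenced(SAMPLE_AUTORUN_INF)))
```

Note that an inf with only `icon=` and `label=` keys yields no targets, which is what a legitimate vendor disc usually looks like; the worm pattern is every action pointing at the same executable under RECYCLER or a similarly named directory on the removable drive itself.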

Elected by Dogs
Apr 20, 2006

BillWh0re posted:

Looks like it has an autorun.inf file, probably hidden, from some Chinese autorun worm on there. Most likely it got infected after you plugged it in. You'll probably find the same file on the root of every other drive, including network shares writable from that computer that are mapped to a drive letter, though perhaps not the C: drive. Symantec probably detected and removed the executable but not the autorun.inf file itself which is what causes explorer to show that menu.

Instead of running tools from flash drives run them from CDs so this can't happen. Especially if the computer has a file infecting virus. Also, never use explorer to open or browse drives on an infected computer because the open and explore actions usually execute the worm.

CDs can autorun too.

corgski
Feb 6, 2007

Silly goose, you're here forever.

Elected by Dogs posted:

CDs can autorun too.

CDs can't be written to once they're burned.

BillWh0re
Aug 6, 2001


Elected by Dogs posted:

CDs can autorun too.

They're read only which means they don't get infected the moment you stick them in an infected computer, which is what happens with USB sticks unless there happen to be some fancy ones that make themselves read only.

bazaar apparatus
Dec 1, 2006

Whenever my body starts to feel sick, I just stop being sick and be awesome instead.

Midelne posted:

Trade you jobs.

Heh, I'm entry-level at this place, you probably make a lot more than I do

Elected by Dogs
Apr 20, 2006

BillWh0re posted:

They're read only which means they don't get infected the moment you stick them in an infected computer, which is what happens with USB sticks unless there happen to be some fancy ones that make themselves read only.

CDRW? If it was burned along with the files (dunno if any malware does this kind of insertion) - it would still infect anyways.

Drighton
Nov 30, 2005

BillWh0re posted:

Looks like it has an autorun.inf file, probably hidden, from some Chinese autorun worm on there. Most likely it got infected after you plugged it in. You'll probably find the same file on the root of every other drive, including network shares writable from that computer that are mapped to a drive letter, though perhaps not the C: drive. Symantec probably detected and removed the executable but not the autorun.inf file itself which is what causes explorer to show that menu.

Instead of running tools from flash drives run them from CDs so this can't happen. Especially if the computer has a file infecting virus. Also, never use explorer to open or browse drives on an infected computer because the open and explore actions usually execute the worm.

Just grabbed the user's profile folder and started a format. gently caress this.

VVV good idea.

Drighton fucked around with this message at 21:53 on Dec 30, 2008


BillWh0re
Aug 6, 2001


Elected by Dogs posted:

CDRW? If it was burned along with the files (dunno if any malware does this kind of insertion) - it would still infect anyways.

I've not used Windows CD burning in some time but I don't think it kicks in automatically on file copies and no malware initiates the burn process. Probably just stays queued up in explorer forever or something.

Drighton posted:

Just grabbed the user's profile folder and started a format. gently caress this.

Better confiscate all their USB sticks and scan them too if you don't want to get called out again in an hours time. :(
