slidebite
Nov 6, 2005

Good egg
:colbert:

Otacon posted:

Oh boy, interesting day at the office.

I'm by no means a hardware wizard and probably have no right posting in this thread other than being one to ASK for help instead of to give ( :downs: ) but could you pull the internal drive out of the laptop and plug it in as an extra drive on a different PC and scan it that way?


Otacon
Aug 13, 2002


slidebite posted:

I'm by no means a hardware wizard and probably have no right posting in this thread other than being one to ASK for help instead of to give ( :downs: ) but could you pull the internal drive out of the laptop and plug it in as an extra drive on a different PC and scan it that way?

I've done this in the past, and while Avast can scan the drive, nothing I find can scan the registry. SuperAntiSpyware can scan directories, but that's it. MBAM can't scan anything selectively. So while I'd remove any viruses, I'd only get some of the malware, which would still leave me unable to boot into Windows.

I'm almost absolutely sure that one of her graphic drivers was infected, and since it was from the VAIO setup CD, and didn't come installed with Windows, that the Windows Repair didn't replace it.

I guess I could take a look in the system32 folder through ERD and look for suspicious files, I was just hoping someone would post something like: "Hi! Here are the drivers you need, in .sys and .ini format. Just unzip them to system32 and reboot!"

A man can wish, right?

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
If it is just a driver, and not a hardware problem, you can just delete the driver totally and see if that lets you get into Windows. This is assuming that the machine doesn't need a SATA driver to see the hard drive that is part of the chipset.

darkforce898
Sep 11, 2007

Otacon posted:

The other case was a Toshiba laptop that freezes upon the insertion of any USB plug. All of the plugs freeze the system. Flashdrives, Printers, anything USB will freeze it. This sounds like hardware to me, but she claims it just started happening a few weeks ago. Any ideas on this one? I've never experienced these problems before. Please help.

I would try removing and putting the motherboard drivers and chipset back on. It could be as simple as user error deleting something that is needed.

Also, all you people with malware and spyware issues, I would head over to bleepingcomputer and post there. They are amazing at this kind of stuff.

CalvinandHobbes
Aug 5, 2004

I am a moderately knowledgeable user and I think I'm in over my head. I'm trying to fix my sister-in-law's computer, which had the SpyGuard 2008 on it for at least a week. Unfortunately it's downloaded several other viruses (I've detected winlogun, winlogin, prunnet, and one more that starts with r32). The big problem is that I can't install or run ANY programs. I had Malwarebytes on it from earlier but attempting to run it does nothing (the process appears in Task Manager but it never loads anything). I can't install ComboFix even in safe mode. I tried installing SUPERAntiSpyware to a flash drive but attempting to run it just says SUPERAntiSpyware has encountered a problem and needs to close (thanks to this thread for the forewarning that my flash drive would get infected!).

I've gone through msconfig and disabled all the startup files from the viruses I could find (which is how I know it is infected by the above). The winlogin and winlogun still appear on reboots, however.

Do I have any options left other than flatten and reinstall?

Oh, if I leave the flash drive in while booting Windows normally, it will hang (the taskbar will not load, nor will explorer, until the flash drive is removed; then it proceeds normally to its current virus-ridden state).

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
Did you try disabling TDSServ in Device Manager? Show hidden devices, and it is under non-system devices. After that, rename the Malwarebytes exe, update and run in safe mode.

Otacon
Aug 13, 2002


CalvinandHobbes posted:

I am a moderately knowledgeable user and I think I'm in over my head.

I'd recommend getting Gmer, a rootkit finder, and renaming the file to something else - i.e., "SOMETHINGAWFUL.exe" - and running that. I bet it'll find something ugly.

Just navigate with the tabs at the top of the screen. Entries in red are suspect and should be investigated.

Other than that, the TDSServ service will also do this. Give that a lookie, too.

CalvinandHobbes
Aug 5, 2004

oh boy, my first rootkit!

So Gmer found the Tdsserv rootkit (I thought I had disabled it; I missed one).

Disabling it allowed ComboFix to run and it has just detected a rootkit in windows\system32\ntos.exe.

This will be a long day.

CalvinandHobbes
Aug 5, 2004

*welp*

This is somewhat embarrassing but I, uh, seem to have lost access to explorer.exe. I ran ComboFix, it detected ntos.exe and prompted me to restart. However, now when Windows starts, either normally or in safe mode, it doesn't load the taskbar.

I got Task Manager running and noted that explorer.exe was not running. Attempting to start explorer.exe gets a prompt saying "Windows cannot find explorer.exe. Make sure you typed the name in correctly...". I can load Internet Explorer, however Internet Explorer cannot load the C drive...

As a somewhat Pyrrhic victory, I can now load Malwarebytes with Task Manager and it's running now...

Worse yet, I have an XP Professional install disk, the computer runs XP Home and I am not being given an option for a repair install. Is there something I can do with the Recovery Console?

edit: well, I copied explorer.exe and renamed the new file explorero.exe. Running explorero.exe gives me access to My Computer but I still get no taskbar.

edit #2: I found a forum post that seems to describe what's going on: http://www.tomshardware.com/forum/86497-45-windows-find-explorer


tomshardware posted:


- System gets infected by virus
- Antivirus software is installed, including updates
- Antivirus software runs, cleans out several infected files
- At next boot, Windows shell does not run
- When in Task Manager (started by pressing CTRL-ALT-DEL), when choosing File, Run and entering explorer.exe, error message "Windows cannot find explorer.exe".
- If you open a DOS prompt and browse to C:\WINDOWS and do DIR EX*., explorer.exe shows up. You can rename the file, delete the file, etc.; the file is clearly there.
- If you try to replace explorer.exe with a copy from a Windows installation CD, you still get "Windows cannot find explorer.exe"

The registry entry HKLM/Software/Microsoft/Windows NT/Current Version/Image File Execution Options/explorer.exe has a key similar to "Debugger" with value similar to "C:\Windows\Infected.exe".

The antivirus software has successfully removed Infected.exe, but it has not done anything to remedy the registry entry created by the virus; it is this registry entry that is causing Windows not to be able to run explorer.exe, and unfortunately the Windows error message is not really accurate.

The solution then is to remove the "Debugger" registry key. Then, explorer.exe has no restrictions when you attempt to run it; after you do this, reboot, and you should find that the system is back to normal (assuming there are no other registry entries that have been altered, or other viruses on the system, etc.)

CalvinandHobbes fucked around with this message at 20:30 on Jan 4, 2009

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
I've never encountered TDSserv/TDSSserv yet, but these removal instructions might help. It's basically the process for removing the driver, some files, and doing scans with Malwarebytes and SUPERAntiSpyware.

Looks like they have other guides for removing nasty programs as well.

GREAT BOOK OF DICK fucked around with this message at 21:54 on Jan 4, 2009

darkforce898
Sep 11, 2007

Cool new trojan here

http://torrentfreak.com/trojan-blocks-the-pirate-bay-and-mininova-090104/

quote:

The trojan in question (Troj/Qhost-AC) identified by anti-virus company Sophos, is a rather unusual one. It doesn’t seem to install spyware or traditional malware, but instead blocks access to the two most popular BitTorrent sites.

Luigi Thirty
Apr 30, 2006

Emergency confection port.

Are there any new viruses that can cause fake MCE BSODs in XP? My computer threw one earlier, but my system event log is clean and there's no memory file in my Windows folder. I have AVG scanning every morning, and it hasn't spotted anything outside of :tinfoil: about the evils of tracking cookies.

No, it's not Antivirus XP 2008.

Jaketeck
Jul 6, 2004

<3 Robots

Luigi Thirty posted:

Are there any new viruses that can cause fake MCE BSODs in XP? My computer threw one earlier, but my system event log is clean and there's no memory file in my Windows folder. I have AVG scanning every morning, and it hasn't spotted anything outside of :tinfoil: about the evils of tracking cookies.

No, it's not Antivirus XP 2008.

Yes. The blue screens are funny because they will direct you to "maliciousurl.com" to fix the problem. Also your computer will fake restart in about 10 seconds.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius

Luigi Thirty posted:

Are there any new viruses that can cause fake MCE BSODs in XP? My computer threw one earlier, but my system event log is clean and there's no memory file in my Windows folder. I have AVG scanning every morning, and it hasn't spotted anything outside of :tinfoil: about the evils of tracking cookies.

No, it's not Antivirus XP 2008.

It installs a screensaver, which is in your system32 directory I believe; it starts with bluescrn*random characters* or something like that. It is easy to spot: the beginning of the name is some variant of blue with random letters after. It is a prank screensaver created years ago that throws up blue screens for your specific OS (probably not Vista) and it takes information from your system so they look real. After a few seconds, it pretends to restart. If you press a key on the keyboard, it will go back to normal. Run Malwarebytes or SUPERAntiSpyware and it will get rid of the trojan.

Stanley Pain
Jun 16, 2001

by Fluffdaddy
Anyone else reading this thread getting more and more paranoid? I think I need to lay off the weed a bit :tinfoil:

equation groupie
Feb 7, 2004

debased and dread pilled

Otacon posted:

I've done this in the past, and while Avast can scan the drive, nothing I find can scan the registry. SuperAntiSpyware can scan directories, but thats it. MBAM can't scan anything selectively. So while I'd remove any viruses, I'd only get some of the malware, which would still leave me unable to boot into Windows.

None of these are automatic, but if you know what keys to delete, BartPE can use Registry Editor PE (not installed by default, you have to add it as a plugin), which will load the registry on the hard disk, not the one on the BartPE CD-ROM. UBCD4Win is BartPE plus all of this poo poo, which includes some registry editors as well. I haven't used those, but they'd be useless unless they could also load the registry hives off of a hard disk, so I assume that that functionality is in there somewhere.

I know that UBCD has SUPERAntiSpyware included, as well as Ad Aware and several virus scanners. I've never used them though to learn if they scan the registry of the host system, or if they're just for scanning of individual files.

There's also the comedy Offline NT Password & Registry Editor option - edit the registry at the Linux command line!
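An added example, not something posted in the thread, that ties the two discussions together: the Image File Execution Options "Debugger" redirect from the quoted Tom's Hardware post, and the wish above for a way to check a pulled drive's registry without booting it. The script lists every IFEO subkey carrying a Debugger value, either on the running machine or in a SOFTWARE hive copied from another drive (the `-OfflineSoftwareHive` parameter and the `HKLM\OfflineSW` mount name are this example's own choices), and can remove the value on request.

```powershell
# Added example, not from the thread: list every executable under the
# Image File Execution Options (IFEO) key that has a "Debugger" value (the
# redirect described in the quoted post) and optionally delete it.
# -OfflineSoftwareHive points at the SOFTWARE hive of a drive pulled from an
# infected machine (e.g. E:\Windows\System32\config\SOFTWARE), so the check
# runs without booting the infected Windows install.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OfflineSoftwareHive,   # path to an offline SOFTWARE hive file
    [switch]$Remove                 # delete matching Debugger values (honours -WhatIf)
)

$ifeo  = 'Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$mount = 'HKLM\OfflineSW'          # temporary mount point for the offline hive

if ($OfflineSoftwareHive) {
    # reg.exe load needs an elevated prompt and a hive that is not in use
    & reg.exe load $mount $OfflineSoftwareHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive: $OfflineSoftwareHive" }
    $bases = @("HKLM:\OfflineSW\$ifeo", "HKLM:\OfflineSW\WOW6432Node\$ifeo")
} else {
    $bases = @("HKLM:\SOFTWARE\$ifeo", "HKLM:\SOFTWARE\WOW6432Node\$ifeo")
}

try {
    $findings = foreach ($base in $bases) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            # first token is the program path; it may be quoted if it contains spaces
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
            [pscustomobject]@{
                Executable   = $key.PSChildName        # e.g. explorer.exe
                Debugger     = $dbg
                # checked on the machine running this script; for an offline hive,
                # verify the path on the pulled drive instead
                TargetExists = Test-Path -LiteralPath $exe
                Key          = $key.Name
            }
        }
    }

    if (-not $findings) {
        Write-Output 'No Debugger values under Image File Execution Options.'
    } else {
        # TargetExists = False is the symptom from the quoted post: the redirect
        # target was deleted but the registry value survived, so the launch fails.
        # Legitimate debuggers (e.g. a developer's JIT debugger) also register here,
        # so review the list before passing -Remove.
        $findings | Format-Table -AutoSize

        if ($Remove) {
            foreach ($f in $findings) {
                if ($PSCmdlet.ShouldProcess($f.Key, 'Remove Debugger value')) {
                    Remove-ItemProperty -LiteralPath "Registry::$($f.Key)" -Name Debugger
                }
            }
        }
    }
}
finally {
    if ($OfflineSoftwareHive) { & reg.exe unload $mount | Out-Null }
}
```

Run it once without `-Remove` to see the report, then `-Remove -WhatIf` to preview deletions before committing to them.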

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
UBCD4Win can load the registry off the machine. Well, registry restore can, and all the scanners can.

TheRationalRedditor
Jul 17, 2000

WHO ABUSED HIM. WHO ABUSED THE BOY.

Stanley Pain posted:

Anyone else reading this thread getting more and more paranoid? I think I need to lay off the weed a bit :tinfoil:
Haha yeah, it's such a bad feeling to find any kind of malware as a savvy computer user though. I remember the MSblaster episode all too well, I had never gotten a virus of any type previous to that in over a decade of internet usage and I was freakin' out!!

Stanley Pain
Jun 16, 2001

by Fluffdaddy

hall n oates mom posted:

Haha yeah, it's such a bad feeling to find any kind of malware as a savvy computer user though. I remember the MSblaster episode all too well, I had never gotten a virus of any type previous to that in over a decade of internet usage and I was freakin' out!!

I remember the first time I got a virus (trading floppies with friends at school). I think it was sometime around the DOS 5.0 days. I didn't have a virus scanner at the time but something just didn't feel right. I was buggin' out pretty heavily.

I loaded up some .exes in a hex editor and noticed some strange text embedded in them. I think back then F-prot was the A/V of choice. Since then I've never had a full blown infection mainly due to paranoia :D

TheRationalRedditor
Jul 17, 2000

WHO ABUSED HIM. WHO ABUSED THE BOY.
I like how superantispyware is a strong part of the current vanguard of standard-issue protection, given that its name is in the vein of all these deceptive-yet-ludicrously titled malware programs that have been floating around for a while now.

Stanley Pain
Jun 16, 2001

by Fluffdaddy
I fully expect to see Malware PWN, Epic Spyware Win, and I can has Anti-Malware within the next year or two ;).

namaste friends
Sep 18, 2004

by Smythe
I spent close to 12 hours trying to clean up my laptop which was infected with TDSServ. I'm close to speechless at how difficult it was to determine the root of the problem and how easy the fix, or so it seems, is (disabling the tdss.sys driver and cleaning). I'm running another check with spybot S&D right now.

I've also run malwarebytes but I assume my job isn't done yet is it? Should I install and run SUPERAntispyware (god I hate that name)?

Stanley Pain
Jun 16, 2001

by Fluffdaddy

Cultural Imperial posted:

I spent close to 12 hours trying to clean up my laptop which was infected with TDSServ. I'm close to speechless at how difficult it was to determine the root of the problem and how easy the fix, or so it seems, is (disabling the tdss.sys driver and cleaning). I'm running another check with spybot S&D right now.

I've also run malwarebytes but I assume my job isn't done yet is it? Should I install and run SUPERAntispyware (god I hate that name)?

That's the thing with rootkits. They are by nature VERY hard to find, but once you know they are there they are fairly easy to remove.

Things will start to get interesting when these stealthy boot sector viruses get more prevalent.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Thanks, that was good for a laugh. I can't help but think it was some well-meaning torrenter hitting the torrent community in a relatively harmless way that would still make most of them panic and install the antivirus software they should've been running from the beginning. Viruses? Pssh, I'm careful. Torrent-blocking? OH GOD~~

Kaltag
Jul 29, 2003

WHAT HOMIE? I know dis ain't be all of it. How much of dat sweet crude you be holdin' out on me?
I keep my OS/programs and data on separate HDs so when I get this poo poo i just nuke the OS/programs HD.

The way I see it is if you take a poo poo on a plate, no matter how well you clean it you'll never want to eat off it again.

brc64
Mar 21, 2008

I wear my sunglasses at night.

Kaltag posted:

I keep my OS/programs and data on separate HDs so when I get this poo poo i just nuke the OS/programs HD.

The way I see it is if you take a poo poo on a plate, no matter how well you clean it you'll never want to eat off it again.
While I certainly appreciate the separate OS partition or drive, what's to stop a virus from infecting your data drive as well?

EnFuego468
Apr 25, 2008
I recently encountered a Hallmark/Coca-Cola/McDonald's virus that infected nearly over 300 machines in about 24 hours. (I work as a support tech.) It was smart enough to infect flash drives.
It really is amazing how many people deny opening this email virus despite the evidence against them. There were also a few cases of people not wanting to lose flash drive data, so they denied the fact that they used them only to reinfect their machine minutes after getting it back.
Removal tools were useless because reinfections were popping back up everywhere. The only thing we were able to do is backup and reimage all machines.

nail
Jul 15, 2005

EnFuego468 posted:

The only thing we were able to do is backup and reimage all machines.
And wipe flash drives, I take it? Haha, how did people react to that one?
edit: Also, don't be surprised to see the issue persist as flash drives (I assume) continue to be used between home computers and the office.

Suspicious
Apr 30, 2005
You know he's the villain, because he's got shifty eyes.
Disabling autorun is a lot less work than reimaging all the machines.

EnFuego468
Apr 25, 2008

hyperborean posted:

And wipe flash drives, I take it? Haha, how did people react to that one? edit: Also, don't be surprised to see the issue continue as flash drives (I assume) continue to be used between home computers and the office.

They acted like it was our fault (of course). I mainly deal with college professors/faculty who often use the argument "You should have checked your email to find out about this assignment" against students. My response was "You should have read the email warning you not to open it..." Needless to say, my butt was covered with that argument.
Also, once the 2 day lag on virus definitions (to avoid false alarms) kicked in, no one was reinfected.

Stanley Pain posted:

That's the thing with rootkits. They are by nature VERY hard to find, but once you know they are there they are fairly easy to remove.

Things will start to get interesting when these stealthy boot sector viruses get more prevalent.
Once we see a computer running slow or behaving strangely, we generally pull the drive out and scan using an external drive connector to find rootkits. They generally just fool the OS on said drive so that it cannot see the virus.

Suspicious posted:

Disabling autorun is a lot less work than reimaging all the machines.
We did this as well as disabling system restore before cleanup--however it doesn't exactly fix an already infected machine.

EnFuego468 fucked around with this message at 20:26 on Jan 6, 2009

bazaar apparatus
Dec 1, 2006

Whenever my body starts to feel sick, I just stop being sick and be awesome instead.
Ok, this mousehook.dll/frmwrk32.exe thing that's been popping up today has been a bit ridiculous

Noghri_ViR
Oct 19, 2001

Your party has died.
Please press [ENTER] to continue to the
Las Vegas Bowl
So I got ahold of a geeksquad cd the other day from a customer that took their laptop to them, found out what their prices were and then brought it to me. I have to say I like the concept of the LASER part of the CD. I like how it boots to BartPE and then runs all those different virus scanners and spyware scanners. Is there anything out there that's similar or a project that someone has started to replicate this?

Doc Faustus
Sep 6, 2005

Philippe is such an angry eater
I've got a machine on my hands with what appears to be (among other things) a fake java updater. Anyone seen this before?

Trinitrotoluene
Dec 25, 2004

Noghri_ViR posted:

So I got ahold of a geeksquad cd the other day from a customer that took their laptop to them, found out what their prices were and then brought it to me. I have to say I like the concept of the LASER part of the CD. I like how it boots to BartPE and then runs all those different virus scanners and spyware scanners. Is there anything out there that's similar or a project that someone has started to replicate this?

Does it run that automatically? I'd love to get hold of a PE CD that could run them all automatically.

Noghri_ViR
Oct 19, 2001

Your party has died.
Please press [ENTER] to continue to the
Las Vegas Bowl

Trinitrotoluene posted:

Does it run that automatically? I'd love to get hold of a PE CD that could run them all automatically.

Yea, you click on it to run, it downloads all the virus/spyware updates, reboots in BartPE, runs about 4 antivirus programs and 5 spyware programs, displays a report and has you reboot. Granted, running all that poo poo takes a long time, but if I could automate that I could just run it overnight and forget about it until morning.

Jonny 290
May 5, 2005



[ASK] me about OS/2 Warp
I was playing around with VMWare Thinapp to do stuff like that, then I realized that it costs $$$$$$$$ and my small shop could never afford it.

Cool app though.

Bruegels Fuckbooks
Sep 14, 2004

Now, listen - I know the two of you are very different from each other in a lot of ways, but you have to understand that as far as Grandpa's concerned, you're both pieces of shit! Yeah. I can prove it mathematically.

brc64 posted:

While I certainly appreciate the separate OS partition or drive, what's to stop a virus from infecting your data drive as well?

It's not unheard of for a virus to be able to hide in a data file (like a pdf, etc.) but it's rare. The vast majority of viruses/malware you'll encounter are going to infect Windows installs, and if you don't have an install of Windows on the drive, you're safe from those. There are the few oddball ones that will infect anything executable, and there are some that can hide in certain data files (waiting to be opened by a program with a security hole) but they're in the minority. In theory (and if you want to be secure) you should probably format both your data drive and your system drive if you get infected but that's probably unnecessary on a home pc - might be worth scanning the data drive with a virus scanner or something just to be on the safe side though.

Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
For anyone having trouble with TDSServ who can't get Malwarebytes or SAS to run no matter what: run it in Windows 2000 compatibility mode.

^^^ A long time ago we had one guy who had every single mp3 on his computer infected.

Cojawfee fucked around with this message at 03:53 on Jan 7, 2009

Kaltag
Jul 29, 2003

WHAT HOMIE? I know dis ain't be all of it. How much of dat sweet crude you be holdin' out on me?

brc64 posted:

While I certainly appreciate the separate OS partition or drive, what's to stop a virus from infecting your data drive as well?

I've never had that happen to me or any of my friends that I've done this for, including the worst of the AV 2009 variants. I don't know if I've been conditioned not to fall for the worst stuff or just been lucky.


Cojawfee
May 31, 2006
I think the US is dumb for not using Celsius
I don't think people really go for infecting files anymore. It's mostly just install something, and try to get some money.
