|
Hillridge posted:Something weird is still going on here. Take a travel to C:\windows\system32\drivers\etc, and open the HOSTS file in notepad. See if there's anything in there, other than the default which would be: code:EDIT: You might need to check permissions on HOSTS, sometimes it is write protected. If there's anything in there in addition to localhost, delete those lines, save, and write protect the file.
|
#
?
Dec 23, 2008 00:49
|
|
|
|
| # ? Apr 25, 2024 22:32 |
|
|
Regarding XP Antivirus 2009 and its variants, I ran into this by accident this weekend. If you do a Google search for salon808, the first result should be for www.salon808.com . However, clicking this link, which in the status bar is shown as http://www.salon808.com , leads to http://antivirusonlinescanner.com/360/1/en/_freescan.php . This, to me, is the strangest part. If I look at the Google cache of the Salon 808 page, it shows a legit page, and typing www.salon808.com into the address bar manually leads to the legit page, but clicking the Google search result will lead to the antivirusonlinescanner.com page every time. If I type in the URL manually and get to the legit page, then clicking the Google search result link will also go to the legit page. How does it do this; where along the line is the hijack happening? The results are consistent across 3 machines, and all 3 machines are clean to the best of my knowledge.
|
|
#
?
Dec 23, 2008 00:53
|
|
|
It sounds like a browser hijacker. Try scanning it with SUPERAntiSpyware. The only reason I say that is because I'm seeing similar symptoms on a machine I'm working on at this very moment. One of our managers will use his laptop for about five minutes after logging on to the domain, then it will lose network connectivity. It doesn't matter if it's wired or wireless, just drops all network connections. HOSTS file is clean, Malwarebytes came up clean. ComboFix might have done something but the system was still showing the same symptoms. I'm scanning it with SUPERAntiSpyware right now and it's telling me it found 12 items of "Browser Hijacker.Internet Explorer Zone Hijack" and 53 "Adware.Tracking cookies". Probably just end up formatting it in the end. Looks like some kind of adware/spyware called atdmt.com. Research seems to indicate it's nasty poo poo. It apparently made a bunch of registry entries at the very least. GREAT BOOK OF DICK fucked around with this message at 01:27 on Dec 23, 2008 |
|
#
?
Dec 23, 2008 01:17
|
|
|
Um, atdmt.com is an advertising company, like in page banner ads, not adware/malware. Unless you're one of the paranoid people who don't like tracking cookies.
corgski fucked around with this message at 01:55 on Dec 23, 2008 |
|
#
?
Dec 23, 2008 01:53
|
|
|
Scott808 posted:Regarding XP Antivirus 2009 and its variants, I ran into this by accident this weekend. Yeah that's weird, I'm on a completely clean machine and got the same result. 
|
|
#
?
Dec 23, 2008 01:58
|
|
|
TheWevel posted:Yeah that's weird, I'm on a completely clean machine and got the same result. I believe their web server has been hijacked, and depending on the referrer information it will redirect you to the malware site. I know I've read of this elsewhere.
|
|
#
?
Dec 23, 2008 02:03
|
|
|
Just so I don't inadvertently infect myself with something, this is the correct download link for SUPERAntiSpyware right? http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
|
|
#
?
Dec 23, 2008 02:35
|
|
|
thelightguy posted:Um, atdmt.com is an advertising company, like in page banner ads, not adware/malware. Unless you're one of the paranoid people who don't like tracking cookies. They were 12 REGISTRY entries from atdmt.com, not cookies. Even after removing them it still loses network connectivity so I'm sure there's still something somewhere.
|
|
#
?
Dec 23, 2008 02:53
|
|
|
That's crazy to see a site hijacked like that. I'm so glad I don't have to fix these things with any frequency anymore.
|
|
#
?
Dec 23, 2008 04:06
|
|
|
I've been messing around with that antivirusonlinescanner.com page, and it seems the installer that you get prompted to download/run on the page is detected by almost no virus scanners according to Virus Total. I think MS and 2 McAfee variants picked it up as something, but we have McAfee Enterprise 8.5 fully updated here, and it doesn't detect anything in the installer. Personally, I use Antivir and it also doesn't pick up the installer as anything nasty. Malwarebytes' Anti-Malware lets you run the installer executable, but once it downloads and tries to run its payload Malwarebytes' will catch it (tries to run av360.exe) and give you the option to terminate it. This seems to work and the machine seems to have no lasting ill effects.
|
|
#
?
Dec 23, 2008 04:40
|
|
|
GREAT BOOK OF DICK posted:They were 12 REGISTRY entries from atdmt.com, not cookies. Even after removing them it still loses network connectivity so I'm sure there's still something somewhere.
|
|
#
?
Dec 23, 2008 09:15
|
|
|
Hillridge posted:Just so I don't inadvertently infect myself with something, this is the correct download link for SUPERAntiSpyware right? I just got it from zdnet's download.com, seems the safest way to find most things.
|
|
#
?
Dec 23, 2008 14:00
|
|
|
I was onsite yesterday trying to figure out wtf was wrong with this Windows Server, and to kill time while it was updating (completely unpatched server, awesome), I decided to check Windows Update on a few of the PCs. I noticed that on this one Win2k box, Windows Update wouldn't load. Because the browser was so slow, I say it attempting to open 127.0.0.1. Let me tell you, that HOSTS file was great. It was no only blocking Windows Update and a variety of Microsoft download servers, but it also had a pretty comprehensive list of different antivirus update servers as well. So I fixed the HOSTS file and since they don't have any local antivirus software (  ) I loaded up Housecall to see what came up.I think the final count was somewhere around 4500 infections found. Most of them appeared to be  hidden various places around the PC. I suspect that the doctor was probably responsible for the initial infection, but I kind of doubt he's smart enough to have a huge cache of installers and keygens hidden deep within his user profile. I suspect the bulk of that was due to one or more of the infections.It always fills me with warm fuzzies when I come across crap like this in a medical environment. I'm glad my confidential patient information is in safe hands. Edit: here's a blurry pic of the scan in progress (sorry, my cell phone camera doesn't have a macro mode) 
|
|
#
?
Dec 23, 2008 14:48
|
|
|
brc64 posted:I was onsite yesterday trying to figure out wtf was wrong with this Windows Server, and to kill time while it was updating (completely unpatched server, awesome), I decided to check Windows Update on a few of the PCs. I noticed that on this one Win2k box, Windows Update wouldn't load. Because the browser was so slow, I say it attempting to open 127.0.0.1. I'm sure I don't need to tell you that disinfecting a win2k machine is a waste of your time. It's just going to get reinfected the very next time it touches the internet. You should recommend that he upgrade his machines to XP, there is absolutely no reason not to at this point.
|
|
#
?
Dec 23, 2008 15:41
|
|
|
abominable fricke posted:I'm sure I don't need to tell you that disinfecting a win2k machine is a waste of your time. It's just going to get reinfected the very next time it touches the internet. You should recommend that he upgrade his machines to XP, there is absolutely no reason not to at this point. By the way, Housecall locked up on that machine trying to disinfect LONGHORN BETA LEAKED.EXE
|
|
#
?
Dec 23, 2008 16:04
|
|
|
webcomics thread posted:I just got it from zdnet's download.com, seems the safest way to find most things. I ran it and found a bunch of cookies, but not much else. It's mildly annoying in that it sets itself to run at startup though. Oh, my hosts file was normal btw. I haven't had the problem yet today, so I'm going to keep my fingers crossed and hope I'm clean.
|
|
#
?
Dec 23, 2008 16:55
|
|
|
brc64 posted:I was onsite yesterday trying to figure out wtf was wrong with this Windows Server, and to kill time while it was updating (completely unpatched server, awesome), I decided to check Windows Update on a few of the PCs. I noticed that on this one Win2k box, Windows Update wouldn't load. Because the browser was so slow, I say it attempting to open 127.0.0.1. poo poo like this worries me every time I go to my doctor and see his laptop sitting on the counter, unlocked, with an RDP session into a Windows 2003 server. Granted, he does have NOD32 running on the server. Can't miss the icon when you're a few feet from the screen. 
|
|
#
?
Dec 23, 2008 18:07
|
|
|
I'm having major trouble with Trojan.bho , I've run malwarebytes and superantispyware, vundofix, combofix and they all catch it and say it's been removed. After a restart and rescan it's back. Short of wiping this install anyone else have an idea? Seems to be coming from my registry.
|
|
#
?
Dec 23, 2008 18:22
|
|
|
Toshi posted:I'm having major trouble with Trojan.bho , I've run malwarebytes and superantispyware, vundofix, combofix and they all catch it and say it's been removed. After a restart and rescan it's back. Short of wiping this install anyone else have an idea? Seems to be coming from my registry. The virus itself is probably still hiding on your system somewhere. You could try http://housecall.trendmicro.com/ and run their online virus scan there to see if it finds anything. If that doesn't work, there are other online virus scanners available from other companies. Just have to do a Google search because I'm not sure who else has one aside from ESET and Kaspersky.
|
|
#
?
Dec 23, 2008 18:44
|
|
|
Toshi posted:I'm having major trouble with Trojan.bho , I've run malwarebytes and superantispyware, vundofix, combofix and they all catch it and say it's been removed. After a restart and rescan it's back. Short of wiping this install anyone else have an idea? Seems to be coming from my registry. I would post about it in the tech support forum. You probably need to delete some DLL files or registry entries using recovery console or a live CD.
|
|
#
?
Dec 23, 2008 18:50
|
|
|
Capnbigboobies posted:Once you disable the stupid popup antivir is a great antivirus. Sorry for quoting something from the front page, but I've always hated that popup, how do you disable it?
|
|
#
?
Dec 23, 2008 19:26
|
|
|
sov68n posted:Sorry for quoting something from the front page, but I've always hated that popup, how do you disable it? Here.
|
|
#
?
Dec 23, 2008 19:30
|
|
|
What is everyone's opinion of Windows Defender? As more of the machines that I work on are being either built with/for or redeployed with Vista, Windows Defender is built right in as a Microsoft-managed antimalware tool. Is it worth its salt, or should I use it in tandem with something like Malwarebytes' products? Or option 3: Ignore it entirely and trust exclusively some third-party application?
|
|
#
?
Dec 23, 2008 20:05
|
|
|
My dad caught the PrivacyProtector virus. I don't know its official name, but it's the kind that bundles itself with an unlicensed anti-spyware trial software, ravages your system, and creates fake Windows alert balloons from your tray telling you that you have an infection. I can't remember whether it uses HOSTS redirection or a keylogger, but the fake Windows error messages tell you to purchase the anti-spyware software license over the web, so clearly that's a very bad idea. My solution was to flatten and reinstall. I assume a computer's pretty much hosed when it boots up to this:  EDIT: It was SmitFraud, or some variation of it. Phenwah fucked around with this message at 20:24 on Dec 23, 2008 |
|
#
?
Dec 23, 2008 20:20
|
|
|
Footboy posted:That is a much, much cooler graphic and snazzier UI than most virus writers would take the time to put into their product. On the other hand, that more or less screams that it is absolutely not related to Windows, which is the opposite tack that the successful ones are taking these days.
|
|
#
?
Dec 23, 2008 20:49
|
|
|
Midelne posted:That is a much, much cooler graphic and snazzier UI than most virus writers would take the time to put into their product. On the other hand, that more or less screams that it is absolutely not related to Windows, which is the opposite tack that the successful ones are taking these days. Pretty sure 90% of people can't tell the difference anyway.
|
|
#
?
Dec 23, 2008 23:30
|
|
|
I learned as a result of reading through the Microsoft Malware Protection Center's recent entries and Googling one term I didn't recognize that you absolutely should not Google SPTH and click any of the top couple of links that look like they might answer your question as to what the hell SPTH refers to. No really, don't, there are a shitload of hostile links. I guess if you've got an isolated VM and a virus scanner you want to test out it might be worth a laugh, but I'm running latest-build Firefox 3 and McAfee still logged at least one infection with a name I've never seen.
|
|
#
?
Dec 24, 2008 01:30
|
|
|
hyperborean posted:Actually, this just showed up on my brother's computer. What's the best tool suite for knocking this out? 
|
|
#
?
Dec 24, 2008 03:43
|
|
|
Luigi Thirty posted:Actually, this just showed up on my brother's computer. What's the best tool suite for knocking this out? Superantispyware will probably take care of it. https://www.superantispyware.com
|
|
#
?
Dec 24, 2008 04:16
|
|
|
FloorMatt posted:Superantispyware will probably take care of it. Thanks. On top of that, AVG is barfing alerts (he said he never thought it was important) he's got popups every 30 seconds, Firefox won't start, and he hasn't had automatic updates turned on since 2006. I hope I can get rid of this poo poo
|
|
#
?
Dec 24, 2008 04:28
|
|
|
Luigi Thirty posted:Thanks. On top of that, AVG is barfing alerts (he said he never thought it was important) he's got popups every 30 seconds, Firefox won't start, and he hasn't had automatic updates turned on since 2006. I hope I can get rid of this poo poo Uninstall AVG and install Avira AntiVir. It's free and much better than AVG.
|
|
#
?
Dec 24, 2008 04:47
|
|
|
FloorMatt posted:Uninstall AVG and install Avira AntiVir. It's free and much better than AVG. I think that'll be the first thing I do after I get rid of the 235 viruses/trojans/shitwares SuperAntispyware found 
|
|
#
?
Dec 24, 2008 04:52
|
|
|
I would just like to add a quick note on all of those TDSSrv things that seem to come along with the Win Anti Virus 2008/9/whatever malewares. If you go into the device manager, and then click on View -> Show Hidden Devices (something similar to that, I'm on a mac right now), and then go down to Non Plug-and-Play devices, then you will be able to see TDSSrv or whatever it is on your machine. You can then go into that and disable it, I haven't had any luck deleting it, but if you disable it you can then generally load up your virus scanners and other things like that whereas you couldn't before. I think that also might have something to do with the DNS changing things that won't allow you to go to certain virus software websites and the like. Also, another thing that I have found that is pretty nice, well it doesn't look too nice, but it works well is Avenger. Basically you just paste a list of files, registry keys, services, etc into a window, and click run, and it restarts your computer a few times while removing the files you have put into it. So, if you have a fairly comprehensive list of files that are generally used in the infections, you can put that into avenger and run that before you get going too far, like to get rid of TDSSrv  , or any other things that you know are bad.Another thing I'm a pretty big fan of is Process Monitor. Say I know of a registry key that keeps on being automatically regenerating, you can apply a filter to the keys value, and then when it is created you can click on it. Then after that you can look at the process's stack, and then see what file is generating the key. This has helped me a lot! Last but surely not least is HijackThis. This has saved me on many occasions, and I use this instead of msconfig all of the time. I think it picks up on a few more things, and you can actually use it to delete the files, whereas msconfig will just make them not start up. Be careful when using it though, as it will remove the files! Hope this helps.
|
|
#
?
Dec 24, 2008 05:54
|
|
|
FloorMatt posted:Uninstall AVG and install Avira AntiVir. It's free and much better than AVG. The virus scanner is not really the issue here.
|
|
#
?
Dec 24, 2008 08:42
|
|
|
fishmech posted:I believe their web server has been hijacked, and depending on the referrer information it will redirect you to the malware site. I know I've read of this elsewhere. yup, testing with curl gives completely different results depending on referer: code:code:
|
|
#
?
Dec 24, 2008 11:48
|
|
|
Goddammit I am still getting redirected now and then when clinking links on a google search results page. I've run a few scans and found nothing. I guess I'll just live with it for now.
|
|
#
?
Dec 24, 2008 17:23
|
|
|
Hillridge posted:Goddammit I am still getting redirected now and then when clinking links on a google search results page. I've run a few scans and found nothing. I guess I'll just live with it for now. I'd advise alerting the owners of the sites that they may have been exploited, and posting what sites and search results are giving you redirects.
|
|
#
?
Dec 24, 2008 18:11
|
|
|
Hillridge posted:Goddammit I am still getting redirected now and then when clinking links on a google search results page. I've run a few scans and found nothing. I guess I'll just live with it for now. Are there other computers on your local network? The latest batch of Zlobs perform DNS poisoning so they end up redirecting DNS requests from clean computers that are networked to an infected one.
|
|
#
?
Dec 24, 2008 19:29
|
|
|
JonM1827 posted:TDSServ EVIL BABY EATER I just spent three hours cleaning my families computer that had TDSServ and Vundo on it. It was honestly the worst experience I have ever had. Still is infected...
|
|
#
?
Dec 24, 2008 22:55
|
|
|
|
| # ? Apr 25, 2024 22:32 |
|
|
After reading this thread I downloaded Malwarebytes, Superantispyware, Combofix & Avira. I haven't yet installed Combofix, but Avira keeps popping up an alert saying that my copy of Combofix.exe is a Trojan. I believe I dl'd it from bleepingcomputer.com. Is this a known issue or did I trust the wrong google result?
|
|
#
?
Dec 25, 2008 06:47
|
|
