PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
The worst I had to deal with recently was one of those bastard child XPAntiSpyware things. I remember infecting myself with the 2007 variant. Since then, it's come with friends that lock your DNS down to the 85.255 hell, and cause all sorts of wondrous crashing. Formatted that computer.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

F2B posted:

Heck yes. That's what I do. I don't even mess with removal. If I so much as suspect any minor breach, I just restore the image. And yes 20 minutes is absolutely sublime compared to a 1 hour scan. Really.

E: with TrueImage I can fit my entire image on 1 burnt DVD. So I drop it in. Reboot. Set and done. :)

Using a bootable CD and a USB hard drive, you can have a restore time of 6 minutes. I'm not even making GBS threads you.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
I may have posted this in the ticket thread earlier today, but I got a system in which came with the upgraded version of Virut - the name eludes me now. Even though AVG (when it worked), MBAM, SAS and whatnot said the system was clean, the loving thing STILL infected all the USB sticks that came to it, among other things.

loving, flattened with fire.

After checking the chatlog, it's called Vitro.

It just infects the everliving gently caress out of everything on the system. When I did a virus scan on the data I pulled, I found a PartyPoker.exe in their limewire folder. Going to wager that was the infection vector. But yeah. The ability of that little bastard to inject code into .exe files wholesale is... worrying. So when your entire patch of critical files (regedit, explorer, the session manager, msconfig) light up as infected... welp.

PopeOnARope fucked around with this message at 17:19 on Nov 19, 2009

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
As it seems to have been said earlier in the thread, Vitro, like Virut is hilariously overzealous - to the point where it breaks both real antiviruses and fake malware alike. That said, when you have something like 8 exe files running - half of which are invisible inside the file system... there are problems.

Not to mention the fact that it seems to dynamically generate its autorun virus. Every time I would plug the key in, there would be 2-3 new exe files, all of which slammed right into the system's core files before you could blink.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

BorderPatrol posted:

Definitely a Virut variant. Its main MO is to infect every .exe file it can find, and also inject a hidden iframe in every html document (including every help file on your system).

What's really fun is when your AV program gets infected, and initiating a virus scan ends up infecting every file it scans! :smithicide:

That would explain why AVG was running at 99% constantly on the client system I had :\. Now all that we need it to do is infect system / video / raid BIOSes and it'll be the perfect storm :(.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Ensign Expendable posted:

Hopefully this results in a decline of Antivirus_2009_XP_Pro_weswearitsreal.notmalware.exe infestation. At least some users might think twice before downloading random stuff if they know they have an antivirus already.

I don't think it'd really help. You can tell people a thousand times that they have an antivirus, give them all the best tools to scan their systems, but nope, when it comes down to it, that little gif is still blinking... YOU HAVE 59 INFECTED FILES! INSTALL RETARD RAPER PRO TO REMOVE THEM NOW BEFORE ALL OF YOUR PERSONAL INFORMATION IS STOLEN!!!

I really have had customers bring back systems, telling me "it has a virus", the knowledge of which comes from one of these antivirii. We usually try to explain why they're stupid before telling them to get out.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Fehler posted:

So what is the best way to scan an XP machine infected by a Virus/Rootkit/Trojan these days? Does booting into safe mode and installing some scanner actually help anymore? If so, what scanner?

And what is the best Live CD for virus scanning right now?

Copy the data you need from it, cleanse the drive with fire, and put the data back when it's clean.

Now, if that (two hour) procedure isn't an option, then it's generally recommended to use things like MalwareBytes, SuperAntiSpyware, and Combofix to mop up the mess. I'm unsure in the way of live CDs (I can just pull the drives, so they're moot).

Note: One thing that REALLY helps disinfection is if you have safe mode access. Go in there, clear out the temp and temporary internet files folders, open up MSConfig and disable EVERYTHING, and then look for abnormalities - go kill those by hand. Then check the services list for anything abnormal. That should help deal with a lot of more minor infections.

PopeOnARope fucked around with this message at 18:10 on Jan 4, 2010

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

do it posted:

A friend's PC has been overrun with viruses and she wants to reinstall Windows XP; however, she's realized that because her laptop came with most of the software preinstalled (e.g. Office, XP itself, Nero, etc.) she doesn't have any of the license keys to successfully reinstall everything. Is there a way to find these keys in her PC's registry or something before reinstalling XP?

I figured people posting in this thread may have experience with this, but let me know if the post is better suited somewhere else.

Magic Jellybean Keyfinder.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
At about 4:44 AM, an e-mail blast went out from my address to all of my current contacts - confirmed by a friend of mine online at the time. I've since scanned the system with MBAM, Sophos Anti-Rootkit, and Avast!

I'm watching my connections like a hawk in cFosSpeed's connection monitor - nothing suspicious. The only oddity is that when I audited the system logs, two .tmp files in the System32 folder "failed to run due to an incompatibility with the system" - this would be them http://uploading.com/files/72aa3ema/Infection.zip/ - each is 6.00KB in size.

What the gently caress is going on, you guys think?

Edit - checked the MIME info, and the mail blasted out from 115.49.34.112. With ads for https://www.nsehwop.com. Fuckin' Chinese. I've changed the login - this should fix the issue, yeah?

PopeOnARope fucked around with this message at 12:06 on Feb 10, 2010

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

BillWh0re posted:

there are no kernel-mode rootkits for windows 7 64-bit

Though that makes me feel better about my system security, it baffles me as to how some of my login info got lifted.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

COCKMOUTH.GIF posted:

What about a scan with SuperAntiSpyware? I find that Combofix/Malwarebytes does the trick, but SuperAntiSpyware seems to find remnants that Malwarebytes didn't clean. I like the idea of rewriting the boot sector and using F-Secure from a bootable CD.

I helped a woman not too long ago set up a new computer and transfer files from the old one. It turned into this massive project and the woman was a complete bitch the entire time. She did pay me in the end, but I couldn't justify any future house calls for anyone because of that encounter. This past weekend she calls my phone twice leaving two voicemails about how she's getting a fake antivirus program taking over her desktop. I call her back and she spends most of the conversation bitching and trying to get me to make another house call, and check this and check that and blah blah blah. I just flat out told her bring the tower to me and I'll clean it. She apparently didn't like how I offered my assistance to her this time around. I'm pretty sure her husband called me a "loving rear end in a top hat" too. Not my fault you're an idiot. Good luck taking your poo poo to Geek Squad.

Back when I worked at the computer store, we had a few of those.

One was a woman who bought a printer well over a year ago, and was being a gigantic bitch because "IT DOESN'T WORK, I WANT A NEW ONE NOW! SOME ASIAN KID SOLD IT TO ME AND I REMEMBER IT LIKE YESTERDAY IT WAS 4 MONTHS AGO!!!" Turns out the dumb gently caress was plugging the USB cable into a fax port.

Another was a woman where I was supposed to transport all of her old poo poo off her computer, and onto one she just bought. Either she neglected to tell me about, or failed to remind me of needing to "Move" the office install. So she calls about two weeks ago saying "Oh, about three months ago you moved all my old data to my new computer, but you didn't copy office. I need "The Code"." She goes on and on about "Oh, I have the disk, it must be legitimate, I just lost the case, and keeps demanding I give her "The Code". No matter how much I try to explain to her that every code is unique, and since she lost her case she's hosed, the drat woman just keeps going on and on about how it was my job to move it. Unfortunately, my boss didn't want to refund her whatever the labor cost I made on it was, so I just went over and installed "Another" version of office. gently caress, there's certain customers that piss me off enough to the point where I would be tempted to pull a windows disc out of their machine halfway through re-install and leave.

I forgot to mention the best part. Through the entire phone call she kept referring to the product in question as "Windows 7". So yeah, it confused the making GBS threads gently caress out of me as to why her "old" computer (a Pentium 3 700 with 128mb of ram) would have that in the first place.

PopeOnARope fucked around with this message at 16:58 on Feb 24, 2010

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
Quick and odd question:

Lately, we've noticed that after having MalwareBytes clean up infections, a lot of systems are losing the ability to connect to the net via ethernet. Other systems can connect just fine, but the system that just got disinfected? Nada. The lights are on on both ends, the cable is fine, and reinstalling the OS fixes the issue. Oh, and re-installing network drivers does poo poo all. What the hell?

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Knobjockey posted:

There was a proxy server running on localhost but now it's gone and Malwarebytes hasn't removed its settings from Internet Options, Connections tab, LAN settings.

That causes windows to tell you media disconnected, though?

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
Speaking of Malware, I had a guy call in today that's been fighting it since August 24th. That's when the first logged malware cleanup was. That was also the last time MalwareBytes was updated on his system.

Since then, they've sold him Cyber Associates PC Tuneup, and failed to resolve the problem on 5 calls. When I checked in today, I noticed that he was out of scope - and this issue would technically get me in poo poo to fix due to "Policy", but still. The poor fucker doesn't deserve to have his money drained away by an endless parade of idiots who don't actually help.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
I had a fun malware / virus issue the other day. Husband and wife's computer infected with the same poo poo. They finally discovered it when svchost.exe started crashing, and the system presented no sound / no mixer device.

I figured this was odd, so I tried to navigate to https://www.malwarebytes.org - to find it was blocked. Okay then. I went to check DNS - it was changed to 93. something addresses on both systems. Changed that back. They also had a WRT54G with default login / password, which, lo and behold, had its DNS changed too.

The worst part about this is that there was maybe three hits on Google about the SVC Host error, and nothing meaningful about the IP addresses I pulled for DNS. Plus, I couldn't update MalwareBytes (12007). I'll provide some more meaningful information later on when I can check my work logs again, but overall, it was just frustrating.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
In these cases, thank gently caress for System Restore. About three days ago, I was trying to deal with a system rooted and carrying Antivirus 2010; the root was bad enough on its own. From what GMER detected, there were three results - one from the online virus scan the guy ran, and the other two from the Malwarebytes forum, where they've been working on fixing that since the 10th (this was on the 17th).

Basically the loving thing modified atapi.sys and iastor.sys to keep itself in business, and when it detected you running a scan of any sort (this is in safe mode too, kids), it would kill the process, and then deny the permissions. I ended up having to do cacls /g <path> Everyone /f each time, but it did no good - after that loving thing shut it down the first time it was of no use.

I was actually trying to rip the rootkit out of the registry manually, but no matter how I hosed with the permissions it wouldn't let me delete it.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

BangersInMyKnickers posted:

If a system has a rootkit, never attempt to repair it from a live boot to that OS. If your anti-virus product lets you build an emergency boot CD, use that (hopefully it catches it). Otherwise, use some kind of WinPE toolkit and use regedit to manually mount the system registry hive and do your cleanup there.

I'm doing this poo poo over the phone, so my options are limited.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
Speaking of Viruses, holy loving gently caress, ThinkPoint was a goddamn epidemic today. 50% of our calls were to handle it.

Fucker pops up in normal, safe modes.

You can bypass it by throwing the horns and killing the process tree on hotfix.exe, but generally the easiest way is to system restore, then mop out the remainders.

That said, when I see MyWebSearch on the system, I can assume it's got e-herpes.

\/ Just scrape offending poo poo out of the appdata folders, program data on the C drive, and blast away the temp files. Should do it.

Note: If you do system restore to kill it, system restore will fail. Don't fret. It worked.

PopeOnARope fucked around with this message at 09:57 on Oct 24, 2010

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
So I discovered last night, you can do a lot without explorer running - and holy gently caress does it make life faster. I'm rather fond of being able to shoot every process I don't need running, remove the temp directory, and then abuse cacls to "Fix" the permissions on other user accounts so I can get into them.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
Fun fact: Thinkpoint (and the exploit horses it rode in on) has hosed our call amount so badly that Dell now has a department to specifically handle it.

Other fun fact: I finally ran across my first hosed hosts file the other day! It was just an unending wall of redirects, sending most attempts at Google out to random places of the web.
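
The "unending wall of redirects" hosts file described above is easy to spot mechanically. The following is an added example, not code from the thread: it parses a hosts file, skips the loopback and 0.0.0.0 entries that belong there, and reports every name sent somewhere else, with a note on whether that name is a search engine or security vendor. The hosts path is the real Windows location; the sample file contents and the addresses in it are constructed for the example.

```python
import ipaddress

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
# Targets that mean "resolve locally / drop": loopback, plus the 0.0.0.0 ad-blocking convention.
LOCAL_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}
# Domains a hijacked hosts file typically points away: search engines and security vendors.
WATCHED_SUFFIXES = ("google.com", "bing.com", "malwarebytes.org", "microsoft.com")


def parse_hosts(text: str) -> list:
    """Return (ip, hostname, line_no) for every mapping; comments and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])   # first field must be an IPv4/IPv6 literal
        except ValueError:
            continue
        for name in fields[1:]:               # one IP may map several names on one line
            entries.append((fields[0], name.lower(), line_no))
    return entries


def audit_hosts(text: str) -> list:
    """Flag every mapping that sends a name somewhere other than the local machine."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if ip in LOCAL_TARGETS:
            continue
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        findings.append({"line": line_no, "host": name, "target": ip, "watched_domain": watched})
    return findings


def redirect_targets(findings: list) -> set:
    """Distinct IPs the file redirects to; one address behind dozens of names is the usual hijack shape."""
    return {f["target"] for f in findings}


def audit_hosts_file(path: str = HOSTS_PATH) -> list:
    """Read the live hosts file (read-only) and audit it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample: a normal-looking header, one deliberate ad-block line, then hijack lines.
SAMPLE_HOSTS = """\
# constructed sample hosts file for the example
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example          # blackholed on purpose, not a hijack
198.51.100.23   www.google.com google.com
198.51.100.23   www.bing.com
203.0.113.7     www.malwarebytes.org malwarebytes.org
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print("redirect targets:", redirect_targets(audit_hosts(SAMPLE_HOSTS)))
```

On a home machine the hosts file should contain nothing but comments and loopback lines, so any non-local mapping is worth a look; the watched-domain flag just orders the list. The sample yields five flagged names pointing at two addresses, which is the pattern the post describes.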

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
Had an interesting infection at the end of the day today. It created 7 infections similar to the names of the directories they were in (Googlecalendr, and DellDock for example) / files they were near. Each had the same garbage description, was 167KB, and were all created at 3:45PM. I couldn't kill all processes, so I just swapped into another user profile to handle it. The "Trigger" infection that made them call in was Antivirus Studio 2010. I scanned the files with MalwareBytes, and it detected gently caress all. Also, all of them were detected by HJT as having HKCU runs.

What was that?

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

BillWh0re posted:

You might want to try using Kaspersky's TDSSKiller next time you see a TDSS, TDL3 or Alureon infection: http://support.kaspersky.com/viruses/solutions?qid=208280684

Generally tools like that can disinfect the infected driver file without totally removing it.

Yeah, TDSS Killer works. I had a /b/tard call in with a rather beefy collection of infections. One of them was TDSS.3; and Killer repaired it just fine. That said, the last time I handled a rootkit? It infected iastor.sys.

Don't delete that.

\/ I assume it has some kind of rudimentary boot loader that reads the first x bytes of the drive, where the needed driver is copied to.

PopeOnARope fucked around with this message at 00:44 on Nov 8, 2010

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
Smart Engine does it by just disallowing you to run that specific file name (among about 800 others) in group policy.

Hilariously, it also disables other fake antiviruses.

That said, thank gently caress virus makers don't steal ideas from each other. A virus which replaces the shell variable in the registry with itself, blocks usage of many critical files to disinfection (Task Manager, whatup), deletes restore points, and breaks the recovery console would basically require a full wipe every time to deal with on-system.

\/ Correct. But there are rare cases where you get rootkits and their processes that will kill your scanner no matter what it's named.

PopeOnARope fucked around with this message at 08:06 on Nov 17, 2010

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Kaboobi posted:

Boot into safe mode, kill the process, run combofix, make sure it didn't crap up anything in the registry.

That should take care of it, at least in the two times I ran across it.

MalwareBytes will easily do it too.

But to simplify:

Throw the horns, kill process tree on hotfix.exe, reset your browser, fix the shell in HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, go into %appdata%\Roaming and kill hotfix.exe, install, thinkpoint.exe

Done in about 10 minutes.
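
Two of the steps above (the safe-mode MSConfig/startup audit earlier in this history, and fixing the Shell value under HKCU\...\Winlogon here) can be checked from a registry export instead of by eye. The following is an added example, not the poster's or any tool's code: it parses the text of a regedit / `reg export` .reg file and reports a per-user Winlogon Shell override (absent on a default install, and it overrides HKLM's explorer.exe), an HKLM Shell or Userinit that is not the stock value, and any Run/RunOnce entry launched from a user-writable path such as %AppData%. The sample export, the user name and the file names in it are constructed; the registry key paths are the real ones.

```python
import re

WINLOGON_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon"
RUN_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                r"\software\microsoft\windows\currentversion\runonce")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# "name"="value" lines; .reg files escape " as \" and \ as \\ inside the quotes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
USERINIT_OK = re.compile(r"[a-z]:\\windows\\system32\\userinit\.exe,?")


def unescape_reg(s: str) -> str:
    # Undo the .reg escaping: \" -> " first, then \\ -> \
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse regedit / 'reg export' text into {key_path: {value_name: string}}.
    Only REG_SZ ("name"="value") lines are decoded; other value types are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][unescape_reg(m.group(1))] = unescape_reg(m.group(2))
    return keys


def audit_shell_and_run(keys: dict) -> list:
    """Report Winlogon Shell/Userinit tampering and Run entries that start from user-writable paths."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        # HKEY_USERS covers a hive mounted from another profile, as in an offline cleanup.
        per_user = k.startswith(("hkey_current_user", "hkey_users"))
        hive = "HKCU" if per_user else "HKLM"
        if k.endswith(WINLOGON_SUFFIX):
            shell, userinit = values.get("Shell"), values.get("Userinit")
            if per_user and shell is not None:
                findings.append(f"{hive} Winlogon\\Shell override present: {shell}")
            elif shell is not None and shell.lower() != "explorer.exe":
                findings.append(f"{hive} Winlogon\\Shell is not explorer.exe: {shell}")
            if userinit is not None and not USERINIT_OK.fullmatch(userinit.lower()):
                findings.append(f"{hive} Winlogon\\Userinit modified: {userinit}")
        elif k.endswith(RUN_SUFFIXES):
            for name, command in values.items():
                if any(w in command.lower() for w in USER_WRITABLE):
                    findings.append(f"{hive} Run entry '{name}' starts from a user-writable path: {command}")
    return findings


def audit_reg_file(path: str) -> list:
    """'reg export' writes UTF-16 with a BOM; the utf-16 codec handles that."""
    with open(path, "r", encoding="utf-16") as fh:
        return audit_shell_and_run(parse_reg_export(fh.read()))


# Constructed sample export: a hijacked per-user Shell, a stock HKLM Winlogon, one bad Run entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\victim\\AppData\\Roaming\\hotfix.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Hotfix"="\"C:\\Users\\victim\\AppData\\Roaming\\hotfix.exe\""
"Sidebar"="\"C:\\Program Files\\Windows Sidebar\\sidebar.exe\" /autoRun"
"""

if __name__ == "__main__":
    for finding in audit_shell_and_run(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

To feed it real data, export the keys with `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and the same for the HKLM key and the Run keys) and pass the file to audit_reg_file; the stock HKLM values are Shell = explorer.exe and Userinit = C:\Windows\system32\userinit.exe with a trailing comma, which is why the check tolerates the comma.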

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
I don't know what it is about Antivirus 8, but rather than upgrade the fake program itself, the creators think of ways to just be bigger assholes with it. AV8 is usually accompanied by some form of TDSS under XP, and today was icing on the cake.

TDSSKiller detected TDSS 4, in the MBR.

Motherfucker.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Serfer posted:

Jesus christ, Antivirus 2010 went from just a minor annoyance, to a major loving headache. Now it installs a rootkit.

I got a machine in yesterday with a bad infection from it. It would allow superantispyware, malwarebytes, etc to install, but after a couple seconds of running, would kill the process and remove all rights on the executable. Same with hijackthis, rootkit revealer, etc. I can stop the driver its using to do the insidious stuff, even delete the sys file from WinPE, but it keeps coming back every reboot. AVG, Superantispyware, Malwarebytes, TDSSKiller, they all did fuckall. Reformat was the only option.

Safe Mode with Command Prompt? Then run poo poo, should be fine. Just as well, make sure it's not an MBR rootkit. Otherwise you're hosed.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Ensign Expendable posted:

For an MBR rootkit, can't you just boot into a Linux disk, zero the MBR, then boot into WinPE and put it back? What can the virus do to prevent that?

Load up in Linux, clearly. But yeah, there are tools to disinfect the MBR. TDSSKiller is one, and it's very capable.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
We came across Win32.TDSS.TDL4 in the wild today. On a Windows 7 x64 system :toot:

TDSSKiller resulted in an unmountable boot volume. So we imaged it. It still wouldn't boot, and FixMBR is not an option.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

BillWh0re posted:

Since it sounds like you have an imaging solution, could it be that this is somehow confusing the whole MBR/partition boot situation? How about any full disk encryption software or RAID? These can all complicate the MBR cleaning process, though I'm not sure how TDSSKiller specifically deals with them.

If you can boot a Linux or Windows environment from CD, you can use a hex editor to copy an MBR from a clean Windows drive, but you'll need to be careful only to copy the code portion of the MBR, not the partition table (just the first 0x1b8 bytes).

There's an outside chance that the TDL4 rootkit has started encrypting the partition table to make fixmbr unusable, but I think other reasons are more likely.

I work with Dells. All day. And I don't have physical access to any of them; TDSS Killer can clean up TDL4 just fine, I had it do that just a few days prior. It seems like what it does best is kills the MBR though on x64 systems (Mind you, my co-worker was also using 2.4.1 instead of 2.4.4)
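
The quoted advice to copy only the first 0x1b8 bytes of a clean MBR (the boot code) and leave the partition table alone is worth seeing as bytes. The following is an added example, not code from the thread or from TDSSKiller: it splits a 512-byte sector into code, disk signature and partition table, compares the code region against a known-good copy, and rebuilds a sector that takes the clean disk's code while keeping the suspect disk's own signature and table. Both sample sectors are constructed placeholders, not real boot code or real disks.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 0x1B8              # boot code occupies bytes 0x000-0x1B7
DISK_SIG_END = 0x1BE          # 4-byte NT disk signature + 2 reserved bytes: 0x1B8-0x1BD
TABLE_END = 0x1FE             # four 16-byte partition entries: 0x1BE-0x1FD
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 0x1FE-0x1FF


def split_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into code, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[TABLE_END:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    return {
        "code": sector[:CODE_END],
        "disk_signature": sector[CODE_END:DISK_SIG_END],
        "partition_table": sector[DISK_SIG_END:TABLE_END],
    }


def parse_partitions(table: bytes) -> list:
    """Decode the four slots of the partition table; empty slots (type 0) are skipped."""
    entries = []
    for slot in range(4):
        entry = table[slot * 16:(slot + 1) * 16]
        boot_flag, part_type = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if part_type != 0:
            entries.append({"slot": slot, "bootable": boot_flag == 0x80,
                            "type": part_type, "lba_start": lba_start,
                            "sectors": sector_count})
    return entries


def code_matches(sector: bytes, known_good_code: bytes) -> bool:
    """Compare only the code region with a trusted copy; the table legitimately differs per disk."""
    return (hashlib.sha256(split_mbr(sector)["code"]).digest()
            == hashlib.sha256(known_good_code).digest())


def transplant_code(suspect: bytes, clean: bytes) -> bytes:
    """Rebuild the suspect sector with the clean disk's code but its own signature and table."""
    s, c = split_mbr(suspect), split_mbr(clean)
    return c["code"] + s["disk_signature"] + s["partition_table"] + BOOT_SIGNATURE


# --- constructed sample sectors (placeholder bytes, not real boot code) ---
def make_partition_entry(bootable: bool, part_type: int, lba_start: int, sectors: int) -> bytes:
    entry = bytearray(16)
    entry[0] = 0x80 if bootable else 0x00
    entry[4] = part_type
    struct.pack_into("<II", entry, 8, lba_start, sectors)
    return bytes(entry)


EMPTY_ENTRY = make_partition_entry(False, 0x00, 0, 0)
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (CODE_END - 8)
TAMPERED_CODE = b"\xEB\xFE" + b"\x00" * (CODE_END - 2)

# Suspect disk: tampered code, its own signature, one bootable NTFS (0x07) partition at LBA 2048.
SUSPECT_SIG = b"\x12\x34\x56\x78\x00\x00"
SUSPECT_TABLE = make_partition_entry(True, 0x07, 2048, 1_000_000) + EMPTY_ENTRY * 3
SUSPECT_MBR = TAMPERED_CODE + SUSPECT_SIG + SUSPECT_TABLE + BOOT_SIGNATURE

# Clean reference disk: good code, but a different signature and layout that must NOT be copied.
CLEAN_SIG = b"\xAB\xCD\xEF\x01\x00\x00"
CLEAN_TABLE = make_partition_entry(True, 0x07, 63, 500_000) + EMPTY_ENTRY * 3
CLEAN_MBR = CLEAN_CODE + CLEAN_SIG + CLEAN_TABLE + BOOT_SIGNATURE

if __name__ == "__main__":
    print("suspect code matches reference:", code_matches(SUSPECT_MBR, CLEAN_CODE))
    fixed = transplant_code(SUSPECT_MBR, CLEAN_MBR)
    print("rebuilt code matches reference:", code_matches(fixed, CLEAN_CODE))
    print("partitions preserved:", parse_partitions(split_mbr(fixed)["partition_table"]))
```

Reading sector 0 for inspection is a 512-byte read of the raw device (\\.\PhysicalDrive0 on Windows as an administrator, /dev/sda on a Linux boot disk). Note that the rebuilt sector keeps bytes 0x1B8-0x1BD as well as the table: that is the NT disk signature, which Vista/7 boot configuration data uses to identify the system disk, so overwriting it with another disk's value is one way to turn a cleaned MBR into an unbootable one.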

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Oddhair posted:

I had a real doozy of a Thinkpoint this weekend, and the laptop wasn't helping me either. It's a Dell Vostro 1720 which came with Vista and was downgraded to XP. Couldn't run: Iexplore, Taskmgr, Regedit, Firefox, etc. I found lots of .dlls in her profile, set to start up in both HKCU and HKLM. Hijackthis was able to delete some of the dll entries, but I couldn't get rid of Hotfix.exe, under which everything in userland was running. Local group policy was set to disallow ActiveX, so Services.msc would load and be blank, same for gpedit.msc :froggonk:

I tried scanning offline, and then it failed to boot. Since it was once Vista, every boot it asks which OS to run, with Vista being the only choice, but once you select Vista it runs XP. I couldn't get XP media to boot for recovery, it kept crashing with a BSOD before the first interactive prompt, so no console for me. The Vista disk would boot, but the repair console would error out indicating it was for a different version of Windows. I figured maybe the drive has issues after I put two different XP media in my own computer and tried recovery from there.

This next part is my fault, I had a spare SATA hard drive, and it was once used with a Power Mac so now it's GPT instead of MBR. Windows 7 Diskpart wouldn't convert it, Vista's wouldn't convert, I believe because the drive had partitions, though one was the EFI partition.

I finally caved (at ~2:00 this morning, she needed it for 8:00 AM) and installed a spare Vista license I had sitting unused because 7 is better, had the presence of mind to not saddle her with x64 Vista, but I'll probably still have to try to get XP back on it sometime over the long weekend.

Any ideas as to why I can't install XP? I see the HD has a feature called G Force which helps prevent data loss in the event of butterfingers, but it doesn't seem like that would cause any kind of incompatibility.

Edit: I see it's also a 4K sector HD, could this be throwing me off too?

Edit2: Yeah, apparently they don't support 4k natively, and so the writes aren't aligned and performance suffers, but I'm inclined to agree with you the drive might be tanking.

That wasn't just ThinkPoint. Also, try safe mode with command prompt in future. / use a boot disk

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Oddhair posted:

Yeah, I'm sure it wasn't just one, there were scads of files in her profile and dozens of registry entries in HJT, but the booting from CD/DVD never worked. I should have used Safe+Command but I was swamped over the weekend putting 12 cubicles where 6 used to be, this was a side job with a deadline. I finally got fresh Vista on it but she absolutely can't use anything other than XP...

Forgot to mention there was RPCNet there as well, might have even been legitimate, but every time I'd kill it (reflexive RPC=bad thinking on my part) the computer would go into 1:00 shutdown mode.

Yeah I'd call that wiping time. As to somebody crying about vista over XP, maybe she should learn how not to ignore infections for 4 months before something pops up and makes the system unusable.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
So this is cute. I got a call today from a woman who initially had GreenAV. It redirected her to a website with an 800 # to call. The representatives identified themselves as being from Dell, then demanded credit card information in order to fix the problem.

Shame I forgot the URL - I was going to set up a virtual machine, set a goatse background, and let them in.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Boxman posted:

I've got a question, as someone who is only slightly savvy with this sort of thing. I'm on Mac OS (I promise I'm not posting this with :smug: on my face). Let's say I get an infected popup and click something that would infect a Windows machine. What happens with the malicious code? Does it sit somewhere in my cache, unable to run? Or does whatever exploit it tries to run simply fail because it was coded for Windows?

To make (what I'm sure is a bad) analogy, when I try to open a exe, I get an error message saying that I can't run poo poo like this; obviously there's no equivalent message when viruses fail to deliver a payload, but I guess I don't quite get why.

I'm betting there's an obvious answer to this that I'm missing, but :shobon:

Viruses generally don't tell you when they successfully deliver a payload, either. More than likely the exploit attempts to determine operating system, sees OSX, and just leaves it alone. Now if they were smart enough to include a DMG...

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Midelne posted:

That would probably resolve the immediate issue of that particular file being infected, but since infected file system and disk interface files are a great sign that you're rooted, I'd probably reinstall anyway.

Uh yeah. You may want to go ahead and remove a MBR rootkit like TDSS before trying to reformat.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Saint Sputnik posted:

This Google hijack thing is really off-and-on. Sometimes it only redirects one link out of 20, and usually only the first time I click a link. MSE ran for over four hours and announced it found VirTool:Win32/Obfuscator.C, but wasn't able to kill it for reasons it could not explain. Worth trying OneCare?

e: MSE also told me the same problem was related to some game I downloaded months and months ago and never had a problem with. I'm so confused.

Where does it route you to, what does MalwareBytes say, what's running on your system right now?

\/ Things getting into HKLM is bad yes, but not disastrous. I usually fire up in Safe Mode, mop up HKLM, turn on the admin account, go into that, clean up the files, mount the HKCU, clean it up, and call it a day.

PopeOnARope fucked around with this message at 04:12 on Dec 23, 2010

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Jetsetlemming posted:

I can still go to the site directly, and clicking again the exact same link in google properly took me to the right website. It was a once-off redirect.

Make sure you don't have the respawning files. Specifically, check your task manager for dwm.exe, csrss.exe, conhost.exe and other running from suspicious places.
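
The check above (system process names running from the wrong place) is the kind of thing worth scripting rather than eyeballing in Task Manager. The following is an added example, not the poster's: given (pid, name, path) tuples, it flags any process whose name belongs to the core set but whose image is not in System32, and any process at all that was started from a user-writable directory. The process list is constructed for the example; the user name and file names in it are placeholders.

```python
import ntpath

SYSTEM32 = r"c:\windows\system32"
# Names that on a healthy Windows install only ever run from System32.
CORE_PROCESSES = {"csrss.exe", "dwm.exe", "conhost.exe", "winlogon.exe",
                  "lsass.exe", "services.exe", "smss.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\recycler\\")


def check_process(name: str, path: str):
    """Return a reason string if the process looks out of place, otherwise None."""
    n, p = name.lower(), path.lower()
    if n in CORE_PROCESSES and ntpath.dirname(p) != SYSTEM32:
        return "core system process name running outside System32"
    if any(w in p for w in USER_WRITABLE):
        return "executable started from a user-writable directory"
    return None


def audit_processes(processes) -> list:
    """processes: iterable of (pid, name, full_path) tuples, as collected from the running system."""
    findings = []
    for pid, name, path in processes:
        reason = check_process(name, path)
        if reason:
            findings.append({"pid": pid, "name": name, "path": path, "reason": reason})
    return findings


def impersonated_names(findings: list) -> set:
    """Which core process names are being borrowed by files outside System32."""
    return {f["name"].lower() for f in findings
            if f["name"].lower() in CORE_PROCESSES}


# Constructed snapshot: three legitimate core processes, two impostors, one plain AppData launcher.
SAMPLE_PROCESSES = [
    (404,  "csrss.exe",   r"C:\Windows\System32\csrss.exe"),
    (1120, "dwm.exe",     r"C:\Windows\System32\dwm.exe"),
    (2260, "conhost.exe", r"C:\Windows\System32\conhost.exe"),
    (3188, "dwm.exe",     r"C:\Users\victim\AppData\Roaming\dwm.exe"),
    (3304, "csrss.exe",   r"C:\Users\victim\AppData\Local\Temp\csrss.exe"),
    (3412, "hotfix.exe",  r"C:\Users\victim\AppData\Roaming\hotfix.exe"),
    (2840, "firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

if __name__ == "__main__":
    for finding in audit_processes(SAMPLE_PROCESSES):
        print(finding)
```

The tuples can be collected with `wmic process get ProcessId,Name,ExecutablePath` or, in PowerShell, `Get-Process | Select-Object Id,Name,Path`; Task Manager on XP does not show the image path at all, which is why a duplicate csrss.exe in a temp folder is easy to miss there.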

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Bob Morales posted:

Tom's did a test where they measured PC performance with various anti-virus and security packages installed, and also with a 'bare' system.

They should have also tested an older system (one you'd be asked by your grandma or co-worker to 'fix') and they also should have tested Microsoft Security Essentials.

McAfee sucks poo poo like we all know, and Norton somehow makes your computer faster

http://www.tomshardware.com/reviews/anti-virus-virus-scanner-performance,2777.html

Oh wait.

gently caress you, Tom. And gently caress your ad-ridden site.

Don't forget their habit of taking cash for reviews.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

angry armadillo posted:

You're forgetting the customer also cares about someone to blame if the computer goes wrong.

The funny part is they will blame the salesman in PC World who sold them their AV Software before the manufacturer. :)

Well either that, or their computer manufacturer for not holding their hand through everything. Speaking of :psyduck: poo poo, one of my customers needed to install Trend Micro Titanium today, and it wanted MalwareBytes ripped out to install.

What.

Oh, and I hate it when people ask me "Why didn't McAfee stop this fake antivirus!!!"

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Pope Guilty posted:

I saw a fake AVG yesterday. The user couldn't remember installing it, but AVG is antivirus, right?

Yeah I've seen a lot of them lately too. I guess whoever's churning them out figures Grisoft is too small time to go on a witch hunt.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
So my last call of the day was a rather dickish piece of malware. It did the usual bit of loving with the shell value, but it actually had the good sense to kill the task manager process every time we launched it.

I mean, System Restore cleared it right up, but it worries me a little bit that the people developing these things finally put two ideas together. Not to mention the fact that loving with image file execution is becoming more common again (I'm looking at you, fake AVG). Now all we need is something to throw a rootkit into the mix, and I can call it the trifecta infection.