-Dethstryk-
Oct 20, 2000

brc64 posted:

My least favorite question to answer clients is "how did I get infected?" There's never a good way to answer that.

Same here. Especially considering that with a lot of infections, they aren't going to admit to everything they were doing in the first place.


-Dethstryk-
Oct 20, 2000

Suspicious posted:

If NOD32 is dropping the ball, which is the SH/SC goto antivirus now?

Also a lot of people in this thread need to disable autorun.

Let's be fair, a lot of people are dropping the ball on these latest threats. I've been installing NOD32 at various businesses for close to four years now, and this latest batch of crap is the first time I've ever had NOD32 fail during that time.

Everyone is being blindsided and is caught up in a cat-and-mouse game with this latest crapware.

-Dethstryk-
Oct 20, 2000

BillWh0re posted:

That's pretty much all I can think of although if Office is on there you'd want to update that as well, basically anything that can open embedded in a browser, or that embeds a browser itself, needs to be kept up to date.

This is where something like Secunia's PSI comes in handy.

-Dethstryk-
Oct 20, 2000
Don't worry about it. It's legitimate and on top of that, I'm not sure why you would find a Windows DLL updating from the Microsoft servers fishy.

-Dethstryk-
Oct 20, 2000
Ran into a brand new variant of WinPC Antivirus that infected a machine on Wednesday. This son of a bitch is one of the worst fake security center programs, because even in safe mode it's preventing anything from running properly, like GMER and MBAM.

Nasty poo poo. Usually I resort to using the most recent version of Avira's boot CD to take care of this one, but they still aren't catching it.

-Dethstryk-
Oct 20, 2000

Stegosaurus posted:

I got some garbage on my pc that I couldn't get rid of and so I reformatted. My current av/spyware software suite is a full version of AVG and spybot. Anything else I need, or are these two enough for my purposes?

Honestly, some of the nastiest stuff going around isn't giving a gently caress what you have installed. This TDSS crap and all of the other malware posing as antiviruses has been slipping through everything for the past year because of how quickly they update.

Just watch what you're clicking on and where you are going, because that's where most of it is coming from.

-Dethstryk-
Oct 20, 2000

Otacon posted:

Thanks for this tidbit. Do you have to login for each installation? Can I install this on multiple (personally owned) computers with the same LiveID?

Looks like it so far. I've installed it on multiple machines with the same download.

-Dethstryk-
Oct 20, 2000

hobofood posted:

AFAIK none of my family use Yahoo for anything at all - I think hotmail is the tool of choice for lovely web-based email, they did originally have outdated versions of Java and Flash, but I fixed those after the first infection. Anything else in particular I should make sure is up to date?

I'll try Vundofix and Combofix on Saturday. Is there anything else that they should have sitting around to stop this from ever happening again in the future?

This kind of crap will get on a casual PC user's machine no matter what. I haven't seen a single AV solution work effectively against this because of how rapidly these things change.

And it doesn't have to be Yahoo. These things come from plenty of sources. Just make sure you update Flash and Java to the latest versions, and if they use Adobe Reader, update to the latest point release.

-Dethstryk-
Oct 20, 2000

n0manarmy posted:

Is there anything out there to kind of assist with tracking where an end user may have gotten a virus/spyware?

We've been getting a massive rash of people infected by the fake antivirus programs. Most of them have disabled task manager or close out task manager, CMD, and MSCONFIG before I can do anything.

We've got a student body of about 600 that are responsible for keeping and maintaining their laptops for exams but they're not. None of the students remember when/where it came from, only that it just showed up.

From my experience, most of these things are coming from Flash exploits, and often get into the system and pop up later (on a reboot, or just randomly) so it's harder to tell where they come from.

-Dethstryk-
Oct 20, 2000

PopeOnARope posted:

Edit - checked the MIME info, and the mail blasted out from 115.49.34.112. With ads for https://www.nsehwop.com. Fuckin' Chinese. I've changed the login - this should fix the issue, yeah?

Which login are you talking about? For your mail server? Because that's not going to stop some random Chinese server from sending an e-mail with your address on it. How it was sent to your contact list is another concern, but I'd verify that is what actually happened. "Confirmed by a friend" sounds far short of "entire contact list."

How is your contact list stored?

-Dethstryk-
Oct 20, 2000

Suran37 posted:

Not my choice, it was my dad's. His mindset is that if Comcast gives it to their customers it must be the best AV ever made. Maybe I'll just uninstall it. What would be a good replacement?

Microsoft Security Essentials. Free and it does a drat good job.

-Dethstryk-
Oct 20, 2000

Ted Stevens posted:

Well, the system is trashed. Just back up what you can and reinstall Windows. The Dell discs work with any Dell branded computer.

And make sure that you use Dell discs and completely wipe the hard drive, because I've seen plenty of recovery partitions infected lately. Might as well get rid of those while you're at it so it's not a problem later.

-Dethstryk-
Oct 20, 2000

go3 posted:

Norton isn't even a speedbump to these things.

I'm getting a lot of machines now where MSE isn't helping much now, either. For about a year, I didn't have any problems with any of my clients running it. Now it's regularly letting them through.


-Dethstryk-
Oct 20, 2000

Captain Novolin posted:

I seem to have picked up something pretty nasty on my desktop, but I'm not entirely sure how to get it off. MSE picks it up, but it crashes Windows before it can remove it. What are my options when it comes to boot CDs? I'd use a USB stick but my laptop's USB ports are all fried.

E: I couldn't get much info out of Microsoft Security Essentials before it shut down on me but I do know it's flagged as a trojan of some sort, and it's running as services.exe.

E2: got it! Trojan/Sirefef.M, Trojan/Sirefef.W and Phdet.E, hopefully I should be able to find something on Google now.

To be safe, you'll want some sort of offline scanner that will work outside of Windows. You can just use Microsoft's Windows Defender Offline to make a boot CD. Best if you can make it on a clean PC.