|
AceSnyp3r posted: I have a question kind of related to this thread. Are there/have there been any known ways for a virus to spread via e-mail without the use of an attachment or embedded image/audio/video/java/etc.?

I can't remember any offhand, but there have been a few that have sent emails with attachments and then used a MIME vulnerability in Outlook to open the attachment without user intervention. Also, if the mail reader is vulnerable to running HTML it shouldn't in the message body, then the payload can come from a remote website rather than an attachment.

quote: That's interesting, is there another new image vulnerability in Windows or something? I'm kind of interested in how exactly a hacked JPG like you're talking about works.

Most infected JPEGs, GIFs and PNGs these days are just legitimate image files with iframes or script tags appended. I think there's some way to get a browser to render them as HTML so the tags work, but I forget how it happens.
|
# ? Dec 16, 2008 21:50 |
|
|
Does anyone know how to get rid of this bullshit "Virus Remover 2008" malware that somehow got on my computer without me downloading or opening any files? It constantly pops up telling me I have deadly malware on my computer and to download the program. When I try to exit or cancel out, another message pops up saying "If you want your computer to be clean click OK." It also is constantly bringing up a bunch of random popups and error messages. That may be due to other malware, though.
|
# ? Dec 16, 2008 22:14 |
|
http://en.wikipedia.org/wiki/Brontok Apparently one of the variations of this (Avast sees it as rontokbro which sarc says is a Brontok variant) spreads over shared network drives as well as email. The combination of Iraqi internet, all of the computers being hooked to one switch, and 90% of people thinking Windows Defender is an antivirus has this thing spreading like loving wildfire. I now have a thumb drive that I use only to remove this loving thing.
|
# ? Dec 16, 2008 22:15 |
|
Namlemez posted:Got this on a machine through some random Java applet. This was like the most nefarious one I've ever had by far: I've been dealing with this for the last 2 days, that fix thing doesn't work for me. Aaaarrrgghhh
|
# ? Dec 16, 2008 22:20 |
|
the Bunt posted:Does anyone know how to get rid of this bullshit "Virus Remover 2008" malware that somehow got on my computer without me downloading or opening any files? It constantly pops up telling me I have deadly malware on my computer and to download the program. When I try to exit or cancel out, another message pops up saying "If you want your computer to be clean click OK." It also is constantly bringing up a bunch of random popups and error messages. That may be due to other malware, though. Run one or all of the programs mentioned in this thread. From the sound of it, SUPERAntispyware would probably be my first guess.
|
# ? Dec 16, 2008 22:30 |
|
the Bunt posted:Does anyone know how to get rid of this bullshit "Virus Remover 2008" malware that somehow got on my computer without me downloading or opening any files? It constantly pops up telling me I have deadly malware on my computer and to download the program. When I try to exit or cancel out, another message pops up saying "If you want your computer to be clean click OK." It also is constantly bringing up a bunch of random popups and error messages. That may be due to other malware, though. I managed to get this just a month ago right when I was switching antivirus programs (my free year of AVG ran out), I made the mistake of letting my roommate use my pendrive to transfer some files and it silently autoran off of the pendrive when I put it in. The only reason I noticed it at the time was that I was shutting down and it came up with a box asking if I wanted to cancel the install. After I finished installing avast and updated the definitions it would recognize it and prevent it from running, but the files kept replacing themselves after I deleted them. I looked it up on the net and found that malwarebytes takes care of it nicely, though that's the last time I let my roommate use my pendrive.
|
# ? Dec 16, 2008 22:33 |
|
AceSnyp3r posted: I have a question kind of related to this thread. Are there/have there been any known ways for a virus to spread via e-mail without the use of an attachment or embedded image/audio/video/java/etc.?

I poked around in Google for "jpg trojan" but a lot of the results looked sketchy, so click at your own risk I guess.

thelightguy posted: The last JPG arbitrary code execution vulnerability I've heard of was one that affected Windows 2000 and, I think, Windows XP RTM. I don't think there have been any since then but I may be wrong.

XP RTM? I was running XP SP3 at the time. Maybe Vista patched that up. I didn't even know I had the nasty little bugger until my girlfriend's WoW account was hacked.
|
# ? Dec 17, 2008 03:40 |
|
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

quote: Microsoft Security Bulletin MS04-028

quote: Non-Affected Software

This was the latest one I could find, and given that this bulletin was last updated in 2004, I'd imagine that SP3 is also not affected, just not listed.
|
# ? Dec 17, 2008 04:29 |
|
deviant. posted:XP RTM? I was running XP SP3 at the time. Maybe Vista patched that up. I didn't even know I had the nasty little bugger until my girlfriend's WoW account was hacked. You might've been running SP3, but unless these Chinese gold farmers know of some jpg exploit that nobody else in the universe does, you didn't get it via a jpg, you got it from doing something else. Probably something stupid, too.
|
# ? Dec 17, 2008 10:36 |
|
A while back I remember having a jpg file that instantly crashed explorer.exe when you viewed the folder it was contained in. If you put it on the desktop, it would crash explorer constantly. If you viewed it in any browser, it would instantly cause an overflow and your system would bluescreen unless you closed it through Procman. I wonder if I saved it... EDIT Found it. It no longer crashes explorer, but it does cause iexplorer to jump to over 500mb RAM, and firefox to 791mb! Interesting. Otacon fucked around with this message at 13:00 on Dec 17, 2008 |
# ? Dec 17, 2008 12:56 |
|
Casao posted:You might've been running SP3, but unless these Chinese gold farmers know of some jpg exploit that nobody else in the universe does, you didn't get it via a jpg, you got it from doing something else. Probably something stupid, too. The only thing I can think of is there was a thread on a gold farmer in another forum with a hotlinked picture. I hadn't got any email attachments and certainly wouldn't have opened them. Who the hell knows, though...
|
# ? Dec 17, 2008 14:53 |
|
Casao posted: You might've been running SP3, but unless these Chinese gold farmers know of some jpg exploit that nobody else in the universe does, you didn't get it via a jpg, you got it from doing something else. Probably something stupid, too.

My least favorite question to answer from clients is "how did I get infected?" There's never a good way to answer that.
|
# ? Dec 17, 2008 14:56 |
|
brc64 posted: My least favorite question to answer from clients is "how did I get infected?" There's never a good way to answer that.
|
# ? Dec 17, 2008 14:58 |
|
Well, I was using Firefox....does this mean IE7 is actually safer? Also, I wasn't running real-time-AV at the time. Yeah, pretty dumb.
|
# ? Dec 17, 2008 15:15 |
|
Otacon posted:A while back I remember having a jpg file that instantly crashed explorer.exe when you viewed the folder it was contained in. If you put it on the desktop, it would crash explorer constantly. If you viewed it in any browser, it would instantly cause an overflow and your system would bluescreen unless you closed it through Procman. I wonder if I saved it... I had a corrupted image in a folder full of images on an old hard drive that would crash explorer after a few minutes when explorer worked its way to the file to thumbnail it or something. Sounds like you had/have a similar thing.
|
# ? Dec 17, 2008 15:23 |
|
brc64 posted: My least favorite question to answer from clients is "how did I get infected?" There's never a good way to answer that.

I hate that question. I generally just tell them that there isn't really any way for me to know the exact point of entry and that anything I might say would purely be speculation. It is a nice out when they say that their kids use the computer and then start down the line of "the only things they do online..." I generally try to interrupt politely and point out that if they have kids, they are going to get infected, guaranteed.
|
# ? Dec 17, 2008 15:24 |
|
Thanks for this thread, I've been running into some really nasty poo poo lately and hopefully the tools you guys have listed will help me out.
|
# ? Dec 17, 2008 22:41 |
Casao posted:You might've been running SP3, but unless these Chinese gold farmers know of some jpg exploit that nobody else in the universe does, you didn't get it via a jpg, you got it from doing something else. Probably something stupid, too. It exploits the Server service vulnerability (MS08-067) and dumps x.exe / x.dll / x into C:\Windows\system32, which then pulls down other poo poo into .jpg files (which are actually .exe and .dlls) within your IE Temporary Internet Files folder. It's nasty as poo poo, get the MS patch, install, unplug, reboot and full system scan the poo poo out of it
|
|
# ? Dec 18, 2008 00:44 |
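Two posts above describe things a removal tech can actually check on disk: the "hacked JPG" that is a real image with iframe/script tags stuck on the end, and the droppers that park executables in Temporary Internet Files under .jpg names. Whatever trick gets a browser to treat the first kind as HTML, both leave a simple fingerprint in the bytes. The script below is an added example written for this page, not something anyone in the thread posted: it identifies a file by its magic bytes rather than its extension, walks the JPEG, GIF or PNG structure to find where the real image ends, and reports anything that follows, or a PE header hiding behind an image extension. All sample byte strings in it are constructed; none are real malware.

```python
"""Image-file triage for the two tricks described in the thread:

1. a genuine JPEG/GIF/PNG with HTML (<iframe>, <script>, ...) appended
   after the image's end-of-file marker, and
2. a file named *.jpg that is really a Windows PE executable (MZ header),
   like the payloads dropped into Temporary Internet Files.

Every sample byte string below is constructed for this example.
"""
import os
import re
import struct

MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "pe",
}
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png")
HTML_TAG = re.compile(rb"<\s*(iframe|script|object|embed|html)\b", re.IGNORECASE)


def real_type(data: bytes) -> str:
    """Type implied by the leading bytes, regardless of the file name."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def _skip_gif_subblocks(data: bytes, pos: int) -> int:
    """GIF data is a chain of (size, bytes) sub-blocks ended by a 0 size."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1


def image_end(data: bytes, kind: str) -> int:
    """Offset one past the format's end marker, or -1 if it cannot be found."""
    try:
        if kind == "jpeg":
            # Entropy-coded JPEG data is hard to walk, so use the last EOI marker.
            # Appended ASCII HTML cannot contain 0xFF, so it cannot fool this.
            pos = data.rfind(b"\xff\xd9")
            return -1 if pos < 0 else pos + 2
        if kind == "png":
            pos = 8                                 # after the signature
            while pos + 8 <= len(data):             # walk chunk by chunk
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                ctype = data[pos + 4:pos + 8]
                pos += 12 + length                  # length, type, data, CRC
                if pos > len(data):
                    return -1                       # chunk runs past the file
                if ctype == b"IEND":
                    return pos
            return -1
        if kind == "gif":
            pos = 13                                # header + logical screen descriptor
            packed = data[10]
            if packed & 0x80:                       # global colour table present
                pos += 3 << ((packed & 7) + 1)
            while True:
                block = data[pos]
                pos += 1
                if block == 0x3B:                   # trailer
                    return pos
                if block == 0x21:                   # extension: label byte + sub-blocks
                    pos = _skip_gif_subblocks(data, pos + 1)
                elif block == 0x2C:                 # image descriptor
                    lpacked = data[pos + 8]
                    pos += 9
                    if lpacked & 0x80:              # local colour table present
                        pos += 3 << ((lpacked & 7) + 1)
                    pos = _skip_gif_subblocks(data, pos + 1)  # +1 skips LZW code size
                else:
                    return -1
    except IndexError:
        return -1                                   # truncated structure
    return -1


def triage(name: str, data: bytes) -> dict:
    """Describe what a file named `name` with contents `data` really is."""
    kind = real_type(data)
    ext = os.path.splitext(name)[1].lower()
    findings = []
    if kind == "pe" and ext in IMAGE_EXTS:
        findings.append("PE executable wearing an image extension")
    elif kind in ("jpeg", "gif", "png"):
        end = image_end(data, kind)
        if end < 0:
            findings.append("image end marker missing (truncated or malformed)")
        elif end < len(data):
            trailer = data[end:]
            m = HTML_TAG.search(trailer)
            if m:
                tag = m.group(1).decode("ascii").lower()
                findings.append(f"{len(trailer)} trailing bytes containing <{tag}>")
            else:
                findings.append(f"{len(trailer)} unexplained trailing bytes")
    return {"name": name, "type": kind, "findings": findings}


# Constructed samples: minimal valid images, an HTML payload, and a fake PE stub.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
GIF_BYTES = (b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00"         # 1x1, no colour table
             + b"\x2c" + b"\x00" * 4 + b"\x01\x00\x01\x00\x00"    # image descriptor
             + b"\x02\x02\x44\x01\x00" + b"\x3b")                 # LZW data + trailer
PNG_BYTES = (b"\x89PNG\r\n\x1a\n"
             + struct.pack(">I", 13) + b"IHDR" + b"\x00" * 13 + b"\x00" * 4
             + struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82")
IFRAME_HTML = b'<iframe src="http://example.invalid/" width=0 height=0></iframe>'
SCRIPT_HTML = b'<script src="http://example.invalid/a.js"></script>'
PE_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"

SAMPLES = {
    "clean.jpg": JPEG_BYTES,
    "iframe.jpg": JPEG_BYTES + IFRAME_HTML,
    "script.gif": GIF_BYTES + SCRIPT_HTML,
    "script.png": PNG_BYTES + SCRIPT_HTML,
    "clean.gif": GIF_BYTES,
    "x.jpg": PE_BYTES,          # what a dropper leaves in Temporary Internet Files
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        result = triage(fname, blob)
        print(f"{fname:12} {result['type']:8} {'; '.join(result['findings']) or 'ok'}")
```

Point it at a real folder by replacing SAMPLES with a loop over os.listdir and open(..., "rb").read(). The JPEG check is deliberately a heuristic (last EOI marker); the PNG and GIF checks walk the actual structure, so a file that fails them is malformed even if it displays fine.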
|
Otacon posted:My Toolkit lately has included 4 pieces of software: Thanks for the SuperANTISpyware recommendations in this thread. I'm a HUGE NOD32 fan, but it failed me today. I remembered looking at this thread, and came back, downloaded the free edition, and will now be purchasing a professional license.
|
# ? Dec 18, 2008 16:21 |
|
|
# ? Dec 18, 2008 16:31 |
|
I've been dealing with Vundo, aka Virtumonde for a couple weeks. I think I actually removed it once, then got reinfected. Now my java is up to date and it will hopefully stay off my system. The first time I used combofix and malwarebytes to get rid of it. This time I just renamed all the suspected dlls in my system32 folder then rebooted into safemode and deleted them. I then ran Spybot to take care of the left over registry entries. I ran it twice, and it caught a single entry the second time, so I hope it isn't still alive somewhere. Finally, I ran the symantec removal tool (which took for loving ever) and it didn't find anything. I'll do another Spybot scan tonight and see if any signs of it are back.
|
# ? Dec 18, 2008 16:38 |
|
hyperborean posted:
|
# ? Dec 18, 2008 17:13 |
|
brc64 posted:Oh drat, explorer.exe is a backdoor! You better delete that right away! And taskman.exe is an Internet virus! All those people telling you to run the "task manager" must be responsible for the infection! I have a text file somewhere of the fake-chkdsk results that some malware put out. At first glance the formatting was all correct, but the results give him something like twelve petabytes of disk storage, eighteen petabytes of which (yes, I know) is "dirty" and needs to be "e-cleaned".
|
# ? Dec 18, 2008 17:44 |
|
Midelne posted:I have a text file somewhere of the fake-chkdsk results that some malware put out. At first glance the formatting was all correct, but the results give him something like twelve petabytes of disk storage, eighteen petabytes of which (yes, I know) is "dirty" and needs to be "e-cleaned".
|
# ? Dec 18, 2008 17:53 |
|
At our shop the WinAntivirus2008 etc and its variants are old hat by now, not even an issue. One that DID give us a heart attack the other day was this: csrsc.exe Registers itself as a service "WinSpoolerService" and lists its publisher as Microsoft. We had to quickly kill the process, then delete the file on disk and a registry key, and if you weren't fast enough then it would run again and you couldn't delete the file. the scary part was when I took my flash drive with the tools out of that computer and plugged it into another computer, and all of a sudden that person's windows defender wanted to know if it was ok to attach csrsc.exe to like every drat startup process. Apparently this virus actually a. copies itself to removable media b. creates an autorun that c. fucks your poo poo up in about 3 seconds when you connect it to your computer.
|
# ? Dec 18, 2008 18:16 |
|
Midelne posted:And taskman.exe is an Internet virus! All those people telling you to run the "task manager" must be responsible for the infection!
|
# ? Dec 18, 2008 18:59 |
|
If NOD32 is dropping the ball, which is the SH/SC goto antivirus now? Also a lot of people in this thread need to disable autorun.
|
# ? Dec 18, 2008 19:16 |
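The csrsc.exe story and the "silently autoran off the pendrive" story both come down to an autorun.inf at the root of the stick. Before plugging a tools drive into the next machine, it is worth knowing what such a file would launch. The script below is an added example for this page, not code from anyone in the thread: it parses the [autorun] section the way Windows reads it (open=, shellexecute= and shell\verb\command= are the keys that run things; action= and icon= are the disguise), and carries the registry value that turns AutoRun off for every drive type. Both autorun.inf texts are constructed; the csrsc.exe name is from the thread, the RECYCLER path is made up for the example.

```python
"""Inspect an autorun.inf of the kind the thread describes: a removable
drive that launches a dropped executable the moment it is plugged in.

Both sample autorun.inf texts below are constructed for this example; the
csrsc.exe name comes from the thread, the paths do not.
"""
import configparser
import re

# [autorun] keys that make Windows launch something: open= and shellexecute=
# run via AutoRun/AutoPlay, shell\<verb>\command= hijacks the verbs offered
# when the drive is double-clicked or right-clicked in Explorer.
DIRECT_LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

MALICIOUS_SAMPLE = """[autorun]
open=RECYCLER\\S-1-5-21-0000\\csrsc.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-0000\\csrsc.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-0000\\csrsc.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

BENIGN_SAMPLE = """[autorun]
open=setup.exe
icon=setup.ico
label=Driver CD
"""

# Policy value that stops AutoRun for every drive type (0xFF = all drive-type
# bits set). Import with regedit or apply the same value via Group Policy.
NO_AUTORUN_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""


def parse_autorun(text: str) -> dict:
    """Lower-cased {key: value} for the [autorun] section; {} if unparsable."""
    # strict=False tolerates the duplicate keys malware often writes.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: v for k, v in cp.items(section) if v is not None}
    return {}


def assess(text: str) -> dict:
    """Report what the file would launch and how it disguises itself."""
    entries = parse_autorun(text)
    launches = []    # (key, command) pairs that execute code
    disguise = []    # keys that exist to make the drive pass for a plain folder
    for key, value in entries.items():
        if key in DIRECT_LAUNCH_KEYS or VERB_COMMAND.match(key):
            launches.append((key, value))
        elif key == "shell" and value.lower() != "open":
            disguise.append(f"default verb changed to {value!r}")
        elif key == "action":
            # Text shown in the AutoPlay dialog; malware copies Windows' own wording.
            disguise.append(f"AutoPlay label {value!r}")
        elif key == "icon" and "shell32.dll" in value.lower():
            # Borrowing a stock Windows icon so the drive looks like a folder.
            disguise.append(f"stock Windows icon {value!r}")
    return {"launches": launches, "disguise": disguise}


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        report = assess(sample)
        print(label, "launches:", report["launches"])
        print(label, "disguise:", report["disguise"])
```

The benign driver-CD file also launches code, which is the point: AutoRun cannot tell a vendor's setup.exe from csrsc.exe, so the fix is the registry value above (and deleting the stray autorun.inf), not a smarter parser. On XP, check that the policy is actually honoured after applying it, since older builds ignored it in some cases until Microsoft shipped a fix.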
|
Suspicious posted:If NOD32 is dropping the ball, which is the SH/SC goto antivirus now?
|
# ? Dec 18, 2008 19:24 |
|
hyperborean posted:avast!, Avira, Antivir, AVG (in order of my personal preference). Someone linked this site in another thread, it's great for making your own pick based on hard numbers from extensive testing.
|
# ? Dec 18, 2008 19:28 |
|
Suspicious posted:If NOD32 is dropping the ball, which is the SH/SC goto antivirus now? Everyone is being blindsided and is caught up in a cat-and-mouse game with this latest crapware.
|
# ? Dec 18, 2008 19:31 |
|
I had Vundo on my PC in November. I tried every antispyware program and specific Vundo fix program I could find. I ran Ubuntu on startup to get rid of all the crap. None of it worked and I had to wipe it and recover what I could. It's the only virus I've gotten since I was 13 and the nastiest thing I've ever seen.
|
# ? Dec 18, 2008 20:30 |
|
brc64 posted: I've been liking VIPRE Enterprise in my tests, but the decision makers don't want to invest in a new product (that's less expensive, easier to manage and would make us more money), so we're stuck with a product that's only compatible with Windows Server 2008 if you use the beta. Yay!

Also, VIPRE doesn't start with A, so it doesn't count
|
# ? Dec 18, 2008 20:43 |
|
Has Vundo been known to do anything beyond just being annoying? I'm wondering about things like keylogging, password stealing, etc. All it seems to do on my system is slow things down and occasionally try to open tabs to defunct websites in firefox.
|
# ? Dec 18, 2008 20:55 |
|
What makes this newest generation of viruses/malware so bad is that you can never be 100% sure it's gone unless you just reformat the whole system. On badly infected machines it seems that even after an antivirus scan, malwarebytes/superantispyware/adaware/spybot and combofix, the machine can still be hosed. Windows XP's level of security in the hands of an average retard computer user is almost zero, even with the best antivirus. I find it's often far faster to just backup and nuke the OS. Often a reinstall of windows is far faster than running several scans on a slow computer.
|
# ? Dec 18, 2008 21:18 |
|
ab0z posted:At our shop the WinAntivirus2008 etc and it's variants are old hat by now, not even an issue. One that DID give us a heart attack the other day was this: Sounds like you got the spools. That one seems to have burned itself out because I haven't seen it since sometime in July, but for a couple months prior to that I saw it everywhere. Before we understood what was going on we had infected probably five or six machines just by using our flash drives.
|
# ? Dec 18, 2008 21:19 |
|
By the way, if you have things that are "hidden", and resurgent or whatever, you need this tool: http://www.gmer.net/index.php It's aimed at rootkits but really it picks up anything running on the system.
|
# ? Dec 18, 2008 21:21 |
|
Another recommendation for GMER, but it's a little more advanced. Solutions like Malwarebytes and SuperAntiSpyware are fairly simplistic and almost anyone can operate them. GMER is good at showing you some really nasty poo poo (if it's there.) The latest AV-Comparatives report for November shows AntiVir and Kaspersky with the best rating, even though it's only around 70%. NOD32 is a well-built antivirus application with a small memory footprint. The problem with it, in my opinion at least, is it's no longer capable of keeping up with the release rate of the latest infections. As for wiping and reinstalling Windows, it ultimately is the best solution to eliminating infections. However, it's important to keep in mind that MBR rootkits are making a comeback. Not to mention when people reinstall systems via a recovery partition, what's the possibility of a virus infecting that partition?
|
# ? Dec 18, 2008 21:41 |
|
GREAT BOOK OF DICK posted:Another recommendation for GMER, but it's a little more advanced. Solutions like Malwarebytes and SuperAntiSpyware are fairly simplistic and almost anyone can operate them. GMER is good at showing you some really nasty poo poo (if it's there.)
|
# ? Dec 18, 2008 21:54 |
|
hyperborean posted:How does GMER compare to Process Explorer? Looking at the screenshots it seems similar, although it's hard to tell because I can't read Polish or whatever that is. Different tools for different jobs mainly. Process Explorer is great for seeing whats happening with loaded modules and handles. GMER is more of a rootkit-revealer type tool and extracts a lot of information about the internal state of the Windows kernel (and even the DOS IVTs and boot sectors). I haven't used Process Explorer for a year or so though so it might have changed since then.
|
# ? Dec 18, 2008 21:58 |
|
|
I'd flatten and reinstall if it didn't take so long to get everything back to the way it was. First you have to install the OS and apply all the updates, which includes what seems like 50 reboots. You can save a little time by slipstreaming the latest service pack into the install disc, but it still sucks. Then you have to reinstall drivers. Then you have to reinstall all the applications and possibly update them. Then you have to reconfigure all the applications and little tweaks you've set up since the last reformat. I'd estimate that it takes me the better part of a week to rebuild my system and get it back to how it was just before infection.
|
# ? Dec 18, 2008 21:59 |