Mantrid posted: Don't know if you guys saw this, but here's an interview with an adware coder: http://philosecurity.org/2009/01/12/interview-with-an-adware-author This is extremely interesting. Some of the stuff he talks about seems like it would be impossible for antivirus and antispyware programs to counter. How do you tell what the virus is if every program on the computer is running the parts of the code, and no one knows where it came from? How do you delete a registry key if it contains characters that cannot be mimicked by a 32-bit API? People like this need to start working for antivirus/antimalware companies, they are incredibly smart.

Feb 5, 2009 18:24

BillWh0re posted: did it perform a full scan of the disk, or just a quick on-access scan when you plugged it in?
ChunkyMonkey posted: Keep in mind too that corporate anti-virus software is terrible at catching things, especially the "on access" scanner. We use McAfee where I work, and I run malwarebytes/superantispyware constantly because McAfee doesn't catch poo poo.

Feb 6, 2009 04:54

One of my coworkers who does some work on the side for a local hospital told me she was instructed not to log into the hospital network until further notice. Apparently there's been a crippling virus outbreak that they're still trying to contain, and they've instructed everybody on the hospital network to turn off their computers until they can clean up the mess. Sounds like conficker or something, based on the description. Whoops.

Feb 6, 2009 15:30

Well, my brother's computer once again has caught the super-AIDS. It's got some new bastard version of Spyware Guard 2009 that won't let any antivirus programs run. SuperAntiSpyware just crashes, Malwarebytes spits up runtime errors, and I can't download any others because it redirects most common antivirus sites to 127.0.0.1. So I rebooted into safe mode and tried to run Malwarebytes. It scanned, the computer rebooted, and now it just sits at a black screen on startup. Safe mode with networking does the same thing, but regular safe mode still works. This is going to be a long day.

Feb 8, 2009 20:18

Format and reinstall. gently caress him if he can't be responsible.

Feb 8, 2009 21:11

deviant. posted: Format and reinstall. gently caress him if he can't be responsible.
Well, after he broke that computer, he went to my mom's computer and did the same thing, so I kind of have to figure out how to fix it.

Feb 8, 2009 21:23

Luigi Thirty posted: Well, after he broke that computer, he went to my mom's computer and did the same thing, so I kind of have to figure out how to fix it.
First, flatten his and call it a loss. Then, boot your mother's computer to an Ubuntu live CD, copy all her documents over to a USB drive and flatten hers as well. After the re-install, copy her files back over and install Avast. Seriously, it's not worth fighting.

Feb 8, 2009 21:46

Whenever I have helped friends in the past with virus removal I have always suggested a system re-install, since I believe there is really no way to know what a virus has messed with. Is this good advice, or can you put a high level of trust back into a machine that has had a virus, or in most cases many viruses, removed from it?
MillDaKill fucked around with this message at 23:41 on Feb 8, 2009

Feb 8, 2009 23:21

brc64 posted: One of my coworkers who does some work on the side for a local hospital told me she was instructed not to log into the hospital network until further notice. Apparently there's been a crippling virus outbreak that they're still trying to contain, and they've instructed everybody on the hospital network to turn off their computers until they can clean up the mess.
I heard the exact same thing from someone in my area as well about this. Are you sure there's not some spam e-mail going around with hospital IT experiences? Although it sounds completely feasible if there is lovely IT security within the majority of U.S. hospitals. That alone is a scary thought.

Feb 8, 2009 23:40

Luigi Thirty posted: Well, after he broke that computer, he went to my mom's computer and did the same thing, so I kind of have to figure out how to fix it.
It's hosed. You're almost certainly dealing with a few variants of Vundo, Zlob, and some rootkits on top of the original infection. Vundo has a million nasty tricks to remain in the system, and even if you manage to clean it off, the system will probably be crippled. Recover her files using the Ubuntu LiveCD, or Ultimate Boot Disk 4 Windows, flatten, reinstall, and break your brother's hands.
MillDaKill posted: Whenever I have helped friends in the past with virus removal I have always suggested a system re-install since I believe there is really no way to know what a virus has messed with. Is this good advice or can you put a high level of trust back into a machine that has had a virus or in most cases, many viruses removed from it?
That really depends on the particular infection. If the four scanners that I use (Trend, Avira, SAS, MBAM) call a system clean, then I consider it good to go. One exception is Vundo. That one is an automatic nuke n' pave.
GREAT BOOK OF DICK posted: I heard the exact same thing from someone in my area as well about this. Are you sure there's not some spam e-mail going around with hospital IT experiences? Although it sounds completely feasible if there is lovely IT security within the majority of U.S. hospitals. That alone is a scary thought.
Security is awful in most organizations, and most networks are a playground once you get past the firewall. Most of the time, there are people in the IT organization who know their poo poo and could really secure the network if management had the will and the wallet, but that never happens. Also, there's always That One Critical App that requires holes to be opened up in your tightly designed security.

Feb 9, 2009 01:36

Does the black screen have the mouse cursor? Can you bring up the task manager? In that case, it is usually that the malware has replaced a registry key that points to explorer.exe. Try running explorer.exe from the task manager. If it pops up, then you just have to find the registry key that points to it (I can't remember at the moment). If it says that explorer.exe can't be found, and it exists in Windows/System32 you are hosed.

Feb 9, 2009 02:26

I just ran gmer out of curiosity and the only thing that shows up under the Rootkit/Malware tab is fltmgr.sys, which appears to be a legitimate Windows file that viruses sometimes disguise themselves as. Should I delete the file or leave it alone and consider it a false alarm? I'm not experiencing anything out of the ordinary and Avira and Malwarebytes say everything is ok.
greg_graffin fucked around with this message at 03:30 on Feb 9, 2009

Feb 9, 2009 03:28

For anyone NOT nuking a system after a nasty virus install, please please PLEASEEEE turn off system restore and then turn it on again. Disabling system restore removes all of the backups, which are guaranteed infected. This will help you when in 2 weeks, your brother says "Hey my Windows is hosed up again, time to do a system restore!" and the system is reinfected.
greg_graffin posted: I just ran gmer out of curiosity and the only thing that shows up under the Rootkit/Malware tab is fltmgr.sys, which appears to be a legitimate Windows file that viruses sometime disguise themselves as. Should I delete the file or leave it alone and consider it a false alarm? I'm not experiencing anything out of the ordinary and Avira and Malwarebytes say everything is ok.
Gmer is not a scanner, in the way that MBAM or SAS is. All it does is look for boot entries that aren't default. 90% of the time I run Gmer at work, it throws up some false flags. Don't delete it because it pops up in Gmer. However, using an actual scanner on the files that show up in Gmer isn't a bad idea.
Otacon fucked around with this message at 04:55 on Feb 9, 2009

Feb 9, 2009 04:53

Seconding the "just nuke them from orbit" philosophy for everything except the most benign adware. The amount of time spent cleaning a virus and even then still not being 100% sure everything is gone could be spent backing up files, reformatting, and reinstalling drivers. A job like this takes me a max of 3 hours on average, but only 1 hour of real, actual work - yes, they get charged for all 3 hours. And let's be honest, most of these people could use a good reformat with the latest patches and an antivirus product that hasn't run out of its subscription 90 days after they purchased the PC.

Feb 9, 2009 14:50

Otacon posted: This will help you when in 2 weeks, your brother says "Hey my Windows is hosed up again, time to do a system restore!" and the system is reinfected.

Feb 9, 2009 14:57

Why flatten everything when you can use a live CD or plug the hard drive in a healthy system and scan it from there? Rootkits and such can't hide if they're not even loaded.

Feb 9, 2009 18:36

devmd01 posted: Seconding the "just nuke them from orbit" philosophy for everything except the most benign adware. The amount of time spent cleaning a virus and even then still not being 100% sure everything is gone could be spent backing up files, reformatting, and reinstalling drivers. A job like this takes me a max of 3 hours on average, but only 1 hour of real, actual work - yes, they get charged for all 3 hours. And let's be honest, most of these people could use a good reformat with the latest patches and an antivirus product that hasn't run out of its subscription 90 days after they purchased the PC.
If I can't get a system back to its feet within 10-15 minutes, I back up, format and reinstall (pending client agreement of course).

Feb 9, 2009 22:50

Thanks for the thread guys. I was stuck back in 2005 with adaware and spybot. I did a quick SuperAntiSpyware run and it found:
BhoApp-b
Unclassified.Unknown Origin (What?)
Rogue.MSAntiSpyware2009
No wonder I've been slow lately.

Feb 10, 2009 01:50

fungi^2 posted: Thanks for the thread guys. I was stuck back in 2005 with adaware and spybot. I did a quick SuperAntiSpyware run and it found:
BHOApp is related to an MSIE toolbar - BHO means "Browser Helper Object"
Unclassified.Unknown Origin is usually a remnant of another virus/malware that was half removed - it's usually not a threat, but it's nice to remove it.
Anti Spyware 2009 is what 90% of the Internet is infected with, and definitely was the culprit in making your machine slow to a crawl. Don't feel too bad - over 100,000 people are infected by it every week. Look at it this way: You're just a statistic, that's all!

Feb 10, 2009 02:15

Suspicious posted: Why flatten everything when you can use a live CD or plug the hard drive in a healthy system and scan it from there? Rootkits and such can't hide if they're not even loaded.
Because something like the Ultimate Boot CD for Windows can't necessarily help you clean everything. Something like the Geeksquad MRI CD can actually mount the Windows installation and have the ability to clean registry entries, hidden files, etc. I'm probably not as educated on utilizing an Ultimate Boot CD to its fullest potential, but I haven't found any easy way to clean everything with it.

Feb 10, 2009 02:36

GREAT BOOK OF DICK posted: Because something like the ultimate boot cd for windows can't necessarily help you clean everything. Something like the Geeksquad MRI CD can actually mount the Windows installation and have the ability to clean registry entries, hidden files, etc. I'm probably not as educated on utilizing an ultimate boot cd to its fullest potential, but I haven't found any easy way to clean everything with it.
Best I've used (that can mount to a Windows partition) is ERD Commander. Very useful for stopping hidden processes, drivers, services, etc.

Feb 10, 2009 02:44

GREAT BOOK OF DICK posted: Because something like the ultimate boot cd for windows can't necessarily help you clean everything. Something like the Geeksquad MRI CD can actually mount the Windows installation and have the ability to clean registry entries, hidden files, etc. I'm probably not as educated on utilizing an ultimate boot cd to its fullest potential, but I haven't found any easy way to clean everything with it.
Not only that, it can do registry hive replacements, if the PC has known good ones from a restore point. The Geek Squad stuff is incredibly nice and far beyond what most people have ever seen for automated virus removal and much, much more effective.

Feb 10, 2009 03:39

I don't understand why viruses screw up computers so bad. It seems to me like it would be in the virus author's best interest to make the virus as discreet as possible while doing their nefarious work in the background. If a computer gets so royally hosed up from infection, most people turn their computer off and either throw it in the trash and buy a new one, or call someone to help figure out what the hell is going on.

Feb 10, 2009 05:19

diehlr posted: I don't understand why viruses screw up computers so bad. It seems to me like it would be in the virus author's best interest to make the virus as discreet as possible while doing their nefarious work in the background. If a computer gets so royally hosed up from infection, most people turn their computer off and either throw it in the trash and buy a new one, or call someone to help figure out what the hell is going on.
It all depends on what the virus author wants to do. Some simply want to download adware, where they get paid per install. Some want to sell you the variant of XP Antivirus that they created from some template, some want to steal your info, and some just want to destroy your computer. If you read that article that I believe was posted here, there was a guy who wrote adware who actually had to include his own antimalware in his program to keep all the others off so people's computers wouldn't be so horribly messed up that his program wouldn't work anymore.

Feb 10, 2009 05:27

Otacon posted: Best I've used (that can mount to a Windows partition) is ERD Commander. Very useful for stopping hidden processes, drivers, services, etc.
/sign
Once you know where the malware likes to hide, it's easy enough to remove.

Feb 10, 2009 06:46

Has anyone here worked with Geeksquad? How efficient were those MRI disks?

Feb 10, 2009 08:00

You don't have to work at Geek Squad to get an MRI disc. You just have to work at any other computer repair store. One will come in eventually.

Feb 10, 2009 08:07

Anyone here use Counterspy/VIPRE security software? I've been using them for a few years now and they are one of the most underrated security companies I've seen; their stuff is very good (they originally made the first versions of the Microsoft Antispyware product). They just released a self-contained executable command-line scanner that does a pretty good job of removing a lot of junk, especially on systems that aren't loading up explorer. I'm currently looking at integrating it into my LiveCD system as well. Their product is called VIPRE PC Rescue and is at http://live.sunbeltsoftware.com/. Download includes latest definitions built in. Good one to throw on the flash drive; scan time took me all of 3-4 minutes.
http://live.sunbeltsoftware.com posted: The VIPRE PC Rescue Program is a command-line utility that will scan and clean an infected computer that is so infected that programs cannot be easily run.

Feb 10, 2009 08:29

So I finally installed WinXP SP3 only 2 days ago and just today, browsing the internet, I notice my HD running too much, check processes and see acrord32.exe using 1.2 gigs of memory. I haven't been viewing any .pdf's since I booted. 5 minutes later my window is greyed out and I have a fake anti-virus program pretending to scan my system. prunnet.exe among other things in my processes now. I kill and delete everything, but I still have some randomly generated .dll's in system32 created at the same time which have hooked themselves into my winlogon.exe so I can't kill them or delete them. They generate new registry values every time I reboot so the same processes keep popping up no matter how many times I remove them from my registry and delete the files I can delete. Is there any way to use an image of a CD-ROM/floppy boot disk and load it from the HD using boot.ini? I have no floppy drive, my DVD drive isn't recognized in my BIOS menu and I got nothing but my HD to boot to. Which is SATA, and every other HD in this house is IDE so I can't even put it in a different computer to just delete the goddamn files hooked into my winlogon.exe. Whatever happened to being able to boot to a DOS prompt anyways. gently caress you safe mode with command prompt.

Feb 10, 2009 10:28

Well, it looks like my computer is infected with something, but I can't figure out what. I'm pretty sure it's not Vundo/Virtumonde, because it's not behaving like that. I've tried scanning it with SAS, MalwareBytes, Spybot, and Nod32, and so far nothing (I'm running some scans now, but I'm not at home). The way I know: My cable modem kept dropping connection. At first, I thought it must be the modem, or maybe my router. So like a good troubleshooter, I plugged the modem directly into my computer. It still kept dropping connection, requiring a modem reset. So I plugged it directly in to my wife's computer. It worked perfectly. Bad news for me, I guess. So this morning, I hooked it back up to my router and turned on my system, to see if I could figure this out. I type "netstat -a" and HOLY gently caress WHAT IS ALL THAT!? There was a long list (a very long list) of connections to various IPs and sites, none of which were using any normal ports (ones way up in the 40k range). Yeah. I'm infected. But I'm not sure how to fix this. I'd like to know what it is before just formatting and reinstalling (which is likely what I'll do anyway, but I want to know what it is!). Also, if I format (when), how safe are my backups? Is my secondary drive safe, etc., if it's a rootkit? That's kind of why I'd like to know what it is, first. EDIT: Gonna try a 'netstat -a -o' when I get home.
3 Action Economist fucked around with this message at 15:49 on Feb 10, 2009

Feb 10, 2009 14:02

Check the PIDs against the ones in the Task Manager, that will tell you which processes are opening tons of connections. It's likely that your modem is fine, you're just hitting XP's TCP/IP max connections limit, which is 5 for XP home, and 10 for XP Pro. I had a bittorrent software running that gave me the same issue, I used to reboot every time that happened. Once I realized it was the bittorrent client, I closed it and now my internet works fine again.

Feb 10, 2009 16:00

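The PID triage suggested above, as an added example that is not from the thread: a script that groups the rows of a `netstat -ano` listing by owning PID so they can be matched against Task Manager, and flags processes holding several connections to high-numbered remote ports like the ones the poster saw. The listing, the connection threshold and the port cut-off are all constructed assumptions for the demo.

```python
"""Group `netstat -ano` rows by PID and flag processes with many connections
to high remote ports. Added example; the sample listing is constructed."""
import re
from collections import defaultdict

# Constructed sample in the column layout Windows `netstat -ano` prints.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    192.168.1.5:1045       198.51.100.7:443       ESTABLISHED     2816
  TCP    192.168.1.5:1067       203.0.113.9:41233      ESTABLISHED     3124
  TCP    192.168.1.5:1068       203.0.113.10:41890     ESTABLISHED     3124
  TCP    192.168.1.5:1069       203.0.113.11:42401     SYN_SENT        3124
  TCP    192.168.1.5:1070       203.0.113.12:47002     ESTABLISHED     3124
  UDP    0.0.0.0:500            *:*                                    1204
"""

# proto, local, foreign, optional state (UDP rows have none), pid
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; header lines and
    anything else that does not look like a connection row are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def remote_port(addr):
    """Port of an address string such as '203.0.113.9:41233'; None for '*:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def connections_by_pid(rows):
    """Count TCP rows per PID, leaving out plain LISTENING sockets."""
    counts = defaultdict(int)
    for proto, _local, _remote, state, pid in rows:
        if proto == "TCP" and state != "LISTENING":
            counts[pid] += 1
    return dict(counts)


def suspicious_pids(rows, min_conns=3, high_port=10000):
    """PIDs with at least `min_conns` TCP connections whose remote port is
    above `high_port`. Both thresholds are assumptions for this example;
    SYN_SENT rows count, since a beaconing process keeps dialing out."""
    high = defaultdict(int)
    for proto, _local, remote, state, pid in rows:
        rp = remote_port(remote)
        if proto == "TCP" and state != "LISTENING" and rp and rp > high_port:
            high[pid] += 1
    return sorted(pid for pid, n in high.items() if n >= min_conns)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, n in sorted(connections_by_pid(rows).items()):
        print(f"PID {pid}: {n} connection(s)")
    print("check these PIDs in Task Manager:", suspicious_pids(rows))
```

On a real box, feed it the saved output of `netstat -ano` and look the flagged PIDs up in Task Manager's PID column.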
Chunky Monkey posted: Check the PID's against the ones in the Task Manager, that will tell you which processes are opening tons of connections. Its likely that your modem is fine, youre just hitting XP's TCP/IP max connections limit, which is 5 for XP home, and 10 for XP Pro. I had a bittorrent software running that gave me the same issue, I used to reboot everytime that happened. Once I realized it was the bittorrent client, I closed it and now my internet works fine again.
I use Vista64, and it's not that my computer is crapping out. It's actually the modem. I know, because a modem reset fixes it -and- the router was losing connection to it, not just my PC. But yes, I will be checking which PIDs and executables are causing this and hopefully I'll be able to remove them with UBCD or something.

Feb 10, 2009 16:10

BorderPatrol posted: Anyone here use Counterspy/VIPRE security software? I've been using them for a few years now and they are one of the most underrated security companies I've seen, their stuff is very good (they originally made the first versions of the Microsoft Antispyware product).

Feb 10, 2009 17:05

brc64 posted: I tested VIPRE Enterprise here and loved it. My boss proposed it to the owner as an alternative to OfficeScan (which STILL isn't Server 2008 compatible), citing better protection and management AND lower cost (which means we can make more money from it). Owner dismissed the idea without even giving it 2 seconds of thought.
Should have emphasized the Microsoft connection to give the aura of reliability.

Feb 10, 2009 17:11

Okay, I just spent 2 hours of my life battling the meanest winantivirus variant I've seen to date. This sucker appears to create some stealth software restriction policy that prevents me from installing anything that might get rid of it. MBAM setup just closes (and yes, I did try renaming the installer). HijackThis closes. Process Explorer closes, even under safe mode. gpresult /v showed me, among other things: code:
code:
If the computer weren't offsite I might be more willing to try to beat it into submission, but for now I give up. I told them to call the local guy who installed the PC and have him deal with it.

Feb 10, 2009 17:18

brc64 posted: Okay, I just spent 2 hours of my life battling the meanest winantivirus variant I've seen to date. This sucker appears to create some stealth software restriction policy that prevents me from installing anything that might get rid of it. MBAM setup just closes (and yes, I did try renaming the installer). HijackThis closes. Process Explorer closes, even under safe mode.
I guess the next thing to try is a boot CD with portable installations of scanners already present. After that I'd just flatten/reinstall, because goddamn once you're mucking around in phantom software restriction policies you're too far in.

Feb 10, 2009 17:28

Midelne posted: I guess the next thing to try is a boot CD with portable installations of scanners already present. After that I'd just flatten/reinstall, because goddamn once you're mucking around in phantom software restriction policies you're too far in.

Feb 10, 2009 17:54

Could someone explain to a dummy why if you backup important personal files on an infected computer, and put those files onto a fresh install, that the virus doesn't piggy-back with your documents and install itself again?

Feb 10, 2009 18:23

Hughmoris posted: Could someone explain to a dummy why if you backup important personal files on an infected computer, and put those files onto a fresh install, that the virus doesn't piggy-back with your documents and install itself again?
Viruses, etc., can only infect certain types of files, usually executables.

Feb 10, 2009 18:28

I'm on my third computer today that's crossed my desk with TDSSrv, and it's only 2pm.
Signs that you are infected with TDSSrv: Windows XP refuses to boot, either blue-screening during the black loading screen, or freezing before it gets to login.
Solution: Run WinERD Commander from the boot CD, attach it to your Win install, and go to Start -> Autoruns. Find the appropriate user profile (search through them all) and google every file that is set to autorun. If any of the results come up as malware, right click and delete that autorun.
Then, move on to drivers and services: look for anything called TDSSrv, TSsrv, or any variants - there isn't always anything hidden in here, but you should always check.
Finally, navigate in Explorer (still in WinERD Commander) to c:\windows\system32\drivers - sort by date edited, and remove all of the random strings of letters, as well as anything listed as TDSSrv - even the log files can infect your system. Most of the virus will have modified dates very close together, and usually extremely recent. Then, backtrack one directory to c:\windows\system32, and sort it by date again. Do the same deletes for any other random string filenames, as well as the TDSSrv files.
Click Start, Restart - do not just power off the computer as the startup registry changes will not be made. You should now be able to boot into safe mode, and run Combofix.
This virus should suck my nuts.

Feb 10, 2009 20:02

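The "sort the drivers folder by date and look for random-string and TDSSrv names" step above, as an added example that is not a tool from the thread: run against a mounted, offline system32\drivers directory it lists files newest first, flags TDSSrv/TSsrv-style names and random-looking names, and also notes files modified within a short window of a flagged one, since the post says the dropped files carry nearly identical, very recent dates. The sample folder, the vowel-ratio heuristic and the 2-minute window are constructed assumptions for the demo; it only reports and never deletes.

```python
"""Offline triage of a Windows drivers folder: newest first, with reasons.
Added example; build_demo_dir() fakes a drivers folder so it runs anywhere."""
import os
import re
import tempfile
import time

KNOWN_NAME_RE = re.compile(r"tdss|tssrv", re.IGNORECASE)
CLUSTER_WINDOW_SEC = 120   # assumption: one drop writes its files within 2 min
VOWELS = set("aeiouy")

def looks_random(stem):
    """Crude heuristic, not a signature: 8+ alphanumerics with almost no
    vowels (e.g. 'kbqxwvmzr'); real names like 'mountmgr' pass as normal."""
    s = stem.lower()
    if len(s) < 8 or not s.isalnum():
        return False
    return sum(c in VOWELS for c in s) / len(s) < 0.2

def triage_drivers(path):
    """Return the files in `path`, newest first, each with the list of
    reasons it was flagged (an empty list means nothing suspicious)."""
    entries = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        reasons = []
        if KNOWN_NAME_RE.search(name):       # catches the .log files too
            reasons.append("name matches TDSSrv/TSsrv pattern")
        if looks_random(os.path.splitext(name)[0]):
            reasons.append("random-looking filename")
        entries.append({"name": name, "mtime": os.path.getmtime(full),
                        "reasons": reasons})
    entries.sort(key=lambda e: e["mtime"], reverse=True)
    # Anything written in the same window as a flagged file deserves a look.
    flagged_times = [e["mtime"] for e in entries if e["reasons"]]
    for e in entries:
        if not e["reasons"] and any(abs(e["mtime"] - t) <= CLUSTER_WINDOW_SEC
                                    for t in flagged_times):
            e["reasons"].append("modified alongside flagged files")
    return entries

def flagged_names(path):
    """Just the names triage_drivers() flagged, for quick review."""
    return [e["name"] for e in triage_drivers(path) if e["reasons"]]

def build_demo_dir():
    """Constructed sample folder: two legitimate names dated a year back, two
    TDSS-style drops, the log the drop wrote, and an unrelated file written
    in the same minutes (picked up only by the timestamp clustering)."""
    root = tempfile.mkdtemp()
    now = time.time()
    samples = {"fltmgr.sys": now - 400 * 86400, "ndis.sys": now - 400 * 86400,
               "TDSSserv.sys": now - 90, "kbqxwvmzr.sys": now - 60,
               "TDSSmain.log": now - 50, "newdrv.sys": now - 40}
    for name, mtime in samples.items():
        full = os.path.join(root, name)
        with open(full, "wb") as fh:
            fh.write(b"\x00")
        os.utime(full, (mtime, mtime))
    return root

if __name__ == "__main__":
    for e in triage_drivers(build_demo_dir()):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(e["mtime"]))
        print(stamp, e["name"], "; ".join(e["reasons"]) or "-")
```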