|
ZoneAlarm using 82% of your CPU time might be trying to tell you something. Are you sure it's not actively blocking anything, or that you're transmitting a buttload of packets to keyloggers.ru or something?
|
# ? Mar 31, 2009 06:37 |
|
Rootkit.KInject: Why does my computer keep talking to freecreditcards.ru?
|
# ? Mar 31, 2009 07:29 |
|
Possibly screwed up ZoneAlarm; vsmon is what's killing the CPU. Google indicates this is a common problem with a few potential fixes floating around. I'd just go for a reinstall of it for the best odds at fixing it. EDIT: wow, didn't see there was another page past that post, already answered
|
# ? Mar 31, 2009 08:32 |
|
Conficker's detectable by nmap btw - nmap -PN -d -p 445 --script=smb-check-vulns --script-args=safe=1 1.2.3.4
|
# ? Mar 31, 2009 13:38 |
|
Elected by Dogs posted:Conficker's detectable by nmap btw - nmap -PN -d -p 445 --script=smb-check-vulns --script-args=safe=1 1.2.3.4 All well and good, but I suspect the vast majority of infections are going to be on home computers and not under the watchful eye of someone experienced enough to know what nmap does. I'm hoping ISPs can do something similar and find infected machines remotely (assuming they're not NAT'd or anything like that).
|
# ? Mar 31, 2009 13:51 |
|
darkforce898 posted:The university I work for is having a problem with DNS changer viruses and they are not fun at all. They seem to all be Trojan.Flush.M but they aren't at all. None of the files are the same, but they have the exact same symptoms. code:
|
# ? Mar 31, 2009 14:06 |
|
Well, I tried rebooting in safe and using ComboFix. It didn't kill my computer this time, and it deleted a bunch of stuff:code:
I tried running Avira, MalwareBytes, GMER, and - in desperation - Windows Defender. No hits in the registry where Spyware Doctor sees TDS. Is it possible that it quarantined the files without telling me?
|
# ? Mar 31, 2009 15:45 |
|
The Man with a Hat posted:The thing is, Spyware Doctor still sees TDSServ, and not only that, but it's picked up signatures of an unidentified, low-risk Trojan that wasn't popping up before. I just went back to check on your previous post to figure out what was going on. Half your problem is likely to be the program reporting the problem, since I'm not aware of any worthwhile programs that will find malware, but not remove it unless you pay them money; that reads almost exactly, point for point, like how Antivirus 2009 spreads. I'd recommend uninstalling the thing (though if I'm reading this right, you already paid money to 'upgrade'?), even if it does turn out to be vaguely legitimate, on the grounds that their webpage is ugly and their business model is shady. Also, they're stupid and their faces are dumb. Find another computer. Put the hard drive from your old computer into the new computer as a secondary drive - do not boot from the old hard drive, boot from the new one. In this operating system -- which is presumably uninfected -- run whatever virus and malware scanners you'd like on the old hard drive. Preferably MalwareBytes or SAS, something that doesn't make you pay to remove what it's already found. If system files are fine, you've just fixed your system. If not, you've got a clear and simple course ahead of you of moving documents and necessary files, then reinstalling a clean copy of Windows.
|
# ? Mar 31, 2009 16:26 |
|
My aforementioned problems with logging in keep persisting. Today to the extent of not getting a successful log-in in normal mode (or, Test Mode as it's called now) at all. Safe Mode still works, though.
|
# ? Mar 31, 2009 17:06 |
|
Zuffox posted:My aforementioned problems with logging in keep persisting. Today to the extent of not getting a successful log-in in normal mode (or, Test Mode as it's called now) at all. Safe Mode still works, though. I can't remember - Have you run Combofix? If any of your system files are infected (I've seen explorer.exe, userinit.exe, and a slew of others capable of carrying an infection) then Combofix will alert you with the log file. If you have and the log file didn't tell you anything new, did you try Hijack-This? Post the log files and let's see what turns up.
|
# ? Mar 31, 2009 17:47 |
|
Even though the software is pretty self explanatory, I thought I'd share the best method I've come up with on running Combofix.
Step 0: Put Combofix on a thumbdrive, and insert thumbdrive.
Step 1: Turn on computer, press F8, boot into safe mode.
Step 2: Do not hit "OK" to the safe mode warning - let that popup stay on the screen, but move it aside. You don't want to let explorer load.
Step 3: CTRL+ALT+DEL to get to TaskMan, and go to File - New Task
Step 4: Click browse, and find your thumbdrive
Step 5: Copy/Paste combofix.exe to C:
Step 6: Rename to "c:\cf.exe"
Step 7: Run (from TaskMan) cf.exe.
Step 8: Close TaskMan.
As CF is running, it may reload the Safe Mode gui - just ignore it again. If Combofix has to restart your computer, follow these same directions - ideally, you'll catch it before it reboots so you can get it into safemode. It'll display the safe mode gui again - remember to ignore it. Finally, after it displays your log file, CTRL+ALT+DEL to get to task man, New Task, and launch explorer - you're back in business. I've been using this method for a few weeks and it constantly surprises me how many systems I can bring back from the dead with it. Safe mode (and not letting explorer run) is your friend. Use it wisely.
|
# ? Mar 31, 2009 18:04 |
|
Otacon posted:I can't remember - Have you run Combofix? If any of your system files are infected (I've seen explorer.exe, userinit.exe, and a slew of others capable of carrying an infection) then Combofix will alert you with the log file.
|
# ? Mar 31, 2009 18:16 |
|
Zuffox posted:It's unsupported on Vista 64, unfortunately. At least the last time I tried. Appreciate your elaborate guidance, though. Oh. 64 bit. Right. I've officially got nothing. Apologies.
|
# ? Mar 31, 2009 18:19 |
|
Well, I checked around, and it looks like the Spyware Doctor program is legit. The company is even working with Symantec. When I was checking, though, I found this... Wikipedia posted:Spyware Doctor is not free, but a free scan version is offered, providing real-time protection and scans for spyware. Only the full version is capable of removing spyware (though a user can use the free version to locate where the spyware is and then manually remove the files and registry entries themselves). ...I'm kinda tempted, but I don't want to ruin my computer. Here are the hits that Spyware Doctor picks up. Do they look just about right for a TDS infection? Or is Spyware Doctor an elaborate hoax?
|
# ? Mar 31, 2009 19:43 |
|
The Man with a Hat posted:Do they look just about right for a TDS infection? Or is Spyware Doctor an elaborate hoax? Can you navigate to http://safety.live.com ?
|
# ? Mar 31, 2009 20:25 |
|
The Man with a Hat posted:Do they look just about right for a TDS infection? Or is Spyware Doctor an elaborate hoax?
|
# ? Mar 31, 2009 20:29 |
|
The Man with a Hat posted:Well, I checked around, and it looks like the Spyware Doctor program is legit. The company is even working with Symantec. PCtools and Spyware Doctor have been around for a really long time. I used to have a subscription for it with the anti-virus edition, it's a good program really. https://www.pctools.com
|
# ? Mar 31, 2009 21:33 |
|
taiyoko posted:As I said, nothing seemed particularly out of place at first glance. I used to use logmein, I now use Crossloop for all my remote fixing things. https://www.crossloop.com All it needs is Email registration to download.
|
# ? Mar 31, 2009 23:07 |
|
Well, I downloaded HijackThis, and got a log. Not really sure what I should be looking for, but there are a couple of suspicious lines. It's kinda lengthy... would anybody be able to give me an opinion, if I posted it?
|
# ? Apr 1, 2009 03:06 |
|
The Man with a Hat posted:Well, I downloaded HijackThis, and got a log. Not really sure what I should be looking for, but there are a couple of suspicious lines. It's kinda lengthy... would anybody be able to give me an opinion, if I posted it? Yep! That's why it has that log - to post to other knowledgeable people and get their opinions.
|
# ? Apr 1, 2009 03:36 |
|
Excellent. Thanks for all your help.code:
|
# ? Apr 1, 2009 03:39 |
|
Well, I've been getting a lot of email regarding Conficker. I got links to removal tools, network scans, etc. I'm told that I will be on-call for a few of our clients tomorrow. My friend sent me a bunch of text messages saying he's on call for his place tomorrow as well. From the looks of it, Microsoft posted a fix to the exploit back in October 2008. Wouldn't that mean the update has been available on Windows Updates since November?
|
# ? Apr 1, 2009 04:11 |
|
First: You should avoid having two different virus scanners on your computer. Stick with Avast, uninstall Avira. Second: what is that crawler program? Third: While Spyware Doctor is a legit program, I don't see the need to have all these programs on startup. I mean: SuperAnti Spyware, Registry Mechanic, and Spyware Doctor? That's a bit overboard. I personally run MalwareBytes and Avast - that's it. You might still be in diagnostic mode and just trying everything under the sun to get to your problem, so I don't know. But, still - having two anti-virus programs is like wearing 2 condoms - it seems like a great idea, but it usually ends in tears. Fourth: Your running processes all check out, but these are safe to remove: The Man with a Hat posted:
From what HJT tells me, your tools found and removed the viruses - anything that says (no file) was an infected file that was removed. Give MalwareBytes a try (if you haven't already) and let us know if it finds anything else. From the look of that HJT log, you aren't infected - just running horribly slow with all those processes. Otacon fucked around with this message at 04:50 on Apr 1, 2009 |
# ? Apr 1, 2009 04:39 |
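The post above reads a HijackThis log by hand: autostart entries (the O4 lines) that end in "(no file)" point at a file that is no longer on disk, i.e. a leftover registry reference after the scanners removed the payload. Below is an added example, not code from the thread or from HijackThis, that parses a log in that format and pulls out exactly those dangling entries so the triage can be repeated on any log. The log text is constructed for the example; the file paths, CLSID and entry names in it are made up and do not refer to any real sample.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in HijackThis log layout (not the log posted in the thread).
# "(no file)" is what HJT prints when the referenced file does not exist on disk.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:12 PM, on 3/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - (no file)
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sysupd] (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
""".strip("\n")

# Every finding line starts with a section code such as R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


@dataclass
class HjtEntry:
    section: str   # e.g. "O4" (Run/RunOnce autostarts)
    text: str      # the remainder of the line after "O4 - "
    no_file: bool  # True when the entry points at a file HJT could not find


def parse_hjt_log(log: str):
    """Split a HijackThis log into its running-process list and its finding entries."""
    processes, entries = [], []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2), "(no file)" in m.group(2)))
    return processes, entries


def dead_entries(entries):
    """Entries whose target file is gone: the ones the post calls safe to remove."""
    return [e for e in entries if e.no_file]


def startup_entries(entries):
    """O4 lines only: the autostart keys that decide what runs at logon."""
    return [e for e in entries if e.section == "O4"]


def section_counts(entries):
    """How many findings of each HJT section type the log contains."""
    return Counter(e.section for e in entries)


if __name__ == "__main__":
    procs, found = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(procs)} running processes, {len(found)} findings")
    for e in dead_entries(found):
        print(f"dangling {e.section}: {e.text}")
```

Running it on the constructed log reports two dangling entries, the O2 BHO and the O4 "sysupd" autostart, which is the pattern the post describes: the scanners deleted the file, and only the registry pointer is left to clean up.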
|
Otacon posted:First: You should avoid having two different virus scanners on your computer. Stick with Avast, uninstall Avira. Thanks. Crawler's just a plugin that warns me away from potentially dangerous websites. As for all the scanners, I figured that piling on the protection would be a good idea. Guess not. I had a Virtumonde scare about a year ago, so I went kind of overboard finding a solution. vvv Gotcha, thanks again. Tsercele fucked around with this message at 04:54 on Apr 1, 2009 |
# ? Apr 1, 2009 04:47 |
|
The Man with a Hat posted:Thanks. Crawler's just a plugin that warns me away from potentially dangerous websites. As for all the scanners, I figured that piling on the protection would be a good idea. Guess not. I had a Virtumonde scare about a year ago, so I went kind of overboard finding a solution. Dammit! I just edited my post, and was hoping for a ninja-edit. Oh well. Just give it a re-read - I researched a lot of those "iffy" ones on Google, and have removed a lot that I wasn't sure about.
|
# ? Apr 1, 2009 04:51 |
|
I've officially given up on ESET's support. Will likely do a format, but goshdarnit, I'll have to do a backup, and some malware might make it to the backup drive. Any last hints and help?
|
# ? Apr 3, 2009 14:20 |
|
Zuffox posted:I've officially given up on ESET's support. Will likely do a format, but goshdarnit, I'll have to do a backup, and some malware might make it to the backup drive. Pull the drive from the infected machine, drop it in an enclosure attached to another machine, scan it from there.
|
# ? Apr 3, 2009 14:21 |
|
I had this lovely email (slightly edited) when I came in this morning. The time on the email was 3:21 AM.quote:I initiated the Trend Scan on all machines. PC05 computer is INFECTED!!!! [emphasis hers] Notice states "0 files cleaned, 11 infected and unable to fix". I never called her, either.
|
# ? Apr 3, 2009 14:50 |
|
Midelne posted:Pull the drive from the infected machine, drop it in an enclosure attached to another machine, scan it from there.
|
# ? Apr 3, 2009 16:07 |
|
Zuffox posted:Which programs would you recommend? I've tried them all on the laptop itself (some online scanners that didn't work aside), and naught was caught. Oh, pretty much anything. SUPERAntispyware, MalwareBytes, AVG Free, whatever you get your hands on. Scanning a drive that's not being booted from, in a clean operating system environment, is a much less challenging task for a scanner than playing hide and seek with rootkits using potentially compromised tools to do the checking.
|
# ? Apr 3, 2009 17:36 |
|
Well, saw my first instance of MS Antivirus; it was on a public computer used to sign up for timeslots for advising or something; anyway, I never knew how evil it was. Of course, I'm assuming that it's totally unrelated to the "www.sexyteensluts.biz" and "www.hairydykes.net" that I noticed in the search history. Is it hard to get off a computer, or are the computer janitors in charge going to have a real fun time getting rid of it?
|
# ? Apr 3, 2009 19:12 |
|
CraigK posted:Well, saw my first instance of MS Antivirus; it was on a public computer used to sign up for timeslots for advising or something; anyway, I never knew how evil it was. Of course, I'm assuming that it's totally unrelated to the "www.sexyteensluts.biz" and "www.hairydykes.net" that I noticed in the search history. It really isn't that bad. Run malwarebytes from a protected usb drive and then run combofix and you should be fine.
|
# ? Apr 3, 2009 20:00 |
|
brc64 posted:I had this lovely email (slightly edited) when I came in this morning. The time on the email was 3:21 AM. From what I've noticed in our company, do not trust another anti-virus vendor (Kaspersky) having 100% success removing Trend from all workstations automatically before installing their product. We had a lot of machines that were crashing or running very slowly simply because Trend was never completely uninstalled. Trend really does have a horrible loving product.
|
# ? Apr 4, 2009 03:31 |
|
Looks like I'm dealing with Win32/Virut.NBM on my aunt's PC. She said she was searching Craigslist for things to buy and she opened a link on there that probably infected her. At least she came forward and admitted that she's been using McAfee and it's since been expired for 2+ years.
|
# ? Apr 6, 2009 00:12 |
|
GREAT BOOK OF DICK posted:Looks like I'm dealing with Win32/Virut.NBM on my aunt's PC. She said she was searching Craigslist for things to buy and she opened a link on there that probably infected her. At least she came forward and admitted that she's been using McAfee and it's since been expired for 2+ years. This thing is a real bastard once you're infected because the infection routine has a significant chance to just trash each file it infects so it can't be recovered.
|
# ? Apr 6, 2009 00:31 |
|
BillWh0re posted:This thing is a real bastard once you're infected because the infection routine has a significant chance to just trash each file it infects so it can't be recovered. Fortunately it doesn't appear to corrupt .jpg files which is essentially all that needs to be saved from the machine. It looks like it also corrupted the Dell recovery partition as well because attempting to launch it only reaches a certain point. Thankfully Dell included recovery media. (The hard drive did pass a diagnostic check earlier in the day)
|
# ? Apr 6, 2009 00:50 |
|
GREAT BOOK OF DICK posted:Fortunately it doesn't appear to corrupt .jpg files which is essentially all that needs to be saved from the machine. It looks like it also corrupted the Dell recovery partition as well because attempting to launch it only reaches a certain point. Thankfully Dell included recovery media. (The hard drive did pass a diagnostic check earlier in the day) I'm pretty sure Dells don't have recovery partitions at all and your only option is the recovery disc.
|
# ? Apr 6, 2009 02:20 |
|
Sometimes manufacturers will put a recovery partition with the expectation that you make your own disc, and give you no disc.
|
# ? Apr 6, 2009 02:24 |
|
Cojawfee posted:Sometimes manufacturers will put a recovery partition with the expectation that you make your own disc, and give you no disc. Yes, but Dell as far as I know is not one of these companies. If someone knows of hidden partitions or something I'd actually like to know, it'll save myself some headaches in the future.
|
# ? Apr 6, 2009 02:31 |
|
1997 posted:I'm pretty sure Dells don't have recovery partitions at all and your only option is the recovery disc. I've definitely seen Dells with recovery partitions, although the installation media is probably the way to go if you have it.
|
# ? Apr 6, 2009 02:31 |