Otacon
Aug 13, 2002


brc64 posted:

One of my coworkers has been battling something nasty on her laptop for the last couple of weeks that I haven't had any time to look into. A couple weeks ago she told me that her computer "lost" her audio device. Last week she started getting bluescreens and error messages on startup referencing chkdsk.dll (it was in Start Menu/Programs/Startup), and I noticed that OfficeScan was not only outdated but the real time scanner wasn't even running anymore.

I've been at a local hospital every day last week so I haven't had any time to look closer into the problem. I downloaded VIPRE rescue to see if it would have any more luck than Trend crap, but her computer couldn't browse the network. Burned it to a CD instead, started it up, then went to the hospital. When I got back she said it didn't do anything when it finished but try to open some website that never loaded (and based on the URL I'm pretty sure VIPRE didn't launch it).

I'm pretty sure I'm just going to have to nuke the laptop. I just hope I have some time to look into it this week. Last week was hell.

COMBOFIX.

I had a pretty sweet one today - it may have been related to Vundo - but it removed boot.ini every reboot.

INFURIATING.

mixitwithblop
Feb 4, 2009

by elpintogrande
If you are having trouble with that new Vundo variant that's been running around, and AntiMalware and SuperAntispyware are getting their asses kicked, I highly suggest running:

Trojan Remover ( https://www.simplysup.com )

It's not an all-in-one cleaner, but with it you can get to where you can at least boot outside of safemode and install/run AntiMalware and SuperAntispyware. The jig is up, as it seems they're starting to target malwarebytes and superantispyware as of late.

For a good laugh at all the new 'rogue' antivirus/spyware apps popping up (unless you already know all the new ones because you keep installing them, ha) see the Malwarebytes blog:

http://malwarebytes.besttechie.net/

mixitwithblop fucked around with this message at 03:23 on Jun 2, 2009

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

mixitwithblop posted:

If you are having trouble with that new Vundo variant that's been running around, and AntiMalware and SuperAntispyware are getting their asses kicked, I highly suggest running:

Trojan Remover ( https://www.simplysup.com )

It's not an all-in-one cleaner, but with it you can get to where you can at least boot outside of safemode and install/run AntiMalware and SuperAntispyware. The jig is up, as it seems they're starting to target malwarebytes and superantispyware as of late.

For a good laugh at all the new 'rogue' antivirus/spyware apps popping up (unless you already know all the new ones because you keep installing them, ha) see the Malwarebytes blog:

http://malwarebytes.besttechie.net/

I've been seeing this behavior for a while. Renaming combofix.exe to rambofix.exe is sometimes effective. Another tactic I employ in combating these malwares is to use hijackthis renamed to something coupled with the delete on reboot registry hack.

Otacon
Aug 13, 2002


quote:

Mass Injection Compromises More than Twenty-Thousand Web Sites

Date:05.29.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ Threatseeker™ Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious JavaScript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.

http://securitylabs.websense.com/content/Alerts/3405.aspx

Large numbers of state and federal government, large business, and schools have had their homepages hacked. Whoops!

My money is on this in some way being related to Conficker.

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl
Seems like a huge number of computers where I work got hit with trojan.win32.inject.achx

My favorite theory is basically poor patching. It's a bitch getting some of these machines back on their feet.

Rastor
Jun 2, 2001

Microsoft Antivirus returns as "Morro":
http://www.neowin.net/news/main/09/06/16/exclusive-microsofts-anti-virus-morro-revealed

mixitwithblop
Feb 4, 2009

by elpintogrande

abominable fricke posted:

I've been seeing this behavior for a while. Renaming combofix.exe to rambofix.exe is sometimes effective. Another tactic I employ in combating these malwares is to use hijackthis renamed to something coupled with the delete on reboot registry hack.

Yeah, they've been doing that with spybot and ad aware for quite awhile now, not to mention every other boxed av software we love to hate. It's just that Antimal and sas are now what's on the popular/effective list.

I like how the download for GMER gives it a random name. The spyware game is one thing... the rootkit world is some scary poo poo. Most of the tools to combat them are old and some new rootkits avoid detection. That's including Icesword and rootkit revealer guys. GMER is the only one updated to these new attacks anymore really. And then I don't pay attention for a year or so, and look what happens:

http://www2.gmer.net/mbr/

See all the code updates the particular rootkit goes through to avoid detection. Stuff gets me paranoid.

Raluek
Nov 3, 2006

WUT.
I've got a strange thing on a customer's machine. All the folders in C: are replaced by the same name.exe (with extensions hidden) with the folder icon. For instance, C:\Windows .exe

Combofix found a bunch of stuff and removed all these things, and now I can get into cmd.exe and the task manager (which I could not before). However, the original C:\Windows and Documents and Settings folders etc are still super-hidden. Even with invisible folders turned on, they do not show up. However, navigating to them manually through cmd works. Is there a way I can un-hide them, or should I just repair install Windows? This is a new thing for me and googling shows only one guy who has this issue. Perhaps I don't google right.

In the mean time I'll be trying to solve it, but if anyone has insight it would be helpful.

mixitwithblop
Feb 4, 2009

by elpintogrande
Raluek, that sounds pretty messed up and if you aren't certain you'll be able to repair it 100%, I'd suggest format and reinstall. Especially if there isn't a whole lot of data you'd need to backup/apps to reinstall...

Repair install works sometimes, and it *might* be easier in this case (although it tends to screw up a lot of apps, in which case a complete wipe would be less time consuming in the end)... there's a lot of stuff you could fix via Dial-a-Fix and sfc, but as you say, it sounds like you'll have to manually fix quite a bit yourself. At a minimum prior to repair install, I'd suggest full scans with AntiMalware, SuperAntispyware and Trojan Remover as mentioned by me previously, if you can get them working on a seemingly fubar'd box.

redeyes
Sep 14, 2002

by Fluffdaddy

mixitwithblop posted:

Raluek, that sounds pretty messed up and if you aren't certain you'll be able to repair it 100%, I'd suggest format and reinstall. Especially if there isn't a whole lot of data you'd need to backup/apps to reinstall...

Repair install works sometimes, and it *might* be easier in this case (although it tends to screw up a lot of apps, in which case a complete wipe would be less time consuming in the end)... there's a lot of stuff you could fix via Dial-a-Fix and sfc, but as you say, it sounds like you'll have to manually fix quite a bit yourself. At a minimum prior to repair install, I'd suggest full scans with AntiMalware, SuperAntispyware and Trojan Remover as mentioned by me previously, if you can get them working on a seemingly fubar'd box.

Yeah that level of destruction means you need to reload. It will be faster to back up the data and reformat/reinstall.

Raluek
Nov 3, 2006

WUT.
Yeah, that was what I was afraid of. I'm running a bunch of stuff on it right now (started with combofix, then to clamwin, superantispyware, malwarebytes) but I've not heard of Trojan Remover before (not up to date on this thread) so I'll try that before giving up hope. Prolly gonna have to reinstall anyways, though.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Raluek posted:

Yeah, that was what I was afraid of. I'm running a bunch of stuff on it right now (started with combofix, then to clamwin, superantispyware, malwarebytes) but I've not heard of Trojan Remover before (not up to date on this thread) so I'll try that before giving up hope. Prolly gonna have to reinstall anyways, though.

For informational purposes, if you can isolate a file you're reasonably certain is infected -- or if you've got a pretty small folder that you can zip up that you think probably contains an infected file -- it might be useful to upload it to virustotal.com and see if you can get a name on what you've got. I haven't heard a lot of positive things lately on zero-day coverage, but you never know.

Raluek
Nov 3, 2006

WUT.

Midelne posted:

For informational purposes, if you can isolate a file you're reasonably certain is infected -- or if you've got a pretty small folder that you can zip up that you think probably contains an infected file -- it might be useful to upload it to virustotal.com and see if you can get a name on what you've got. I haven't heard a lot of positive things lately on zero-day coverage, but you never know.

Well, that's kind of a problem since various utilities have found a bunch of stuff and restored most functionality, just all the loving directories are hidden, and not in the usual "hidden" manner that you can turn on and off in folder options. Can cd to them fine, though. That's what bugs me the most. I'll try a repair install next time I'm in the shop (Friday). Net effect is that I don't know what is infected and what is not, since all the obvious stuff has been rooted out.

Rastor
Jun 2, 2001

The new Microsoft Antivirus "Microsoft Security Essentials" is now available for download (BETA, Microsoft passport/connect login required).

Rumor has it that this is limited to the first 75,000 downloaders, so get on it soon if you want to try it.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Raluek posted:

Well, that's kind of a problem since various utilities have found a bunch of stuff and restored most functionality, just all the loving directories are hidden, and not in the usual "hidden" manner that you can turn on and off in folder options. Can cd to them fine, though. That's what bugs me the most. I'll try a repair install next time I'm in the shop (Friday). Net effect is that I don't know what is infected and what is not, since all the obvious stuff has been rooted out.

I was talking about this with a friend of mine and we got into an argument over whether the functionality that you're describing can be resolved by unchecking the "Hide Protected Operating System Files" option in View or not -- a lot of people miss that one, so I'm leaning toward that as the explanation. Can you verify that you have not only configured the system so that you can view Hidden files, but also explicitly configured it to show System files and folders?
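An added example for the situation Raluek describes and Midelne's follow-up (not a tool from the thread): it lists top-level directories that carry the Hidden+System ("protected operating system file") bits, pairs them with any same-named `.exe` decoy sitting beside them, and with `-Fix` clears the two bits on the directories that have a decoy. It assumes PowerShell 2.0 or later in an elevated prompt; the `$Root` and `-Fix` parameters are this script's own.

```powershell
param(
    [string]$Root = 'C:\',
    [switch]$Fix            # without -Fix the script only reports
)

$items = @(Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue)
$dirs  = $items | Where-Object { $_.PSIsContainer }
$exes  = @($items | Where-Object { -not $_.PSIsContainer -and $_.Extension -ieq '.exe' })
# Hidden (2) plus System (4): the combination Explorer calls a protected OS file.
$mask  = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System

foreach ($d in $dirs) {
    $attrs = [int]$d.Attributes
    $superHidden = ($attrs -band $mask) -eq $mask
    # The decoy carries the directory's name plus ".exe"; the post saw "Windows .exe",
    # so trailing spaces in the base name are ignored when comparing.
    $decoy = @($exes | Where-Object { $_.BaseName.TrimEnd() -ieq $d.Name })

    if ($superHidden -or $decoy.Count -gt 0) {
        '{0,-40} hidden+system={1} decoy={2}' -f $d.FullName, $superHidden,
            (($decoy | ForEach-Object { $_.Name }) -join ', ')
    }
    if ($Fix -and $superHidden -and $decoy.Count -gt 0) {
        # Only touch directories that also have a decoy: Windows keeps a few
        # legitimate Hidden+System folders (System Volume Information, RECYCLER).
        $d.Attributes = [IO.FileAttributes]($attrs -band (-bnot $mask))
        "  cleared Hidden+System on $($d.FullName)"
    }
}
```

Run it once without `-Fix` and compare the report with what `dir /a:hs` shows before letting it change anything; removing the decoy executables themselves is left to the cleanup tools discussed in the thread.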

Otacon
Aug 13, 2002


Rastor posted:

The new Microsoft Antivirus "Microsoft Security Essentials" is now available for download (BETA, Microsoft passport/connect login required).

Rumor has it that this is limited to the first 75,000 downloaders, so get on it soon if you want to try it.

Thanks for this tidbit. Do you have to login for each installation? Can I install this on multiple (personally owned) computers with the same LiveID?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Rastor posted:

The new Microsoft Antivirus "Microsoft Security Essentials" is now available for download (BETA, Microsoft passport/connect login required).

Rumor has it that this is limited to the first 75,000 downloaders, so get on it soon if you want to try it.

Morro has apparently done very well in initial tests on detection, disinfection, and avoidance of false-positives. Neat.

-Dethstryk-
Oct 20, 2000

Otacon posted:

Thanks for this tidbit. Do you have to login for each installation? Can I install this on multiple (personally owned) computers with the same LiveID?

Looks like it so far. I've installed it on multiple machines with the same download.

Otacon
Aug 13, 2002


-Dethstryk- posted:

Looks like it so far. I've installed it on multiple machines with the same download.

Same. This is truly awesome.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Rastor posted:

Rumor has it that this is limited to the first 75,000 downloaders, so get on it soon if you want to try it.

Annnnd that's that.

Panty Saluter
Jan 17, 2004

Making learning fun!

Midelne posted:

Morro has apparently done very well in initial tests on detection, disinfection, and avoidance of false-positives. Neat.

I have it running on my XP32 machine and so far so good. I can't speak for its effectiveness since I do at least try to avoid getting nasty software, but can say with 100% certainty it doesn't have Avira Free's annoying nag popups. :v:

Oddhair
Mar 21, 2004

I've been checking out this thread regularly, anyone run into the Cognac trojan? My company's blacklisted everywhere, and the first sign of an infection was yesterday.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Oddhair posted:

I've been checking out this thread regularly, anyone run into the Cognac trojan? My company's blacklisted everywhere, and the first sign of an infection was yesterday.

Not specifically, but by "blacklisted" do you mean that upstream mail servers are refusing to accept your mail?

Oddhair
Mar 21, 2004

It seems that way.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Oddhair posted:

It seems that way.

Check your mail server for open relay status.

mixitwithblop
Feb 4, 2009

by elpintogrande

While you're at it, check to see if your server is on any blacklists:

http://www.mxtoolbox.com/blacklists.aspx

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

mixitwithblop posted:

While you're at it, check to see if your server is on any blacklists:

http://www.mxtoolbox.com/blacklists.aspx

Also, what evidence do you have that your mail server is blacklisted? What error messages or NDRs are you receiving?

sanchez
Feb 26, 2003

Oddhair posted:

It seems that way.

Block outbound 25 for anything that isn't your mailserver (why doesn't everyone do this?)

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

sanchez posted:

Block outbound 25 for anything that isn't your mailserver (why doesn't everyone do this?)

Thought about recommending this, but if his mailserver is blacklisted I'd tend to think it was coming from his mailserver rather than infected PCs.

Still, excellent advice from a security standpoint anyway. And block outbound IRC while you're at it.

mixitwithblop
Feb 4, 2009

by elpintogrande

sanchez posted:

Block outbound 25 for anything that isn't your mailserver (why doesn't everyone do this?)

You got me. I came to the conclusion that most people in IT don't really know what they're doing... and they don't care until it's a problem. Maybe all they hear is 011011000110111101101100011101110111010101110100 when you talk about ports or packets.

Maybe they've got some weird rear end pos app that wants to run a mailserver for some retarded reason and is 'essential'.... and their pos officedepot firewall is too weaksauce to add another source rule.

Midelne posted:

Thought about recommending this, but if his mailserver is blacklisted I'd tend to think it was coming from his mailserver rather than infected PCs.

If he's just got 1 nat'd lan/1 public ip etc, it all looks the same from the blacklisters point of view.

block irc? meh. most networks support ssl now, with a variety of ports to use. hence, newer botnets that still use irc probably do too. but using irc is oldschool nowadays.

mixitwithblop fucked around with this message at 10:00 on Jun 27, 2009

Iblys
Sep 23, 2003

gay for iBag....i mean, disconnect and self-destruct one bullet at a time...
Got screwed by a version of Virut recently. Backed up, formatted, reinstalled, am only retrieving things from my backups which aren't executables.

I had a fully updated version of Symantec Anti Virus which never even blinked. Going to try EndPoint on my reinstall instead.

edit: Also, I have absolutely no idea how I even contracted it in the first place.

Oddhair
Mar 21, 2004

The machine was taken offline and cleaned, but I'll probably need to reinstall it Monday. I say probably because it isn't up to me, not because it will be optional. As of now, all blacklists are clear, but a few showed us as spammers on Friday.

Ceros_X
Aug 6, 2006

U.S. Marine

Iblys posted:

Got screwed by a version of Virut recently. Backed up, formatted, reinstalled, am only retrieving things from my backups which aren't executables.

I had a fully updated version of Symantec Anti Virus which never even blinked. Going to try EndPoint on my reinstall instead.

edit: Also, I have absolutely no idea how I even contracted it in the first place.

I have Symantec End Point (thank you, US Govt) and it caught both the Virut and Virut!Html versions I had floating around (thank you, file sharing on ship).

Recently my hosting (Servage can go suck a fat dick, second time means it's time to move) got hacked again and I wound up having every one of my HTML files get injected with some awesome Javascript and all my .htaccess files rewritten.

I had to download all 11GB worth of files (never knew if anything else was inserted besides malicious HTML) and then run a virus scan. When my AV didn't detect the malicious script I had to get a File Search and Replace-type tool and then go and have it rip the code out of all 800 web pages.

Now I just have to reupload all 11GB to the new host. And then check to see how many of my domains got black listed by FF/Google. Again.

Yea! loving russian hackers.

Edit: Hey cool, apparently I missed a bunch of poo poo. Now I have to go through and manually check every directory for files I never added. I just found some cool obfuscated code that seemingly pulls from a huge file elsewhere in my site to make random blog posts or something. Awesome.

edit2: and inserted invisible iframes that silently open spam pages. awesome.

Ceros_X fucked around with this message at 23:52 on Jun 28, 2009
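An added example covering both the Websense alert quoted earlier (injected JavaScript loading from a google-analytics look-alike host) and Ceros_X's cleanup above (invisible iframes, obfuscated script blobs, rewritten .htaccess files). It is not the search-and-replace tool the poster used; it only reports. It assumes a local copy of the site under `$Root` and PowerShell 2.0 or later; the patterns are heuristics, so review every hit by hand.

```powershell
param([string]$Root = 'C:\sites\mysite')   # local copy of the downloaded site

# Heuristic patterns for the injection styles described in the thread.
$patterns = @{
    'hidden iframe'     = '<iframe[^>]*?(width\s*=\s*["'']?0(?:px)?\b|height\s*=\s*["'']?0(?:px)?\b|display\s*:\s*none|visibility\s*:\s*hidden)'
    'obfuscated script' = '\b(eval|unescape|String\.fromCharCode)\s*\([^)]{60,}'
    'htaccess redirect' = '(?m)^\s*(RewriteRule|RedirectMatch|Redirect)\b.*https?://'
}
# Hosts that legitimately serve the Google Analytics loader; any other host that
# contains "google-analytics" is treated as a look-alike (the trick in the Websense alert).
$legitAnalytics = @('www.google-analytics.com', 'ssl.google-analytics.com')

function Get-ScriptHosts([string]$html) {
    $rx = '<script[^>]*\ssrc\s*=\s*["'']?(?<url>https?://[^"''\s>]+)'
    foreach ($m in [regex]::Matches($html, $rx, 'IgnoreCase')) {
        ([uri]$m.Groups['url'].Value).Host
    }
}

$files = @(Get-ChildItem -LiteralPath $Root -Recurse -Force `
             -Include *.html,*.htm,*.php,*.js,.htaccess -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer })

$hits = foreach ($f in $files) {
    $text = [IO.File]::ReadAllText($f.FullName)
    foreach ($kind in $patterns.Keys) {
        foreach ($m in [regex]::Matches($text, $patterns[$kind], 'IgnoreCase')) {
            New-Object PSObject -Property @{
                File    = $f.FullName
                Kind    = $kind
                Snippet = $m.Value.Substring(0, [Math]::Min(80, $m.Value.Length))
            }
        }
    }
    foreach ($h in Get-ScriptHosts $text) {
        if ($h -like '*google-analytics*' -and $legitAnalytics -notcontains $h) {
            New-Object PSObject -Property @{ File = $f.FullName; Kind = 'look-alike analytics host'; Snippet = $h }
        }
    }
}

$hits | Sort-Object File, Kind | Format-Table File, Kind, Snippet -AutoSize
"Files scanned: $($files.Count)   suspicious matches: $(@($hits).Count)"
```

Files the script flags are candidates for the manual review Ceros_X describes; files it does not flag are not cleared, since the patterns only cover the injection styles mentioned in the thread.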

URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!
Malicious PDF files are the most common attack vector lately. Open up a legit site with a malicious banner ad, or a hacked site with a hidden iFrame that autoloads a PDF -> attacks Adobe Acrobat -> hello dropper, pulls down more poo poo, oh gently caress I've got Virut and TDSS rootkit poo poo everywhere.

Update to Acrobat 9.10, use Group Policy to turn off the Adobe Browser Helper object, or just remove the piece of poo poo. I've heard musings of globally disabling Javascript in all PDFs also stops these kind of buffer overflows but I wouldn't bet the house on it.

SixFigureSandwich
Oct 30, 2004
Exciting Lemon
Does setting your browser so that PDFs aren't automatically opened protect from this poo poo?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

John Dough posted:

Does setting your browser so that PDFs aren't automatically opened protect from this poo poo?

Depends on the browser settings. Inline PDF rendering makes it much easier for a malicious iframe or banner ad to hit you with a PDF exploit, but even if that is disabled if your browser is set to automatically load the PDF when encountered you'll still get it. An open/save prompt will stop it so long as you don't try to open the thing.

I would strongly recommend changing your system's DEP setting from OptIn to OptOut mode so all processes execute with DEP checking regardless if they were compiled with the correct flags or not.

anticake
Nov 5, 2004

Biscuit Hider
I was in the Metal Thread in NMD a couple days ago switched to the next page and some invisible thing was playing like 5 different audio files all over the top of each other. None of them were playing anything related to metal. Freaked me the gently caress out. Disappeared when I reloaded the page. Doesn't appear to have installed anything that I've noticed. I have no idea what it was. Did a scan with Nod32 and MBAM and I appear to be clean. :iiam:

CraigK
Nov 4, 2008

by exmarx

anticake posted:

I was in the Metal Thread in NMD a couple days ago switched to the next page and some invisible thing was playing like 5 different audio files all over the top of each other. None of them were playing anything related to metal. Freaked me the gently caress out. Disappeared when I reloaded the page. Doesn't appear to have installed anything that I've noticed. I have no idea what it was. Did a scan with Nod32 and MBAM and I appear to be clean. :iiam:

Oh lord, Fragmaster's back to his old tricks. :v:

Iblys
Sep 23, 2003

gay for iBag....i mean, disconnect and self-destruct one bullet at a time...

BangersInMyKnickers posted:

Depends on the browser settings. Inline PDF rendering makes it much easier for a malicious iframe or banner ad to hit you with a PDF exploit, but even if that is disabled if your browser is set to automatically load the PDF when encountered you'll still get it. An open/save prompt will stop it so long as you don't try to open the thing.

I would strongly recommend changing your system's DEP setting from OptIn to OptOut mode so all processes execute with DEP checking regardless if they were compiled with the correct flags or not.

Three questions:

1) How does my exclusive use of FoxIt affect my vulnerability to PDF exploits?
2) How do I do this DEP trick you're talking about?
3) What potential problems will I run into / what effects (if any) will I see through normal use?

SixFigureSandwich
Oct 30, 2004
Exciting Lemon
You can set DEP to OptOut by going to System Properties --> Advanced System Settings --> Advanced --> Performance --> DEP
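An added script (not from the thread) for the DEP change BangersInMyKnickers recommends and the GUI path above: it reads the machine-wide policy through WMI and, with `-Set`, switches it to OptOut from the command line. It assumes Vista or later (bcdedit) and an elevated prompt; on XP the same switch is `/noexecute=OptOut` in boot.ini. The `-Set` parameter and `Get-DepStatus` function are this script's own.

```powershell
param([switch]$Set)

# Win32_OperatingSystem reports the policy as a small integer.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepStatus {
    $os = Get-WmiObject Win32_OperatingSystem
    New-Object PSObject -Property @{
        HardwareDEP = $os.DataExecutionPrevention_Available          # CPU NX/XD support usable
        Policy      = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32Bit = $os.DataExecutionPrevention_32BitApplications  # DEP applied to 32-bit code
        Drivers     = $os.DataExecutionPrevention_Drivers
    }
}

$before = Get-DepStatus
$before | Format-List HardwareDEP, Policy, Covers32Bit, Drivers

if ($Set) {
    if ($before.Policy -eq 'OptOut') {
        'DEP is already OptOut; nothing to do.'
    } else {
        # OptOut: every process runs with DEP unless explicitly exempted in System
        # Properties, regardless of how it was compiled. Braces must be quoted in PowerShell.
        & bcdedit /set '{current}' nx OptOut
        if ($LASTEXITCODE -eq 0) { 'Policy set to OptOut; reboot to apply.' }
        else { "bcdedit failed with exit code $LASTEXITCODE (is the prompt elevated?)" }
    }
}
```

Run it again after the reboot: `Policy` should read OptOut, and `HardwareDEP` tells you whether the CPU enforces it or only the software fallback is in play.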