  • Locked thread
URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!

Coffee Quack posted:

Here's how good trojans/viruses work:

Update your code and install base faster than antivirus companies can.

So yes, it's dangerous AND they're better at detecting it AND it's getting better at not getting detected. :)
HIPS prevents this from being a problem.

If you stop looking at the hash of files and start looking at suspicious behavior in general, such as modification of other files, using cheap / free commercial packers, changing one or more of a list of particular registry keys, creating a new service, creating a new driver, etc, you can catch everything. Of course, this catches legit things as well, which have to be investigated manually and authorized if clean and desired.
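A sketch of the behaviour-based scoring the post describes, written as an added example rather than anything from the thread or any real HIPS product. The event lines, the autostart key list and the weights are all constructed for illustration; a process that crosses the threshold lands in a review queue, which is why the ordinary installer shows up next to the suspicious one.

```python
import re

# Constructed sample events (not real logs): "<pid> <image> <event> <target>"
SAMPLE_EVENTS = [
    r"1204 setup_tool.exe RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost32",
    r"1204 setup_tool.exe FileWrite C:\Windows\System32\svchost32.exe",
    r"1204 setup_tool.exe FileWrite C:\Program Files\Editor\editor.exe",
    r"1204 setup_tool.exe CreateService svchost32",
    r"1204 setup_tool.exe LoadDriver C:\Windows\System32\drivers\hide.sys",
    r"2210 installer.exe RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"2210 installer.exe CreateService UpdaterSvc",
    r"3301 notepad.exe FileWrite C:\Users\doc\notes.txt",
]

# Autostart locations to watch: a constructed subset of what a real HIPS ships.
AUTOSTART_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\", "\\winlogon\\")

# Weight per suspicious behaviour; the list mirrors the one in the post above.
WEIGHTS = {
    "autostart_key": 3,
    "executable_overwrite": 4,   # writing into another program's .exe/.dll/.sys
    "new_service": 3,
    "new_driver": 5,
}
REVIEW_THRESHOLD = 6

EXEC_EXT = re.compile(r"\.(exe|dll|sys)$", re.IGNORECASE)

def classify(event, target):
    """Map one raw event to a behaviour name, or None if it looks benign."""
    t = target.lower()
    if event == "RegSetValue" and any(k in t for k in AUTOSTART_KEYS):
        return "autostart_key"
    if event == "FileWrite" and EXEC_EXT.search(t):
        return "executable_overwrite"
    if event == "CreateService":
        return "new_service"
    if event == "LoadDriver":
        return "new_driver"
    return None

def score_events(lines):
    """Accumulate a per-process score plus the behaviours that produced it."""
    scores = {}
    for line in lines:
        pid, image, event, target = line.split(" ", 3)
        behaviour = classify(event, target)
        if behaviour is None:
            continue
        entry = scores.setdefault((pid, image), {"score": 0, "behaviours": []})
        entry["score"] += WEIGHTS[behaviour]
        entry["behaviours"].append(behaviour)
    return scores

def review_queue(lines, threshold=REVIEW_THRESHOLD):
    """Processes whose score reaches the threshold, for manual investigation."""
    return sorted(
        (image, v["score"], sorted(set(v["behaviours"])))
        for (pid, image), v in score_events(lines).items()
        if v["score"] >= threshold
    )

if __name__ == "__main__":
    for image, score, behaviours in review_queue(SAMPLE_EVENTS):
        print(f"{image}: score {score}, behaviours {behaviours}")
```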


Doc Faustus
Sep 6, 2005

Philippe is such an angry eater
Running Windows 7 (evaluation copy, not the retail version), and Windows Defender says it's found 4 problems:

Tool:Win32/Angryscan.A
RemoteAccess:Win32/RealVNC
RemoteAccess:Win32/TightVNC
RemoteAccess:Win32/UltraVNC


Anyone have any idea what these are? This machine is pretty much used for accessing Outlook and watching movies on Netflix/Hulu, so I'm not sure where something would have been picked up...

edit: Never mind, I'm dumb. Windows helpfully scans inside of ISO files; all four of those are on the ISO for a boot disk.

chizad
Jul 9, 2001

'Cus we find ourselves in the same old mess
Singin' drunken lullabies

Doc Faustus posted:

Running Windows 7 (evaluation copy, not the retail version), and Windows Defender says it's found 4 problems:

Tool:Win32/Angryscan.A
RemoteAccess:Win32/RealVNC
RemoteAccess:Win32/TightVNC
RemoteAccess:Win32/UltraVNC


Anyone have any idea what these are? This machine is pretty much used for accessing Outlook and watching movies on Netflix/Hulu, so I'm not sure where something would have been picked up...

edit: Never mind, I'm dumb. Windows helpfully scans inside of ISO files; all four of those are on the ISO for a boot disk.

This is one of those things that really annoys me about AV software sometimes. "No, Angry IP Scanner isn't anything bad, it's a tool I use on a regular basis to do my job. Leave me alone."

CraigK
Nov 4, 2008

by exmarx
Don't know what in the gently caress they installed on the computer, but when clicking a google result randomly, it'll quickly jump through about 3 or 4 pages with a URL like this (don't go there, obviously:
http://fuellcells.com/result.php?Ke...c18fa&Submit=Go)

and fling me to a weird search engine that isn't Google.

What the heck is this, and has anyone seen it before?

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
Probably some sort of generic hijacker. Combofix, MalwareBytes AntiMalware, SuperAntiSpyware should do the trick. Kill it fast before it downloads something that's harder to get rid of.

CraigK
Nov 4, 2008

by exmarx

Ensign Expendable posted:

Probably some sort of generic hijacker. Combofix, MalwareBytes AntiMalware, SuperAntiSpyware should do the trick. Kill it fast before it downloads something that's harder to get rid of.

Since I just reformatted anyway, (on the 31st, and we haven't really had a chance to install anything), and MalwareBytes didn't help, I just reformatted again.

Probably my sister: after running an .exe file(!) to install a Cave Story save that took 5 minutes to install a few KB large file (!!!), and while screaming that it wasn't her fault, went to the same goddamn page that she downloaded the file from (!!!!!) and, when a Windows Defender dialog box popped up, she wailed on the "cancel" button, installing that, too. (!!!!!!!)

:bang:

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

CraigK posted:

:bang:

This is what we get for teaching them to cancel/ignore all popups.

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD

Midelne posted:

This is what we get for teaching them to cancel/ignore all popups.

keeps us in business, really

peak debt
Mar 11, 2001
b& :(
Nap Ghost

CraigK posted:

Since I just reformatted anyway, (on the 31st, and we haven't really had a chance to install anything), and MalwareBytes didn't help, I just reformatted again.

Probably my sister: after running an .exe file(!) to install a Cave Story save that took 5 minutes to install a few KB large file (!!!), and while screaming that it wasn't her fault, went to the same goddamn page that she downloaded the file from (!!!!!) and, when a Windows Defender dialog box popped up, she wailed on the "cancel" button, installing that, too. (!!!!!!!)

:bang:

Why does she have admin rights?

DaNzA
Sep 11, 2001

:D
Grimey Drawer

peak debt posted:

Why does she have admin rights?

How else is she going to install her Cave Story save?

I'd imagine something like this might go down anyway
"Can you come install this for me?"
"This is a possible spyware, no"
"RAAAAAAAAAAAAH"
"Fine :("

EMILY BLUNTS
Jan 1, 2005

Orange Juilius posted:

HIPS prevents this from being a problem.


It's still within the realm of possibility to find an exploit in these systems as well, but if you find that's happening, chances are someone's out for you, as the average credit card harvester/botnet operator isn't going to waste time on the tiny segment of computers using them.

PUBLIC TOILET
Jun 13, 2009

Doc Faustus posted:

Running Windows 7 (evaluation copy, not the retail version), and Windows Defender says it's found 4 problems:

Tool:Win32/Angryscan.A
RemoteAccess:Win32/RealVNC
RemoteAccess:Win32/TightVNC
RemoteAccess:Win32/UltraVNC


Anyone have any idea what these are? This machine is pretty much used for accessing Outlook and watching movies on Netflix/Hulu, so I'm not sure where something would have been picked up...

edit: Never mind, I'm dumb. Windows helpfully scans inside of ISO files; all four of those are on the ISO for a boot disk.

I've noticed the same issue on my machine. This is basically Microsoft Security Essentials freaking out over the Ultimate Boot CD ISO. It's scanning the contents of the ISO and thinking the VNC applications are infections.

PUBLIC TOILET
Jun 13, 2009

I'm starting to wonder if recent symptoms on my machine are happening because of an infected USB thumb drive. For the past month I've had inexplicable Explorer.exe crashes and I've been unable to track down the cause. Tonight I had a dozen different things running with no problems whatsoever. I insert my Corsair thumb drive and KeePass crashes followed by Explorer.exe. I recall not long ago Microsoft Security Essentials stopping an autorun.inf virus from a different flash drive.

sfwarlock
Aug 11, 2007

COCKMOUTH.GIF posted:

I'm starting to wonder if recent symptoms on my machine are happening because of an infected USB thumb drive. For the past month I've had inexplicable Explorer.exe crashes and I've been unable to track down the cause. Tonight I had a dozen different things running with no problems whatsoever. I insert my Corsair thumb drive and KeePass crashes followed by Explorer.exe. I recall not long ago Microsoft Security Essentials stopping an autorun.inf virus from a different flash drive.

Boot to knoppix and mount the thumbdrive, look for anything that doesn't belong.

imsuxok?
Nov 14, 2000

You may be as vicious about me as you please. You will only do me justice.
In XP, I got a systray pop-up about an available update for Java. I let the installer run and Spybot's Tea Timer gave me a warning about jusched.exe containing the Perfect keylogger. I have a feeling it's a false positive, as I don't think Sun is sending out keyloggers with its updates. I ran a full Spybot scan as well as an AVG scan on the offending exe, but nothing came up. Anything else I should run to make sure I'm not infected?

imsuxok? fucked around with this message at 11:50 on Nov 6, 2009

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.
Interesting article from Yahoo news about malware that turned a guy's computer into a child porn repository.

While it's always terrible when this stuff hits, I always kind of hope this stuff gets scary enough to knock some sense into the "I ran with antivirus for 20 years and I never had a virus!" people.

Panty Saluter
Jan 17, 2004

Making learning fun!

Misogynist posted:

Interesting article from Yahoo news about malware that turned a guy's computer into a child porn repository.

While it's always terrible when this stuff hits, I always kind of hope this stuff gets scary enough to knock some sense into the "I ran with antivirus for 20 years and I never had a virus!" people.

I feel for those people because, well, kiddie porn is one accusation that just can't be approached rationally. An accusation is as damning as a signed confession with dated photos. Even if you get acquitted 100% you'll never be treated the same way.

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock

deviant. posted:

I feel for those people because, well, kiddie porn is one accusation that just can't be approached rationally. An accusation is as damning as a signed confession with dated photos. Even if you get acquitted 100% you'll never be treated the same way.

It still feels suspicious. From the article:

quote:

...A technician found child porn in the PC folder that stores images viewed online...

quote:

...It was programmed to visit as many as 40 child porn sites per minute — an inhuman feat...

Are there actually virus writers out there that use IE to fetch stuff? Have these people never heard about wget? It just seems strange that if a random PC is used as a middle man, the images would end up in the IE cache.

Vulture Culture
Jul 14, 2003

I was never enjoying it. I only eat it for the nutrients.

ymgve posted:

It still feels suspicious. From the article:

Are there actually virus writers out there that use IE to fetch stuff? Have these people never heard about wget? It just seems strange that if a random PC is used as a middle man, the images would end up in the IE cache.

Yes, in the same way that there are worm writers that use Outlook to send emails.

Using Internet Explorer, a program that most people already have whitelisted in their firewall applications, is much easier to do without arousing suspicion than using some random executable that's likely to get flagged for blocking.

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock

Misogynist posted:

Yes, in the same way that there are worm writers that use Outlook to send emails.

Using Internet Explorer, a program that most people already have whitelisted in their firewall applications, is much easier to do without arousing suspicion than using some random executable that's likely to get flagged for blocking.

Good point, I hadn't thought about firewalls. Consider me corrected.

Axel Rhodes Scholar
May 12, 2001

Courage Reactor

ymgve posted:

It still feels suspicious. From the article:

Are there actually virus writers out there that use IE to fetch stuff? Have these people never heard about wget? It just seems strange that if a random PC is used as a middle man, the images would end up in the IE cache.

Not at a windows PC so I can't check, but I think the InternetOpenUrl/InternetReadFile calls (that a lot of malware do use) do go through the IE cache.

URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!

dazjw posted:

InternetOpenUrl/InternetReadFile calls (that a lot of malware do use) do go through the IE cache.

This. A lot of apps use these APIs instead of reinventing the wheel, which does indeed place files into Temporary Internet Files. (Stupidly)

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.
I've got two machines on my bench right now that the screen on them dims in such a way that you would think that a UAC prompt is about to appear. One of the machines is running vista and the other is running XP. I've run it through half of my virus removal routine and it hasn't gone away, which isn't to say that it won't be resolved in second half. I did, however, want to ask and see if anyone was aware of anything new that exhibits this behavior.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

abominable fricke posted:

I did, however, want to ask and see if anyone was aware of anything new that exhibits this behavior.

Like, a fake UAC prompt utilizing a semi-transparent window to make it look like UAC was popping up?

If that's the case, yes. There's an example of a program attempting to spoof a UAC prompt about halfway down the page.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
I may have posted this in the ticket thread earlier today, but I got a system in with came with the upgraded version of Virut - the name eludes me now. Even though AVG (when it worked), MBAM, SAS and whatnot said the system was clean, the loving thing STILL infected all the USB sticks that came to it, among other things.

loving, flattened with fire.

After checking the chatlog, it's called Vitro.

It just infects the everliving gently caress out of everything on the system. When I did a virus scan on the data I pulled, I found a PartyPoker.exe in their limewire folder. Going to wager that was the infection vector. But yeah. The ability of that little bastard to inject code into .exe files wholesale is... worrying. So when your entire batch of critical files (regedit, explorer, the session manager, msconfig) light up as infected... welp.

PopeOnARope fucked around with this message at 17:19 on Nov 19, 2009

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
They made a new one? drat, the old one was bad enough. Does it even do anything other than destroy everything horribly? How are people making money off that thing?

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

Midelne posted:

Like, a fake UAC prompt utilizing a semi-transparent window to make it look like UAC was popping up?

If that's the case, yes. There's an example of a program attempting to spoof a UAC prompt about halfway down the page.

I've already run Malwarebytes and still am having a semi-transparent display on both machines.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
As it seems to have been said earlier in the thread, Vitro, like Virut, is hilariously overzealous - to the point where it breaks both real antiviruses and fake malware alike. That said, when you have something like 8 exe files running - half of which are invisible inside the file system... there are problems.

Not to mention the fact that it seems to dynamically generate its autorun virus. Every time I would plug the key in, there would be 2-3 new exe files, all of which slammed right into the system's core files before you could blink.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

abominable fricke posted:

I've already run Malwarebytes and still am having a semi-transparent display on both machines.

Might try running a renamed Hijack This and posting the results in the HoTS. That generation of malware is pretty nasty, but I don't remember any of it being particularly good at hiding.

Yakse
May 19, 2006
If I may take off my actor pants for a moment and pull my Analrapist stocking over my head.....
A customer returned with their laptop, which was cleaned 2 weeks ago, saying they were missing some Access database files (.mbd). After checking the logs for the stuff we ran, Combofix shows them in the 'other deletions' field, and doesn't say exactly what was wrong with them.
Is there anything in particular I can run on these files to make sure they are clean/clean them before restoring them and giving the laptop back? The laptop is running Norton 360, so I'm just a bit worried the machine will end up infected within the week and come back a third time.
Malwarebytes and AVG would have run on the system at least once and not picked up anything.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Yakse posted:

Is there anything in particular I can run on these files to make sure they are clean/clean them before restoring them and giving the laptop back? The laptop is running Norton 360, so I'm just a bit worried the machine will end up infected within the week and come back a third time.

http://www.virustotal.com

Well, unless they're huge.

EMILY BLUNTS
Jan 1, 2005

CWSandbox is pretty good too, but that tells a different story, and if your funny file knows its in a VM it's going to just bail on you.

Yakse
May 19, 2006
If I may take off my actor pants for a moment and pull my Analrapist stocking over my head.....

Midelne posted:

http://www.virustotal.com

Well, unless they're huge.

Thanks, it shows as clean. Loaded it up on a test machine and not noticing anything out of the ordinary; looking through the VB code for macros it all looks fine too, so here's hoping.

Jetsetlemming
Dec 31, 2007

i'Am also a buetifule redd panda

I got a virus last week that was bad enough to pretty quickly convince me to wipe and reinstall (except my windows disc was "borrowed" by my brother last time he came over to get me to fix his laptop, so I ended up installing linux). I'm pretty sure it was Virut or something like it based on what people have been talking about in this thread.
It started by killing explorer.exe (The memory at [stringofchars] cannot be read message), and during that downtime before explorer automatically came back up it had infected explorer and a few other windows core files. AVG starts going nuts, but it refuses to touch windows system files, and this makes it completely worthless to stop the virus from spreading into, as far as I could tell, every single other exe on my entire computer. It also dropped fake links to porn sites on my desktop (They really went to "Tribal Cash" according to their targets), as well as a shortcut in C:.
I restarted in safe mode and ran a full AVG scan, and opened msconfig and disabled everything that wasn't AVG or internet access, and that didn't stop it.
Once I had ubuntu installed and loaded, I looked on my mp3 player and found it had even dumped copies of system files like explorer.exe onto my sandisk's internal drive. No auto-run file that I could see though. I formatted it anyway.

AVG identified the infection as "Win32/Heur", which took me entirely too long to find out that that's just short for heuristics, and AVG didn't actually recognize the virus at all.

Edit: I just realized that one of the files I backed up before wiping was an .html, the GTA games store their stats in an html file. Should I upload/email this anywhere? Maybe send it to AVG and bitch about how badly they failed against it?

E2: That virustotal.com website above says it's completely clean. Hm.

Jetsetlemming fucked around with this message at 07:10 on Nov 20, 2009

FCKGW
May 21, 2006

Definitely a Virut variant. Its main MO is to infect every .exe file it can find, and also inject a hidden iframe in every html document (including every help file on your system).

What's really fun is when your AV program gets infected, and initiating a virus scan ends up infecting every file it scans! :smithicide:

Jetsetlemming
Dec 31, 2007

i'Am also a buetifule redd panda

I dunno what exactly happened, but I just installed windows, installed Avira, updated windows, then rebooted, and as Avira was loading it managed to completely freeze up explorer.exe. Managed to fix it by manually killing it then restoring it with Task Manager, but it's more than a little concerning. :(

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

BorderPatrol posted:

Definitely a Virut variant. Its main MO is to infect every .exe file it can find, and also inject a hidden iframe in every html document (including every help file on your system).

What's really fun is when your AV program gets infected, and initiating a virus scan ends up infecting every file it scans! :smithicide:

That would explain why AVG was running at 99% constantly on the client system I had :\. Now all that we need it to do is infect system / video / raid BIOSes and it'll be the perfect storm :(.

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
Any process combating these things should start by finding the date/time of the infection and then either using a bootable CD to start purging infected files or plugging the infected drive into another machine and purging bad files. Then you can boot it back up and start running Malwarebytes/SuperAntiSpyware/etc.
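An added example (not from the thread or from any tool it mentions) of the offline triage the two posts above describe: walk a drive mounted from a boot CD or a second machine, list executables modified after the infection time, and separately flag HTML files carrying the hidden iframe that Virut-style infectors drop. The directory layout, timestamps and page contents are constructed sample data, and the hidden-iframe regex is a triage heuristic, not a signature.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Triage heuristic for an iframe that is zero-sized or styled invisible.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*?(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>",
    re.IGNORECASE,
)
EXEC_EXT = {".exe", ".dll", ".scr", ".sys"}
WEB_EXT = {".htm", ".html"}

def scan_tree(root, infection_time):
    """Walk an offline-mounted drive and return two sorted lists of paths
    relative to root: executables modified at or after infection_time, and
    HTML files carrying a hidden iframe. The checks are independent on
    purpose: an infector that restores the original timestamp defeats the
    first one but not the second."""
    cutoff = infection_time.timestamp()
    suspects, hidden = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in EXEC_EXT and os.path.getmtime(path) >= cutoff:
                suspects.append(rel)
            elif ext in WEB_EXT:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if HIDDEN_IFRAME.search(fh.read()):
                        hidden.append(rel)
    return sorted(suspects), sorted(hidden)

def build_sample_tree():
    """Construct a throwaway directory that imitates an infected drive
    (constructed sample data, not files from a real infection)."""
    root = tempfile.mkdtemp(prefix="triage_")
    infection = datetime(2009, 11, 19, 12, 0, tzinfo=timezone.utc)
    day_before = infection.timestamp() - 86400
    hour_after = infection.timestamp() + 3600
    bad_page = b'<html><body>Help<iframe src="http://example.invalid/" width=0 height=0></iframe></body></html>'
    ok_page = b'<html><body><iframe src="http://example.invalid/" width="600" height="400"></iframe></body></html>'
    samples = {
        "Windows/explorer.exe": (b"MZ-stub", hour_after),        # touched after infection
        "Windows/regedit.exe": (b"MZ-stub", hour_after),
        "Program Files/Editor/editor.exe": (b"MZ-stub", day_before),
        "Windows/Help/readme.html": (bad_page, hour_after),
        "Users/doc/stats.html": (ok_page, day_before),
    }
    for rel, (data, mtime) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    return root, infection

if __name__ == "__main__":
    suspects, hidden = scan_tree(*build_sample_tree())
    print("executables to purge or restore from install media:", suspects)
    print("HTML files with a hidden iframe:", hidden)
```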

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
Most of the time Virut digs in so deep that purging all infected files renders the system unusable. You pretty much have to reinstall after that anyway.


Oddhair
Mar 21, 2004

I had posted earlier in the thread about finding a computer which had files infected with Virut, but not many. I scanned offline on a different, plain-Jane XP machine I keep off my network just for that kind of thing, and cleaned it up pretty well, and then did a repair install. It seems fine, even now months later. I keep thinking there's some glaring hole in my knowledge that I'm overlooking, like the blind spot in each eye. I should be good, though, right?
