  • Locked thread
PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
So I discovered last night, you can do a lot without explorer running - and holy gently caress does it make life faster. I'm rather fond of being able to shoot every process I don't need running, remove the temp directory, and then abuse cacls to "Fix" the permissions on other user accounts so I can get into them.


Technogeek
Sep 9, 2002

by FactsAreUseless

Parachute Underwear posted:

I have a question: I just realized my parents are still running an admin account on Windows 7 and while UAC is maxed I'd like to get them down to a regular user account. Is a password 100% required or is having UAC maxed on a regular user enough? My dad's pretty savvy but I'd rather my mom and sister not have to deal with passwords every time.

edit: just realized I should've posted in the Win7 thread but it's still kind of on-topic

If they get a UAC prompt when they try to run something like Regedit, then they're safe in that respect.

MeestarK
Aug 12, 2004
Its cold outside
I've got one that's probably pushing me towards recommending the flatten/reinstall to the customer. After removing your run of the mill fake AV (Internet Safeguard maybe) and running what seems to be a clean system, I can't run Windows Updates, launch services.msc, get into System Properties, User Accounts, etc. Whenever I try to launch, the window pops up and disappears instantly.

So far rootkit scans have come up clean, but I left it scanning overnight so I'll see what I find in the morning.

Ted Stevens
Jun 2, 2007

by T. Finn
Hitman Pro didn't find anything? :10bux: says there's a rootkit on there.

Here's another vote for Hitman Pro. Client's computer was infected with some BS AV program and was talking to some IP in Russia. I ran MWB, MSE, and HijackThis on the computer and GMER, found some trojans, but not that bad. I ran a second scan and everything came up clean. An hour later, I get a call saying it's back. Ran MWB and such to only find a Trojan. Ran Hitman Pro and it found not one, but 2 rootkits. Reinstall time.

Crimsonjewfro
Jul 12, 2008

I can't even afford an avatar

Ceros_X posted:

(lots of stuff)

Wow. Thanks for your trouble, dude, even if I didn't understand anything of what was in the IE page. It's still pretty weird it behaved like that.

I'm in a bit of trouble, though.

My computer had been behaving ok up until this fine morning when I boot it to find the MSService window return (it had stopped for a while) and a prompt for a new network! Oh, joy. I instantly pulled off the cable, opened the task manager and manually checked every process one by one to see where they were running from. The most suspicious one was WmiPrvSE.exe which simply refused to tell me where it was running from. Upon searching the computer I found two of it... one, your friendly neighborhood WmiPrvSE.exe running from Windows\System... another, in Windows\SysWOW64, and another in an amd-windows-whateverproviderhost-(bunch of numbers) in Windows\sxs, plus a bunch of .tmf files. I also can't kill it on the task manager. Once the internet is back on, the thing goes crazy, CPU system peaks and two csrss.exe processes appear, as well as trustedinstaller.exe (from Windows\Servicing). Now, I know they're all just regular Windows stuff, but again they're not letting me see where they're running from, which is fishy by my standards (actually, once I plug the internet back in, task manager for some reason doesn't let me see the properties on any process). After a bit of fiddling around with the internet turned off, MSE started going crazy with 50% CPU usage and the system started to hang. Now I rebooted it on Safe Mode and let MSE run to see if it will hopefully find anything, so I'm having to post this from a cybercafé.

Trustedinstaller.exe raised a lot of suspicions (I mean look at its name), but now that I'm googling for it I see it's just a regular file (I'm glad I didn't delete it, though). And I see plenty of search results on google telling me those places for WmiPrvSE.exe are also normal. So I'm confused as to what this could be. It's pretty clear something fishy's going on, but a google search for "MSService Window" returns me only a thread on the xkcd forum (which describes pretty well my problem, though, what the OP there says is exactly what's happening to me) and a link to Bleeping Computer on msservice.exe, which is malware, but I'm not sure it's what I have on my box. As soon as I get home I'm searching for it, though. If I find it, well, what a joy, I can look for a way to fix it. If I don't, I'm not sure what I'll have to do. I'm afraid I may have a rootkit.

Any ideas, goons?

MeestarK
Aug 12, 2004
Its cold outside

Ted Stevens posted:

Hitman Pro didn't find anything? :10bux: says there's a rootkit on there.

Here's another vote for Hitman Pro. Client's computer was infected with some BS AV program and was talking to some IP in Russia. I ran MWB, MSE, and HijackThis on the computer and GMER, found some trojans, but not that bad. I ran a second scan and everything came up clean. An hour later, I get a call saying it's back. Ran MWB and such to only find a Trojan. Ran Hitman Pro and it found not one, but 2 rootkits. Reinstall time.

Nope, Hitman Pro came up clean as well. :iiam:

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Crimsonjewfro posted:

Wow. Thanks for your trouble, dude, even if I didn't understand anything of what was in the IE page. It's still pretty weird it behaved like that.

I'm in a bit of trouble, though.

I'd guess you're looking at a problem with one or more of your Windows system files, since none of what you're describing sounds like a symptom of a virus infection to me, but any number of weird issues can be caused by Windows internals not being in their expected state.

sfc /scannow will check your system files. It may or may not be able to resolve the issue; if not, you'll either need to repair the system files in some fashion (unlikely to be feasible) or reinstall Windows.

At any rate, if you're unable to find peace of mind after scanning repeatedly, you should be reinstalling anyway. It's like a half-hour of system unavailability and a large download from ninite.com compared to however long it's already been unavailable.

Crimsonjewfro
Jul 12, 2008

I can't even afford an avatar

Midelne posted:

I'd guess you're looking at a problem with one or more of your Windows system files, since none of what you're describing sounds like a symptom of a virus infection to me, but any number of weird issues can be caused by Windows internals not being in their expected state.

sfc /scannow will check your system files. It may or may not be able to resolve the issue; if not, you'll either need to repair the system files in some fashion (unlikely to be feasible) or reinstall Windows.

At any rate, if you're unable to find peace of mind after scanning repeatedly, you should be reinstalling anyway. It's like a half-hour of system unavailability and a large download from ninite.com compared to however long it's already been unavailable.

Thanks, I'm starting to suspect something like that too. I'm extra careful with my browsing (updated stuff, no-script, adblock, avoid fishy links and emails, the usual stuff), MSE has cleaned up every one of our portable disks (cellphones, MP4, pendrive... which we don't use on public machines ever since we got an IRC.bot), and most viruses aren't that sneaky.

Something pretty weird happened, though. I went away to do something else while MSE was doing a full scan on safe mode (it takes forever), when the computer simply shut down. I rebooted it, tried to reach safe mode again and it crashed with a blue screen. I waited a while and tried booting again and chose to do that windows disk check and repair thing (I think it is sfc), where it found some corrupted stuff and seemed to fix it. Rebooted again and voila, everything is normal. I didn't even see the MSService Window again (really, what the hell is that window? I find it unlikely to be msservice.exe because I didn't find the file nor the behavior of those worms ThreatExpert finds associated with it).

I'm doing another scan, though, just to be safe, and later I'll see if safe mode is available as usual or hosed up.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Crimsonjewfro posted:

Something pretty weird happened, though. I went away to do something else while MSE was doing a full scan on safe mode (it takes forever), when the computer simply shut down. I rebooted it, tried to reach safe mode again and it crashed with a blue screen.

If you're blue-screening on safe mode and only on safe mode, you have a problem with your Windows system files. Explicitly type in the command sfc /scannow so that you can verify that what you are describing being run is sfc and not the chkdsk scan it runs sometimes when there are inappropriate shutdowns or other potential disk-error-causing scenarios. Again, you need to explicitly request an sfc scan; I am not aware of any circumstances under which Windows will automatically run one without user interaction.

Issues with RAM can also cause enormous issues with performance, and would be consistent with some types of blue-screen crashes. In the future, if you happen to find another BSOD you should probably record the information on it, since it does provide useful diagnostic and error codes.

Loretta Trampface
Sep 12, 2006

by T. Finninho

PopeOnARope posted:

Speaking of Viruses, holy loving gently caress, ThinkPoint was a goddamn epidemic today. 50% of our calls were to handle it.

Fucker pops up in normal, safe modes.

You can bypass it by throwing the horns and killing the process tree on hotfix.exe, but generally the easiest way is to system restore, then mop out the remainders.

That said, when I see MyWebSearch on the system, I can assume it's got e-herpes.

\/ Just scrape offending poo poo out of the appdata folders, program data on the C drive, and blast away the temp files. Should do it.

Note: If you do system restore to kill it, system restore will fail. Don't fret. It worked.

Yup. I got this last night. I was browsing youtube when I got a really legit looking Microsoft Security Essentials window telling me it had detected a virus in firefox.exe. In my drunk confusion/stupidity, I downloaded the "Thinkpoint Trial" it recommended, ran it, and restarted like the kind program told me to :downsgun:. Today I found some of my google searches were getting redirected. Malwarebytes found shell.exe, hotfix.exe, svchost.exe, etc. Malwarebytes didn't seem to have any trouble getting rid of it though so it doesn't seem too bad. It's pretty amazing how legitimate this pop-up looks when you see it, though. I also don't have a clue in hell how I got it when youtube was the only site I was looking at.

pokecapn
Oct 17, 2003

yeah, galo sengen

Loretta Trampface posted:

I also don't have a clue in hell how I got it when youtube was the only site I was looking at.

Because your Flash/Java/Adobe/Everything isn't fully updated.

syscall girl
Nov 7, 2009

by FactsAreUseless
Fun Shoe

pokecapn posted:

Because your Flash/Java/Adobe/Everything isn't fully updated.

Everything you mention here has been so heavily targeted it's almost unfair to be critical of Adobe/Sun but they need to work harder to push updates if they don't want to be held responsible for loving Skynet.

This is one area where I'd side with Steve Jobs, even though I like my Flash games.

pokecapn
Oct 17, 2003

yeah, galo sengen

JustFrakkingDoIt posted:

Everything you mention here has been so heavily targeted it's almost unfair to be critical of Adobe/Sun but they need to work harder to push updates if they don't want to be held responsible for loving Skynet.

Sun doesn't maintain Java anymore :ssh:

Also there's apparently a 0-day for Firefox's Javascript engine which means just about anywhere could be unsafe at the moment.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

pokecapn posted:

Sun doesn't maintain Java anymore :ssh:

Also there's apparently a 0-day for Firefox's Javascript engine which means just about anywhere could be unsafe at the moment.

I actually had a small rant typed up about how archaic the concept of a "safe" site was these days, but eh, who needs rants. :) The thing the last couple years of computer security news should have taught anyone paying attention is not only that vulnerabilities will be widely and automatically exploited as soon as they are disclosed, but that (Stuxnet!) there's no guarantee we as a community will even know that a vulnerability exists until long after the damage has been done.

There are no safe sites anymore.

A Real Happy Camper
Dec 11, 2007

These children have taught me how to believe.
I was looking at a wikia site and got a drive-by java exploit try to run through an infected ad. Nothing happened because java kept crashing before it could infect anything :v:

Phone
Jul 30, 2005

I want oyakodon.
Got a drive-by last night that wouldn't go away. Ran MSE full scan and found like 3 Java exploits. 1 uninstall of Java and 1 install of Malwarebytes later, my computer is now not infected by retarded poo poo spewed on by loving advertising networks.

e: Anybody know why these retarded drive-bys immediately change the proxy settings in IE and Firefox?

Phone fucked around with this message at 01:22 on Oct 28, 2010

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Phone posted:

Got a drive-by last night that wouldn't go away. Ran MSE full scan and found like 3 Java exploits. 1 uninstall of Java and 1 install of Malwarebytes later, my computer is now not infected by retarded poo poo spewed on by loving advertising networks.

e: Anybody know why these retarded drive-bys immediately change the proxy settings in IE and Firefox?

They run a local software proxy that does things like redirect google searches among other things.
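One way to confirm the local-proxy hijack described above without trusting the infected box's own UI, as an added example that is not part of this thread: pull the proxy settings out of artifacts you can collect offline (a `reg export` of the WinINet "Internet Settings" key for IE, and prefs.js from the Firefox profile) and flag any proxy that points back at the machine itself, plus any AutoConfigURL. The two inputs below are constructed samples of what a redirector infection writes; the key and pref names are the real ones, everything else (ports, addresses) is made up.

```python
# Added example: detect a malware-installed local proxy from IE and Firefox settings.
# Inputs you can collect from a suspect machine without running anything on it:
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ie.reg
#   %APPDATA%\Mozilla\Firefox\Profiles\<profile>\prefs.js
import ipaddress
import re

# Constructed sample: what reg export emits for a hijacked IE configuration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:50370"
"AutoConfigURL"="http://127.0.0.1:50370/proxy.pac"
"MigrateProxy"=dword:00000001
'''

# Constructed sample: the prefs.js lines the same infection writes for Firefox.
SAMPLE_PREFS = '''user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.share_proxy_settings", true);
'''

_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
_PREF = re.compile(r'user_pref\("(?P<name>[^"]+)",\s*(?P<val>[^)]+)\);')


def parse_reg_values(text: str) -> dict:
    """Return {name: value} for the string and dword values in a .reg export."""
    out = {}
    for line in text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue
        val = m.group("val")
        if val.startswith("dword:"):
            out[m.group("name")] = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            out[m.group("name")] = val[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    return out


def parse_prefs(text: str) -> dict:
    """Return {pref_name: value} from Firefox prefs.js user_pref() lines."""
    out = {}
    for m in _PREF.finditer(text):
        raw = m.group("val").strip()
        if raw.startswith('"'):
            out[m.group("name")] = raw.strip('"')
        elif raw in ("true", "false"):
            out[m.group("name")] = raw == "true"
        else:
            out[m.group("name")] = int(raw)
    return out


def is_local_proxy(host: str) -> bool:
    """A proxy on the loopback address is the classic search-redirector pattern."""
    host = host.split(":")[0]  # drop the port
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def ie_findings(reg: dict) -> list:
    findings = []
    if reg.get("ProxyEnable") == 1:
        for entry in reg.get("ProxyServer", "").split(";"):
            host = entry.split("=", 1)[-1]  # "http=127.0.0.1:80" -> "127.0.0.1:80"
            if is_local_proxy(host):
                findings.append("IE proxy points at a local listener: " + entry)
    if reg.get("AutoConfigURL"):
        findings.append("IE AutoConfigURL set (a PAC script can silently route traffic): "
                        + reg["AutoConfigURL"])
    return findings


def firefox_findings(prefs: dict) -> list:
    findings = []
    if prefs.get("network.proxy.type") == 1:  # 1 = manual proxy configuration
        for proto in ("http", "ssl", "socks"):
            host = prefs.get("network.proxy." + proto)
            port = prefs.get("network.proxy." + proto + "_port")
            if host and is_local_proxy(host):
                findings.append(f"Firefox {proto} proxy points at a local listener: {host}:{port}")
    return findings


def audit(reg_text: str, prefs_text: str) -> list:
    """Combine both checks; an empty list means no local-proxy hijack was seen."""
    return ie_findings(parse_reg_values(reg_text)) + firefox_findings(parse_prefs(prefs_text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, SAMPLE_PREFS):
        print("[!]", finding)
```

A clean box returns nothing from `audit`; the constructed samples produce three findings (the IE proxy, the PAC URL, and the Firefox HTTP proxy). Removing the entries is not enough on its own: the process listening on that port is the thing to find and kill, and until it is gone it will usually rewrite the settings.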

sfwarlock
Aug 11, 2007

Midelne posted:

There are no safe sites anymore.

Even this one? :tinfoil:

In all seriousness, that's what NoScript is for.

If you're really paranoid, firefox with noscript inside a linux vm.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

sfwarlock posted:

Even this one? :tinfoil:

In all seriousness, that's what NoScript is for.

If you're really paranoid, firefox with noscript inside a linux vm.

NoScript is a huge pain in the rear end and a proper solution is better application sandboxing. IE actually does a very good job of this now and I really wish the Mozilla devs would compile Firefox to use it.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

sfwarlock posted:

In all seriousness, that's what NoScript is for.

NoScript is about the best protection you can have, but there's really nothing you can do in the event that a site you've whitelisted has been quietly compromised and (this would be a fairly rare occasion, admittedly) is serving malware directly from the compromised site instead of pulling from a cheap host in the Ukraine. If you allow any script to run anywhere at any time, you are theoretically as vulnerable as anybody else.

My company's website was hit repeatedly in the recent Network Solutions unpleasantness and had hostile obfuscated Javascript stuck directly into index.html for the page. You literally had to allow scripts to run on our site to get any information (like how to pay your bill :v:) because the amateur web design firm that the company hired back in 2005 or whenever delegated most navigational tasks to Flash. During the periods of time in which we were compromised - I did have a script running to compare hash values every five minutes, but I was not always able to respond quickly - even someone running NoScript would've been hit by a relatively recent Java exploit, at which point NoScript no longer mattered because they had the ability to execute arbitrary code.

Again, don't get me wrong, NoScript is a great, great thing, but the web is built around requiring people to do stupid things to achieve normal functionality. That's going to take a long time to change, if indeed it ever does.

edit: And yeah, like Bangers said, a modern version of IE in Vista/7 with proper UAC settings running in Protected Mode probably would've squashed the ability of this exploit to do anything once it broke out of that particular process.
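The hash-comparison watch described in that post, as an added example rather than the poster's own script: baseline every file under a web root, re-hash on a schedule, and for any HTML or script file that changed, look for the markers of an injected obfuscated loader (decode-then-eval, long fromCharCode chains, zero-size iframes). The site, its pages and the "hostile" JavaScript below are all constructed. Two caveats the post itself hints at: a five-minute interval still leaves a window in which visitors get served the payload, and a checker that runs on the compromised host can be subverted along with it, so run it from somewhere else and fetch the pages the way a visitor would if you can.

```python
# Added example: baseline-and-compare integrity check for a web root, plus a
# heuristic for injected obfuscated <script> content. Not from the original post.
import hashlib
import os
import re
import tempfile


def hash_tree(root: str) -> dict:
    """Map each relative path under root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: files changed, added since baseline, or removed."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Patterns typical of injected loaders seen in mass site compromises:
# decode-then-execute, long fromCharCode chains, and hidden iframes.
_INJECT_PATTERNS = [
    re.compile(r"eval\s*\(\s*(unescape|atob|String\.fromCharCode)", re.I),
    re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"String\.fromCharCode\s*\([^)]{60,}\)", re.I),
    re.compile(r"<iframe[^>]*(width|height)\s*=\s*['\"]?0['\"]?", re.I),
]


def looks_injected(html: str) -> bool:
    """True if the text carries script markers typical of injected loaders."""
    return any(p.search(html) for p in _INJECT_PATTERNS)


def triage(root: str, baseline: dict) -> list:
    """Return (path, reason) for every deviation; changed web files are also scanned."""
    result = compare(baseline, hash_tree(root))
    reasons = []
    for p in result["changed"] + result["added"]:
        reason = "changed" if p in result["changed"] else "added"
        if p.lower().endswith((".html", ".htm", ".js", ".php")):
            with open(os.path.join(root, p), encoding="utf-8", errors="replace") as fh:
                if looks_injected(fh.read()):
                    reason += ", contains obfuscated script"
        reasons.append((p, reason))
    reasons.extend((p, "removed") for p in result["removed"])
    return reasons


# Constructed sample: the shape of an injected loader (decode-then-eval).
HOSTILE_JS = ('<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"'
              '+"%28%27%3c%69%66%72%61%6d%65%27%29"));</script>')


def demo() -> list:
    """Build a tiny site, baseline it, tamper with index.html, and triage."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body><object data='nav.swf'></object></body></html>")
    with open(os.path.join(root, "contact.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>Pay your bill here</body></html>")
    baseline = hash_tree(root)
    with open(os.path.join(root, "index.html"), "a", encoding="utf-8") as fh:
        fh.write(HOSTILE_JS)  # simulate the compromise
    return triage(root, baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"[!] {path}: {reason}")
```

In practice the baseline dict gets written to disk (or somewhere the web server cannot write) after each legitimate deploy, and the cron job calls `triage` against it and alerts on a non-empty result. The content heuristic is deliberately loose; its job is to rank which changed file to look at first, not to replace reading the diff.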

syscall girl
Nov 7, 2009

by FactsAreUseless
Fun Shoe
So a fully updated IE 8 (or 9) would be more secure than Firefox, how about Chrome/Chromium?

I've been using NoScript for years but you're only two clicks away from authorizing something potentially invasive.

I thought Chrome ran in its own sandbox and couldn't execute code outside of it?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

I believe Chrome uses the same file system integrity level system that UAC exposes, like IE's Protected Mode. Basically most things are run in a low integrity mode so they only have read/write access to low integrity areas of the file system (local and locallow in your profile primarily). Unfortunately this can break lovely plugins such as drat near every one on earth so they take some additional steps to isolate plugin processes these days.

sfwarlock
Aug 11, 2007
I spent four hours today dueling Trackpoint or some poo poo that landed in D&S\Application Data\hotfix.exe

Four hours I spent. But I finally got that poo poo and all its fake AV displaying friends off the machine. Combofix. GMER. Recovery console and fixmbr. Boot to Linux and kill DLLs. Everything.

I just got a call (mind, at 11 pm) on my personal cell, from my boss, who got called by his boss.

Dude took the laptop home, and ten minutes later, it cropped back up.

In related news, I just had my first three shots of Jäger.

EDIT: It was clean at 2pm and he was happy. It was clean at 4pm and he was ecstatic. It was dirtied ten minutes after he got home.

sfwarlock fucked around with this message at 15:37 on Oct 28, 2010

Loretta Trampface
Sep 12, 2006

by T. Finninho
Yuupp. I just got the loving thing again on the same machine, and this time I don't have any clue how. All the hotfix/etc stuff is back where it was after having seemingly removed the infection. Either there's something else going on that isn't being picked up yet or there's a rather bad exploit it's using. gently caress it; I'm powering off my Windows PCs and using linux until this blows over.

BeigeJacket
Jul 21, 2005

Hey, looks like the big, scary rootkit I was freaking about a while back...didn't actually exist. I got a support guy to take a look, and he said the logs were all clean and it was zapped when I did the format, and probably wasn't even a rootkit anyway. Turns out the router DNS had been changed, so I factory-reset and changed 'em and now all is right with the world.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
Speaking of the lack of safe sites, zero day for Adobe is actively being exploited.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Midelne posted:

Speaking of the lack of safe sites, zero day for Adobe is actively being exploited.

I'd rather they publish articles when Adobe doesn't have a zero-day out at this point.

Technogeek
Sep 9, 2002

by FactsAreUseless

Midelne posted:

Speaking of the lack of safe sites, zero day for Adobe is actively being exploited.

Is it Tuesday already?

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Technogeek posted:

Is it Tuesday already?

What we really need is http://isthereacriticaladobevulnerability.com similar to the existing http://iscaliforniaonfire.com.

fake-edit: icof appears to be down. It was just a page with the word "YES" and a current timestamp.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
Fun fact: Thinkpoint (and the exploit horses it rode in on) has hosed our call amount so badly that Dell now has a department to specifically handle it.

Other fun fact: I finally ran across my first hosed hosts file the other day! It was just an unending wall of redirects, sending most attempts at Google out to random places of the web.
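A quick way to triage a hosts file like that one, as an added example that is not from the thread: parse it, ignore the legitimate sinkhole entries (127.0.0.1 and 0.0.0.0 lines are how ad-block lists work), and flag two things, well-known search, update or AV domains pinned to a public address, and many unrelated hostnames fanning in to the same single address. The hosts content below is constructed, using the RFC 5737 documentation range for the "attacker" address; the watchlist is a starting point, not a complete one.

```python
# Added example: flag redirect entries in a Windows or Unix hosts file.
# On a real box the file is %SystemRoot%\System32\drivers\etc\hosts or /etc/hosts.
import ipaddress
import re

# Constructed sample: a few legitimate lines followed by redirector entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # a user-added ad blocker entry
203.0.113.5     www.google.com
203.0.113.5     google.com
203.0.113.5     www.bing.com
203.0.113.5     www.microsoft.com   update.microsoft.com
203.0.113.5     www.virustotal.com
"""

# Domains a search redirector or AV-blocker typically targets (assumption: extend it).
WATCHLIST = {"google.com", "bing.com", "yahoo.com", "microsoft.com", "windowsupdate.com",
             "virustotal.com", "malwarebytes.org", "symantec.com", "mcafee.com",
             "kaspersky.com"}

_LINE = re.compile(r"^\s*(?P<addr>\S+)\s+(?P<names>[^#]+?)\s*(#.*)?$")


def parse_hosts(text: str) -> list:
    """Return (ip_address, hostname) pairs, one per hostname, skipping comments."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # malformed line, not an IP
        for name in m.group("names").split():
            pairs.append((addr, name.lower()))
    return pairs


def base_domain(name: str) -> str:
    """Crude registrable-domain guess (last two labels); enough for the watchlist."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def is_sinkhole(addr) -> bool:
    """Loopback and 0.0.0.0 entries block a name rather than redirect it."""
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(pairs: list, fan_in_threshold: int = 3) -> list:
    """Return (hostname, address, reason) for entries that look like a hijack."""
    findings = []
    targets = {}
    for addr, name in pairs:
        dom = base_domain(name)
        if is_sinkhole(addr):
            if dom in WATCHLIST:
                findings.append((name, str(addr), "security/update site blackholed"))
            continue
        targets.setdefault(addr, set()).add(name)
        if dom in WATCHLIST:
            findings.append((name, str(addr), "watchlisted domain redirected"))
    for addr, names in targets.items():
        if len(names) >= fan_in_threshold:
            findings.append(("*", str(addr), f"{len(names)} hostnames fan in to one address"))
    return findings


if __name__ == "__main__":
    for host, addr, reason in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"[!] {host:<24} {addr:<16} {reason}")
```

Two things to check alongside the file itself on a Windows box: the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, which tells the resolver where the hosts file lives and which some families point at a copy of their own, and the router's DNS servers, since the poster a few messages up found the same redirect symptom with a perfectly clean hosts file.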

Ted Stevens
Jun 2, 2007

by T. Finn

Midelne posted:

What we really need is http://isthereacriticaladobevulnerability.com similar to the existing http://iscaliforniaonfire.com.

fake-edit: icof appears to be down. It was just a page with the word "YES" and a current timestamp.

The Adobe vulnerability is so bad, it caused the webserver to crash!

EDIT: Here's another Adobe exploit I just read about:

http://www.networkworld.com/news/2010/102810-hackers-exploit-newest-flash-zero-day.html?source=NWWNLE_nlt_daily_pm_2010-10-28

Ted Stevens fucked around with this message at 17:56 on Oct 29, 2010

hackedaccount
Sep 28, 2009
A week or two ago I switched from AVG 2011 & SpyBot / TeaTimer to Microsoft Security Essentials. Everything has been going well.

Tonight I got a UAC popup for Microsoft Security Essentials. It happened while I was playing a game and not browsing the web or anything exciting. Up until this point, I don't recall getting a UAC popup for anything other than installation. I clicked "no" and went on with my game. I see nothing in the various history logs and have not noticed anything weird with my PC (popups, redirected searches, etc).

What would MSE be doing, on its own, that needed admin?

FronzelNeekburm
Jun 1, 2001

STOP, MORTTIME
Infecting your computer

bag of a bee
Jun 17, 2007

hackedaccount posted:

A week or two ago I switched from AVG 2011 & SpyBot / TeaTimer to Microsoft Security Essentials. Everything has been going well.

Tonight I got a UAC popup for Microsoft Security Essentials. It happened while I was playing a game and not browsing the web or anything exciting. Up until this point, I don't recall getting a UAC popup for anything other than installation. I clicked "no" and went on with my game. I see nothing in the various history logs and have not noticed anything weird with my PC (popups, redirected searches, etc).

What would MSE be doing, on its own, that needed admin?

It was probably updating in the background, your game lost focus for a second when it popped up to start updating and you inadvertently clicked "canceled update" or some other admin action on the MSE menu which prompted the UAC popup.

hackedaccount
Sep 28, 2009
It wasn't a "we found a virus" pop up, it was what seemed to be (or may have been) a real UAC popup for Security Essentials. I lost focus on my window, background went black, popup said Microsoft Corporation as the publisher, etc.

When in doubt, click no (or alt f4), so that's what I did. I just started using the program and I'm not sure why the hell it was asking for admin out of seemingly nowhere.

EDIT: Thanks bee, I'll keep an eye on things. I've been paranoid and clean for years and seeing this weirdness after changing to a new security suite raised a few flags.

hackedaccount fucked around with this message at 12:57 on Oct 30, 2010

Jetsetlemming
Dec 31, 2007

i'Am also a buetifule redd panda

Lately I've noticed the automatic updates process restarting itself. I usually run "net stop 'automatic updates'" when I'm prompted to reboot until I find the time to do so later, but every once in a while after this, it'll restart itself out of nowhere and pop up the reboot prompt. I suspect MSE. It seems like the sort of thing Microsoft would do, occasionally making sure automatic updates is running. Maybe that's what your UAC prompt was?

Threep
Apr 1, 2006

It's kind of a long story.
I haven't had any suspicious UAC popups or MSSE messages lately but today when I opened IE to use my bank's terrible ActiveX-based homebanking, I got a popup stating "key hook failed" which obviously didn't please me but at least it's better than one saying it succeeded.

Anyway, I'm not seeing anything unusual in IE's addons page (only Silverlight and Flash enabled) and MSSE isn't finding anything.

MBAM is next but I'm wondering if anyone's encountered something similar.

edit: Crisis averted, the popup was from ShiftWindow, but at least I got a comforting clean bill of health from MBAM.

Threep fucked around with this message at 12:52 on Oct 31, 2010

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Jetsetlemming posted:

Lately I've noticed the automatic updates process restarting itself. I usually run "net stop 'automatic updates'" when I'm prompted to reboot until I find the time to do so later, but every once in a while after this, it'll restart itself out of nowhere and pop up the reboot prompt. I suspect MSE. It seems like the sort of thing Microsoft would do, occasionally making sure automatic updates is running. Maybe that's what your UAC prompt was?

OS updates can be flagged as critical by Microsoft and force your computer to begin a countdown to reboot. They usually do reserve this functionality for patches that fix things that can do drive-by root elevation (which was in last month's patches) so it could have been that. Since MSE uses the Windows Update functionality to update as well, they could possibly do something similar in the patching cycle for that software. Especially if they see malware that is specifically targeting MSE.

nmfree
Aug 15, 2001

The Greater Goon: Breaking Hearts and Chains since 2006

Midelne posted:

What we really need is http://isthereacriticaladobevulnerability.com similar to the existing http://iscaliforniaonfire.com.

fake-edit: icof appears to be down. It was just a page with the word "YES" and a current timestamp.
http://www.isxkcdshittytoday.com/


Drighton
Nov 30, 2005

Do antivirus LiveCDs ever work for anyone? I found a Kaspersky LiveCD a while ago that apparently isn't updated anymore, so it takes longer to download the latest definition updates as time goes on. I've yet to successfully clean an infection using this LiveCD.

Still, I've run into remote users getting a nasty virus enough times to consider handing a copy to each of them. Since each one of them is visiting a client or otherwise needs to have their files and can't ship the laptop back.
