pienipple
Mar 20, 2009

That's wrong!
I've cleaned up a few boxes using ClamTK from a linux boot cd but it's not one of my main tools by any means.

I have a barebones XP liveCD and keep the installers on my usb key up to date, that seems to be the best balance of convenience and not waiting a jillion hours for updates.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

hackedaccount posted:

It wasn't a "we found a virus" pop up, it was what seemed to be (or may have been) a real UAC popup for Security Essentials. I lost focus on my window, background went black, popup said Microsoft Corporation as the publisher, etc.

When in doubt, click no (or alt f4), so that's what I did. I just started using the program and I'm not sure why the hell it was asking for admin out of seemingly nowhere.

I've noticed MSE needing UAC approval to update itself, rather than its definition files. It's infrequent, but this might explain what you experienced.

Ted Stevens
Jun 2, 2007

by T. Finn
Yeah, semi-recently, there was a major (probably engine-related) update for MSE. This was probably out starting 2 weeks ago or so.

Which could add to the "things that piss you off" thread: See that orange exclamation and regular popup from Microsoft Security Essentials that says a major update is needed for it? Click it! By not doing so, you leave yourself slightly unprotected from viruses and such. All it requires is a little time and a reboot. I went to so many people's computers and saw that popping up.

sfwarlock
Aug 11, 2007

Drighton posted:

Do antivirus LiveCDs ever work for anyone? I found a Kaspersky LiveCD a while ago that apparently isn't updated anymore, so it takes longer to download the latest definition updates as time goes on. I've yet to successfully clean an infection using this LiveCD.

I've used Trinity successfully a couple times.

Prosthetic_Mind
Mar 1, 2007
Pillbug

Drighton posted:

Do antivirus LiveCDs ever work for anyone? I found a Kaspersky LiveCD a while ago that apparently isn't updated anymore, so it takes longer to download the latest definition updates as time goes on. I've yet to successfully clean an infection using this LiveCD.

Even with a cut-down UBCD4WIN setup for business, you still have Avast's free scanner which uses their standard updates (I think). There are some other free rescue scanners that'll run in the PE environment that aren't specifically included but should probably work better than what's on the outdated antivirus livecds.

I still use Avast for my home machines, and this year they added the "pirate" language for talk like a pirate day, which makes the whole talking antivirus thing slightly entertaining if you choose not to turn all the voices off.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
Had an interesting infection at the end of the day today. It created 7 infections similar to the names of the directories they were in (Googlecalendr, and DellDock for example) / files they were near. Each had the same garbage description, was 167KB, and were all created at 3:45PM. I couldn't kill all processes, so I just swapped into another user profile to handle it. The "Trigger" infection that made them call in was Antivirus Studio 2010. I scanned the files with MalwareBytes, and it detected gently caress all. Also, all of them were detected by HJT as having HKCU runs.

What was that?

Maniaman
Mar 3, 2006
Had an Acer on Friday with something called Antivirus8. Malwarebytes couldn't catch/kill it, external MSE scan couldn't get rid of it, ComboFix wouldn't even run on it. I finally got fed up and formatted the thing.

and then spent ages trying to find WLAN drivers for the thing because Acer's website didn't have them.

Toast Museum
Dec 3, 2005

30% Iron Chef
Malwarebytes has really been dropping the ball for me for the past week or so. I'm nearly at the point of recommending flatten and reinstall before even attempting removal.

Kaboobi
Jan 5, 2005

SHAKE IT BABY!
SALT THAT LADY!

Maniaman posted:

Had an Acer on Friday with something called Antivirus8. Malwarebytes couldn't catch/kill it, external MSE scan couldn't get rid of it, ComboFix wouldn't even run on it. I finally got fed up and formatted the thing.

and then spent ages trying to find WLAN drivers for the thing because Acer's website didn't have them.

Just ran into this today, it ate through Malwarebytes, but Combofix nuked it in safe mode. However, it left a "Debugger" registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe that wouldn't let explorer start when you booted up the system. Removed that and it all seemed fine after that.

Kaboobi fucked around with this message at 23:41 on Nov 2, 2010

Drighton
Nov 30, 2005

I think Malwarebytes has become too popular for its own good. Too many viruses target MB installations and/or prevent the setup from running, even after renaming the exe. MB has reported a clean scan while the virus is throwing out its fake notifications, even after successfully ending the process or while in safe mode.

Lately though, every infection I've run into identifies any cleanup tool as a "virus", runs in safe mode, and persists after removal sometimes actually getting worse. I already skip right to a reinstall if the first scan doesn't find it or the virus returns, and I've been having to do that too often.

So using a LiveCD is probably the last stage before I resign to simply flatten and reinstall at the first sight of a virus.

J
Jun 10, 2001

When it comes to fake antivirus stuff I've really never had any luck ever with malwarebytes actually removing it, same goes for spybot, superantispyware, etc. I've found that those programs tend to find trojans, and other random miscellaneous crap that came along with the infection, but as for actually getting rid of the fake antispyware program itself? I've typically had to manually get rid of it, using process explorer and hijack this to track it down, and then use scanners afterwards to clean up the remains or anything else I may have missed.

Otacon
Aug 13, 2002


Just removed a rootkit last night - redbook.sys, infected usbhub.sys, rdpcdd.sys, mrxsmb.sys, and mup.sys - virus names were Rootkitdrv.HS, Alureon.H, and Oficla.M - Combofix helped me immensely, and a repair install finished it off. The biggest issue I had? Figuring out how to use a mouse and keyboard after I nuked the infected usbhub.sys file.

Maniaman
Mar 3, 2006

Otacon posted:

Alureon.H

Alureon is downright evil. I tried to nuke it externally once. MSE would detect it and clean it and it would come right back after a reboot.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
Someone intelligent enough to identify an Antivirus 2010 infection on their own, attempt to remove it, fail, correctly determine which of their personal files could be salvaged and which presented dangers of infection, and retrieve those files and then burn them to a CD before asking me any questions about how to reinstall Windows ..

.. was unfortunately not skeptical enough to avoid giving them a credit card number before getting suspicious. >.<

flatluigi
Apr 23, 2008

here come the planes

Midelne posted:

Someone intelligent enough to identify an Antivirus 2010 infection on their own, attempt to remove it, fail, correctly determine which of their personal files could be salvaged and which presented dangers of infection, and retrieve those files and then burn them to a CD before asking me any questions about how to reinstall Windows ..

.. was unfortunately not skeptical enough to avoid giving them a credit card number before getting suspicious. >.<

Do they have a teenage kid? :v:

Otacon
Aug 13, 2002


Maniaman posted:

Alureon is downright evil. I tried to nuke it externally once. MSE would detect it and clean it and it would come right back after a reboot.

I ended up booting directly into Safe Mode, running Combofix from a flash drive, and walked away for 45 minutes. When I got back, the machine had rebooted, and my mouse and keyboard were both dead, since the usb drivers were part of the rootkit and deleted during the reboot. I let Combofix finish running, saw the popped up log report, and I manually reset the system. Booted into the XP install CD, loaded recovery console and did a "fixmbr" before rebooting - restarted, booted back into the XP CD, and completed a repair install. Walked away again. Came back to see Windows booted up, virus free. This was followed by a less than exciting MalwareBytes session, an uninstallation of McAfee, an installation of MS-SecurityEssentials, and 89 Windows Updates.

Pretty painless, compared to the ones that hollow out the registry like swiss cheese.

EDIT: Actually, first repair-install didn't work: I encountered an error after the first phase of copying files completed:

(The last word is "info")
I removed the hard drive and inspected it on another computer, and found a hidden system file inside system32/config that was exactly 16mb and with random letters as the filename. Virus scans returned nothing unusual, but I removed it anyway. Repair install succeeded after that.

Otacon fucked around with this message at 07:31 on Nov 5, 2010

BillWh0re
Aug 6, 2001


Otacon posted:

Just removed a rootkit last night - redbook.sys, infected usbhub.sys, rdpcdd.sys, mrxsmb.sys, and mup.sys - virus names were Rootkitdrv.HS, Alureon.H, and Oficla.M - Combofix helped me immensely, and a repair install finished it off. The biggest issue I had? Figuring out how to use a mouse and keyboard after I nuked the infected usbhub.sys file.

You might want to try using Kaspersky's TDSSKiller next time you see a TDSS, TDL3 or Alureon infection: http://support.kaspersky.com/viruses/solutions?qid=208280684

Generally tools like that can disinfect the infected driver file without totally removing it.

MeestarK
Aug 12, 2004
Its cold outside
I had TDL3 infect the compbatt.sys but unfortunately TDSSKiller couldn't find it to clean it. However, I have had a lot of success with the tool previous to this one.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

BillWh0re posted:

You might want to try using Kaspersky's TDSSKiller next time you see a TDSS, TDL3 or Alureon infection: http://support.kaspersky.com/viruses/solutions?qid=208280684

Generally tools like that can disinfect the infected driver file without totally removing it.

Yeah, TDSS Killer works. I had a /b/tard call in with a rather beefy collection of infections. One of them was TDSS.3; and Killer repaired it just fine. That said, the last time I handled a rootkit? It infected iastor.sys.

Don't delete that.

\/ I assume it has some kind of rudimentary boot loader that reads the first x bytes of the drive, where the needed driver is copied to.

PopeOnARope fucked around with this message at 00:44 on Nov 8, 2010

sfwarlock
Aug 11, 2007

PopeOnARope posted:

It infected iastor.sys.

Don't delete that.

Which raises a Stupid Question. If Windows needs to have iastor.sys* loaded in memory in order to read the hard drive, how does it read the hard drive to get iastor.sys into memory in the first place?

(*: or some storage driver)

EDIT:

I used to program 80x86 assembly, and I never thought of that. Now I feel dumb. vvv

sfwarlock fucked around with this message at 03:17 on Nov 9, 2010

BillWh0re
Aug 6, 2001


sfwarlock posted:

Which raises a Stupid Question. If Windows needs to have iastor.sys* loaded in memory in order to read the hard drive, how does it read the hard drive to get iastor.sys into memory in the first place?

(*: or some storage driver)

It starts off going through the BIOS int 13 interface until the disk drivers are loaded -- hooking that interface as part of the MBR startup code is how these MBR-infecting rootkits get loaded into Windows in the first place.

Tapedump
Aug 31, 2007
College Slice
Quick related question: What is the method used by malware to disable running of task manager or AV software in Win7x64?

Background: Got roped into a relative's "just take a quick look" ploy and found myself with a Win7x64 system infected with a fake antivirus called Internet Security System or the like running out of a temp folder. Autoruns/deletion took care of it, but taskmanager wouldn't run (no message) nor would the installed MSE's msseces.exe (produced an error message, don't recall it).

I found a handful of reg entries that I'd seen before on another computer blocking AV programs:

code:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="msseces.exe"
"1"="MSASCui.exe"
..etc..
and MBAM found more than seven hundred more in:

code:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
After removing those, MSE runs again. I am curious what other registry locations can be used to block programs and how taskmgr.exe was blocked. Can someone school me a bit?

Edit: What's more, someone at the party had tried a tool called Sergiwa RRT (Remove Restrictions Tool) to remove/repair restrictions a la Dial-a-fix. She said she used the "Execution Debugger" fix to get task manager back. I've never heard of that tool, nor the mentioned fix. Experience stories/theories would be appreciated.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

There's a couple ways to do it, though I believe the most common is to dll hook off of any exe file. What the dll does is up to the baddy, though I've seen it block certain exe's, all exe's, pop up a window saying "%filename%.exe is not safe! buy our crap!". Once you're in you can do as you like.

Oddly enough using the Disallow is something I don't see very often.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Tapedump posted:

After removing those, MSE runs again. I am curious what other registry locations can be used to block programs and how taskmgr.exe was blocked. Can someone school me a bit?

Edit: What's more, someone at the party had tried a tool called Sergiwa RRT (Remove Restrictions Tool) to remove/repair restrictions a la Dial-a-fix. She said she used the "Execution Debugger" fix to get task manager back. I've never heard of that tool, nor the mentioned fix. Experience stories/theories would be appreciated.

I've also never heard of the tool, and the "execution debugger" immediately rings bullshit bells.

You can prevent execution of specific programs in a number of ways - the Task Manager in particular can be non-destructively restricted by altering the local group policy specifically designed for that purpose. If they were feeling creative, they could even use group policy to specifically forbid execution of specific software in the Software Restriction Policy section.

A lot of malware doesn't even bother getting that complicated, though, since they're not up against techs who know the ins and outs of this "task manager" and "command line" rigmarole. They often just stick in a process name blacklist and have the malware kill anything matching those process names.
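An added audit script (not from the thread or from any tool it names) for the blocking locations Tapedump lists and the Task Manager policy Midelne mentions: it walks the DisallowRun policy, the DisableTaskMgr policy and every Image File Execution Options "Debugger" value, and with -Remediate removes what it flags. The DisableTaskMgr value name and the Wow6432Node IFEO path are standard Windows locations not quoted in the thread; the -Remediate switch is this example's own addition.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell on the suspect machine.
param([switch]$Remediate)   # -Remediate deletes what is flagged; default is report only

$findings = @()

foreach ($hive in 'HKCU', 'HKLM') {
    # 1. Explorer "DisallowRun" policy: a DWORD switch plus a subkey listing exe names,
    #    which is the layout Tapedump found (values "0"="msseces.exe", "1"="MSASCui.exe", ...).
    $policy = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $list   = "$policy\DisallowRun"
    if ((Test-Path $policy) -and ((Get-ItemProperty $policy).DisallowRun -eq 1)) {
        $findings += "$hive Explorer policy DisallowRun switch is on"
        if ($Remediate) { Remove-ItemProperty -Path $policy -Name DisallowRun }
    }
    if (Test-Path $list) {
        $item = Get-Item $list
        foreach ($name in $item.GetValueNames()) {
            $findings += "$hive DisallowRun entry '$name' = '$($item.GetValue($name))'"
        }
        if ($Remediate) { Remove-Item -Path $list -Recurse }
    }

    # 2. Task Manager policy (the local group policy restriction Midelne refers to).
    #    DisableTaskMgr is the standard value name behind that policy (assumption: not on the page).
    $system = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if ((Test-Path $system) -and ((Get-ItemProperty $system).DisableTaskMgr -eq 1)) {
        $findings += "$hive DisableTaskMgr = 1 (taskmgr.exe blocked)"
        if ($Remediate) { Remove-ItemProperty -Path $system -Name DisableTaskMgr }
    }
}

# 3. Image File Execution Options: a "Debugger" value silently redirects the named exe
#    to another program (Kaboobi's explorer.exe case). Legitimate uses exist, e.g. a real
#    debugger or Process Explorer replacing taskmgr.exe, so read the value before removing it.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in Get-ChildItem -Path $root) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath).Debugger
        if ($dbg) {
            $findings += "IFEO $($sub.PSChildName): Debugger = '$dbg'"
            if ($Remediate) { Remove-ItemProperty -Path $sub.PSPath -Name Debugger }
        }
    }
}

if ($findings.Count -eq 0) { 'No DisallowRun, DisableTaskMgr or IFEO Debugger entries found.' }
else { $findings }
```

Run it once without -Remediate to review the list, since a flagged IFEO Debugger may be one you installed on purpose.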

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
Smart Engine does it by just disallowing you to run that specific file name (among about 800 others) in group policy.

Hilariously, it also disables other fake antiviruses.

That said, thank gently caress virus makers don't steal ideas from each other. A virus which replaces the shell variable in the registry with itself, blocks usage of many critical files to disinfection (Task Manager, whatup), deletes restore points, and breaks the recovery console would basically require a full wipe every time to deal with on-system.

\/ Correct. But there are rare cases where you get rootkits and their processes that will kill your scanner no matter what it's named.

PopeOnARope fucked around with this message at 08:06 on Nov 17, 2010

Ted Stevens
Jun 2, 2007

by T. Finn
That's why you can get around a number of those viruses by renaming the installer file or program files with good results.

RadicalR
Jan 20, 2008

"Businessmen are the symbol of a free society
---
the symbol of America."
Just got infected with the google redirect virus. Little bugger infects the MBR, so none of the normal guys would detect it. (Malwarebytes or SuperAntiSpyware). I'm running XP 64bit, so Combofix was out. Decided to try HitMan Pro, and it worked like a charm! Let's hope I don't get hit again after the 30 days are up...

sfwarlock
Aug 11, 2007
I'm crossing swords with ThinkPoint or whatever that poo poo is called for the first time.

Pray for me.

Kaboobi
Jan 5, 2005

SHAKE IT BABY!
SALT THAT LADY!

sfwarlock posted:

I'm crossing swords with ThinkPoint or whatever that poo poo is called for the first time.

Pray for me.

Boot into safe mode, kill the process, run combofix, make sure it didn't crap up anything in the registry.

That should take care of it, at least in the two times I ran across it.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Kaboobi posted:

Boot into safe mode, kill the process, run combofix, make sure it didn't crap up anything in the registry.

That should take care of it, at least in the two times I ran across it.

MalwareBytes will easily do it too.

But to simplify:

Throw the horns, kill process tree on hotfix.exe, reset your browser, fix the shell in HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, go into %appdata%\Roaming and kill hotfix.exe, install, thinkpoint.exe

Done in about 10 minutes.

Impotence
Nov 8, 2010
Lipstick Apathy
Just dealt with something that essentially changed the whole routing table so certain IPs were sent to other infected hosts or something in addition to changing proxy settings on IE+FF, DNS settings on adapter, also set network.proxy.socks_remote_dns=true on firefox for some reason

Nuked, didn't bother trying to clean it.

:psyduck:

wintermuteCF
Dec 9, 2006

LIEK HAI2U!

BillWh0re posted:

You might want to try using Kaspersky's TDSSKiller next time you see a TDSS, TDL3 or Alureon infection: http://support.kaspersky.com/viruses/solutions?qid=208280684

Generally tools like that can disinfect the infected driver file without totally removing it.

Seconding this. Managed to clean Alureon.H from my girlfriend's system with it, took three minutes and a reboot.

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

PopeOnARope posted:

MalwareBytes will easily do it too.

But to simplify:

Throw the horns, kill process tree on hotfix.exe, reset your browser, fix the shell in HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, go into %appdata%\Roaming and kill hotfix.exe, install, thinkpoint.exe

Done in about 10 minutes.

Careful; I've seen it throw crap in the userinit entry, as well.
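An added check (not from the thread) for the Winlogon Shell hijack PopeOnARope describes and the Userinit entry Space Gopher warns about: it compares the HKLM Winlogon values against their stock settings and flags any per-user Shell or Userinit override in HKCU, which a clean profile does not have. The stock Userinit value with its trailing comma is the standard Windows default and an assumption of this example, not something quoted in the thread.

```powershell
# Added example, not from the thread. Reports Winlogon tampering; it changes nothing.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is stock (assumption)
}
$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userKey    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

$report = @()

# Machine-wide values: anything other than the stock string is worth a look.
$machine = Get-ItemProperty -Path $machineKey
foreach ($name in $expected.Keys) {
    $actual = $machine.$name
    if ($actual -ne $expected[$name]) {
        $report += "HKLM Winlogon $name = '$actual' (expected '$($expected[$name])')"
    }
}

# Per-user values: the HKCU Winlogon key exists on clean systems, but Shell and Userinit
# values under it do not. A fake-AV that writes its own Shell here (the fix PopeOnARope
# describes) hijacks only the infected profile, which is why safe mode on another account works.
if (Test-Path $userKey) {
    foreach ($name in $expected.Keys) {
        $override = Get-ItemProperty -Path $userKey -Name $name -ErrorAction SilentlyContinue
        if ($override) {
            $report += "HKCU Winlogon override $name = '$($override.$name)' (should not exist)"
        }
    }
}

if ($report.Count -eq 0) { 'Winlogon Shell and Userinit are stock for this machine and user.' }
else { $report }
```

Any path the script reports that is not userinit.exe or explorer.exe is the file to inspect before deleting the value, so the real binary is not lost with it.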

Astro7x
Aug 4, 2004
Thinks It's All Real
Weird question here...

I'm getting really tired of PC viruses from simply browsing the web. Aside from always keeping my browser and java and whatnot up to date, are there any plugins which will help limit computer viruses? I'm all for disabling functionality if it means no viruses.

Because of viruses I am thinking of completely getting rid of having a Windows PC when my laptop eventually dies and running windows on my Mac through some utility like Parallels or VMWare. So if I'm running a virtual windows machine, what happens to my mac when my windows machine gets infected with a virus?

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

Astro7x posted:

Weird question here...

I'm getting really tired of PC viruses from simply browsing the web. Aside from always keeping my browser and java and whatnot up to date, are there any plugins which will help limit computer viruses? I'm all for disabling functionality if it means no viruses.

Because of viruses I am thinking of completely getting rid of having a Windows PC when my laptop eventually dies and running windows on my Mac through some utility like Parallels or VMWare. So if I'm running a virtual windows machine, what happens to my mac when my windows machine gets infected with a virus?

NoScript for Firefox is the nuclear bomb of web exploit prevention. It's a pain in the rear end to work with (lots of sites won't work until you whitelist them, but if you get overbroad in what you let through, you're sacrificing protection), but if you set it up right it's as close to ironclad as you can get.

If you'd rather not deal with NoScript hassles, and are running Vista or 7, you're actually better off with IE or Chrome. UAC allows the browser to establish a secure "sandbox" - malware can try to play in there, but it won't be allowed access to the rest of the system. Obviously, this isn't 100% foolproof, but it really helps cut down the worst stuff.

If you get an infection inside a VM, the virus can't escape unless you let it out. Some of the really nasty stuff out there will actually try to detect that it's inside a VM, and not do anything, because "throw it in a VM and watch what it does" is an important tool for security researchers.

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.

Astro7x posted:

Weird question here...

I'm getting really tired of PC viruses from simply browsing the web. Aside from always keeping my browser and java and whatnot up to date, are there any plugins which will help limit computer viruses? I'm all for disabling functionality if it means no viruses.

Because of viruses I am thinking of completely getting rid of having a Windows PC when my laptop eventually dies and running windows on my Mac through some utility like Parallels or VMWare. So if I'm running a virtual windows machine, what happens to my mac when my windows machine gets infected with a virus?

Only browse on a limited account. If you have Windows 7 or Vista it is really easy to deal with since they have an elevation prompt for admin credentials. Then only plug in your credentials if it is something you really want to install on your computer.

sfwarlock
Aug 11, 2007

Space Gopher posted:

NoScript for Firefox is the nuclear bomb of web exploit prevention. It's a pain in the rear end to work with...

(...)

If you get an infection inside a VM, the virus can't escape unless you let it out. Some of the really nasty stuff out there will actually try to detect that it's inside a VM, and not do anything, because "throw it in a VM and watch what it does" is an important tool for security researchers.

I have gone a step farther... I have a Linux VM (because Linux is free) on my Windows machine, and random browsing happens inside it.

vvv

I'm corporate (academic, actually) IT and yes, a lot of businesses are still on XP.

sfwarlock fucked around with this message at 03:23 on Nov 19, 2010

Blind Rasputin
Nov 25, 2002

Farewell, good Hunter. May you find your worth in the waking world.

Sorry to ask but, are you guys who are dealing with virus infections IT people for companies or are you just lowly old end users like me getting fricken hammered or something. I notice a lot of you still use XP, is that it?

I am using Windows Vista and Windows 7 and have Sophos on all of them and never have a problem. Our work's core machines have some stupid little trojans on them that love flying around on USB sticks but Sophos slaps them down immediately and they never seem to do anything (it is always a Tater.F variant).

Anyways, hope all of you well if you are just nice goons who are getting viruses from surfing the web, but I would sleep a lot better at night knowing that you all are actually IT guys kickin some rear end to save some other poor saps hard drive.

repeater
Dec 21, 2001

"Choo-Choo"
The Hurkey Jerkey Dancer
Heads up to anyone using Avira Personal and Windows XP SP3.

There is a pretty severe resource/memory leak that was introduced in the new Avira 10 SP1 release that was pushed out to everyone around 11/2 this month.

It results in the computer slowly being starved of resources until it becomes completely unresponsive.

You most likely won't be able to open up task manager or perform a graceful shutdown, you will have to do a hard power off. It takes anywhere from a few hours to a day to reach that state.

I was banging my head against this for the first few weeks of this month, and getting a bunch of calls from family and friends asking me why their computers suddenly sucked. I went crazy looking for rootkits, testing hardware, etc - until I put together that everyone calling me were all people I had recommended Avira to.

The workaround right now is to disable the self-protection feature of Avira which is apparently the source of the leak (avipbb.sys). This can be done by going to "Configuration", making sure "Expert Mode" is checked, and unchecking "General > Security > Protect files and registry entries from manipulation".

So far Avira has not responded or issued an official patch, but there are a ton of pissed off people in their forums:

http://forum.avira.com/wbb/index.php?page=Thread&threadID=122344
http://forum.avira.com/wbb/index.php?page=Thread&threadID=122640
http://forum.avira.com/wbb/index.php?page=Thread&threadID=122658
http://forum.avira.com/wbb/index.php?page=Thread&threadID=122567
http://forum.avira.com/wbb/index.php?page=Thread&threadID=122672

repeater
Dec 21, 2001

"Choo-Choo"
The Hurkey Jerkey Dancer
On the plus side, the new SP1 release of Avira removed the annoying advertising popup that all the other free versions had.

I wouldn't have minded that thing so much if it didn't constantly screw up and do dumb things like popping up as a 1x1 window, or popping up hundreds of pixels to the right of my visible desktop space.

Might be time to move to Avast!...