  • Locked thread
Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

repeater posted:

On the plus side, the new SP1 release of Avira removed the annoying advertising popup that all the other free versions had.

I wouldn't have minded that thing so much if it didn't constantly screw up and do dumb things like popping up as a 1x1 window, or popping up hundreds of pixels to the right of my visible desktop space.

Might be time to move to Avast!...

If you're using anything but Microsoft Security Essentials, you're doing free antivirus wrong.


Capnbigboobies
Dec 2, 2004

Space Gopher posted:

If you're using anything but Microsoft Security Essentials, you're doing free antivirus wrong.

I agree, but I am annoyed to see machines I put it on still get massively infected. It's just too drat easy in XP to kill AV processes. It really is a joke.

repeater
Dec 21, 2001

"Choo-Choo"
The Hurkey Jerkey Dancer

Capnbigboobies posted:

I agree, but I am annoyed to see machines I put it on still get massively infected. It's just too drat easy in XP to kill AV processes. It really is a joke.

MSE has no self-protection whatsoever, but one could also argue that self-protection is useless if the malware already makes it past the software. From what I've read, their philosophy is that privilege escalation should be configured so that just can't happen and it shouldn't be the virus scanner's job. Shrug.

I'm giving it a shot. The main thing that kept me away from using MSE for so long was lack of fine-grained controls over the guard/scan behavior. A few of my machines are audio workstations that need super low disk latency, and I like being able to unhook realtime file/process guard for just that stuff and then just doing nightly scans later for paranoia.

MSE seems to just have a big exceptions bucket where it's all or nothing for directories and processes. It does seem a lot less resource intensive though, so I'm gonna just see if it works out ok without tweaking it at all.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

If you're having virus problems, try forcing DEP to OptOut mode and if you are on Vista/Win7 enabling SEHOP. Those can mitigate against a lot of browser exploits. Also uninstall/disable browser plugins that you have no need for. Java and Quicktime are the ones that tend to be installed that people don't really have use for in the first place.
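
The two mitigations above are boot-configuration and registry switches, and the way a practitioner usually gets bitten is assuming they are on when they are not. The following is an added example (not code from the thread) that reads the relevant settings and prints the fix for whatever is weak: the DEP policy comes from the `nx` line of `bcdedit /enum {current}` (absent means the client default, OptIn), and SEHOP comes from the `DisableExceptionChainValidation` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel` (0 means enabled; a missing value means off on Windows 7 client, on for Server 2008). `SAMPLE_BCDEDIT` is a constructed listing so the checks can be exercised off-box; on Windows, run it from an elevated prompt and it queries the real values.

```python
"""Audit DEP and SEHOP on a Windows box and print the fix for whatever is weak.

Added example, not from the thread. The parsing is kept in pure functions so it
can be exercised offline on a constructed bcdedit listing (SAMPLE_BCDEDIT).
"""
import re
import subprocess
import sys

# Remediation commands: the DEP change from the post above, and the SEHOP
# registry switch Microsoft documents for Vista SP1 / Windows 7 (0 = enabled).
DEP_FIX = r"bcdedit /set {current} nx OptOut"
SEHOP_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
SEHOP_FIX = ('reg add "HKLM\\' + SEHOP_KEY +
             '" /v DisableExceptionChainValidation /t REG_DWORD /d 0 /f')

# Constructed sample of `bcdedit /enum {current}` output on a default Win7 install.
SAMPLE_BCDEDIT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
nx                      OptIn
"""

_NX_LINE = re.compile(r"^\s*nx\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def dep_policy(bcdedit_output):
    """Return the DEP policy named on the 'nx' line of bcdedit output.

    The line is absent when nobody ever changed it; client Windows then runs
    OptIn, i.e. DEP only for Windows binaries, not for the browser and plugins.
    """
    m = _NX_LINE.search(bcdedit_output)
    return m.group(1) if m else "OptIn"


def dep_is_hardened(policy):
    # OptOut and AlwaysOn cover every process (OptOut keeps an exclusion list).
    return policy.lower() in ("optout", "alwayson")


def sehop_enabled(disable_value, server_sku=False):
    """DisableExceptionChainValidation: 0 = SEHOP on, 1 = off.

    When the value is missing, Windows 7 client defaults to off and
    Windows Server 2008 to on, so the SKU decides.
    """
    if disable_value is None:
        return server_sku
    return int(disable_value) == 0


def audit(bcdedit_output, sehop_value, server_sku=False):
    """Return [(mitigation, current_state, fix_command)] for everything weak."""
    findings = []
    policy = dep_policy(bcdedit_output)
    if not dep_is_hardened(policy):
        findings.append(("DEP", policy, DEP_FIX))
    if not sehop_enabled(sehop_value, server_sku):
        state = "not set" if sehop_value is None else "disabled"
        findings.append(("SEHOP", state, SEHOP_FIX))
    return findings


def live_inputs():
    """Read the real values on Windows; run from an elevated prompt."""
    import winreg  # imported here so the module still loads on non-Windows

    out = subprocess.run(["bcdedit", "/enum", "{current}"],
                         capture_output=True, text=True, check=True).stdout
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SEHOP_KEY) as key:
            value = winreg.QueryValueEx(key, "DisableExceptionChainValidation")[0]
    except FileNotFoundError:
        value = None
    return out, value


if __name__ == "__main__":
    if sys.platform == "win32":
        bcd, sehop = live_inputs()
    else:
        bcd, sehop = SAMPLE_BCDEDIT, None   # demo on the constructed sample
    for name, state, fix in audit(bcd, sehop):
        print("%s is %s; fix: %s" % (name, state, fix))
```

Both fixes need a reboot to take effect, and OptOut is the useful setting precisely because it keeps an exclusion list: if an old plugin crashes under DEP you exempt that one binary instead of turning the policy back off.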

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
I don't know what it is about Antivirus 8, but rather than upgrade the fake program itself, the creators think of ways to just be bigger assholes with it. AV8 is usually accompanied by some form of TDSS under XP, and today was icing on the cake.

TDSSKiller detected TDSS 4, in the MBR.

Motherfucker.

Serfer
Mar 10, 2003

The piss tape is real



Jesus christ, Antivirus 2010 went from just a minor annoyance, to a major loving headache. Now it installs a rootkit.

I got a machine in yesterday with a bad infection from it. It would allow superantispyware, malwarebytes, etc to install, but after a couple seconds of running, would kill the process and remove all rights on the executable. Same with hijackthis, rootkit revealer, etc. I can stop the driver its using to do the insidious stuff, even delete the sys file from WinPE, but it keeps coming back every reboot. AVG, Superantispyware, Malwarebytes, TDSSKiller, they all did fuckall. Reformat was the only option.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Serfer posted:

Jesus christ, Antivirus 2010 went from just a minor annoyance, to a major loving headache. Now it installs a rootkit.

I got a machine in yesterday with a bad infection from it. It would allow superantispyware, malwarebytes, etc to install, but after a couple seconds of running, would kill the process and remove all rights on the executable. Same with hijackthis, rootkit revealer, etc. I can stop the driver its using to do the insidious stuff, even delete the sys file from WinPE, but it keeps coming back every reboot. AVG, Superantispyware, Malwarebytes, TDSSKiller, they all did fuckall. Reformat was the only option.

Safe Mode with Command Prompt? Then run poo poo, should be fine. Just as well, make sure it's not an MBR rootkit. Otherwise you're hosed.

Serfer
Mar 10, 2003

The piss tape is real



PopeOnARope posted:

Safe Mode with Command Prompt? Then run poo poo, should be fine. Just as well, make sure it's not an MBR rootkit. Otherwise you're hosed.

It still comes back after reboot. If removing it from WinPE didn't get rid of it, Safe Mode wouldn't do anything.

I didn't even think about it being in the MBR, I hope it isn't.

Edit: Supposedly it creates a randomly named dll that gets loaded somewhere in the boot process. I presume that's what it's still doing, but I couldn't for the life of me figure out which dll it was. If Superantispyware and Malwarebytes couldn't find the signature of the file, I was out of ideas.

Serfer fucked around with this message at 03:56 on Nov 21, 2010

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
For an MBR rootkit, can't you just boot into a Linux disk, zero the MBR, then boot into WinPE and put it back? What can the virus do to prevent that?

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Ensign Expendable posted:

For an MBR rootkit, can't you just boot into a Linux disk, zero the MBR, then boot into WinPE and put it back? What can the virus do to prevent that?

Load up in Linux, clearly. But yeah, there are tools to disinfect the MBR. TDSSKiller is one, and it's very capable.

sfwarlock
Aug 11, 2007

PopeOnARope posted:

Load up in Linux, clearly. But yeah, there are tools to disinfect the MBR. TDSSKiller is one, and it's very capable.

Um. Boot a windows cd, fixmbr, fixboot, done?

Serfer posted:

It still comes back after reboot. If removing it from WinPE didn't get rid of it, Safe Mode wouldn't do anything.

(...)

If Superantispyware and Malwarebytes couldn't find the signature of the file, I was out of ideas.

Combofix.

Serfer
Mar 10, 2003

The piss tape is real



sfwarlock posted:

Combofix.

That also did nothing. Even tried hijackthis as a last ditch, which of course came up with nothing.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
We came across Win32.TDSS.TDL4 in the wild today. On a Windows 7 x64 system :toot:

TDSSKiller resulted in an unmountable boot volume. So we imaged it. It still wouldn't boot, and FixMBR is not an option.

TO-Milamber
May 10, 2004

Just ran into the latest variant of the win7 antispyware 2010 (now 2011) malware that makes it look like windows security has detected dozens of trojans/virii and can only be fixed with applying heavy doses of credit card numbers. Spent half the day trying to get it off since MSE and Malwarebytes didn't recognize it. Only good thing was it directed me to softwarepayment1.com which I've reported to everyone I can think of from the registrar to the FBI.

CounterSpy ended up recognizing it and removing the file, but now every program I try to run can't open because it tries to open a file named ssvagent.exe (even when trying to open a new tab in explorer) and it wants to know what program to use to try to open it. Running as admin is working for the most part. Just going to do a fresh install this weekend.

TO-Milamber fucked around with this message at 01:34 on Nov 22, 2010

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
Just ran into some weird-rear end virus or mix of viruses. While the computer was connected to the internet, Notepad windows opened every few seconds with a pile of Javascript in them. I recall a part where it said "PID=..." and then a PID, that was different every time. If I tried to open Internet Explorer, it would hide the window and offer to download ieframe.dll, or something along those lines. Safe Mode didn't help. I tried to at least get the machine to a state where I could actually give it some useful input and attempt to recover by rolling back to a system restore point, but the computer lost all ability to connect to any network; the only addresses it could obtain were in the 169.254.0.0/16 range.

Since I had no Internet connection and no flash drive with a write protect switch, I ended up just reinstalling the whole thing. Has anyone else seen something like this?

Impotence
Nov 8, 2010
Lipstick Apathy

Serfer posted:

Jesus christ, Antivirus 2010 went from just a minor annoyance, to a major loving headache. Now it installs a rootkit.

I got a machine in yesterday with a bad infection from it. It would allow superantispyware, malwarebytes, etc to install, but after a couple seconds of running, would kill the process and remove all rights on the executable. Same with hijackthis, rootkit revealer, etc. I can stop the driver its using to do the insidious stuff, even delete the sys file from WinPE, but it keeps coming back every reboot. AVG, Superantispyware, Malwarebytes, TDSSKiller, they all did fuckall. Reformat was the only option.

http://www.theregister.co.uk/2010/11/18/zeroaccess_rootkit_deconstructed/
http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/
possibly? :iiam:

BillWh0re
Aug 6, 2001


PopeOnARope posted:

We came across Win32.TDSS.TDL4 in the wild today. On a Windows 7 x64 system :toot:

TDSSKiller resulted in an unmountable boot volume. So we imaged it. It still wouldn't boot, and FixMBR is not an option.

Since it sounds like you have an imaging solution, could it be that this is somehow confusing the whole MBR/partition boot situation? How about any full disk encryption software or RAID? These can all complicate the MBR cleaning process, though I'm not sure how TDSSKiller specifically deals with them.

If you can boot a Linux or Windows environment from CD, you can use a hex editor to copy an MBR from a clean Windows drive, but you'll need to be careful only to copy the code portion of the MBR, not the partition table (just the first 0x1b8 bytes).

There's an outside chance that the TDL4 rootkit has started encrypting the partition table to make fixmbr unusable, but I think other reasons are more likely.
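
The hex-editor procedure above (copy only the first 0x1B8 bytes) is worth spelling out in code, because the reason for stopping at 0x1B8 is easy to get wrong: bytes 0x1B8-0x1BB hold the NT disk signature that Windows keys MountedDevices and the BCD on, and 0x1BE-0x1FD hold the partition table, so overwriting either from another machine's MBR produces exactly the unbootable volume described a few posts up. The following is an added example, not code from the thread; the two 512-byte sectors it works on are constructed demo data, and it refuses a GPT disk's protective MBR (type 0xEE) since that layout needs different handling.

```python
"""Rebuild the boot-code region of a suspect MBR from a known-clean MBR while
keeping the disk signature and partition table. Added example, not from the
thread; the two 512-byte sectors below are constructed demo data."""
import struct

SECTOR = 512
CODE_END = 0x1B8    # bootstrap code: bytes 0x000..0x1B7
SIG_OFF = 0x1B8     # 4-byte NT disk signature (+2 reserved); MountedDevices/BCD key on it
PT_OFF = 0x1BE      # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"
GPT_PROTECTIVE = 0xEE


def parse_partitions(mbr):
    """Return (bootable, type_id, lba_start, sector_count) for the four entries."""
    entries = []
    for i in range(4):
        e = mbr[PT_OFF + 16 * i: PT_OFF + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", e, 8)
        entries.append((e[0] == 0x80, e[4], start, count))
    return entries


def disk_signature(mbr):
    return struct.unpack_from("<I", mbr, SIG_OFF)[0]


def validate(mbr):
    """Refuse anything that is not a plain 512-byte MBR we know how to patch."""
    if len(mbr) != SECTOR or mbr[0x1FE:] != BOOT_SIG:
        raise ValueError("not a 512-byte MBR with 55AA signature")
    parts = parse_partitions(mbr)
    if any(p[1] == GPT_PROTECTIVE for p in parts):
        raise ValueError("protective MBR of a GPT disk; do not patch with this tool")
    if sum(1 for p in parts if p[0]) > 1:
        raise ValueError("more than one active partition; table looks corrupt")


def is_patchable(mbr):
    try:
        validate(mbr)
        return True
    except ValueError:
        return False


def repair_mbr_code(suspect, clean):
    """Take the code bytes from `clean`, everything from 0x1B8 on from `suspect`."""
    validate(suspect)
    validate(clean)
    return clean[:CODE_END] + suspect[CODE_END:]


def repair_image(path, clean_path):
    """Patch sector 0 of a disk image (or a raw device opened with admin rights)."""
    with open(clean_path, "rb") as f:
        clean = f.read(SECTOR)
    with open(path, "r+b") as f:
        suspect = f.read(SECTOR)
        f.seek(0)
        f.write(repair_mbr_code(suspect, clean))


def build_mbr(code, signature, partitions):
    """Assemble a demo MBR (constructed data, not a real boot sector)."""
    code = code.ljust(CODE_END, b"\x00")[:CODE_END]
    sig = struct.pack("<I", signature) + b"\x00\x00"
    table = b""
    for bootable, ptype, start, count in partitions:
        table += bytes([0x80 if bootable else 0, 0, 0, 0, ptype, 0, 0, 0])
        table += struct.pack("<II", start, count)
    return code + sig + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed samples: CLEAN opens like a stock Windows MBR (33 C0 8E D0 BC 00 7C);
# SUSPECT has a different code region but carries the real disk's table/signature.
CLEAN_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"clean-code",
                      0x11223344, [(True, 0x07, 2048, 204800)])
SUSPECT_MBR = build_mbr(b"\xEB\xFE" + b"replaced-code",
                        0xDEADBEEF, [(True, 0x07, 2048, 204800),
                                     (False, 0x07, 206848, 1000000)])

if __name__ == "__main__":
    fixed = repair_mbr_code(SUSPECT_MBR, CLEAN_MBR)
    print("code restored:", fixed[:CODE_END] == CLEAN_MBR[:CODE_END])
    print("signature kept: 0x%08X" % disk_signature(fixed))
    print("partitions kept:", parse_partitions(fixed) == parse_partitions(SUSPECT_MBR))
```

From a Linux live CD the suspect sector is `dd if=/dev/sda of=mbr.bin bs=512 count=1` and the clean one comes from a known-good Windows install of the same generation; write back with the same `dd` reversed. Do it offline, as the thread says: a running rootkit driver that hooks disk I/O can hand you a clean-looking sector and silently undo the write, which is one way "it keeps coming back every reboot" happens.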

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

BillWh0re posted:

Since it sounds like you have an imaging solution, could it be that this is somehow confusing the whole MBR/partition boot situation? How about any full disk encryption software or RAID? These can all complicate the MBR cleaning process, though I'm not sure how TDSSKiller specifically deals with them.

If you can boot a Linux or Windows environment from CD, you can use a hex editor to copy an MBR from a clean Windows drive, but you'll need to be careful only to copy the code portion of the MBR, not the partition table (just the first 0x1b8 bytes).

There's an outside chance that the TDL4 rootkit has started encrypting the partition table to make fixmbr unusable, but I think other reasons are more likely.

I work with Dells. All day. And I don't have physical access to any of them; TDSS Killer can clean up TDL4 just fine, I had it do that just a few days prior. It seems like what it does best is kills the MBR though on x64 systems (Mind you, my co-worker was also using 2.4.1 instead of 2.4.4)

Oddhair
Mar 21, 2004

I had a real doozy of a Thinkpoint this weekend, and the laptop wasn't helping me either. It's a Dell Vostro 1720 which came with Vista and was downgraded to XP. Couldn't run: Iexplore, Taskmgr, Regedit, Firefox, etc. I found lots of .dlls in her profile, set to start up in both HKCU and HKLM. Hijackthis was able to delete some of the dll entries, but I couldn't get rid of Hotfix.exe, under which everything in userland was running. Local group policy was set to disallow ActiveX, so Services.msc would load and be blank, same for gpedit.msc :froggonk:

I tried scanning offline, and then it failed to boot. Since it was once Vista, every boot it asks which OS to run, with Vista being the only choice, but once you select Vista it runs XP. I couldn't get XP media to boot for recovery, it kept crashing with a BSOD before the first interactive prompt, so no console for me. The Vista disk would boot, but the repair console would error out indicating it was for a different version of Windows. I figured maybe the drive has issues after I put two different XP media in my own computer and tried recovery from there.

This next part is my fault, I had a spare SATA hard drive, and it was once used with a Power Mac so now it's GPT instead of MBR. Windows 7 Diskpart wouldn't convert it, Vista's wouldn't convert, I believe because the drive had partitions, though one was the EFI partition.

I finally caved (at ~2:00 this morning, she needed it for 8:00 AM) and installed a spare Vista license I had sitting unused because 7 is better, had the presence of mind to not saddle her with x64 Vista, but I'll probably still have to try to get XP back on it sometime over the long weekend.

Any ideas as to why I can't install XP? I see the HD has a feature called G Force which helps prevent data loss in the event of butterfingers, but it doesn't seem like that would cause any kind of incompatibility.

Edit: I see it's also a 4K sector HD, could this be throwing me off too?

Edit2: Yeah, apparently they don't support 4k natively, and so the writes aren't aligned and performance suffers, but I'm inclined to agree with you the drive might be tanking.

Oddhair fucked around with this message at 18:57 on Nov 22, 2010

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Oddhair posted:

I couldn't get XP media to boot for recovery, it kept crashing with a BSOD before the first interactive prompt, so no console for me.

Google suggests that you are correct in suspecting that XP does not natively support 4k hard drives, but this still seems sketchy to me since (from memory) the first interactive prompt is prior to the hard drive check. Could be wrong, but a straight up BSOD strikes me as an unexpectedly strong response from software, and usually makes me think of impending hardware failure.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Oddhair posted:

I had a real doozy of a Thinkpoint this weekend, and the laptop wasn't helping me either. It's a Dell Vostro 1720 which came with Vista and was downgraded to XP. Couldn't run: Iexplore, Taskmgr, Regedit, Firefox, etc. I found lots of .dlls in her profile, set to start up in both HKCU and HKLM. Hijackthis was able to delete some of the dll entries, but I couldn't get rid of Hotfix.exe, under which everything in userland was running. Local group policy was set to disallow ActiveX, so Services.msc would load and be blank, same for gpedit.msc :froggonk:

I tried scanning offline, and then it failed to boot. Since it was once Vista, every boot it asks which OS to run, with Vista being the only choice, but once you select Vista it runs XP. I couldn't get XP media to boot for recovery, it kept crashing with a BSOD before the first interactive prompt, so no console for me. The Vista disk would boot, but the repair console would error out indicating it was for a different version of Windows. I figured maybe the drive has issues after I put two different XP media in my own computer and tried recovery from there.

This next part is my fault, I had a spare SATA hard drive, and it was once used with a Power Mac so now it's GPT instead of MBR. Windows 7 Diskpart wouldn't convert it, Vista's wouldn't convert, I believe because the drive had partitions, though one was the EFI partition.

I finally caved (at ~2:00 this morning, she needed it for 8:00 AM) and installed a spare Vista license I had sitting unused because 7 is better, had the presence of mind to not saddle her with x64 Vista, but I'll probably still have to try to get XP back on it sometime over the long weekend.

Any ideas as to why I can't install XP? I see the HD has a feature called G Force which helps prevent data loss in the event of butterfingers, but it doesn't seem like that would cause any kind of incompatibility.

Edit: I see it's also a 4K sector HD, could this be throwing me off too?

Edit2: Yeah, apparently they don't support 4k natively, and so the writes aren't aligned and performance suffers, but I'm inclined to agree with you the drive might be tanking.

That wasn't just ThinkPoint. Also, try safe mode with command prompt in future. / use a boot disk

Oddhair
Mar 21, 2004

Yeah, I'm sure it wasn't just one, there were scads of files in her profile and dozens of registry entries in HJT, but the booting from CD/DVD never worked. I should have used Safe+Command but I was swamped over the weekend putting 12 cubicles where 6 used to be, this was a side job with a deadline. I finally got fresh Vista on it but she absolutely can't use anything other than XP...

Forgot to mention there was RPCNet there as well, might have even been legitimate, but every time I'd kill it (reflexive RPC=bad thinking on my part) the computer would go into 1:00 shutdown mode.

VVVVVVV It's an edict from IT on high, they literally won't or can't use Vista or 7 for reasons she couldn't explain to me, possibly a piece of software. I'm miffed because I couldn't get XP back on, so it's like I didn't complete the job. I don't doubt I'll get paid, they're great about that (this is a couple of friends,) but I feel bad not finishing the whole task. I also ordered her a keyboard on her instruction the same day she ordered one from Dell, but I can't fault her for using her hardware warranty.

Edit: now with screenshotty goodness:



Oddhair fucked around with this message at 20:14 on Nov 23, 2010

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Oddhair posted:

Yeah, I'm sure it wasn't just one, there were scads of files in her profile and dozens of registry entries in HJT, but the booting from CD/DVD never worked. I should have used Safe+Command but I was swamped over the weekend putting 12 cubicles where 6 used to be, this was a side job with a deadline. I finally got fresh Vista on it but she absolutely can't use anything other than XP...

Forgot to mention there was RPCNet there as well, might have even been legitimate, but every time I'd kill it (reflexive RPC=bad thinking on my part) the computer would go into 1:00 shutdown mode.

Yeah I'd call that wiping time. As to somebody crying about vista over XP, maybe she should learn how not to ignore infections for 4 months before something pops up and makes the system unusable.

Frabba
May 30, 2008

Investing in chewy toy futures
So, how about that stuxnet?

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
I submitted a malware sample to Sophos just before I went to bed at 2am, and when I got up at 10am, it was added to their updates. I suppose you can't complain about that for service.

I also submitted it to Kaspersky, but according to VirusTotal, they've still not detecting it.

http://www.virustotal.com/file-scan/report.html?id=abc7395160c17c4dbd99d83c92ec90b5997956a222c2778afce9fd16ede399ef-1290851206

bobua
Mar 23, 2003
I'd trade it all for just a little more.

I've noticed that after quite a few successful virus cleanups, the internet won't work (but SMB will). When you try to ping something, windows says "Pinging <X> with 32 bytes of data." Where X is actually a strange Y character instead of the ip or domain you told it to ping. Quite a few services fail, and eventvwr claims it was because of a missing file, but the dependencies don't lead to much and there are just too many failures to trudge through the services hive in the registry to nail it down. I always end up keeping a clean VM of xp to copy and overlay the entire system32 folder, and that fixes it, so it has to be a missing file. Anyone have an idea?

(winsock fix\lsp fix has no effect on this particular problem)

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

bobua posted:

I've noticed that after quite a few successful virus cleanups, the internet won't work (but SMB will). When you try to ping something, windows says "Pinging <X> with 32 bytes of data." Where X is actually a strange Y character instead of the ip or domain you told it to ping. Quite a few services fail, and eventvwr claims it was because of a missing file, but the dependencies don't lead to much and there are just too many failures to trudge through the services hive in the registry to nail it down. I always end up keeping a clean VM of xp to copy and overlay the entire system32 folder, and that fixes it, so it has to be a missing file. Anyone have an idea?

(winsock fix\lsp fix has no effect on this particular problem)

sfc /scannow would be the command to run if you wanted to actually find out what was broken or missing in your major system files.

Copying an entire system32 folder over an existing install is not necessarily a good idea, since some or many of the files involved may be at a different version level than the rest of the Windows install. You may also end up with remnants of whatever you had in the existing system32 folder, if all you're doing is drag-and-drop copying from one folder to the other. It appears to be resolving your issue for the time being, but it's worth noting that it's probably not a good long-term solution and could be drastically improved on by imaging the entire system rather than one folder.

bobua
Mar 23, 2003
I'd trade it all for just a little more.

Midelne posted:

sfc /scannow would be the command to run if you wanted to actually find out what was broken or missing in your major system files.

Copying an entire system32 folder over an existing install is not necessarily a good idea, since some or many of the files involved may be at a different version level than the rest of the Windows install. You may also end up with remnants of whatever you had in the existing system32 folder, if all you're doing is drag-and-drop copying from one folder to the other. It appears to be resolving your issue for the time being, but it's worth noting that it's probably not a good long-term solution and could be drastically improved on by imaging the entire system rather than one folder.

Should have mentioned sfc does nothing for the problem. This is on multiple computers over the past year.

I copy the system32 folder over WITHOUT overwriting files, so the only possible version mismatch would be the missing file having been older than its replacement. Reloading\reimaging generally isn't a good option, these are residential machines and the time spent getting the computer back to how the end user likes it is big money. Returning a blank pc with someones my documents folder dropped back in would get me a 'why didn't I just buy a new pc?'

I suppose I could do some sort of compare on the directories before I do it next time, and look for files that exist on the clean system but not on the dirty system. system32 is just huge, especially including subs.
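
The compare described above is worth doing with hashes rather than names alone, and it answers two questions at once: which files the clean tree has that the dirty one lost (the missing-file symptom in this post), and which files the dirty tree has that the clean one does not, which is where a randomly named DLL dropped at boot (the one Serfer could not locate earlier in the thread) shows up. The following is an added example, not code from the thread; the two small trees it diffs are constructed in a temp directory, and the file names in them are placeholders.

```python
"""Compare a dirty system32 tree against a clean one from a reference install:
files the malware deleted, files it dropped, and files whose content differs.
Added example, not from the thread; the demo trees are constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative, lower-cased path -> sha256 for every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            snap[rel] = h.hexdigest()
    return snap


def compare(clean, dirty):
    """Return (missing, extra, changed) relative paths, each sorted."""
    missing = sorted(set(clean) - set(dirty))   # restore these from the clean tree
    extra = sorted(set(dirty) - set(clean))     # dropped files: inspect before deleting
    changed = sorted(p for p in set(clean) & set(dirty) if clean[p] != dirty[p])
    return missing, extra, changed


def _write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo_compare():
    """Build two small constructed trees and diff them; returns compare()'s tuple."""
    base = tempfile.mkdtemp(prefix="sys32diff-")
    clean_dir, dirty_dir = os.path.join(base, "clean"), os.path.join(base, "dirty")
    _write_tree(clean_dir, {"kernel32.dll": b"k32", "dnsapi.dll": b"dns",
                            "drivers/tcpip.sys": b"tcp"})
    _write_tree(dirty_dir, {"kernel32.dll": b"k32",               # untouched
                            "drivers/tcpip.sys": b"tcp-patched",  # content differs
                            "xk3q9z.dll": b"dropped"})            # stand-in random name
    return compare(snapshot(clean_dir), snapshot(dirty_dir))


if __name__ == "__main__":
    missing, extra, changed = demo_compare()
    print("missing:", missing)
    print("extra:  ", extra)
    print("changed:", changed)
```

Run `snapshot()` against the dirty disk mounted from WinPE or a Linux CD, not from inside the infected OS, otherwise a rootkit filtering directory listings simply hides its file from the walk. `changed` is noisy unless the clean VM is at the same service-pack and update level, so treat it as leads; `extra` is the list to triage, and not everything in it is hostile (OEM drivers, printer DLLs), so look before deleting.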

Astro7x
Aug 4, 2004
Thinks It's All Real
While I'm home for the holiday weekend my dad got a virus on the family computer that brought up a fake virus scanner, stopped all websites from working, prevented system restore from working, and caused pop ups of porn sites. Booting in safe mode and using system restore to take it back a day did the trick.

My dad claimed he didn't do anything. All he was doing was "deleting stuff". After prodding him more, by deleting stuff he meant going through his inbox and unsubscribing to all the junk mail. Except that by unsubscribe he meant click all the links and see what they were about first.

"What is this e-mail? I didn't subscribe to Walmart.com for anything! But now they are sending these things for free $10 gift cards! So I clicked on the link and then this virus scanner popped up saying a scan was starting, so I clicked cancel. What did I do wrong?"

bobua
Mar 23, 2003
I'd trade it all for just a little more.

I catch up on this thread now and again, and I'm sure this has been mentioned, but just in case...

I'm seeing a LOT of DNS hijacks. There's the old host file trick of course, the fake DNS server is getting common (dns server setting set in the registry, not the gui controls), and now I'm even seeing home routers having their dns settings changed to hand out the bad dns settings to all of the PCs set for dhcp on the lan. Easily prevented by just changing your router's default password, well worth it.

I'm also seeing a lot of posts on various forums I've read where people THINK they've cleaned the virus up, only to have it crop back up a few days later. I think this is especially common now that a lot of viruses are 2 parts, the rootkit and the payload. You clean the payload infection and the rootkit redownloads it or downloads a whole other one. A surprisingly accurate test is to make sure you can hit the windows update site.
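
The three hijacks listed above leave three different artifacts, and they are cheap to check before declaring a machine clean: the hosts file at `%SystemRoot%\System32\drivers\etc\hosts`, a static `NameServer` planted per interface under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}`, and a `DhcpNameServer` pointing off the LAN because the router's DNS settings were changed. The following is an added example, not code from the thread. Its inputs are plain strings so it runs offline on constructed samples (TEST-NET addresses); the `WATCHLIST` of update/AV domains and the empty `TRUSTED_RESOLVERS` tuple are assumptions to adapt, and `live_interfaces()` pulls the real registry values on Windows.

```python
"""Spot the three DNS hijacks described above: hosts-file entries, a static
NameServer planted in the registry, and a router handing out rogue resolvers
over DHCP. Added example, not from the thread; sample inputs are constructed."""
import ipaddress
import re

# Assumed watchlist: update/AV domains that malware commonly blackholes. Extend it.
WATCHLIST = ("windowsupdate.com", "update.microsoft.com", "malwarebytes.org",
             "avast.com", "sophos.com", "kaspersky.com")
# Assumed: resolvers outside the LAN the owner knowingly uses (e.g. the ISP's).
TRUSTED_RESOLVERS = ()

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
IFACE_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"

# Constructed sample hosts file: the stock localhost line plus two hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
203.0.113.45    windowsupdate.com update.microsoft.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, comments stripped, names lower-cased."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def _on_watchlist(name):
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def suspicious_hosts(pairs):
    """Every non-localhost mapping is a lead; watchlist hits are the real tell."""
    out = []
    for ip, name in pairs:
        if name in ("localhost", "localhost.localdomain"):
            continue
        reason = ("blackholed/redirected security domain" if _on_watchlist(name)
                  else "non-default hosts entry")
        out.append((ip, name, reason))
    return out


def parse_nameservers(value):
    """NameServer / DhcpNameServer registry values are space- or comma-separated."""
    return [s for s in re.split(r"[ ,]+", value.strip()) if s]


def rogue_resolvers(servers, lan_cidr, trusted=TRUSTED_RESOLVERS):
    """Resolvers that are neither on the LAN (the router) nor explicitly trusted."""
    lan = ipaddress.ip_network(lan_cidr)
    rogue = []
    for s in servers:
        try:
            ok = ipaddress.ip_address(s) in lan or s in trusted
        except ValueError:      # not even an IP address: certainly not ours
            ok = False
        if not ok:
            rogue.append(s)
    return rogue


def live_interfaces():
    """Windows only: (guid, NameServer, DhcpNameServer) for every interface."""
    import winreg  # imported here so the module still loads elsewhere
    rows = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFACE_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            vals = {}
            with winreg.OpenKey(root, guid) as k:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        vals[name] = winreg.QueryValueEx(k, name)[0]
                    except FileNotFoundError:
                        vals[name] = ""
            rows.append((guid, vals["NameServer"], vals["DhcpNameServer"]))
    return rows


if __name__ == "__main__":
    for ip, name, why in suspicious_hosts(parse_hosts(SAMPLE_HOSTS)):
        print("hosts: %-15s %-24s %s" % (ip, name, why))
    # Constructed: DHCP from a router whose DNS settings were changed (TEST-NET-2).
    dhcp = parse_nameservers("198.51.100.7 198.51.100.8")
    print("rogue DHCP resolvers:", rogue_resolvers(dhcp, "192.168.1.0/24"))
    # Constructed: a static NameServer planted while DHCP is still in use.
    print("rogue static resolver:",
          rogue_resolvers(parse_nameservers("198.51.100.7"), "192.168.1.0/24"))
```

On a DHCP client `NameServer` is normally empty, so any non-empty value on an interface that the GUI shows as "obtain automatically" is the registry trick from the post; a rogue `DhcpNameServer` is the router case, and fixing the PC alone will not hold until the router's DNS settings and admin password are changed too.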

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

bobua posted:

Should have mentioned sfc does nothing for the problem. This is on multiple computers over the past year.

Yeah, I wasn't suggesting so much for a fix as for the report it gives on which files it's detected issues with.

Gothmog1065
May 14, 2009
Okay, I just came across a new rogue antivirus. Typical style name of "Internet Security Suite". I'm having a problem getting rid of the final bits of it. I've run MalwareBytes, attempted a manual removal and it still lingers. I usually see it when I run ComboFix and it tells me to turn off Antiviruses (MSE and this one).

The other thing is I can't tell if it's blocking my Wireless. I can hook up a hardline and it works just fine. I can get the wireless to connect, but it's as if it's not.

Edit: The wireless isn't pulling an IP correctly.

Gothmog1065 fucked around with this message at 15:07 on Dec 2, 2010

sfwarlock
Aug 11, 2007

Gothmog1065 posted:

Okay, I just came across a new rogue antivirus. Typical style name of "Internet Security Suite". I'm having a problem getting rid of the final bits of it. I've run MalwareBytes, attempted a manual removal and it still lingers. I usually see it when I run ComboFix and it tells me to turn off Antiviruses (MSE and this one).

The other thing is I can't tell if it's blocking my Wireless. I can hook up a hardline and it works just fine. I can get the wireless to connect, but it's as if it's not.

Edit: The wireless isn't pulling an IP correctly.

Have you done anything towards cleaning out autoruns? (Hijackthis, Autoruns, possibly using a BartPE disk? (I've had success with the minixp on Hiren's.))

If Combofix can't get rid of it, I would be leaning towards a reimage. Have you run Combofix in safe mode? Have you run any standalone rootkit scanners? Have you booted to recovery console (from a boot disk, not onboard) and run a fixmbr?

Regarding the wireless, do you have any other wireless devices? Do you have access to any other wireless access point? When you say not pulling an IP correctly, what do you mean? [No IP, wrong IP, 169.254.*.* IP, correct IP but bogus gateway or DNS information?] Have you tried turning off DHCP and hardcoding an IP just to test?

Gothmog1065
May 14, 2009

sfwarlock posted:

Have you done anything towards cleaning out autoruns? (Hijackthis, Autoruns, possibly using a BartPE disk? (I've had success with the minixp on Hiren's.))

If Combofix can't get rid of it, I would be leaning towards a reimage. Have you run Combofix in safe mode? Have you run any standalone rootkit scanners? Have you booted to recovery console (from a boot disk, not onboard) and run a fixmbr?

Regarding the wireless, do you have any other wireless devices? Do you have access to any other wireless access point? When you say not pulling an IP correctly, what do you mean? [No IP, wrong IP, 169.254.*.* IP, correct IP but bogus gateway or DNS information?] Have you tried turning off DHCP and hardcoding an IP just to test?

Wireless was fine, someone changed the password and didn't tell me. Ironically it didn't kick the password, just showed limited connectivity.

I'll rerun combofix in Safe mode again, then try autoruns. I'm trying to get away from formatting this computer as it has a lot of programs on it.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Got my first Checkpoint/Hotfix today. Cleared it out pretty quickly, though I did have to actually go to the computer in question which was lame. Updated Java, Flash, and Acrobat Reader (from 7.0 to X) and it's still clean knock on wood.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Getting nailed today with some online defrag pay-us-69.95 bullshit. Normally Sophos catches this poo poo before it gets installed.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

skipdogg posted:

Getting nailed today with some online defrag pay-us-69.95 bullshit. Normally Sophos catches this poo poo before it gets installed.

Was it this one?

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Midelne posted:

Was it this one?

That's the one.

Kaboobi
Jan 5, 2005

SHAKE IT BABY!
SALT THAT LADY!

One of my friends got hit by something that looks like the same thing today, I told her how to get into safe mode around it and run Combofix and Malwarebytes but haven't heard back from her yet.

http://www.bleepingcomputer.com/virus-removal/remove-hard-drive-diagnostic

edit:

Probably a PDF exploit?

(4:19:51 PM) Xxxxx: I feel bad for the people who get fooled by it
(4:20:49 PM) Xxxxx: I was browsing with firefox and a page abruptly told me to update java and I needed additional plug ins and poo poo
(4:20:55 PM) Xxxxx: On a page with no java on it
(4:21:10 PM) Me: Hm
(4:21:17 PM) Xxxxx: So I just closed everything and it opened some PDF file
(4:21:25 PM) Xxxxx: Which I closed before it loaded
(4:21:47 PM) Me: keep your adobe reader up to date!
(4:22:12 PM) Xxxxx: I minimized it and saw the hdd diagnostic icon on the desktop and it auto popped the dumb fake program front up
(4:22:12 PM) Me: if you get hit with an infected popup, there's nothing you can do besides do hard reboot without clicking ANYTHING
(4:22:14 PM) Xxxxx: I do!!
(4:22:16 PM) Me: just mash the power button

Kaboobi fucked around with this message at 22:26 on Dec 6, 2010


Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

Kaboobi posted:

(4:21:17 PM) Xxxxx: So I just closed everything and it opened some PDF file

This is your most probable venue of infection, given that when people say they "closed" something they usually mean that they clicked the red X in the upper-right of the window. Clicking anything at all on a malicious web page - even something that looks like a big inviting red X - is a bad idea.

Given human response time an infection-in-progress is probably unlikely to be affected by hitting the power button as quickly as possible, so it might be worth teaching them how to use Task Manager to close iexplore.exe or whatever they use to browse.
