Saint Sputnik
Apr 1, 2007

Tyrannosaurs in P-51 Volkswagens!

Ted Stevens posted:

Run HitmanPro and show us a HijackThis log. See what comes up.

Ran Hitman a bit ago and it found three bad things to delete. Seems clear so far. I'll work on HJT next.

e: Still seems clear, yay. Not a single redirect since I ran Hitman.

Saint Sputnik fucked around with this message at 02:40 on Dec 31, 2010


PUBLIC TOILET
Jun 13, 2009

Ensign Expendable posted:

I remember there used to be a website with a huge list of infected files/domains, but I can't seem to find it anywhere.

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=308

The Belgian
Oct 28, 2008
This may not be entirely the right place to ask this, but my license for ESET smart security just ran out. Should I extend it or is there a new best antivirus?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

The Belgian posted:

This may not be entirely the right place to ask this, but my license for ESET smart security just ran out. Should I extend it or is there a new best antivirus?

Personally, I think it is still the best all-around product on the market, and we chose to renew our 750-seat corporate account for another two years a few months ago. But we just go with straight Nod32; I don't see much value in the extra cost for the full ESS.

Jetsetlemming
Dec 31, 2007

i'Am also a buetifule redd panda

I clicked a google link today supposed to go to filefront, and instead was taken to a porn site. I closed the tab, went back to the google tab, and clicked that filefront link a few more times, and they all went through. hosts is clear, there's nothing in it. MSE and TDSSKiller both passed fine (TDSS found a suspicious object that some searching has me convinced is just a part of Daemon Tools' virtual driver). Anything else I should check? Or should I chalk this up to a bad ad on Filefront's part (that site has really gone downhill the last couple years) or fluke? Using XP up to date, Chrome, and MSE real time protection. I've yet to have a single virus issue on this computer or otherwise suspicious behavior except for that redirect.

lazer_chicken
May 14, 2009

PEW PEW ZAP ZAP

Jetsetlemming posted:

I clicked a google link today supposed to go to filefront, and instead was taken to a porn site. I closed the tab, went back to the google tab, and clicked that filefront link a few more times, and they all went through. hosts is clear, there's nothing in it. MSE and TDSSKiller both passed fine (TDSS found a suspicious object that some searching has me convinced is just a part of Daemon Tools' virtual driver). Anything else I should check? Or should I chalk this up to a bad ad on Filefront's part (that site has really gone downhill the last couple years) or fluke? Using XP up to date, Chrome, and MSE real time protection. I've yet to have a single virus issue on this computer or otherwise suspicious behavior except for that redirect.

I don't know, I'd still be suspicious. We've had two xp machines at our office in the past few months that got hit with some sort of mysterious dns-redirecting malware. Everything looked clean and every virus scan I could think of came up clean, including combofix, but they still had random dns redirects. Sometimes it would go hours without happening and then it would start up again. I ended up assuming it was as a rootkit and nuked them (though having roaming profiles makes this very easy).

Impotence
Nov 8, 2010
Lipstick Apathy

Jetsetlemming posted:

I clicked a google link today supposed to go to filefront, and instead was taken to a porn site. I closed the tab, went back to the google tab, and clicked that filefront link a few more times, and they all went through. hosts is clear, there's nothing in it. MSE and TDSSKiller both passed fine (TDSS found a suspicious object that some searching has me convinced is just a part of Daemon Tools' virtual driver). Anything else I should check? Or should I chalk this up to a bad ad on Filefront's part (that site has really gone downhill the last couple years) or fluke? Using XP up to date, Chrome, and MSE real time protection. I've yet to have a single virus issue on this computer or otherwise suspicious behavior except for that redirect.

Was it actually filefront or was it a seo-googlebombed driveby exploit link?

Jetsetlemming
Dec 31, 2007

i'Am also a buetifule redd panda

Yeah, I looked at the url in the successfully loaded tabs and it seemed fine to me.

Ted Stevens
Jun 2, 2007

by T. Finn
Try doing a search for something like "Remove Thinkpoint" If you start seeing lots of ads for StopZilla, there's a good chance something got you. But chances are, if you've scanned with MSE and Malwarebytes and nothing came up, you're OK.

sizerp
Dec 3, 2003
t3h pwn
Anybody know of any databases that track network footprints of various pieces of malware? Or at least decent descriptions of their behaviour on a system?

I know this information is available for some of the more 'glamorous' virii/worms, but when it comes to something a little less interesting it's often difficult to find useful information among the 700 sites copying each other's "VIRUS X IS A ROOTKIT, IT INFECTS YOUR SYSTEM DOWNLOADS OTHER FILES".

Megiddo
Apr 27, 2004

Unicorns bite, but their bites feel GOOD.

Jetsetlemming posted:

I clicked a google link today supposed to go to filefront, and instead was taken to a porn site.

What happens if you go directly to the filefront URL without using Google?

There was a rash of sites being exploited recently with something that would hijack their Google search results, so that clicking on a Google search result link would take you to a 3rd party's URL, but going to the original site's URL directly would still work normally.

Jetsetlemming
Dec 31, 2007

i'Am also a buetifule redd panda

Megiddo posted:

What happens if you go directly to the filefront URL without using Google?

There was a rash of sites being exploited recently with something that would hijack their Google search results, so that clicking on a Google search result link would take you to a 3rd party's URL, but going to the original site's URL directly would still work normally.

I can still go to the site directly, and clicking again the exact same link in google properly took me to the right website. It was a once-off redirect.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Jetsetlemming posted:

I can still go to the site directly, and clicking again the exact same link in google properly took me to the right website. It was a once-off redirect.

Make sure you don't have the respawning files. Specifically, check your task manager for dwm.exe, csrss.exe, conhost.exe and others running from suspicious places.
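The check PopeOnARope describes, written out as a script (an added example, not code from this thread): it reads a process list and flags core system binaries running from anywhere other than System32, and a csrss.exe whose parent process is not smss.exe. The CSV below is constructed sample data in a simplified name,path,pid,ppid layout, not real tool output; on a live machine you would feed it the equivalent columns from Process Explorer, tasklist or WMI.

```python
"""Triage for the 'respawning files' symptom: core Windows processes
(csrss.exe, dwm.exe, conhost.exe, ...) running from outside
%SystemRoot%\\System32, or csrss.exe with an unexpected parent.
Added example, not code from the thread; SAMPLE is constructed data."""
import csv
import io
from typing import Dict, List, Tuple

# Binaries that, on XP/7, legitimately live only in System32.
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "winlogon.exe", "dwm.exe",
                 "conhost.exe", "lsass.exe", "services.exe"}
SYSTEM32 = r"c:\windows\system32"

# Constructed sample process list (simplified layout, not a verbatim dump).
# The last two rows imitate the dropper pattern described in the thread:
# a look-alike csrss.exe under a profile directory and dwm.exe at C:\.
SAMPLE = """name,path,pid,ppid
smss.exe,C:\\Windows\\System32\\smss.exe,376,4
csrss.exe,C:\\Windows\\System32\\csrss.exe,500,376
winlogon.exe,C:\\Windows\\System32\\winlogon.exe,548,376
explorer.exe,C:\\Windows\\explorer.exe,1240,1180
csrss.exe,C:\\Documents and Settings\\All Users\\Local Settings\\csrss.exe,2212,1240
dwm.exe,C:\\dwm.exe,2300,2212
"""


def parse_process_list(text: str) -> List[Dict[str, str]]:
    """Parse the name,path,pid,ppid CSV into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious(procs: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (pid, name, reason) for every process that breaks a rule."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = p["name"].lower()
        path = p["path"].lower()
        # Rule 1: a core binary must come from System32 itself.
        if name in SYSTEM32_ONLY and not path.startswith(SYSTEM32 + "\\"):
            findings.append((p["pid"], name,
                             "runs from outside System32: " + p["path"]))
        # Rule 2: csrss.exe is started by smss.exe. On Vista/7 the smss
        # instance that spawned it has usually exited, so an absent parent
        # is normal; only a parent that exists and is not smss is flagged.
        if name == "csrss.exe":
            parent = by_pid.get(p["ppid"])
            if parent is not None and parent["name"].lower() != "smss.exe":
                findings.append((p["pid"], name,
                                 "parent is %s, expected smss.exe" % parent["name"]))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_suspicious(parse_process_list(SAMPLE)):
        print("PID %s %s: %s" % (pid, name, reason))
```

Path comparison is case-insensitive because NTFS is; the parent rule is deliberately lenient about a missing parent so it does not fire on every Windows 7 box where the spawning smss.exe has exited.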

Jetsetlemming
Dec 31, 2007

i'Am also a buetifule redd panda

The only one of those running is csrss, and looking in Process Explorer it's where I'm pretty sure it should be, as a child of srss, above winlogon, and running from system32.

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

sizerp posted:

Anybody know of any databases that track network footprints of various pieces of malware? Or at least decent descriptions of their behaviour on a system?

I know this information is available for some of the more 'glamorous' virii/worms, but when it comes to something a little less interesting it's often difficult to find useful information among the 700 sites copying each other's "VIRUS X IS A ROOTKIT, IT INFECTS YOUR SYSTEM DOWNLOADS OTHER FILES".

The major antivirus providers usually have something for any given virus in their database, though it's likely to be "W32.GenericTrojan" in many cases with correspondingly vague or unhelpful information. It'd be pretty hard in a rapidly-changing playing field to keep any sort of reliable information on the many, many, many players up-to-date.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Tom's did a test where they measured PC performance with various anti-virus and security packages installed, and also with a 'bare' system.

They should have also tested an older system (one you'd be asked by your grandma or co-worker to 'fix') and they also should have tested Microsoft Security Essentials.

McAfee sucks poo poo like we all know, and Norton somehow makes your computer faster

http://www.tomshardware.com/reviews/anti-virus-virus-scanner-performance,2777.html

Oh wait.

Tom's Hardware posted:

However, for the time being, we’ve learned that a user can confidently install a virus scanner or Internet security suite without being too concerned about performance consequences

gently caress you, Tom. And gently caress your ad-ridden site.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Bob Morales posted:

Tom's did a test where they measured PC performance with various anti-virus and security packages installed, and also with a 'bare' system.

They should have also tested an older system (one you'd be asked by your grandma or co-worker to 'fix') and they also should have tested Microsoft Security Essentials.

McAfee sucks poo poo like we all know, and Norton somehow makes your computer faster

http://www.tomshardware.com/reviews/anti-virus-virus-scanner-performance,2777.html

Oh wait.

gently caress you, Tom. And gently caress your ad-ridden site.

Don't forget their habit of taking cash for reviews.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

PopeOnARope posted:

Don't forget their habit of taking cash for reviews.

I was expecting to see this somewhere on their page:

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
I can't comment on first-hand performance reviews of the newest versions of Norton on modern PCs, but it seems to me that the primary concern would be that it doesn't appear to be delaying things at all. The only action that takes no time at all is "not doing anything", or more likely rewriting your entire engine and scanning methodology with performance in mind and doing something like allowing things to run while you stick them in a buffer and scan the buffer and make a decision about whether it's safe after the fact.

It'd be a brilliant piece of work from the consumer perspective if those numbers are accurate, even if it turned your security perimeter into Swiss cheese in the process - all the customer's likely to care about is whether their computer slowed down.

angry armadillo
Jul 26, 2010
You're forgetting the customer also cares about someone to blame if the computer goes wrong.

The funny part is they will blame the salesman in PC World who sold them their AV Software before the manufacturer. :)

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

angry armadillo posted:

You're forgetting the customer also cares about someone to blame if the computer goes wrong.

The funny part is they will blame the salesman in PC World who sold them their AV Software before the manufacturer. :)

Well either that, or their computer manufacturer for not holding their hand through everything. Speaking of :psyduck: poo poo, one of my customers needed to install Trend Micro Titanium today, and it wanted MalwareBytes ripped out to install.

What.

Oh, and I hate it when people ask me "Why didn't McAfee stop this fake antivirus!!!"

Toast Museum
Dec 3, 2005

30% Iron Chef
When I worked retail, my go-to analogy for AV software was with vaccination. You want to get it before there's a problem, not after, and it's not 100% effective, so you still need to be careful, but it's way better than being completely unprotected.

sonicice
Oct 21, 2000

Michael J Beverage, I've got a bone to pick with you.

Toast Museum posted:

When I worked retail, my go-to analogy for AV software was with vaccination. You want to get it before there's a problem, not after, and it's not 100% effective, so you still need to be careful, but it's way better than being completely unprotected.

What would you do if Jenny McCarthy came into your shop?

Toast Museum
Dec 3, 2005

30% Iron Chef

sonicice posted:

What would you do if Jenny McCarthy came into your shop?

Tell her she has an Indigo Computer.

KarmaEnforcer
Aug 7, 2000

Cylon Sympathizer
Background: I'm a frontline tech for Sophos. For those of you who haven't worked with us, this does not mean 'script-reading drone'. Frontline with Sophos is staffed by folks who actually know computers. We have no scripts, just a shitton of VMs and a knowledgebase we all write articles for based on previous case resolutions.

For those of you who use Sophos, if you've run across a recent TROJ/QBot, that detection was my baby. It's a nasty little bug. Once executed on the system, it reaches out to a remote server, grabs the latest version of the virus, drops it to the root of C: and \docsandsettings\allusers\localsettins\windows\(executablename)\ and then sets up a scheduled task to run itself on an hourly basis, which causes it to look for exposed shares on machines in the domain or workgroup, where it drops a randomly named bug and a scheduled task and the process repeats there. It also creates a file in system32 named 'removeme.txt' that I wasn't able to get a sample of, but I would LOVE to know what was in it.

The only way we were able to stop it was thanks to the SOI tool that we just started using. It's a pretty slick little CLI executable that monitors a specified folder or drive for modifications by suspicious software.
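The persistence pattern KarmaEnforcer describes (an hourly scheduled task pointing at an executable dropped at the root of C: or under a profile's Local Settings directory) is easy to triage from the scheduled-task list. The script below is an added example, not code from the thread, from Sophos or from the SOI tool; the task list is a constructed CSV that borrows four column names from `schtasks /query /v /fo csv` (TaskName, Task To Run, Schedule Type, Repeat: Every) and is not a verbatim dump. An hourly repeat is treated as an aggravating factor, not a finding on its own, since legitimate updaters also run hourly.

```python
"""Flag scheduled tasks whose target executable sits at a drive root or under
a profile/temp directory, noting when such a task also repeats hourly.
Added example; SAMPLE is constructed data in a schtasks-like CSV layout."""
import csv
import io
import re
from typing import List, Tuple

# Constructed sample: two benign tasks and two that match the pattern above.
SAMPLE = '''"TaskName","Task To Run","Schedule Type","Repeat: Every"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","Weekly","N/A"
"\\GoogleUpdateTaskMachineUA","C:\\Program Files\\Google\\Update\\GoogleUpdate.exe /ua","Daily","1 Hour(s), 0 Minute(s)"
"\\At1","C:\\rxq4nz.exe","Daily","1 Hour(s), 0 Minute(s)"
"\\At2","C:\\Documents and Settings\\All Users\\Local Settings\\rxq4nz\\rxq4nz.exe","Daily","1 Hour(s), 0 Minute(s)"
'''

# An .exe directly under a drive letter, e.g. C:\something.exe
ROOT_EXE = re.compile(r'^[a-z]:\\[^\\]+\.exe$', re.I)
# Directory fragments that user-writable droppers favour (matched case-insensitively).
PROFILE_DIRS = ("\\local settings\\", "\\all users\\", "\\appdata\\", "\\temp\\")


def command_path(cmd: str) -> str:
    """Return the executable part of a 'Task To Run' value, dropping
    surrounding quotes and any arguments after the .exe."""
    cmd = cmd.strip().strip('"')
    m = re.match(r'^(.*?\.exe)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage_tasks(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (task name, executable path, reasons) for suspicious tasks."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        path = command_path(row["Task To Run"])
        lower = path.lower()
        reasons = []
        if ROOT_EXE.match(path):
            reasons.append("executable at drive root")
        if any(d in lower for d in PROFILE_DIRS):
            reasons.append("executable under a profile/temp directory")
        # Hourly repeat only matters once the location is already suspect.
        if reasons and "hour" in row["Repeat: Every"].lower():
            reasons.append("repeats hourly")
        if reasons:
            findings.append((row["TaskName"], path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage_tasks(SAMPLE):
        print(name, "->", path, ";", ", ".join(reasons))
```

Run it over the real export from each machine in the workgroup: because the worm re-creates the task on every host it reaches, the same odd task name and drive-root path showing up on several machines is the tell.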

univbee
Jun 3, 2004

PopeOnARope posted:

Oh, and I hate it when people ask me "Why didn't McAfee stop this fake antivirus!!!"

It's like any safety measure in your car (seatbelts, airbags etc.): you are inarguably better off having than not having, but it's naive to think you're going to walk away unscathed from any accident. :iiaca:

Glass Joe
Mar 9, 2007
So I finally got a new computer; it's my first experience with Windows 7. I've already installed MSE, what else should I be using? What is the most secure browser?

I put my last machine on lockdown from day 1 and never had any problems with viruses or malware, but that was XP with (mostly) Firefox.

mindphlux
Jan 8, 2004

by R. Guyovich
I'm putting together a new toolkit, as my last one (hijackthis, spybot, adaware, AVG) is kind of lol.

So far in plowing through this thread, it sounds like I should burn to a locked usb key the following -

1. combofix
2. malwarebytes-antimalware
3. rkill
4. hijackthis
5. ? anything else essential?

I feel like most of that addresses malware - what should I be using for a virus scanner? Is AVG Free still alright? what about MSE? I actually think I prefer MSE because it doesn't have all those horrible popups, but maybe there's a way to disable them?

mindphlux
Jan 8, 2004

by R. Guyovich
hahaha, reading the bleepingcomputer forums makes my head want to explode :psyduck:

seriously I think the entire premise behind any posts about combofix is to troll any non-native English speakers by posting longwinded horrible grammar scary holier than thou rhetoric about why no one can possibly understand how to use combofix other than approved senior regular bleepingcomputer forum users

some guy was like 'hey, I'm not an idiot. stop condescending and just tell me how to learn how to properly use combofix and stop being a dick'. mods respond

quietman7 posted:

Group:Global Moderator
Posts:22,486
Joined:09-July 05
Location:Virginia, USA
Posted 15 July 2010 - 01:29 PM

I merely stated, I was skeptical as to what he could be teaching unless he was trained in the use of CF...that is not a conclusion or hypothesis which is a proposed explanation or tentative statement for an observable phenomenon (i.e. theory). Saying that I was skeptical was not intended to stir a debate but merely to provide an opinion based on my knowledge and training of how to use CF since you expressed a desire to be trained about the tool and that training is deliberately limited.

mindphlux
Jan 8, 2004

by R. Guyovich
:psyduck: :psyduck: :psyduck:

equation groupie
Feb 7, 2004

debased and dread pilled

mindphlux posted:

hahaha, reading the bleepingcomputer forums makes my head want to explode :psyduck:

seriously I think the entire premise behind any posts about combofix is to troll any non-native English speakers by posting longwinded horrible grammar scary holier than thou rhetoric about why no one can possibly understand how to use combofix other than approved senior regular bleepingcomputer forum users

some guy was like 'hey, I'm not an idiot. stop condescending and just tell me how to learn how to properly use combofix and stop being a dick'. mods respond

I have always wondered what special knowledge the "experts" that Combofix refers you to have. It's a program with no options or preferences that basically gives you several chances to hit "cancel", and then does everything automatically. How hard could it be?


(Also: did you mean to post 3 times in a row?)

J
Jun 10, 2001

mindphlux posted:

I'm putting together a new toolkit, as my last one (hijackthis, spybot, adaware, AVG) is kind of lol.

So far in plowing through this thread, it sounds like I should burn to a locked usb key the following -

1. combofix
2. malwarebytes-antimalware
3. rkill
4. hijackthis
5. ? anything else essential?

I feel like most of that addresses malware - what should I be using for a virus scanner? Is AVG Free still alright? what about MSE? I actually think I prefer MSE because it doesn't have all those horrible popups, but maybe there's a way to disable them?

I'd add process explorer and TDSSKiller to that list. The latter deals with a certain type of rootkit that I see very often with typical malware infected computers, and that utility scans and removes them very quickly. It's been immensely handy in my experience.

mindphlux
Jan 8, 2004

by R. Guyovich

J posted:

I'd add process explorer and TDSSKiller to that list. The latter deals with a certain type of rootkit that I see very often with typical malware infected computers, and that utility scans and removes them very quickly. It's been immensely handy in my experience.

Thanks, exactly the sort of tips I was looking for. I guess I've seen a ton of mention of Alureon in this thread, so TDSSkiller is probably a good idea. Thanks again!

Saint Sputnik
Apr 1, 2007

Tyrannosaurs in P-51 Volkswagens!

Megiddo posted:

What happens if you go directly to the filefront URL without using Google?

There was a rash of sites being exploited recently with something that would hijack their Google search results, so that clicking on a Google search result link would take you to a 3rd party's URL, but going to the original site's URL directly would still work normally.

Jetsetlemming posted:

I can still go to the site directly, and clicking again the exact same link in google properly took me to the right website. It was a once-off redirect.

This is what I had at the end of Dec. I forget the name of what Hitman cleaned off, but those were the symptoms. Then the other day I had some horrendous BSOD problems apparently caused by rootkit.win32.tdss.mbr, had to do a full reinstall before I believed that my HDD wasn't downright broken.

...Then while poking around redownloading all my antivirus programs and finding tutorials on how to reset Win7 to my tastes, I got zapped with Internet Security 2010: The Best Internet Security. :bang:

Worst part is, according to that wiki link, all three problems are related. Makes me wonder how long Alureon was there before it killed my system. I don't seem to have any problems now but I've run every antivirus I can think of today.

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

Bob Morales posted:

Tom's did a test where they measured PC performance with various anti-virus and security packages installed, and also with a 'bare' system.

They should have also tested an older system (one you'd be asked by your grandma or co-worker to 'fix') and they also should have tested Microsoft Security Essentials.

Baseline for this should be a single core laptop with 1GB RAM running unpatched Vista on a 4200rpm HDD. The kind where clicking on the start menu takes about 15 seconds to register.

mindphlux
Jan 8, 2004

by R. Guyovich
one more tiny question about some of these more prevalent malware etc programs - should you basically *always* boot into safe mode w/network before running them? is there any disadvantage to doing so? what about order in which to run the semi-automated ones? I'd think malwarebytes first, followed by some of the more specific ones? or should combofix go first? I guess my question about order just stems from the fact that I can't really tell what combofix is doing, whereas I think malwarebytes and normal antivirus programs are pretty straightforward.

RichieWolk
Jun 4, 2004

FUCK UNIONS

UNIONS R4 DRUNKS

FUCK YOU

mindphlux posted:

I'm putting together a new toolkit, as my last one (hijackthis, spybot, adaware, AVG) is kind of lol.

So far in plowing through this thread, it sounds like I should burn to a locked usb key the following -

1. combofix
2. malwarebytes-antimalware
3. rkill
4. hijackthis
5. ? anything else essential?

I feel like most of that addresses malware - what should I be using for a virus scanner? Is AVG Free still alright? what about MSE? I actually think I prefer MSE because it doesn't have all those horrible popups, but maybe there's a way to disable them?

LSPFix
.NET version detector
DTaskManager
GMER
Hitman Pro

I'm also a fan of Spyware Blaster as a preventative thing.

BillWh0re
Aug 6, 2001


mindphlux posted:

I'm putting together a new toolkit, as my last one (hijackthis, spybot, adaware, AVG) is kind of lol.

So far in plowing through this thread, it sounds like I should burn to a locked usb key the following -

1. combofix
2. malwarebytes-antimalware
3. rkill
4. hijackthis
5. ? anything else essential?

I feel like most of that addresses malware - what should I be using for a virus scanner? Is AVG Free still alright? what about MSE? I actually think I prefer MSE because it doesn't have all those horrible popups, but maybe there's a way to disable them?

I tend to find the following are enough for most things, but it's not as automated as something like combofix or malwarebytes:
Process Hacker
Process Monitor
Autoruns
Rootkit Unhooker (newer beta versions are available on the forums at kernelmode.info)

Whimsy
Jan 8, 2001
Worked on a box that had an Alureon variant on it.

Alureon's rootkit filter driver features don't work in Win64, so it relies on a classic method for infection: The boot record!

If you ever have a situation where you get random Bluescreens or you can't see your boot volume in Disk Management, you might be infected. If you are, consider using Bootfix to purge that fucker out. Strangely, bootfix didn't detect the Windows installation, but it did rebuild everything, and the system ran stably afterwards. Remember: you can scan in any kind of boot environment, but unless you have a scanner that still knows to check the MBR, it might get overlooked.

Then follow up by wondering how a boot sector virus might have suddenly become relevant once again.
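Whimsy's point is that the boot record itself has to be examined; a file scan never touches sector 0. The script below is an added example (not code from the thread or from Bootfix): it parses a 512-byte MBR image, validates the 0x55AA signature and the partition table, and compares the boot-code area against a known-good copy, so a loader that was overwritten while the partition table was left intact (which is what keeps the machine booting normally) stands out. Both MBR images are constructed inline and the boot-code bytes are placeholders, not a real loader.

```python
"""Parse a 512-byte MBR image and diff it against a known-good baseline.
Added example; CLEAN_MBR and TAMPERED_MBR are constructed test data."""
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
CODE_AREA = slice(0, 446)     # boot code
TABLE_AREA = slice(446, 510)  # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sectors


def build_mbr(boot_code: bytes, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a sector-0 image from boot code and (status, type, lba, size) tuples."""
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, size)
        for status, ptype, lba, size in partitions)
    return code + table.ljust(64, b"\x00") + SIGNATURE


# Constructed images: same single bootable NTFS partition, different loader.
# The boot-code bytes are placeholders standing in for a real loader.
PARTITIONS = [(0x80, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTITIONS)
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 40, PARTITIONS)


def parse_mbr(data: bytes) -> Dict:
    """Return signature validity, a hash of the code area and the used partitions."""
    if len(data) != MBR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d" % (MBR_SIZE, len(data)))
    parts = []
    for i in range(4):
        entry = data[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _, ptype, _, lba, size = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": size})
    return {"signature_ok": data[510:512] == SIGNATURE,
            "code_sha256": hashlib.sha256(data[CODE_AREA]).hexdigest(),
            "partitions": parts}


def diff_mbr(baseline: bytes, suspect: bytes) -> Dict[str, bool]:
    """Tell apart 'loader replaced, table kept' from a re-partitioned disk."""
    base, sus = parse_mbr(baseline), parse_mbr(suspect)
    return {"signature_ok": sus["signature_ok"],
            "code_changed": base["code_sha256"] != sus["code_sha256"],
            "table_changed": baseline[TABLE_AREA] != suspect[TABLE_AREA]}


if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print(diff_mbr(CLEAN_MBR, TAMPERED_MBR))
```

The baseline should be captured from a clean boot environment rather than from the running system (for example `dd if=/dev/sda bs=512 count=1` from a Linux rescue medium, or a raw read of sector 0 from `\\.\PhysicalDrive0` on Windows), because a resident bootkit can filter reads of the sector it patched; that is the same reason Whimsy recommends scanning from outside the installed OS.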


Maniaman
Mar 3, 2006
Lady brought in a laptop a few days ago that's got something nasty on it. Randomly reboots, occasionally locks up, kills malwarebytes/mse/etc. Redirects sites. Keeps opening fake antivirus webpages. ComboFix keeps finding a rootkit and says it cleaned it, but never actually cleans it. TDSSKiller finds some variant of TDL4 but can't clean it. Rewriting the mbr has no effect.

The lady told me she just bought a copy of AVG 2011 off the internet a few days before it went south. Sure, the program had the AVG logo. AFAIK though, there's more to AVG than just an avg.exe file that contains a lot of broken english and pops up a message like the following when you click the X.
"Press OK to terminate application! CANCEL to minimize to tray!"

Tried to tell the lady she probably got scammed but she wouldn't listen.

Flatten and reinstall day today!

edit: Forgot to mention... this version of "AVG" she "purchased" had the fastest file scanner in the world. A full system scan only took 3 minutes!
