|
This morning I updated my virus definitions (which I'd done shortly before posting here), and THEN MSE found and erased New Text Document.exe. Sneaky loving virus.
|
# ? Mar 1, 2011 01:25 |
|
|
Knight007au posted: JUSCHED.EXE

I've been clean lately but I just searched for that, and it seems to be a Java update scheduler.
|
# ? Mar 1, 2011 02:02 |
|
Saint Sputnik posted: I've been clean lately but I just searched for that, and it seems to be a Java update scheduler.

And you know, malicious software would never attempt to duplicate the identity / behavior of legitimate software.
|
# ? Mar 1, 2011 04:31 |
|
PopeOnARope posted: And you know, malicious software would never attempt to duplicate the identity / behavior of legitimate software.

I know, but it's in the right folder (C:\Program Files (x86)\Common Files\Java\Java Update), is labeled properly and signed as Sun Microsystems. It's in there alongside all relevant related files (update checker, update registration, etc.). And scanning that one file directly with MSE, it's clean. So in my case it's a legit file, but thanks.
|
# ? Mar 1, 2011 04:39 |
|
Something on the forums keeps trying to download a .jnlp file, which I'm guessing is related to the recent Java patch. Glad I remembered to download that one.

Saint Sputnik posted: I know, but it's in the right folder (C:\Program Files (x86)\Common Files\Java\Java Update), is labeled properly and signed as Sun Microsystems. It's in there alongside all relevant related files (update checker, update registration, etc.). And scanning that one file directly with MSE, it's clean.

But that's probably not the case for the guy whose jusched.exe was flagged in the first place...

205b fucked around with this message at 05:13 on Mar 1, 2011 |
# ? Mar 1, 2011 05:10 |
|
ninepints posted: Something on the forums keeps trying to download a .jnlp file, which I'm guessing is related to the recent Java patch. Glad I remembered to download that one.

Yeah, I was being condescending overall. Plus if it was a false positive, MWB would have just flagged the executable, rather than the registry entries as opposed to the file alone.
|
# ? Mar 1, 2011 05:26 |
|
Saint Sputnik posted: I know, but it's in the right folder (C:\Program Files (x86)\Common Files\Java\Java Update), is labeled properly and signed as Sun Microsystems. It's in there alongside all relevant related files (update checker, update registration, etc.). And scanning that one file directly with MSE, it's clean.

I had jusched.exe on my old computer out of the box, disabling it disabled the stupid Java updater that you don't need if you keep up on stuff. Or use Secunia PSI.
|
# ? Mar 1, 2011 23:38 |
|
Secunia is great and thanks to whoever suggested it the other week.
|
# ? Mar 1, 2011 23:53 |
|
I've been hit twice within the last three days while browsing SA. The first symptoms are an unexpected download prompt, then the Java platform starting up. The first time this happened, I was caught completely by surprise. A rogue antivirus program called Antivirus GO or something appeared and gave the expected crap about detecting lots of malware. Then, I couldn't get onto Google or Bing, as well as having taskbar pop-ups alerting to being infected. Luckily, the computer I was on was set to re-image itself every boot up, so after a restart, all the trouble was gone. The second time my laptop was hit. I freaked and forced a shutdown as soon as I saw Java start. I've restarted and have done a full scan with MSE with no results, and checked Startup and my plugins and haven't found anything suspicious. I think I managed to avoid any damage. I have turned off Java's SSV Helper plugin thing, so hopefully that should prevent any more mischief. Has anyone run into anything like this?
|
# ? Mar 2, 2011 05:48 |
|
quote: Java

Good thing that I keep plugins disabled because gently caress that.

Mush Man: burn a copy of one of those fancy offline scanners. IIRC you'll have at least F-Secure, Kaspersky and AVG bootable rescue CDs to choose from. Then simply boot from it, update definitions and scan. Nothing can hide when the possibly infected OS isn't loaded.
|
# ? Mar 2, 2011 06:30 |
|
My mother's computer got infected with Windows Tool. She did run the "Diagnostic" tool that scans your hard-drive. Fortunately she asked me before doing anything else and didn't actually put in her Credit Card info to purchase the "advanced" option it offers. I've already taken the computer off the network. Two questions:

1. What are the possibilities that this spread to other computers on the network? There's two: a Mac, and a PC running Windows 7 with its antivirus up-to-date, both behind a router running DD-WRT with its in-built firewall on. Neither has shown any symptoms.

2. How difficult will it be to completely clean up the system from this? I know that flatten and reinstall is usually the go-to option in these cases, but I'd rather avoid that if at all possible.

I appreciate any help.
|
# ? Mar 2, 2011 16:42 |
Mush Man posted: I've been hit twice within the last three days while browsing SA. The first symptoms are an unexpected download prompt, then the Java platform starting up.

Yes, this happened to me while I was browsing SA too. Did it start redirecting your browser to porno.com, sexyfeet.net and other adult-rated websites as well? Combofix seems to have gotten rid of it, but I'm reimaging this computer as soon as I can. Yes, I do want block, but not quite the way Anti Virus GO! wants me to.

froglet fucked around with this message at 17:04 on Mar 2, 2011 |
|
# ? Mar 2, 2011 16:55 |
|
Pope Guilty posted: There's a failure state for Symantec Endpoint Protection (which my workplace provides free to students/faculty/staff) where one of the drivers (usually SrtSpl64.sys) goes bad, causing Endpoint to crash Windows on boot. Since SEP uses Windows Installer Service instead of a custom installer program, you can't just go to Programs and Features and yank it from Safe Mode. Only way we've found to get it out is to boot to safe mode, disable all SEP services in msconfig, reboot, and then uninstall.

I know I'm late to the party, but there is a way to run Windows Installer in safe mode. This method will only make it run in safe mode w/ networking. If you want it to run in plain ol' safe mode, change the SafeBoot\Network to SafeBoot\Minimal. The changes to the registry will stay after a reboot, but you might need to start the msiserver service manually. Create a .bat file with the following:

code:
|
# ? Mar 2, 2011 17:00 |
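The batch file itself did not survive on this page, so here is the same SafeBoot registry change written out as a PowerShell script. This is an added example, not the poster's .bat; it assumes the documented SafeBoot layout (a subkey named after the service under SafeBoot\Network or SafeBoot\Minimal, whose default value is the string "Service") and must be run from an elevated prompt.

```powershell
# Added example (not the poster's batch file): let the Windows Installer
# service (msiserver) run in Safe Mode so a product that crashes the normal
# boot can still be uninstalled through Programs and Features.
# Usage:  .\Enable-SafeModeMsi.ps1             (Safe Mode with Networking)
#         .\Enable-SafeModeMsi.ps1 -SafeBootMode Minimal   (plain Safe Mode)
param(
    [ValidateSet('Minimal', 'Network')]
    [string]$SafeBootMode = 'Network'
)

$safeBootRoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$SafeBootMode"
$msiKey       = Join-Path $safeBootRoot 'MSIServer'

# The boot path starts every service listed under SafeBoot\<mode> whose
# default value is "Service", so creating this key is the whole trick.
if (-not (Test-Path $msiKey)) {
    New-Item -Path $msiKey -Force | Out-Null
}
Set-ItemProperty -Path $msiKey -Name '(default)' -Value 'Service'

# The key persists across reboots. Once in Safe Mode the service may still
# be stopped, so start it by hand before launching the uninstaller.
$svc = Get-Service -Name msiserver
if ($svc.Status -ne 'Running') {
    Start-Service -Name msiserver
}
Get-Service -Name msiserver | Format-Table Name, Status, StartType -AutoSize

# To undo after the cleanup:  Remove-Item -Path $msiKey -Recurse
```

Leaving the key in place is harmless but widens what runs in Safe Mode, which is a state you normally want as small as possible; remove it once the uninstall is done.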
|
Or you could just use SafeMSI.
|
# ? Mar 2, 2011 18:51 |
|
Brian Fellows posted:I've scanned the last couple of pages and didn't see anyone with my specific symptoms.
|
# ? Mar 2, 2011 22:31 |
|
froglet posted: Yes, this happened to me while I was browsing SA too. Did it start redirecting your browser to porno.com, sexyfeet.net and other adult-rated websites as well?

No actually. My browser froze a bit and then gave fake IE error messages when I made attempts to access Google and Bing. That's it as far as its browser takeover went.

beyonder posted: Mush Man: burn a copy of one of those fancy offline scanners. IIRC you'll have at least F-Secure, Kaspersky and AVG bootable rescue CDs to choose from. Then simply boot from it, update definitions and scan. Nothing can hide when the possibly infected OS isn't loaded.

My laptop seems off the hook, but thanks for the tip. I'll keep this in mind in case it does happen.
|
# ? Mar 3, 2011 04:30 |
|
Mush Man posted: My laptop seems off the hook, but thanks for the tip. I'll keep this in mind in case it does happen.

You're welcome. Also have a look at this guide, pretty handy stick to have. F-Secure "isn't" supported but you can install it by selecting (IIRC) Knoppix and pointing the program to F-S ISO.
|
# ? Mar 3, 2011 09:40 |
|
Saint Sputnik posted: Secunia is great and thanks to whoever suggested it the other week.

You're welcome! I use it at home and would like to use it at work. I keep having users end up with malware, including that one that was pictured in the "London Stock Exchange" article. My boss always assumes they're browsing somewhere that isn't legit, and I keep explaining the way these things usually work to him, and he doesn't argue but I don't think he believes me (I also don't think all these people's browsing is legitimately work-related, but that's another story.) UAC cranked up, DEP, SEHOP, AdBlock+ and NoScript are saving me from any oops moments, since we all run as local admin in our domain (all of us but one guy, the one with the most recent infection.)
|
# ? Mar 3, 2011 19:12 |
|
Oddhair posted:My boss always assumes they're browsing somewhere that isn't legit, and I keep explaining the way these things usually work to him, and he doesn't argue but I don't think he believes me
|
# ? Mar 4, 2011 00:47 |
|
I just noticed some facebook virus spreading like crazy - it makes a user send out "dude is that you in this video? is that supposed to be called dancing?" links to facebook pages that I suppose have some sort of exploit. I think my noscript prevented it, but I really can't tell (I think if my pc started posting on other people's walls/IM'ing it would confirm infection though) Anyone else notice this thing yet?
|
# ? Mar 9, 2011 04:08 |
|
Since this is the Microsoft Security Essentials love thread: Have any of you had a problem where Windows Backup will fail because of MSE? I keep getting an error 0x80070005 from Backup and Restore Center in a client's Vista laptop, which appears to be a generic access denied error and can, according to some googling, be caused by antivirus software. When I uninstalled MSE and ran the backup again, it completed just fine, which is great - at least there's now a backup less than 3 months old. However, reinstalling MSE brings the error message back. Is there a workaround here? I can't really tell this client to uninstall and reinstall MSE every time she needs to make a loving backup.
|
# ? Mar 9, 2011 07:52 |
|
Can you just disable MSE instead of uninstalling it? As for the Facebook viruses, a quick Google says they spread via a fake e-mail from Facebook that has a link to a site with a virus. The virus then reads your cookies and if you're logged in to FB it will spam links to all your friends. They click on the link, get the virus, repeat. Unless there is something new out there, it seems to be the old "be careful before you click on e-mail links" thing. If anyone else has any info on current FB viruses or anything to watch out for, it would be appreciated. I assume a properly secured OS / browser and disabling all FBs should keep you clean 99% of the time.
|
# ? Mar 9, 2011 09:13 |
|
Goreld posted: I just noticed some facebook virus spreading like crazy - it makes a user send out "dude is that you in this video? is that supposed to be called dancing?" links to facebook pages that I suppose have some sort of exploit. I think my noscript prevented it, but I really can't tell (I think if my pc started posting on other people's walls/IM'ing it would confirm infection though)

I think it's the traditional "transform the Facebook Like button so it's transparent and covers the whole page, then trick the user into clicking something on your page"
|
# ? Mar 9, 2011 10:33 |
|
hackedaccount posted: Can you just disable MSE instead of uninstalling it?

Well sure, but that's hardly what I'd consider a long-term fix. I'm using Microsoft's backup solution with Microsoft's antivirus solution on Microsoft's operating system; surely they could have it stop the service manually or do whatever is necessary to make this work without manual intervention.
|
# ? Mar 10, 2011 00:30 |
|
How are you all getting viruses from the forums? I've never had a problem ever...maybe im just lucky?
|
# ? Mar 10, 2011 08:30 |
|
I've gotten a few popups from the flash ads before. I wasn't very helpful to the forums support since I didn't pay attention to which ad it was. It hit me a minute ago while helping someone install a Java update that these fake antiviruses are putting a little too much effort into their schemes. Just mask the virus as a Flash or Java update. Hell, the way Flash updates look now, the virus wouldn't have to be very elaborate at all. It might even pass the scrutiny of quite a few sysadmins or helpdesk monkeys and get them to put in an administrator password. I've scared myself into paying closer attention to released updates and installed versions now. But I suppose the purpose of the fake antivirus is to get the $50+ from someone's credit card. I began to wonder how often that works after someone asked me "Wouldn't it be quicker to just pay them the $50?"
|
# ? Mar 10, 2011 15:07 |
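Saint Sputnik's jusched.exe check earlier in the thread (right folder, right publisher, clean scan) and the fake Flash/Java update worry in the post above come down to the same three questions about a binary: is it where the vendor installs it, does it carry a valid Authenticode signature, and is the signer who it should be. The function below, an added example rather than anything from the thread, answers them with built-in cmdlets; the path and the "Sun Microsystems / Oracle" publisher pattern in the sample call are assumptions for the jusched.exe case and should be swapped for whatever product is being checked.

```powershell
# Added example (not from the original posts): verify that a binary claiming
# to be a vendor component really is one, before trusting it or typing an
# admin password into its installer.
function Test-TrustedBinary {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedDirectory,
        [Parameter(Mandatory)] [string]$ExpectedSignerPattern   # regex matched against the signer Subject
    )

    $result = [ordered]@{
        Path                = $Path
        InExpectedDirectory = $false
        SignatureStatus     = 'NotChecked'
        Signer              = $null
        SignerMatches       = $false
        Sha256              = $null
        Trusted             = $false
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.SignatureStatus = 'FileNotFound'
        return [pscustomobject]$result
    }

    # 1. Location. A real updater lives under Program Files; a fake one is
    #    typically dropped into %TEMP%, %APPDATA% or the Downloads folder.
    $actualDir = [System.IO.Path]::GetDirectoryName((Resolve-Path -LiteralPath $Path).Path)
    $result.InExpectedDirectory = ($actualDir.TrimEnd('\') -ieq $ExpectedDirectory.TrimEnd('\'))

    # 2. Signature. 'Valid' means the file hash matches the signed hash and the
    #    certificate chains to a trusted root. 'NotSigned', 'HashMismatch' and
    #    'UnknownError' are all reasons to stop right there.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) {
        $result.Signer        = $sig.SignerCertificate.Subject
        $result.SignerMatches = [bool]($result.Signer -match $ExpectedSignerPattern)
    }

    # 3. Hash, so the verdict can be compared with a known-good copy or looked
    #    up in a reputation service later.
    $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # A valid signature from the wrong publisher is still the wrong file, so all
    # three checks have to pass.
    $result.Trusted = ($result.InExpectedDirectory -and ($sig.Status -eq 'Valid') -and $result.SignerMatches)
    return [pscustomobject]$result
}

# Sample call for the updater discussed in the thread (assumed path and publisher).
Test-TrustedBinary -Path 'C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe' `
                   -ExpectedDirectory 'C:\Program Files (x86)\Common Files\Java\Java Update' `
                   -ExpectedSignerPattern 'O=(Sun Microsystems|Oracle)' |
    Format-List
```

A clean scan from MSE is the weakest of the three signals, since it only says no known signature matched; a valid Authenticode signature from the expected publisher is the one that actually ties the file to the vendor.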
|
I've been cleaning a decent amount of malware since I started working for a company that provides IT support to other companies. Since I like to dig around in things and understand them, I typically look around and attempt to trace the source of the infection (from an application perspective) while scans are running. Three quarters of the infections that I've worked on were ultimately traced to Java exploits running on outdated (for some reason Java 6.0 Releases 14, 16, and 19 are really common) installs of Java. The remaining ones have come down to finding things post-scan like an empty file named loanletter.zip sitting in the Downloads folder with a creation date immediately prior to the user reporting infection. Update/uninstall Java, I guess is what I'm saying.
|
# ? Mar 10, 2011 16:18 |
|
Midelne posted: I've been cleaning a decent amount of malware since I started working for a company that provides IT support to other companies. Since I like to dig around in things and understand them, I typically look around and attempt to trace the source of the infection (from an application perspective) while scans are running. Three quarters of the infections that I've worked on were ultimately traced to Java exploits running on outdated (for some reason Java 6.0 Releases 14, 16, and 19 are really common) installs of Java.

Now that we're on KAV corporately (thank god, before there was nothing) the only inbound vector I'm seeing is in emails from "UPS" saying "THIS IMPORTANT CREDIT MEMO WILL BE PAID PLEASE ACKNOWLEDGE" with an exe inside "CREDITMEMO.ZIP". So yeah, don't let your users click on attachments I guess is what I'm saying. But Java is an enormous hole, and I was cleaning 3-4 stations a week before we updated java.
|
# ? Mar 10, 2011 22:16 |
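The two posts above both trace most cleanups back to stale Java 6 builds (update 14, 16, 19), which is an inventory problem before it is a malware problem. The script below is an added example, not from either poster, that lists every Java 6/7/8 style runtime registered on a machine and flags the ones below a baseline. It assumes the registry layout those installers use (one subkey per version such as 1.6.0_19 under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment, with 32-bit runtimes on 64-bit Windows under Wow6432Node); the 6u24 baseline is a placeholder for "the current release" and should be set to whatever is current when the script is run.

```powershell
# Added example (not from the original posts): inventory installed Java
# runtimes and flag the outdated ones that keep showing up in cleanups.
function Get-JavaRuntimes {
    $roots = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',              # native bitness
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'   # 32-bit on x64
    )
    $versionPattern = '^(\d+)\.(\d+)\.(\d+)_(\d+)$'   # e.g. 1.6.0_19 (major 6, update 19)

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $arch = if ($root -like '*Wow6432Node*') { 'x86' } else { 'x64' }

        # Only the fully qualified keys carry a JavaHome; "1.6" is just an alias
        # to the newest 1.6.0_xx, so it is skipped.
        Get-ChildItem $root | Where-Object { $_.PSChildName -match $versionPattern } |
            ForEach-Object {
                $m = [regex]::Match($_.PSChildName, $versionPattern)
                [pscustomobject]@{
                    Version  = $_.PSChildName
                    Major    = [int]$m.Groups[2].Value
                    Update   = [int]$m.Groups[4].Value
                    Arch     = $arch
                    JavaHome = (Get-ItemProperty -Path $_.PSPath).JavaHome
                }
            }
    }
}

function Test-JavaOutdated {
    param(
        [int]$BaselineMajor  = 6,    # assumed baseline: 6u24 (adjust to the current release)
        [int]$BaselineUpdate = 24
    )
    Get-JavaRuntimes | ForEach-Object {
        $olderMajor  = ($_.Major -lt $BaselineMajor)
        $olderUpdate = ($_.Major -eq $BaselineMajor -and $_.Update -lt $BaselineUpdate)
        $_ | Add-Member -NotePropertyName Outdated -NotePropertyValue ($olderMajor -or $olderUpdate) -PassThru
    }
}

# Print the inventory, outdated runtimes first. A machine with more than one
# entry still has the old exploitable copy on disk even if the newest one is
# what the browser plugin currently uses.
Test-JavaOutdated | Sort-Object Outdated -Descending | Format-Table Version, Arch, Outdated, JavaHome -AutoSize
```

Java 6 updates were side-by-side installs, so a machine that has been "updated" several times often still has 1.6.0_14 sitting next to 1.6.0_24; the inventory makes that visible, and uninstalling the extra entries is the cleanup the posters are recommending.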
|
A fairly odd question, but has anyone seen any symptoms of ComboFix disabling sound after it's been run on a machine? Recently there seems to be a few more complaints of sound being disabled on repairs we have done and they all seem to be jobs where we've used ComboFix. I'm still not convinced though because it's not like it's every single computer that it's been run on has done this and I know you should never rule out how retarded customers are, but I thought it'd be interesting to ask about.
|
# ? Mar 11, 2011 12:29 |
|
Haven't noticed that, but I did have one Windows 7 machine a couple days ago that ComboFix deactivated and apparently screwed up a bunch of registry permissions that prevented me from re-activating it. That was a fun one. I assume it was ComboFix anyway. Ran it to get rid of some nasty rogue and after it rebooted windows decided it was no longer activated and no longer genuine.
|
# ? Mar 11, 2011 15:37 |
|
beastathon posted: A fairly odd question, but has anyone seen any symptoms of ComboFix disabling sound after it's been run on a machine? Recently there seems to be a few more complaints of sound being disabled on repairs we have done and they all seem to be jobs where we've used ComboFix. I'm still not convinced though because it's not like it's every single computer that it's been run on has done this and I know you should never rule out how retarded customers are, but I thought it'd be interesting to ask about.

I had to reinstall the drivers for my soundcard after running combofix about a year ago. To be fair, my lovely video card has never really worked all that great ever (Creative SB X-Fi)
|
# ? Mar 12, 2011 08:28 |
|
vlack posted: Well sure, but that's hardly what I'd consider a long-term fix. I'm using Microsoft's backup solution with Microsoft's antivirus solution on Microsoft's operating system; surely they could have it stop the service manually or do whatever is necessary to make this work without manual intervention.

That may be some leftover retardation from Vista. I'm running 7, do backups once a week and have never had a problem. I'll test on a laptop at work and see if it's vista specific or just some weird error you're having.
|
# ? Mar 15, 2011 13:11 |
|
Midelne posted: I've been cleaning a decent amount of malware since I started working for a company that provides IT support to other companies. Since I like to dig around in things and understand them, I typically look around and attempt to trace the source of the infection (from an application perspective) while scans are running. Three quarters of the infections that I've worked on were ultimately traced to Java exploits running on outdated (for some reason Java 6.0 Releases 14, 16, and 19 are really common) installs of Java.

Outside of a corporate environment, I'm at the point now where if I have to fix someone's computer, I'll clean out the infection and force Google Chrome upon them. Uninstall all Java and Adobe Flash crap, maybe leave the Adobe Reader in there. Chrome can handle pretty much all of that natively so it helps close massive security holes. No product is bulletproof, but I believe forcing people to use Chrome and MSE will help mitigate many disasters once the other products are uninstalled. Obviously this won't work in an enterprise/corporate environment because of the need for Internet Explorer, AD, etc. It also helps to install an ad-blocking extension for Chrome and teach people how to practice safe computing to an extent. People have been asking me lately about alternatives to LimeWire and I typically tell them to just loving pay for the poo poo. It's not worth the aggravation trying random file-sharing programs/websites and hoping you won't infect yourself.

PUBLIC TOILET fucked around with this message at 17:07 on Mar 15, 2011 |
# ? Mar 15, 2011 17:05 |
|
COCKMOUTH.GIF posted: Outside of a corporate environment, I'm at the point now where if I have to fix someone's computer, I'll clean out the infection and force Google Chrome upon them. Uninstall all Java and Adobe Flash crap, maybe leave the Adobe Reader in there. Chrome can handle pretty much all of that natively so it helps close massive security holes. No product is bulletproof, but I believe forcing people to use Chrome and MSE will help mitigate many disasters once the other products are uninstalled. Obviously this won't work in an enterprise/corporate environment because of the need for Internet Explorer, AD, etc.

For what it's worth, Firefox 5 will have a mainstream 64 bit version, and that will be inherently more secure than Chrome which is still 32 bit. Vastly improved Address Space Layout Randomization and so on make 64 bit Windows programs much harder to gently caress with and 64 bit Java and Flash are out and both seem to have much fewer holes as well. It's a shame that Microsoft doesn't let you force 64 bit IE8/9 to be the default browser though, even that is a shitload more secure, plus the "no tracking" system in 9 is also a quite viable adblock/malware site block system.
|
# ? Mar 15, 2011 20:27 |
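The 64-bit argument in the post above only holds for images that actually opt in to the mitigations: a 64-bit binary linked without DYNAMICBASE gets no ASLR, and NXCOMPAT is what turns on DEP for a process on a machine that is not in the always-on policy. The function below, an added example that is not from the thread, reads those flags straight out of a PE file's headers so the claim can be checked per binary; the two iexplore.exe paths in the sample pipeline are the default install locations on 64-bit Windows and are assumptions.

```powershell
# Added example (not from the original posts): report bitness and the
# ASLR/DEP opt-in flags of a PE image by parsing its headers directly.
function Get-PeMitigations {
    param([Parameter(Mandatory)] [string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (missing MZ header)"
    }

    # e_lfanew (DOS header offset 0x3C) points at the 4-byte "PE\0\0" signature.
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or ($peOffset + 24 + 72) -gt $bytes.Length) {
        throw "$Path has a truncated or bogus PE header"
    }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no valid PE signature"
    }

    # COFF header follows the signature; Machine is its first 2-byte field.
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)

    # Optional header starts 24 bytes after the signature. Magic distinguishes
    # PE32 (0x10B) from PE32+ (0x20B); DllCharacteristics sits at offset 70 in both.
    $optHeader = $peOffset + 24
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)
    $dllChars  = [BitConverter]::ToUInt16($bytes, $optHeader + 70)
    $is64      = ($magic -eq 0x20B)

    [pscustomobject]@{
        Path          = $Path
        Machine       = ('0x{0:X4}' -f $machine)          # 0x8664 = x64, 0x014C = x86
        Is64Bit       = $is64
        DynamicBase   = [bool]($dllChars -band 0x0040)     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
        HighEntropyVA = ($is64 -and [bool]($dllChars -band 0x0020))  # 64-bit only; honoured from Windows 8 on
        NxCompat      = [bool]($dllChars -band 0x0100)     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in
        NoSeh         = [bool]($dllChars -band 0x0400)     # no SEH handlers in the image
    }
}

# Compare the 64-bit and 32-bit IE images side by side (default paths on x64 Windows).
'C:\Program Files\Internet Explorer\iexplore.exe',
'C:\Program Files (x86)\Internet Explorer\iexplore.exe' |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-PeMitigations -Path $_ } |
    Format-Table Path, Is64Bit, DynamicBase, HighEntropyVA, NxCompat, NoSeh -AutoSize
```

Run it over the plugin DLLs too (the Java and Flash binaries under Program Files): a 32-bit plugin loaded into a 32-bit browser process drags the whole process down to the 32-bit address space, which is the real reason the 64-bit-only configurations in the post were harder to exploit.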
|
How likely am I to get screwed by using the Filehippo update checker if I just let it download whatever it needs to keep things up to date? Any chance that one of their files would be compromised?
|
# ? Mar 16, 2011 18:18 |
|
Forever_Peace posted: How likely am I to get screwed by using the Filehippo update checker if I just let it download whatever it needs to keep things up to date? Any chance that one of their files would be compromised?

Yes, if it's from Adobe. And on the same subject, anybody more knowledgeable know of reasons not to use Secunia PSI? I'm really liking it so far.
|
# ? Mar 16, 2011 20:16 |
|
Okay, I think this is the best thread for this. Is MSE still the de-facto standard if you don't want to spend money on an anti-viral? What about anti-spyware? How about if you do want to spend money?
|
# ? Mar 16, 2011 20:46 |
|
MSE is pretty much top-notch whether you want to spend money or not. Combine it with occasional manual scans from MalwareBytes and/or SuperAntiSpyware, and it's pretty good front-line protection. If you absolutely have to have the best, the only thing that reliably performed even a little better than MSE in past reviews was Symantec Endpoint Protection. But that's not really an option unless you have 4-5 computers or can get in on a somebody's site license like a corporation or university. Licenses come yearly in packs of at least five (starting at $54/license/year). But also note that by "performed better," I mean as a virus scanner; SEP is still a big, heavy program compared to MSE.
|
# ? Mar 16, 2011 20:58 |
|
Maniaman posted: Haven't noticed that, but I did have one Windows 7 machine a couple days ago that ComboFix deactivated and apparently screwed up a bunch of registry permissions that prevented me from re-activating it. That was a fun one.

I had the same thing happen to me cleaning an xp pro laptop this morning, right after running ComboFix.
|
# ? Mar 16, 2011 22:07 |
|
|
Gallatin posted: I had the same thing happen to me cleaning an xp pro laptop this morning, right after running ComboFix.

Make sure to check date/time when this happens.
|
# ? Mar 17, 2011 04:13 |