  • Locked thread
PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

BangersInMyKnickers posted:

That malware that marks every single file in a user profile as hidden can gently caress right the hell off.

Pope Guilty posted:

I'm getting used to the message "Windows cannot find C:/Windows/System32/rsrtui.exe".

Malware creators are getting damned annoying lately. Though I've never quite seen one that does hell mode right:

Disabled System Restore
Nukes Recovery Partition.
Changes .exe file association.
Changes shell value.
Changes a ton of image file execution options.
Hides the files, all of them.
Changes the DNS settings on your router.
Roots the PC.

Go ahead, try and remove the fucker without wiping it from orbit when somebody makes one of those.

Oh, and I've also noticed a recent rash of McAfee / Norton removing the <Winver>Security2011 infections, but still leaving the hosed up .exe / .lnk associations behind.


warning
Feb 4, 2004

ZZ Pops is all about hugs and high fives.

BangersInMyKnickers posted:

That malware that marks every single file in a user profile as hidden can gently caress right the hell off.

Next one I find I am writing an attrib batch file. I'm tired of it too.

I'm thinking %userprofile%\Desktop \Favorites \My Documents and a few start menu and quicklaunch paths should do it.

Pope Guilty
Nov 6, 2006

The human animal is a beautiful and terrible creature, capable of limitless compassion and unfathomable cruelty.

PopeOnARope posted:

Oh, and I've also noticed a recent rash of McAfee / Norton removing the <Winver>Security2011 infections, but still leaving the hosed up .exe / .lnk associations behind.

Nearly every machine I've seen with Windows 7 Security 2011 has had Symantec Endpoint Protection on it. We give it away for free and it's almost like we shouldn't bother.

E: We have this whole thing that scans your computer, makes sure your OS is up to date, and confirms that you have antivirus software before allowing you to connect to our on-campus network. As far as I can tell, about half of the users immediately uninstall their AV after passing the scan.

Pope Guilty fucked around with this message at 20:07 on Apr 28, 2011

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

warning posted:

Next one I find I am writing an attrib batch file. I'm tired of it too.

I'm thinking %userprofile%\Desktop \Favorites \My Documents and a few start menu and quicklaunch paths should do it.

Do you mind posting that, or something like that? I'm terrible at attrib, and I need it for when the hosts file gets hosed off, among other things.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

PopeOnARope posted:

Do you mind posting that, or something like that? I'm terrible at attrib, and I need it for when the hosts file gets hosed off, among other things.

code:
attrib -h "%userprofile%\Desktop" /s /d
attrib -h "%userprofile%\Contacts" /s /d
attrib -h "%userprofile%\Downloads" /s /d
attrib -h "%userprofile%\Favorites" /s /d
attrib -h "%userprofile%\Links" /s /d
attrib -h "%userprofile%\Documents" /s /d
attrib -h "%userprofile%\Music" /s /d
attrib -h "%userprofile%\Pictures" /s /d
attrib -h "%userprofile%\Videos" /s /d
attrib -h "%userprofile%\Saved Games" /s /d
attrib -h "%userprofile%\Searches" /s /d
attrib -h "%userprofile%\Virtual Machines" /s /d
That should fix the bulk of it. If you want to modify multiple flags in a single operation, do something like this 'attrib -h +s -a [file]' so there is a space separating each flag operator.

ymgve
Jan 2, 2004


:dukedog:
Offensive Clock

Pope Guilty posted:

Nearly every machine I've seen with Windows 7 Security 2011 has had Symantec Endpoint Protection on it. We give it away for free and it's almost like we shouldn't bother.

E: We have this whole thing that scans your computer, makes sure your OS is up to date, and confirms that you have antivirus software before allowing you to connect to our on-campus network. As far as I can tell, about half of the users immediately uninstall their AV after passing the scan.

If I were forced to use Symantec, I would uninstall it as quickly as possible too.

Pope Guilty
Nov 6, 2006

The human animal is a beautiful and terrible creature, capable of limitless compassion and unfathomable cruelty.

ymgve posted:

If I were forced to use Symantec, I would uninstall it as quickly as possible too.

We just offer it. There's also Microsoft Security Essentials, which we all advise people to get.

warning
Feb 4, 2004

ZZ Pops is all about hugs and high fives.
Here is my one experience with SEP (I think it was version 11).

I took a quick side job doing rollouts for a hardware refresh. They shipped in the old laptops, we backed up data to a USB drive, used that drive to copy the data to the new laptop, then copied the user data again to a "server" for retention.

One of the old laptops came in with a USB autorun virus that would hide itself and make it so you cannot choose to see hidden files in the OS anymore. I noticed this the second I put my drive in the "server" and saw that it had an .exe icon picture where "View pictures" usually is.

I found the file and ran it through VirusTotal and virtually every scanner knew it. I googled it and it was a variant over a year old. I brought this to the attention of the IT guy there and he didn't seem to care much.

This virus spread itself to every laptop that went through the room, every new laptop shipped to the users, every old laptop, because they used SEP on everything.

J
Jun 10, 2001

PopeOnARope posted:

Malware creators are getting damned annoying lately. Though I've never quite seen one that does hell mode right:



I'm really surprised this hasn't become commonplace. I've had more than a few instances where I thought I could easily remove some malware, but I just can't get rid of it. I go to do a system restore on a whim, fully expecting the restore points to be hosed up, but then System Restore gets rid of it despite the malware being really annoying otherwise.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

J posted:

I'm really surprised this hasn't become commonplace. I've had more than a few instances where I thought I could easily remove some malware, but I just can't get rid of it. I go to do a system restore on a whim, fully expecting the restore points to be hosed up, but then System Restore gets rid of it despite the malware being really annoying otherwise.

The more of this behavior you do, the more likely heuristics and emulation are going to catch you for doing something fishy and stop it. Thus, they are always coming up with new novel ways to gently caress with you instead of rolling all the old-hat stuff in to one big, ineffective package.

FronzelNeekburm
Jun 1, 2001

STOP, MORTTIME

Pope Guilty posted:

As far as I can tell, about half of the users immediately uninstall their AV after passing the scan.
Nice to see things haven't changed in almost a decade since I got out of the college residential tech gig. "XP SP 1 made my computer so slow!" :qq:

Pope Guilty
Nov 6, 2006

The human animal is a beautiful and terrible creature, capable of limitless compassion and unfathomable cruelty.

FronzelNeekburm posted:

Nice to see things haven't changed in almost a decade since I got out of the college residential tech gig. "XP SP 1 made my computer so slow!" :qq:

I have no doubt we'd have a large population of XP SP1 users if the scanner didn't demand SP3.

texting my ex
Nov 15, 2008

I am no one
I cannot squat
It's in my blood

Pope Guilty posted:

There was an absolutely amazing thread in YOSPOS a while back where somebody found a malware installer that would install dialers which would install dialers which would install dialers and so on. I remember the phrase "Around lunchtime, it started making slot machine noises."

This sounds hilarious, does anyone have a link?

Pope Guilty
Nov 6, 2006

The human animal is a beautiful and terrible creature, capable of limitless compassion and unfathomable cruelty.
My mistake, it was SH/SC: Fun with crack.exe

Hipster_Doofus
Dec 20, 2003

Lovin' every minute of it.

Pope Guilty posted:

My mistake, it was SH/SC: Fun with crack.exe

Oh god, I remember that. How did that not get goldmined?

Technogeek
Sep 9, 2002

by FactsAreUseless
My favorite "stupid virus tricks" thread was when someone in YOSPOS found a botnet and connected to its IRC server. The thread was shut down by Cidrick after people started using the botnet to display pictures of Bill Cosby on infected systems. Unfortunately, most of the screenshots were hosted on Waffleimages.

http://forums.somethingawful.com/showthread.php?threadid=2990867

sonicice
Oct 21, 2000

Michael J Beverage, I've got a bone to pick with you.
I had one of those viruses that hid everything on the computer come across my bench a week or two ago. Bleepingcomputer has a tool toward the bottom of this page that will unhide all of the files marked as hidden on your computer. Use with caution I guess, since some poo poo probably should be hidden.

Let me know if this is bad advice and I can remove it I guess.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.
Wow, Windows Recovery Tool loving sucks. We started seeing it last week and this morning we've already got multiple machines in with it on there. Easy to get cleaned up and unhidden, but I'm about ready to be done talking people down from the edge when they think all their data's gone.

sfwarlock
Aug 11, 2007

co199 posted:

Wow, Windows Recovery Tool loving sucks. We started seeing it last week and this morning we've already got multiple machines in with it on there. Easy to get cleaned up and unhidden, but I'm about ready to be done talking people down from the edge when they think all their data's gone.

Someday one of these viruses will do real loving damage. Generate a keypair, encrypt every user file, send the key off to the Russian mafia.

And I just know I'll get reamed over it.

dpkg chopra
Jun 9, 2007

Fast Food Fight

Grimey Drawer
I just did something so dumb that I'm honestly worried that I had a mini-stroke or something because goddamn.

My sister is visiting and asks me if I can copy a file from my machine to her USB stick. Knowing her I was 100% sure that that stick was going to be infected with something, so I double check that autorun is off, stick it in, enable the "Show System Files" option and, sure enough, find a hidden folder with "MyFile.exe" in it.

Then, instead of outright deleting it I decide that I'm gonna scan it instead (I honestly don't even know why). I right click the file and my UAC reflexes must've kicked in or something because I proceeded to select "Run as Administrator" and then I clicked "Yes" on the prompt.

Luckily my antivirus caught it so nothing happened, but I swear to God I just stared at my screen for two minutes afterwards, completely dumbstruck at what I had just done.

It was like I suddenly became the epitome of a bad computer user.

Shadowknight
Jan 28, 2011

WE GET IT! YOU REALLY FUCKING HATE GEOFF JOHNS! NOW SHUT THE FUCK UP ABOUT IT IN EVERY GODDAMNED POST!
Not quite sure if this counts as a virus question, but the network at work has gotten slow. REALLY slow. I checked with the ISP, and they said that it wasn't a problem on their end, it was due to high-traffic use. Either someone's torrenting or streaming video, or someone's part of a botnet. Are there any freeware tools that can help me track down which computer is responsible for slowing down the network, and what port the traffic is coming from?

Shadowknight fucked around with this message at 02:28 on May 3, 2011

sfwarlock
Aug 11, 2007

Shadowknight posted:

Not quite sure if this counts as a virus question, but the network at work has gotten slow. REALLY slow. I checked with the ISP, and they said that it wasn't a problem on their end, it was due to high-traffic use. Either someone's torrenting or streaming video, or someone's part of a botnet. Are there any freeware tools that can help me track down which computer is responsible for slowing down the network, and what port the traffic is coming from?

Poke your nose into the network closet and check which port looks like a strobe light.

syscall girl
Nov 7, 2009

by FactsAreUseless
Fun Shoe

sfwarlock posted:

Poke your nose into the network closet and check which port looks like a strobe light.

Also Wireshark. But your method gets all the points for style.

Saint Sputnik
Apr 1, 2007

Tyrannosaurs in P-51 Volkswagens!
I'm currently trying to figure out if anything slipped in from some bullshit FB spam I got. I got a message saying a blank username account "made you an administrator of the page IPad 2 testers wanted." While I was trying to figure out how to flag it, I got that fake profile to load instead. I closed the tab immediately and I'm running my third scanning program with nothing so far. Any known issues with this particular spam I should look for?

gruvmeister
Dec 28, 2006

Spring has sprung,
The grass has riz,
I wonder where the flowers is

Saint Sputnik posted:

I'm currently trying to figure out if anything slipped in from some bullshit FB spam I got. I got a message saying a blank username account "made you an administrator of the page IPad 2 testers wanted." While I was trying to figure out how to flag it, I got that fake profile to load instead. I closed the tab immediately and I'm running my third scanning program with nothing so far. Any known issues with this particular spam I should look for?

If your Java client is up to date, you should be fine. Most of those that I've seen are directing you to a page with a malicious script based on last month's Java vulnerability. Chances are, if you have contracted something you'd know it by now.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

gently caress 'Antivirus 2011'

quackquackquack
Nov 10, 2002
Since we have all identical hardware, I'm strongly of the "swap in a new PC and migrate data" camp when someone gets hit.

But what should I worry about when copying data? I'm only worried about files in the one specific user's profile, but I would hate to bring along NTUSER.DAT, for example (as we do when migrating a user from a healthy computer), and have the infection come along for the ride.
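One way to do the data-only copy the post above is asking about, as an added example that is not from the thread or any poster: robocopy the user's data folders off the suspect profile and skip everything that could carry the infection along, namely the registry hives (NTUSER.DAT and friends), executables, scripts, shortcuts and autorun.inf, while stripping the Hidden/System attributes the "hide everything" malware sets. The source and destination paths, the folder list and the exclusion patterns are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): copy one user's data folders off a suspect
# profile with robocopy, leaving behind the file types that would bring an
# infection with them. Assumptions: $SourceProfile is the old profile (ideally the
# old disk attached to a clean machine), $Destination is a staging share, $Folders
# is the set of data folders you care about.
param(
    [Parameter(Mandatory)] [string]$SourceProfile,   # e.g. D:\Users\alice  (assumed path)
    [Parameter(Mandatory)] [string]$Destination,     # e.g. \\server\migrate\alice (assumed path)
    [string[]]$Folders = @('Desktop','Documents','Downloads','Favorites','Pictures','Music','Videos')
)

# Never copied: registry hives, autorun.inf, Windows-managed metadata files, and
# anything executable or script-like (including .lnk, since hijacked shortcuts
# were a common dropper at the time; the user's shortcuts can be recreated).
$excludeFiles = @('ntuser.dat*','ntuser.ini','usrclass.dat*','autorun.inf','desktop.ini','thumbs.db',
                  '*.exe','*.dll','*.scr','*.com','*.pif','*.bat','*.cmd','*.vbs','*.vbe','*.js','*.jse',
                  '*.wsf','*.wsh','*.ps1','*.lnk','*.hta','*.msi','*.cpl')
# Never copied: profile directories that hold caches, temp files and the usual droppers.
$excludeDirs = @('AppData','Application Data','Local Settings','Temp')

$log = Join-Path $Destination 'migration.log'
$results = @()
foreach ($folder in $Folders) {
    $src = Join-Path $SourceProfile $folder
    if (-not (Test-Path -LiteralPath $src)) { continue }
    $dst = Join-Path $Destination $folder

    # /E      copy subdirectories, including empty ones
    # /A-:SH  clear Hidden and System on the copies (undoes the "hide everything" malware)
    # /XF /XD exclusion lists; /R:1 /W:1 keep retries short; /NP /NDL trim the log
    & robocopy.exe $src $dst /E /A-:SH /COPY:DAT /R:1 /W:1 /NP /NDL "/LOG+:$log" `
        /XF $excludeFiles /XD $excludeDirs | Out-Null

    # robocopy exit codes: 0-7 are success bit flags (1 = files copied, 2 = extras,
    # 4 = mismatches); 8 and above mean something failed to copy.
    $results += [pscustomobject]@{ Folder = $folder; ExitCode = $LASTEXITCODE; Ok = ($LASTEXITCODE -lt 8) }
}
$results | Format-Table -AutoSize
```

Run it from the clean side with the old disk attached, then scan the staging share before anything is copied onto the new PC; the per-folder exit codes tell you whether any folder needs a second look before the old machine is wiped.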

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Bob Morales posted:

gently caress 'Antivirus 2011'

Ended up running 'rkill', then installing MBAM, then after it was cleaned up, installed MSSE and removed AVG. It's the girl's second to last day here, I told her don't touch any more computers.

"I was buying a bike rack!"

Bike rack of porn maybe.

bbcisdabomb
Jan 15, 2008

SHEESH

Bob Morales posted:

Ended up running 'rkill', then installing MBAM, then after it was cleaned up, installed MSSE and removed AVG. It's the girl's second to last day here, I told her don't touch any more computers.

"I was buying a bike rack!"

Bike rack of porn maybe.

Rkill combined with Combofix has yet to fail at getting rid of one of those infections for me. It doesn't always remove other stuff (crapware and some rootkits, notably) but it's great for getting a computer to a scannable state.

Plus, if you have hands on anyway you should really be running a TDSSKiller and Malwarebytes scan at least.

I usually go Rkill, Combofix, TDSSKiller, SuperAntiSpyware Portable, Malwarebytes, replace HOSTS file, reboot.
The biggest problem is making sure everything is updated, but I run Ketarin to keep everything updated.

RichieWolk
Jun 4, 2004

FUCK UNIONS

UNIONS R4 DRUNKS

FUCK YOU

sonicice posted:

I had one of those viruses that hid everything on the computer come across my bench a week or two ago. Bleepingcomputer has a tool toward the bottom of this page that will unhide all of the files marked as hidden on your computer. Use with caution I guess, since some poo poo probably should be hidden.

Let me know if this is bad advice and I can remove it I guess.

Holy poo poo, that would've been helpful a couple weeks ago. Had some girl call me up for virus removal, and she had Windows Recovery on both her desktop and her laptop. Her desktop had some awful combination of TDSS and some other rootkit that couldn't be cleaned at all; rkill and combofix wouldn't even complete successfully in safe mode.

That was the first time in years I had to tell someone that the best solution was to flatten and reinstall. gently caress you windows recovery, you ruined my awesome streak. :mad:

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

RichieWolk posted:

Holy poo poo, that would've been helpful a couple weeks ago. Had some girl call me up for virus removal, and she had Windows Recovery on both her desktop and her laptop. Her desktop had some awful combination of TDSS and some other rootkit that couldn't be cleaned at all; rkill and combofix wouldn't even complete successfully in safe mode.

That was the first time in years I had to tell someone that the best solution was to flatten and reinstall. gently caress you windows recovery, you ruined my awesome streak. :mad:

Don't forget to zero that fucker on the way out.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

PopeOnARope posted:

Don't forget to zero that fucker on the way out.

Quoting this for good measure, had a bunch of customers get frustrated after they reinstalled Windows and were still infected. Pointed out that just doing an over the top reinstall isn't gonna fix poo poo with an MBR rootkit on the system. A lot of people haven't dealt with something like this in a long time, MBR and boot rootkits are all the domain of the 80s and 90s.

gruvmeister
Dec 28, 2006

Spring has sprung,
The grass has riz,
I wonder where the flowers is

co199 posted:

Quoting this for good measure, had a bunch of customers get frustrated after they reinstalled Windows and were still infected. Pointed out that just doing an over the top reinstall isn't gonna fix poo poo with an MBR rootkit on the system. A lot of people haven't dealt with something like this in a long time, MBR and boot rootkits are all the domain of the 80s and 90s.

Some of the newer poo poo I've been seeing has an MBR rootkit component that prevents TDSSKiller from running (gets to 80% of the initialization process and then crashes, sound familiar?) along with the usual signs (redirected search results, prevention of any connection to a site with 'windowsupdate' anywhere in the URL including searches, svchost process that runs out of control). After nearly giving up, I discovered a simple 'FIXMBR' from the Windows Recovery Console does the job on this one. You'll get a warning that it appears you have a non-standard MBR or some poo poo and that your partitions might be lost, but I haven't seen that happen yet.


Also, for the hidden files bullshit that's been going around, if it's the entire drive that's been flagged as hidden and system and you're DOS deficient and don't really care about unhiding folders that are hidden normally, just do this:

code:
attrib -s -h c:\* /s /d
Let that run while you go about doing other cleanups, and check back in a bit. It'll do the entire hard drive, minus some stuff that Windows just won't let you gently caress with but has no impact on what the user sees. You'll see some thumbs.db and desktop.ini files in a bunch of places that are an annoyance at first (like the user startup folder and the allusers startup folder), but just delete them and Windows will recreate them and hide them properly.
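The two attrib approaches in this thread (BangersInMyKnickers's per-folder attrib list earlier and gruvmeister's whole-drive `attrib -s -h c:\* /s /d` just above) can be folded into one PowerShell script. The following is an added example, not code from the thread or any poster: it clears Hidden and System on the same profile folders the attrib list covers, but leaves desktop.ini, thumbs.db and the NTUSER.* hive files alone, which avoids the desktop.ini clean-up gruvmeister describes and keeps the hive hidden. The folder list and the $KeepHidden patterns are assumptions you can adjust; -WhatIf previews what would change.

```powershell
# Added example (not from the thread): clear the Hidden/System attributes that
# "hide everything" malware sets on a user profile, while leaving things Windows
# hides on purpose. Assumptions: run as the affected user or an administrator;
# $ProfileRoot defaults to the current profile. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProfileRoot = $env:USERPROFILE,
    # Folders the thread's attrib list covers (assumed default set; adjust to taste).
    [string[]]$Folders = @('Desktop','Contacts','Downloads','Favorites','Links',
                           'Documents','Music','Pictures','Videos','Saved Games',
                           'Searches','Virtual Machines'),
    # Files Windows legitimately keeps hidden/system; never touched.
    [string[]]$KeepHidden = @('desktop.ini','thumbs.db','ntuser.dat','ntuser.dat.log*','ntuser.ini')
)

function Test-KeepHidden {
    param([System.IO.FileSystemInfo]$Item)
    foreach ($pattern in $KeepHidden) {
        if ($Item.Name -like $pattern) { return $true }
    }
    return $false
}

$mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
$fixed = 0; $skipped = 0

foreach ($folder in $Folders) {
    $path = Join-Path $ProfileRoot $folder
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # -Force is required: without it hidden and system items are silently skipped.
    # Include the folder itself, since the malware hides the top-level folders too.
    $items = @(Get-Item -LiteralPath $path -Force) +
             @(Get-ChildItem -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $attrs = $item.Attributes
        $isHidden = $attrs.HasFlag([IO.FileAttributes]::Hidden)
        $isSystem = $attrs.HasFlag([IO.FileAttributes]::System)
        if (-not ($isHidden -or $isSystem)) { continue }

        if (Test-KeepHidden $item) { $skipped++; continue }

        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden/System attributes')) {
            # Equivalent to: attrib -h -s <item>, but only for this one item.
            $item.Attributes = [IO.FileAttributes]([int]$attrs -band -bnot $mask)
            $fixed++
        }
    }
}

Write-Output ("Cleared attributes on {0} item(s); left {1} intentionally hidden item(s) alone." -f $fixed, $skipped)
```

Because it only walks the listed folders, it never touches AppData or the other directories Windows hides by default, which is the main difference from running attrib against the whole drive.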

gruvmeister
Dec 28, 2006

Spring has sprung,
The grass has riz,
I wonder where the flowers is
Oh, and while I'm going on about virus poo poo that pisses me off, here's another one: After cleaning a system, ever get the legal notice window before the logon/welcome screen that's got some gibberish there? Yeah, but then after you delete the Legalnoticecaption/text values from HKLM/.../WinNT/CV/Winlogon it's still there? If so, try just deleting the entire HKLM(and HKCU for good measure)/software/microsoft/windows/currentversion/policies/system key. Even if that key is empty.
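A more targeted way to handle the leftover legal notice described above, as an added example that is not from the thread or any poster: it looks for LegalNoticeCaption/LegalNoticeText in the Winlogon key and in both Policies\System keys (the policies copies take precedence, which is why deleting only the Winlogon values leaves the notice in place), removes them, and then lists whatever else remains under the Policies\System keys so you can see what a wholesale key delete would take with it. Those keys also hold UAC settings such as EnableLUA and ConsentPromptBehaviorAdmin, so deleting the whole key resets those to defaults. The key paths and value names are the standard Windows ones; the script itself is an assumption.

```powershell
# Added example (not from the thread): remove a bogus pre-logon legal notice from
# every location Winlogon reads it from, and report what else lives in the
# Policies\System keys before anyone deletes them outright. Run from an elevated
# PowerShell; supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$noticeValues = @('LegalNoticeCaption', 'LegalNoticeText')
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key

    foreach ($name in $noticeValues) {
        $value = $props.PSObject.Properties[$name]
        if ($null -eq $value) { continue }
        # Show what was there (the gibberish text is itself a useful IoC to record).
        Write-Output ("{0}\{1} = '{2}'" -f $key, $name, $value.Value)
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove legal notice value')) {
            Remove-ItemProperty -LiteralPath $key -Name $name
        }
    }

    # For the Policies\System keys, list the remaining values so an admin can judge
    # whether anything legitimate (UAC settings, policy entries) would go with the key.
    if ($key -like '*Policies\System') {
        $remaining = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notin $noticeValues }
        if ($remaining) {
            Write-Output "Remaining values under ${key}:"
            $remaining | ForEach-Object { Write-Output ("  {0} = {1}" -f $_.Name, $_.Value) }
        } else {
            Write-Output "$key holds nothing else; deleting the key loses no settings."
        }
    }
}
```

If the notice still appears after the values are gone from all three keys, that is the point at which deleting the empty Policies\System key, as the post suggests, is the next step; if the listing shows UAC values, remove only the notice values and leave the key.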

Toast Museum
Dec 3, 2005

30% Iron Chef

PopeOnARope posted:

Don't forget to zero that fucker on the way out.

drat, I figured it was enough to just delete all existing partitions and then go on with installing Windows. What program do the cool kids use to zero out a drive? DBAN seems to be all about bullshit like multiple passes and random bit patterns.

sfwarlock
Aug 11, 2007

Toast Museum posted:

What program do the cool kids use to zero out a drive?

# dd if=/dev/zero of=/dev/hda bs=1024k

:smug:

Toast Museum
Dec 3, 2005

30% Iron Chef
Okay, I walked into that one. Still, thanks. I don't know poo poo about Linux commands.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

Toast Museum posted:

Okay, I walked into that one. Still, thanks. I don't know poo poo about Linux commands.

or with windows -

code:
diskpart
select disk 0
clean all

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

gruvmeister posted:

Some of the newer poo poo I've been seeing has an MBR rootkit component that prevents TDSSKiller from running (gets to 80% of the initialization process and then crashes, sound familiar?) along with the usual signs (redirected search results, prevention of any connection to a site with 'windowsupdate' anywhere in the URL including searches, svchost process that runs out of control). After nearly giving up, I discovered a simple 'FIXMBR' from the Windows Recovery Console does the job on this one. You'll get a warning that it appears you have a non-standard MBR or some poo poo and that your partitions might be lost, but I haven't seen that happen yet.

Yup, that's a great fix, we do the same thing in my shop, good to know that more people are seeing this bullshit. My roster of tools is up to rKill, ComboFix, TDSS Killer, GMER, Malwarebytes, Super AS, Hitman Pro and Stinger. Stinger's a little lacking since it's a virus removal tool, but it seems to catch some stuff.

As an aside, it's loving hilarious that McAfee removes rKill as malware, talk about loving ineffective. I'm not surprised, though. I used to work in the AV industry and the amount of incompetence among the big companies is astounding. It's hard enough to keep up with all the new variants and bugs that come out without having lovely researchers to complicate the issue.

co199 fucked around with this message at 07:30 on May 5, 2011


Otacon
Aug 13, 2002


Me: "Scans are finished, I found over 50 infected files that McAfee missed. Would you like me to uninstall that, and install a free alternative by Microsoft?"
Her: "You want to uninstall McAfee? But I have 200 days left in my subscription!"
Me: "I found over 50 infected files. If I leave McAfee, you'll be back in a month paying me 3x the cost of your yearly McAfee subscription to remove them again."
Her: "But I don't want to get ripped off... just leave McAfee and I'll figure out what to do when I get it back home."

Hey look! Free money.

Forgot to add: This was after McAfee deleted my copy of Combofix. Can you believe there are actually people who are PAYING for McAfee?

Otacon fucked around with this message at 09:40 on May 5, 2011
