  • Locked thread
Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
seriously guys MBR rootkits have been making a big comeback over the past year, and they are one of the easiest things to fix. if you've absolutely got to repair a system instead of starting from scratch, your first step should be either yanking the drive and scanning with another machine, or just running FIXMBR from the Recovery Console.

Impotence
Nov 8, 2010
Lipstick Apathy
"You paid $59 (or whatever w7 costs) for MSE, do you want to use it or not" solves the issue half the time

warning
Feb 4, 2004

ZZ Pops is all about hugs and high fives.

bbcisdabomb posted:

The biggest problem is making sure everything is updated, but I run Ketarin to keep everything updated.

Just set this up to run automatically every day, thank you. I can delete my weekly reminder to do it manually now!

RichieWolk
Jun 4, 2004

FUCK UNIONS

UNIONS R4 DRUNKS

FUCK YOU

Toast Museum posted:

drat, I figured it was enough to just delete all existing partitions and then go on with installing Windows. What program do the cool kids use to zero out a drive? DBAN seems to be all about bullshit like multiple passes and random bit patterns.

Use DBAN.

I guess this is the best place to ask: Is there a version of hitman pro for computer janitors to just cart around and use as a one-time "loving fix it right now" solution? I searched and it looks like there's just the 1-3 pc home license, or the 25-250 enterprise version. I'd really like something that just works on 1 pc at a time, but can be used on like a hundred machines through the year for like $200.

If not, I guess I'll just use the free trial versions and feel like a moderately bad person.

Toast Museum
Dec 3, 2005

30% Iron Chef

RichieWolk posted:

Use DBAN.

Why? Multi-pass formats are bullshit.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

RichieWolk posted:

I guess this is the best place to ask: Is there a version of hitman pro for computer janitors to just cart around and use as a one-time "loving fix it right now" solution? I searched and it looks like there's just the 1-3 pc home license, or the 25-250 enterprise version. I'd really like something that just works on 1 pc at a time, but can be used on like a hundred machines through the year for like $200.

If not, I guess I'll just use the free trial versions and feel like a moderately bad person.

If you find an answer to this, I'd sure like to be pointed in that direction. We've limited our reliance on Hitman for just that reason.

BTW, looks like a new version of TDSSKiller got released on the 20th of April, seems to be working well so far.

Impotence
Nov 8, 2010
Lipstick Apathy

Toast Museum posted:

Why? Multi-pass formats are bullshit.

Isn't the default autonuke a single zero or random pass?

Toast Museum
Dec 3, 2005

30% Iron Chef

Biowarfare posted:

Isn't the default autonuke a single zero or random pass?

Oh, if that's the case, then no problem. The documentation I found was sparse and mostly talked about time-wasting options.

quadpus
May 15, 2004

aaag sheets
Girlfriend's laptop got hit by some TDSS variant. TDSSKiller (the new version) wouldn't work, even in safe mode. After pulling the drive and running TDSSKiller from a separate machine everything was fine. This points to an infected MBR right? Funny thing is the MBR has GRUB on it because this machine dual-boots as a MythTV frontend.


Pope Guilty posted:

We just offer it. There's also Microsoft Security Essentials, which we all advise people to get.

Are there any good reasons to go with MSE if Forefront is available to me?

Mistayke
May 7, 2003

I was coming up on the end of my sub to NIS 2011, and took the plunge and grabbed Kaspersky PURE.

The difference is night and day. My systems suddenly respond and work faster. I have three PCs on my home network, and can administer them all from a single PC with this thing, as well as have one PC act as a central server that pushes out updates to the other two.

I loved Norton from 2009 and up, but it's like my eyes have been opened after switching. Everything NIS did, Kaspersky does, and seemingly more efficiently and faster.

And the topping on the cake was, Kaspersky found three trojans that NIS had missed for God knows how long.

Sorry if it sounded like an ad, but I just can't believe how much faster the systems are, and dammit I'm excited.

Red_Fred
Oct 21, 2010


Fallen Rib
So after reading about a guy making a virus kit on a USB stick I thought this would be a good idea. What are the best programs to have? What order should they be used?

BogDew
Jun 14, 2006

E:\FILES>quickfli clown.fli

Red_Fred posted:

So after reading about a guy making a virus kit on a USB stick I thought this would be a good idea. What are the best programs to have? What order should they be used?

I'll let others suggest scanning apps, but it will help if you put on USB immunizer so that you don't end up carrying back infections.
The program creates a locked autorun.ini that can't be overwritten by viruses.

http://labs.bitdefender.com/?page_id=108

What are people's opinions on Sophos Anti-Rootkit, how has it stacked up?

RichieWolk
Jun 4, 2004

FUCK UNIONS

UNIONS R4 DRUNKS

FUCK YOU

Red_Fred posted:

So after reading about a guy making a virus kit on a USB stick I thought this would be a good idea. What are the best programs to have? What order should they be used?

I keep a folder on my desktop with all my programs for my USB drive in it, and whenever I go out to work, I just wipe a stick and copy the contents over. I'll probably start using that ketarin program to keep the big ones updated.

My USB drive contains:

-generic hex editor
-Norton Removal Tool
-port scanner (superscan, because it's familiar to me)
-Malwarebyte's Anti-Malware installer
-Spybot Search&Destroy installer and includes
-Spywareblaster installer
-Combofix
-.NET Version detector
-GMER
-HijackThis
-Hitman Pro
-LSPfix.exe from cexx.org
-process explorer
-rkill
-Scanner
-TDSSKiller
-Rootkit unhooker
-various fixes for vundo, virut, smitfraud, etc.
-other random tweaks, like registry settings to restore .exe function, or stuff like that

So far it's caught almost everything I've come across.

bbcisdabomb
Jan 15, 2008

SHEESH

RichieWolk posted:

I keep a folder on my desktop with all my programs for my USB drive in it, and whenever I go out to work, I just wipe a stick and copy the contents over. I'll probably start using that ketarin program to keep the big ones updated.

My USB drive contains:

-generic hex editor
-Norton Removal Tool
-port scanner (superscan, because it's familiar to me)
-Malwarebyte's Anti-Malware installer
-Spybot Search&Destroy installer and includes
-Spywareblaster installer
-Combofix
-.NET Version detector
-GMER
-HijackThis
-Hitman Pro
-LSPfix.exe from cexx.org
-process explorer
-rkill
-Scanner
-TDSSKiller
-Rootkit unhooker
-various fixes for vundo, virut, smitfraud, etc.
-other random tweaks, like registry settings to restore .exe function, or stuff like that

So far it's caught almost everything I've come across.

For me, it's basically this +
-Virus scan removers for everything I can find. McAfee, Norton, AVG, Avast!, MSE, BitDefender, NOD32, etc. All of them.
-.Net Removal Tool and .Net installers (3.5 and 4.0)
-Updated definitions for Malwarebytes and a few others
-MSE 32 and 64 bit installers
-hosts file from here
-the entire Sysinternals suite - though I keep Autoruns and PE in the root
-The full suite of Nirsoft utilities
-Dial-A-Fix

Along with the previously mentioned but not linked Ketarin for keeping them up to date. Takes me two minutes a day to update, max.

It's hugely overkill, but I've surprised a few clients by having exactly what they needed.

I also carry around a bootable pendrive made with SARDU - I don't think it's that great of a program but I put zero effort into it. I can boot Parted Magic, AVG and Kaspersky rescue disks, and if I put some effort into fixing my coworker's screwups on the image I could boot XP recovery console, two versions of UBCD, and several other useful programs.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.
Hey look, now even Mac users have to deal with rogueware bullshit:

http://blog.intego.com/2011/05/02/intego-security-memo-macdefender-fake-antivirus/

Intego's Blog posted:

Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results). When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
Windows 7 Security 2011 can gently caress its own mother right in her rear end.

It bothers me that the thing fucks the .exe file associations, the shell value, and the image file execution options for both IE and Firefox. If system restore isn't working, you can just pop into the admin account to nuke it, though.

coinstarpatrick
May 21, 2007

by T. Finn

RichieWolk posted:

I keep a folder on my desktop with all my programs for my USB drive in it, and whenever I go out to work, I just wipe a stick and copy the contents over. I'll probably start using that ketarin program to keep the big ones updated.

My USB drive contains:

-generic hex editor
-Norton Removal Tool
-port scanner (superscan, because it's familiar to me)
-Malwarebyte's Anti-Malware installer
-Spybot Search&Destroy installer and includes
-Spywareblaster installer
-Combofix
-.NET Version detector
-GMER
-HijackThis
-Hitman Pro
-LSPfix.exe from cexx.org
-process explorer
-rkill
-Scanner
-TDSSKiller
-Rootkit unhooker
-various fixes for vundo, virut, smitfraud, etc.
-other random tweaks, like registry settings to restore .exe function, or stuff like that

So far it's caught almost everything I've come across.

Add the portable version of Superantispyware. It comes in handy and is kept up to date. The scan is a lot quicker than a MWB scan, MWB can be extremely slow if you are on site (especially on a highly infected sloth box).

tsbicca
Aug 27, 2004

co199 posted:

Hey look, now even Mac users have to deal with rogueware bullshit:

http://blog.intego.com/2011/05/02/intego-security-memo-macdefender-fake-antivirus/

Just had a user turn in a Mac with this installed. First time I've ever seen Mac malware in the wild.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

tsbicca posted:

Just had a user turn in a Mac with this installed. First time I've ever seen Mac malware in the wild.

Everything I'd seen before this has been proof of concept. If you don't mind, can you explain how you got rid of it after you've done your cleanup? I think it'd be helpful for us computer janitors in the thread.

Gothmog1065
May 14, 2009

co199 posted:

Everything I'd seen before this has been proof of concept. If you don't mind, can you explain how you got rid of it after you've done your cleanup? I think it'd be helpful for us computer janitors in the thread.

Especially for those of us who haven't used a Mac/Apple computer since ][.

bbcisdabomb
Jan 15, 2008

SHEESH

coinstarpatrick posted:

Add the portable version of Superantispyware. It comes in handy and is kept up to date. The scan is a lot quicker than a MWB scan, MWB can be extremely slow if you are on site (especially on a highly infected sloth box).

You're saying Malwarebytes is slow and recommending Superantispyware :stare:

SAS is the second loving slowest AV I've used behind ClamAV. I use SAS because it gets drat near everything, but I use Malwarebytes when I'm with customers because it's so much faster.

Maybe the install version runs faster, but god drat does the portable version drag.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

tsbicca posted:

Just had a user turn in a Mac with this installed. First time I've ever seen Mac malware in the wild.

Macs are about 12% of the userbase in the US (google statistic), it makes sense that folks will start targeting Macs and Safari as the userbase grows.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Got some wild windows antivirus 2011 come in. Disappointed to see that KAV enterprise detects it after its in but doesn't stop it in the first place.

Gothmog1065
May 14, 2009
Are there any special variables/settings I should be putting on in Ketarin? Can someone email me an example file so I can make sure I'm doing this correctly?

bbcisdabomb
Jan 15, 2008

SHEESH

Gothmog1065 posted:

Are there any special variables/settings I should be putting on in Ketarin? Can someone email me an example file so I can make sure I'm doing this correctly?

This is from my Ketarin install from Dropbox, so it doesn't have all that much, but here's my jobs.db. It should get you just about everything.

I don't much care for using FileHippo, so I download most everything from Majorgeeks. I just ripped a downloader script from the forums, get it here: Majorgeeks.xml

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

skipdogg posted:

Macs are about 12% of the userbase in the US (google statistic), it makes sense that folks will start targeting Macs and Safari as the userbase grows.

They've been saying this since OS X came out. There were plenty of classic Mac OS viruses.

Gothmog1065
May 14, 2009

bbcisdabomb posted:

This is from my Ketarin install from Dropbox, so it doesn't have all that much, but here's my jobs.db. It should get you just about everything.

I don't much care for using FileHippo, so I download most everything from Majorgeeks. I just ripped a downloader script from the forums, get it here: Majorgeeks.xml

Sweet, thank you. This saves me a ton of time.

FCKGW
May 21, 2006

co199 posted:

Everything I'd seen before this has been proof of concept. If you don't mind, can you explain how you got rid of it after you've done your cleanup? I think it'd be helpful for us computer janitors in the thread.

It's pretty easy. Close the program, drag MacDefender.app to the trash, and reset your login and homepage options.
http://www.bleepingcomputer.com/virus-removal/remove-mac-defender

It's also worthy to note that the user must provide their credentials for it to install.

equation groupie
Feb 7, 2004

debased and dread pilled

bbcisdabomb posted:

You're saying Malwarebytes is slow and recommending Superantispyware :stare:

SAS is the second loving slowest AV I've used behind ClamAV. I use SAS because it gets drat near everything, but I use Malwarebytes when I'm with customers because it's so much faster.

Maybe the install version runs faster, but god drat does the portable version drag.

Yeah, this is not my experience with the install version. A full scan with SAS is much shorter than one with MBAM, although both have gotten faster in the last year or so, in my experience.

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!

BorderPatrol posted:

It's also worthy to note that the user must provide their credentials for it to install.

Somehow I'm not surprised that there's still infections with this being the case.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

PopeOnARope posted:

Somehow I'm not surprised that there's still infections with this being the case.

See every fake "Adobe Update, click here!!!" infection in the last 5 years.

Pope Guilty
Nov 6, 2006

The human animal is a beautiful and terrible creature, capable of limitless compassion and unfathomable cruelty.

PopeOnARope posted:

Somehow I'm not surprised that there's still infections with this being the case.

Given that the Apple users I support can't reliably tell the difference between OSX prompting them for their computer's credentials and their school credentials...

Kaboobi
Jan 5, 2005

SHAKE IT BABY!
SALT THAT LADY!

Pope Guilty posted:

Given that the Apple users I support can't reliably tell the difference between OSX prompting them for their computer's credentials and their school credentials...

It's all going to be the same password anyway.

equation groupie
Feb 7, 2004

debased and dread pilled
I just ran across this page at Kaspersky, which is a list of all the free, one-off tools they offer (including TDSSKiller). Near the bottom it lists the Kaspersky Virus Removal Tool; is that tool a superset of all of the individual one-offs on listed on the first page, or is it something different? Anyone know?

This FAQ entry doesn't provide much help, either.


As an aside, I've put up my jobs.db from the previously-mentioned Ketarin, in case someone wants to use it as a starting point for their own jobs database. I just started using it yesterday and it is REALLY convenient once you set it up, but there are some UI quirks (to put it nicely) that kinda get in the way. Here's what I have on it:

  • 7-zip installers
  • Flash installers for IE and Firefox
  • Avast uninstaller
  • AVG uninstaller
  • Bit Defender uninstaller
  • CCleaner Portable
  • Combofix
  • CWShredder
  • Defraggler portable
  • ESET Uninstaller
  • Everything portable
  • Foxit Reader installer
  • HiJack This portable
  • Java installer
  • MalwareBytes installer + definition updates
  • MSE installers for all supported platforms + definitions
  • NirLauncher and the NirSoft x64 pack
  • Recuva portable
  • Rkill
  • SmitFraudFix
  • Speccy portable
  • Spybot + definitions
  • SuperAntiSpyware installer
  • SysinternalsSuite
  • TDSSKiller
  • TeraCopy Installer
  • VundoFix

Factory Factory
Mar 19, 2010

This is what
Arcane Velocity was like.
Well, this is going to be a bit of a headache: Proper unicode implementation in file browsers on all platforms allows very effective obfuscation of file extensions, and it's now hitting the wild.

You can play with this yourself if you have a copy of MS Word or are willing to do some software installs (source I Googled up). In Word, type "202E" (the hex value of the left-to-right encoding character), hit Alt-X, then type some stuff. It will appear right-to-left still, but if you copy the entire line and paste it to Notepad, it will be rendered left-to-right.

Let's see how SA handles it:
‮This is a test of SA's unicode compliance and scrubbing.

I can tell you right now, my browser renders that backwards in the post window, until I preview and the character is replaced by an &#### stand-in.

Let's try a test from the article I linked in the first paragraph. We are going to see how the following input renders when I substitute unicode characters for their placeholders
code:
[RTLO]cod.yrammusevituc[LTRO]n1c[LTRO].exe
And with characters:

‮cod.yrammusevituc‫n1c‫.exe
code:
‮cod.yrammusevituc‫n1c‫.exe
Not too clean, but it clearly raises the standards for bullshit detection. In principle, you could hide the extension anywhere in the filename.

CLICK HERE FOR SPORTS!!! ‮4pm.‫jose.conseco.at.bat
code:
‮4pm.‫jose.conseco.at.bat
Say you make this batch file del /F /Q *.*. Dad runs that expecting sweet homers, user profile nuked.

Good news: naming a file that and putting on the desktop screws it up a bit, rendering "jose.con.mp4seco.at.bat". Bad news: viewing the file in Explorer renders it correctly as "jose.conseco.at.bat.mp4". Good news: if the file name section of the view is too small to show the entire document name, it screws up, putting the ellipses at the front of the name and keeping ".mp4" visible at the end, omitting characters starting with ".bat" going leftwards. So it's possible to detect these, but it takes some more diligence.
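A defender-side check for the trick described in the post above, added here as an example (it is not from the thread or from any tool named in it): it flags Unicode bidi control characters in a stored file name, takes the extension the OS will actually use from the stored string, and compares it with the extension a viewer would show under a simplified model in which the first RLO reverses everything after it. The sample names are constructed (one is the batch-file test from the post); the nested RLE embeddings from the post are deliberately not modelled, since real viewers run the full bidi algorithm.

```python
"""Detect bidi-override extension spoofing in file names (added example, not from the thread)."""

# Bidi control code points that can change how a name is displayed (Unicode Bidi_Control).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

# Extensions the Windows shell will execute or script-run; constructed and non-exhaustive.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "js", "jse", "vbs", "vbe",
                   "wsf", "wsh", "ps1", "msi", "hta", "lnk", "cpl"}


def _strip_controls(s):
    """Remove bidi controls; this is the logical string the file system stores and matches on."""
    return "".join(ch for ch in s if ch not in BIDI_CONTROLS)


def find_bidi_controls(name):
    """Return (index, mnemonic) for every bidi control in the stored name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def true_extension(name):
    """Extension the OS uses: text after the last '.' in the control-stripped stored name."""
    logical = _strip_controls(name)
    return logical.rsplit(".", 1)[1].lower() if "." in logical else ""


def apparent_name(name):
    """Approximate the displayed name: the first RLO reverses everything after it,
    up to a PDF (pop) or the end of the string.  Other controls are simply dropped;
    nested RLE/LRE embeddings are not modelled."""
    rlo = name.find("\u202e")
    if rlo == -1:
        return _strip_controls(name)
    head, tail = name[:rlo], name[rlo + 1:]
    pdf = tail.find("\u202c")
    reversed_part, rest = (tail, "") if pdf == -1 else (tail[:pdf], tail[pdf + 1:])
    return _strip_controls(head) + _strip_controls(reversed_part)[::-1] + _strip_controls(rest)


def apparent_extension(name):
    """Extension a user would read off the displayed (visually reordered) name."""
    shown = apparent_name(name)
    return shown.rsplit(".", 1)[1].lower() if "." in shown else ""


def assess(name):
    """Classify a name: 'clean', 'bidi-control' (suspicious), or 'spoofed-executable'."""
    if not find_bidi_controls(name):
        return "clean"
    real, shown = true_extension(name), apparent_extension(name)
    if real in EXECUTABLE_EXTS and shown != real:
        return "spoofed-executable"
    return "bidi-control"


# Constructed samples: a classic single-RLO "pdf" that is really an exe, the post's
# batch-file test, and a harmless name with no controls at all.
SAMPLE_NAMES = [
    "report\u202efdp.exe",
    "\u202e4pm.\u202bjose.conseco.at.bat",
    "summary.doc",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "->", assess(n),
              "| stored ext:", true_extension(n), "| shown ext:", apparent_extension(n))
```

Any bidi control in a file name is worth a second look on its own, since legitimate names almost never contain them; the executable-extension mismatch is what turns "suspicious" into "spoofed".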

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

PopeOnARope posted:

Windows 7 Security 2011 can gently caress its own mother right in her rear end.

It bothers me that the thing fucks the .exe file associations, the shell value, and the image file execution options for both IE and Firefox. If system restore isn't working, you can just pop into the admin account to nuke it, though.

When something hijacks .exe associations, I've found that MalwareBytes can be run if you just rename the MBAM.exe to MBAM.com.

That has saved me so much time in clients computers right there.

pienipple
Mar 20, 2009

That's wrong!

vlack posted:

I just ran across this page at Kaspersky, which is a list of all the free, one-off tools they offer (including TDSSKiller). Near the bottom it lists the Kaspersky Virus Removal Tool; is that tool a superset of all of the individual one-offs on listed on the first page, or is it something different? Anyone know?

This FAQ entry doesn't provide much help, either.

It's sort of a snapshot version of the full Kaspersky AV. It's not updatable and has no resident shield, it's just a scanner + cleaner. I've tried it and didn't really think it had any advantages over more lightweight tools (it's something like 80mb)

tsbicca
Aug 27, 2004

co199 posted:

Everything I'd seen before this has been proof of concept. If you don't mind, can you explain how you got rid of it after you've done your cleanup? I think it'd be helpful for us computer janitors in the thread.

I didn't actually do the cleanup, another tech did but he did something similar to this: http://www.bleepingcomputer.com/virus-removal/remove-mac-defender It worked pretty well as far as we could tell.

co199
Oct 28, 2009

I AM A LOUSY FUCKING COMPUTER JANITOR WHO DOES NOT KNOW ANYTHING ABOUT CYBER COMPUTER HACKER SHIT.

PLEASE DO NOT LISTEN TO MY FUCKING AWFUL OPINIONS AS I HAVE NO FUCKING IDEA WHAT I AM TALKING ABOUT.

tsbicca posted:

I didn't actually do the cleanup, another tech did but he did something similar to this: http://www.bleepingcomputer.com/virus-removal/remove-mac-defender It worked pretty well as far as we could tell.

Ok, yeah I'd seen that article. Between what you and FCKGW posted, it looks like it's pretty standard. Still haven't seen one in our shop, but we do almost 0 Apple support so that's not surprising. Thanks!

coinstarpatrick
May 21, 2007

by T. Finn

bbcisdabomb posted:

You're saying Malwarebytes is slow and recommending Superantispyware :stare:

SAS is the second loving slowest AV I've used behind ClamAV. I use SAS because it gets drat near everything, but I use Malwarebytes when I'm with customers because it's so much faster.

Maybe the install version runs faster, but god drat does the portable version drag.

Funny, I just ran a quick scan of both.. SAS: 16:29 MWB: 1:32 (perfect conditions on a fast machine). I've definitely been in situations where MWB really drags though. Another consideration: AFAIK SAS is designed to be run in safe mode and Malwarebytes isn't.

VVV Not sure but I think that's from the developers. VVV

-Some MWB staff member: "This goes into areas where I can't say much without giving away the internal workings, but MBAM is stronger from regular mode. This is by design, as the majority of new malware runs from safe mode so you gain nothing anyway. There are also multiple infections that as part of their first step blow away the entire safeboot keyset, so we do not rely on it being there."

coinstarpatrick fucked around with this message at 04:15 on May 17, 2011
