Demie
Apr 2, 2004

kastein posted:

I wish it would just crash the box with a BSOD so I could actually trace something back.

If it's that random and inconsistent, run memtest86. First thing I would do.


Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Hex Darkstar posted:

I can understand Artemis(a.k.a. Global Threat Intelligence) detections being vaguely named because they're heuristic instead of signature based but the signature based detections are horrible to track down information on.

That's usually it. Most of the bigs have some form of heuristic detection now, and inevitably if it triggers you're going to get that generic.genericname response. Problem being most of their heuristics are simplistic/suck. There's a bunch that are used when it detects an exe has been modified by any obfuscator for example, regardless of anything else.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.

Scaramouche posted:

That's usually it. Most of the bigs have some form of heuristic detection now, and inevitably if it triggers you're going to get that generic.genericname response. Problem being most of their heuristics are simplistic/suck. There's a bunch that are used when it detects an exe has been modified by any obfuscator for example, regardless of anything else.

Yeah, definitely makes sense. They're talking about moving to Microsoft's corporate AV solution soon, so I'm curious to see how good/terrible that is.

On another note ZeroAccess is back and revised a bit :doh: WHY WON'T IT DIE?!

This application "D7" used to be really effective at preventing it from starting up, but it looks like they've revised it and worked around that feature. It is also able to execute its rootkit functions on a non-admin account now, whereas before it couldn't. Well, back to pulling my hair out.

e: Never mind, got D7 working. Was also able to find where it was hiding its loader this time around: within an NTFS junction pointing to a $NTUninstallKB<rand#>$ folder.

Hex Darkstar fucked around with this message at 00:22 on Nov 8, 2011

kastein
Aug 31, 2011

Moderator at http://www.ridgelineownersclub.com/forums/and soon to be mod of AI. MAKE AI GREAT AGAIN. Motronic for VP.

Demie posted:

If it's that random and inconsistent, run memtest86. First thing I would do.

the one constant is that it is ALWAYS while I am playing some sort of streaming flash video or music, usually right after it starts and before it buffers enough to catch up with where it is. Else I would suspect memory.

ConanThe3rd
Mar 27, 2009

kastein posted:

adobe flash player again :negative:

loving thing started off my monday by hardlocking the machine. BIOS config data not corrupted this time.

It's just so god drat random and unpredictable that I can't really start debugging it and my bet is, neither can they. WinXP 64, 32-bit firefox, nvidia cards, flash player, all updated within the last week or two. Locks up on random flash objects - usually last.fm radio player page or a youtube video. In the name of science I reopened exactly the same youtube video after bringing the machine back up and it played all the way through without problems. It appears to have the best chance of crashing when it's streaming something and runs out of data in the buffer to play, but gently caress if I know how accurate that is, it only happens every few days to every few weeks so it's pretty hard to draw any conclusions.

I wish it would just crash the box with a BSOD so I could actually trace something back.
Couldn't you try forcing the computer to BSOD (I'm sure there's a way to do this) when things start going to poo poo?

Ensign Expendable
Nov 11, 2008

Lager beer is proof that god loves us
Pillbug
http://support.microsoft.com/kb/244139

Enjoy.

Red_Mage
Jul 23, 2007
I SHOULD BE FUCKING PERMABANNED BUT IN THE MEANTIME ASK ME ABOUT MY FAILED KICKSTARTER AND RUNNING OFF WITH THE MONEY

kastein posted:

adobe flash player again :negative:

loving thing started off my monday by hardlocking the machine. BIOS config data not corrupted this time.

It's just so god drat random and unpredictable that I can't really start debugging it and my bet is, neither can they. WinXP 64, 32-bit firefox, nvidia cards, flash player, all updated within the last week or two. Locks up on random flash objects - usually last.fm radio player page or a youtube video. In the name of science I reopened exactly the same youtube video after bringing the machine back up and it played all the way through without problems. It appears to have the best chance of crashing when it's streaming something and runs out of data in the buffer to play, but gently caress if I know how accurate that is, it only happens every few days to every few weeks so it's pretty hard to draw any conclusions.

I wish it would just crash the box with a BSOD so I could actually trace something back.

Are you sure you have a virus and this is not just a bad XP64 driver or a faulty piece of hardware? It sounds a lot like one of those.

kastein
Aug 31, 2011

Moderator at http://www.ridgelineownersclub.com/forums/and soon to be mod of AI. MAKE AI GREAT AGAIN. Motronic for VP.

ConanThe3rd posted:

Couldn't you try forcing the computer to BSOD (I'm sure there's a way to do this) when things start going to poo poo?

doesn't really do a hell of a lot of good when you get no real stack backtrace. If I had another system right now I'd enable kernel debugging via RS232 and dive in, but... I don't. It's a 4-core machine, too, so I can't just blindly cause an exception and hope it ends up on the right core. If I can figure out how to get a copy of the proper kernel symbol files I'll probably screw around with it once I get a usb serial adapter for my laptop. Wouldn't be the first time I've had to use dirty hacks to conclusively prove that a vendor's software was a piece of poo poo... they didn't fix it last time either :eng99:

Red_Mage posted:

Are you sure you have a virus and this is not just a bad XP64 driver or a faulty piece of hardware? It sounds a lot like one of those.

I'm sarcastically calling adobe flash a virus because it is a flaming piece of poo poo. I'm pretty sure I don't have faulty hardware or a bad driver because this system is rock solid even when playing DVDs and running CAD software and other apps that use multiple gigabytes of RAM at a time and plenty of CPU, and because the problem literally shows itself only when loving around with streaming content via flash objects in a web browser.

kastein fucked around with this message at 09:20 on Nov 10, 2011

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Just came across MaxSS today. Also known as "You got your TDSS in my Max++", the removal for it was *really* easy compared to previous infections. This guy had full administrative rights on his machine, TDLFS, a Pmax.gen infected driver and the VBR infection in the MBR (Rootkit.boot.SST.b). I'm not sure if the latest update to TDSSKiller made it more effective or what, but it was definitely less painful to remove. It did corrupt the user's McAfee VSE 8.7 install, though; I had to remove it entirely and install 8.8 to get the On Access Scan running again.

Also I had no idea but they updated Unhide.exe so that it not only unhides everything but locates the %USERPROFILE%\Local Settings\Temp\smtmp folder and then copies all of the shortcuts and files back to their respective locations. I was extremely happy to see that.

The FakeAlert that dropped it was something other than Sysdef.b this time, though, and it has some annoying features that Sysdef didn't have before. It added rules to the Explorer registry area in HKCU to hide My Computer, Control Panel, Run, Search, Network Places, pretty much the whole shebang.


edit: Crappy detections all around for this one too. McAfee, oddly enough, detects the two FakeAV parts, but the first one, Ga46644e.exe, is unknown to it (suspecting this is the Rootkit.boot.SST.b dropper, but I need to test to see).
File name: Ga46644e.exe
Submission date: 2011-11-11 23:00:31 (UTC)
Result: 5/ 43 (11.6%)
http://www.virustotal.com/file-scan/report.html?id=b5211d8e667d245023a47315df3a2efacb8beaa90d30817e754a228c6c756e0d-1321052431

File name: EMcGxdUaDTp.exe
Submission date: 2011-11-11 21:18:23 (UTC)
Result: 11 /43 (25.6%)
http://www.virustotal.com/file-scan/report.html?id=c11b20e11f50a731640628ae29a01250318ba9e4547d9cd1cb027245e0993fbe-1321046303

File name: 7Ij2m4yKwDxnOR.exe
Submission date: 2011-11-11 23:03:39 (UTC)
Result: 5/ 43 (11.6%)
http://www.virustotal.com/file-scan/report.html?id=80b45080c9c2c807bb5d4a1e9750bc3ffe14b48bb35ce2e82f2c7e398c6f74db-1321052619

Hex Darkstar fucked around with this message at 00:50 on Nov 12, 2011

Oddhair
Mar 21, 2004

I've now got two machines redirecting search results in all browsers to either 63.209.69.107 or get-answers-fast.com. I'm having a hell of a time finding it. MBAM won't find anything, MSE won't, nothing stands out in ProcExp, TDSSKiller finds nothing wrong. Periodically it even stops redirecting for a little while.

Anyone seen this lately? I also heard one of them was randomly playing music when the browser was open, and I've only seen that here once before.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
It wasn't hit with some kind of DNS-changing malware, was it? I've come across a few infections that actually modify the DNS server information to redirect users to malicious DNS servers.

If not, it could be a new variant of the TDL code; there have been rumors and some confirmations that TDL-based rootkit variants are coming out that aren't being maintained by the original authors of the TDL family. BitDefender Labs has a few examples of this up.

If possible have you tried the FixTDSS tool that Symantec has? In cases where TDSSKiller fails the Symantec one seems to work which is odd because it is kind of crappy compared to TDSSKiller.

Oddhair
Mar 21, 2004

I just ran MS System Sweeper and it found some corrupt JAR files on the Vista machine in %appdata%\local\temp\java_[long numeric string here].tmp and ion.class in one of the temp files.

I'm going to reboot this one and poke around some more, but the other machine is a higher-up's and he's got way more important stuff on there than this user, and MS System Sweeper wouldn't run on his machine, though I haven't disabled the floppy yet, which seems to help with the errors I've been seeing.

gruvmeister
Dec 28, 2006

Spring has sprung,
The grass has riz,
I wonder where the flowers is
Ya, check your DNS entries and be sure to check the HOSTS file too. It's an old trick, but I still see it from time to time. Just saw one yesterday that had been modified, and the sneaky fucker that did it put about fifty blank lines after the default localhost entry before adding its garbage entries. I almost didn't catch it but then I saw the vertical scrollbar right as I was going to click on the close button.
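The padding trick described in the post above (dozens of blank lines after the stock localhost entries so the injected lines sit below the visible window) is easy to miss by eye but trivial to catch by parsing the file. The script below is an added example, not something posted in the thread: it parses a HOSTS file, separates redirects (real hostnames sent to a remote address) from sinkholes (hostnames pinned to loopback or 0.0.0.0, the usual way fake AV blocks vendor and update sites), and reports the largest blank gap between entries. The sample file, the 198.51.100.7 address (a TEST-NET-2 documentation address) and the hostnames in it are constructed for the example.

```python
"""Audit a Windows HOSTS file for injected redirect or sinkhole entries."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample, not a capture from an infected machine: the stock
# header and localhost lines, then 50 blank lines of padding before the
# injected entries, mimicking the trick described in the thread.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    + "\n" * 50
    + "198.51.100.7    www.google.com\n"
    "198.51.100.7    www.bing.com   search.yahoo.com\n"
    "127.0.0.1       www.microsoft.com\n"
    "0.0.0.0         update.avg.com   # keep the AV from updating\n"
)

COMMENT_RE = re.compile(r"#.*$")


def parse_hosts(text: str) -> List[Dict]:
    """Return one record per (address, hostname) pair with its 1-based line number."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue                      # blank or comment-only line
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # column one is not an address; skip the line
        for host in fields[1:]:
            records.append({"line": lineno, "ip": ip, "host": host.lower()})
    return records


def audit_hosts(text: str, gap_threshold: int = 10) -> Dict:
    """Flag every mapping that is not the stock localhost entry.

    redirects: hostnames sent to a remote address (search/bank hijacks)
    sinkholes: hostnames pinned to loopback or 0.0.0.0 (vendor/update blocking)
    max_gap:   largest run of blank or comment-only lines between two entries
    padded:    True when that gap is large enough to push entries off-screen
    """
    report = {"redirects": [], "sinkholes": [], "max_gap": 0, "padded": False}
    prev_line = None
    for rec in parse_hosts(text):
        if prev_line is not None:
            report["max_gap"] = max(report["max_gap"], rec["line"] - prev_line - 1)
        prev_line = rec["line"]
        ip = rec["ip"]
        if rec["host"] == "localhost" and ip.is_loopback:
            continue                      # the two default entries
        entry = {"line": rec["line"], "host": rec["host"], "ip": str(ip)}
        if ip.is_loopback or ip.is_unspecified:
            report["sinkholes"].append(entry)
        else:
            report["redirects"].append(entry)
    report["padded"] = report["max_gap"] >= gap_threshold
    return report


if __name__ == "__main__":
    # On a live box read r"C:\Windows\System32\drivers\etc\hosts" instead.
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"padding gap: {result['max_gap']} lines (padded={result['padded']})")
    for kind in ("redirects", "sinkholes"):
        for e in result[kind]:
            print(f"{kind[:-1]:9s} line {e['line']:>4}: {e['host']} -> {e['ip']}")
```

The gap measurement is the useful part: a legitimate HOSTS file on a managed machine has at most a handful of lines between entries, so a gap of dozens of lines is itself an indicator even before looking at what the entries map to.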

Serfer
Mar 10, 2003

The piss tape is real



gruvmeister posted:

Ya, check your DNS entries and be sure to check the HOSTS file too. It's an old trick, but I still see it from time to time. Just saw one yesterday that had been modified, and the sneaky fucker that did it put about fifty blank lines after the default localhost entry before adding its garbage entries. I almost didn't catch it but then I saw the vertical scrollbar right as I was going to click on the close button.

I have a user with a similar problem. No hosts file mods, no changed DNS, no proxy. I have no idea what is causing it.

Impotence
Nov 8, 2010
Lipstick Apathy

Serfer posted:

I have a user with a similar problem. No host file mods, no changed dns, no proxy I have no idea what is causing it.
had a few things with nasty rootkits on them - changes to the routing table / gateways / whatever to make another host receive traffic...

like you would nslookup paypal.com, get the correct IP verifiable with google or something, but actually visiting on that system would send it to some random baltic network

PopeOnARope
Jul 23, 2007

Hey! Quit touching my junk!
If the router's not hosed, and it doesn't have a rootkit, you'll want to run combofix on machines that do that.

The worst I ever got was a system which scanned clean to everything - MBAM, SAS, Hitman, TDSSKiller, yet would redirect links clicked in Google. Worst part is, that it did it in every browser. At least combofix sorted it out.

Impotence
Nov 8, 2010
Lipstick Apathy

PopeOnARope posted:

If the router's not hosed, and it doesn't have a rootkit, you'll want to run combofix on machines that do that.

The worst I ever got was a system which scanned clean to everything - MBAM, SAS, Hitman, TDSSKiller, yet would redirect links clicked in Google. Worst part is, that it did it in every browser. At least combofix sorted it out.
Don't forget browser plugins, browser addons (separate in firefox)

IIRC there are some things that also impersonate DHCP servers and hijack DNS to a 192.168.x IP which is a proxy for an actual malicious DNS server, so it looks like it's on the LAN instead of a random Russian IP.
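Both hijacks described in the last few posts (a changed resolver, and a rogue DHCP server that hands out a LAN-looking address that proxies to a malicious resolver) show up in `ipconfig /all` output if you know what the machine is supposed to have. The script below is an added example, not from the thread: it parses saved `ipconfig /all` output into per-adapter fields, handling the continuation lines Windows uses for multiple DNS servers, and compares the DHCP server and resolvers against what the network should be handing out. The sample output, the `WKS-042` host, the 192.168.1.x addresses and 198.51.100.23 (a TEST-NET-2 documentation address) are constructed for the example; the expected-server sets are assumptions you would replace with your own network's values.

```python
"""Audit saved `ipconfig /all` output for DHCP and DNS hijacking."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `ipconfig /all` output, not a real capture.
# The box got its lease from 192.168.1.66 instead of the gateway, and that host
# is also listed as a resolver ahead of an outside address.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WKS-042
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.66
   DNS Servers . . . . . . . . . . . : 192.168.1.66
                                       198.51.100.23
"""

# "   Key . . . . : value"; the key stops before the dot leader and colon.
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][^:]*?)[ .]+:\s?(?P<val>.*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _clean(value: str) -> str:
    """Drop trailing qualifiers such as '(Preferred)'."""
    return re.sub(r"\(\w+\)$", "", value.strip())


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map section/adapter name -> field name -> list of values."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():              # unindented: section or adapter header
            name = re.sub(r"^\w+ adapter ", "", raw.rstrip().rstrip(":"))
            current = sections.setdefault(name, {})
            last_key = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(raw)
        if m:
            last_key = m.group("key").strip()
            current.setdefault(last_key, [])
            if m.group("val").strip():
                current[last_key].append(_clean(m.group("val")))
        elif last_key is not None:            # indented continuation, e.g. 2nd DNS server
            current[last_key].append(_clean(raw))
    return sections


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit_adapter(cfg: Dict[str, List[str]], expected_dhcp: Set[str],
                  allowed_dns: Set[str]) -> List[Tuple[str, str]]:
    """Return (finding, address) pairs for anything outside the expected set."""
    findings = []
    for server in cfg.get("DHCP Server", []):
        if server not in expected_dhcp:
            findings.append(("rogue_dhcp", server))
    for server in cfg.get("DNS Servers", []):
        if server in allowed_dns:
            continue
        try:
            lan = is_rfc1918(server)
        except ValueError:
            findings.append(("unparseable_dns", server))
            continue
        # A private address that is not the sanctioned resolver is the
        # "looks like it's on the LAN" proxy pattern; a public one is a
        # straight DNS changer.
        findings.append(("lan_dns_proxy" if lan else "external_dns", server))
    return findings


def audit_ipconfig(text: str, expected_dhcp: Set[str],
                   allowed_dns: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    report = {}
    for name, cfg in parse_ipconfig(text).items():
        found = audit_adapter(cfg, expected_dhcp, allowed_dns)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    # Assumed network: the gateway hands out leases and is the only resolver.
    for adapter, found in audit_ipconfig(SAMPLE_IPCONFIG, {"192.168.1.1"}, {"192.168.1.1"}).items():
        for kind, addr in found:
            print(f"{adapter}: {kind} {addr}")
```

Run it against `ipconfig /all > ipconfig.txt` from the affected machine and from a known-good one on the same segment; a DHCP server address that differs between the two is the rogue-DHCP case, and it tells you which LAN host to go look at.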

Dbhjed
Jul 20, 2006

Homework?!
Lipstick Apathy
YAY!!!

Hardware firewall, AVG Anti-virus, Windows updates once a week, making sure everything is up to date, using Firefox, and using Ad-block STILL didn't keep my gf from getting "AV Protection 2011" installed on her laptop. She was doing so well, 2 years virus/malware free. From the looks of things posted on the internet this program is only a day or two old.

At least I know how I am going to start my Saturday morning...

Agreed
Dec 30, 2003

The price of meat has just gone up, and your old lady has just gone down

Bad news, AVG Antivirus kind of sucks lately. Been going downhill for two years, it's basically in the "pointless bloatware" category now. Better off with MSE, though MSE ain't great, it is free.

Dbhjed
Jul 20, 2006

Homework?!
Lipstick Apathy

Agreed posted:

Bad news, AVG Antivirus kind of sucks lately. Been going downhill for two years, it's basically in the "pointless bloatware" category now. Better off with MSE, though MSE ain't great, it is free.

HOLY CRAP!!! MSE did the job really well. I love how, even though the spyware program was blocking exes, MSE just busted through it: installed, scanned and removed.

teknetik
Jan 13, 2010

SO
JEWISH
Got hit with the AV Protection 2011 virus a few hours ago. Just visited a streaming site that I usually never have a problem with. What the gently caress.

Megiddo
Apr 27, 2004

Unicorns bite, but their bites feel GOOD.
Have you implemented the TrueType font embedding vulnerability workaround?

1st_Panzer_Div.
May 11, 2005
Grimey Drawer

teknetik posted:

Got hit with the AV Protection 2011 virus a few hours ago. Just visited a streaming site that I usually never have a problem with. What the gently caress.

My family computer got hit with this poo poo as well. It disabled AVG and has raped the computer in the rear end. Probably didn't help that my parents put their credit card info in and "bought" the virus, and then let it "scan" the computer for 2 hours.

Anyone here remove it successfully?

Edit Wow my reading sucks in the morning apparently, it's even talked about on the same page. Trying MSE now.

1st_Panzer_Div. fucked around with this message at 19:29 on Nov 19, 2011

NickBlasta
May 16, 2003

Clearly their proficiency at shooting is supernatural, not practical, in origin.

1st_Panzer_Div. posted:

My family computer got hit with this poo poo as well. It disabled AVG and has raped the computer in the rear end. Probably didn't help that my parents put their credit card info in and "bought" the virus, and then let it "scan" the computer for 2 hours.

Anyone here remove it successfully?

Edit Wow my reading sucks in the morning apparently, it's even talked about on the same page. Trying MSE now.

Time to cancel that card.

Dbhjed
Jul 20, 2006

Homework?!
Lipstick Apathy

teknetik posted:

Got hit with the AV Protection 2011 virus a few hours ago. Just visited a streaming site that I usually never have a problem with. What the gently caress.

I think that is how my GF picked hers up as well, as much as I insist to her about not going on those sites (as well as having a Hulu+ and Netflix sub) she still does it. The best part was the main thing MSE picked up was a Divx program.

I am also sure people will be getting this "AV Protection 2011" in the next few days, since it seems the only thing that is picking it up right now (or working when you get it) is MSE, and who would think that Microsoft would actually make a FREE program that works well and isn't a steaming piece of crap.

BabyRyoga
May 21, 2001

THUNDERDOME LOSER 2021
About 15 min ago, my comp locked up and went to a black screen. When I rebooted, it was installing some Windows (7) updates to a bunch of registry files before getting into windows, at which point it rebooted completely again. Then it was "Configuring windows, don't turn your computer off" when it actually got to the login screen. I find this weird because I have automatic updates turned off, and haven't checked for/installed any updates in months according to windows update. This isn't some kind of sophisticated new virus that forces fake updates to install, is it?

Nintendo Kid
Aug 4, 2011

by Smythe

BabyRyoga posted:

I have automatic updates turned off, and haven't checked for/installed any updates in months according to windows update.

This is the best way to get infected you know that right?

BabyRyoga
May 21, 2001

THUNDERDOME LOSER 2021

Install Gentoo posted:

This is the best way to get infected you know that right?

It probably doesn't help with anything related to vulnerabilities, but I am usually extremely careful otherwise and constantly scan with multiple programs. I had a problem with updates screwing stuff up earlier on in Win7's life cycle, so I stopped installing them for a while. I bet all the kinks have worked out since then, so I can probably go and install a bunch right now.

But, I am curious about the stealth updating it just did. Very suspicious.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.

Dbhjed posted:

I am also sure people will be getting this "AV Protection 2011" in the next few days, since it seems the only thing that is picking it up right now (or working when you get it) is MSE, and who would think that Microsoft would actually make a FREE program that works well and isn't a steaming piece of crap.

I am curious to see what my ticket queue looks like on Monday. Usually get a bunch of tickets when something like this comes out over a weekend. People working from home browsing off network without websense filtering malicious urls :/ Oh well it keeps me employed and honestly spending a few hours cleaning up infections isn't that bad of a day in the grand scheme of things.

Nam Taf
Jun 25, 2005

I am Fat Man, hear me roar!

BabyRyoga posted:

I had a problem with updates screwing stuff up earlier on in Win7's life cycle, so I stopped installing them for a while.

Don't do this. Fix the problem at the time, don't just stop installing updates. That's stupid.

Dbhjed
Jul 20, 2006

Homework?!
Lipstick Apathy

Hex Darkstar posted:

I am curious to see what my ticket queue looks like on Monday. Usually get a bunch of tickets when something like this comes out over a weekend. People working from home browsing off network without websense filtering malicious urls :/ Oh well it keeps me employed and honestly spending a few hours cleaning up infections isn't that bad of a day in the grand scheme of things.

If you can, just install MSE. I am still amazed at how this thing works :) I installed some nasty viruses on an old laptop and some good spyware and it wiped them all out, no issues. I really love that even if the program blocks the EXE file, it still opens. It is like Robocop.

RickVoid
Oct 21, 2010
Came here to thank you guys. I had AV Protection 2011 loving up my system (and apparently a goddamn rootkit and 5 GB worth of other garbage) and the ComboFix program mentioned earlier in the thread wiped it all out. I was going to have to buy a new PC; now I don't have to.

Thanks again!

Hex Darkstar
May 28, 2004

I think I need another liver transplant.

RickVoid posted:

I had AV Protection 2011 loving up my system (and apparently a goddamn rootkit

Really hoping whatever dropped the fake AV Protection software didn't also drop the rootkit. Did it say what the rootkit's name was by chance?

RickVoid
Oct 21, 2010

Hex Darkstar posted:

Really hoping whatever dropped the fake AV Protection software didn't also drop the rootkit. Did it say what the rootkit's name was by chance?

I really wish I had that for you. All I remember is ComboFix saying that it found a rootkit and that it would take the program a little longer to run. Any idea if that program drops a log anywhere? I could look for it sometime over the next few days. I'm running xp if that helps you tell me where to look.

Seriously, that fake anti-virus is a bitch. Stops me from running Task Manager, Windows Explorer, hijacks my browser, and blocks my anti-virus stuff. Not to mention its obnoxious and obviously fake messages. Anything I can do to help you guys learn about this thing, lemme know. Wish I could shoot its programmer in the loving head. Ugh.

FronzelNeekburm
Jun 1, 2001

STOP, MORTTIME
It should be in C:\ComboFix.txt

Ghost Mutt
May 10, 2009
I remember talking to a co-worker about this a few weeks ago when I had a bunch of ZeroAccess infections. I said we should just fire me and train a monkey who can run ComboFix. God-drat I love that program.

(ZeroAccess has since become more annoying and usually requires kernel-level unhooking before you can run any tools over it - suck that, monkey!)

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Yeah, for a bit ZeroAccess wasn't too difficult to work with, although a recent version I've come across makes it look like ComboFix is running, but after it finishes its install/extraction process nothing happens and the files it put on the machine were completely gone :iiam:

Time to go into the office and see how many FakeAlert AV tickets I've got :v:

RickVoid
Oct 21, 2010

FronzelNeekburm posted:

It should be in C:\ComboFix.txt

Yeah. I don't have that.

Now's probably a good time to mention that I let it sit for three hours after it stopped doing anything during the deletion phase, checked task manager, saw that it wasn't showing any activity, and killed the window, right?

And now the reaming will begin. The computer still boots and runs programs, I'm pretty sure I didn't hurt it.

bbcisdabomb
Jan 15, 2008

SHEESH

RickVoid posted:

Yeah. I don't have that.

That would mean Combofix didn't complete fully.

RickVoid posted:

Now's probably a good time to mention that I let it sit for three hours after it stopped doing anything during the deletion phase, checked task manager, saw that it wasn't showing any activity, and killed the window, right?

Yep, that's combofix. It's the only program I've ever used that will take overnight to compile a loving plaintext report.

RickVoid posted:

And now the reaming will begin. The computer still boots and runs programs, I'm pretty sure I didn't hurt it.

Try grabbing Rkill (I use the one packed as iexplore.exe, personally) and run that, then the latest version of ComboFix overnight. If it still hasn't generated a log file overnight, then you're no worse off. If it doesn't fix your problem, it's time to start checking pre-Windows poo poo.


Dilbert As FUCK
Sep 8, 2007

by Cowcaster
Pillbug

Hex Darkstar posted:

Yeah, for a bit ZeroAccess wasn't too difficult to work with, although a recent version I've come across makes it look like ComboFix is running, but after it finishes its install/extraction process nothing happens and the files it put on the machine were completely gone :iiam:

Time to go into the office and see how many FakeAlert AV tickets I've got :v:

Hitman Pro is a good one to run if ComboFix just doesn't run for some reason.
