
Hex Darkstar posted:
Not that anyone should use CNet to download files to begin with, but it looks like they're packaging legit software with toolbars and changing the default search engine and home page to Bing/MSN.

Download.com has been slipping for a long time, and they used to be my go-to for safe freeware too.

Posted Dec 7, 2011 01:25

Seriously? They can't patch it because of a feature they built in? I guess I shouldn't be surprised since it's Adobe, but still...

Posted Dec 7, 2011 03:21

What the hell is wrong with Adobe?

Posted Dec 7, 2011 03:41

It looks like there is a virus on one of the banner ads on SA... I really wonder if that is where I got it from...

Posted Dec 8, 2011 01:03

Sure could be. More than half a dozen times I've seen MSE pop up to say that it's found Trojan.JS/Redirector.HQ in AppData\Local\Google\Chrome\<user>\Default\Archived History-journal. This only happens when on SA. Yesterday it wouldn't act on it while Chrome was running and would only do so on restart...

Posted Dec 8, 2011 03:27

Any way to identify what ad or site it is trying to send you to?

edit: After refreshing SA for a bit it looks like hxxp://obevdo.com/news was triggering a warning from Kaspersky. When I browse to it in a VM it tries to trigger some Java scripting; the VM doesn't have any installed, so the page never loads. Gonna install Java and see what happens.

(Hex Darkstar fucked around with this message at 04:24 on Dec 8, 2011)

Posted Dec 8, 2011 03:35

Hex Darkstar posted:
Any way to identify what ad or site it is trying to send you to?

Mine was trying to go to hxxp://obevdo.com/content/v1.jar (removed anything to make it unclickable).

(TLG James fucked around with this message at 16:04 on Dec 8, 2011)

Posted Dec 8, 2011 04:13

Looks like we have our culprit; edited what I found into my post above yours. I couldn't see the ad that was doing it, though, because Kaspersky blocked it from loading.

Posted Dec 8, 2011 04:16

I'm really starting to love that "delete desktop+documents" virus. The one virus that people can instantly tell is on their system, and can instantly tell when you've fixed it.

Posted Dec 8, 2011 19:05

So I got an alert from campus security that a director's laptop has a rootkit (no more information than that; they probably detected some questionable traffic). It's a Sony, so doing a clean install is a pain in the rear end with all their poo poo software. Is it OK to use the recovery partition, or should I assume that that is compromised as well?

Posted Dec 8, 2011 20:23

I'd say it depends on the rootkit and what is contained within the recovery partition. If it is just a fresh image of the OS then chances are it is untouched by the rootkit; I don't think I've seen anything about malware attaching itself to those. If it is MaxSS or a variant of TDL there may be a hidden partition on the drive that you'll want to clean before you go about reloading the OS, though; otherwise you may end up with a reinfected install even after a full reload.

edit: You can probably run TDSSKiller to determine what the infection is, assuming it doesn't terminate it before it can launch. You might even be able to clean it, but the only way to be sure is to blast the OS install and start fresh, to be honest.

Posted Dec 8, 2011 21:01

Hex Darkstar posted:
I'd say it depends on the rootkit and what is contained within the recovery partition. If it is just a fresh image of the OS then chances are it is untouched by the rootkit; I don't think I've seen anything about malware attaching itself to those. If it is MaxSS or a variant of TDL there may be a hidden partition on the drive that you'll want to clean before you go about reloading the OS, though; otherwise you may end up with a reinfected install even after a full reload.

Well, ran TDSSKiller and told it to scan for unsigned devices and hidden partitions; all it found was two unsigned files relating to Symantec, so I'm going to assume I'm in the clear but restore to factory defaults just to be safe.

Posted Dec 8, 2011 22:05

RichieWolk posted:
I'm really starting to love that "delete desktop+documents" virus. The one virus that people can instantly tell is on their system, and can instantly tell when you've fixed it.

Well, there's the one that hides *everything* and resets permissions on stuff in C:\ProgramData, which can really gently caress things over. When I encounter this virus, it's wipe and reinstall time no matter what. But there's also the one that just hides the desktop and documents. When I've encountered it, it hasn't even required ComboFix, just:
1) Scan with MSSS
2) There is no step 2.
It's the easiest virus I've seen in ages.

Posted Dec 8, 2011 22:32

FISHMANPET posted:
Well, ran TDSSKiller and told it to scan for unsigned devices and hidden partitions; all it found was two unsigned files relating to Symantec, so I'm going to assume I'm in the clear but restore to factory defaults just to be safe.

Sounds like a good idea. One of the other things that I've actually had companies/banks call and inform us about is ZeuS (ZBot) and SpyEye (EyeStye/Pincav) infections, as they tend to closely track C&C server addresses and monitor for their traffic. That might be the suspicious traffic they've seen; if it was SpyEye or ZeuS, a reload probably is for the best anyways. Easy to clean, but when it comes to password/banking theft trojans it is way better safe than sorry.

Posted Dec 8, 2011 22:58

Did a virus removal for a family friend tonight: ZeroAccess, as I thought. Machine was a complete mess: 5 different trojans + the rootkit infection, which occurred due to a Flash update + msimg32.dll (ZAccess dropper) being present. I didn't know this, of course, until I went to update the person's Adobe Reader from 8.1.4 to Reader X; when the installer faulted on MSIMG32.dll I facepalmed, thinking that I had just reinfected the machine. Luckily it looks like it has to be the Flash Player install to trigger it. Java was out of date along with Flash and Reader; it's a wonder more malware wasn't on there.

Posted Dec 10, 2011 04:43

Hex Darkstar posted:
Did a virus removal for a family friend tonight: ZeroAccess, as I thought. Machine was a complete mess: 5 different trojans + the rootkit infection, which occurred due to a Flash update + msimg32.dll (ZAccess dropper) being present. I didn't know this, of course, until I went to update the person's Adobe Reader from 8.1.4 to Reader X; when the installer faulted on MSIMG32.dll I facepalmed, thinking that I had just reinfected the machine. Luckily it looks like it has to be the Flash Player install to trigger it. Java was out of date along with Flash and Reader; it's a wonder more malware wasn't on there.

Up-to-date Reader probably wouldn't have done much.

Posted Dec 10, 2011 04:49

From what I gathered from the Adobe posts and other security articles regarding that flaw, Reader X with the secure/safe mode enabled would prevent the exploit from successfully running. Not sure if that is the whole truth, but at least they're better off having Reader X in the long run.

Posted Dec 10, 2011 04:54

gently caress YOU JAVA!!! I've had absolutely no virus problems for years until I was forced by my university to install Java in order to get their piece of poo poo academic website working. I even went ahead and downloaded the most recent version from the Java website instead of the outdated one offered by the uni. And of course this happens... How the gently caress does Java get exploited out the rear end? It seems to be the most massively hosed with piece of poo poo software on the planet.

Posted Dec 11, 2011 09:54

Avalanche posted:
gently caress YOU JAVA!!!

It is, which is why you should use NoScript and only enable Java on the websites you need it on; you could also use 2 browsers, or 2 copies of the same one, if you hate NoScript that much. I too hate Java, but people use it and I don't think much is going to replace it. I mean, it's like how Windows is a large target because most people use it, and how IE was a large target because most people used it. Now browsers are a bit more split, but they all use Java, so that is targeted. It makes sense from the perspective of the person making the malware: find a bug in Java or Flash (or Acrobat Reader) and drop your poo poo.

Posted Dec 11, 2011 10:00

Also note that Oracle rarely issues out-of-band updates for known vulnerabilities in Java, so you usually have to wait for the quarterly update for them to be patched. So the latest version of Java isn't exactly something to trust either.

Posted Dec 11, 2011 19:12

This ad network hijacking bullshit is awful; my boss visits two websites ever and he got hit with "Win 7 Antivirus 2012" today. Probably from the ad reel on the page he streams radio from. Symantec AV was of course totally silent on the issue.

Posted Dec 12, 2011 23:44

I am seeing a lot of machines lately that get hit with fake AV also getting hit with an attempt to install ZeroAccess using the msimg32.dll method I mentioned in the past few posts. It's gotten to the point where I've added a blocking rule in our AV to delete it from %USERPROFILE%\AppData\Local\Temp and %USERPROFILE%\Local Settings\Temp just as it is created. I can see it on some machines that never even got infected; it is just sitting there on the hard drive doing nothing. Luckily it relies on the Flash Player "upgrade" to execute, so if the user doesn't have admin rights the rootkit never makes it onto the machine. That is the one thing that saved my rear end up until now.

Posted Dec 13, 2011 00:02
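
For anyone who wants to hunt for the planted DLL described in the two posts above without an AV rule, here is an added example (not the poster's rule, not part of the thread's toolkit). A copy of msimg32.dll sitting in a user's Temp folder has no legitimate reason to exist; the behaviour described (an installer run from Temp faulting on MSIMG32.dll) is consistent with DLL search-order hijacking, where a program that loads the DLL by name picks up the copy beside it before the real one in System32. The script walks the two Temp path patterns named in the post, hashes each hit against the System32 copy, prints its Authenticode status, and with the assumed -Quarantine switch moves it aside under an assumed C:\Quarantine folder with a non-executable extension.

```powershell
# Added example, not the poster's AV rule: hunt for msimg32.dll planted in
# user Temp folders, compare each copy against the System32 original and
# optionally quarantine it. Assumptions: the two Temp path patterns from the
# post, and C:\Quarantine as the holding area.
param([switch]$Quarantine)   # assumed switch; without it the script only reports

$ErrorActionPreference = 'SilentlyContinue'

# Temp locations named in the post: Vista/7 profiles and XP profiles.
$tempRoots = @(
    (Join-Path $env:SystemDrive 'Users\*\AppData\Local\Temp'),
    (Join-Path $env:SystemDrive 'Documents and Settings\*\Local Settings\Temp')
)
$systemCopy    = Join-Path $env:SystemRoot 'System32\msimg32.dll'
$quarantineDir = Join-Path $env:SystemDrive 'Quarantine'   # assumed location

function Get-Sha256Hex([string]$Path) {
    # SHA-256 of a file as uppercase hex. Uses .NET directly so it also works
    # on PowerShell 2.0, which predates Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally {
        $sha.Clear()
    }
}

$referenceHash = Get-Sha256Hex $systemCopy
Write-Output "Reference System32 copy: $referenceHash"

# Wildcards in the profile component let one call cover every user on the box.
$hits = foreach ($root in $tempRoots) {
    Get-ChildItem -Path $root -Filter 'msimg32.dll' -Recurse -Force
}

if (-not $hits) {
    Write-Output 'No msimg32.dll found in any Temp folder.'
    return
}

foreach ($file in $hits) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = Get-Sha256Hex $file.FullName
    $same = if ($hash -eq $referenceHash) { 'matches System32' } else { 'DIFFERENT from System32' }
    Write-Output ("{0}`n  size={1} signature={2} sha256={3} ({4})" -f
        $file.FullName, $file.Length, $sig.Status, $hash, $same)

    if ($Quarantine) {
        if (-not (Test-Path -LiteralPath $quarantineDir)) {
            New-Item -ItemType Directory -Path $quarantineDir | Out-Null
        }
        # Rename to .bin so nothing can load it by its DLL name again.
        $dest = Join-Path $quarantineDir ($file.Name + '.' + (Get-Date -Format 'yyyyMMddHHmmss') + '.bin')
        Move-Item -LiteralPath $file.FullName -Destination $dest -Force
        Write-Output "  moved to $dest"
    }
}
```

Run it from an elevated prompt so other users' profiles are readable. Two caveats: the location is the tell, not the signature status, because Microsoft's own msimg32.dll is catalog-signed rather than embedded-signed and can itself report NotSigned; and, as the post says, a hit means a dropper was staged, not that the rootkit installed, so the machine still deserves a rootkit scan rather than being declared clean once the file is gone.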

Caught a whole metric fuckton of poo poo from bad SA banner ads, but MSE was killing it no problem. Then I got whacked with one of those silly fake A/Vs. Not too difficult usually... but this time it hosed my executable associations and apparently perma-broke Windows Firewall and a bunch of other stuff like IPSec. Gonna end up doing a reload this weekend, god dammit.

Posted Dec 13, 2011 03:31

Wonder_Bread posted:
Then I got whacked with one of those silly fake A/Vs. Not too difficult usually... but this time it hosed my executable associations and apparently perma-broke Windows Firewall and a bunch of other stuff like IPSec. Gonna end up doing a reload this weekend, god dammit.

Seriously, I haven't had to do a clean format from a virus in probably a decade. No .exe would even run. This latest fake AV is the worst one I've seen, as it immediately and completely trashed my entire OS.

Posted Dec 13, 2011 03:54

I got the executable associations fixed up real easy. I keep a copy of the registry keys relating to executable associations for exactly this reason at work. To be honest, I didn't even think of checking the firewall/other stuff till a coworker got hit as well and mentioned he did a reload 'cause it also hosed a bunch of other poo poo.

Posted Dec 13, 2011 04:03

Zogo posted:
Seriously, I haven't had to do a clean format from a virus in probably a decade. No .exe would even run. This latest fake AV is the worst one I've seen, as it immediately and completely trashed my entire OS.

This is somewhat recoverable from if you actually feel like putting the effort in. Apparently .exe is just another association, like doc->winword.exe.

Posted Dec 13, 2011 04:26

Exe fix: http://www.raktor.net/exeHelper/exeHelper.com

That file will search for known processes for fake AV families like Sysguard etc., as well as repair your .exe extension. I ran into the same one earlier today; I ended up having to load up Terminal Services on their Win 7 load and log into their machine that way, because they couldn't launch Communicator or Internet Explorer to let me remote out.

(Hex Darkstar fucked around with this message at 16:42 on Dec 13, 2011)

Posted Dec 13, 2011 04:38
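
The three posts above all turn on the same fact: .exe is an ordinary file association, so a fake AV running as a normal user can point it at itself. Here is an added example of what "keeping a copy of the registry keys" amounts to in practice; it is not exeHelper and not any poster's script. It assumes the stock values for Windows XP through 7 (HKCR\.exe defaulting to exefile, and exefile\shell\open\command defaulting to "%1" %*), and an assumed -Repair switch; without the switch it only reports what double-clicking an .exe will currently launch.

```powershell
# Added example, not Hex Darkstar's exeHelper: audit the .exe association
# that fake-AV families hijack and, with -Repair, restore the stock values.
# Assumed stock values (Windows XP through 7 defaults):
#   HKCR\.exe                        (Default) = exefile
#   HKCR\exefile\shell\open\command  (Default) = "%1" %*
param([switch]$Repair)   # assumed switch; without it the script only reports

$expectedProgId  = 'exefile'
$expectedCommand = '"%1" %*'

# HKCR is a merged view: per-user keys under HKCU\Software\Classes override
# the machine-wide keys under HKLM\Software\Classes. That is why a fake AV
# running as a plain user can hijack every .exe launch for that user.
$userExeKey     = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
$userExefileKey = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile'
$machineExeKey  = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\.exe'
$machineCmdKey  = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command'

function Get-RegDefault([string]$Key) {
    # (Default) value of a key, or $null when the key does not exist.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-Item -LiteralPath $Key).GetValue('')
}

function Test-ExeAssociation {
    # Resolves what the shell will actually run for an .exe right now.
    $progId = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\.exe'
    $cmd    = if ($progId) { Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" } else { $null }
    New-Object PSObject -Property @{
        ProgId       = $progId
        Command      = $cmd
        UserOverride = (Test-Path -LiteralPath $userExeKey) -or (Test-Path -LiteralPath $userExefileKey)
        Healthy      = ($progId -eq $expectedProgId) -and ($cmd -eq $expectedCommand)
    }
}

$before = Test-ExeAssociation
Write-Output ("Effective .exe ProgId : {0}" -f $before.ProgId)
Write-Output ("Effective command     : {0}" -f $before.Command)
Write-Output ("Per-user override     : {0}" -f $before.UserOverride)
Write-Output ("Healthy               : {0}" -f $before.Healthy)

if ($before.Healthy) { return }
if (-not $Repair) {
    Write-Warning 'Association is hijacked; rerun with -Repair to restore it.'
    return
}

# 0. Stop whatever the hijacked command launches first, otherwise the fake AV
#    reasserts the keys as fast as they are removed. The malware binary is the
#    first token of the hijacked command, quoted or not.
if ($before.Command -match '^\s*"([^"]+)"|^\s*(\S+)') {
    $hijacker = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
    Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $hijacker) } | ForEach-Object {
        Write-Output ("Stopping PID {0} ({1})" -f $_.Id, $_.Path)
        Stop-Process -Id $_.Id -Force
    }
}

# 1. Remove the per-user overrides so the machine-wide keys are visible again.
foreach ($key in @($userExeKey, $userExefileKey)) {
    if (Test-Path -LiteralPath $key) { Remove-Item -LiteralPath $key -Recurse -Force }
}

# 2. Reassert the machine-wide stock values (needs an elevated prompt).
New-Item -Path $machineCmdKey -Force | Out-Null
Set-Item -LiteralPath $machineExeKey -Value $expectedProgId
Set-Item -LiteralPath $machineCmdKey -Value $expectedCommand

$after = Test-ExeAssociation
Write-Output ("After repair: {0} -> {1} (healthy={2})" -f $after.ProgId, $after.Command, $after.Healthy)
```

Because the hijack intercepts every .exe launched through the shell, including powershell.exe, start the script from somewhere the hijack does not reach: another account whose HKCU is clean (which is what remoting in via Terminal Services as a different admin achieves), Safe Mode with Command Prompt, or a tool shipped as .com, which is exactly why exeHelper is distributed that way. Step 2 silently fails without elevation, so check the final "healthy=" line rather than assuming the repair took.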

Just going to throw this out there, but would anyone be opposed to me making a new thread, same topic but with an OP that has some troubleshooting/common problems/scanners/etc.?

Posted Dec 13, 2011 21:56

I'd be all for a new thread with an updated OP that has some more information.

Posted Dec 13, 2011 22:24

Corvettefisher posted:
Just going to throw this out there, but would anyone be opposed to me making a new thread, same topic but with an OP that has some troubleshooting/common problems/scanners/etc.?

Wouldn't that fall into the Haus of Tech Support if we're talking more about troubleshooting stuff?

(Prosthetic_Mind fucked around with this message at 22:34 on Dec 13, 2011)

Posted Dec 13, 2011 22:27

Prosthetic_Mind posted:
Wouldn't that fall into the Haus of Tech Support if we're talking more about troubleshooting stuff?

Isn't this thread doing exactly that?

Posted Dec 13, 2011 22:35

Corvettefisher posted:
Just going to throw this out there, but would anyone be opposed to me making a new thread, same topic but with an OP that has some troubleshooting/common problems/scanners/etc.?

I wouldn't be opposed to that if you would actually take it upon yourself to update it. Too often people start threads and then don't really keep the OP up to date with the latest happenings in the thread... I'd be willing to contribute at least the tools I use on a day-to-day basis, but would also be interested in hearing what is in others' toolkits...

Posted Dec 14, 2011 00:21

mindphlux posted:
I wouldn't be opposed to that if you would actually take it upon yourself to update it. Too often people start threads and then don't really keep the OP up to date with the latest happenings in the thread...

Oh yeah, I would keep it up to date. I'll start it off tonight: http://forums.somethingawful.com/showthread.php?threadid=3455244

Add anything you want.

(Dilbert As FUCK fucked around with this message at 19:06 on Dec 15, 2011)

Posted Dec 14, 2011 01:12

I just caught the fake AV from an SA banner ad this morning. Killed all my shortcuts/.exe's. MSSE & MBAM straightened it out. Pain in the rear end, tho. WTF, SA?

Posted Dec 17, 2011 17:35

Yeah, I got two of them within two weeks of each other. Installed MSE and then uninstalled Java, cause gently caress Java. A bunch of my users have been getting Win7 Antivirus 2012 and I am on vacation for the next two weeks.

Posted Dec 17, 2011 19:43

Goddamn, wish I knew about ComboFix before I got ransacked by the new goddamn Win7 2012 Antivirus crap. Every time I got rid of it via Malwarebytes in safe mode, it came back. Finally I gave the gently caress up, backed up some stuff, and did a factory reset. Apparently something I backed up was infected, leading to a second loving system wipe. Seems to be fine now, though. Am I right in assuming an .exe file I had backed up from the infected machine caused the virus to come back after I did a machine wipe to factory settings? I had backed up a bunch of crap from my Steam folder and I assume hl2.exe or something was the culprit in why the virus was back after everything was set to the original out-of-box state.

Posted Dec 18, 2011 00:12

JeffLeonard posted:
I just caught the fake AV from an SA banner ad this morning. Killed all my shortcuts/.exe's.

Do we know which it was? I was browsing SA too when I was hit last week.

MinibarMatchman posted:

Possibly something could've been injected into an .exe again. But you'd have to run the .exe again, most likely.

Posted Dec 18, 2011 00:38

MinibarMatchman posted:
Goddamn, wish I knew about ComboFix before I got ransacked by the new goddamn Win7 2012 Antivirus crap. Every time I got rid of it via Malwarebytes in safe mode, it came back. Finally I gave the gently caress up, backed up some stuff, and did a factory reset. Apparently something I backed up was infected, leading to a second loving system wipe. Seems to be fine now, though.

Probably. Also, when you "wiped", did you actually do a WIPE? Like DBAN or something, or wiping the MBR from a Linux live CD? Because several of the newer variants persist past Windows reinstalls. Also, why would you back up your Steam folder? It's Steam, just redownload a fresh copy.

Posted Dec 18, 2011 01:27

Biowarfare posted:
Also, why would you back up your Steam folder? It's Steam, just redownload a fresh copy.

Because re-downloading 200GB of games is a pain in the rear end.

Posted Dec 18, 2011 02:00

Vatek posted:
Because re-downloading 200GB of games is a pain in the rear end.

200GB is like three to five hours?

edit: nvm, there are places with monthly bandwidth quotas and whatnot.

Posted Dec 18, 2011 02:08