|
MinibarMatchman posted:goddamn, wish I knew about ComboFix before I got ransacked by the new goddamn Win7 2012 Antivirus crap. Everytime I got rid of it via Malwarebytes in safe mode, it came back. Finally I gave the gently caress up, backed up some stuff, and did factory reset. Apparently something I backed up was infected, leading to a second loving system wipe. Seems to be fine now, though. A 'factory reset' from a branded computer is just taking backup files from a hidden partition and reinstalling Windows with it. It's trivial for a virus to hide itself in that backup, so when Windows gets reinstalled, the virus comes along with it. The safer thing to do is a reformat with a Windows CD, which presumably the virus didn't jump to.
|
#
?
Dec 18, 2011 02:12
|
|
|
|
| # ? Jun 7, 2024 10:33 |
|
|
Biowarfare posted:Also, when you "wiped", did you actually do a WIPE? Like DBAN or something/wiping MBR from a linux live cd? Because several of the newer variants persist past windows reinstalls. Using a Vista/7 DVD with a format would work 100% of the time too right? Not like it has to be a Linux CD.
|
|
#
?
Dec 18, 2011 03:32
|
|
|
Zogo posted:Do we know which it was? I was browsing SA too when I was hit last week. No idea which banner ad. My laptop usually isn't on the internet, I use it for Ableton/recording. I used it to web browse for some reason this morning...only visited SA.
|
|
#
?
Dec 18, 2011 04:24
|
|
|
Raere posted:A 'factory reset' from a branded computer is just taking backup files from a hidden partition and reinstalling Windows with it. It's trivial for a virus to hide itself in that backup, so when Windows gets reinstalled, the virus comes along with it. The safer thing to do is a reformat with a Windows CD, which presumably the virus didn't jump to. Yeah, this is what I did, since I don't have a Windows CD. It's a Toshiba laptop feature, I suppose. Also the only Steam things I copied over were saves from stuff that would not be copied over on a reinstall. For some reason I backed up some TF2 stuff that contained a few executables. In any case, on the first day of the factory reset with those folders, it came back after a few hours. After doing everything again but without that folder, its been a few days and everything is running fine. Presently I have Malwarebytes/AVG installed but I guess AVG isn't really viable these days, is it? Both haven't picked up anything the past few days. Is there anything else I can use to fully insure it's not just dormantly waiting to crash everything in a week?
|
|
#
?
Dec 18, 2011 05:10
|
|
|
MinibarMatchman posted:Is there anything else I can use to fully insure it's not just dormantly waiting to crash everything in a week? http://www.bleepingcomputer.com/download/anti-virus/rkill then right after http://support.kaspersky.com/faq/?qid=208283363
|
|
#
?
Dec 18, 2011 05:16
|
|
|
MinibarMatchman posted:Yeah, this is what I did, since I don't have a Windows CD. It's a Toshiba laptop feature, I suppose.
|
|
#
?
Dec 18, 2011 05:17
|
|
|
Zogo posted:http://www.bleepingcomputer.com/download/anti-virus/rkill Ah, I did do everything from bleepingcomputer to deal with that Antivirus, so I'm good as far as the rkill application goes. I'll run the other program as well, thanks. edit: alright, after another rkill run and using that other program, still nothing. I guess I'm good for now; thanks for the suggested programs for further use! DLC Inc fucked around with this message at 05:33 on Dec 18, 2011 |
|
#
?
Dec 18, 2011 05:28
|
|
|
I know you guys know this, but just thought I'd post it in case anyone reading this gets the wrong impression. When people say they were infected by SA it doesn't mean SA is trying to infect computers; the baddie registers for the ad network SA uses (Google I assume) and then puts infected ads out to all publishers. You're just as likely to get infectious ads from any publisher as you are here.
|
|
#
?
Dec 18, 2011 19:41
|
|
|
Zogo posted:Using a Vista/7 DVD with a format would work 100% of the time too right? Not like it has to be a Linux CD. A format usually doesn't touch the MBR. The only way to be sure is to wipe the drive completely. That can be done by issuing the ATA secure erase command, or with a low-level, filesystem/partitioning-agnostic command like good old "dd if=/dev/zero of=/dev/yourharddrive bs=1M". There are options other than Linux - most hard drive manufacturers' bootable diagnostics will wipe the drive for you, for instance - but as far as I know the functionality to completely wipe the disk isn't available from Windows install media.
|
|
#
?
Dec 18, 2011 20:03
|
|
|
Scaramouche posted:I know you guys know this, but just thought I'd post it in case anyone reading this gets the wrong impression. When people say they were infected by SA it doesn't mean SA is trying to infect computers; the baddie registers for the ad network SA uses (Google I assume) and then puts infected ads out to all publishers. You're just as likely to get infectious ads from any publisher as you are here. Yeah, and the appropriate admins really want to hear from anyone who's fallen prey to a bad ad and who the "advertiser" was. QCS that poo poo (if you don't know how to avoid getting it in the first place).
|
|
#
?
Dec 18, 2011 23:36
|
|
|
Space Gopher posted:A format usually doesn't touch the MBR. The only way to be sure is to wipe the drive completely. That can be done by issuing the ATA secure erase command, or with a low-level, filesystem/partitioning-agnostic command like good old "dd if=/dev/zero of=/dev/yourharddrive bs=1M". Would fixMBR work from a recovery console in windows? I haven't had to do something like this, but I'm getting a few laptops at the family Christmas and might have to have a solution on hand.
|
|
#
?
Dec 18, 2011 23:43
|
|
|
You don't actually have to use dban or similar, just rewrite the MBR with a clean one. My usual method is to clobber about 16kb (just to make sure I flatten the first partition's boot sector and whatnot as well) of the whole disk special file with dd from a linux livecd, then boot up with the windows installer (or linux, or whatever you choose to install) and it'll HAVE to create a clean MBR and filesystem on the drive. Make sure you aim for the right drive... I physically unplug all drives I don't want to touch ever since I nuked the wrong one once. Also make sure you aim for the whole drive, not a single partition, if you are trying to kill the MBR - ie /dev/ad1 not /dev/ad1s1 or /dev/ad1s1a etc. I'm used to FreeBSD, so I may have a different naming scheme in that example than a linux livecd will give you. usual warnings apply, back up your poo poo before you do this, this will drink all the beer in your fridge and impregnate your daughter, if you don't want to nuke your whole drive's contents don't do this because it's intended to do just that, etc edit: I guess I know why I haven't gotten any of these ad based flash/java/pdf exploit viruses going around. I have ABP installed (and need to install noscript) so 99.9% of ads never even get loaded, and I use foxit pdf viewer instead of adobe. kastein fucked around with this message at 02:38 on Dec 19, 2011 |
|
#
?
Dec 19, 2011 02:35
|
|
|
There's also a way to take care of the MBR right from the comfort of your own windows disk! Get into the command prompt from the recovery console, run diskpart, and then issue the clean or clean all command. Clean just blows away the partiton tables / MBR, and clean all mops it all up. Takes loving forever, though. Otherwise, if you have an infection that survives reinstall, it means one of two things - Either you have a rootkit (Such as TDSS), or your infection is environmental.
|
|
#
?
Dec 19, 2011 02:41
|
|
|
Also if you have any sd/cf/memory sticks/usb flash drives/external hard drives wipe those too or you're liekly to be autoreinfected
|
|
#
?
Dec 19, 2011 02:52
|
|
|
Scaramouche posted:I know you guys know this, but just thought I'd post it in case anyone reading this gets the wrong impression. When people say they were infected by SA it doesn't mean SA is trying to infect computers; the baddie registers for the ad network SA uses (Google I assume) and then puts infected ads out to all publishers. You're just as likely to get infectious ads from any publisher as you are here. Oh yeah. I'm not blaming SA or anything like that. I have had the same thing happen on cleveland.com and other sites.
|
|
#
?
Dec 19, 2011 03:13
|
|
|
Is MSE seriously better than NOD32?
|
|
#
?
Dec 19, 2011 04:19
|
|
|
So whats the consesus on getting rid of Win 7 Antivirus/whatever its called that fake anti virus. I ended up using a regedit from bleepingcomputer.com that let me open up programs (this win 7 antivirus thing prevents all programs from starting) and then running malwarebytes and then a boot-time scan with avast. It goes away for awhile but then randomly starts up again like a day later. How do i get rid of it permanently?
|
|
#
?
Dec 19, 2011 06:31
|
|
|
flatten and reinstall, wipe all removable media, wipe mbr
|
|
#
?
Dec 19, 2011 07:14
|
|
|
I don't know what flatten means. How do I wipe the MBR? Also if i wipe my removeable media does that mean all the stuff Ive backed up cant be recovered/transfered to somewhere else? Is there some kind of tutorial for all of this?
|
|
#
?
Dec 19, 2011 07:41
|
|
|
Gozinbulx posted:So whats the consesus on getting rid of Win 7 Antivirus/whatever its called that fake anti virus. You're missing something here. Give TDSSKiller a whirl. Thoroghly check msconfig - programs and services. Check your start menu startup folder Check Appdata (Local and Roaming) Check Programdata (Doing a search for *.exe or *.dll in both sets of locations will help) Check the following registry locations: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Windows HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon (Look for anything in shell / load) HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon (Look for anything in shell / load) HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce Other things you should do: Check your hosts file Reset your web browser of choice, clear it's cache. Ensure your DNS settings - On both computer and router haven't been hosed with. And while you're up (if you should so desire to boot into Windows, normally), look through the Task Maanger. Are there any suspiscious items there? As well, go into view, select column, and check off Command Line. This will allow you to see where each piece of software is running from. Usuaully if say, something like svchost.exe is running from \Appdata\Microsoft\, It's probably not legit. Or, you know, if your system is important to you as is, pay a specialist to gut it.
|
|
#
?
Dec 19, 2011 12:53
|
|
|
Gozinbulx posted:So whats the consesus on getting rid of Win 7 Antivirus/whatever its called that fake anti virus. Are you sure you just aren't regetting it? I'd completely uninstall java and see where that gets you at first.
|
|
#
?
Dec 19, 2011 15:43
|
|
|
TLG James posted:Is MSE seriously better than NOD32? For the price? Absolutely. Disregarding price it's still a strong contender. Gozinbulx posted:So whats the consesus on getting rid of Win 7 Antivirus/whatever its called that fake anti virus. Probably bundled with TDSS or a similar rootkit. The bleeping computer page has links to all the tools you need, after you use fixNCR.reg run rkill.exe, when that's done run TDSSkiller, then malware bytes to clean up.
|
|
#
?
Dec 19, 2011 16:30
|
|
|
Thank you so much guys. This virus is wreaking havoc.
|
|
#
?
Dec 19, 2011 17:21
|
|
|
I also have a recurring Win 7 problem. I system restored my computer back 48 hours, and it went away for about a day. Now it's back... going to take it to a shop see if they can do better then me. What a pain in the rear end, I'm not even sure how I got it since I don't visit any suspcious sites.
|
|
#
?
Dec 20, 2011 19:27
|
|
|
Arrgytehpirate posted:I'm not even sure how I got it since I don't visit any suspcious sites. Chances are you got it from one of the regular sites you browse, if it has an ad network like google ads or anything similar to it providing their ads then it is more than possible.
|
|
#
?
Dec 20, 2011 19:42
|
|
|
Run adblock, noscript, ghostery, etc.
|
|
#
?
Dec 20, 2011 20:01
|
|
|
http://www.theregister.co.uk/2011/12/21/win_7_bug_crash_risk/ Windows 7 x64 bug that can be triggered using an HTML tag via Safari. Which also may allow for kernel level code execution. quote:An unpatched critical flaw in 64-bit Windows 7 leaves computers vulnerable to a full 'blue screen of death' system crash.
|
|
#
?
Dec 21, 2011 20:49
|
|
|
From what I read on ISC it's got nothing to do with Safari and everything to do with win32k.sys: http://isc.sans.edu/diary/New+Vulnerability+in+Windows+7+64+bit/12238
|
|
#
?
Dec 21, 2011 23:29
|
|
|
I'm also having trouble with that Win 7 Home Security 2012 virus. Been fighting it over the past few days. Ran SpyBot in safe mode, took out a lot of trojans, then Malwarebytes, took out a lot. Been having something very odd happen afterwards, though. When I run my computer outside of safe mode, it will run fine for a few minutes past startup, and then everything will refuse to open. Task Manager will show me that whatever I try to open is only using about 84 to 100K of memory. Anything that I'm able to open before this takes place starts to not respond after a few minutes.
|
|
#
?
Dec 22, 2011 04:11
|
|
|
Did you try the fixncr and associated program Circutron? I've used it successfully twice at work and once here from the damned ads. Might want to uninstall Java and then delete the java folder. Also I think if you browse to c:\users\%useranme\appdata\local and sort it by date and find some weird 3 letter executable and delete it that should help with a lot of your issues. I did all of that, ran malwarebytes, rebooted, uninstalled Avast and installed MSE. Ran a deep scan and it still found 8 other issues after 5 hours. Reboot and clean as a bird. I still scan every other week though 'cause 
|
|
#
?
Dec 22, 2011 04:16
|
|
|
I'm out of the CJ biz but had to deal with a Zero Access rootkit today. TDSSKiller took care of it mostly. If your processor is getting pinned by PING.EXE that's generally how you can tell.
|
|
#
?
Dec 24, 2011 01:09
|
|
|
Scaramouche posted:I'm out of the CJ biz but had to deal with a Zero Access rootkit today. TDSSKiller took care of it mostly. If your processor is getting pinned by PING.EXE that's generally how you can tell. Yea the most recent versions have been loading multiple ping executables that consume 30% cpu each it is not stealthy at all
|
|
#
?
Dec 24, 2011 02:13
|
|
|
Has anyone seen a computer with that rootkit zero access not being able to connect to the Internet via LAN or WiFi after it was removed by combofix?
|
|
#
?
Dec 28, 2011 01:17
|
|
|
Yep! Run winsock fix on it that will fix the issue you should be able to find it through google there's a few places that host it.
|
|
#
?
Dec 28, 2011 01:37
|
|
|
Hex Darkstar posted:Yep! Run winsock fix on it that will fix the issue you should be able to find it through google there's a few places that host it. Great, I'll try that next time I run into that problem. Thanks!
|
|
#
?
Dec 28, 2011 01:48
|
|
|
stogie posted:Has anyone seen a computer with that rootkit zero access not being able to connect to the Internet via LAN or WiFi after it was removed by combofix?
|
|
#
?
Dec 28, 2011 06:31
|
|
|
I'm currently struggling with an XP laptop which became infected with Ramnit.AF last Saturday. How infected? It looks like the owner of said laptop isn't alone : http://www.bbc.co.uk/news/technology-16426824 This thing has trashed the OS and is impressively resistant to everything I'm throwing at it. Reformatting the drive and starting over is going to be the only option, but of course she doesn't do backups and I've got to salvage her personal documents to another isolated hard drive first by using an Ubuntu live CD. After that we can hook it up to another disposable machine and scan the gently caress out of that and find out how many of them are infected before even thinking about letting them near a fresh install. This is what happens if you access the Net with XP, don't update Adobe Reader and never make backups I guess.
|
|
#
?
Jan 5, 2012 23:28
|
|
|
IO don't know what is sitting out there without a patch yet, but my computer shop has been going crazy with computers coming in for virus removal with the Vista 7 Antivirus Platinum Pro 2012 XP antivirus crap, generally bundled with TDSS or ZeroAccess. Went from a slow period to every bench spot is full and the shelf is getting full, and 90% of them are virus removals.
|
|
#
?
Jan 6, 2012 15:43
|
|
|
El Goatherd posted:Ramnit poo poo gently caress that infection, i'm pretty sure the last machine I saw with it on there had pretty much every .exe file infected with it. Annoying as hell and when our endpoint finally picks up on it we get like 2000 event logs all for the same detection. Another one similar to Ramnit is "Expiro" that one shows up in our event logs a couple thousand times every few days all from one machine usually.
|
|
#
?
Jan 6, 2012 20:23
|
|
|
|
| # ? Jun 7, 2024 10:33 |
|
|
Maniaman posted:IO don't know what is sitting out there without a patch yet, but my computer shop has been going crazy with computers coming in for virus removal with the Vista 7 Antivirus Platinum Pro 2012 XP antivirus crap, generally bundled with TDSS or ZeroAccess. Went from a slow period to every bench spot is full and the shelf is getting full, and 90% of them are virus removals. We're in the same boat at our shop - XP, Vista, 7 - everyone is getting hit. I've had systems with KAV, Avira, McAfee, Norton and MSE (respectively, not all at the same time) get infected. It's pretty bonkers right now.
|
|
#
?
Jan 6, 2012 22:15
|
|
