theHUNGERian posted: Hey guys,

Check your proxies. Check your DNS server setting. Check for a rootkit.

Posted Apr 3, 2012 17:13
theHUNGERian posted: Hey guys,

Hitman Pro fixes this, ComboFix will as well. Basically it hardcodes an IP for Google in /hosts, so when you go to anything Google related it redirects to X.

Posted Apr 3, 2012 17:15
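One check a defender can script for the hosts-file redirect described in the post above, as an added example that is not code from this thread or from any tool it names; the watched-domain list and the sample hosts text are constructed:

```python
"""Flag hosts-file entries that pin well-known domains to a routable address.
Added example, not the thread's code: the post above describes the Smart HDD
payload hard-coding an IP for Google in the hosts file. Sample is constructed."""
import ipaddress
from typing import Iterator, List, Tuple

# Domains a defender would not expect to find pinned in a hosts file (constructed list).
WATCHED_DOMAINS = ("google.com", "bing.com", "microsoft.com", "malwarebytes.org")
# Windows keeps the file here; Unix uses /etc/hosts with the same format.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, ip, [hostnames]) for each effective mapping in hosts text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address-to-name mapping, so not a redirect
        yield line_no, fields[0], [h.lower() for h in fields[1:]]


def _is_watched(hostname: str) -> bool:
    """True for a watched domain or any subdomain of it."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, hostname, ip) for watched names mapped to a real address."""
    findings: List[Tuple[int, str, str]] = []
    for line_no, ip, hosts in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        # 127.0.0.1, ::1 and 0.0.0.0 are how legitimate blocklists sinkhole a name;
        # any other address silently sends the browser elsewhere, which is the hijack.
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.extend((line_no, h, ip) for h in hosts if _is_watched(h))
    return findings


# Constructed sample resembling a hijacked Windows hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # harmless ad block
198.51.100.23   www.google.com google.com
198.51.100.23   www.bing.com
"""

if __name__ == "__main__":
    for line_no, host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```

Run it against the real file by reading WINDOWS_HOSTS_PATH (or /etc/hosts) and passing the text to find_hijacks; an empty result means no watched name is being redirected.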
Edit: ^ Also what he said is a good idea too.

If you're getting that, most likely you've been hit by the secondary infection that gets dropped by Smart HDD. If you haven't already, give TDSSKiller a run; if that doesn't work, give Yorkyt.exe (Panda Security ZAccess Removal Tool) a spin. If it isn't ZeroAccess then it is probably MaxSS/TDL, in which case if TDSSKiller fails give FixTDSS (Symantec Tool) a try.

Posted Apr 3, 2012 17:30
I ran ComboFix and the problem remains. I'm running HitmanPro right now. I removed Smart HDD from the startup in msconfig in safe mode. Once done, I deleted all parts of the software manually. I then ran MalwareBytes, TDSSKiller, and the unhide tool. Unfortunately, the shortcuts from the start menu were deleted during the infection, but they are just shortcuts. Will report back.

Edit: HitmanPro for the win! Everything back to normal. I need to upgrade my spyware defenses.

theHUNGERian fucked around with this message at 18:50 on Apr 3, 2012

Posted Apr 3, 2012 18:33
Hex Darkstar posted: Just removed one of those earlier today. That site has a location for the files, but the one I came across today was in a different location. Also, *DO NOT* delete the %temp%\smtmp\ folder or any subfolders of it; that is where the malware moves all of your shortcuts, and there's no restoring them unless you're lucky and they go to the recycle bin instead of the twisting nether of bits.

Thanks. I followed the video linked to in the thread I posted and that seemed to remove it. Didn't touch the registry much though. A bit hesitant there. I've run a Hitman Pro scan, a Malwarebytes scan, a Kaspersky TDSSKiller scan and am now running that Microsoft security scanner you linked. Anything else I need to do now? Planning to do a full system scan with Trend Micro Internet Security at the end.

Posted Apr 3, 2012 19:06
For now that should do it. If none of the other removal tools came back with any detections, you might want to try and google something and see if you're being redirected or anything like that, but otherwise you're more than likely back to normal, although after an infection there's always that question of what else it changed.

As for today: drat near poo poo my pants when I saw that. Then I checked and ONE machine is generating 3218 events out of the 4000 something total. The person who is using that machine has to be blatantly ignoring virus scan pop ups on their machine. I seriously want to talk to them and ask them what the gently caress. Problem is they won't answer their phone.

e: Mind you, all those detections came in and are still coming in within the last 3 1/2 hours. About to tell networking to shut their port off.

Hex Darkstar fucked around with this message at 19:21 on Apr 5, 2012

Posted Apr 5, 2012 19:12
Yeah, my agency is getting hit with that SMART HDD poo poo. Thankfully, we got the poo poo locked down so all it can do is just flash that annoying window. (No admin rights! HA!) I just wrote up some instructions on how to clean it up and created a batch file that'll unhide the files and folders the users need. (We can't use "unhide.exe". Government agency.)

Posted Apr 5, 2012 19:31
A machine came in today with a note saying Avira had stopped working for some reason. A quick peek at the logs revealed this:

code:

http://www.theregister.co.uk/2011/10/26/avira_auto_immune_false_positive/

Posted Apr 5, 2012 19:51
I've seen these before, but apparently it's back, in POG form: http://www.theregister.co.uk/2012/04/05/police_themed_ransomware/ Scareware that implies it's found illegal material on your computer and you have to pay it off to not get arrested.

Posted Apr 6, 2012 00:15
It's weird, I never see those tailored to the US. The only time I ever encountered one was when a user visiting Germany got hit by that ransom crapware; that was the one and only time I've had to do a removal for it. Ah well, not going to complain, the less of those around here the better.

Posted Apr 6, 2012 01:17
It must be because none of your users ever has illegal material on their computers!!

Posted Apr 6, 2012 02:08
Scaramouche posted: It must be because none of your users ever has illegal material on their computers!!

The amount of .torrent files I see begs to differ. Although not porn, mostly TV shows. Goddamn them, had to add all the popular BitTorrent clients to the list of unwanted programs so our virus scan suite nukes them before users can use them. You can get around it by renaming the exe file, since we're not using a signature, just going off the exe name, but most of them don't realize that so it works out in the end. At least they're not doing it on our network; our IDS systems monitor for that and it never seems to happen, but they're still using a work resource to do it outside of work.

Posted Apr 6, 2012 02:23
Scaramouche posted: I've seen these before, but apparently it's back, in POG form:

Yes, there was one purporting to be Strathclyde (Glasgow) Police. Initially McPolice issued a statement saying "it's not us, don't pay, get a computer bloke in" or similar. After some thought (and presumably a few confessions) they later changed their position to "it's not us, it's malware, but if you'd like to talk to us about it the number is..." example

Posted Apr 6, 2012 19:52
Here's an easier-to-read screenshot from one of the most recent machines we had in infected with it (click for big):

Because everyone knows that the standard punishment for being a pedophile with 'secret terroristic plans' is a hundred quid fine paid with a money order.

Posted Apr 6, 2012 22:05
Hex Darkstar posted: It's weird, I never see those tailored to the US. The only time I ever encountered one was when a user visiting Germany got hit by that ransom crapware; that was the one and only time I've had to do a removal for it. Ah well, not going to complain, the less of those around here the better.

Posted Apr 7, 2012 06:37
Has anyone seen that Smart HDD malware remove entire swaths of registry entries? I've got a coworker who had Smart HDD, and I removed it with MS' standalone system sweeper. Now this key is entirely missing:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\*

I've tried exporting the key from a VM I keep around; regedit doesn't import it correctly, says it's an invalid file type. Since this covers file types and their handlers, it's hampering my repairs.

Posted Apr 10, 2012 22:51
Oddhair posted: Has anyone seen that Smart HDD malware remove entire swaths of registry entries? I've got a coworker who had Smart HDD, and I removed it with MS' standalone system sweeper. Now this key is entirely missing:

Did you try using "REG IMPORT whatever.reg" from the command line?

Posted Apr 11, 2012 03:11
Oddhair posted: Has anyone seen that Smart HDD malware remove entire swaths of registry entries? I've got a coworker who had Smart HDD, and I removed it with MS' standalone system sweeper. Now this key is entirely missing:

If I recall, this little piece of malware likes to put in an entry for regedit in Image File Execution Options to redirect to its wonderful little executables. I'm not sure if the "reg import" would work, but I've had luck with using autoruns to remove these sorts of entries.

Posted Apr 11, 2012 04:04
I'm going to try autoruns now, and I hadn't tried the command line merge, only from within regedit.

Posted Apr 11, 2012 13:59
Smart HDD/SystemCheck is destroying me right now. Many of them are dropping/resulting from TDSS/Alureon/Tidserv or something similar and they're breaking our custom MBR. Half of my calls lately are "When I turn my computer on it just has a blinking cursor on the top right and it won't do anything."

Posted Apr 12, 2012 08:51
repeating posted: Many of them are dropping/resulting from TDSS/Alureon/Tidserv or something similar and they're breaking our custom MBR. Half of my calls lately are "When I turn my computer on it just has a blinking cursor on the top right and it won't do anything."

Ooooh, they're spreading TDL again? If it is anything like in the past, the FakeAV part of SmartHDD phones home after installing, then downloads and runs a rootkit, either TDL or ZAccess, if the user has admin rights. All of the ones I've come across have been ZeroAccess infections so far that dropped alongside Smart HDD. Luckily they leave the MBR unharmed, but removal is still an annoyance if the self defense mechanisms in it are actually working. That stupid ADS executable it uses as a trip wire always causes problems unless you're using a tool specialized in removing ZeroAccess.

Posted Apr 12, 2012 18:12
So I'm a computer science major in college (so I'm not totally ignorant) and my laptop hard drive space appears to fluctuate a large amount from day to day. Today I appear to have 10 extra gigs of free space out of nowhere, which is a really large jump from what it normally does. Until now I just assumed it was temporary files of programs or something (VM maybe?). I've scanned several times with MSE and MalwareBytes. Is there a rootkit/virus that does this? Or is my hard drive just being weird? I'm running Windows 7 Home Premium.

Posted Apr 12, 2012 22:36
precedence posted: So I'm a computer science major in college (so I'm not totally ignorant) and my laptop hard drive space appears to fluctuate a large amount from day to day. Today I appear to have 10 extra gigs of free space out of nowhere, which is a really large jump from what it normally does. Until now I just assumed it was temporary files of programs or something (VM maybe?). I've scanned several times with MSE and MalwareBytes.

Posted Apr 12, 2012 22:44
Well, that's a first. Came across a detection on a user's machine that was a heuristic detection by Artemis for a .scr file named "Recycled". I sent it off to ThreatExpert and the results were kind of disturbing. It creates a sys file and a service based off that sys file that is set to start at 0x1, so it is set to start as a system service. Oh yeah, did I forget to mention that it also tries to contact a remote location that was in China according to the report? Curious about this one. It was in a backup the user made, so I have a feeling if it ever ran on one of their systems it was already reimaged since then, but still, what was it doing while it was active?

Posted Apr 12, 2012 22:49
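To triage the kind of service entry described in the post above (a .sys registered with Start=0x1), here is an added example that is not code from the thread or from ThreatExpert: it parses the text of a `reg export` of the Services key and lists kernel drivers that load before any user-mode scanner. The sample export and the service name rcycld are constructed.

```python
"""Triage a .reg export of the Services key for early-starting kernel drivers.
Added example, not the thread's code: a service with Start=0x1 (SYSTEM_START)
loads during kernel init, ahead of user-mode scanners. Sample is constructed."""
import re
from typing import Dict, List

START_NAMES = ("BOOT_START", "SYSTEM_START", "AUTO_START", "DEMAND_START", "DISABLED")
KERNEL_DRIVER = 0x1  # SERVICE_KERNEL_DRIVER bit of the Type value
# Direct children of ...\Services only, so subkeys such as \Parameters are skipped.
_KEY = re.compile(r"^\[HKEY_[^\]]*\\Services\\([^\\\]]+)\]$")
_VAL = re.compile(r'^"(\w+)"=(dword:|hex\(2\):|")(.*?)"?$')

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Map each service name to its decoded Start/Type/ImagePath values."""
    services: Dict[str, Dict[str, object]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = line[:-1] if line.endswith("\\") else ""  # .reg wraps long values
        if pending:
            continue
        if line.startswith("["):
            m = _KEY.match(line)
            current = services.setdefault(m.group(1), {}) if m else None
        elif current is not None and (m := _VAL.match(line)):
            name, kind, data = m.groups()
            if kind == "dword:":
                current[name] = int(data, 16)
            elif kind == '"':
                current[name] = data.replace("\\\\", "\\")  # REG_SZ escapes backslashes
            else:  # REG_EXPAND_SZ is exported as comma-separated UTF-16LE bytes
                blob = bytes(int(b, 16) for b in data.split(",") if b)
                current[name] = blob.decode("utf-16-le").rstrip("\x00")
    return services

def early_start_drivers(text: str) -> List[str]:
    """Kernel drivers with Start <= SYSTEM_START as 'name: START path', sorted."""
    hits = []
    for name, vals in parse_reg(text).items():
        start = vals.get("Start", 3)
        if vals.get("Type", 0) & KERNEL_DRIVER and start <= 1:
            hits.append(f"{name}: {START_NAMES[start]} {vals.get('ImagePath', '?')}")
    return sorted(hits)

# Constructed export: a real boot-start driver, a user-mode service, a made-up driver.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="system32\\drivers\\disk.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rcycld]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,61,00,2e,00,73,00,\
  79,00,73,00,00,00
"""
```

Real exports from regedit are UTF-16 files, so decode them to text before calling early_start_drivers; every name it returns is a driver worth checking against the vendor's list, because legitimate boot drivers such as Disk appear there too.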
Hex Darkstar posted: Well, that's a first. Came across a detection on a user's machine that was a heuristic detection by Artemis for a .scr file named "Recycled". I sent it off to ThreatExpert and the results were kind of disturbing. It creates a sys file and a service based off that sys file that is set to start at 0x1, so it is set to start as a system service. Oh yeah, did I forget to mention that it also tries to contact a remote location that was in China according to the report?

I had a buddy get something similar off of a USB stick our boss brought back from a trip to China. I don't remember the specifics (>2 years ago) but I do remember a *.scr file in the recycle bin and the 0x1 service entry. It was super chatty with China. He wouldn't let me troubleshoot it so he just reformatted.

Posted Apr 13, 2012 01:09
Scaramouche posted: I had a buddy get something similar off of a USB stick our boss brought back from a trip to China. I don't remember the specifics (>2 years ago) but I do remember a *.scr file in the recycle bin and the 0x1 service entry. It was super chatty with China. He wouldn't let me troubleshoot it so he just reformatted.

I still have a sample of the dropper/backdoor install. I am going to try and run it via a VM that I've locked down and do a Wireshark dump on what it is sending, in hopes that it isn't a bunch of encrypted traffic. The family it comes from apparently consists of a rootkit and possibly a PWS component. At this point there's no real reason for me to do this besides curiosity; the VirusTotal results on it were a crap storm of detections on the 43 scans they use, so now I'm just wondering if it was actually still sending anything home or if the C&C for it has been shut down. The backup the employee made was of his Blackberry's storage, so I am thinking that it might have copied itself to his phone to try and spread by autorun whenever his MicroSD card got mounted like a USB drive.

Posted Apr 13, 2012 01:24
precedence posted: ...my laptop hard drive space appears to fluctuate a large amount from day to day. Today I appear to have 10 extra gigs of free space out of nowhere, which is a really large jump from what it normally does.

You could try the SpaceMonger program to see if there are files or folders that stick out or fluctuate from day to day. http://www.sixty-five.cc/sm/v1x.php

Posted Apr 13, 2012 04:19
The gently caress is up with iGoogle right now? My wife just called me in to show me how trying to close an iGoogle Chrome tab brings up an "Are you sure you want to leave this page? Find love or sex here!" which links to cafebar.ro (Search Google for "iGoogle cafebar.ro" and watch how many strange hits come up.) My Chrome profile will not produce the same results. Her Firefox does the above, too, while mine does not. This is the same situation on three known-safe computers (the second has literally not been used today until now for the sake of testing; the third I just finished up a clean Win7 install on). The behavior stopped for about two minutes before starting again, but this time when trying to close Chrome (on an iGoogle tab) itself. For now she is just avoiding iGoogle, and I'm scanning the hell out of her system tonight, but in case it's not a local infection, what could cause this?

Posted Apr 15, 2012 00:59
To clarify, if you log into your iGoogle on her machine, this behavior does not occur. If she logs into her iGoogle on your machine, it does. If that's the case it sounds like she's got some nasty little widget added to her homepage.

Posted Apr 15, 2012 03:22
Tapedump posted: The gently caress is up with iGoogle right now? My wife just called me in to show me how trying to close an iGoogle Chrome tab brings up an "Are you sure you want to leave this page? Find love or sex here!" which links to cafebar.ro

I found a report over here that claims this is caused by problematic iGoogle gadgets -- one person claimed that Match Up (a synonym quiz thing) was the culprit for them, but it may be different for your wife.

Posted Apr 15, 2012 03:23
Shalhavet posted: To clarify, if you log into your iGoogle on her machine, this behavior does not occur. If she logs into her iGoogle on your machine, it does.

Technogeek posted: I found a report over here that claims this is caused by problematic iGoogle gadgets

Posted Apr 15, 2012 04:15
Hex Darkstar posted: Well, that's a first. Came across a detection on a user's machine that was a heuristic detection by Artemis for a .scr file named "Recycled". I sent it off to ThreatExpert and the results were kind of disturbing. It creates a sys file and a service based off that sys file that is set to start at 0x1, so it is set to start as a system service. Oh yeah, did I forget to mention that it also tries to contact a remote location that was in China according to the report?

That sys file isn't part of the virus. It's the system component of the Themida copy protection system: http://www.oreans.com/themida.php The malware author has just packed his lovely bot with Themida, which is what's dropped the sys file. So you don't have that to worry about at least -- and leaving the sys file around probably won't do any harm. The connections to China are definitely not from that though.

Posted Apr 15, 2012 17:38
Just a heads up for you guys, I got in to work yesterday and booted up my computer (which a few other users also use) to find it infected with some "Security Fortress 2012" bullshit, I think it was. Got past MSE, apparently.

Posted Apr 20, 2012 17:39
MSE has been updated to version 4 (skipping version 3 entirely):

- Enhanced protection through automatic malware remediation: The program will clean highly impacting malware infections automatically, with no required user interaction.
- Enhanced performance: Version 4.0 includes many performance improvements to make sure your PC performance isn't compromised.
- Simplified UI: Simplified UI makes Microsoft Security Essentials easier to use.
- New and improved protection engine: The updated engine offers enhanced detection with cleanup capabilities and better performance.

http://windows.microsoft.com/en-US/windows/products/security-essentials/

Posted Apr 25, 2012 11:32
Bokito posted: MSE has been updated to version 4 (skipping version 3 entirely):

Just updated. The UI looks very much the same as the previous version, except they went back to a blue background that gradually fades to gray and got rid of the weird texture thing. Kind of excited to see the speed improvements though; I always hated doing full scans because they would sometimes take over 6 hours. Also, as a person that installs MSE for people who bring in computers for viruses, I wish/hope it's fixed in this version that MSE scans would prevent the computer from going to sleep if a scan is running and it's not on battery.

Posted Apr 25, 2012 14:24
Got a new one in yesterday. One of the fake HDD antiviruses. It would BSOD the computer when running any virus scan. Pulled the drive and ran MSE on it, and it got rid of a variant of Alureon and a bunch of other stuff. Now I'm left with cleaning up after it (unhiding files, fixing the start menu), and there's one issue I can't for the life of me figure out. The virus has screwed with font rendering where, only in certain programs and dialog boxes, no text is rendered (or if it's rendered you can't read it). I've tried resetting font settings, resetting the theme, messing around with DPI and accessibility options, to no avail. SFC found no integrity violations with any system files. I tried creating a new user profile and it does the same thing. The biggest issue is probably the Internet Options dialog. It shows all the GUI controls and all the icons, but not a single bit of text. It's a customer's computer and they have a bunch of junk on it, so I'm trying to avoid a flatten & reinstall if at all possible. I should also mention that things such as the ClearType tuner will open and then lock up or crash explorer.

Posted Apr 26, 2012 17:39
Does anyone know what to do with a Windows 7 box that constantly goes into repair mode, no cause identified, and an SFC /scannow doesn't find any problems?

Posted Apr 26, 2012 18:50
Maniaman posted: Got a new one in yesterday. One of the fake HDD antiviruses. It would BSOD the computer when running any virus scan. Pulled the drive and ran MSE on it, and it got rid of a variant of Alureon and a bunch of other stuff.

Have you replaced all the files in the font folder? It's possible they were hosed up somehow. Any custom fonts they have installed they'll have to do again; just copy the font folder from a clean install over it so you don't run into any legal issues if you have purchased fonts. The font files might also be on the Windows disc, easy enough to just drag out if you don't have a clean install.

Posted Apr 26, 2012 20:18
Maniaman posted: Got a new one in yesterday. One of the fake HDD antiviruses. It would BSOD the computer when running any virus scan. Pulled the drive and ran MSE on it, and it got rid of a variant of Alureon and a bunch of other stuff.

sfc?

Posted Apr 27, 2012 07:15
repeating posted: sfc?

http://www.com????

Posted Apr 27, 2012 07:50