m2pt5
May 18, 2005

THAT GOD DAMN MOSQUITO JUST KEEPS COMING BACK

mindphlux posted:

http://www.com????

I believe repeating was referring to System File Checker.


Maniaman
Mar 3, 2006
System File Checker/SFC found no integrity violations.

Interestingly enough, the problem fixed itself when Windows Update installed Windows 7 SP1.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Finally ran across someone who was targeted by one of those cold-call "tech support" calls. I facepalmed when the help desk contacted me, but then something miraculous happened. The user DIDN'T let the person into their machine and actually hung up on them AFTER writing down the number they called from. Apparently they were watching the news the night before and it had run a story on this exact scam, so they were aware enough to know that the person calling was full of poo poo. It made me so drat happy I almost shed a single tear/thought about ordering a medal to send them.

repeating
Nov 14, 2005

m2pt5 posted:

I believe repeating was referring to System File Checker.

Correct. My bad.


On the subject of the tech support cold calls, I've had people having them from "Norton", "Microsoft", and "HP" so far. The "Microsoft" rep told the customer they were calling because system errors were detected, and directed them to Event Viewer. They showed them all the scary yellow Warnings and red Errors and told them their computer was basically dying and wanted $400 for a yearly plan.

This is why I immediately hide the column with the icons if I'm ever in Event Viewer while remoted into a computer that a user is looking at.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Been seeing a lot of ZeuS activity pick up in my neck of the woods lately, 4th one I've had to remove in 2 days. They're also very conscious about how often they need to repack as well; none of the major AV vendors have detected these Zbot executables when passing them through VirusTotal.

Naramyth
Jan 22, 2009

Australia cares about cunts. Including this one.
Watch out for your android users who know enough to be dangerous

http://arstechnica.com/gadgets/news/2012/05/android-users-targeted-for-the-first-time-in-drive-by-download-attacks.ars

lunar detritus
May 6, 2009


What are the best tools for cleaning a computer in 2012?
I remember SUPERAntiSpyware was excellent many years ago, is that still true?

Dilbert As FUCK
Sep 8, 2007

by Cowcaster
Pillbug

gmq posted:

What are the best tools for cleaning a computer in 2012?
I remember SUPERAntiSpyware was excellent many years ago, is that still true?

I go Combofix=>SAS=>TDSSKiller
Then CCleaner Temp and Registry

Avalanche
Feb 2, 2007
Just got hit with the fake antivirus Trojan through a loving SA banner ad. MSE picked it up and removed it. It calls itself: Rogue:JS/FakePAV
I'm running windows 8 too with IE10...

Gonna reboot and do a full scan. Hopefully it won't reappear somewhere else. Not that it matters since this PC is getting a full format once the new Win 8 build is released.

pokecapn
Oct 17, 2003

yeah, galo sengen

Avalanche posted:

Just got hit with the fake antivirus Trojan through a loving SA banner ad. MSE picked it up and removed it. It calls itself: Rogue:JS/FakePAV
I'm running windows 8 too with IE10...

Gonna reboot and do a full scan. Hopefully it won't reappear somewhere else. Not that it matters since this PC is getting a full format once the new Win 8 build is released.

You didn't actually download any virus, the real virus would have been the executable that page would have recommended you download and run.

Dante
Feb 8, 2003

So I got hit with smarthdd on my work computer somehow (ads :argh:), is there a set protocol on how to remove this thing? I've scanned the past pages of this thread and googled around but there's roughly a million different recommendations using as many different programs and people keep complaining that it pops back up.

Bokito
Jul 25, 2007
Going Ape
I always use BleepingComputer.com:

http://www.bleepingcomputer.com/virus-removal/remove-smart-hdd

Dilbert As FUCK
Sep 8, 2007

by Cowcaster
Pillbug
If you use Avira in the workplace, delay the patch:
http://www.maximumpc.com/article/news/bad_avira_antivirus_update_brings_windows_pcs_stand_still

otherwise have fun fixing everything tomorrow

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
http://labs.bitdefender.com/2012/05/no-more-root-kit-in-zeroaccess/

I'd like to think this is a good thing, but the negative side of me wants to believe it is because they're revising the component while just operating without the rootkit for a bit :(

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
http://www.securelist.com/en/blog?weblogid=208193522

Looks like the AV vendors are going buck wild over the latest "cyber attack" malware package that has been discovered although they're dating its first signs of infection going back as far as 2010. It is neat but they really fire up the hype on this stuff every time it happens. Still kind of unique in regards to how much functionality it has. 20 different plugins and the payload seems to be different from target to target. Guessing the higher profile or sought after target gets the additional programs deployed to them compared to your average user that got it installed on their home PC.

Dogen
May 5, 2002

Bury my body down by the highwayside, so that my old evil spirit can get a Greyhound bus and ride
I had a run-in with System Fortress 2012 yesterday that was odd. It seems like when I got malwarebytes up and running using chameleon, the virus just uninstalled itself or something, because malwarebytes claimed not to pick up anything. The virus was gone, though, just leaving behind some trace crap like a start button icon. Mysterious. I guess it would make sense as a "poo poo I've been beaten don't analyze me" kind of thing, but I've never seen that behavior before, although admittedly I don't do a lot of virus removal these days.

Sab669
Sep 24, 2009

Hex Darkstar posted:

http://www.securelist.com/en/blog?weblogid=208193522

Looks like the AV vendors are going buck wild over the latest "cyber attack" malware package that has been discovered although they're dating its first signs of infection going back as far as 2010. It is neat but they really fire up the hype on this stuff every time it happens. Still kind of unique in regards to how much functionality it has. 20 different plugins and the payload seems to be different from target to target. Guessing the higher profile or sought after target gets the additional programs deployed to them compared to your average user that got it installed on their home PC.

We actually just had a brief discussion about Flame here at work, and I dunno, maybe it's just ignorance but I don't get what's so impressive about it. Screenshots and a keylogger? NO WAY!!

I guess the fact that it can turn on a microphone and transmit audio is kind of impressive, but people can turn on webcams and do the same with video so I didn't think anything of it.

What's really the significance, here?

edit; I forgot it can attack Bluetooth devices - that was actually pretty cool.

Sab669 fucked around with this message at 15:28 on May 30, 2012

Independence
Jul 12, 2006

The Wriggler

Sab669 posted:

We actually just had a brief discussion about Flame here at work, and I dunno, maybe it's just ignorance but I don't get what's so impressive about it. Screenshots and a keylogger? NO WAY!!

I guess the fact that it can turn on a microphone and transmit audio is kind of impressive, but people can turn on webcams and do the same with video so I didn't think anything of it.

What's really the significance, here?

edit; I forgot it can attack Bluetooth devices - that was actually pretty cool.

You can swap parts that you need in and out of the virus and it uses encryption. It's pretty sophisticated in that it can be tailored on the fly.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
That kind of functionality isn't new though, ZeroAccess and ZeuS/Spyeye all have module based components that can be added or removed on the fly. There's a few others as well, I believe TDL3 or TDL4 went to a modular system where it could be upgraded/downgraded in terms of functionality from the C&C servers to the infected endpoints.


http://www.scmagazineuk.com/united-nations-to-issue-warning-on-flame/article/243329/

United Nations is issuing an advisory regarding Flame :psyduck:

Hex Darkstar fucked around with this message at 21:22 on May 30, 2012

fatjoint
Sep 28, 2005
Fatjoint
The difference in this one is the use of the LUA script AND the level of sophistication. It's like finding a terrorist bomb, but when you go to defuse it it's built completely differently than you've encountered previously.

It says there's someone new out there trying to manufacture a very modular virus, very sophisticated virus - a weaponized virus.


http://www.networkworld.com/news/2012/053012-flame-malware-all-you-need-259713.html?hpg1=bn

fatjoint fucked around with this message at 21:49 on May 30, 2012

fatjoint
Sep 28, 2005
Fatjoint
Can one of you guys who deals with a lot of nasty stuff post a comprehensive "This is my tool set" post?

I know this is sad, but after I moved to server operations in IT land several years ago I haven't had to deal with a single virus issue, and since I'm so out of date, if something were to happen at work and a server actually became infected, I feel afraid that I wouldn't be able to deal with it...


Thanks,

angrytech
Jun 26, 2009

fatjoint posted:

I feel afraid that I wouldn't be able to deal with it...


Thanks,

If a server is infected, anything short of flatten/reinstall is asking for trouble.

Dyscrasia
Jun 23, 2003
Give Me Hamms Premium Draft or Give Me DEATH!!!!

angrytech posted:

If a server is infected, anything short of flatten/reinstall is asking for trouble.

Heck, if it's worse than just the user account being infected, i.e. the virus does not run when you log in as the admin, I just reinstall anyway. My reimaging process is quicker than dicking around fixing the virus. Of course with remote stuff, it's not so easy.

Gothmog1065
May 14, 2009
I figured this would be the best place to ask, but a co worker sent this link to our entire department. Sorry it's the mobile version, but that's what he gave.

This sounds like Conficker in a way, but is this bullshit? The logistics of it just don't seem possible.

angrytech
Jun 26, 2009

Gothmog1065 posted:

I figured this would be the best place to ask, but a co worker sent this link to our entire department. Sorry it's the mobile version, but that's what he gave.

This sounds like Conficker in a way, but is this bullshit? The logistics of it just don't seem possible.

No it's legit. It's the DNSChanger virus.

vx15i
Feb 9, 2003
Is what bullshit? DNSChanger is a trojan.

Gothmog1065
May 14, 2009

angrytech posted:

No it's legit. It's the DNSChanger virus.

Thanks, got a google hit with the FBI website. Trying to figure out impact and stuff from work since the guy who gave the link gave nothing else.
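For anyone doing the same impact check across a fleet, here is an added example (not something posted in the thread) that reads the DNS servers configured on each adapter and flags any inside the rogue resolver ranges. The six ranges below are the ones I recall from the FBI's DNSChanger notice; confirm them against the advisory before acting on a hit, and treat the registry key names as the standard TCP/IP interface locations rather than anything the thread states.

```powershell
# Added example, not from the thread: flag configured DNS servers that fall in
# the address ranges the FBI's DNSChanger notice listed for the rogue resolvers.
# Ranges reproduced from memory of that notice; verify before relying on them.

function ConvertTo-UInt32Ip {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)               # network order -> host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

$RogueRanges = @(
    @{ Start = '85.255.112.0'; End = '85.255.127.255' },
    @{ Start = '67.210.0.0';   End = '67.210.15.255' },
    @{ Start = '93.188.160.0'; End = '93.188.167.255' },
    @{ Start = '77.67.83.0';   End = '77.67.83.255' },
    @{ Start = '213.109.64.0'; End = '213.109.79.255' },
    @{ Start = '64.28.176.0';  End = '64.28.191.255' }
)

function Test-RogueDns {
    param([string]$Ip)
    $n = ConvertTo-UInt32Ip $Ip
    foreach ($r in $RogueRanges) {
        if ($n -ge (ConvertTo-UInt32Ip $r.Start) -and $n -le (ConvertTo-UInt32Ip $r.End)) {
            return $true
        }
    }
    return $false
}

$hits = @()

# What the adapters are actually using right now (WMI works on Windows 7 era
# hosts without the NetTCPIP module).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $adapter = $_.Description
    foreach ($dns in ($_.DNSServerSearchOrder | Where-Object { $_ })) {
        if (Test-RogueDns $dns) {
            $hits += New-Object PSObject -Property @{ Adapter = $adapter; DnsServer = $dns }
        }
    }
}

# The per-interface registry values, which is where a static DNS override lands.
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem $ifKey | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        $val = $props.$name
        if (-not $val) { continue }
        foreach ($dns in ($val -split '[ ,]+' | Where-Object { $_ })) {
            if (Test-RogueDns $dns) {
                $hits += New-Object PSObject -Property @{ Adapter = $_.PSChildName; DnsServer = $dns }
            }
        }
    }
}

if ($hits) {
    $hits | Format-Table Adapter, DnsServer -AutoSize
    exit 1
} else {
    'No DNS server inside the DNSChanger ranges.'
}
```

Run it elevated on each suspect box; a non-zero exit makes it easy to wrap in whatever remote-execution tool you already push scripts with. A hit only tells you the resolver setting was changed; the machine still needs to be cleaned and the DNS settings restored, and a router with changed DNS settings will not show up here at all.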

mindphlux
Jan 8, 2004

by R. Guyovich

fatjoint posted:

Can one of you guys who deals with a lot of nasty stuff post a comprehensive "This is my tool set" post?

I know this is sad, but after I moved to server operations in IT land several years ago I haven't had to deal with a single virus issue, and since I'm so out of date, if something were to happen at work and a server actually became infected, I feel afraid that I wouldn't be able to deal with it...


Thanks,

this isn't comprehensive, but my standard attack vector is boot safe mode then

rkill -> fixTDSS/TDSSkiller -> combofix -> MBAM

if I run into anything major combofix can't handle, I'll research and bring out virus-specific tools, or if it's horrible usually recommend just flattening the system, since it works out to be more cost effective for clients.

would love to hear other people's attack plans though, since this is just what has been working for me, and by no means definitive.

MeruFM
Jul 27, 2010
I feel like the scarier part of Flame isn't so much that it's so complex and dangerous, but that it's obviously made by a professional team. SQL for storage, managed library use, script language with C extensions, and extremely modular.
Not to mention it seems like a pretty targeted virus.

It would be interesting to see how this kind of code stacks up to the hacker style which is enigmatic to me.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
http://www.foxnews.com/scitech/2012/05/30/powerful-flame-cyberweapon-tied-to-powerfully-angry-birds/

And now for something completely hilarious. Yes the title specifically states "Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game" their reason? Both use LUA scripting. poo poo I guess Blizzard is in bed with them too since their UI mods use LUA too oh god i've been supporting cyber warfare!

m2pt5
May 18, 2005

THAT GOD DAMN MOSQUITO JUST KEEPS COMING BACK

Hex Darkstar posted:

http://www.foxnews.com/scitech/2012/05/30/powerful-flame-cyberweapon-tied-to-powerfully-angry-birds/

And now for something completely hilarious. Yes the title specifically states "Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game" their reason? Both use LUA scripting. poo poo I guess Blizzard is in bed with them too since their UI mods use LUA too oh god i've been supporting cyber warfare!

Garry's Mod uses Lua heavily as well. (It's not an abbreviation, all-caps is wrong.)

I don't think much can properly be said about this article outside of ":foxnews: :lol:".

Hex Darkstar
May 28, 2004

I think I need another liver transplant.

m2pt5 posted:

(It's not an abbreviation, all-caps is wrong.)


:doh: whoops!

Yeah, everyone at the office seems to be getting a laugh out of that article, plenty of "Well it is Fox News, what else would they publish? Something with merit or legitimate facts? Nah"

bbcisdabomb
Jan 15, 2008

SHEESH

Hex Darkstar posted:

powerful-flame-cyberweapon-tied-to-powerfully-angry-birds


I was really surprised when this went to Fox News instead of The Onion.

lunar detritus
May 6, 2009


Goddamnit, I got infected by "Security Shield" and I have no idea how it happened. First virus in years. :argh:

And apparently now I'm infected by Zeroaccess. :argh:

Hex Darkstar
May 28, 2004

I think I need another liver transplant.

bbcisdabomb posted:

I was really surprised when this went to Fox News instead of The Onion.

I didn't even notice that, not just angry birds but powerfully angry birds

gmq posted:

Goddamnit, I got infected by "Security Shield" and I have no idea how it happened. First virus in years. :argh:

And apparently now I'm infected by Zeroaccess. :argh:


Thankfully ZeroAccess is being distributed without the rootkit component so it is a bit easier to disinfect a machine. I think Malwarebytes is able to do it with just a single quick scan so that might be worth tossing on the machine to do the cleanup then just uninstall it when done. TDSSKiller seems to fail at detecting and cleaning the usermode infection (what is currently being distributed) so it isn't really worth running.

Chances are if you enable hidden/system files on your machine and go to C:\Windows\installer you'll see a hidden folder in there named {<random CLSID here>}, it won't be the only one with that naming convention but it should be one of few folders in that location that have the hidden/system attribute set. If ya open it up and see a folder named U and a file named "n" you've found where it is lurking. It may also throw itself into %userprofile%\AppData\Local\{<same CLSID as other>}

Hex Darkstar fucked around with this message at 22:36 on Jun 5, 2012

jimmsta
Oct 24, 2004

Shedding bell-end tears in the pocket of her resistance.
Grimey Drawer

Hex Darkstar posted:

I didn't even notice that, not just angry birds but powerfully angry birds



Thankfully ZeroAccess is being distributed without the rootkit component so it is a bit easier to disinfect a machine. I think Malwarebytes is able to do it with just a single quick scan so that might be worth tossing on the machine to do the cleanup then just uninstall it when done. TDSSKiller seems to fail at detecting and cleaning the usermode infection (what is currently being distributed) so it isn't really worth running.

Chances are if you enable hidden/system files on your machine and go to C:\Windows\installer you'll see a hidden folder in there named {<random CLSID here>}, it won't be the only one with that naming convention but it should be one of few folders in that location that have the hidden/system attribute set. If ya open it up and see a folder named U and a file named "n" you've found where it is lurking. It may also throw itself into %userprofile%\AppData\Local\{<same CLSID as other>}

Oh cool, you ran into the same variant as I did last week. I ended up using universal virus sniffer from http://dsrt.dyndns.org to eradicate it. That's one of my favorite tools for this sort of malware removal.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Yeah, I'm not sure if they ran into complications with the rootkit component of it, but for at least the past 3+ weeks it has changed its distribution method to include only the user mode infection, even on admin privileged accounts.

Not sure if that is because they're overhauling the component to be more compatible within x64 environments. It had support, but it was super easy to get rid of since it almost always relied on the same named DLL each time (C:\Windows\System32\consrv.dll), so that was almost a universal sign that the machine has been bad-touched by ZeroAccess. I don't think it is for that reason, mostly because the 32-bit version is also only releasing the user mode component rather than the full-blown rootkit, so I guess we'll just wait and see.
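The two posts above give a concrete on-disk pattern for the user-mode variant (a hidden+system, GUID-named folder under C:\Windows\Installer or AppData\Local holding a "U" folder and an "n" file) and the consrv.dll name from the older rootkit build. The script below is an added example, not something anyone posted, that checks all of those locations in one pass. It assumes profiles live under \Users and that the names quoted above are exact.

```powershell
# Added example, not from the thread. Hunts for the ZeroAccess user-mode
# artifacts described above (GUID-named hidden/system folder with a "U" folder
# and an "n" file under \Windows\Installer or a profile's AppData\Local) and
# the consrv.dll the older rootkit variant used. Run from an elevated prompt.
# Assumption: user profiles are under %SystemDrive%\Users.

$guidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

$roots = @("$env:SystemRoot\Installer")
$profiles = Get-ChildItem "$env:SystemDrive\Users" -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer }
foreach ($p in $profiles) { $roots += Join-Path $p.FullName 'AppData\Local' }

$findings = @()
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # -Force is required, otherwise hidden/system folders are silently skipped.
    $dirs = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $guidName }
    foreach ($d in $dirs) {
        $hidden = (($d.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        $system = (($d.Attributes -band [IO.FileAttributes]::System) -ne 0)
        $hasU   = Test-Path (Join-Path $d.FullName 'U') -PathType Container
        $hasN   = Test-Path (Join-Path $d.FullName 'n') -PathType Leaf
        # Legitimate MSI cache folders under \Installer are GUID-named too, so
        # only report entries that match more of the pattern than the name.
        if (($hidden -and $system) -or $hasU -or $hasN) {
            $findings += New-Object PSObject -Property @{
                Path         = $d.FullName
                HiddenSystem = ($hidden -and $system)
                HasU         = $hasU
                HasN         = $hasN
            }
        }
    }
}

# Older rootkit-bearing variant: the DLL name mentioned above.
$consrv = Join-Path $env:SystemRoot 'System32\consrv.dll'
if (Test-Path $consrv) {
    $findings += New-Object PSObject -Property @{
        Path = $consrv; HiddenSystem = $false; HasU = $false; HasN = $false
    }
}

if ($findings) {
    $findings | Format-Table Path, HiddenSystem, HasU, HasN -AutoSize
} else {
    'No ZeroAccess-style artifacts found in the checked locations.'
}
```

A folder that is hidden+system but has neither "U" nor "n" is worth a second look rather than an automatic verdict, since the listing deliberately errs toward reporting. This finds the files; it does not clean them, so follow it with the Malwarebytes run described above and re-run it afterwards to confirm the folders are gone.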

lunar detritus
May 6, 2009


Malwarebytes worked after a couple of reboots (for some reason it kept detecting the same stuff after deleting/rebooting), thanks. It did screw with Windows Firewall though, it doesn't allow me to start its service. Same for MSE.

I was able to reinstall MSE but I have been unable to fix the firewall thing.

EDIT: I was able to fix it, apparently it was a permissions issue. :iiam:

Maybe what else it hosed up, the situation doesn't fill me with confidence. And I still have no idea how I got infected, I don't remember downloading anything weird lately.

lunar detritus fucked around with this message at 01:57 on Jun 6, 2012

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
Might not have been something you downloaded, when was the last time you updated Java, Flash and Acrobat? A lot of this poo poo spreads by drive-by download through malicious ads. ZeroAccess did spread as cracks/other poo poo on random download sites though, so that is another easy way of getting it. Crack for random program is modified to contain a dropper for ZeroAccess, and then bam, that's all she wrote.

Older versions of ZeroAccess used to target known security programs and reset the NTFS permissions of the files to nothing/everyone and remove the "System" user from it so that it could not start as a system service. It might be doing the same again in newer versions.

I've also found instances where the malware that dropped it also made modifications to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options". It will add the name of the executable (mcshield.exe, MsMpEng.exe, mbamservice.exe etc.) there and set its own executable as a debugger for that program. Whenever you try to execute it, the program will then disallow you from running those applications. This also breaks poo poo if you remove the malware, because the debugger is no longer there and then it just won't let you open the file, so either way, until the key is removed that program is useless. Very annoying because it sometimes adds regedit as one of them, so you usually have to dick around with renaming it or using an alternate program to first remove regedit.exe's entry and then proceed to clean up after that.
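Both of the sabotage tricks in the post above (an IFEO "Debugger" value pointing security tools at the malware, and service binaries stripped of their SYSTEM permissions) can be checked without touching regedit. The script below is an added example, not from the thread; the service names it looks at are my assumptions for MSE, Windows Firewall, Malwarebytes and McAfee and should be adjusted to whatever is actually installed.

```powershell
# Added example, not from the thread. Lists Image File Execution Options
# entries that carry a Debugger value (the hijack described above) and checks
# whether SYSTEM still holds an Allow ACE on a few security service binaries.
# Service names are assumptions; adjust for what is installed. Run elevated.
# It never launches regedit.exe, so it works even when regedit has been given
# a bogus Debugger entry. -Remove deletes Debugger only from the watched images.
param([switch]$Remove)

$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Images the post above names as targets.
$watch = 'mcshield.exe', 'MsMpEng.exe', 'mbamservice.exe', 'regedit.exe'

$hijacks = foreach ($key in Get-ChildItem $ifeo) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        New-Object PSObject -Property @{
            Image    = $key.PSChildName
            Debugger = $dbg
            Watched  = ($watch -contains $key.PSChildName)
            KeyPath  = $key.PSPath
        }
    }
}

# Every Debugger value deserves a look, but some are legitimate (Process
# Explorer's "replace Task Manager" uses this mechanism), so read the path
# before deleting anything you did not expect.
if ($hijacks) { $hijacks | Format-Table Image, Debugger, Watched -AutoSize }
else          { 'No Debugger values under IFEO.' }

if ($Remove) {
    foreach ($h in ($hijacks | Where-Object { $_.Watched })) {
        Remove-ItemProperty -Path $h.KeyPath -Name Debugger
        "Removed Debugger from $($h.Image)"
    }
}

# Service binaries: a missing SYSTEM Allow ACE matches the permission damage
# described above and explains a service that refuses to start.
$services = 'MsMpSvc', 'MpsSvc', 'MBAMService', 'McShield'   # assumed names
foreach ($name in $services) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { continue }
    # PathName is either "quoted path" [args] or bare path [args]; keep the exe only.
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($svc.PathName -split ' ')[0] }
    if (-not (Test-Path $exe)) { "$name : binary not found at $exe"; continue }
    $allow = (Get-Acl $exe).Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow'
    }
    if ($allow) { "$name ($($svc.State)): SYSTEM Allow ACE present on $exe" }
    else        { "$name ($($svc.State)): SYSTEM has no Allow ACE on $exe" }
}
```

Run it once to see what is there, then with -Remove after you have confirmed the Debugger paths are the malware and not a tool you installed. For a binary with no SYSTEM ACE, icacls with /reset on the file (or restoring the inherited permissions from the parent folder) is the usual fix; the service will not start until that is done, whichever AV product it belongs to.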


Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

It's not the case any longer but knowing about regedt32 saved my bacon a couple of times with that.
