Tapedump
Aug 31, 2007
College Slice
Has anyone seen zeroaccess on a Win7x64 machine?

I just got a system that, even in Safe Mode, will not allow rkill or its renamed variants to run, nor TDSKiller, etc.

Running Combofix (which removed <userfolder>\g2mdhlpx.exe and %windir%\syswow64\msnphoto.scr) has allowed other tools to be used, but this is my first real experience with a rootkit on a Win7x64 system.

I mention zeroaccess because at some early point I got SAS to run a quick scan and I believe that's where I saw a reg key mentioned labeled 0access.

Maniaman
Mar 3, 2006
I see rootkits on Windows 7 x64 machines quite often in my repair shop. It's almost as bad as 32-bit machines now.

These virus writers are doing a darn good job figuring out ways to get around DEP/SEHOP/ASLR, and driver signature enforcement.

Tapedump
Aug 31, 2007
College Slice
When did we first see rootkits on 7x64?

tjl
Aug 6, 2005

Tapedump posted:

When did we first see rootkits on 7x64?
Personally, I recall seeing them over a year ago for the first time. I still see far fewer x64 systems being infected. Not sure if it's due to the extra security offered or simply because there aren't as many x64 PCs compared to x86.

Tapedump
Aug 31, 2007
College Slice
After examining the system, it was found to have UAC disabled and was running IE8. I suspect the former to be a significant factor.

Khablam
Mar 29, 2012

Tapedump posted:

After examining the system, it was found to have UAC disabled and was running IE8. I suspect the former to be a significant factor.
It wouldn't matter, in all likelihood: Zeroaccess will manipulate Windows' DLL loading with a fake version of Flash so that the user popup asks the user whether to allow this action from the trusted program, Adobe Flash Player.

It's really quite ingenious.

Revitalized
Sep 13, 2007

A free custom title is a free custom title

Lipstick Apathy
Welp, I just got hit by a "Live Security Platinum" which apparently might be Sirefef in disguise?

It started screwing with me, so I ended up doing a hard reset into Safe Mode with Networking. Once in Safe Mode I realized my MSE was disabled and I couldn't seem to get it to work. However, MSE isn't the only thing I keep around, as I also have MalwareBytes installed. I give MalwareBytes a run; it finds a bunch of things and kicks them out (Trojan.Lameshield, Live Security Platinum stuff). I reinstall MSE, give it a run, and it also finds a bunch of things (which is how I noticed the name Sirefef).

As far as I can tell right now, I think my computer is relatively clean at the moment. Unfortunately, while my reinstalled MSE works, my Windows Firewall and Defender do not. I get these errors that they are simply unable to run, and they seem to hint that they simply don't exist anymore, as if the virus either uninstalled or corrupted them somehow.

One final thing that bugged me was this "Windows has encountered a critical error and will restart in a minute" message, followed by a hard reset. I *think* I fixed this by somehow managing to reach a startup repair menu after resetting during the startup process. After letting it do its thing, I haven't encountered this error again.

I did a little googling and the few suggestions there are didn't seem to work, and the rest are saying I need to reinstall windows. I currently don't know where my disc is, and I don't know where I wrote my product key down (I got it from microsoft for being in my college's CS department but I no longer have access)

So basically... any ideas or am I boned as far as being protected goes? (The rest of my computer seems to be operational at the moment, I don't think anything else is broken) I suppose I could use a 3rd party for my firewall or whatever, but ever since AVG became non-recommended I've just been using Microsoft's.

Tapedump
Aug 31, 2007
College Slice
Without hyperbole, you have at least three major reasons to re-install.

syscall girl
Nov 7, 2009

by FactsAreUseless
Fun Shoe

Tapedump posted:

Without hyperbole, you have at least three major reasons to re-install.

Damnit Ozma, we need :onlyoption: now more than ever. :argh:

Revitalized
Sep 13, 2007

A free custom title is a free custom title

Lipstick Apathy
Well I suppose it was due time to reformat my C partition anyways. Now I just need a working dvd burner and a way to get my product key out of my windows installation. :sigh:

NecessaryEvil
Aug 10, 2006
Professional Slacker
I ran into an infection just like that a month or two ago. The Windows Defender Offline disc was able to clear the infection, but I'd probably only trust that just enough to pull my data and reformat it.


Incidentally: System information for Windows will show you your licenses. Magic JellyBean Keyfinder seems to be having issues with more modern software (or so I'm told)

univbee
Jun 3, 2004




Revitalized posted:

Well I suppose it was due time to reformat my C partition anyways. Now I just need a working dvd burner and a way to get my product key out of my windows installation. :sigh:

Recovering the product key can be done from another computer with ProduKey, most likely by throwing the drive into a USB enclosure. If the OS is Vista or 7, you can make a USB key installer. You can also do it with XP, but it's unsupported and a lot more difficult to get working correctly.

A Real Happy Camper
Dec 11, 2007

These children have taught me how to believe.
Sirefef is pretty nasty, my desktop got hit by it and I can't get windows update to work properly anymore. I'd do a reformat but I don't have the space for my backups or enough bandwidth in a month to redownload things. :sigh:

Tapedump
Aug 31, 2007
College Slice
Make and move stuff to a secondary partition, then blow away the OS partition.

Yakse
May 19, 2006
If I may take off my actor pants for a moment and pull my Analrapist stocking over my head.....
http://blog.crosbydrive.com/?p=265

Has some instructions/links for fixing BFE/windows firewall/windows updates that zeroaccess likes to gently caress with. Including copies of the standard registry entries for xp/vista/7.

alanthecat
Dec 19, 2005

What's a nice virus I can use to test MS Security Essentials? I want to see what its logs look like so I can consider building a tool for checking all our PCs for detections. Yes, we have less than ten. Or does anyone know of such a tool already?

Nintendo Kid
Aug 4, 2011

by Smythe

alanthecat posted:

What's a nice virus I can use to test MS Security Essentials? I want to see what its logs look like so I can consider building a tool for checking all our PCs for detections. Yes, we have less than ten. Or does anyone know of such a tool already?

Well here's some files that MSE will detect viruses in: http://cd.textfiles.com/htoolbox/virus/

syscall girl
Nov 7, 2009

by FactsAreUseless
Fun Shoe
If you want to find a virus that's a little more in the wild, torrent anything with a keygen. I'm pretty sure no one's ever written one of those that wasn't also a trojan.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Go to Web of Trust (mywot.com) and click on the 'community' tab. This will show all the latest ratings by members, and there's usually some 'detected spyware x on this domain' postings. There's also dedicated threads in their forums for listing blackhole/zeus/quai.jar/etc. nets. Hp Hosts (http://hosts-file.net/) maintains a list of 'bad' sites in a downloadable hosts file as well.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.

alanthecat posted:

What's a nice virus I can use to test MS Security Essentials? I want to see what its logs look like so I can consider building a tool for checking all our PCs for detections. Yes, we have less than ten. Or does anyone know of such a tool already?

If you're looking for live malware samples, see http://kernelmode.info under the malware section.

All archives uploaded to the site are password protected, but once extracted they can and will infect a system if you mistakenly run them with a misclick, so it's best to work with them inside a VM/sandbox environment.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.

Revitalized posted:

Welp, I just got hit by a "Live Security Platinum" which apparently might be Sirefef in disguise?


One final thing that bugged me was this "Windows has encountered a critical error and will restart in a minute" message, followed by a hard reset. I *think* I fixed this by somehow managing a startup repair menu after reseting during the startup process. After letting it do it's thing, I haven't encountered this error again.


Live Security Platinum sometimes drops Sirefef alongside the FakeAV component. They're different infections, but bundled.

This is caused by MSE killing services.exe due to Sirefef replacing it with an infected version of itself. It can be restored by using ESET's Services Repair Tool; they also have a Sirefef Removal Tool.

As obnoxious as this version of Sirefef is, I'll take it over the rootkit version any day. On 32-bit Win XP that infection was a beast if the user was an admin on their system.

edit: damnit meant to edit my original post. oh well.

Nerdlord Actual
Apr 14, 2007

Awaken to your true self with Wisconsin Potatoes
Grimey Drawer
Cripes. Just got off a familial tech support call. Mom's laptop picked up a stupid resilient strain of Windows Activeguard that both nuked task manager and replaced it with itself and loads itself up into safe mode unannounced.

That's beyond my meager ken. :(

Revitalized
Sep 13, 2007

A free custom title is a free custom title

Lipstick Apathy

Hex Darkstar posted:

Live Security Platinum sometimes drops Sirefef alongside the FakeAV component. They're different infections, but bundled.

This is caused by MSE killing services.exe due to Sirefef replacing it with an infected version of itself. It can be restored by using ESET's Services Repair Tool; they also have a Sirefef Removal Tool.

As obnoxious as this version of Sirefef is, I'll take it over the rootkit version any day. On 32-bit Win XP that infection was a beast if the user was an admin on their system.

edit: damnit meant to edit my original post. oh well.

The repair tool did something but it didn't seem to change anything for the windows Firewall, nor does it let MSE update. :(

Khablam
Mar 29, 2012

Revitalized posted:

The repair tool did something but it didn't seem to change anything for the windows Firewall, nor does it let MSE update. :(

Combofix will get the firewall up again - MSE might be stalling as certain Windows services are dependencies and also likely stopped. If combofix won't get them working again you can either track down each non-functioning component and look up a fix, or just accept the inevitable re-install.

An Ounce of Gold
Jul 13, 2001

by Fluffdaddy

Hex Darkstar posted:

Live Security Platinum sometimes drops Sirefef alongside the FakeAV component. They're different infections, but bundled.

This is caused by MSE killing services.exe due to Sirefef replacing it with an infected version of itself. It can be restored by using ESET's Services Repair Tool; they also have a Sirefef Removal Tool.

As obnoxious as this version of Sirefef is, I'll take it over the rootkit version any day. On 32-bit Win XP that infection was a beast if the user was an admin on their system.

edit: damnit meant to edit my original post. oh well.

Thank you. I've been trying to get rid of that for a week now, refusing to reinstall. :) Running these in safe mode and then MBAM seemed to take care of the issue. I had Sirefef and BCminer going, taking up my processing power and my bandwidth. E: If anyone wants to know, I got it off of a streaming video site when it wanted me to update my Flash player. Of course I know better and should have immediately gone to adobe.com to check and see if my Flash version was outdated, but I didn't and I got hit like a dope.

Question about Combofix, because I'm not quite sure how to use it even after reading through MBAM tech support threads. I installed the program, but any time I use it I just get a cmd box that sits there. Pretend I'm a moron who has gotten used to apps having big shiny "start" buttons, but how the hell do you use this thing?

E2: I keep staring at my resource monitor waiting for something to go wrong, but nope, it worked brilliantly. Thanks again Hex.

An Ounce of Gold fucked around with this message at 23:36 on Jul 30, 2012

Hex Darkstar
May 28, 2004

I think I need another liver transplant.

SymfonyMan posted:

I got it off of a streaming video site when it wanted me to update my Flash player. Of course I know better and should have immediately gone to adobe.com to check and see if my Flash version was outdated, but I didn't and I got hit like a dope.



This is actually very common when it comes to Sirefef (although it's not the only infection to do this). Usually the installer is a legitimately signed copy of "install_flash_player.exe", but the exe is paired with a malicious file named "msimg32.dll", which, if it's in C:\Windows\System32, is a legit file.

The way installers work in Windows is that, unless a file's path is hard-coded in the installer, it looks in the local directory the installer is running from BEFORE looking in the usual place the file resides. So when install_flash_player.exe runs, it looks in its local directory, finds the malicious msimg32.dll and imports that instead of the one in C:\windows\system32, and then the machine gets infected.

It's actually very devious and a phenomenal social engineering technique given how often it succeeds... not to pat the malware writers on the back or anything.

edit: Also no problem glad something I post is of use here and there ;)
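The search-order point in the post above, as an added illustration in Python (not code from the thread or from any tool named in it): a check that flags DLLs dropped beside an installer whose names collide with DLLs normally loaded from System32, and compares hashes against the system copy when one is available. Windows resolves a bare DLL name from the executable's own directory before System32 unless the name is on the KnownDLLs list, which is why a planted msimg32.dll wins. The download folder, its file contents and the DLL names other than msimg32.dll are constructed for the demo; on a real machine you would point it at the user's Downloads folder and C:\Windows\System32.

```python
"""Flag DLLs dropped beside an installer that shadow same-named system DLLs.

Added example for the msimg32.dll trick described above; not code from the
thread. When an executable imports a DLL by bare name and that name is not on
the KnownDLLs list, Windows looks in the executable's own directory before
System32, so a msimg32.dll next to install_flash_player.exe is the one that
loads. Directory names, file contents and the extra DLL names below are
constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# DLL names that should normally resolve from System32. msimg32.dll is the
# one from the post; the others are assumed examples of sideload targets.
SYSTEM_DLL_NAMES = {"msimg32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_shadowing_dlls(app_dir: Path, system_dir: Optional[Path] = None) -> List[Dict]:
    """Return DLLs in app_dir whose names collide with DLLs expected in System32.

    When system_dir is supplied and holds a file of the same name, both files
    are hashed and compared: a byte-identical copy of the genuine DLL gets
    matches_system_copy=True, a planted one gets False, no system copy -> None.
    """
    findings: List[Dict] = []
    for entry in sorted(app_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".dll":
            continue
        name = entry.name.lower()
        if name not in SYSTEM_DLL_NAMES:
            continue
        finding = {"name": name, "path": str(entry), "matches_system_copy": None}
        if system_dir is not None:
            genuine = system_dir / name
            if genuine.is_file():
                finding["matches_system_copy"] = sha256_of(genuine) == sha256_of(entry)
        findings.append(finding)
    return findings


def build_demo():
    """Create a constructed download folder and a stand-in System32 in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    app_dir, sys_dir = root / "Downloads", root / "System32"
    app_dir.mkdir()
    sys_dir.mkdir()
    (app_dir / "install_flash_player.exe").write_bytes(b"MZ demo installer")
    (app_dir / "msimg32.dll").write_bytes(b"MZ planted payload")  # the planted DLL
    (app_dir / "readme.txt").write_bytes(b"not a dll")
    (sys_dir / "msimg32.dll").write_bytes(b"MZ genuine system copy")
    return app_dir, sys_dir


if __name__ == "__main__":
    demo_app, demo_sys = build_demo()
    for f in find_shadowing_dlls(demo_app, demo_sys):
        verdict = {True: "identical to System32 copy",
                   False: "DIFFERS from System32 copy",
                   None: "no System32 copy to compare"}[f["matches_system_copy"]]
        print(f"{f['path']}: {verdict}")
```

A hash mismatch alone does not prove a DLL is malicious (a vendor may legitimately ship its own build), but a system DLL name sitting next to a downloaded installer is exactly the pattern the post describes and is worth pulling for a closer look.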

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Posted this in the Pisses you Off thread by mistake:
I've got a friend who says his web site is being blocked by the McAfee AV and he's come to me since 'I know about that stuff'. I've checked SiteAdvisor and URLVoid and they come up fine there, but does anyone know a way to see if their site is listed in the McAfee desktop client itself (preferably without installing it)?

Impotence
Nov 8, 2010
Lipstick Apathy
Can you share the site if possible?

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
I believe URL filtering isn't part of the base McAfee AV suite (we run it at the place I work at), unless SiteAdvisor is a module of VSE once it is installed, in which case disregard what I just said, as we don't use SiteAdvisor. If you want I can check the URL against Websense and another solution that we use for filtering as well.

If it is a wordpress blog he might want to check if he got owned or not. Just did a cleanup of a few people who visited a blog for a well known speaker and got hit by a blackhole kit earlier today :(

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

I'd prefer not to share the site since it's not mine and I don't want to impugn it unnecessarily. After more research, though, I'm pretty sure it's a bug or false positive, since I bit the bullet and installed the McAfee Internet Secure trial and it doesn't bat an eye at accessing the site, but it doesn't even make clear whether there's a URL filtering function.

I logged into the FTP and there hasn't been a file modified newer than a month ago which was when sanctioned changes were last made to it, and it's an ecommerce site that gets a couple hundred visits a day so I'm sure it would have come up sooner than that if that was the case. It's a custom built .NET 4.0 eCommerce site, so no WordPress/PHP/MySQL shenanigans. I did some external scans/viewed the source code (there's only 4 unique pages) and there's no iframe/cross domain shenanigans I can find either.

Going to ask him to contact the people who called in to see if he can get more details about what specifically is being blocked and by what (site advisor? mcafee av?) and why. Thanks for your suggestions though, I didn't even think to check if McAfee actually supported URL filtering.

And just so it's not all no news, Microsoft released an attack surface scanner thinger today:
http://www.theregister.co.uk/2012/08/03/attack-surface-analyzer/

EvilMuppet
Jul 29, 2006


Good night catte thread, give them all many patts. I'm sorry,

Khablam posted:

Combofix will get the firewall up again - MSE might be stalling as certain Windows services are dependencies and also likely stopped. If combofix won't get them working again you can either track down each non-functioning component and look up a fix, or just accept the inevitable re-install.

Thanks for this, I cleaned up an infection during the week but could not work out for the life of me how to get Win firewall up and running again. Was contemplating manually reading the missing reg entries.

Laserface
Dec 24, 2004

Tearing my loving hair out with a god drat google search redirect. Nothing finds it. It's not tdss, there's no other infections present. Across multiple profiles, no DNS/hosts fuckery.

Why god why :(

Impotence
Nov 8, 2010
Lipstick Apathy
How are you checking for DNS? You know there is malware that will do ARP poisoning, brute-force default router logins and change network-wide resolvers, run their own resolvers on your LAN, etc.?

Laserface
Dec 24, 2004

Biowarfare posted:

How are you checking for dns? You know there is malware that will do arp poisoning, bruteforce default router logins and change network-wide resolvers, run their own resolvers on your LAN, etc?


DNS-ok.gov.au comes up clean, manually set them on all adapters. Checking the router now since you just blew my mind with that little nugget of info.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
I ran into an infection the other day that had a 1/42 rating on VirusTotal. It threw a DLL file into %userprofile%\appdata\local\javasoft that was doing random redirections here and there. It also launched two hidden Internet Explorer sessions in the background.

VirusTotal results (detection ratio: 1/42)

As of today it is still 1/42 when analyzed. I'm submitting a sample of it to McAfee now, but noticing it on the infected machine actually took a short while because from the outside everything looked normal. Once I got into Process Explorer and found it running, it definitely got me on the right track. The one thing that threw me off is that it uses HKEY_USERS for its startup entry rather than the HKCU or HKLM Run/Winlogon locations in the registry, so checking the registry for out-of-the-ordinary Run keys wasn't any help at the start. Sneaky little poo poo.
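An added triage helper for the HKEY_USERS point above, in Python (not code from the thread): HKCU is only a link to HKEY_USERS\<SID of the logged-on user>, so a Run value under another user's SID or under .DEFAULT never shows when you inspect HKCU. "reg export HKU hku.reg" dumps every loaded user hive, and this parses that export offline and lists every Run/RunOnce value together with the hive it lives in. The sample export below is constructed; every SID, path and value name in it is invented (the javasoft entry only mirrors the folder named in the post).

```python
"""List Run/RunOnce autostart values from a 'reg export' dump, per hive owner.

Added example prompted by the HKEY_USERS startup entry above; not code from
the thread. HKCU is a link to HKEY_USERS\\<SID of the logged-on user>, so
values under other SIDs or .DEFAULT are invisible from HKCU. Parse the output
of 'reg export HKU hku.reg' instead. The sample export is constructed and
every SID, path and value name in it is invented.
"""
import re
from typing import Dict, List, Optional

AUTOSTART_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
_DEFAULT_RE = re.compile(r"^@=(?P<data>.*)$")


def _decode_data(raw: str) -> str:
    """Unescape a REG_SZ value ("..."); hex:/dword: forms are returned as written."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def autostart_entries(reg_text: str) -> List[Dict[str, str]]:
    """Return one record per value found under any Run/RunOnce key in the export."""
    entries: List[Dict[str, str]] = []
    current_key: Optional[str] = None
    for raw_line in reg_text.splitlines():
        line = raw_line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            # Only track keys whose path ends in an autostart location.
            current_key = key if key.lower().endswith(AUTOSTART_SUFFIXES) else None
            continue
        if current_key is None or not line:
            continue
        value_match = _VALUE_RE.match(line)
        if value_match:
            name = value_match.group("name")
        else:
            value_match = _DEFAULT_RE.match(line)
            name = "(Default)"
        if not value_match:
            continue  # hex: continuation lines and comments land here
        hive, _, rest = current_key.partition("\\")
        owner = rest.split("\\", 1)[0] if hive.upper() == "HKEY_USERS" else ""
        entries.append({
            "hive": hive,
            "owner": owner,          # SID, .DEFAULT, or "" for non-HKU hives
            "key": current_key,
            "name": name,
            "command": _decode_data(value_match.group("data")),
        })
    return entries


def read_reg_export(path: str) -> str:
    """reg.exe writes UTF-16LE with a BOM; the 'utf-16' codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed 'reg export HKU' output (a real export is UTF-16; this is plain text).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00,3a,28,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  01,00,00,00,0d,00,00,00,00,00,00,00,00,00,00,00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run]
"javasoft"="rundll32.exe \"C:\\Users\\bob\\AppData\\Local\\javasoft\\update.dll\",Start"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@="C:\\Windows\\Temp\\setup.exe"
'''

if __name__ == "__main__":
    for e in autostart_entries(SAMPLE_EXPORT):
        print(f"{e['owner'] or e['hive']:34s} {e['name']:12s} {e['command']}")
```

Only hives that are loaded at export time appear in HKU (logged-on users, .DEFAULT, the service SIDs), so for a user who is not logged on you would load their NTUSER.DAT with "reg load" first, or read the hive file offline.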

alanthecat
Dec 19, 2005

Install Gentoo posted:

Well here's some files that MSE will detect viruses in: http://cd.textfiles.com/htoolbox/virus/

Thanks, and thanks to others. MSE picked it up immediately on extraction and, as I had hoped, logged it in the System event log. Now I'm trying to get event forwarding/collecting working and I can filter the logs to just virus detections. I might even go crazy and email myself whenever there's a detection.

We've no AV running on our server. What's the opinion of ClamAV? Do I need real-time scanning on the server if all the clients have it? I was thinking of maybe scheduling McAfee Stinger, or maybe using ClamAV scheduled with real-time off. I've never had to look into this before, as at the other place I work we have Forefront chugging away nicely. I keep all client software up to date each week.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Depends on what kind of server; email is different from web is different from database, etc. Not necessarily the program you'd use, but high-I/O, performance-sensitive things have different needs.

EDIT-This might help if you're doing Windows
http://serverfault.com/questions/632/do-you-run-antivirus-on-your-windows-servers

Scaramouche fucked around with this message at 19:31 on Aug 9, 2012

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Hey, it's time to be suspicious about .doc(x) files again!
http://hitmanpro.wordpress.com/2012/08/10/dorifel/

Space Gopher
Jul 31, 2006

BLITHERING IDIOT AND HARDCORE DURIAN APOLOGIST. LET ME TELL YOU WHY THIS SHIT DON'T STINK EVEN THOUGH WE ALL KNOW IT DOES BECAUSE I'M SUPER CULTURED.

alanthecat posted:

What's a nice virus I can use to test MS Security Essentials? I want to see what its logs look like so I can consider building a tool for checking all our PCs for detections. Yes, we have less than ten. Or does anyone know of such a tool already?

If you ever need to test antivirus software, put this into a text file:
code:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
It's an industry standard test - every AV program on the market will pick it up as a real virus, but it doesn't do anything. If you run it as a DOS executable (rename it to test.com or something) it just prints out "EICAR-STANDARD-ANTIVIRUS-TEST-FILE". You can use it to test antivirus programs without playing with a live virus, which is kind of asking for trouble.

As for tools to automate and control MSE scanning, sure, that exists already. It's called System Center Endpoint Protection. The big reason to use the professional versions of AV software (aside from licensing requirements) is the fact that they give you centralized control.
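An added example for the EICAR post above, in Python (not code from the thread): a detector that applies the matching rules from the EICAR definition (the exact 68-byte string first, whole file at most 128 bytes, only whitespace after the string) and reports why a candidate fails. It never writes or runs anything, and the string is assembled from two halves, as EICAR itself advises for source code, so this listing does not contain the contiguous signature. The variant files it checks are constructed.

```python
"""Recognise an EICAR test file by the rules in the EICAR definition.

Added example for the EICAR discussion above; not code from the thread.
EICAR's definition says a scanner should treat a file as the test file when
its first 68 bytes are the test string exactly, the whole file is at most
128 bytes, and anything after byte 68 is whitespace (space, tab, LF, CR,
CTRL-Z). The string is kept in memory only and built from two halves so this
source file itself does not carry the contiguous signature.
"""
from typing import Optional

EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_LENGTH = 68
MAX_FILE_LENGTH = 128
ALLOWED_TAIL = b" \t\n\r\x1a"   # whitespace the definition permits after the string


def reject_reason(data: bytes) -> Optional[str]:
    """Return why data is not a valid EICAR file, or None when it is one."""
    if len(data) < EICAR_LENGTH:
        return "shorter than the 68-byte test string"
    if len(data) > MAX_FILE_LENGTH:
        return "longer than the 128-byte maximum"
    if data[:EICAR_LENGTH] != EICAR:
        return "first 68 bytes are not the test string"
    bad = [b for b in data[EICAR_LENGTH:] if b not in ALLOWED_TAIL]
    if bad:
        return "non-whitespace byte after the test string: 0x%02x" % bad[0]
    return None


def is_eicar(data: bytes) -> bool:
    return reject_reason(data) is None


def eicar_variant(tail: bytes = b"\r\n") -> bytes:
    """A still-valid variant, e.g. with the CRLF an editor appends, for exercising AV logs."""
    return EICAR + tail


if __name__ == "__main__":
    samples = {
        "bare string": EICAR,
        "with CRLF": eicar_variant(),
        "padded to 128 with spaces": EICAR + b" " * 60,
        "129 bytes": EICAR + b" " * 61,
        "trailing letter": EICAR + b"A",
        "one byte changed": b"Y" + EICAR[1:],
    }
    for label, blob in samples.items():
        print(f"{label:28s} -> {reject_reason(blob) or 'EICAR test file'}")
```

The "trailing letter" and "one byte changed" cases are the ones that bite in practice: an editor that appends a character, or a copy-paste that mangles the backslash, leaves you with a file that looks like EICAR but that a compliant scanner is entitled to ignore.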

tjl
Aug 6, 2005

Space Gopher posted:

code:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
I think I just found a great new password!
