jet_dee
May 20, 2007
Blah blah blah Nationstates is cool blah blah blah
Is there anyone here familiar with NoScript? I often browse ft.com (the Financial Times' website) but when clicking on links to op-eds in the bannerhead NoScript returns me to the front page and displays a notification about possible cross-scripting XSS attempts. Clicking the link again (or selecting Unsafe reload from the NoScript options) bypasses this but it's a bit annoying.
The same happens when clicking links to the site from other websites.

Would anyone advise whitelisting ft.com for XSS protection, in any case?

tjl
Aug 6, 2005

Hex Darkstar posted:

I think I ran into its Canadian counterpart yesterday afternoon; it was a U KASH ransomware that installed SST.C's bootkit. Nothing works on it in terms of dedicated anti-malware tools that I've seen: MBAM kills the ransomware but doesn't detect the MBR infection, and it even stops TDSSKiller & aswMBR from starting as well. I did however have luck with a program I found while googling around, a tool called MBRFix you can run inside Windows in case you're doing remote support. I tried it on an XP machine yesterday and it was able to fix/purge the infected MBR and allow me to run TDSSKiller to make sure nothing else was lurking in the background. I'm not sure how dependable it is but this was a last resort thing for me, so use it at your own risk if you decide to try it.
Dealt with this exact rootkit today also. Probably the worst I've seen yet.

I had the same issues getting anything to scan. It would cause Combofix to crash the PC (maybe due to a Win Vista issue) and TDSS killer would not launch even when renamed to iexplore.exe in safe mode. All the Malware scanners in my arsenal could only find the associated payloads. GMER found no rootkits. Finally got an older version of TDSSkiller from last November to run (v 2.8.15.0) which immediately found it. Did a final full scan with MalwareBytes; Google is not getting redirected, so I think it's gone. It certainly left a mark though, Windows Update and Firewall are toast.

Diva Cupcake
Aug 15, 2005

I've been reading 'Practical Malware Analysis' out of general curiosity/interest and building out a segregated VMware test lab. I'm not interested in having it compromise other systems, so a 30 minute test VM lifecycle while I log Wireshark and procmon activity is really all I want to do.

Short of clicking on every link in my spam folders, is there any other way to get sample malware? Malc0de has a repository for blacklisted IP addresses, so perhaps rolling around in that bag of AIDS needles would suffice?

goobernoodles
May 28, 2011

Wayne Leonard Kirby.

Orioles Magician.
They got me.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Ozu posted:

I've been reading 'Practical Malware Analysis' out of general curiosity/interest and building out a segregated VMware test lab. I'm not interested in having it compromise other systems, so a 30 minute test VM lifecycle while I log Wireshark and procmon activity is really all I want to do.

Short of clicking on every link in my spam folders, is there any other way to get sample malware? Malc0de has a repository for blacklisted IP addresses, so perhaps rolling around in that bag of AIDS needles would suffice?

http://www.kernelmode.info/forum/viewforum.php?f=16
http://contagiodump.blogspot.ca/

These are two places where you can get some malware to try out.

Diva Cupcake
Aug 15, 2005

Thank you sir. Also found a script on GitHub that I may try out.

quote:

mwcrawler is a simple python script that parses malicious url lists from well known websites (i.e. MDL, Malc0de) in order to automatically download the malicious code. It can be used to populate malware repositories or zoos.

Currently the script parses the following sources:

NovCon Minotaur: http://minotauranalysis.com/malwarelist-urls.aspx
Malware Domain List: http://www.malwaredomainlist.com/hostslist/mdl.xml
VX Vault: http://vxvault.siri-urz.net/URL_List.php
Malc0de: http://malc0de.com/rss
Malware Black List: http://www.malwareblacklist.com/mbl.xml
Sacour.cn: http://www.sacour.cn

https://github.com/ricardo-dias/mwcrawler

NecessaryEvil
Aug 10, 2006
Professional Slacker
A question about the other side of the malware coin...is there something I can run as a batch file to forcefully remove McAfee VirusScan Enterprise 8.7?

Moneypak, Qakbot, and a bunch of other crap is hitting a lot more often, and the AV software they're using hasn't been updated in over a year because they let their subscription lapse; we need to get ESET put on there, but first we have to remove McAfee, and I'd hate to go around touching 200 computers.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
A batch script it is not, but try to use this tool:
http://support.microsoft.com/mats/program_install_and_uninstall/

It might be automatable but I do know it works for force-removals of most applications.

Khablam
Mar 29, 2012

NecessaryEvil posted:

A question about the other side of the malware coin...is there something I can run as a batch file to forcefully remove McAfee VirusScan Enterprise 8.7?

Moneypak, Qakbot, and a bunch of other crap is hitting a lot more often, and the AV software they're using hasn't been updated in over a year because they let their subscription lapse; we need to get ESET put on there, but first we have to remove McAfee, and I'd hate to go around touching 200 computers.

This is the post-removal uninstallation tool: http://service.mcafee.com/FAQDocument.aspx?id=TS101331

If there are 200 machines running the same version of Windows configured in the same way, you should be able to AutoHotkey the removal process; create an exe of the script and run it on all the machines, then run the above tool to complete.

ESET itself has a pretty simple network installation process.

NecessaryEvil
Aug 10, 2006
Professional Slacker
Yeah, pushing out the new ESET will be easy; it's just the removal of the old that I fear will be more difficult, especially with no McAfee server that could potentially automate it.

And I'd have no clue how to create an exe.

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.


NecessaryEvil posted:

Yeah, pushing out the new ESET will be easy; it's just the removal of the old that I fear will be more difficult, especially with no McAfee server that could potentially automate it.

And I'd have no clue how to create an exe.

I'm not sure how to make an EXE in AutoHotkey (I don't use it), but if you install AutoIt and right-click a script there is a compile option. If you don't know either, you should look up both and figure out which one you think will be easier to learn. AHK and AutoIt are very useful if you are doing stuff on a lot of computers.

Khablam
Mar 29, 2012

NecessaryEvil posted:

Yeah, pushing out the new ESET will be easy; it's just the removal of the old that I fear will be more difficult, especially with no McAfee server that could potentially automate it.

And I'd have no clue how to create an exe.

If you know how to use either AHK or AutoIt, see: http://www.autohotkey.com/docs/Scripts.htm and scroll down to the section on ahk2exe.

Hex Darkstar
May 28, 2004

I think I need another liver transplant.
I offer this suggestion with no practical experience doing so on a large scale; I normally do this just when I need to do an uninstall remotely without bothering a user, so this is a use-at-your-own-risk idea.

If these were managed by ePO, you can also use the following registry location to pull an uninstaller msiexec command:

Windows 64 Bit Environments: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\VIRUSCAN8800\Uninstall Command

Windows 32 Bit Environments: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\VIRUSCAN8800\Uninstall Command

It looks like, based on the version of VSE installed (VIRUSCAN8800, VIRUSCAN8700, VIRUSCAN8500), it is always the same, i.e. my VSE 8.8 installs are all:

msiexec /x {CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF} REMOVE=ALL REBOOT=R /q

Executing that command with admin rights results in VSE completely uninstalling silently from the target machine. This can also be issued using psexec over the network rather than having to deploy a batch to the users machines.

Hex Darkstar fucked around with this message at 19:22 on Apr 8, 2013
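As an added example (not from the thread or from McAfee), here is a PowerShell version of the procedure in the post above: look up the ePO-registered uninstall command under whichever of the two Application Plugins keys exists, confirm it has the expected msiexec shape, and run it silently. It assumes "Uninstall Command" is a string value under each VIRUSCAN* plugin key, as the post describes; the function and parameter names are my own. Run it elevated, and use -WhatIf to see what would be executed without removing anything.

```powershell
# Added example, not code from the thread: locate the VirusScan Enterprise
# uninstall command that ePO registers and run it silently.
# Assumption: 'Uninstall Command' is a REG_SZ value beneath the VIRUSCAN* key.

function Get-VseUninstallCommand {
    [CmdletBinding()]
    param()

    $roots = @(
        'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins',  # 64-bit Windows
        'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins'               # 32-bit Windows
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # VIRUSCAN8800 / VIRUSCAN8700 / VIRUSCAN8500 depending on the installed VSE version
        Get-ChildItem -LiteralPath $root |
            Where-Object { $_.PSChildName -like 'VIRUSCAN*' } |
            ForEach-Object {
                $cmd = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).'Uninstall Command'
                if ($cmd) {
                    [pscustomobject]@{ Plugin = $_.PSChildName; Command = $cmd }
                }
            }
    }
}

function Invoke-VseUninstall {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Command
    )
    # Only run commands of the shape seen in the post: msiexec /x {GUID} REMOVE=ALL REBOOT=R /q
    if ($Command -notmatch '^\s*msiexec(\.exe)?\s+(.+)$') {
        throw "Unexpected uninstall command, refusing to run it: $Command"
    }
    $arguments = $Matches[2]
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "msiexec $arguments")) {
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
        # 0 = success; 3010 = success, reboot required (REBOOT=R suppresses the automatic reboot)
        return $proc.ExitCode
    }
}

# Usage: run elevated. Drop -WhatIf to actually uninstall.
$found = Get-VseUninstallCommand
if (-not $found) {
    Write-Warning 'No VirusScan Enterprise uninstall command is registered on this machine.'
} else {
    foreach ($entry in $found) {
        Write-Host "[$($entry.Plugin)] $($entry.Command)"
        $exit = Invoke-VseUninstall -Command $entry.Command -WhatIf
        if ($null -ne $exit) { Write-Host "msiexec exit code: $exit" }
    }
}
```

The shape check before Start-Process is the defensive part: a registry value is data under the control of whoever can write HKLM, so the script refuses to execute anything that is not an msiexec uninstall line. Exit code 3010 means the removal succeeded but the machine still wants a reboot before ESET goes on.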

Wowporn
May 31, 2012

HarumphHarumphHarumph
A few days ago I got my first extra-toolbar virus in my dozen or so years of internetting; it was pretty exciting (but also terrifying to see on my nice new self-built PC). I know literally nothing about the software side of computers, so it took me way longer than it should have to realize that disconnecting from the internet would stop it from bringing up another download window every time I hit the uninstall program button. I think it was called SweetPacks Pro, and it was hilarious to see a Bing search bar in its horrible 1998-era design.

Also, does anyone know how to completely get rid of Avast! off of a computer? I have an old Dell laptop that I don't use very often, but every time I turn it on I get like 2 or 3 pop up windows telling me that I should buy a subscription, and I've deleted every file that has the word 'avast' in it already.

vx15i
Feb 9, 2003
There is a removal tool for avast you can try running if you haven't already:

http://www.avast.com/uninstall-utility

Wowporn
May 31, 2012

HarumphHarumphHarumph
Wow, that's so simple looking it sure makes me feel like a dumbass. Thank you!

spunkshui
Oct 5, 2011



Fiancée picked up a lovely redirect virus/thing. "defaultsearchbar.exe"

She insists searchbar.exe in her add/remove programs for IE and Chrome has been on her computer since she started using it, but I'm pretty sure it's all this virus.

Microsoft Security Essentials and Spybot don't seem to be doing anything. (Spybot was not installed when she got infected.)

It's been years since I had to deal with a virus and I think I'm out of the loop.

I'm going to have her update her Java, but I need programs that can sweep the thing for her.

Any advice?

Otacon
Aug 13, 2002


Combofix?

Gothmog1065
May 14, 2009
There's a virus thread in Haus specifically for removal, should be pretty up to date.

spunkshui
Oct 5, 2011



Gothmog1065 posted:

There's a virus thread in Haus specifically for removal, should be pretty up to date.

This worked great, never needed combofix.

Turns out I was talking to another teacher in my department about this ordeal and he said his new tabs "keep changing to something else."

:stare:

So I forwarded the advice to him too.

1 last question: Is Spybot useful anymore? Or am I just wasting CPU cycles because MSE is enough on its own...

edit: 4 seconds of Google tells me it's garbage and I'm living in the past.

spunkshui fucked around with this message at 07:34 on Apr 16, 2013

mindphlux
Jan 8, 2004

by R. Guyovich
everyone always needs combofix, they just don't know it yet.



possible new thread title....

mindphlux
Jan 8, 2004

by R. Guyovich
I've come across something that causes google chrome to just say 'loading....' no matter what page you go to. I can't even get to the settings menu on this computer. I've uninstalled and reinstalled with no luck. I've combofixed it, checked for rootkits, malwarebytes, etc - nothing is coming up. hosts file is fine, dns server is being set properly. all other browsers work perfectly. anyone know this one?

tjl
Aug 6, 2005

mindphlux posted:

I've come across something that causes google chrome to just say 'loading....' no matter what page you go to. I can't even get to the settings menu on this computer. I've uninstalled and reinstalled with no luck. I've combofixed it, checked for rootkits, malwarebytes, etc - nothing is coming up. hosts file is fine, dns server is being set properly. all other browsers work perfectly. anyone know this one?
Yes, I've seen something similar to this before. In my case, I was almost certain it was the resident Symantec AV interfering with the program. I never took the time to mess with the AV settings though. I removed Chrome from the client's computer and that was that. (They thought it was Firefox having problems; they didn't even use Chrome and had no idea how it got installed.)

This was a while ago, but if memory serves correctly it was on WinXP SP3, with Symantec Endpoint Protection 12.

Gweenz
Jan 27, 2011
Forgive me if this virus has been discussed ad nauseam, but this one is new to me. One of our clients calls up and says there are porn.exe files all over the server shares and that every directory on there has an .exe on it. Despite my desires to keep the virus contained at the client, my boss had me go pick up an infected workstation and bring it in to the shop. No biggie, as long as someone else doesn't connect it to the network when I'm not here, despite my warnings (they will). Anywho, I get it back here and stick a flash drive in it. The virus instantly changed my folder names to .exe extensions and sexy.exe, porn.exe, and x.mp4 files suddenly appeared. Neat!

After a little investigating, it turns out the virus simply copies the existing files, changes their file names, and hides the original files. It probably attaches the hook to every file so that unsuspecting users double click the new .exes and the hook is reinstalled. Not terribly sophisticated. However, since so many files on the server have been altered, I am concerned about 1. data loss and 2. reinfection. Wiping the workstations is only an option if I feel like spending the 12 hours per computer installing iTunes, spotify, toolbars, printers, etc, basically making it exactly like it was before (they are clients, I am not their boss. Otherwise I would wipe with extreme prejudice).

Anyone fought this thing before? Any tips?

tjl
Aug 6, 2005

Gweenz posted:

Forgive me if this virus has been discussed ad nauseam, but this one is new to me. One of our clients calls up and says there are porn.exe files all over the server shares and that every directory on there has an .exe on it. Despite my desires to keep the virus contained at the client, my boss had me go pick up an infected workstation and bring it in to the shop. No biggie, as long as someone else doesn't connect it to the network when I'm not here, despite my warnings (they will). Anywho, I get it back here and stick a flash drive in it. The virus instantly changed my folder names to .exe extensions and sexy.exe, porn.exe, and x.mp4 files suddenly appeared. Neat!

After a little investigating, it turns out the virus simply copies the existing files, changes their file names, and hides the original files. It probably attaches the hook to every file so that unsuspecting users double click the new .exes and the hook is reinstalled. Not terribly sophisticated. However, since so many files on the server have been altered, I am concerned about 1. data loss and 2. reinfection. Wiping the workstations is only an option if I feel like spending the 12 hours per computer installing iTunes, spotify, toolbars, printers, etc, basically making it exactly like it was before (they are clients, I am not their boss. Otherwise I would wipe with extreme prejudice).

Anyone fought this thing before? Any tips?
I've fought it once, and it can be a real pain in the rear end if they don't let you temporarily disable the shares. Re-infection is very likely if you don't remove every last trace of it, as well as the vector it uses to initially infect. This guide is a good start: http://www.welivesecurity.com/2012/12/07/autorun-worm-continues-to-turn/

FuriousB
Aug 4, 2003

Gweenz posted:

Forgive me if this virus has been discussed ad nauseam, but this one is new to me. One of our clients calls up and says there are porn.exe files all over the server shares and that every directory on there has an .exe on it. Despite my desires to keep the virus contained at the client, my boss had me go pick up an infected workstation and bring it in to the shop. No biggie, as long as someone else doesn't connect it to the network when I'm not here, despite my warnings (they will). Anywho, I get it back here and stick a flash drive in it. The virus instantly changed my folder names to .exe extensions and sexy.exe, porn.exe, and x.mp4 files suddenly appeared. Neat!

After a little investigating, it turns out the virus simply copies the existing files, changes their file names, and hides the original files. It probably attaches the hook to every file so that unsuspecting users double click the new .exes and the hook is reinstalled. Not terribly sophisticated. However, since so many files on the server have been altered, I am concerned about 1. data loss and 2. reinfection. Wiping the workstations is only an option if I feel like spending the 12 hours per computer installing iTunes, spotify, toolbars, printers, etc, basically making it exactly like it was before (they are clients, I am not their boss. Otherwise I would wipe with extreme prejudice).

Anyone fought this thing before? Any tips?

I have had this at several of my customers. Disabling network shares while you clean it is the only way to go. Also make sure to disable autorun on the network through Group Policy. I have had good luck with the free Kaspersky removal tool here:

http://www.kaspersky.com/antivirus-removal-tool?form=1

Plus this tool to unhide files and remove the system file status:

http://download.cnet.com/Attribute-Changer/3000-2248_4-13676.html

It comes in through email attachments like those fake UPS ones; letting people know not to open this stuff sometimes helps as well.
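The posts above describe the worm's footprint (a decoy .exe beside each original, with the original set Hidden+System) and the two controls that matter for cleanup: unhiding the originals and making sure autorun is off via Group Policy. This added PowerShell example, which is mine and not from the thread or from any of the tools linked, walks a share and reports every .exe that has a same-named hidden+system sibling, optionally clears the Hidden/System attributes on those originals (what the Attribute Changer tool does by hand), and checks the NoDriveTypeAutoRun policy value that the "Turn off Autoplay" GPO writes. It only reports the decoys; deciding what to delete is left to the person doing the cleanup. Function names and the sample path are my own.

```powershell
# Added example, not from the thread: find the "decoy .exe next to a hidden
# original" pattern on a share and verify the autorun policy.

function Find-DecoyExe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$RestoreAttributes   # clear Hidden+System on the originals that were hidden
    )

    $hiddenSystem = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System

    # -Force is required or hidden/system items are skipped entirely
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -Filter '*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe  = $_
            $base = [System.IO.Path]::GetFileNameWithoutExtension($exe.Name)

            # Siblings sharing the base name: folder "Reports" beside "Reports.exe",
            # or file "budget.xlsx" beside "budget.exe", and flagged Hidden+System.
            Get-ChildItem -LiteralPath $exe.DirectoryName -Force -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.FullName -ne $exe.FullName -and
                    [System.IO.Path]::GetFileNameWithoutExtension($_.Name) -eq $base -and
                    (($_.Attributes -band $hiddenSystem) -eq $hiddenSystem)
                } |
                ForEach-Object {
                    $orig = $_
                    if ($RestoreAttributes) {
                        # Same effect as unticking Hidden and System in Attribute Changer
                        $orig.Attributes = $orig.Attributes -band (-bnot $hiddenSystem)
                    }
                    [pscustomobject]@{
                        Decoy          = $exe.FullName
                        HiddenOriginal = $orig.FullName
                        Restored       = [bool]$RestoreAttributes
                    }
                }
        }
}

function Test-AutorunDisabled {
    # "Turn off Autoplay" for all drives writes NoDriveTypeAutoRun = 0xFF
    # under the Explorer policies key (machine or user scope).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -LiteralPath $k -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { return $true }
    }
    return $false
}

# Usage (sample path is made up; point it at the share once it is unshared):
$hits = Find-DecoyExe -Path '\\fileserver\share' -RestoreAttributes
$hits | Format-Table -AutoSize
Write-Host ("Decoy executables found: {0}" -f @($hits).Count)

if (-not (Test-AutorunDisabled)) {
    Write-Warning 'NoDriveTypeAutoRun is not 0xFF on this machine; check the Autoplay GPO.'
}
```

Run it against the share after it has been taken offline, as the post recommends, and against each workstation's local drives and any USB sticks that touched them, since a decoy left on one of those is how the thing comes back. The autorun check is per machine, so it belongs in whatever you use to sweep the fleet, not just on the server.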

Honey Im Homme
Sep 3, 2009

We got hit by this today too. Win32/Vobfus.PY / Win32.changeup ~ published 8 days ago apparently. Going to be fun and games tracking which of our 1400~ machines is infected. McAfee as useless as ever.

Current plan is to try and boot into Windows Defender offline via pxe, and just blitz each computer room at a time.

Honey Im Homme fucked around with this message at 17:57 on May 7, 2013

Khablam
Mar 29, 2012

Shoot the person who didn't disable autorun via Group Policy?

I'm not sure why you're in a situation where there's ~1400 machines and you'd need to manually clean each one; that's surely an area that needs massive and immediate review in your business.
At this point, someone can use a USB stick in a coffee shop, bring it in, and cause dozens of man-hours in damage in seconds.

Honey Im Homme
Sep 3, 2009

Khablam posted:

Shoot the person who didn't disable autorun via Group Policy?

I'm not sure why you're in a situation where there's ~1400 machines and you'd need to manually clean each one; that's surely an area that needs massive and immediate review in your business.
At this point, someone can use a USB stick in a coffee shop, bring it in, and cause dozens of man-hours in damage in seconds.

It's a school. Autorun is disabled via GPO. It was probably a retarded teacher or a malicious student (heavily restricted - probably jumped onto a logged-on staff machine during a lesson or whatever).

beyonder
Jun 23, 2007
Beyond hardcore.

Honey Im Homme posted:

It's a school. Autorun is disabled via GPO. It was probably a retarded teacher or a malicious student (heavily restricted - probably jumped onto a logged-on staff machine during a lesson or whatever).

I hope you don't teach anything more advanced than Office use. Back when I was studying the managerial side of IT, we had a course on AD and Windows networking. Now guess how long and how many rogue DCs it took to get funding for a separate lab network? Two years and about half a dozen incidents, each one taking down half of the ~1500 workstations before being rectified.

Khablam
Mar 29, 2012

Back in the year 2000 I crippled my school's IT room by running a dumb EXE/trojan and infecting all the machines on that network.
It took IT staff about an hour to flatten the whole room and write the machines back from images. No files or software were local since it was a domain, serving userspace and programs centrally. The PCs were glorified thin clients. This was 13 years ago and it's a lot easier to achieve similar now.

What I'm trying to say is that the scenario you presented shouldn't be the scenario you're working with, and there are some pretty cheap solutions out there to get this working on a school budget.

When you pass 1000 machines, the break-even point on expensive prevention rather than costly (time) solutions is usually a single incident - and since you can be pretty sure a single incident will always happen, it's a no brainer.
Someone somewhere needs to implement a decent IT policy, there.

Khablam fucked around with this message at 22:28 on May 7, 2013

Honey Im Homme
Sep 3, 2009

Khablam posted:

Back in the year 2000 I crippled my school's IT room by running a dumb EXE/trojan and infecting all the machines on that network.
It took IT staff about an hour to flatten the whole room and write the machines back from images. No files or software were local since it was a domain, serving userspace and programs centrally. The PCs were glorified thin clients. This was 13 years ago and it's a lot easier to achieve similar now.

What I'm trying to say is that the scenario you presented shouldn't be the scenario you're working with, and there are some pretty cheap solutions out there to get this working on a school budget.

When you pass 1000 machines, the break-even point on expensive prevention rather than costly (time) solutions is usually a single incident - and since you can be pretty sure a single incident will always happen, it's a no brainer.
Someone somewhere needs to implement a decent IT policy, there.

That's great. Thanks.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Khablam posted:

Back in the year 2000 I crippled my school's IT room by running a dumb EXE/trojan and infecting all the machines on that network.
It took IT staff about an hour to flatten the whole room and write the machines back from images. No files or software were local since it was a domain, serving userspace and programs centrally. The PCs were glorified thin clients. This was 13 years ago and it's a lot easier to achieve similar now.

What I'm trying to say is that the scenario you presented shouldn't be the scenario you're working with, and there are some pretty cheap solutions out there to get this working on a school budget.

When you pass 1000 machines, the break-even point on expensive prevention rather than costly (time) solutions is usually a single incident - and since you can be pretty sure a single incident will always happen, it's a no brainer.
Someone somewhere needs to implement a decent IT policy, there.

This is generally overlooked by most systems administrators whose first reaction is to blame the anti-virus vendor as opposed to actually investigating what made it get into their systems in the first place. If one user has the ability to compromise network shares and create headaches for your 1,000+ machine network all through one false move, you have a problem with an infection as well as your IT policy.

Anti-virus solves the layer 8 problem only so much. It isn't bullet-proof and considering the type of infection previously indicated, it's the type that the AV vendors struggle with a lot.

Lain Iwakura fucked around with this message at 06:44 on May 8, 2013

syscall girl
Nov 7, 2009

by FactsAreUseless
Fun Shoe
Anybody have a quick fix for mysearchresults.com hijacking Chrome?

I'm pretty sure something similar was mentioned recently in this thread. I'm waiting for a refreshed malwarebytes to finish scanning and just thought I'd take a chance in here that someone had the obvious solution at hand.

mindphlux
Jan 8, 2004

by R. Guyovich
Try AdwCleaner. I'd combofix it too first, but I combofix everything. Then check installed programs, check plugins/extensions, run a HijackThis, check hosts, and run Malwarebytes again.

mindphlux
Jan 8, 2004

by R. Guyovich
I feel dense asking this, but is there any good way to do hardcore disinfection on an entire network of machines?

Like, let's assume there was a 1000 user network, and 30% of the machines had rootkits.

I mean, if I ran a 1000 user network, I'd just have system images, not store user data locally, and flatten machines left and right, but even that would involve a lot of work setting up profiles and poo poo again for users? unless all their programs were web based and literally nothing was really local. But anyways, let's assume there's a mismanaged network of 1000.

Or, more realistically, what about a 50 user network not being managed like an enterprise / without system images? I assume there's not an easy way other than taking individual machines off the network and giving them a lot of personal attention - but just wanted a sanity check from y'all.

sfwarlock
Aug 11, 2007

mindphlux posted:

I feel dense asking this, but is there any good way to do hardcore disinfection on an entire network of machines?

Like, let's assume there was a 1000 user network, and 30% of the machines had rootkits.

I mean, if I ran a 1000 user network, I'd just have system images, not store user data locally, and flatten machines left and right, but even that would involve a lot of work setting up profiles and poo poo again for users? unless all their programs were web based and literally nothing was really local. But anyways, let's assume there's a mismanaged network of 1000.

Or, more realistically, what about a 50 user network not being managed like an enterprise / without system images? I assume there's not an easy way other than taking individual machines off the network and giving them a lot of personal attention - but just wanted a sanity check from y'all.

I say we dust off and nuke the site from orbit. It's the only way to be sure.

Dice Dice Baby
Aug 30, 2004
I like "faggots"

mindphlux posted:

I feel dense asking this, but is there any good way to do hardcore disinfection on an entire network of machines?

Like, let's assume there was a 1000 user network, and 30% of the machines had rootkits.

I mean, if I ran a 1000 user network, I'd just have system images, not store user data locally, and flatten machines left and right, but even that would involve a lot of work setting up profiles and poo poo again for users? unless all their programs were web based and literally nothing was really local. But anyways, let's assume there's a mismanaged network of 1000.

Or, more realistically, what about a 50 user network not being managed like an enterprise / without system images? I assume there's not an easy way other than taking individual machines off the network and giving them a lot of personal attention - but just wanted a sanity check from y'all.

No system images? drat. I'd bet on this, though

Honey Im Homme posted:

Current plan is to try and boot into Windows Defender offline via pxe, and just blitz each computer room at a time.

To try to get at the rootkits

Now, for the user software, there are solutions to storing user profiles on your network... but since I don't really know your situation aside from what you described above, I'd rather not keep shooting in the dark :shobon:

Glans Dillzig
Nov 23, 2011

:justpost::justpost::justpost::justpost::justpost::justpost::justpost::justpost:

knickerbocker expert
I've had someone get hit by 2 variants of the "FBI found kiddie porn!" virus in one week. As it's the same person, I'm inclined to think that there was something I didn't get the first go round that let the PC get reinfected. Besides MBAM and ComboFix, what else am I forgetting to do here?

sfwarlock
Aug 11, 2007

Walter_Sobchak posted:

I've had someone get hit by 2 variants of the "FBI found kiddie porn!" virus in one week. As it's the same person, I'm inclined to think that there was something I didn't get the first go round that let the PC get reinfected. Besides MBAM and ComboFix, what else am I forgetting to do here?

Sing it with me:

o/ Backup, format, reinstall, doo dah
backup, format, reinstall, virus goes away! o/
