abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.
I've kinda lost track of this thread over the last year or so. It was slow at work today so I decided to peruse it and came across the following post with requests that it go into the OP. So here it is.

Megiddo posted:

There's really a lot more to it than that, if you want to keep your machine secure:

Use Firefox or Chrome with NoScript and Adblock Plus and disable/uninstall any unneeded plugins. Make sure your browser is kept up to date with automatic updates. Check Mozilla's plugin check regularly to see if you have vulnerable plugins. Make sure you are receiving Microsoft updates for all Microsoft software (not just Windows), and keep all third-party software up-to-date that interacts with downloaded material of any kind, whether it has a plugin for a browser or not.

Only install Java when you actually need it and uninstall it promptly when finished. If you need to have Java installed all the time due to Java-dependent software, keep it updated at all times and disable Java plug-ins/add-ons in all your browsers. Keep in mind that Oracle rarely issues "out-of-band" critical updates/patches for Java, leaving security and bug fixes for the next quarterly release - and leaving you vulnerable until Oracle's next scheduled release. Unless you don't have it installed in the first place, of course.

Keep Adobe Acrobat, Adobe Reader, or any third-party PDF viewers up-to-date and ideally disable their plug-in/add-on. Make sure Acrobat/Reader security settings are set for maximum security: delete the Flash authplay.dll that's bundled with Acrobat/Reader, disable javascript, disallow multimedia operations, enable enhanced security, disallow opening of non-PDF files.

Keep Adobe Flash and Adobe Shockwave updated. Make sure Flash is set to check for updates automatically. Do not install Shockwave unless you actually need it as many people neglect to check for Shockwave updates and Adobe does not have an option to automatically check for Shockwave updates.

Keep Apple Quicktime updated, or either disable the plug-in/add-on on all browsers or just don't install Quicktime. If you use VLC, Winamp, or some other media player, make sure that it is updated as they have been known to have critical vulnerabilities with some types of files.

Any other programs that interact with downloaded files should be kept updated. For example, if you use uTorrent, even without a browser plug-in, you are still opening downloaded .torrent files that could exploit older versions of uTorrent with critical vulnerabilities.

If you're in a locked-down corporate, university, or public machine where you cannot update plugins, browsers, uninstall Java, etc. - use a USB flash drive with Portable Apps configured for secure and private browsing.

But good luck getting even experienced computer enthusiasts or professionals to do the above, let alone the casual user.

I will also add that you need to have a good antivirus, preferably in my opinion NOD32 which is for pay. Others here will argue until they die from lack of air that Microsoft Security Essentials is just as good. I respectfully disagree. To each their own. Also Adblock and NoScript are your friends, learn them, love them, use them. Anything else that anyone thinks of should PM me as I don't check this so much anymore, but I am flattered that what was essentially a rant and an exercise in blowing off steam has become the MEGATHREAD for viruses in SHSC.



So this week at the shop starts off kind of bad since 7 people decided to call at 4:55pm on Saturday to approve virus removals, effectively making my bench a virus removal station for at least the first half of the week. I don't really care for virus removals because they are routine, boring, and there is not a lot of money in them. So I get in, begin the removals, and go drink coffee and smoke while the first scans are running.

The first one I do has to run in safe mode and everything is operating as expected, I can network fine and explorer is responsive. So I come back about 30 minutes later and since the machines have rebooted into normal startup, I go about logging them in to a user account. One of them locks as soon as I select a user, another gets to the desktop and explorer is immediately unresponsive and another works very slowly but will not network thus keeping me from accessing my tech tools on the server.

So I reboot these three machines back into safe mode and run anything that will install without needing windows installer service. I find the usual on all three; vundo, smitfraud, zedo, random rootkit a, random rootkit b and some other nondescript malwares. Having finished what I could in safe mode, I reboot to normal startup with all msconfig entries disabled with the exception of Microsoft services. Same thing.

Back to safe mode and this time I install autoruns and have a look at what is going on at startup. I don't see anything that raises an eyebrow, curse, reboot the machines and start repair installs. One of them took two attempts to finish the repair install, the other two went alright. One by one they finish and reboot. All three get to the welcome screen and want to be reactivated. I make a fuss about how pissed I'm going to be if I have to call Microsoft for all three activations, but I don't ever get the opportunity to find out if that would have been the case. All three freeze with the border of the activation prompt displayed but the rest of the windows never get drawn.

So I reboot to safe mode on the first one and am reminded that a) you cannot activate in safe mode, and b) you cannot log into safe mode without activating. I contemplate the prospect of having to call three customers and cajole them into giving me more money to backup their data so I can wipe and reload their OS. Since that was not a particularly desirable outcome, I pull one of the drives connect it to one of my shop machines and run it through nod32, avg, avast, bitdefender, and a2. These scanners didn't find anything at all. Frustrated I decided to run them through Panda Active Scanner. It finds stuff that it considers minor, and shows me where they are but will not fix them itself without signing up for an account. gently caress that. I delete the things it found and made mental note of what they were called and where they were located.

I reconnected the hard drive to the first computer and voila! it works. Hell yeah. I go to the second machine and look in the places I had looked on the first machine and find nothing. So I run it through Panda and notice that both machines had rootkit.kinject present. I look it up on Google, and it turns out that only Superantispyware has it in their definitions. I update my copy of Superantispyware on my shop machine and connect the third and find it in like 90 seconds.

It turns out rootkit.kinject just breaks Windows in a bad way. It installs as a hidden service and nothing can see it there, even autoruns. You must pull the drive and scan it elsewhere if you hope to get rid of it. Superantispyware and Panda are the only two outfits that I know detect it and there is absolutely no English literature on the Internet of anyone encountering it. You can only use Superantispyware to get rid of it on the local machine if you can get to a desktop and browse the file system. If not, you've got to pull the drive.

I thought I would share this with everyone because it took me like 4 days to narrow down (bear in mind that I was working on 15 or more machines at any given time this week so I might have only gotten around to those machines only 4 or 5 times the first couple of days). Personally I haven't seen anything like this since the spools earlier this summer.

tl;dr

Rootkit.kinject will gently caress your poo poo up. So far I only know of two AV scanners that get rid of it, panda and superantispyware. Read the post and do not perform a repair install if you have a machine that exhibits any of the symptoms I describe.

What have you seen recently that has made you gnash your teeth?

abominable fricke fucked around with this message at 01:10 on Jun 14, 2011


abominable fricke
Nov 11, 2003


people posted:

Antivirus 2009

I would say that 65% of the computers that come in for diagnostics at my shop have this or some variant of it installed. It does make for an easy diagnosis though.

abominable fricke
Nov 11, 2003


Namlemez posted:

Got this on a machine through some random Java applet. This was like the most nefarious one I've ever had by far:

http://en.wikipedia.org/wiki/Vundo

http://vundofix.atribune.org/

abominable fricke
Nov 11, 2003


Namlemez posted:

Tried that, said nothing was infected but even Ad-Aware could still see it and the files were still present in \System32. It unfortunately does not catch all variants and they admit it does not have 100% coverage because of how it infers infection.

Yeah, I generally don't use that tool unless I feel like I'm out of options. Generally I find that combofix gets rid of the major nastiness that is vundo. I think SDFix will get rid of it too.

abominable fricke
Nov 11, 2003


brc64 posted:

My least favorite question to answer clients is "how did I get infected?" There's never a good way to answer that.

I hate that question, I generally just tell them that there isn't really any way for me to know the exact point of entry and that anything I might say would purely be speculation.

It is a nice out when they say that their kids use the computer and then start down the line of "the only things they do online..." I generally try to interrupt politely and point out that if they have kids they are going to get infected, guaranteed.

abominable fricke
Nov 11, 2003


ab0z posted:

At our shop the WinAntivirus2008 etc and its variants are old hat by now, not even an issue. One that DID give us a heart attack the other day was this:
csrsc.exe
Registers itself as a service "WinSpoolerService" and lists its publisher as Microsoft. We had to quickly kill the process, then delete the file on disk and a registry key, and if you weren't fast enough then it would run again and you couldn't delete the file. The scary part was when I took my flash drive with the tools out of that computer and plugged it into another computer, and all of a sudden that person's Windows Defender wanted to know if it was ok to attach csrsc.exe to like every drat startup process.
Apparently this virus actually a. copies itself to removable media, b. creates an autorun that c. fucks your poo poo up in about 3 seconds when you connect it to your computer.

Sounds like you got the spools. That one seems to have burned itself out because I haven't seen it since sometime in July, but for a couple months prior to that I saw it everywhere. Before we understood what was going on we had infected probably five or six machines just by using our flash drives.

abominable fricke
Nov 11, 2003

What a poo poo day in virus land. We should start posting combofix, malwarebytes, superantispyware, spybotsd, and hijack this logs to use as a community resource. Anyone onboard?

abominable fricke
Nov 11, 2003


brc64 posted:

I was onsite yesterday trying to figure out wtf was wrong with this Windows Server, and to kill time while it was updating (completely unpatched server, awesome), I decided to check Windows Update on a few of the PCs. I noticed that on this one Win2k box, Windows Update wouldn't load. Because the browser was so slow, I saw it attempting to open 127.0.0.1.

Let me tell you, that HOSTS file was great. It was not only blocking Windows Update and a variety of Microsoft download servers, but it also had a pretty comprehensive list of different antivirus update servers as well. So I fixed the HOSTS file and since they don't have any local antivirus software (:suicide:) I loaded up Housecall to see what came up.

I think the final count was somewhere around 4500 infections found. Most of them appeared to be :filez: hidden various places around the PC. I suspect that the doctor was probably responsible for the initial infection, but I kind of doubt he's smart enough to have a huge cache of installers and keygens hidden deep within his user profile. I suspect the bulk of that was due to one or more of the infections.

It always fills me with warm fuzzies when I come across crap like this in a medical environment. I'm glad my confidential patient information is in safe hands.

Edit: here's a blurry pic of the scan in progress (sorry, my cell phone camera doesn't have a macro mode)


I'm sure I don't need to tell you that disinfecting a win2k machine is a waste of your time. It's just going to get reinfected the very next time it touches the internet. You should recommend that he upgrade his machines to XP, there is absolutely no reason not to at this point.
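The HOSTS-file tampering brc64 describes (update and antivirus hostnames pointed at 127.0.0.1) is easy to spot mechanically. The following is an added example, not code from this thread; the list of protected hostname suffixes and the sample file are constructed assumptions, and a real check would read %SystemRoot%\system32\drivers\etc\hosts instead of the embedded string.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com
127.0.0.1       download.microsoft.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       www.kaspersky.com   # trailing comment, still an entry
192.0.2.10      www.eset.com
10.0.0.5        intranet.example.local
"""

# Hostnames a legitimate HOSTS file has no business overriding. Suffix match so
# subdomains such as v4.windowsupdate.microsoft.com are covered. Assumed list;
# extend it with the update servers of whatever AV products you support.
PROTECTED_SUFFIXES = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.microsoft.com",
    "windowsupdate.com",
    "symantec.com",
    "kaspersky.com",
    "eset.com",
    "malwarebytes.org",
)

# Addresses that silently black-hole a name rather than redirect it elsewhere.
SINKHOLE_NETWORKS = ("127.0.0.0/8", "0.0.0.0/32", "::1/128")


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every non-comment HOSTS entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                            # malformed line, not an entry
        yield line_no, ip, names


def is_protected(hostname):
    """True if the hostname is, or sits under, a protected suffix."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def is_sinkhole(ip):
    """True if the address maps the name to loopback or the null address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in SINKHOLE_NETWORKS)


def find_suspicious_entries(text):
    """Return (line_no, hostname, ip, reason) for each protected name present.

    'sinkholed' means the name points at loopback/null (updates silently fail);
    'redirected' means it points somewhere else, which deserves a closer look.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost":
                continue
            if is_protected(name):
                reason = "sinkholed" if is_sinkhole(ip) else "redirected"
                findings.append((line_no, name, ip, reason))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```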

abominable fricke
Nov 11, 2003

Install Superantispyware to a flash key and run it

abominable fricke
Nov 11, 2003


Otacon posted:

Most of the time now, the hardest part about killing Spyware is getting the stupid computer to boot into Windows. Our shop sees a lot of BSODs and black screens on boot, and Safe Mode isn't even a sure fire way past that trash. But once you're on the desktop, those viruses and spyware will be gone soon.

One thing to try is to use an ERD boot CD, and use the system restore function. It will do the system restore the same way that Windows does. The only thing that you need to do beforehand is to back up the %windir%\system32\config folder because sometimes (probably a third of the time) it forgets to restore the registry.

abominable fricke
Nov 11, 2003

^^^^^^

I bet it would have too

abominable fricke
Nov 11, 2003


Otacon posted:

As of yesterday, our shop found a new virus/rootkit disguising itself as a Microsoft Windows driver, signed by Microsoft themselves. Be careful out there!

Do you care to share any info, or are you going to hold out?

abominable fricke
Nov 11, 2003


Cojawfee posted:

The best idea is whenever you have a problem, look for Norton. Or just run the removal tool anyway. You won't believe how hosed up Norton leaves your computer after uninstalling. I've seen Norton totally block iexplore.exe, it never lets you access network shares, and sometimes blocks the internet entirely. Not to mention that the whole thing slows your computer to a stand still. I don't know how Symantec can still be allowed to sell that shitstorm.

But the geeks at Best Buy told me it's the best antivirus software there is...:laugh:

abominable fricke
Nov 11, 2003


zapf posted:

Just finished cleaning off a friend's computer that got infected with TDSServ. Seems to be completely gone now, thanks to SUPER Antispyware and ComboFix.

NOD32 only picked up on the problem when it noticed the SYSTEM account trying to download a Win32/Kryptik.EH trojan from an external website. That website is tied to a domain name, which surprisingly enough isn't through Domains By Proxy. I'll probably call the administrative contact tomorrow morning to ask why he's hosting malware.

It wouldn't surprise me if this is news to him.

abominable fricke
Nov 11, 2003


RivensBitch posted:

After fighting vundo for hours I finally managed to remove it, but now Windows won't let me configure my wireless network adapter. Has anyone encountered this after a vundo removal, and is there a utility to rebuild the networking? A non-flatten Windows reinstall doesn't work.

What shows up in the network connections control panel? If nothing shows up you might have a broken COM+ on your hands.

abominable fricke
Nov 11, 2003


Bob Morales posted:

I'm fairly sure.

I have been doing a route -f, then I hurry the hell up and get online (to update Malwarebytes, for example)

But it won't stay online long enough to run Windows updates.

Nod32 will find it. I had that one last week. Does it look for a host on port 8221 or 9882 or 8991 or something like that?

It was sneaky. It wouldn't show any activity on netstat or tcpview but we could see it happening on our gateway. The only reason I found it is because my tech machine uses nod32 and I was scanning with something else offline and just happened to find it.

abominable fricke
Nov 11, 2003

I've had a few computers come through with Virut. I tried to clean the first one, and wasted a lot of time and frustration. Now if I find it, it's backup and flatten time. No ifs, ands or buts.

abominable fricke
Nov 11, 2003


Luk0r posted:

What happened to Spybot and Ad-Aware for cleaning up poo poo on computers? Am I living in the past?

I still use Spybot but more for the back end clean up than for the initial cleanup. It will find and allow you to fix security center overrides and that sort of thing that other programs do not find.

abominable fricke
Nov 11, 2003


People Talking about Virut posted:

Virut

There is a free stand alone AV called Dr.Web that will clean .exe files that are infected with Virut.

abominable fricke
Nov 11, 2003


Otacon posted:

VIRUT

You haven't even begun to scratch the surface of how unbelievably evil this virus is.

It injects itself into key files in the i386 folder and waits. If something changes a file in the Windows system folder and Windows File Protection determines that it is compromised and must be re-expanded, then *boom* the payload is executed and begins to run rampant on the computer.

I actually find virut on 2/3 of infected machines, it just turns out that it is hiding in the i386 folder waiting for its moment. However, at this point it is easily dealt with.

I noticed this a couple of weeks ago and was shocked at the sneakiness of this motherfucker. God damned evil genius that author is.

Also, I completely agree that once a system has virut running on it, you're hosed. Boot to a live disk and get what you need. NEVER BOOT INTO WINDOWS AGAIN TO RECOVER FILES. VIRUT IS LIKE THE EBOLA OF COMPUTER VIRUSES. YOU WILL UNWITTINGLY INFECT ALL YOUR OTHER COMPUTERS. Reformat and cut your losses.

abominable fricke
Nov 11, 2003


Zwabu posted:

What is the best way to detect a Virut infection?

Eset online scanner will find it, and so will dr.web

abominable fricke
Nov 11, 2003


brc64 posted:

Fun fact: our worst vundo-offending client shares a mapped drive on the server between all of the PCs.

I don't quite get why that's a problem in this case, though... what is so bad about dropping a randomly named vundo DLL on a mapped drive? I mean, that's not going to magically infect anybody who uses that drive, is it?

Is it not dropping an autorun.inf there too? Otherwise that would be silly.

abominable fricke
Nov 11, 2003

I think there was an update passed along by Microsoft after SP3 that disables that function. If someone can substantiate this that would be great; I only say so because a lot of the machines I work on don't autorun anymore.

With the advent of flash drives that can carry a payload this is (would be) a welcome change in my eyes.

abominable fricke
Nov 11, 2003


parasyte posted:

If they insist we reinstall programs we ask them for the discs or the keys if we happen to have a disc available to us. Usually my boss has us try various discs if we end up having to get a Windows key from the registry though I usually will refuse to install some random customer's Windows if it happens to need a VLK disk.

From a business standpoint (and a lot of the posters in this thread are in the repair business) it's a bad idea to not take every step possible, provided you know how, to recover 'lost' MS key codes.


Most of the time I will reinstall their office for them even if they don't have the key. Typically I use the digital product id found in HKLM\Software\... to decode their license key. Then, I can use the \MSOCACHE directory to reinstall the program. I never alert the client that there is a possibility that I might be able to recover their office until I already know the answer. I just do it and tell them that I was able to do it and when they get the computer home with Office installed they are ecstatic.

There is nothing illegal with what I do, I merely assume that the keys I am recovering are legal. It's in poor taste to even allude to a client that they are a thief, and so I assume that they have a legitimate copy of software that they presumably bought legally. I am certainly not in the business of being a pirated software supermarket. I could lose my ability to ever make money in the field again if I were to act like one. However, I am also not in the business of software license enforcement. Unless a client is being stupid and using near iconic key codes like the 'FCKGW' key on their XP with SP1 machine or using the 'GWH28' key code for Office 2003 Pro VLK, it's no skin off my back to reinstall the software.

The last thing either I or my clients have time for is going through the effort of finding out if each and every key I recover is in fact legal; instead of putting myself in a situation where I might lose a client (and all the potential clients that I might have gained through them), if I know that there is software piracy taking place on the machine I will tell them that there is no way I can recover their key and unless they have the box at home somewhere, there is nothing I can do. Additionally, if it is something that I have to call in the activation for, and the Microsoft lady cheerfully activates it, then who am I to complain.

Now that I have derailed the discussion I will contribute that I am growing increasingly spiteful toward virut. Even with backup flatten and reinstall it is a bitch because you have to be certain that there are no .exe files left behind that someone stupid could run on a whim and restart the whole process.

The creator(s) are evil loving genius(es) and if I were to meet them I would first shake their hands and congratulate them on the success of their hell spawn. I would then kick them in the balls.

abominable fricke
Nov 11, 2003


mixitwithblop posted:

If you are having trouble with that new Vundo variant that's been running around, and AntiMalware and SuperAntispyware are getting their asses kicked, I highly suggest running:

Trojan Remover ( https://www.simplysup.com )

It's not an all-in-one cleaner, but with it you can get to where you can at least boot outside of safe mode and install/run AntiMalware and SuperAntispyware. The jig is up, as it seems they're starting to target Malwarebytes and SuperAntispyware as of late.

For a good laugh at all the new 'rogue' antivirus/spyware apps popping up(unless you already know all the new ones because you keep installing them, ha) see the Malwarebytes blog:

http://malwarebytes.besttechie.net/

I've been seeing this behavior for a while. Renaming combofix.exe to rambofix.exe is sometimes effective. Another tactic I employ in combating these malwares is to use hijackthis renamed to something coupled with the delete on reboot registry hack.

abominable fricke
Nov 11, 2003


Midelne posted:

Personally I see Virut and give up on cleaning. It's not impossible to clean, but it's a lot quicker and less frustrating to remove vital pictures and documents, format, and reinstall Windows.

Did you ever see that Achewood comic about the guy who invented Comic Sans? That's what I imagine it'll be like someday for the IT community when someone takes credit for writing Virut.

I've told clients that if I ever met the son of a bitch I would approach him, shake his hand, congratulate him on making something so nefariously evil, and then cold cock him in the nose.

I think I would be justified.

abominable fricke
Nov 11, 2003

I've got two machines on my bench right now that the screen on them dims in such a way that you would think that a UAC prompt is about to appear. One of the machines is running vista and the other is running XP. I've run it through half of my virus removal routine and it hasn't gone away, which isn't to say that it won't be resolved in second half. I did, however, want to ask and see if anyone was aware of anything new that exhibits this behavior.

abominable fricke
Nov 11, 2003


Midelne posted:

Like, a fake UAC prompt utilizing a semi-transparent window to make it look like UAC was popping up?

If that's the case, yes. There's an example of a program attempting to spoof a UAC prompt about halfway down the page.

I've already run Malwarebytes and still am having a semi-transparent display on both machines.

abominable fricke
Nov 11, 2003


Diocletian posted:

Combofix needs to be able to work on Win7 64-bit damnit. Or at least something comparable should work, Malwarebytes' and MSE are ok, but I don't like to rely on just those two.

I am not aware of anything that would infect an x64 system that would require Combofix to remove. Combofix works on 32-bit systems only.

abominable fricke
Nov 11, 2003


Twotone posted:

What does MSE stand for? I'll try it. Malwarebytes and Superantispyware come up with nothing. AVG of course comes up with nothing as well.

Microsoft Security Essentials

abominable fricke
Nov 11, 2003


BillWh0re posted:

It appears that a lot of people infected with the TDSS/TDL3 rootkit I was talking about before are now getting bluescreened after patch Tuesday.

http://tech.slashdot.org/story/10/02/12/1455203/Rootkit-May-Be-Behind-Windows-Blue-Screen (slashdot but the original source seems to be down)

Most likely because the update may try to patch the stealthed atapi.sys file, with all those file writes going through the rootkit, and the rootkit doesn't properly implement them so the system is left in some horrible intermediate state when it reboots. MS can't tell that atapi.sys has already been patched by the rootkit since it's stealthed and appears totally normal, and the rootkit can't properly apply the MS update since it won't allow writing to its patched code. Nice.

I came in here to post exactly this. I find it mildly humorous until I remember that I will be fixing a lot of this next week.

I've also noticed a lot of hijacked userinit.exe entries at the HKLM\Software\Microsoft\Windows NT\Winlogon\Userinit key. It appears that they are typically altering the key to point to winlogon32.exe. Needless to say it causes a logon/logout loop. This can be fixed via ERD and altering the key to point at userinit.exe again. As a safe measure I have also been replacing msgina.dll, winlogon.exe and userinit.exe.
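A quick sanity check for the Userinit hijack described above, written as an added example (not code from this thread): it validates the comma-separated Userinit value against the stock single-entry form and produces the value to write back when repairing the key from an ERD boot. The system root and the sample values are assumptions; on a live system you would read the value from the registry (or from the offline SOFTWARE hive) and pass it in.

```python
import ntpath
import re

# Stock Userinit value is a comma-separated list with one entry and a trailing
# comma. System root is an assumption; pass the real one for the machine.
DEFAULT_SYSTEM_ROOT = r"C:\Windows"


def expected_userinit(system_root=DEFAULT_SYSTEM_ROOT):
    """The value to write back to Winlogon\\Userinit when repairing the key."""
    return ntpath.join(system_root, "system32", "userinit.exe") + ","


def parse_userinit(value):
    """Split the Userinit value into its program paths, tolerating quotes and
    a missing trailing comma."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def check_userinit(value, system_root=DEFAULT_SYSTEM_ROOT):
    """Return a list of findings; an empty list means the value looks stock.

    Flags a swapped program (e.g. winlogon32.exe), a userinit.exe loaded from
    anywhere but system32, and any extra entries chained after userinit.exe,
    which is a classic way to run something at every logon.
    """
    findings = []
    entries = parse_userinit(value)
    if not entries:
        return ["Userinit is empty: winlogon starts nothing and the session ends at once"]
    expected_dir = ntpath.join(system_root, "system32").lower()
    for index, entry in enumerate(entries):
        # Expand %SystemRoot% case-insensitively; a lambda avoids backslash
        # escapes being interpreted in the replacement string.
        path = re.sub(r"%systemroot%", lambda m: system_root, entry, flags=re.IGNORECASE)
        directory, filename = ntpath.split(path)
        if filename.lower() != "userinit.exe":
            findings.append(f"entry {index}: unexpected program {entry!r}")
        elif directory.lower() != expected_dir:
            findings.append(f"entry {index}: userinit.exe loaded from {directory!r}, not system32")
    if len(entries) > 1:
        findings.append(f"{len(entries)} entries present; a stock value has exactly one")
    return findings


if __name__ == "__main__":
    # Constructed sample values: one stock, one matching the hijack in the thread.
    for sample in (r"C:\Windows\system32\userinit.exe,",
                   r"C:\Windows\system32\winlogon32.exe,"):
        print(sample, "->", check_userinit(sample) or "OK")
    print("repair value:", expected_userinit())
```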

abominable fricke
Nov 11, 2003


KillHour posted:

I had an awesome idea for a virus the other day, and was wondering if anyone had seen something like it, or knew if it was even possible. It would search for known router firmwares and replace them with a modified version that has the virus embedded in it. It would then proceed to reinfect any computers you cleaned and hooked back up to the network. If done right, it would be hell on earth to discover what was really happening.

Unless it is an unsecured network or unsecured setup page, I doubt this would be plausible. What I have seen though is where a virus sets up an ad hoc network in a computer's wireless control panel that broadcasts when no other network is present. What then happens is that people around the machine connect to the ad hoc network and get infected, or worse, the ad hoc SSID is the same as ones that are legitimately used by businesses, so machines that have connected to the legitimate SSID automatically connect to the malicious ad hoc network in the absence of a real network.

abominable fricke
Nov 11, 2003

Anyone come across one that redirects webpages to websiteblockonline.com? I've thrown just about everything I've got at this machine and it turns up nothing. The only really useful Google result on it is dated July 11, 2010 and it says to run Malwarebytes (which I have). There is nothing except for localhost in the hosts file; SUPERAntiSpyware, Spybot, a2 Free, ESET Online Scanner, and BitDefender Online Scanner find nothing. I have no proxy settings to remove. Basically I cannot find any good reason for this to be going on and really don't want to have to flatten and reload this machine.

abominable fricke
Nov 11, 2003

Forgot to mention that I've run ComboFix (it keeps detecting rootkit activity but doesn't resolve anything). Also ran HijackThis; it found nothing out of the ordinary, and the DNS is set to be assigned automatically from the gateway.

I'm stumped here. I think I might give the Dr. Web live CD a try.


edit: Dr. Web found nothing

abominable fricke fucked around with this message at 14:57 on Jul 16, 2010

abominable fricke
Nov 11, 2003

Ted Stevens, Hitman Pro found it. Thank you so much. Let's talk about me having your e-love child.

abominable fricke
Nov 11, 2003


Ted Stevens posted:

Glad to hear it worked. I did a ton of research on AV solutions and Hitman did a great job finding poo poo others didn't.

So, that redirect problem is gone and everything?

And abominable, I'd love to be your e-child donor. At least I'd be getting some kinda sex :)

The redirect problem is gone, as it turns out the machine was infected with a variant of TDSS that had infected the keyboard driver. Sneaky fuckers.

abominable fricke
Nov 11, 2003


Megiddo posted:

There's really a lot more to it than that, if you want to keep your machine secure:

Use Firefox or Chrome with NoScript and Adblock Plus and disable/uninstall any unneeded plugins. Make sure your browser is kept up to date with automatic updates. Check Mozilla's plugin check regularly to see if you have vulnerable plugins. Make sure you are receiving Microsoft updates for all Microsoft software (not just Windows), and keep all third-party software up-to-date that interacts with downloaded material of any kind, whether it has a plugin for a browser or not.

Only install Java when you actually need it and uninstall it promptly when finished. If you need to have Java installed all the time due to Java-dependent software, keep it updated at all times and disable Java plug-ins/add-ons in all your browsers. Keep in mind that Oracle rarely issues "out-of-band" critical updates/patches for Java, leaving security and bug fixes for the next quarterly release - and leaving you vulnerable until Oracle's next scheduled release. Unless you don't have it installed in the first place, of course.

Keep Adobe Acrobat, Adobe Reader, or any third-party PDF viewers up-to-date and ideally disable their plug-in/add-on. Make sure Acrobat/Reader security settings are set for maximum security: delete the Flash authplay.dll that's bundled with Acrobat/Reader, disable JavaScript, disallow multimedia operations, enable enhanced security, disallow opening of non-PDF files.

Keep Adobe Flash and Adobe Shockwave updated. Make sure Flash is set to check for updates automatically. Do not install Shockwave unless you actually need it as many people neglect to check for Shockwave updates and Adobe does not have an option to automatically check for Shockwave updates.

Keep Apple QuickTime updated, or else disable its plug-in/add-on in all browsers, or just don't install QuickTime. If you use VLC, Winamp, or some other media player, make sure that it is updated as they have been known to have critical vulnerabilities with some types of files.

Any other programs that interact with downloaded files should be kept updated. For example, if you use uTorrent, even without a browser plug-in, you are still opening downloaded .torrent files that could exploit older versions of uTorrent with critical vulnerabilities.

If you're on a locked-down corporate, university, or public machine where you cannot update plugins or browsers, uninstall Java, etc., use a USB flash drive with Portable Apps configured for secure and private browsing.

But good luck getting even experienced computer enthusiasts or professionals to do the above, let alone the casual user.

I added this info to the OP. Suggestions for further additions should be sent to me via PM as I don't check this thread regularly anymore. I am however very flattered that 3 years later it is still going strong.

abominable fricke
Nov 11, 2003

Anyone encountered Cryptolocker yet? Apparently they make good on their threat to encrypt your files. Have one on my bench that I didn't take seriously and now it looks like I might be forced to pay the ransom.

Info:
http://community.spiceworks.com/topic/381787-crypto-locker-making-the-rounds-beware
http://www.geek.com/apps/disk-encryptiing-cryptolocker-malware-demands-300-to-decrypt-your-files-1570402/


abominable fricke
Nov 11, 2003


go3 posted:

We've discussed it a little in the 'A ticket came in...' thread and I've been following it extensively. It's going to be a real issue. So far payments made have resulted in the files being decrypted. Once time is up the program removes itself and, most importantly, removes the registry entries containing the public key and list of encrypted files.

Long story short, if you don't have backups/system restore, pay the ransom. I don't think anyone is holding out much hope on the encryption being broken.

Welcome to the future, guys.

I've read a little bit about it, and I guess my understanding is unclear. Does the software encrypt the data when it is installed? Or does it encrypt when the timer reaches 0? Another thing that I am wondering about: does it run in a system context or a user context? I ask because I have a machine that sat on my bench (off) while the timer was still running, and I booted it after the timer expired (but didn't log in). So I am wondering, if I set the clock on the computer to a time shortly after the machine was brought in, can the ransom be paid and the machine restored to back up the data and then flatten it?
