I'm putting together a new toolkit, as my last one (hijackthis, spybot, adaware, AVG) is kind of lol. So far in plowing through this thread, it sounds like I should burn to a locked usb key the following - 1. combofix 2. malwarebytes-antimalware 3. rkill 4. hijackthis 5. ? anything else essential? I feel like most of that addresses malware - what should I be using for a virus scanner? Is AVG Free still alright? what about MSE? I actually think I prefer MSE because it doesn't have all those horrible popups, but maybe there's a way to disable them?
# Feb 3, 2011 21:30
hahaha, reading the bleepingcomputer forums makes my head want to explode seriously I think the entire premise behind any posts about combofix is to troll any non-native English speakers by posting longwinded horrible grammar scary holier than thou rhetoric about why no one can possibly understand how to use combofix other than approved senior regular bleepingcomputer forum users some guy was like 'hey, I'm not an idiot. stop condescending and just tell me how to learn how to properly use combofix and stop being a dick'. mods respond quietman7 posted:Group:Global Moderator
# Feb 3, 2011 22:12
J posted:I'd add process explorer and TDSSKiller to that list. The latter deals with a certain type of rootkit that I see very often with typical malware infected computers, and that utility scans and removes them very quickly. It's been immensely handy in my experience. Thanks, exactly the sort of tips I was looking for. I guess I've seen a ton of mention of Alureon in this thread, so TDSSkiller is probably a good idea. Thanks again!
# Feb 4, 2011 00:26
one more tiny question about some of these more prevalent malware etc programs - should you basically *always* boot into safe mode w/network before running them? is there any disadvantage to doing so? what about order in which to run the semi-automated ones? I'd think malwarebytes first, followed by some of the more specific ones? or should combofix go first? I guess my question about order just stems from the fact that I can't really tell what combofix is doing, whereas I think malwarebytes and normal antivirus programs are pretty straightforward.
# Feb 4, 2011 03:48
it's about time for me to put together another compendium of my 'AMAZING ANTIVIRUS SAVIOR CDROM/USBSTICK 6.0' my last one was my first one, I'm just getting back into the game as far as virus purging goes. so, I'm looking for some feedback of anything I might be missing. one thing I know I want but am having trouble finding is a good bootable in-depth antivirus/malware program for systems where I can't even boot into windows. I looked at the kaspersky boot cd one, but the very first system I tried it on, it wouldn't detect the hard drive (on a dell laptop) or some bullshit and basically wouldn't finish booting up - so obviously it's out. anyways, here's what was on my last one : combofix desktoptaskmanager mwbam MSE installer, x64/x86 TDSSkiller gmer superantispyware portable with defs rkill procexp an avgfree installer for kicks critical feedback encouraged!
# Jun 16, 2011 06:07
lazer_chicken posted:SafeMSI (or instructions for how to do it manually) is really useful if you're like me and forget how to do it every single time. hey presto, I didn't even know about this. Thanks, that will be useful - I wasted an hour on a machine a couple weeks ago trying to figure out how to do windows installer in safe mode - I just figured it was truly disabled - didn't even think to google it.
# Jun 19, 2011 22:33
Corvettefisher posted:Just going to throw this out there but would anyone be opposed to me making a new thread same topic but with an OP that has some trouble shooting/common problems/scanners/etc? I wouldn't be opposed to that if you would actually take it upon yourself to update it. too often people start threads and then don't really keep the OP up to date with the latest happening in the thread... I'd be willing to contribute at least the tools I use on a day to day basis, but would also be interested in hearing what is in others' toolkits...
# Dec 14, 2011 00:21
is hitmanpro better than malwarebytes antimalware? or does one address things the other doesn't? I really don't like the kookiness of MWBAM, and that it leaves a giant icon in people's start menus/desktops that says MALWARE if I forget to uncheck the box. using hitman on my own system right now for the first time, and I like that there's an option to just scan and not install... and it seems to be catching all the same stuff as MWBAM.
# Mar 29, 2012 00:09
repeating posted:sfc? http://www.com????
# Apr 27, 2012 07:50
fatjoint posted:Can one of you guys who deals with a lot of nasty stuff post a comprehensive "This is my tool set" post? this isn't comprehensive, but my standard attack vector is boot safe mode then rkill -> fixTDSS/TDSSkiller -> combofix -> MBAM if I run into anything major combofix can't handle, I'll research and bring out virus-specific tools, or if it's horrible usually recommend just flattening the system, since it works out to be more cost effective for clients. would love to hear other people's attack plans though, since this is just what has been working for me, and by no means definitive.
# Jun 5, 2012 03:54
I don't really know the history of combofix - but why is it so good at what it does, while anti-malware and AV programs completely suck?
# Jul 7, 2012 08:47
speaking of which - there are so many times when I need to use combofix via remote access - but combofix kills the logmein service, and will sit there waiting for prompts from the user. has anyone had any luck using some other remote access program to run combofix? or does combofix have an unattended mode? I hate that they try to hide information about the program on the basis that only their dumb trained 'malware gurus' can handle using the tool properly.
# Jul 13, 2012 21:31
goddamnit there's gotta be a way
# Jul 14, 2012 19:11
alright, virus kit rollcall what you guys got in your kits? code:
# Sep 10, 2012 03:25
Revitalized posted:I am indeed using Firefox, and I tried the GooRedFix. It was done in a second but I still seem to get redirected on first click. I just decided to google "What exactly does Combofix do?" and the first link was to a forum post. Clicking on it redirected me to a Norton Security advertisement page, but I went back and clicked the link again and it took me through to the forum post. so, I've been having this happen on my personal machine, which is embarrassing considering I fix computers for a living. can't seem to get the bugger. done gooredfix, combofix, tdss, gmer scan, checked stuff with hijackthis, and no dice. did you ever end up figuring this one out?
# Sep 20, 2012 19:09
This dumb google redirect thing on my laptop has gotten past every scanner I've thrown at it, and I can't track it down with like hijackthis or anything, though I see symptoms of it in my registry. anyone run into a really hard to find redirect recently?
# Oct 17, 2012 23:42
Hex Darkstar posted:If possible can you provide examples/screenshots what you're seeing in the registry? Also if you haven't already try giving that rogue killer application I recommended above a run. So, when I run hijackthis, there are tons of references to files that no longer exist - basically anything that says "file missing". And yeah, I did give that rogue killer app a run too. no dice.

O23 - Service: Bluetooth OBEX Service - Intel Corporation - C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
O23 - Service: Intel(R) Centrino(R) Wireless Bluetooth(R) + High Speed Security Service (BTHSSecurityMgr) - Intel(R) Corporation - C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
O23 - Service: Intel(R) Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: Intel(R) Dynamic Platform & Thermal Framework Processor Participant Service Application (DptfParticipantProcessorService) - Unknown owner - C:\Windows\SysWOW64\DptfParticipantProcessorService.exe
O23 - Service: Intel(R) Dynamic Platform & Thermal Framework Config TDP Service Application (DptfPolicyConfigTDPService) - Unknown owner - C:\Windows\SysWOW64\DptfPolicyConfigTDPService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Zero Configuration Service (ZeroConfigService) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
# Oct 19, 2012 06:54
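An added triage helper for O23 lines like the ones in the log above; it is example code written for this page, not part of HijackThis or any tool the thread names. It assumes the documented cause of the many "(file missing)" entries: 32-bit HijackThis on 64-bit Windows has its System32 lookups redirected to SysWOW64, so 64-bit-only service binaries such as lsass.exe look absent. The last two sample lines (the "Update Helper" service and the header) are constructed and not from the posted log.

```python
import re

# HijackThis O23 (Windows service) line layout, as in the log above:
#   O23 - Service: <display> [(<key>)] - <vendor> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Places a service binary rarely belongs; legitimate software does land here
# sometimes (the Skype entry), so this is a review flag, not a verdict.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")


def parse_o23(line: str):
    """Split one O23 line into its fields; None for any other log line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {"display": m["display"], "key": m["key"], "vendor": m["vendor"],
            "path": m["path"], "missing": m["missing"] is not None}


def classify(entry: dict) -> str:
    """Heuristic triage of a parsed entry, most specific test first."""
    low = entry["path"].lower()
    if entry["missing"] and "\\windows\\system32\\" in low:
        # Assumption: 32-bit HijackThis on 64-bit Windows is redirected to
        # SysWOW64 when it stats System32, so 64-bit-only binaries (lsass.exe,
        # spoolsv.exe, ...) report "(file missing)" while actually present.
        # Confirm with a 64-bit tool before treating this as evidence.
        return "wow64_false_positive"
    if entry["missing"]:
        return "file_missing_review"      # orphaned service key or deleted binary
    if any(marker in low for marker in USER_WRITABLE):
        return "user_writable_location"   # check signature and install history
    if entry["vendor"] == "Unknown owner":
        return "unknown_owner"            # no company name in version info
    return "ok"


def triage(log_lines) -> dict:
    """Group service key (or display name when there is none) by verdict."""
    verdicts: dict = {}
    for line in log_lines:
        entry = parse_o23(line)
        if entry is not None:
            name = entry["key"] or entry["display"]
            verdicts.setdefault(classify(entry), []).append(name)
    return verdicts


# Seven lines excerpted from the log above, then two constructed lines.
SAMPLE_LOG = [
    r"O23 - Service: Bluetooth OBEX Service - Intel Corporation - C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe",
    r"O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)",
    r"O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)",
    r"O23 - Service: Intel(R) Dynamic Platform & Thermal Framework Config TDP Service Application (DptfPolicyConfigTDPService) - Unknown owner - C:\Windows\SysWOW64\DptfPolicyConfigTDPService.exe",
    r"O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)",
    r"O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe",
    r"O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe",
    r"O23 - Service: Update Helper (updhelper) - Unknown owner - C:\Users\Public\updhelper.exe",  # constructed
    "Running processes:",  # constructed non-O23 line, skipped by the parser
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_LOG).items():
        print(f"{verdict}: {', '.join(names)}")
```

Feed it a whole HijackThis log and only the O23 section is picked up; everything in "wow64_false_positive" still deserves a second look with a 64-bit tool, but it is not by itself a sign of infection.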
Tapedump posted:Don't suppose Disk Management shows an extra 10MB or so partition hanging off the end of your hard drive? Even if not, check using gparted/linux live cd. Try TDSSKiller, too. nope - I'm 1000% sure of this too, because I just made an image of my win7 partition, wiped my disk clean, installed backtrack linux and grub, then restored my win 7 backup to a different partition. I basically just got done making sweet love to my entire partition table, I know it like uhhh the back of my hand or something. now that I think about it, I don't know why I didn't just reinstall windows while I was going to all that trouble, but I guess I want to get to the bottom of this since it's my job and all. it's been like 4 years since there was a virus/malware I couldn't track down.
# Oct 19, 2012 06:57
Khablam posted:You could very well have a system file that has been replaced with a modified version. Open a command prompt and hit "sfc /scannow" and let it verify your Windows files. You may need your installation media. I was slapping myself for not doing an sfc, but it came up clean. hosts and DNS is clean. I'd just do a clean install, but at this point I really just want to find this fucker. the google redirect itself doesn't affect my usage of the machine horribly, so time spent isn't an issue...
# Oct 20, 2012 18:02
NecessaryEvil posted:Unfortunately, it is in my job description, and I'm part of the IT company they hired. I hope there were bees in the trap.
# Oct 26, 2012 17:40
in other news, I just reformatted because of that google redirect thing, and changed all my banking passwords just in case. I'm still loving pissed off that a virus won - first time I've given up in a couple years.
# Oct 26, 2012 17:41
let me be the first to just say "lol"
# Nov 10, 2012 18:23
Laserface posted:The only thing I can think of with this, as it hit me too a while ago, is a hidden partition on the drive or a bootkit. I owned my partition table, dualbooted linux and 7, mine was clean... I'd love an answer if anyone finds it too...
# Nov 29, 2012 00:01
movax posted:I've been derelict and haven't perused this thread in detail yet; are you guys using this as a generic computer security/~~InfoSec~~ thread or is there enough to go on here about just viruses and malware? viruses and malware
# Dec 6, 2012 23:59
Zwabu posted:Wife's computer has a "Speedy PC Pro" pop up saying she has 269 infections yada yada. Popup notes that it's a "Microsoft Partner!" and popup came up with VOICE/SOUND announcing the infections. Is this a virus and if so what is the best removal tool? I had this one on a client machine the other day. There was a MBR rootkit, so make sure you check well. But, for the speedy pc reg thing, it was just an uninstall from add/remove programs.
# Feb 3, 2013 00:53
Revener posted:Setting up a new PC and I'd like to do it right. Is there anything that isn't in the OP that anyone would recommend as far as setting the new PC up? What software do people recommend, or has it not changed much since the OP was last updated? just re-read it, it seems good to me. fresh install/uninstall any OEM poo poo, update drivers, let ms update do its thing, install latest adobe and set it to patch automatically, ditto for java if needed, install MSE (it's as good as NOD - and I swore by NOD a couple years ago), put chrome/firefox on with adblock. golden, until your user is an idiot and opens "Fax From A Tracking UPS Delivery HP FaxJet ScanCenter . PDF.DOC.XLS.EXE.JPG"
# Feb 3, 2013 12:05
Zogo posted:It just opened up to a harmless looking photo for me. YOU NOW HAVE ROOTKIT.KINJECT ALSO AIDS
# Feb 8, 2013 05:22
everyone always needs combofix, they just don't know it yet. possible new thread title....
# Apr 16, 2013 09:45
I've come across something that causes google chrome to just say 'loading....' no matter what page you go to. I can't even get to the settings menu on this computer. I've uninstalled and reinstalled with no luck. I've combofixed it, checked for rootkits, malwarebytes, etc - nothing is coming up. hosts file is fine, dns server is being set properly. all other browsers work perfectly. anyone know this one?
# Apr 27, 2013 00:02
try adwcleaner. I'd combofix it too first, but I combofix everything. Then check installed programs, check plugins/extensions, run a hijackthis, check hosts, and run malwarebytes again.
# May 13, 2013 00:52
I feel dense asking this, but is there any good way to do hardcore disinfection on an entire network of machines? Like, let's assume there was a 1000 user network, and 30% of the machines had rootkits. I mean, if I ran a 1000 user network, I'd just have system images, not store user data locally, and flatten machines left and right, but even that would involve a lot of work setting up profiles and poo poo again for users? unless all their programs were web based and literally nothing was really local. But anyways, let's assume there's a mismanaged network of 1000. Or, more realistically, what about a 50 user network not being managed like an enterprise / without system images? I assume there's not an easy way other than taking individual machines off the network and giving them a lot of personal attention - but just wanted a sanity check from y'all.
# May 13, 2013 00:59
Pablo Bluth posted:I've come across a website (non e-commerce site for a shop) that appears to be serving malware (it was blocked by the firewalls at work, and I didn't note the malware name). There's some rather suspicious obfuscated javascript that inserts iframes from a second website (which serves up a clone of a respectable website). you have done your job, good citizen
# May 29, 2013 23:58
Khablam posted:Cryptolocker has taught me the sheer amount of corporate mail servers that can't/don't scan attachments is simply amazing. You're literally safer using free webmail than a managed solution you'd pay 5-figures a year for. yeah, if you're running a mail server without an endpoint security service, you're a dolt. I got called out on this very early on in my career. Thank you, incredulous NOC technician, for being a huge dick when I tried to do something stupid. google postini was great, but I guess they're transitioning to a google apps only type service. they say nothing will change with how it interacts with exchange servers, I'm hoping this is actually true...
# Oct 12, 2013 07:01
does anyone have any documentation on the inner workings of combofix? I'm always really annoyed by their whole "ONLY FOR USE WITH AUTHORIZED HELPER, DONT USE THIS ON YOUR OWN, THERE BE DRAGONS HERE" poo poo. I mean I understand it as a public policy, but it'd be really useful if they shared like, command line options, how to write scripts for it, etc for those of us who use it on a regular basis.
# Oct 16, 2013 22:05
Khablam posted:Real answer: it's obfuscated because the people actually telling you to run it don't have a clue what it does, and it sounds better to say "sorry, can't tell you" than "I'm a trumped up self-aggrandizing wannabe IT expert with a 2000 word MOSTLY RED CAPS LOCK copypasta for dealing with any and all IT issues" Yeah, I completely agree with all of that really. I don't think there's any legitimate reason to obfuscate basic parts of the program other than to be a shitlord. I'm sorry, but publishing some command line options on how to run an unattended scan are not going to let the terrorists win. Annoyingly, it's very good at what it does. It's usually my first line option, just because it's so easy. I've never had it gently caress up a machine either. So, disable AV, combofix it, and then delve in deeper to see if there are still traces of infection. I'll admit I'm a bit lazy, but I lost the virus-hunting boyscout attitude a longgggggggggggggggggg time ago, sometime after I joined the real world of technology support.
# Oct 19, 2013 07:18
jesus christ that's horrifying
# Nov 1, 2013 21:12
everyone knows america will be around forever, so I'm sure there's no reason DARPA would put a killswitch in it...
# Nov 2, 2013 00:51
H1KE posted:A machine came in today, filled to the brim. Nothing unusual. Qvo6, Yontoo, ZeroAccess, GoonSquad, Winweb-wait what? you'll edit this post if you know what's good for you
# Nov 18, 2013 10:56
Drunk Badger posted:But still, what does it do? it does everything. hit it with combofix, hit it with malwarebytes, and unless you have something particularly nasty, you're done. I'm near 100% success with combofix. I can only think of two times it made things worse - it completely hosed some graphics drivers once and windows wouldn't boot, but I just fixed that up manually - and another time when the MBR suddenly was pointing to a wrong partition - but again, I just booted my utility disk and fixed that manually and they were good to go. Occasionally there's stuff that neither combofix nor MWBAM picks up, but again, easy enough to spot and remove manually in most cases. also, a good way to hedge your bets is to warn clients before you do any work on their system that virus removal is inherently risky, and that things like settings + bookmarks + 3rd party programs might be "infected by viruses" (I mean... yeah it's not technically true, but it's a good way to explain it), and could be removed during the cleanup process. Make sure they have a backup, or consent to you charging them to go ahead and make one before you continue. I won't work on a system unless I have in writing that they don't mind if some data is lost, or that they have a backup already in place (or I'm ghosting one for them, like Siochain mentioned)
# Feb 21, 2014 23:21