Oddhair
Mar 21, 2004

No sooner does this thread show up, suddenly a friend has popups and bluescreens all over the place. He somehow got Rootkit.TDSSrv, Rootkit.KInject, and Vundo. His slightly wonky hardware isn't helping, either - <1-year old DVD-RAM drive won't boot from 2 different bootable DVDs, handles CDs fine.





Oddhair
Mar 21, 2004

Usually IsoBuster will allow you to get data off of multi-session discs, even in the eventuality that was described a few posts up (assuming malware could accomplish this; sorry, I don't understand optical media like I probably should).




Oddhair
Mar 21, 2004

I've been checking out this thread regularly, anyone run into the Cognac trojan? My company's blacklisted everywhere, and the first sign of an infection was yesterday.

Oddhair
Mar 21, 2004

It seems that way.

Oddhair
Mar 21, 2004

The machine was taken offline and cleaned, but I'll probably need to reinstall it Monday. I say probably because it isn't up to me, not because it will be optional. As of now, all blacklists are clear, but a few showed us as spammers on Friday.

Oddhair
Mar 21, 2004

I feel like I'm risking getting flamed in here... I had a friend recently who had Virut on her hard drive in a few system files, WMplayer.exe, etc. I scanned it offline from another machine with SAS and MBAS, as well as the AV client on the scanning machine, then performed a repair install. Should I have been able to clean it off in the space of a few hours?

Here's the important part of the log:

code:
"E:\Program Files\drv\drv.dll";"Trojan horse Proxy.AGWM";"Moved to Virus Vault"
"E:\Program Files\drv\drv.sys";"Trojan horse Rootkit-Agent.EA";"Moved to Virus Vault"
"E:\Program Files\Internet Explorer\iexplore.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\Program Files\Windows Media Player\wmplayer.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\RECYCLER\S-1-5-21-806781853-103213164-3961594168-1006\Dc8.exe";"Trojan horse FakeAlert.KT";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000337.exe";"Trojan horse SHeur2.AOSF";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000338.exe";"Trojan horse Generic13.BWKW";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000339.exe";"Trojan horse VB.IYB";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000340.exe";"Trojan horse FakeAlert.KT";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000341.exe";"Trojan horse FakeAlert.KT";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000342.exe";"Trojan horse PSW.Generic7.PLE";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000343.exe";"Trojan horse Generic13.BXOC";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000343.exe:\sopidkc.exe";"Trojan horse Generic13.BXOC";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000343.exe:\tpsaxyd.exe";"Trojan horse Delf.KZJ";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000344.exe";"Trojan horse Downloader.Generic8.ZWW";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000345.dll";"Trojan horse Proxy.AGWM";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000346.sys";"Trojan horse Rootkit-Agent.EA";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000347.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000349.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\WINDOWS\freddy49.exe";"Trojan horse Generic13.BWJW";"Moved to Virus Vault"
"E:\WINDOWS\ld12.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\WINDOWS\msa.exe";"Trojan horse Downloader.Zlob.ANLY";"Moved to Virus Vault"
"E:\WINDOWS\pp10.exe";"Trojan horse Generic13.BTTZ";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\cmd.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\DRIVERS\hjgruinregyxef.sys";"Virus identified Packed.Monder";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\DRIVERS\UACyotnbodulkbidlt.sys";"Trojan horse Injector.FB";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\DRIVERS\vxurgour.sys";"Trojan horse Rootkit-Agent.DY";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\gdi32lib.dll";"Trojan horse Downloader.Generic8.BBXD";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\ghaf8jkdfd.dll";"Trojan horse BHO.JGY";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\hjgruidnhsorsa.dll";"Virus identified Packed.Monder";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\hjgruiksxvdrcm.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\msxml71.dll";"Trojan horse Downloader.Zlob.ANMN";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\netsetup.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\ntvdm.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\regsvr32.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\sdra64.exe";"Trojan horse PSW.Generic7.PLE";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\sopidkc.exe";"Trojan horse Generic13.BXOC";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\tpsaxyd.exe";"Trojan horse Delf.KZJ";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\UACoirkrjnoxjxbqdh.dll";"Virus found FakeAlert";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\verclsid.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\wiwow64.exe";"Trojan horse Downloader.Generic8.BEKC";"Moved to Virus Vault"
"E:\WINDOWS\Temp\cpv.exe";"Trojan horse Generic14.ISO";"Moved to Virus Vault"
"E:\WINDOWS\Temp\kigpwqrxas.exe";"Trojan horse Generic14.BKK.dropper";"Moved to Virus Vault"
"E:\WINDOWS\Temp\lsass.exe";"Trojan horse Generic14.BKK";"Moved to Virus Vault"
"E:\WINDOWS\Temp\mlk1t4y59l.exe";"Trojan horse Generic14.IVO";"Moved to Virus Vault"
"E:\WINDOWS\Temp\sfjh98w3jkdmfkd.exe";"Trojan horse Generic14.IVO";"Moved to Virus Vault"
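An added example of mine, not code from the post: a PowerShell triage pass over an AVG-style log like the one above. It assumes the three quoted, semicolon-separated fields seen in that log (path; detection; action), and it reads AVG's `outer:\inner` path form (the `A0000343.exe:\sopidkc.exe` lines) as an object found inside another file, which is my assumption rather than something the post states. The sample lines are copied from the log above so it runs offline.

```powershell
# Added example, not from the original post. Triage an AVG-style detection log:
# which hits are restore-point copies, which are objects inside another file,
# which are kernel drivers, and which are core Windows binaries that a file
# infector (Virut) modified in place.
# Assumption: each line is "path";"detection";"action" as in the log quoted above.

function Get-AvgTriage {
    param([Parameter(Mandatory)][string[]]$Lines)

    $Lines |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv -Delimiter ';' -Header Path, Detection, Action |
        ForEach-Object {
            $p = $_.Path
            # Assumption: AVG writes "container:\member" for an object found inside another file.
            $category = if ($p -match '\\System Volume Information\\_restore') { 'restore-point copy' }
                        elseif ($p -match '^[A-Za-z]:\\.*:\\') { 'object inside another file' }
                        elseif ($p -match '^[A-Za-z]:\\WINDOWS\\Temp\\') { 'dropped in %WINDIR%\Temp' }
                        elseif ($_.Detection -match 'Virut' -and $p -match '^[A-Za-z]:\\WINDOWS\\') { 'OS binary infected in place' }
                        elseif ($p -match '\.sys$') { 'kernel driver' }
                        else { 'other dropped file' }
            [PSCustomObject]@{
                Category  = $category
                Detection = $_.Detection
                Action    = $_.Action
                Path      = $p
            }
        }
}

function Get-AvgVerdict {
    param([Parameter(Mandatory)][object[]]$Triage)
    $summary  = $Triage | Group-Object Category |
                ForEach-Object { [PSCustomObject]@{ Category = $_.Name; Count = $_.Count } }
    $infected = @($Triage | Where-Object Category -eq 'OS binary infected in place')
    $drivers  = @($Triage | Where-Object Category -eq 'kernel driver')
    $vaulted  = @($infected | Where-Object Action -like 'Moved*').Count

    # A file infector in core OS binaries is the usual reason to prefer a
    # repair install or rebuild: "Moved to Virus Vault" removes the file, it
    # does not disinfect it, so the system is left without those executables.
    $verdict = if ($infected.Count -gt 0) {
                   "Repair-install or rebuild: $($infected.Count) Windows binaries infected in place, $vaulted of them quarantined rather than cleaned."
               } elseif ($drivers.Count -gt 0) {
                   'Kernel-mode components present: scan from clean boot media before trusting an in-OS scan.'
               } else { 'No OS-level persistence in this log; ordinary cleanup.' }
    [PSCustomObject]@{ Summary = $summary; Verdict = $verdict }
}

# Constructed sample: six lines taken from the log above.
$sample = @'
"E:\Program Files\drv\drv.sys";"Trojan horse Rootkit-Agent.EA";"Moved to Virus Vault"
"E:\Program Files\Internet Explorer\iexplore.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\System Volume Information\_restore{1F892275-A7DA-44F3-801F-74DF771BF5AB}\RP5\A0000343.exe:\sopidkc.exe";"Trojan horse Generic13.BXOC";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\cmd.exe";"Virus found Win32/Virut";"Moved to Virus Vault"
"E:\WINDOWS\SYSTEM32\DRIVERS\vxurgour.sys";"Trojan horse Rootkit-Agent.DY";"Moved to Virus Vault"
"E:\WINDOWS\Temp\lsass.exe";"Trojan horse Generic14.BKK";"Moved to Virus Vault"
'@

$triage = Get-AvgTriage -Lines ($sample -split "`r?`n")
$triage | Sort-Object Category | Format-Table Category, Detection, Path -AutoSize
$result = Get-AvgVerdict -Triage $triage
$result.Summary | Format-Table -AutoSize
$result.Verdict
```

Run it against the full log (`Get-Content avg.log`) instead of `$sample` to get the real counts. The point it surfaces from the log above is that the Virut hits on cmd.exe, regsvr32.exe, ntvdm.exe, netsetup.exe and verclsid.exe were moved to the vault, i.e. deleted from SYSTEM32 rather than disinfected, which is why the repair install was the step that actually put working copies back.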

Oddhair
Mar 21, 2004

I had posted earlier in the thread about finding a computer which had files infected with Virut, but not many. I scanned offline on a different, plain-Jane XP machine I keep off my network just for that kind of thing, and cleaned it up pretty well, and then did a repair install. It seems fine, even now months later. I keep thinking there's some glaring hole in my knowledge that I'm overlooking, like the blind spot in each eye. I should be good, though, right?

Oddhair
Mar 21, 2004

Stanley Pain posted:

Good to know :waycool:


on a side note, anyone with Windows HomeServer want to do a quick gmer scan and tell me what they see.


[728x550 screenshot]


Apparently it's a licensing service, which might look like a rootkit...

Edit: I jumped to action right when I saw your post, since I have no AV on my WHS, but between doing scarcely any browsing from the server and a decent firewall, I'm confident the server is clean. My confidence is probably hubris in disguise... :(

Oddhair fucked around with this message at 17:12 on Feb 24, 2010

Oddhair
Mar 21, 2004

univbee posted:

Try The Conficker removal tool at http://www.bdtools.net/. Also, if this is a Vista or 7 machine and you have access to the Microsoft Desktop Optimization Pack (through MSDN or whatever), you can set up an official Microsoft Emergency Rescue Disc (6.0 if it's Vista, 6.5 if it's Windows 7), which has an offline spyware scanner that actually works well on rootkits I've found.

Do you know where it would reside on MSDN?

Oddhair
Mar 21, 2004

That's great, thanks, I see it now.

Oddhair
Mar 21, 2004

I had a real doozy of a Thinkpoint this weekend, and the laptop wasn't helping me either. It's a Dell Vostro 1720 which came with Vista and was downgraded to XP. Couldn't run: Iexplore, Taskmgr, Regedit, Firefox, etc. I found lots of .dlls in her profile, set to start up in both HKCU and HKLM. HijackThis was able to delete some of the dll entries, but I couldn't get rid of Hotfix.exe, under which everything in userland was running. Local group policy was set to disallow ActiveX, so Services.msc would load and be blank, same for gpedit.msc :froggonk:

I tried scanning offline, and then it failed to boot. Since it was once Vista, every boot it asks which OS to run, with Vista being the only choice, but once you select Vista it runs XP. I couldn't get XP media to boot for recovery, it kept crashing with a BSOD before the first interactive prompt, so no console for me. The Vista disk would boot, but the repair console would error out indicating it was for a different version of Windows. I figured maybe the drive has issues after I put two different XP media in my own computer and tried recovery from there.

This next part is my fault, I had a spare SATA hard drive, and it was once used with a Power Mac so now it's GPT instead of MBR. Windows 7 Diskpart wouldn't convert it, Vista's wouldn't convert, I believe because the drive had partitions, though one was the EFI partition.

I finally caved (at ~2:00 this morning, she needed it for 8:00 AM) and installed a spare Vista license I had sitting unused because 7 is better, had the presence of mind to not saddle her with x64 Vista, but I'll probably still have to try to get XP back on it sometime over the long weekend.

Any ideas as to why I can't install XP? I see the HD has a feature called G Force which helps prevent data loss in the event of butterfingers, but it doesn't seem like that would cause any kind of incompatibility.

Edit: I see it's also a 4K sector HD, could this be throwing me off too?

Edit2: Yeah, apparently they don't support 4k natively, and so the writes aren't aligned and performance suffers, but I'm inclined to agree with you the drive might be tanking.

Oddhair fucked around with this message at 18:57 on Nov 22, 2010

Oddhair
Mar 21, 2004

Yeah, I'm sure it wasn't just one, there were scads of files in her profile and dozens of registry entries in HJT, but the booting from CD/DVD never worked. I should have used Safe+Command but I was swamped over the weekend putting 12 cubicles where 6 used to be, this was a side job with a deadline. I finally got fresh Vista on it but she absolutely can't use anything other than XP...

Forgot to mention there was RPCNet there as well, might have even been legitimate, but every time I'd kill it (reflexive RPC=bad thinking on my part) the computer would go into 1:00 shutdown mode.

VVVVVVV It's an edict from IT on high, they literally won't or can't use Vista or 7 for reasons she couldn't explain to me, possibly a piece of software. I'm miffed because I couldn't get XP back on, so it's like I didn't complete the job. I don't doubt I'll get paid, they're great about that (this is a couple of friends), but I feel bad not finishing the whole task. I also ordered her a keyboard on her instruction the same day she ordered one from Dell, but I can't fault her for using her hardware warranty.

Edit: now with screenshotty goodness:

[1155x826 screenshot]

Oddhair fucked around with this message at 20:14 on Nov 23, 2010

Oddhair
Mar 21, 2004

MeestarK posted:

Anyone know of any tools that will auto update flash/java? Seeing if there's anything out there for me to run after cleaning up a system for a customer before I look into making something myself.

Not an auto-update, but Secunia PSI is free for non-commercial use and will alert you to potential security problems (sometimes non-existent ones; mine likes to inform me about previous versions of Chrome that aren't even installed, e.g. versions older than my install date for Chrome).

I've been hit on these forums, as in I had Gmail and three SA tabs open and got the "your computer might be infected" fake pop-up. I had white-listed SA in AdBlock/Noscript but though it's still allowed in Noscript, it's blocked in AdBlock. I should probably buy no ads, since I have archives and Plat.

Oddhair
Mar 21, 2004

Saint Sputnik posted:

Secunia is great and thanks to whoever suggested it the other week.

You're welcome! I use it at home and would like to use it at work.

I keep having users end up with malware, including that one that was pictured in the "London Stock Exchange" article. My boss always assumes they're browsing somewhere that isn't legit, and I keep explaining the way these things usually work to him, and he doesn't argue but I don't think he believes me (I also don't think all these people's browsing is legitimately work-related, but that's another story.)

UAC cranked up, DEP, SEHOP, AdBlock+ and NoScript are saving me from any oops moments, since we all run as local admin in our domain (all of us but one guy, the one with the most recent infection.)

Oddhair
Mar 21, 2004

I couldn't get KeePassDroid to use an authentication file, but that ended up being no additional security, since the key file was right there on the flash drive I use for KeePass as well as on the phone.

Oddhair
Mar 21, 2004

Has anyone had Windows 7 Recovery delete all the shortcuts in c:\program data\all users\Microsoft\Windows\Start Menu? I helped a lady with her infection, and I was able to use the single-line attrib command from around page 50 to show the hidden files. Her Start Menu remained empty, and she had been backing up her profile and system only, not program data. Is it likely they were deleted, or simply moved somewhere?

Oddhair fucked around with this message at 14:16 on May 25, 2011

Oddhair
Mar 21, 2004

warning posted:

Dealt with this today, I just remade the missing shortcuts.

Found mine in c:\users\username\appdata\local\temp\smtmp\1\

It was well worth it due to how much stuff the boss has installed, and how busy he is. Now I have to call back the first person I helped with this, hopefully her stuff is still there.

Oddhair
Mar 21, 2004

Back on page 50 someone posted this:
code:
attrib -S -H c:\* /S /D
Which could also just as easily be pointed to a specific folder to run faster, but I used it as is. It's really helpful.
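An added example of mine, not from the thread: the same recovery done in PowerShell, scoped to the folders the rogue actually touched. It assumes the stash location reported a few posts up (`%LOCALAPPDATA%\Temp\smtmp\1` mirroring the all-users Start Menu tree) and an elevated session; the thread says nothing about what the other numbered `smtmp` folders hold, so source and destination are parameters rather than a hard-coded map.

```powershell
# Added example, not from the thread. Puts Start Menu shortcuts back from the
# rogue's stash folder and clears Hidden/System on the folders it touched,
# instead of the blanket "attrib -S -H c:\* /S /D", which also strips those
# flags from files that are meant to carry them (desktop.ini in every folder,
# boot files, hiberfil.sys, pagefile.sys).
# Assumptions: stash is %LOCALAPPDATA%\Temp\smtmp\1 mirroring the all-users
# Start Menu tree (as reported above); run elevated; use -WhatIf first.

function Clear-HiddenSystemFlags {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $mask = -bnot ([int]([IO.FileAttributes]::Hidden) -bor [int]([IO.FileAttributes]::System))
    foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force) {
        if ($item.Name -ieq 'desktop.ini') { continue }          # legitimately Hidden+System
        $new = [int]$item.Attributes -band $mask
        if ($new -eq [int]$item.Attributes) { continue }         # nothing to clear
        if ($new -eq 0) { $new = [int]([IO.FileAttributes]::Normal) }
        if ($PSCmdlet.ShouldProcess($item.FullName, 'clear Hidden/System')) {
            $item.Attributes = [IO.FileAttributes]$new
        }
    }
}

function Restore-StashedShortcuts {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Source      = (Join-Path $env:LOCALAPPDATA 'Temp\smtmp\1'),
        [string]$Destination = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu')
    )
    if (-not (Test-Path -LiteralPath $Source)) { throw "Stash folder not found: $Source" }
    $root     = (Get-Item -LiteralPath $Source -Force).FullName.TrimEnd('\')
    $restored = New-Object System.Collections.Generic.List[string]

    # -Force: the stash and its contents are usually hidden as well
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File -Force) {
        $relative = $file.FullName.Substring($root.Length + 1)
        $target   = Join-Path $Destination $relative
        if (Test-Path -LiteralPath $target) { continue }         # never overwrite a live shortcut
        if (-not $PSCmdlet.ShouldProcess($target, "restore from $($file.FullName)")) { continue }
        New-Item -ItemType Directory -Path (Split-Path -Parent $target) -Force | Out-Null
        Copy-Item -LiteralPath $file.FullName -Destination $target
        $restored.Add($target)
    }
    # copied files keep the attributes the rogue set on them, so clear them here
    Clear-HiddenSystemFlags -Path $Destination
    return $restored
}

Restore-StashedShortcuts -WhatIf                       # dry run: lists what would be copied
Restore-StashedShortcuts | ForEach-Object { "restored $_" }
# Any other folder the attrib command was being run for, done selectively:
Clear-HiddenSystemFlags -Path "$env:USERPROFILE\Desktop" -WhatIf
```

Keep the stash folder until the user confirms the menu is back; the function deliberately leaves it in place and refuses to overwrite a shortcut that already exists at the destination.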

Oddhair
Mar 21, 2004

I've now got two machines redirecting search results in all browsers to either 63.209.69.107 or get-answers-fast.com. I'm having a hell of a time finding it. MBAM won't find anything, MSE won't, nothing stands out in ProcExp, TDSSKiller finds nothing wrong. Periodically it even stops redirecting for a little while.

Anyone seen this lately? I also heard one of them was randomly playing music when the browser was open, and I've only seen that here once before.

Oddhair
Mar 21, 2004

I just ran MS System Sweeper and it found some corrupt JAR files on the Vista machine in %appdata%\local\temp\java_[long numeric string here].tmp and ion.class in one of the temp files.

I'm going to reboot this one and poke around some more, but the other machine is a higher-up's and he's got way more important stuff on there than this user, and MS System Sweeper wouldn't run on his machine, though I haven't disabled the floppy yet, which seems to help with the errors I've been seeing.

Oddhair
Mar 21, 2004

I can't suggest NoScript for other people, it's just too much hassle, but I run it alongside AdBlock both at home and at work, along with UAC cranked all the way up and SEHOP enabled. I am one of the few who hasn't ever gotten a drive-by install (we all run as local admin.) We have to use IE for our CRM, but nothing else really requires it. I personally can't stand it under most circumstances, I don't know how anyone can say with a straight face that they don't mind it, but I am terribly impatient with technology.

Oddhair
Mar 21, 2004

Has anyone seen that Smart HDD malware remove entire swaths of registry entries? I've got a coworker who had Smart HDD, and I removed it with MS' standalone system sweeper. Now this key is entirely missing:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\*

I've tried exporting the key from a VM I keep around, regedit doesn't import it correctly, says it's an invalid file type. Since this covers file types and their handlers, it's hampering my repairs.

Oddhair
Mar 21, 2004

I'm going to try autoruns now, and I hadn't tried the command line merge, only from within regedit.

Oddhair
Mar 21, 2004

I set up the naïve with Adblock Plus, and sometimes I'll mention NoScript to them, but it's just too much hassle to use NoScript for the majority of people.

Oddhair
Mar 21, 2004

Bear with me, because I'm not sure which way this BS is going:

A lawyer I've done some IT work for in the past called me up today asking how his Win7 computer could have reverted back to May 2012. We talked back and forth, and I had him check some things for me, as he also can't get on the internet for some reason. He's sure about the date, as his most recent email in Outlook is from May 2012, his desktop image has been different for a long time but now it's what it would have been back then, etc. Looking into System Restore, he has two restore points, May 2012 and today at ~5:00 AM Central. Looking through the event viewer, under security, there are several suspicious entries just before 3:30 AM (which is significant because that's the most recent boot time as well):
code:
Event ID  
4608      Security State Change
4624      Logon
4902      Audit policy change
4648      Logon
4624      Logon
4672      Special Logon
He's not familiar with the event log, and I'm at my day job, so I didn't get much info, but he saw a login referencing NTLMSSP, which I thought was deprecated in Vista. I'm concerned because a friend of mine used to work with him, and is now a little disgruntled (as in he told me yesterday not to do any work for this lawyer, as he'd just been screwed over by said lawyer). He didn't say anything to make me feel he was interested in revenge, and he is an ex-con, so I don't think he's too keen on going back inside, but I'm still a little worried. Tempering my worry, he's just not that drat technical. Off the top of my head, I couldn't log into someone else's machine and run System Restore, then remove all restore points but one (well, not without lots of research), and I'm significantly more technical than he is.

Sadly, the only firewall is an SMC Comcast business gateway, so of course no real logging is to be had on the WAN link. I have no idea whether my buddy had this guy's password, I certainly never needed to have it, and in all the time he worked there and I worked for them I never got the feeling the lawyer trusted his 'paralegal' with his password.

I'm asking here because I hope he simply got phished or hacked, or has some awful remote execution malware, rather than it being somehow related to my buddy. Secondly, I really don't feel like being accused of anything, and I can't really be sure of anything at this point. I instructed him to make a backup onto a new external HD and then shut it down, and told him I'd call later today, but I have no idea where to begin, I don't really do side IT work anymore, it's just too drat difficult to juggle an 8-5 plus help customers who also keep the same schedule.
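An added example of mine, not from the post: the Security-log query I would run before deciding whether that cluster of events is a person or just Windows starting up. It takes the event IDs from the post (4608, 4624, 4648, 4672, 4902) and pulls every one of them in a window around a boot time, labelling each logon with its type, authentication package and source. It runs elevated against the live log, or, since the post has the machine backed up and powered off, against a copied `Security.evtx` via `-EvtxPath`; the field names are the standard Security-log ones.

```powershell
# Added example, not from the post. Lists the startup/logon events around a
# boot so a 4624 at 03:30 can be read as "the system's own startup logon" or
# "a user account came in over the network". Runs elevated against the live
# Security log, or against a copied Security.evtx with -EvtxPath (then pass
# -Boot explicitly, since LastBootUpTime describes the analysis machine).

function Get-LogonsAroundBoot {
    param(
        [datetime]$Boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime,
        [int]$WindowMinutes = 15,
        [string]$EvtxPath
    )
    $filter = @{
        Id        = 4608, 4624, 4648, 4672, 4902      # the IDs listed in the post
        StartTime = $Boot.AddMinutes(-$WindowMinutes)
        EndTime   = $Boot.AddMinutes($WindowMinutes)
    }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }

    $logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock';
                     8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | Sort-Object TimeCreated)) {
        # Flatten <Data Name="..."> elements into a name -> value table
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($n.Name) { $d[$n.Name] = $n.'#text' }
        }
        $type = if ($d['LogonType']) { [int]$d['LogonType'] } else { $null }
        $ip   = $d['IpAddress']

        $account = switch ($e.Id) {
            4648    { "$($d['SubjectUserName']) using $($d['TargetUserName'])" }
            4672    { $d['SubjectUserName'] }
            default { $d['TargetUserName'] }
        }

        $flags = @()
        if ($e.Id -eq 4624 -and $type -in 3, 10) { $flags += 'network/remote logon type' }
        if ($ip -and $ip -notin '-', '127.0.0.1', '::1') { $flags += "source address $ip" }
        if ($e.Id -eq 4648) { $flags += 'explicit credentials' }
        if ($e.Id -eq 4902) { $flags += 'audit policy table changed' }

        [PSCustomObject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Account   = $account
            LogonType = if ($type) { "$type ($($logonTypes[$type]))" } else { '' }
            AuthPkg   = $d['AuthenticationPackageName']
            Source    = "$($d['WorkstationName']) $($d['TargetServerName']) $ip".Trim()
            Flags     = $flags -join '; '
        }
    }
}

# Live box, elevated:
Get-LogonsAroundBoot | Format-Table -AutoSize
# Powered-off box: copy C:\Windows\System32\winevt\Logs\Security.evtx off it first,
# then supply the boot time seen on that machine (here: today 03:30 as a placeholder)
Get-LogonsAroundBoot -EvtxPath 'D:\case\Security.evtx' -Boot (Get-Date).Date.AddHours(3.5) -WindowMinutes 30 |
    Where-Object Flags | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: 4608 and the SYSTEM account's own 4624/4672 pair are written at every startup, so their presence at boot time is expected; what would need explaining is a 4624 for a real user account with logon type 3 or 10 and a non-local source address, or a 4648 that names a remote target server, inside that same window. And if the box has been rebooted since the event, `LastBootUpTime` no longer points at the boot in question, so pass `-Boot` by hand.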

Oddhair
Mar 21, 2004

Khablam posted:

Actually this would be pretty easy in a scenario where the ex-employee still has access to some installed remote desktop software, VNC or the like.

This was one of the odd red herrings, LogMeIn was there, along with lots of other folders he'd cleared out years ago. The thing that didn't stand out was that it was booting into Windows Vista instead of Win7. Still not sure what happened, but his old Vista machine's hard drive had been pulled out and added to his new desktop when it was purchased, and then never removed. Somehow the boot order got swapped in the BIOS (or maybe the other lawyer was ham-fistedly messing with lawyer #1's tower when he experienced some difficulty with his email the night before and reversed the cables) so it booted off the Vista hard drive. One BIOS change later it booted fine into Win7.

Thanks for your responses, I'm glad it turned out to be nothing serious, because over the phone it was really suspicious sounding.


Oddhair
Mar 21, 2004

Brut posted:

So it looks like someone's setting up a new botnet, I've been seeing infections all over our client base of this thing that calls a bunch of dllhost.exe (in 32bit mode) and basically eats up all the ram and tries to contact a bunch of outside servers, none of our traditional tools remove it completely (Combofix, MBAM, MBAR, TDSSKiller, ESET online scanner, Windows Defender Offline, other random poo poo I tried), and roughly 50% of recent threats on bleepingcomputer forums and mbam forums are about this thing, for now we just flatten and reinstall when we see it but depending on the client and the user that can be a ton of trouble.

Anyone see this yet? Able to clean it up? it even launches itself in safe mode which is something I've pretty much never seen a virus do.

Suddenly I really miss those PC OPTIMIZER PRO or whatever "viruses" that you can basically just uninstall.

I had a user get this, and it only ran when he was logged in, but it didn't manage to do much except be annoying. Restoring to a known-good restore point wiped it out, but nothing I tried would detect it either.
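An added example of mine, not from the thread: a quick inventory of every `dllhost.exe` on a box, with the properties that separate a legitimate COM surrogate from the swarm described above. It assumes nothing beyond what the quoted post says (many 32-bit `dllhost.exe` instances, heavy memory use, outbound connections); the checks it applies are heuristics about how the real COM surrogate is normally launched, not a signature for whatever this was.

```powershell
# Added example, not from the thread. Inventories every dllhost.exe with its
# parent, image path, command line and working set, and flags what is off for
# a legitimate COM surrogate: no /Processid:{GUID} argument, a parent other
# than svchost.exe (the DcomLaunch service starts surrogates), or the 32-bit
# image under SysWOW64 on an x64 system (the "32bit mode" mentioned above).
# Heuristics only: a flagged process is something to look at, not to kill.

function Get-DllhostInventory {
    $procs = @(Get-CimInstance Win32_Process)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'dllhost.exe' })) {
        $parent     = $byPid[[int]$p.ParentProcessId]   # may be $null if the parent already exited
        $parentName = if ($parent) { $parent.Name } else { '?' }
        $cmd        = [string]$p.CommandLine
        $flags      = @()

        if ($cmd -notmatch '/Processid:\{[0-9A-Fa-f-]{36}\}') { $flags += 'no /Processid:{GUID} argument' }
        if (-not $parent)                                     { $flags += 'parent exited (or PID reused)' }
        elseif ($parent.Name -ine 'svchost.exe')              { $flags += "parent is $($parent.Name)" }
        if ($p.ExecutablePath -match '\\SysWOW64\\')          { $flags += '32-bit image on x64' }

        [PSCustomObject]@{
            PID          = $p.ProcessId
            ParentPID    = $p.ParentProcessId
            Parent       = $parentName
            Path         = $p.ExecutablePath
            WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
            Flags        = $flags -join '; '
            CommandLine  = $cmd
        }
    }
}

Get-DllhostInventory | Format-Table PID, Parent, WorkingSetMB, Flags -AutoSize
# Only the suspicious ones, with full paths and command lines:
Get-DllhostInventory | Where-Object Flags | Format-List
```

Pair the flagged PIDs with `netstat -ano` (or `Get-NetTCPConnection -OwningProcess <pid>` on Windows 8 and later) to see the outbound connections the post mentions, and capture that before any cleanup attempt; once the process tree is gone, so is the cheapest evidence of what it was talking to.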
