Domain: bleepingcomputer.com
Stories and comments across the archive that link to bleepingcomputer.com.
Comments · 341
-
Re:Same as before.
The proxy setting will show up - and can be removed with 2 clicks - in a HijackThis report. While Trend Micro bought it and supposedly has changed something (not sure what...) HJT remains a useful tool for anyone combating malware and ransomware.
The Firefox extension AC replied about will show up in a log from ComboFix though CFX won't remove the proxy by itself at this point -- perusing a ComboFix log features loads of information about a system and its infections.
-
Re:Not A Virus
It's also worth noting that the 'malware' about which, according to the article, there is an 'explosion' of discussion on the forums (about 200 threads) is about as sophisticated as that seen for Windows circa 1995. Check out these removal instructions. The Mac equivalent of CTRL+ALT+DEL, opening the task manager and killing the process, then trashing the executables. I could knock up something with the same level of sophistication on Mac, Windows or Linux in an afternoon. Even the first Internet worm used two executables that would each relaunch the other when the user killed the process. This 'malware' even politely closes when the standard close button is clicked.
I'm not sure this can even be properly classed as malware - I'm not sure what you'd call it - it's more like a phishing scam as it doesn't do any harm (other than the embarrassment of porn popping up) - it's really fraudware, designed to extract money from the user.
-
it's a fairly harmless trojan
I have seen this "malware" in the wild. My elderly mother called me, last week, about this. She reported "something came up on my screen, telling me that my computer is infected and that I should click to remove them". I had her take a screenshot and send it to me:
She is almost as computer illiterate as one could be, but even she had a suspicion that this wasn't legitimate.
Out of curiosity, I went to the URL (which inspects the user-agent, to avoid showing this scareware screen to non-Mac users), clicked "remove all", downloaded/unzipped the file, _manually ran the installer_, and clicked through several install steps.
This is not drive-by malware, it doesn't use an exploit in a vulnerable browser plugin, etc. It's a fairly harmless trojan that is easily removed. A Google search for "remove mac protector" will yield detailed instructions, e.g.:
http://www.bleepingcomputer.com/virus-removal/remove-mac-protector
I have saved the installer, if anyone would like a copy of it for analysis. It contains some remnants of Russian language settings from Xcode, among other interesting tidbits.
-
Re:combo of bad apple, bad sophos, and stupid user
I don't run active antivirus at all; the trick is never to touch the Internet Explorer browser. Another tip is don't download a bunch of pirated programs and run them without scanning them first. I suggest Malwarebytes.
I also keep a copy of combofix on a usb drive just in case. -
I just did the same...
I just spent most of my three day weekend cleaning up some "Antivirus Soft" http://www.bleepingcomputer.com/virus-removal/remove-antivirus-soft that took over my Windows 7 installation. My antivirus software didn't detect it, and I was in Chrome 5 just reading news sites when it took over. After hours of booting into safe mode and scanning every piece of media I had with 3 different antivirus programs, I discovered I had 5 different trojans and 2 different keyloggers. This forced me to change 50+ passwords. I don't consider myself an average user who easily falls for downloading malicious stuff. I have been in IT since 1994. I got everything cleaned up, but was left wondering how the hell this happened? So I finally gave up and I am done with Windows forever. I have been dual booting for a while, but now I have decided to go all the way. I am doing this even though I don't think Linux is as nice on the desktop. It's just not worth it if I am going to do everything I can to be a secure user, and still get infected. So I sympathize with Google on this one. It's so utterly frustrating that I damn well want to swear off technology period. Una-bomber style.
-
Re:virus scanners are the devil
Not too sure about MBAM, but ComboFix http://www.bleepingcomputer.com/combofix/how-to-use-combofix is a splendiferous tool, detects generic malware threats and rootkits.
I run clamshell so I can manually scan files I download, and I've had autoplay turned off since Windows 95 - what had possessed Gates and the Windows Team to automagically run untrusted stuff off any device, I'll never know. New York Hooker, and all that jazz.
Anyways - yeah, any time I think something fishy has happened that I missed, drop to safe mode and run Combofix. Works Swell. -
Re:I'm a professional Malware removal guy. Literal
That last one might give me pause....
The guy who writes it has English as a second language. Basically it's asking for permission to delete rootkits it finds, and warning you that rootkit removal is an art, not a science, and some OS loss may occur.
Besides, this is the real Combofix site, not that one:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
-
Re:Install through ninite.com
I cron this every day, have fun!
fog@fog:/usr/local/bin$ cat getantivirus.sh
wget -N -i /antivirus/filestoget.txt -P /antivirus
fog@fog:/antivirus$ cat filestoget.txt
http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE
http://downloads.superantispyware.com/downloads/SUPERAntiSpyware.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.spybotupdates.com/files/spybotsd162.exe
http://www.spybotupdates.biz/updates/files/spybotsd_includes.exe
http://download.avgfree.com/filedir/inst/avg_free_stf_en_85_420a1708.exe
http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe
http://dlce.antivir.com/package/wks_avira/win32/en/pecl/avira_antivir_personal_en.exe
http://dl.antivir.de/down/vdf/ivdf_fusebundle_nt_en.zip
http://mbam.malwarebytes.org/database/mbam-rules.exe
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
http://files.avast.com/iavs4pro/vpsupd.exe
http://files.avast.com/iavs4pro/setupeng.exe -
Re:Yet another reason
I don't see what the big deal is. Windows is a perfectly secure operating system as long as you don't access any external media or connect to the internet.
(Coming from someone who just spent 10 hours removing the Internet Security 2010 trojan malware from his wife's computer.)
Welcome to my world. It should be illegal to own a computer and be computer illiterate. I have a wife and a 16 year old daughter that just love to download anything that asks them to. Gotta love the rescue disk:-)
-
Re:Drive-by downloads of fake antivirus software
Hey kid, this one (Advanced Virus Remover) is a joke I've removed several times by hand. Here's a link to one of the most helpful websites out there: http://www.bleepingcomputer.com/virus-removal/remove-advanced-virus-remover
Assuming you gave us the right name that is. Good Luck.
-
Re:Why don't apps just use their own copy of the .
Actually that was a big problem with the GDI+ library a few years ago. People have even written their own vulnerable DLL scanners for this sort of thing.
-
Combofix
I'm posting to say: COMBOFIX. This thing magically removes Antivirus 2009 and 2010, even the rootkit versions that MBAM falters on (or that prevent MBAM from running, even in safe mode).
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Use it. Love it. Marvel at its simplicity, its beauty.
-
Re:It's very entertaining.
The newest version of the "Antivirus 2010" software is a pain in the ass to get rid of. It rootkits the system and makes manual removal pretty much impossible without a WinPE boot disk of some kind, and even then it's difficult to find all the instances. There's one tool I found to remove it and most of its kin, and that is combofix. It successfully cleans Antivirus 2010 and a host of other rootkit-based malware in a process I can only describe as "magic". I'm just posting this to help out others that have spent way too much time trying to get rid of this crap off of friend/family computers.
-
Re:Didn't even see the Digg Bar Fail
Norton did the completely wrong thing by deleting the posts, but people jumped the gun in claiming it was some sort of nefarious backdoor.
-
Re:512Meg?
While I think your idea of bringing back plus packs is a GREAT idea, as it would cut the bloat without having 400 fricking versions of the OS, there is another idea from that time I believe they desperately need to bring back as well: the WinNT/Win9x divide. Remember how if you wanted a HOME OS you could actually BUY a home OS, and if you just wanted to get your work done there was an actual business OS? Now they put out the same bloated as hell, multimedia choked, bling bling to the top, I want to be OSX so damned bad it hurts OS and just cripple a few features for the home market.
That is NOT a business OS. A Windows business OS is a fugly, plain, low resource using, backwards compatible OS with minimum bells and whistles and good GPO management. That is why to this day I still say Win2K Pro was the best business OS MSFT has ever made, and frankly everything since then has been downhill. There wasn't any added themes support or multimedia bling bling junk in the Win2K of goodness. Nope, just fugly grey solid as a rock business goodness. Of course that is why you have tons of sites that show you how to turn Win2K8 server into a workstation. It is because ever since Vista all the business user (one of the most lucrative and largest markets MSFT has) has gotten from MSFT is the finger. It is also why InfoWorld is declaring Win7 is going to be yet another dud to the enterprise and SMB markets.
That is why I am making this prediction: Win7 is going to be another dud. MSFT seems to have forgotten that folks want to use at home what they use at the office. That is why I have many customers that still insist on Win2K or WinXP, because that is what they use at work and that is what they want at home. The only good I foresee coming from Win7 is that they may finally fire that damned monkey Ballmer. He has had the company hopping from one boneheaded idea to another like they have ADHD, and his Apple and Google envy is frankly dragging the company down the toilet. If folks wanted an Apple they would BUY a bloody Apple! But of course I'm not the only one that thinks the best thing that can happen is Ballmer being given his walking papers. Bring back the plus packs and for the love of Deity bring back actual business OSes. Because the shit they are shoveling now sure as hell don't cut it.
-
ComboFix anyone?
So apparently no one has heard of ComboFix?
http://www.bleepingcomputer.com/combofix/how-to-use-combofix -
Re:hijacking AV sites too
I work at a university dorm as a network technician (UWM, in case you're wondering!), and fix ten to twenty computers a week infected with malware, often exactly this strain of rogue AV software.
The utility called ComboFix almost always cleans these infections up with no hassle. If that fails, or if examination of the logfile indicates that it didn't quite get everything, MalwareBytes Anti-Malware should take care of the rest, and if anything gets past BOTH of those you can take note of the infected file names that couldn't be removed and delete them from Knoppix or a BART LiveCD.
I only reinstall Windows as a last resort, or if ComboFix detects an unremovable rootkit (this can be found in the logfile.)
-
HijackThis
Use HijackThis. Bleeping Computer has a tutorial which links to tools you can use to look up process and service names. It's essentially a registry tool that displays keys that are often exploited (your startup list, BHOs, services, things like that), though it does several other handy things as well.
It's also a great way to simply boost performance by cleaning up unnecessary startup items and services, but use it with care: most of the things it displays are totally supposed to be there.
If HijackThis looks clean then your system is probably not infected and you should check the hard drive. chkdsk might tell you something, but the manufacturer probably provides an .iso for a bootable disk that will do a more thorough test. I'd make a backup first. -
Re:MalwareBytes?
combofix is something else that is effective against Antivirus XP 200x and many other infections.
-
It don't work!
That new fangled Antivirus 2009 thing is a total gyp. I've been clicking that thing all day...wait, now a Java update is prompting me. Jeesh. I gotta go, that Nigerian millionaire needs my help...
[/end user speak]
-
Re:Padding with 0x00 bytes?
Try Combofix.
Free, and it works.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix -
Re:Dialog boxes shut off critical thinking
I think the solution is to make the buttons themselves say what they do, rather than clicking Ok or Cancel, have the button say "Exit crashed program", or "Install new program" or what have you. Always being OK or Cancel conditions people to just blindly click.
The Apple user interface guidelines have always stated that verbs should be used on command buttons. Inserting a blank disk under Mac OS pops up the "Format" or "Eject" dialog box. On Windows, the text says "To format the disk, click OK. To quit, click CANCEL" with "OK" or "Cancel" buttons.
Of course, if you put something other than OK or CANCEL in the dialog box, most Windows users freeze up. They don't know what to click.
Making users read the dialog box text helps. Just make sure the text is actually useful for making a decision. -
Re:Explains the odd attempted breakins..
How does one tell if they are rootkitted? I have the latest patches and updates to my anti-virus, firewall and anti-spyware software but none of them mention anything about rootkits... Another thing that worries me is my software is all free! Comodo for my firewall, Avast for my anti-virus and Adaware for my anti-spyware...is the free software much worse than the stuff you have to pay out for?
By definition rootkits are hidden from the user in normal use. On Windows systems they are usually installed as driver files with a .sys extension, often with a registry entry, or entries, to ensure startup. More on rootkits http://en.wikipedia.org/wiki/Rootkit
There are a number of further references on the Wikipedia page that you can use to find out more about them.
This is a list of "known" Windows NT related rootkit files with details of which rootkit pack they belong to http://www.bleepingcomputer.com/startups/rootkit.html
There are a number of rootkit detectors for Windows, but there are also many legitimate files on Windows systems that have hidden attributes for some reason, so any rootkit detector must be used with care. Windows provides many paths of infection, but most rootkit-anchored malware requires user intervention of some kind: accepting unknown software, going to a subverted webpage, or going to a webpage with ads that have been subverted to install malware when a vulnerable computer is found. Most of the installers use a script to check for available exploits.
Best protection is not to use Internet Explorer; next best protection is to disable JavaScript on untrusted websites or when you are using webpages you wouldn't show your mother. -
Re:Symantec on SystemDoctor: Pot, meet kettle...
Symantec AV often lags behind in protection and definitions. The worst recent example that comes to mind is the spread of hacktool.rootkit (aka about a million things), which was implemented in countless malware releases. Symantec was AFAIK the only mainstream antivirus program that missed detecting it as it was installed. My flavors of choice are:
AVG Free antivirus
LavaSoft Adaware
and Spybot Search and Destroy.
Very little can get by this trifecta. When I suspect that a machine has received an infection that these three can't remove, I research the individual piece of malware on sites like CastleCops or I just Google it by process name.
I also keep archives of RootKitRevealer, peperfix.exe and HijackThis. -
Tools I use that haven't been mentioned
Worth a mention:
* Ultimate Windows Boot CD which I also find very useful when someone comes to me with a computer they have completely messed up - you have to create your own but it's a very streamlined experience. http://www.ubcd4win.com/
* PrevxR which is a "permanent beta" version of their commercial offering. It can be configured; the different settings range from Individual (suitable for Grandma) to Enterprise (very hardcore). http://free.prevx.com/
* KillBox - basically a utility you can configure to delete certain files on bootup. I use this in conjunction with HijackThis, which was already mentioned above. http://www.bleepingcomputer.com/
-
This worked for me
I'm not sure if this is technically correct, but I treated this thing like the Smitfraud/Quicknavigate/Virtual Maid infections.
My step-son's PC got hit with this on Monday and I followed the Method 1 instructions found here... http://www.bleepingcomputer.com/forums/topic17258.html/ to remove it. It took about an hour and involved a lot of scanning and rebooting but I eventually got it all.
I then installed Firefox for him and blocked his access to IE :)
BTW, Mcafee did not do a single thing to stop this from being installed, nor did it give any type of warnings after the fact. I hate Mcafee. -
Re:Smitfraud-C
I think it is. My step-son's PC got hit with this on Monday and I followed the Method 1 instructions found here http://www.bleepingcomputer.com/forums/topic17258.html to remove it. It involved a lot of scanning and rebooting but I eventually got it all. I then installed Firefox for him and blocked his access to IE :) -
Malware - Love it AND hate it
On one hand, spyware is some pretty evil stuff. There are little weasel programs I've spent quite a bit of time trying to get out of systems.
On the other hand, I get paid to do that. I just did one small company with 5 computers that was literally shut down because they couldn't do anything on their systems. Spyware is a problem on just about every single "joe average" computer that I have seen lately. The problem, of course, is going to get worse as long as Windows continues to allow users to run with privileged access by default.
I don't feel like going into a Microsoft rant - I'm sure it would be preaching to the choir anyway. I would like to share effective tools in my warchest for cleaning out spyware -
Ad-Aware - My favorite anti-spyware program right now. Gets about 95% of baddies.
HiJack This! - Cleans up anything that Ad-Aware may have left behind. It scans all startup regkeys, services, and BHO IE extension keys and lets you select which ones to nuke. BE CAREFUL, it lists both the good and the bad. If you don't know what a process is, google for it before you remove its key.
There are many other useful tools on this download page as well, like LSPFix. This program will fix the mess left by programs that mess with your TCP stack, such as New Net, whose manual removal can disable your Internet access completely.
Pocket KillBox - You know those processes that come back from the dead after you kill them? Can't delete the EXE because it's locked in both normal and safe modes? Pocket Killbox is what you need. If it can't delete the file outright, it can temporarily end the Explorer task and try it that way. If that doesn't work, it can use Windows' replace-on-reboot function to swap the EXE with a dummy file on the next reboot. Very handy for getting rid of the most nefarious of processes.
Spyware Blaster - Pre-emptive spyware prevention. The interesting thing about this program is that it doesn't remain resident in memory. Instead, it writes files and regkeys to your system that prevent the spyware from installing. Adding and removing protection can be done in one click. -
Re:two things... w/ links
I did some google searching relating to killbox and aurora and I found some links:
and most notable: MyPCTuneUp which I am assuming is that Aurora Uninstaller you were talking about. According to the forum link above, the uninstaller really works. And it can't hurt to try, considering Aurora has already hijacked your PC, what more can an uninstaller do besides uninstall the malware.
And from personal experience, I've had a few Malware uninstallers from the official company that did a better job removing the malware than SpyBot, MS Anti-Spyware, and Lavasoft Ad-aware.
-
Re:How to solve these problems.
You wiped a computer because of spyware? What would you say if someone wiped their Linux box because Mozilla would not start?
Just about the same thing. I have not found any spyware that could not be removed. Maybe you actually have to look something up on the internet; but I guess it is a better story if "it was so bad that I had to wipe the box!".
Check out:
http://www.bleepingcomputer.com/files/killbox.php
and ...
http://www.pcworld.com/downloads/file_description/0,fid,23258,00.asp
And read a bit:
http://www.pchell.com/support/spyware.shtml
Not so hard if you really *want* to be able to do it. -
Give this as a gift for the holidays
Nothing is more annoying about the holidays than going to visit family and friends and then being sucked into fixing their damn computers. While everyone is drinking and having a good time we are the schmucks trying to figure out how to remove that damn process from Windows 98!
This year I wash my hands of it and am giving them a printout of a tutorial I found that has helped some friends. It is basic, but they do not bother me as much anymore:
Simple and easy ways to keep your computer safe and secure on the Internet -
I do these steps on every computer i touch
Simple steps to keep your computer secure!
Doing these steps saves me a huge amount of time and heartache in the future. -
Just secure Windows and this won't be a problem!
With the amount of crapware out there and the amount of guides and articles written about this subject you would think people would still be a bit more secure. Unfortunately it does not seem to be the case.
This guide explains how to keep your damn computer from being stupidly compromised:
Simple and easy ways to keep your computer safe and secure on the Internet
Also here's a tutorial for switching from IE to Firefox:
Switching from Internet Explorer to Firefox -
Re:IE-Spyad
Here's a link to check it out:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=53/ -
For anyone who doesn't know how to switch from IE
For anyone who doesn't know how to switch from IE, here are tutorials for you:
Switching from Internet Explorer to Firefox
Enhancing Firefox with Browser Extensions -
Tutorial on GDI Scan to find vulnerable apps
Bleeping Computer has a tutorial on how to use GDI Scan, offered by ISC, to find apps with the vulnerable gdiplus.dll. The tutorial can be found here:
GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability
Either update those apps so they don't have the problem anymore, or do not use the app. -
Re:Internet Explorer DLL's
Why not just go back and ask the folks at Bleeping Computer? Just went there and it looks like they have a help forum.
-
Internet Explorer DLL's
I've been trying to clean the system from spyware and other malicious goodies. Finally Firefox works with pogo.com so IE is now not in use at all. I managed to find a site that posted ALL of the startup locations for XP. And this has stopped the lurking spyware in the background.
However I'm still looking for a site that can direct me on how to delete the malicious DLL's that are loaded up with IExplore. Anyone have any tips?