
The Official Internet/Computer Security News Discussion Thread

Oct 20, 2010 | 10:33 PM  #41  RyanCHICL
Great info Stunna. Thanks.

Oct 20, 2010 | 11:03 PM  #42  Never Summer
I've followed everything said in this thread. Great advice, please keep this up to date. I hate Google Chrome though but Firefox lost all of my info anyways so I'll try and make the switch.

Oct 21, 2010 | 12:55 AM  #43  #1 STUNNA (Thread Starter)
Adobe announced Adobe Reader X a few days ago. It is the next version of the PDF reader, and it runs in a protected, sandboxed mode, much like Google Chrome and Internet Explorer on Vista/7. If implemented properly this should do a lot to limit attacks via PDFs. It will be available next month and can't come soon enough. Now Java and Firefox need to join the club.

http://blogs.adobe.com/adobereader/2...-reader-x.html

Oct 23, 2010 | 01:20 AM  #44  #1 STUNNA (Thread Starter)
Here's a cool browser extension for Chrome, Firefox and Safari. Do you hate seeing the Facebook "like" button infesting all the pages you visit, telling you what people liked, recommended and shared? Do you really not give a shit about who did what with Facebook? Do you NOT like the Facebook "like" button on AZ? Then this extension is for you! It's called Facebook Blocker. It blocks communications between third-party sites and Facebook servers. Likes still work on the actual Facebook site; it doesn't affect the Facebook site at all, just other sites that have embedded Facebook shit on their pages.

To install, click on the link below and choose your browser of choice. If you use Chrome you can just install the extension and carry on; it starts working right away. If you use Firefox or Safari you actually have to restart the browser to take advantage of this extension. How primitive!

http://webgraph.com/resources/facebookblocker/

Before Facebook blocker



After Facebook Blocker


Last edited by #1 STUNNA; Oct 23, 2010 at 01:23 AM.

Oct 23, 2010 | 01:39 AM  #45  stogie1020
I am not generally a fan of your witchcraft, but this one makes my Azine pages load faster, so I am cool with it.

Oct 23, 2010 | 01:58 AM  #46  Ken1997TL
Originally Posted by stogie1020
I am not generally a fan of your witchcraft, but this one makes my Azine pages load faster, so I am cool with it.


I use this and Adblock Plus, it makes my webz much better.

Oct 23, 2010 | 02:33 AM  #47  #1 STUNNA (Thread Starter)
Yes, I should've mentioned that. I thought of it but didn't bother to add that.

Oct 23, 2010 | 11:06 AM  #48  stogie1020
Originally Posted by #1 STUNNA
Yes, I should've mentioned that. I thought of it but didn't bother to add that.



Oct 25, 2010 | 03:20 PM  #49  Scottman111
How primative [sic] indeed


F the like button! Installed and AZ is loading faster

Oct 26, 2010 | 02:50 PM  #50  Scottman111
About to :surrender to a virus


I think it's some kind of Java exploit, from what the PC's owner was telling me. Says it came from a link on Google Video.

Combofix cleared it, but says it detects rootkit activity every time it is run. Malwarebytes cleared 8 files on the first run and doesn't detect anything again, but it's still there.

I've cleared everything bad out of:

HKEY LOCAL MACHINE --> Software --> Microsoft --> Windows --> Current Version --> Run and Run Once


HKEY LOCAL USER--> Software --> Microsoft --> Windows --> Current Version --> Run and Run Once


I've tried a couple of other tricks I've learned in the past but nothing has worked. I can't tell if it is clearing out and then coming back after a restart or not clearing at all. I believe it's infected and/or corrupted explorer.exe from what I can tell.

I have all the files backed up so wiping won't be a big deal, but I was trying to figure it out for a moral victory. Very few I've ever not been able to fix

Oct 26, 2010 | 03:10 PM  #51  rza49311
Does combofix ask about installing the recovery console before you run it? Also, are you certain you have the latest version of combofix?

Oct 26, 2010 | 03:33 PM  #52  Scottman111
Originally Posted by rza49311
Does combofix ask about installing the recovery console before you run it? Also, are you certain you have the latest version of combofix?
Yes and yes. I've used combofix a lot and have always said no to the recovery console prompt.

It doesn't act normal when it runs. Runs way longer than normal, and when the message about rootkit activity comes up it says it needs to restart. After restart it finishes and displays the log like normal (again taking forever), saying it's clearing different things each time. Doesn't matter if it's safe mode or not.

And the virus doesn't try to block combofix or task manager or anything like that. I thought it was gonna be a walk in the park before I started...

Oct 26, 2010 | 05:56 PM  #53  #1 STUNNA (Thread Starter)
Run TDSS killer and also turn off system restore

Oh and clear your java cache in the control panel

Oct 27, 2010 | 02:48 PM  #54  SRK85
Damnit, my stupid university requires me to run Cisco NAC Agent but the program doesn't work on my system at all anymore. They uninstalled my AVG Pro too, since I have to download McAfee. Do you guys know any way around this, and should I just install Microsoft Security Essentials instead of AVG again? I refuse to use McAfee and if I have to download it I will uninstall it.

Oct 27, 2010 | 02:56 PM  #55  Gfaze
Originally Posted by SRK85
Damnit, my stupid university requires me to run Cisco NAC Agent but the program doesn't work on my system at all anymore. They uninstalled my AVG Pro too, since I have to download McAfee. Do you guys know any way around this, and should I just install Microsoft Security Essentials instead of AVG again? I refuse to use McAfee and if I have to download it I will uninstall it.
MSE works great for me. Give it a shot. McAfee can go die in a fire.

Oct 27, 2010 | 03:10 PM  #56  rza49311
Originally Posted by Scottman111
Yes and yes. I've used a combofix a lot and have always said no to the recovery console prompt.
Well, it says in their instructions that the recovery console is the only way to remove some infections, so that's why I asked. Might want to give it a shot if you haven't formatted yet.

Oct 27, 2010 | 03:12 PM  #57  Scottman111
Originally Posted by #1 STUNNA
Run TDSS killer and also turn off system restore

Oh and clear your java cache in the control panel
Since I was able to play around a bit, I killed everything I could find related to Java and nothing changed. Time became an issue so I had to go ahead and start the reload. Now fighting with Dell's p.o.s. website for drivers. What a terrible company.

Anyways I'll have to try the TDSS killer another time. Something you use often?

Oct 27, 2010 | 03:14 PM  #58  Scottman111
Originally Posted by Gfaze
MSE works great for me. Give it a shot. McAfee can go die in a fire.
McAfee and Symantec. We use the corporate edition at work and it's absolute trash. It was a lot worse until they did an upgrade.

rtvscan.exe

Oct 27, 2010 | 03:16 PM  #59  Scottman111
Originally Posted by rza49311
Well, it says in their instructions that the recovery console is the only way to remove some infections, so that's why I asked. Might want to give it a shot if you haven't formatted yet.

Hmm, I've actually wondered that but my boss says don't worry about it so I never did. Do you do it every time? What happens if you click yes for recovery console?

Oct 27, 2010 | 03:16 PM  #60  Billiam
Scottman, corporate edition of McAfee or Symantec?

Oct 27, 2010 | 03:32 PM  #61  Scottman111
Originally Posted by Billiam
Scottman, corporate edition of McAfee or Symantec?
Symantec. Like I said, it's not too bad now that they've fixed the severe performance draining problems that were affecting every PC, but I still don't see it protecting much of anything. We have Websense and the Symantec and these things still come in with viruses. Yes I know it can't prevent/detect them all but it still seems a little high IMO.

Most of the time, when they come back infected and you do a full scan, the Symantec won't detect a thing. Yet you can throw a freeware anti-virus on there and that program will go nuts.

Oct 27, 2010 | 03:57 PM  #62  #1 STUNNA (Thread Starter)
Originally Posted by Scottman111
Symantec. Like I said, it's not too bad now that they've fixed the severe performance draining problems that were affecting every PC, but I still don't see it protecting much of anything. We have Websense and the Symantec and these things still come in with viruses. Yes I know it can't prevent/detect them all but it still seems a little high IMO.

Most of the time, when they come back infected and you do a full scan, the Symantec won't detect a thing. Yet you can throw a freeware anti-virus on there and that program will go nuts.


I never felt I got good results from McAfee or Norton, and those AV-Comparatives and virusvault AV efficiency tests are garbage: every AV catches at least 95% of the malware in those tests, but IRL the results aren't anywhere near that high.

Yes I use TDSS killer cause it's effective and a very fast scan usually between 15-30 seconds and it can remove Alureon rootkits better than anything else.

http://support.kaspersky.com/viruses...?qid=208280684

I had been fighting Alureon on a few machines and I had some success with MSE, and on others I didn't (probably due to different strains of the TDSS rootkit). Then I tried TDSS killer and it found it and removed it in less than a minute, saving me hours of time. Now I've seen a rootkit get past TDSS killer too (might not've been a TDSS rootkit to begin with) and I had to wipe and reinstall, but still it's good to run it first cause it's so effective and fast.

Last edited by #1 STUNNA; Oct 27, 2010 at 04:03 PM.

Oct 27, 2010 | 03:58 PM  #63  rza49311
Originally Posted by Scottman111
Hmm, I've actually wondered that but my boss says don't worry about it so I never did. Do you do it every time? What happens if you click yes for recovery console?
No, I never have but haven't had to either. Every infection I've encountered has been removed with no problems.

After looking into it though, all it does is install the recovery console and add the option to the boot.ini file, so when you start up you have the option to boot to your OS or the console. I can't find anything about combofix using the console to remove something. It appears to me the console would have to be invoked manually and you'd have to delete file(s) manually. With that being said, I don't think the console will help in this case unless you knew exactly what you needed to remove.

If someone knows more about it then please correct me if I'm wrong.

Oct 27, 2010 | 04:05 PM  #64  #1 STUNNA (Thread Starter)
So you can't run the combofix exe from the recovery console? That would seem to make sense. You boot into recovery console and the main system isn't running but you can scan for malicious files and actually remove them since the system isn't running.

Oct 27, 2010 | 05:15 PM  #65  rza49311
Originally Posted by #1 STUNNA
So you can't run the combofix exe from the recovery console? That would seem to make sense. You boot into recovery console and the main system isn't running but you can scan for malicious files and actually remove them since the system isn't running.
I don't know. I'll try it tomorrow when I get to work.

Oct 27, 2010 | 08:39 PM  #66  SRK85
Originally Posted by Gfaze
MSE works great for me. Give it a shot. McAfee can go die in a fire.
I've used MSE before but uninstalled it because it was conflicting with AVG. I hate McAfee so much it always crashes my system and IT is not willing to allow me to surf the internet without McAfee. Such bullshit and Cisco Nac Agent has to be the worst piece of software I have ever seen.

Oct 27, 2010 | 08:52 PM  #67  #1 STUNNA (Thread Starter)
You're not supposed to run AVG and MSE at the same time. You're not supposed to run two realtime AVs at the same time.

If you want to run MSE then you must uninstall AVG, restart your PC and then install MSE.

Oct 27, 2010 | 10:50 PM  #68  #1 STUNNA (Thread Starter)
Good article on Lifehacker about how to break into a Windows machine and also how to prevent it from happening to you. It covers how to access files on a Windows NTFS hard drive using a Linux LiveCD and how to prevent it (encrypt the drive), also how to use Linux to reset the password and how to prevent it (again, encrypt the drive), and finally using brute force like Ophcrack to guess the user password and how to prevent Ophcrack from guessing the password (secure password).

I tried to use Ophcrack on my boss's PC (with his permission) because we couldn't log in to it, and Ophcrack couldn't figure out his password cause it was too complex, which gave me a hint as to what his password was and I was right.

But I've used Ophcrack a few times and it works on simple passwords pretty quickly.

http://lifehacker.com/5674972/how-to...ppening-to-you

Oct 27, 2010 | 11:01 PM  #69  stogie1020
I am glad you are not freezing RAM to recover TrueCrypt passwords in volatile memory.

Oct 27, 2010 | 11:20 PM  #70  #1 STUNNA (Thread Starter)
Originally Posted by stogie1020
I am glad you are not freezing RAM to recover TrueCrypt passwords in volatile memory.
Yeah, I saw that hack. Not going that far....

Oct 27, 2010 | 11:25 PM  #71  stogie1020

Oct 28, 2010 | 01:47 AM  #72  #1 STUNNA (Thread Starter)
Originally Posted by doopstr
You could just buy a mac and skip this thread.
Originally Posted by TS_eXpeed

Oh noes! An 'official' thread not started by a mod.



Originally Posted by Whiskers
Originally Posted by Ken1997TL
Fail..
Hey check it there's a new trojan for OS X floating around in the WILD!
It appears as a video link on social networking sites or via email, and it uses a Java exploit (surprise, surprise!) and then modifies system files so that it doesn't need to prompt for a password to run; then it hijacks your user account and sends out spam messages to spread the infection.

Hope you Mac users have updated your Java!

If you want to remove this trojan.osx.boonana.a infection you can run the software from this link

http://macscan.securemac.com/files/BTRT.dmg

Oct 28, 2010 | 02:04 AM  #73  #1 STUNNA (Thread Starter)
In related news, Apple has released a deprecated version of Java. To use their words:
As of the release of Java for Mac OS X 10.6 Update 3, the Java runtime ported by Apple and that ships with Mac OS X is deprecated. Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X.

The Java runtime shipping in Mac OS X 10.6 Snow Leopard, and Mac OS X 10.5 Leopard, will continue to be supported and maintained through the standard support cycles of those products.
Apple used to port the Java VM to work with OS X and would release updates for it, and now, after announcing the Mac App Store that won't allow Java apps, Apple won't be supporting it much longer and it may not be available at all in 10.7. Currently no one has stepped up to fill in the void. Apparently, besides Windows, Java has been maintained by the OS developer: HP, IBM, etc. maintain Java for their OSes, as did Apple until now.

It'll be interesting to see who picks up Apple's slack and if this will have an impact on OS X for more exploits like the one listed above.

Last edited by #1 STUNNA; Oct 28, 2010 at 02:18 AM.

Oct 28, 2010 | 08:45 AM  #74  justnspace

Oct 28, 2010 | 12:47 PM  #75  rza49311
Originally Posted by #1 STUNNA
So you can't run the combofix exe from the recovery console? That would seem to make sense. You boot into recovery console and the main system isn't running but you can scan for malicious files and actually remove them since the system isn't running.
Originally Posted by rza49311
I don't know. I'll try it tomorrow when I get to work.

No you cannot run combofix from the recovery console. Just tried it.

Oct 28, 2010 | 08:03 PM  #76  #1 STUNNA (Thread Starter)
I bet you could if you booted to safe mode with command line. I've used that a few times to launch system restore on a system that refused to launch .exe files.

Speaking of which here's another tip I figured out for you guys that fight malware. Do you know how to get around when malware won't let you run any exe files?

One trick is to turn on hidden common file extensions in Folder Options, then go to c:\windows\ and change regedit.exe to regedit.com. Then try and open it, and if it opens, go to HKEY_CLASSES_ROOT\.exe. On an infected system you should see the folders "default icon" and "shell". Delete those! They aren't supposed to be there. Keep the "PersistentHandler" folder. Then click on the .exe folder and for the (Default) reg key it will probably say "secfile"; edit that so that it says "exefile" (no quotes).

Secfile is added by the malware and shouldn't be in the registry. Now if you scroll further down the HKEY_CLASSES_ROOT folder you should see a folder called "secfile"; that folder is added by the malware and within that folder it will tell you the malware's file location. Make note of that location so you can delete the malware, and then go ahead and delete the secfile folder cause it doesn't exist normally in the registry.

If you get worried you're going to fuck it up then find a known clean machine and compare the HKCR\.exe to the infected one and make the infected one match the clean one. There's a slight difference between HKCR\.exe in XP and 7 so be aware of that.

After modifying the registry with the steps above you should be able to run programs, just go and delete the malware whose file location was noted in the secfile folder and start with your normal cleanup routine.

You can also change mbam.exe to mbam.com to make Malwarebytes run; I've had success doing that before too.

But remember I talk out of my ass 90% so I could be making this all up......

Last edited by #1 STUNNA; Oct 28, 2010 at 08:07 PM.

Oct 28, 2010 | 10:08 PM  #77  Jonesi
I just ran across "backdoor:Win32/Cycbot.B". It's my dad's computer that's infected, but man is it a bitch so far. I assume because it's so new and the scans aren't picking it up completely yet.

Oct 28, 2010 | 10:18 PM  #78  Whiskers
Look here: http://www.bleepingcomputer.com/forums/topic354181.html

Don't know about that Russian software though...

Oct 28, 2010 | 10:23 PM  #79  Jonesi
Originally Posted by Whiskers
Look here: http://www.bleepingcomputer.com/forums/topic354181.html

Don't know about that Russian software though...

Yeah, I tried Dr.Web CureIt but no luck. It's better but something is still fucked up.

Oct 28, 2010 | 10:25 PM  #80  #1 STUNNA (Thread Starter)
Another tip: if you can ping but can't load websites, check Internet Options to see if a fake proxy has been set up. Go to Internet Options > Connections > LAN, and if "Proxy server" is checked then uncheck it. If you click the Advanced button it'll probably have 127.0.0.1 as your proxy server.

Also check your DNS server settings; I know the Alureon rootkit sometimes puts in its own DNS servers that won't work.
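An added read-only triage script (written for this page, not posted by anyone in the thread) that checks the indicators described in posts #50, #76 and #80 in one pass: the HKCR\.exe "secfile" hijack and its recorded file path, leftover Run/RunOnce entries, a proxy pointed at 127.0.0.1, and static DNS servers overriding DHCP. It assumes an elevated Windows PowerShell session on the suspect machine; the key paths and value names are the standard Windows ones, and the DHCP-versus-static DNS check is a heuristic that needs a human to confirm.

```powershell
# Added triage script (not from the thread). Read-only: it reports the indicators
# the posts describe and prints the fix order, but changes nothing.
# Assumes an elevated Windows PowerShell session on the suspect machine.

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$Msg) { [void]$findings.Add($Msg); Write-Host "[!] $Msg" }

# 1. The .exe association hijack: HKCR\.exe (Default) must read "exefile", the only
#    subkey normally present is PersistentHandler, and HKCR\secfile must not exist.
$exeKey = 'Registry::HKEY_CLASSES_ROOT\.exe'
$assoc  = (Get-ItemProperty -Path $exeKey).'(default)'
if ($assoc -ne 'exefile') {
    Add-Finding "HKCR\.exe (Default) is '$assoc' instead of 'exefile'"
}
Get-ChildItem -Path $exeKey |
    Where-Object { $_.PSChildName -ne 'PersistentHandler' } |
    ForEach-Object { Add-Finding "Unexpected subkey under HKCR\.exe: $($_.PSChildName)" }

$secKey = 'Registry::HKEY_CLASSES_ROOT\secfile'
if (Test-Path -Path $secKey) {
    # The launch command under secfile is where the malware's own path is recorded.
    $cmdKey = "$secKey\shell\open\command"
    $cmd = if (Test-Path -Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { '<none>' }
    Add-Finding "HKCR\secfile exists; its open command is: $cmd"
}

# 2. A bogus local proxy (Internet Options > Connections > LAN settings).
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1) {
    if ($ie.ProxyServer -match '127\.0\.0\.1|localhost') {
        Add-Finding "Proxy is enabled and points at this machine: $($ie.ProxyServer)"
    } else {
        Write-Host "[i] Proxy enabled ($($ie.ProxyServer)); confirm it is intentional"
    }
}

# 3. DNS overrides (heuristic): a DHCP interface that also carries a static NameServer
#    value is using DNS servers the network never handed out. Confirm before acting.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem -Path $ifRoot | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.EnableDHCP -eq 1 -and $p.NameServer) {
        Add-Finding "Interface $($_.PSChildName): DHCP on, but static DNS '$($p.NameServer)' overrides '$($p.DhcpNameServer)'"
    }
}

# 4. Autostart entries the thread cleaned by hand: Run and RunOnce in both hives.
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -Path $path)) { continue }
        (Get-ItemProperty -Path $path).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { Write-Host "[i] $hive ...\$sub : $($_.Name) = $($_.Value)" }
    }
}

Write-Host ''
if ($findings.Count -eq 0) {
    Write-Host 'No indicators found for the checks above.'
} else {
    Write-Host "$($findings.Count) indicator(s). Fix order from the thread: note the secfile command path,"
    Write-Host "set HKCR\.exe (Default) back to 'exefile', delete the extra subkeys and HKCR\secfile,"
    Write-Host 'then remove the noted file and undo the proxy and DNS changes.'
}
```

Run it before and after a cleanup; an empty findings list after a reboot is the check the poster in #50 was missing for "clearing out and then coming back after a restart".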


