
The Official Internet/Computer Security News Discussion Thread

Old 10-28-2010, 10:29 PM
  #81  
Senior Moderator
 
Jonesi's Avatar
 
Join Date: Jul 2003
Location: Pittsburgh, PA
Age: 46
Posts: 19,827
Received 1 Like on 1 Post
Originally Posted by #1 STUNNA
Another tip: if you can ping but can't load websites, check Internet Options to see if a fake proxy has been set up. Go to Internet Options > Connections > LAN, and if "Proxy server" is checked then uncheck it. If you click the Advanced button it'll probably have 127.0.0.1 as your proxy server.

Tried it. Wish it was that easy. It actually removes those features in Internet Explorer. They are grayed out and inaccessible. Any other way around it?
Old 10-28-2010, 10:30 PM
  #82  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Check your DNS settings for your network adapter; they may have edited that.
Old 10-28-2010, 10:31 PM
  #83  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Those settings are usually greyed out unless you check the box to configure the proxy.
Old 10-28-2010, 10:32 PM
  #84  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Run TDSSKiller; it doesn't work on all rootkits but it works on the most popular ones right now.

http://support.kaspersky.com/viruses...?qid=208280684
Old 10-28-2010, 10:34 PM
  #85  
Go Giants
 
Whiskers's Avatar
 
Join Date: Aug 2004
Location: PA
Age: 52
Posts: 69,901
Received 1,231 Likes on 821 Posts
Originally Posted by Jonesi
Tried it. Wish it was that easy. It actually removes those features in Internet Explorer. They are grayed out and inaccessible. Any other way around it?
64 Bit OS?
Old 10-28-2010, 10:35 PM
  #86  
Go Giants
 
Whiskers's Avatar
 
Join Date: Aug 2004
Location: PA
Age: 52
Posts: 69,901
Received 1,231 Likes on 821 Posts
Originally Posted by #1 STUNNA
Run TDSSKiller; it doesn't work on all rootkits but it works on the most popular ones right now.

http://support.kaspersky.com/viruses...?qid=208280684
Only runs on 32-bit OS.
Old 10-28-2010, 10:37 PM
  #87  
Senior Moderator
 
Jonesi's Avatar
 
Join Date: Jul 2003
Location: Pittsburgh, PA
Age: 46
Posts: 19,827
Received 1 Like on 1 Post
Originally Posted by #1 STUNNA
Those settings are usually greyed out unless you check the box to configure the proxy.

Well aware. It literally grays out all of "Internet Options" and several other features.

It's 32-bit on Vista.
Old 10-28-2010, 10:39 PM
  #88  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Originally Posted by Whiskers
Only runs on 32 bit os.
Huh? It states clearly on the page:

The utility TDSSKiller.exe supports 32-bit and 64-bit operation systems.
Old 10-29-2010, 07:35 AM
  #89  
Go Giants
 
Whiskers's Avatar
 
Join Date: Aug 2004
Location: PA
Age: 52
Posts: 69,901
Received 1,231 Likes on 821 Posts
exactly...
Old 11-19-2010, 12:33 PM
  #90  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Adobe Reader X is out! It's the new hotness! It runs in a protected sandboxed mode that isolates itself from the system files. This should be a big security improvement.

Download it here:

http://get.adobe.com/reader/?promoid=BUIGO
Old 11-19-2010, 12:59 PM
  #91  
Big Block go VROOOM!
 
Billiam's Avatar
 
Join Date: Oct 2003
Location: Chicago Burbs
Age: 52
Posts: 8,578
Likes: 0
Received 1 Like on 1 Post
Originally Posted by #1 STUNNA
FYI you can also get it (like past versions of the Reader) straight from Adobe's FTP. I usually use ftp3.adobe.com but I seem to recall that ftp1 - ftp5 worked as well.

/pub/adobe/reader/win/10.x/10.0.0/en_US/AdbeRdr1000_en_US.exe
Old 11-19-2010, 01:25 PM
  #92  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Yup! Someone posted that on neowin yesterday and I installed it last night before it ever went live.
Old 11-19-2010, 01:51 PM
  #93  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Actually it's

ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/
Old 12-04-2010, 11:53 AM
  #94  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,329
Received 2,049 Likes on 1,135 Posts
IE Protected Mode pwnd
https://threatpost.com/en_us/blogs/r...ed-mode-120310
In their research, the Verizon Business team found a method that, when combined with an existing memory-corruption vulnerability in the browser, enables an attacker to bypass Protected Mode and elevate his privileges on the compromised machine. The technique enables the attacker to move from a relatively un-privileged level to one with higher privileges, giving him complete access to the logged-in user's account.
Old 12-04-2010, 12:02 PM
  #95  
Needs more Lemon Pledge
 
stogie1020's Avatar
 
Join Date: Mar 2005
Location: Phoenix, AZ
Age: 51
Posts: 52,768
Received 2,000 Likes on 1,173 Posts
Old 12-04-2010, 12:46 PM
  #96  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Interesting. So it's not breaking through Protected Mode, it's going around it. So the way to prevent this is to enable Protected Mode on intranet sites. That would stop this bypass.
Old 12-04-2010, 01:00 PM
  #97  
Needs more Lemon Pledge
 
stogie1020's Avatar
 
Join Date: Mar 2005
Location: Phoenix, AZ
Age: 51
Posts: 52,768
Received 2,000 Likes on 1,173 Posts
Seems like IE will have to firewall the different Security Zones users can assign in IE. Also, may have to figure out how to monitor 127.0.0.1 for new "arrivals" and quarantine them.
Old 12-19-2010, 02:01 AM
  #98  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
I've been wanting to update this thread for the past few days but have hesitated because I'm lazy and the stuff keeps piling up, so here goes.

First up, it seems the fake AV software guys are now making fake defrag programs.

It's pretty much the same thing as FakeAV except it says your disk is gonna die unless you give us money.

Side note, that's what really disappointed me about the Conficker thing. Here they created one of the most genius pieces of malware, extremely advanced and very well thought out, and then once they had infected all these machines everyone was really scared about what Conficker was gonna do when it became active on the machines. You started thinking these guys are evil geniuses, they must have some crazy sinister plan, what could it be!?!? ZOMG! But no, it just started telling people they were infected with Fake AV. I was let down. Same old bullshit...

http://news.cnet.com/8301-27080_3-20025692-245.html
Old 12-19-2010, 02:59 AM
  #99  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Next up. Gawker's source code and database got hacked and leaked on the web via torrents! Not good! I'm sure some of you have seen this by now. Gawker, for those that don't know, owns Gizmodo, Lifehacker, Kotaku, Deadspin, Jalopnik, Fleshbot (Very NWS), io9, Valleywag, Defamer and Gawker. If you created an account on any of those sites then your login and password got jacked. I'm one of them. Unfortunately I'm not sure what my password was. It was my old password, but I might've changed it; if I didn't then I should be fine since I don't use that one anywhere else.

If you wish to check and see if your email is on the list of compromised accounts, one person uploaded all of the email addresses hashed in MD5 format.
http://www.google.com/fusiontables/D...?dsrcid=350662

You can check that table for yours by doing the following: Go to http://pajhome.org.uk/crypt/md5/ and type in your email to get the MD5 hash, click "Show Options" on the table, then paste the MD5 hash into the field and click "Apply." This procedure will help you know if you own one of the hijacked accounts.

If you get a result then you're fux0red!

Now I think the database was encrypted, and if you used a secure password then it might be much harder for your password to be cracked. However, if you used the same password on every site then the hacker just has to try the user name and password on other sites and see if they work.

This has made me start to look into using LastPass. I've heard of it many times but I never bothered with it. I just signed up for it and I'm going to give it a whirl. I've heard nothing but great things about it so I'm sure I'll like it. If you want to know more about LastPass check this article:

http://lifehacker.com/5645162/the-in...-with-lastpass

In related news, McDonald's database was also hacked and all user info was stolen from there too. So if you signed up with McDonald's to receive coupons or whatnot, your info was stolen.

So even if you create a secure password that can't be guessed, the database that stores it can still get hacked and your password stolen that way, and if you use that secure password on all your sites then you've got trouble. That's why making up a different secure password for each site you go to is the best way. Then when you use a service like LastPass you can just have LastPass remember it, and all you need is a very secure master password for LastPass that you can remember.
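The email-hash lookup described above, written out as an added example (it is not code from the post or from the fusion table): it hashes a few spellings of an address, because MD5 is case-sensitive and a table built from lowercase addresses will miss "Alice@Example.com" typed as-is. The hash set below is constructed sample data, not the leaked list.

```python
import hashlib

def md5_hex(text):
    """MD5 of a UTF-8 string as lowercase hex, the form the leak table uses."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def email_variants(email):
    """Spellings a leak table might have hashed: as typed, trimmed, lowercased.
    Duplicates are dropped; order decides which variant gets reported on a hit."""
    seen, out = set(), []
    for v in (email, email.strip(), email.strip().lower()):
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out

def check_email(email, hashed_table):
    """Return the variant whose MD5 is in the table, or None if none matches.
    Hashing does not anonymise a short, guessable value like an email address:
    anyone can hash a candidate address and look it up, which is exactly what
    this check relies on."""
    for v in email_variants(email):
        if md5_hex(v) in hashed_table:
            return v
    return None

# Constructed sample table (hashes of made-up addresses, not the real leak).
LEAKED_EMAIL_MD5 = {
    md5_hex("alice@example.com"),
    md5_hex("bob.smith@example.org"),
}

if __name__ == "__main__":
    for addr in ("  Alice@Example.COM ", "carol@example.net"):
        hit = check_email(addr, LEAKED_EMAIL_MD5)
        print(addr.strip(), "->", "in leak (as %r)" % hit if hit else "not found")
```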
Old 12-19-2010, 03:11 AM
  #100  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Oh yeah, deviantART had their database hacked too. You can read more about each of these attacks at the links below:

deviantART:
http://www.neowin.net/news/deviantar...dresses-leaked

McDonald's:
http://www.neowin.net/news/mcdonald0...atabase-hacked

Gawker:
http://thenextweb.com/media/2010/12/...amespasswords/

Apparently Gawker was talking shit to 4chan about their invincibility..... Idiots!
Old 12-19-2010, 03:18 AM
  #101  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Also last week there was a massive DDoS attack by supporters (mainly 4chan Anons) of WikiLeaks against Visa, MasterCard, PayPal and a failed one against Amazon. So if you had problems using PayPal last week, that was why. They were targeting PayPal's API servers, which handle payments, and they attacked Visa's Verified by Visa servers, which could've disrupted online stores that use that service; Newegg is one that comes to mind.

Apparently the Anon group got disorganized and they were having communication problems and the attacks sort of fizzled out, but they're expected to reorganize again and do more attacks in the future.

It's been a crazy few days for teh hackers.
Old 12-31-2010, 07:00 PM
  #102  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
So I went up against a fierce rootkit today. It was Alureon.A, which I thought would be pretty easy, but it is very stubborn. My task was to connect this drive via my USB-to-SATA dock and back up files. Well, as soon as I connect the drive MSE pops up a warning telling me that the drive's MBR is infected with Alureon.A and that I should clean it. So I do, then MSE says there was an error and that I need to restart to remove the rootkit. I do that and nothing happens, it's still there.

So then I turn to my trusty TDSSKiller, which has never failed me in the past. I run that, it finds the rootkit and says it removed it. Then I decide to run it again and it finds it again and says that it removed it. Of course it didn't, which is why it kept finding it over and over again. I also tried Norton's and Trend Micro's rootkit programs with no luck. I do a little research and find this link:

http://www.microsoft.com/security/po...n:OS/Alureon.A

It tells me that I could do a fixmbr and fixboot to get rid of it. So I boot from an XP CD, go into the recovery console (after using ophcrack to figure out the admin password) and run the two cmds. I reboot and guess what? It's still there! I kinda expected that.

So anyone know anything about editing the MBR? Stogie? I know I could do a LLF and wipe it out but I kinda want to beat it without dropping a nuke on it.
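As an added example (not code from the post or from any of the tools it names), here is how to inspect an MBR copied off a drive and compare its boot code with a known-good baseline, which is the quickest way to tell whether fixmbr actually rewrote the sector or whether something keeps restoring it. The sample sectors and the baseline hash are constructed here; on a real drive you would read the first 512 bytes of the raw device with admin rights.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446   # bytes 0..445: boot loader code, the part fixmbr rewrites
PTABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
SIG_OFF = 510        # bytes 510..511: 0x55AA boot signature

def read_mbr(device_path):
    """Read the first sector of a raw device or disk image (needs admin rights)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR)

def parse_mbr(sector):
    """Split a 512-byte MBR into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    partitions = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
    }

def check_mbr(sector, baseline_bootcode_sha256):
    """Return a list of findings; an empty list means the sector looks as expected."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from known-good baseline")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition entry has invalid status byte 0x%02x" % p["status"])
    if sum(p["status"] == 0x80 for p in info["partitions"]) > 1:
        findings.append("more than one partition marked active")
    return findings

def make_entry(status, ptype, lba_start, sectors):
    """Build one 16-byte partition entry (CHS fields left zero)."""
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)

# Constructed sample sectors, not images of a real disk: a "clean" MBR with all-zero
# boot code and one NTFS partition, and a copy with a single boot-code byte patched.
CLEAN_MBR = (bytes(BOOTCODE_LEN) + make_entry(0x80, 0x07, 2048, 1000000)
             + bytes(48) + b"\x55\xaa")
_t = bytearray(CLEAN_MBR)
_t[0x10] ^= 0xFF
TAMPERED_MBR = bytes(_t)
# Baseline hash of the boot code you trust (here taken from the clean sample).
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOTCODE_LEN]).hexdigest()

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sec, BASELINE) or "OK")
```

Re-run the check after fixmbr and again after a reboot: boot code that matches the baseline once and differs again later tells you something on the system is rewriting the sector, which is a different problem from a one-off damaged MBR.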
Old 12-31-2010, 09:49 PM
  #103  
'12 & '13 AL West Champs!
 
Gfaze's Avatar
 
Join Date: May 2007
Location: Modesto, CA
Age: 44
Posts: 12,764
Received 51 Likes on 40 Posts
http://www.bleepingcomputer.com/forums/topic308323.html

Looks like Combofix did the trick for this user.
Old 12-31-2010, 10:23 PM
  #104  
Go Giants
 
Whiskers's Avatar
 
Join Date: Aug 2004
Location: PA
Age: 52
Posts: 69,901
Received 1,231 Likes on 821 Posts
I found MSE pretty good at finding and getting most viruses, but when it finds a hard virus it loops a lot.
Old 12-31-2010, 11:01 PM
  #105  
'12 & '13 AL West Champs!
 
Gfaze's Avatar
 
Join Date: May 2007
Location: Modesto, CA
Age: 44
Posts: 12,764
Received 51 Likes on 40 Posts
Originally Posted by Whiskers
I found MSE pretty good at finding and getting most viruses, but when it finds a hard virus it loops a lot.

Happened to my sister's computer. Unruy.D was a pain in the ass to get rid of. MSE would find it and supposedly delete it but upon reboot there it was again! Malware, Superantispyware, Spybot, you name it, I tried it. Combofix finally did away with it.

Last edited by Gfaze; 12-31-2010 at 11:03 PM.
Old 12-31-2010, 11:46 PM
  #106  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Originally Posted by Gfaze
http://www.bleepingcomputer.com/forums/topic308323.html

Looks like Combofix did the trick for this user.
Meh, different issue! I was getting some weird group policy error. I'm running 64-bit 7 and of course ComboFix doesn't run on x64. I'll have to boot into Hiren's and then run ComboFix.
Old 01-16-2011, 10:14 AM
  #107  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,329
Received 2,049 Likes on 1,135 Posts
Originally Posted by #1 STUNNA
So I went up against a fierce rootkit today....

So then I turn to my trusty TDSSkiller ...
Thanks for this. I used it to clean my sister's XP machine.
Old 01-17-2011, 11:57 PM
  #108  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
You're welcome
Old 01-18-2011, 12:15 AM
  #109  
uʍop ǝpısdn ǝdʎʇ uɐɔ ı
 
thelastaspec's Avatar
 
Join Date: Apr 2010
Posts: 1,363
Received 47 Likes on 41 Posts
ComboFix +1
Old 01-26-2011, 01:44 PM
  #110  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
A couple of updates to make today. Well, two for Facebook and one for Chrome/Firefox/IE 9.

Facebook today announced they're going to be rolling out access to their site over HTTPS SSL. Normally Facebook and many other sites would just encrypt the login screen, but once you were in your account all that activity was unencrypted, which was how the Firesheep extension was able to capture the FB session cookie over open wifi and allow someone to steal your identity. The entirely encrypted session will block that and you will be able to surf FB on an open wifi network without getting hax0red. The setting will be in Account Settings under Account Security.

Also I noticed that FB keeps track of the recent devices that log in to FB so you can know if someone else is all up in your shit. It can also notify you via email or text that some foo has accessed your account on a new device.

Also it uses your location to help detect suspicious activity. So if you log in from Kalifornia in the morning and then a few hours later FB detects someone logging into your account from England, it will ask you to confirm your identity. Not by a CAPTCHA but by showing you a few pics of your friends and asking you to identify them, like so:

These are all changes that Google made to Gmail about a year ago but it's very nice to see these coming to Facebook.

Blog post with more info about this:
http://blog.facebook.com/blog.php?post=486790652130

Last edited by #1 STUNNA; 01-26-2011 at 01:47 PM.
Old 01-26-2011, 01:58 PM
  #111  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
Chrome and Firefox have announced plans to enable opt-out options for advertising.

Originally Posted by Engadget
Ever been freaked out by an online ad that seemed to know you that little bit too well? It's the result of good old advertisers tracking your net-navigating habits and delivering targeted commercials to your eyeballs, but it can be prevented. Both Google and Mozilla have stepped up (or perhaps been pushed by the FTC) to try and tackle this issue of pernicious tracking cookies, but they've gone about it in different ways. The Chrome solution is a Keep My Opt-Outs browser extension that remembers the sites you don't want personalized information from, while Firefox will start beaming out a Do Not Track HTTP header that should be respected by advertisers and result in you receiving generic, repetitive ads. The important commonality between the two is that they don't rely on you preparing a cookie file with all your anti-advertiser bile contained within it (which was the FTC's original, somewhat impractical idea). Google intends to open-source its extension and bring it to other browsers as well, though obviously it's taking care of Chrome first, which can benefit from the add-on right now.
You can get the Chrome opt-out cookie here:

https://chrome.google.com/webstore/d...fdgfjilccfpfoe

Also IE 9 announced similar plans months ago and it will be showing up in the next public release which should be within the next few days. It will operate much like the ad-block extension on Firefox and Chrome except it comes preinstalled. It will have black and white lists that you can install from list publishers.
Old 01-26-2011, 01:59 PM
  #112  
Team Owner
 
doopstr's Avatar
 
Join Date: Jan 2001
Location: Jersey
Age: 52
Posts: 25,329
Received 2,049 Likes on 1,135 Posts
Nice nottie^
Old 01-27-2011, 09:42 PM
  #113  
Senior Moderator
 
Jonesi's Avatar
 
Join Date: Jul 2003
Location: Pittsburgh, PA
Age: 46
Posts: 19,827
Received 1 Like on 1 Post
While fixing computers recently, after numerous attempts troubleshooting, using cleaners etc., I've just said fuck it and pulled the drive. Then run it as a slave and clean it from there, which seems to work really well and saves a lot of time trying to go through the normal BS stuff.

I know there's a chance it could infect the other drive/computer but I may just go this route all the time now. The computer I use is an older Dell I can just re-image if it does get fucked up.

Anyone else go this route?
Old 01-27-2011, 11:34 PM
  #114  
I Skydive, Therefore I Am
 
CanopyFlyer's Avatar
 
Join Date: Oct 2006
Location: At your right shoulder, no your left!
Age: 54
Posts: 781
Received 0 Likes on 0 Posts
^^Actually no, as any virus on that drive is not running. As long as you do not open any executables that are infected, you will be fine.

When I deal with a system that has a virus, I have both a bootable USB drive, and CD-Rom (in case it's an older system that will not boot off USB) with tools to clean it up. Outside of completely reimaging the system, it is the best way to remove malware.
Old 01-28-2011, 01:40 AM
  #115  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
^Not necessarily. I've personally seen MSE go crazy just by connecting an infected hard drive many times. Rootkits will do that, malware that exploits autorun and just browsing through an infected drive can do that too.
Old 01-28-2011, 06:44 AM
  #116  
Drifting
iTrader: (1)
 
rza49311's Avatar
 
Join Date: Feb 2006
Location: Southern VA
Age: 45
Posts: 3,072
Received 8 Likes on 6 Posts
Originally Posted by Jonesi
While fixing computers recently, after numerous attempts troubleshooting, using cleaners etc., I've just said fuck it and pulled the drive. Then run it as a slave and clean it from there, which seems to work really well and saves a lot of time trying to go through the normal BS stuff.

I know there's a chance it could infect the other drive/computer but I may just go this route all the time now. The computer I use is an older Dell I can just re-image if it does get fucked up.

Anyone else go this route?
This works well to remove the actual infected files but if the registry has invalid entries, you won't be able to remove those while the drive is a slave.
Old 01-28-2011, 08:05 AM
  #117  
Senior Moderator
 
Jonesi's Avatar
 
Join Date: Jul 2003
Location: Pittsburgh, PA
Age: 46
Posts: 19,827
Received 1 Like on 1 Post
Originally Posted by CanopyFlyer
When I deal with a system that has a virus, I have both a bootable USB drive, and CD-Rom (in case it's an older system that will not boot off USB) with tools to clean it up. Outside of completely reimaging the system, it is the best way to remove malware.

What do you normally use as bootable? Hiren's?
Old 01-28-2011, 10:03 AM
  #118  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts
I prefer Hiren's. I used to use Ultimate Boot CD but it is so slow to boot into its XP. Hiren's takes 2-3 mins to boot into mini XP while UBCD is about 10 minutes.

I don't usually boot from CD to run AV scans; I prefer to remove the drive and connect it to my PC since it allows me to run many more scans on it. With the disc you can have programs that won't run in that environment, and the programs aren't usually the latest versions or have the latest AV definitions, plus the hassle of making sure you have the latest version of the disc.

Last edited by #1 STUNNA; 01-28-2011 at 10:08 AM.
Old 01-28-2011, 11:44 AM
  #119  
Senior Moderator
 
Jonesi's Avatar
 
Join Date: Jul 2003
Location: Pittsburgh, PA
Age: 46
Posts: 19,827
Received 1 Like on 1 Post
Originally Posted by #1 STUNNA
I prefer Hiren's. I used to use Ultimate Boot CD but it is so slow to boot into its XP. Hiren's takes 2-3 mins to boot into mini XP while UBCD is about 10 minutes.

I don't usually boot from CD to run AV scans; I prefer to remove the drive and connect it to my PC since it allows me to run many more scans on it. With the disc you can have programs that won't run in that environment, and the programs aren't usually the latest versions or have the latest AV definitions, plus the hassle of making sure you have the latest version of the disc.

Agree with all of the above. I've been using Hirens and started pulling drives to save the hassle. Seems so much easier. Then run quick checks after putting it back in.
Old 01-28-2011, 11:47 AM
  #120  
Sanest Florida Man
Thread Starter
 
#1 STUNNA's Avatar
 
Join Date: Aug 2007
Location: Florida
Posts: 43,371
Received 10,115 Likes on 6,106 Posts