
Re: Fucking viruses

Posted: 2008-11-26 06:27pm
by Ariphaos
Dominus Atheos wrote: The bolded part is why myself and other people who know a lot about computer security will always recommend a nuke and pave whenever someone is infected with spyware. Even if you think you removed the program, it may leave bits and pieces of itself on your computer. Sometimes those bits and pieces will only slow down your computer, but don't be surprised to find that there's a keylogger stealing everything you type on the keyboard, or that your computer is a zombie that's sending spam email as part of a botnet.
Yup, I'm not saying otherwise, I'm just saying nuking is rarely the only option.

Though, zombies are usually fairly easy to detect.

Re: Fucking viruses

Posted: 2008-11-27 02:38pm
by Braedley
So I have another machine on the bench with this. It's so nefarious that a) I needed to run roguefix just so that I could start malwarebytes, and b) it's even running when I'm in safe mode. This is some nasty shit.

Re: Fucking viruses

Posted: 2008-11-27 04:37pm
by JLTucker
How the fuck are you guys getting viruses? Do you browse questionable porn sites? Do you run questionable executables? What the fuck are you doing?

Re: Fucking viruses

Posted: 2008-11-27 06:08pm
by Battlehymn Republic
I'm hoping that nothing will get by Chrome.

Re: Fucking viruses

Posted: 2008-11-28 02:13pm
by Ariphaos
JLTucker wrote:How the fuck are you guys getting viruses? Do you browse questionable porn sites? Do you run questionable executables? What the fuck are you doing?
For Braedley and I, it's our friends and customers.

But tell me, what's the oldest version of Java you have installed?

All it takes is one injection on one site you trust.

Re: Fucking viruses

Posted: 2008-11-29 04:42am
by Darwin
Shit, *antivirus 200x is a stone bitch if it's got its claws in there. I've pulled the 2007 variant off my dad's laptop and it was just a total pain.

Re: Fucking viruses

Posted: 2008-11-29 04:44pm
by phongn
Microsoft's Malicious Software Removal Tool will now attempt to remove those fake antivirus programs.

Re: Fucking viruses

Posted: 2008-11-29 04:52pm
by Enigma
Xeriar wrote:The main installation vector is called virtumundo.
I've been hit with that and for the most part my computer is clean. The only place that is still affected by virtumundo is Firefox.

Re: Fucking viruses

Posted: 2008-11-29 05:06pm
by Pu-239
Dominus Atheos wrote:
Rogue 9 wrote:Until the hard drive gets corrupted.
There's very little that's going to corrupt a hard drive bad enough to irrecoverably wipe out all the partitions that doesn't either mean you need to replace the entire thing, or will jump across hard drives. Anyway, all of those vendors provide a way to make your own recovery disks from that partition.
Theoretically malware can infect this partition, then you're fucked even after reinstall. The likelihood is somewhat less since there's a variety of permutations that has to be accounted for in the malware if it takes this route.

Re: Fucking viruses

Posted: 2008-11-29 05:28pm
by Zixinus
I had shit like this on my mom's computer (though it's a wonder that the thing runs at all, especially sporting WinXP). It was a pain in the ass to get that shit off the system.

Re: Fucking viruses

Posted: 2008-11-29 08:58pm
by Braedley
JLTucker wrote:How the fuck are you guys getting viruses? Do you browse questionable porn sites? Do you run questionable executables? What the fuck are you doing?
Shit, I thought I posted a reply to this. Anyways, as Xeriar said, I'm cleaning this shit off customers' computers. Luckily, some customers are smart enough that when their kids get their machine infected, they bring it in when it's only minor and before this nasty smitfraud variant gets them.

Re: Fucking viruses

Posted: 2008-12-01 04:05am
by Ariphaos
phongn wrote:Microsoft's Malicious Software Removal Tool will now attempt to remove those fake antivirus programs.
It now fails utterly.

You can forget about trying to get anywhere if you let explorer.exe run. This is insane...

Re: Fucking viruses

Posted: 2008-12-03 09:37am
by Rogue 9
Man. I'm glad I killed this when I did. In fact, I think I'm going to update every anti-malware tool I have (it's an impressive list), reboot to safe mode after I'm done with this work I'm doing, and scan the fuck out of everything just to be sure nothing's left.

As for infection vector, I'm guessing it was a malicious banner ad. I play a couple of browser games that have until now always been clean (and no, I don't click ads), but I think I'm going to get Adblock Plus now.

Re: Fucking viruses

Posted: 2008-12-03 09:15pm
by Braedley
You've been living without it? God, I nearly claw my eyes out every time I have to see a flashing banner ad.

Edit: also, http://easylist.adblockplus.org/ is your friend with ADP.

Re: Fucking viruses

Posted: 2008-12-03 10:17pm
by Enigma
Rogue 9 wrote:Man. I'm glad I killed this when I did. In fact, I think I'm going to update every anti-malware tool I have (it's an impressive list), reboot to safe mode after I'm done with this work I'm doing, and scan the fuck out of everything just to be sure nothing's left.

As for infection vector, I'm guessing it was a malicious banner ad. I play a couple of browser games that have until now always been clean (and no, I don't click ads), but I think I'm going to get Adblock Plus now.
Do you use IE7Pro? It has built in an Ad blocker and a Flash blocker.

Re: Fucking viruses

Posted: 2009-01-12 10:20pm
by Ma Deuce
Sorry for the necro, but this thing hit me today, of that I am sure, because all the symptoms are the same (I'm running XP Pro): this is my first major infection ever. I was about to try Xeriar's suggestion of malwarebytes + roguefix, but I have one major obstacle to even attempting that: I cannot restart the computer in any variety of safe mode. It begins to load the files in prompt mode, then hangs up on a file called sptd.dat or something or other, then after a while the computer reboots on its own. Help, please! I simply cannot afford to nuke this hard drive so I need assistance here. In the meantime, should I stop using this computer and borrow my sister's laptop? Can this thing "mutate" into something worse simply by running the computer?

Re: Fucking viruses

Posted: 2009-01-12 10:36pm
by TempestSong
I don't recognize a "sptd.dat"; a Google search turns up "sptd.sys" (Prevx analysis), so malware is always a possibility behind that.

Have you tried pulling out the drive and scanning it on another computer?

Back on the topic, Adblock is pretty good, but if reinforced with NoScript (which is a Javascript blocker; only sites that are "whitelisted" are allowed to use Javascript) it more or less sets up a nearly-impenetrable shield. NoScript can be annoying at times, when you try to use a site and find out the only reason it doesn't work is because of the Javascript, but otherwise it's pretty good at safeguarding from the occasional malicious Javascript code.

Re: Fucking viruses

Posted: 2009-01-12 10:39pm
by Braedley
YES! STOP RIGHT NOW!

Mutate probably isn't the best term, but I've seen how this infection can dig in. If you catch it before you trigger its second phase (which I doubt you did, since you're posting about it here), then it's fairly easy to remove. But if you let it dig in, then it starts doing nasty stuff like installing a driver that prevents malwarebytes from even running (even in safe mode) or redirecting all your internet traffic to rogue sites. Honestly, and I'll be blunt here, you're either looking at nuke and pave, or professional cleaning.

Re: Fucking viruses

Posted: 2009-01-12 10:45pm
by Isil`Zha
Fuck, I somehow picked that up last week, at work no less, doing work related things...

It hijacks your DNS so it uses whatever IP they wanted as your DNS server. IPConfig will even show your proper DNS server, but if you watch your packets with Wireshark, you'll see the DNS requests going to a completely different IP, and it of course resolves the URLs or hostnames you want into whatever site they've put in their DNS server. It was really easy to catch when the IP of every site I put in was going to the same place, thanks to the Show IP plug-in for Firefox.

I said "god damnit" and wiped my machine. I wasn't about to let that get its dick anywhere else.

Thankfully I had a ghost image I made once I got my machine all set up and all my apps installed, so it was a quick format and a 20 minute image restore and I was good. Which is good, 'cause I have a ton of shit on that machine.

EDIT: This was about the first virus that wouldn't let you get to websites.
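The two symptoms Isil`Zha describes (DNS queries leaving for a resolver other than the one ipconfig reports, and every hostname resolving to the same address) can be checked mechanically from a packet summary and a list of observed resolutions. The following Python is an added example, not code from the original post; the packet lines, the configured resolver address and the hostname-to-address map are constructed sample data, and the one-line "src dst proto port" format is a simplified stand-in for what a Wireshark or tshark export would contain.

```python
"""Spot DNS-hijack symptoms from a packet summary and observed resolutions.

Two defender-side checks:
  1. DNS traffic (port 53) sent to any address that is NOT the resolver the
     OS claims to be using (the ipconfig-vs-Wireshark mismatch).
  2. Many distinct hostnames resolving to one address (the "every site goes
     to the same place" observation from the Show IP plug-in).
"""
from collections import defaultdict

# Constructed sample packet summary, one packet per line:
# "<src_ip> <dst_ip> <protocol> <dst_port>". Addresses are documentation
# ranges (RFC 5737) and a private LAN; nothing here is a real indicator.
SAMPLE_PACKETS = """\
192.168.1.10 192.168.1.1 UDP 53
192.168.1.10 192.168.1.1 UDP 53
192.168.1.10 203.0.113.7 UDP 53
192.168.1.10 198.51.100.20 TCP 80
192.168.1.10 203.0.113.7 UDP 53
"""

# What ipconfig reported as the DNS server (constructed value).
CONFIGURED_DNS = {"192.168.1.1"}

# Constructed hostname -> resolved address map, as a Show IP style plug-in
# would reveal while browsing.
SAMPLE_RESOLUTIONS = {
    "example.com": "203.0.113.50",
    "example.net": "203.0.113.50",
    "example.org": "203.0.113.50",
    "intranet.local": "192.168.1.20",
}


def parse_packets(text):
    """Parse summary lines into (src, dst, proto, port) tuples, skipping junk."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, port = parts
        rows.append((src, dst, proto.upper(), int(port)))
    return rows


def unexpected_resolvers(packets, configured):
    """Count DNS packets (port 53, UDP or TCP) sent to resolvers not in `configured`.

    Returns {dst_ip: packet_count}; an empty dict means every query went
    where the OS configuration says it should.
    """
    counts = defaultdict(int)
    for _src, dst, _proto, port in packets:
        if port == 53 and dst not in configured:
            counts[dst] += 1
    return dict(counts)


def sinkhole_candidates(resolutions, min_hosts=3):
    """Return addresses that at least `min_hosts` distinct hostnames resolve to.

    Shared hosting and CDNs can legitimately trigger this, so treat it as a
    prompt to compare against a known-good resolver, not as proof by itself.
    """
    by_ip = defaultdict(set)
    for host, ip in resolutions.items():
        by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_PACKETS)
    print("DNS sent to unexpected resolvers:", unexpected_resolvers(pkts, CONFIGURED_DNS))
    print("Addresses many hostnames share:", sinkhole_candidates(SAMPLE_RESOLUTIONS))
```

With the sample data the first check reports two queries to 203.0.113.7, which the OS never listed as a resolver, and the second reports three unrelated hostnames landing on 203.0.113.50. On a real machine you would feed in a tshark export and the output of `ipconfig /all`; the second check has benign explanations (CDNs, shared hosting), so confirm it by resolving the same names through a resolver you trust before concluding anything.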

Re: Fucking viruses

Posted: 2009-01-12 11:18pm
by Crayz9000
My personal recommendation is to buy a new hard drive if you don't have another computer available. 80 to 200GB drives are now almost dirt cheap, and what that will let you do is install a clean copy of Windows without worrying about screwing up your old documents.

Once you've set up Windows and every piece of anti-malware software you need, patched everything and generally made sure it's locked down tighter than Alcatraz, then you can plug the old hard drive in as a secondary and scan the crap out of it. After you're done scanning and cleaning it, THEN you can move your documents back over.


Sidetrack:
On a clean install, I typically make two partitions; the first, smaller one holds Windows and the second one all my data; I usually do about a 30%/70% split between Windows and documents. You can then use the Junction tool (available at Microsoft's Sysinternals page) to make a symbolic link to the Documents and Settings folder so that you can place it on the D: drive and have Windows and everything else think it's on C:. This setup allows me to reformat C: in case of emergency while retaining my documents and settings; it's just a matter of renaming the Documents and Settings folder after a reformat, scanning it, and copying back only what's needed to the new Documents and Settings folder on D:.

It's always a major inconvenience to have to do this, so this is why you either forgo "easy" and run with a very locked down OS, or (my solution) switch to Linux for web browsing, email and just about everything else and keep Windows only for the newest games that won't work on Wine.

Re: Fucking viruses

Posted: 2009-01-13 05:04am
by Ma Deuce
My personal recommendation is to buy a new hard drive if you don't have another computer available. 80 to 200GB drives are now almost dirt cheap, and what that will let you do is install a clean copy of Windows without worrying about screwing up your old documents.
OK, I'm posting this from my sister's laptop: I believe the above is the route I am going to use. While I already have an old secondary hard drive (back when I had 98SE I used to use it for backup when I reinstalled the OS every 18 months), at 40GB it is simply too small for all my data + a working copy of XP. In the meantime I will ensure the desktop is not used at all, and install every anti-malware app on this computer I can think of. Since I have only installed XP precisely once, I'd like to ask, will installing the same copy again give any trouble from XP's DRM?

Re: Fucking viruses

Posted: 2009-01-13 05:29am
by starslayer
Ma Deuce wrote:Since I have only installed XP precisely once, I'd like to ask, will installing the same copy again give any trouble from XP's DRM?
It shouldn't. If it does, activate by phone. Microsoft's internet and telephone servers don't seem to be connected for XP, so you can still activate Windows even after you hit the internet activation limit (usually 5 for XP).

Re: Fucking viruses

Posted: 2009-01-13 08:08am
by TempestSong
Ma Deuce wrote:OK, I'm posting this from my sister's laptop: I believe the above is the route I am going to use. While I already have an old secondary hard drive, (while back when I had 98SE I used to use it for backup when I reinstalled the OS every 18 months) however at 40gb it is simply too small for all my data + a working copy of XP. In the mean time I will ensure the desktop is not used at all, and install every anti-malware app on this computer I can think of. Since I have only installed XP precisely once, I'd like to ask, will installing the same copy again give any trouble from XP's DRM?
IIRC, the activation scheme only gets suspicious if you change around more than a few hardware pieces, and try to activate a lot within a very small time space. If you have an OEM computer that came with Windows, it's even better, as the activation info is already stored in your BIOS; it wouldn't really care.

Re: Fucking viruses

Posted: 2009-01-17 02:19pm
by Vertigo1
Ma Deuce wrote:
My personal recommendation is to buy a new hard drive if you don't have another computer available. 80 to 200GB drives are now almost dirt cheap, and what that will let you do is install a clean copy of Windows without worrying about screwing up your old documents.
OK, I'm posting this from my sister's laptop: I believe the above is the route I am going to use. While I already have an old secondary hard drive (back when I had 98SE I used to use it for backup when I reinstalled the OS every 18 months), at 40GB it is simply too small for all my data + a working copy of XP. In the meantime I will ensure the desktop is not used at all, and install every anti-malware app on this computer I can think of. Since I have only installed XP precisely once, I'd like to ask, will installing the same copy again give any trouble from XP's DRM?
http://netsecurity.about.com/od/windows ... xp0829.htm

:)

Re: Fucking viruses

Posted: 2009-01-20 11:26am
by Haruko
Malwarebytes Anti-Malware is awesome. I had the same malware that stopped me from browsing many sites, accessing Task Manager and Start Menu, displayed tons of pop-up ads tailored to look professional/legitimate, etc. and I tried detailed instructions on the internet that included downloadable programs that dealt specifically with the type of malware affecting my computer, going into Safe Mode, and combing through the registry and system files.

Then somehow I came across Malwarebytes, ran the scan, removed what it found, and voila, lame malware gone.

That experience convinced me to take security more seriously again. I was shocked that someone like me who wasn't a complete moron about computers nonetheless could be given such a headache over spyware. I've never had spyware laugh at my attempts to remove it before.

So in addition to COMODO firewall and Avira anti-virus, I also purchased Malwarebytes so I could get automatic updating and real-time protection. SUPERAntiSpyware has a rogue-sounding name, but it's another great anti-spyware program that the developer of Malwarebytes is on record saying is the only other anti-spyware program he respects. Since I've chosen to have Malwarebytes as my real-time protection, I just run the free version of SUPERAntiSpyware manually. Previously, I used Spybot and Adaware, but the former is showing its age and the latter, despite its fancy new look, has the same old detection rates. Both tend to find a lot of spyware, but it's all low-level spyware (mostly cookies), while Malwarebytes and SUPERAntiSpyware both get the real nasties.

Another good program to get is SpywareBlaster. It protects Firefox and Internet Explorer using its database of known spyware to help prevent their installation in the first place.

These, with safe browsing and download practices, are the best setup, I think.