
> Virus /Rootkits Thread, Work In Progress (Virus/Malware)

BlueWind
post Sep 23 2015, 11:05 PM

Sianzation
*******
Group: Senior Member
Posts: 2,874

Joined: Jan 2007



You may be infected with a rootkit.

Download MBAR here : https://www.malwarebytes.org/antirootkit/
n8210
post Sep 24 2015, 04:04 PM

Look at all my stars!!
*******
Group: Senior Member
Posts: 2,330

Joined: Mar 2005


download
update
scan


n8210
post Sep 24 2015, 05:10 PM

Look at all my stars!!
*******
Group: Senior Member
Posts: 2,330

Joined: Mar 2005


Still the same old 4 files detected but they could not be removed by Malwarebytes.
n8210
post Sep 28 2015, 04:58 PM

Look at all my stars!!
*******
Group: Senior Member
Posts: 2,330

Joined: Mar 2005


Went into msconfig today to disable a partition software from starting every time Windows starts... but to my surprise, there is something that I don't recognize... what is this? How do I find out? I am using W8.1.


n8210
post Oct 1 2015, 10:09 AM

Look at all my stars!!
*******
Group: Senior Member
Posts: 2,330

Joined: Mar 2005


Do I need to install another antivirus alongside my Malwarebytes Premium? It seems not worth it if I have to buy another antivirus to go along with Malwarebytes, but protection is important. So, do I need to?
xwdgksvfh
post Oct 20 2015, 03:53 PM

New Member
*
Group: Newbie
Posts: 3

Joined: Oct 2015
Because you said that is casesam infected with the virus. In this http://www.ourcase.co.uk case backup files Dllcache also deleted AVG.

This post has been edited by xwdgksvfh: Oct 23 2015, 10:17 AM
sony88
post Sep 20 2016, 05:38 PM

Getting Started
**
Group: Junior Member
Posts: 85

Joined: Nov 2013


QUOTE(n8210 @ Sep 28 2015, 04:58 PM)
went into msconfig today to disable a partition software from starting every time windows start... but to my surprise, there is something that I don't recognize... what is this? how to find out? I am using W8.1
*
QUOTE(n8210 @ Oct 1 2015, 10:09 AM)
Do i need to install another anti virus along side my malwarebytes premium? seems not worth it if I have to buy another anti virus to go along with malwarebytes, but protection is important.. So, do i need to?
*
According to the pic.

I believe you downloaded too much cracked software and got infected.

So in this case, if you have a lot of P&C info and do many transactions,

I advise you to get an original antivirus + original Windows =p
n8210
post Sep 21 2016, 06:46 AM

Look at all my stars!!
*******
Group: Senior Member
Posts: 2,330

Joined: Mar 2005


QUOTE(sony88 @ Sep 20 2016, 05:38 PM)
According to the pic.

I believe you downloaded too much cracked software and got infected.

So in this case, if you have a lot of P&C info and do many transactions,

I advise you to get an original antivirus + original Windows =p
*
It's a new W8 setup. Anyway, I already moved to W10.
raifalove
post Oct 23 2016, 02:24 PM

Casual
***
Group: Junior Member
Posts: 317

Joined: Apr 2008
From: Taman Putra Perdana



If you don't have the budget to buy antivirus software, you may try Microsoft Security Essentials by downloading it from the Microsoft Download Center.
Windows 7 & 10 have this software and it works great for me so far.

This post has been edited by raifalove: Oct 23 2016, 02:25 PM
blastmeister
post Jan 9 2017, 01:58 PM

Getting Started
**
Group: Junior Member
Posts: 98

Joined: Jun 2006


Guys, if your computer is still infected with a virus even after you scan with your antivirus software, you can try Dr.Web CureIt!® by Doctor Web. It is FREE. Follow the link to download the software and run it. No need to install.
http://free.drweb.com/cureit/?lng=en

One of the best software to detect and cure files, especially those infected with new threats such as rootkits, trojans, viruses, etc.

This post has been edited by blastmeister: Jan 9 2017, 02:00 PM
fizzomar
post Feb 20 2017, 10:24 AM

New Member
*
Group: Junior Member
Posts: 47

Joined: Dec 2016
QUOTE(blastmeister @ Jan 9 2017, 01:58 PM)
Guys, if your computer is still infected with a virus even after you scan with your antivirus software, you can try Dr.Web CureIt!® by Doctor Web. It is FREE. Follow the link to download the software and run it. No need to install.
http://free.drweb.com/cureit/?lng=en

One of the best software to detect and cure files, especially those infected with new threats such as rootkits, trojans, viruses, etc.
*
is it really that effective?
fizzomar
post Feb 20 2017, 10:27 AM

New Member
*
Group: Junior Member
Posts: 47

Joined: Dec 2016
QUOTE(raifalove @ Oct 23 2016, 02:24 PM)
If you don't have the budget to buy antivirus software, you may try Microsoft Security Essentials by downloading it from the Microsoft Download Center.
Windows 7 & 10 have this software and it works great for me so far.
*
Totally agree with you.
hooiteoh
post Mar 2 2017, 11:57 AM

New Member
*
Group: Junior Member
Posts: 16

Joined: Jul 2014
Hi guys, on my computer some programs open fast, like Google Chrome and Firefox, but some programs show up under Task Manager processes yet won't show in Windows or in the Task Manager applications bar, and some programs take 20 min to appear in Windows, and my command prompt can't open either. I scanned my computer with Malwarebytes and Kaspersky Antivirus and already cleaned out the virus. Any idea how to solve this?
jamarasan
post Mar 12 2017, 04:42 AM

New Member
*
Group: Newbie
Posts: 1

Joined: Jan 2017
QUOTE(AsenDURE @ Jun 18 2007, 04:11 PM)
Virus Removal Steps

Keep the infection local.
Disconnect from the network/internet. I mean physically pull out your RJ45/RJ11 plug. This stops the virus from propagating throughout your network or over the internet (worms/viruses), stops your data from leaving (calling home) your compromised system (trojans) through backdoors and stops your machine from participating in a zombie mob DoS attack.

Perform a Virus Scan.
This is the first attempt to determine if your system is truly infected. Do a deep scan of every single file and folder on the system. This may take several hours but it is necessary. Make sure your virus definitions (database) are updated. Many of them can update the database locally via an update file you can grab off the official website.

Grab the prescribed removal tool. Once you've identified the virus infecting your system, you can now better deal with the particular infection by administering the proper "vaccine". You can go to any of the known antivirus companies' websites and grab a removal tool. This tool will delete any of the known virus-infected files and registry entries made by the virus. Take note of the virus "version" and download the corresponding tool. It will require you to do a scan and then reboot into safe mode and perform the scan again.

Removal Tools:
• AVG
http://free.grisoft.com/doc/8/lng/us/tpl/v5
• Kaspersky
http://www.kaspersky.com/removaltools
• Norton
http://www.symantec.com/enterprise/securit...emovaltools.jsp
• McAfee
http://us.mcafee.com/virusInfo/default.asp?id=vrt
• Panda
http://www.pandasoftware.com/download/utilities/

I also suggest downloading McAfee's Stinger and PC-Cilin's Virus Cleanup template (and their respective virus definition files), which are standalone/install-less virus removal engines.
• McAfee Stinger
http://vil.nai.com/vil/stinger/
• PC-Cilin VCT
http://www.trendmicro.com/download/dcs.asp

Additionally, you can scan your PC online with
• PC-Cilin Trendmicro's Housecall
http://housecall.trendmicro.com/
• Panda Antivirus Active Scan
http://www.pandasoftware.com/products/ActiveScan.htm
• Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner
• McAfee File Scan
http://us.mcafee.com/root/mfs/default.asp
• Norton Free Online Virus Scanner
http://kb.wisc.edu/helpdesk/page.php?id=2389

It is very important that you place any media you're using to transfer the removal tool or virus database update file, or when performing a scan, into read-only mode until you are certain that your system is no longer infected. If your media does not have a read-only option then don't use it. If you have no choice, once it is put in the system, assume that it is also infected and treat it accordingly. These devices can be put into read-only mode by the sliding button on your device. Read your manual. Any portable media not in read-only mode is susceptible to being infected by the virus.

Check for unusual applications and processes.
A virus is just like a regular application and needs to be running in order to work. It should also have a way to start itself up again when the system is rebooted (taking advantage of the many ways programs automatically start up in Windows). There are typically five ways that programs start up automatically in Windows and we need to look at these five ways to look for the virus.

1. The most rudimentary is the Startup folder. Any application or shortcut that is located in the Startup folder will automatically start up each time the system is booted into Windows. There are several of these folders located throughout the system, notably in each user's profile

• C:\Documents and Settings\<username>\Start Menu\Programs\Startup
  (this includes Default and All Users profiles as well)
• C:\Documents and Settings\Default User\Start Menu\Programs\Startup and;
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup

and Windows system files such as;

• c:\autoexec.bat
• c:\config.sys
• Windows\win.ini, wininit.ini, system.ini
• Windows\system\autoexec.nt, config.nt

more reading: http://www.aumha.org/a/loads.php

2. The most typical is from the Registry. Several locations in the registry control auto-startup of applications. The entries under HKEY_USERS and HKEY_CURRENT_USER run when the user logs in, while settings under HKEY_LOCAL_MACHINE run when the system starts up. Some of the registry keys that you need to look at include:

Local User
HKEY_USERS\<User UID>\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Local Machine
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

A more extensive list of launch points can be found here:
http://www.silentrunners.org/sr_launchpoints.html

3. The current favorite is as a Service. Just like running from the registry, any virus that installs itself as a service can run without user intervention upon start-up. It can also start back up when you kill it, because the service control manager has the option to restart the service upon a failure (in which case, manually killing it constitutes a failure).


4. Less common is from a Script. The GPO is an enterprise-wide feature that enables the network administrator to write a script to perform certain tasks upon start-up/shutdown on multiple computers in a network/domain using scripting languages such as VB, JS, etc. Your computer also has a local GPO and you need to launch the GPO editor console to check if there are any suspicious scripts running on your system.

Running Scripts are located in

• Local Computer Policy\Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup for programs that run when the computer is started and;

• Local Computer Policy\User Configuration\Windows Settings\Scripts (Logon/Logoff)\Logon for programs that run when the user logs in.


If you don't do any scripting and aren't on a domain, then anything in here is considered highly suspicious.

5. Possibly, but rarely, from a Scheduled Task. A scheduled task has the ability to run applications on start up and on log in of a user. They also have the ability to run a program as a different user or as the system itself. The Scheduled Tasks can be found under the Control Panel.

It is very common to see virus writers use a combination of these steps, so you need to cover all these basics.

Using Msconfig,Gpedit.msc,Services.msc
The Microsoft System Configuration Utility, or simply MSCONFIG, is a tool built into Windows that is designed to help you troubleshoot problems with your computer. You can see some of the programs that run in the background upon startup here, together with some registry entries, and it's a good place to start. To check your services you need to use Services.msc and to check scripts, as mentioned before, Gpedit.msc. All are run from Start > Run >


more information:
http://support.microsoft.com/kb/310560

For a more extensive utility I would recommend AutoRuns from Sysinternals.
http://www.microsoft.com/technet/sysintern...s/Autoruns.mspx

Turn off System Restore.
There is some debate about whether to turn off System Restore or not during an infection. The reason why we need to be concerned with System Restore is because System Restore can at certain times cache a virus which will be restored with the other Windows system state files during a system restore operation. Often you will also get the AV complaining that it is unable to clean one or more files in the System Volume Information data store. The downside is that when you purge the restore points, you will be unable to restore your system to a previous system state if anything goes wrong.

As a general rule, take extra interest in any processes that don't have a company name (with the exception of DPCs, Interrupts, System, SMSS, Services, System Idle Process and things mentioned above), verified signer (Process Explorer auto-verifies images) and version number attached to them. You can kill the process by right-clicking on it and selecting Kill. Process Explorer also allows you to search for a specific process. You should also be interested in purple-highlighted processes.

QUOTE(mark russ ppt presentation slide)
Purple highlighting indicates an image is “packed”
Packed can mean compressed or encrypted
Malware commonly uses packing (e.g. UPX) to make antivirus signature matching more difficult
Packing and encryption also hides strings from view

If you're unsure what a process is responsible for you can check it out here:
http://www.liutilities.com/products/wintas...ibrary/scvhost/
*
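As an added example, not code from the quoted post or from this forum, the script below walks the five autostart locations the post lists (Startup folders, Run keys, services, local GPO scripts, scheduled tasks) plus the running processes, and applies the post's Process Explorer rule of flagging anything without a verified signer. It only reports; it does not delete or kill anything. The helper names (Get-ImagePath, Test-Entry), the Vista-and-later Startup folder paths and the GroupPolicy script folder location are my assumptions, not values from the post, which was written for the "Documents and Settings" era.

```powershell
# Added example, not from the forum post: enumerate the five autostart locations
# described above on a modern Windows host and flag every entry whose image is
# not Authenticode-signed. Read-only: it reports and deletes or kills nothing.
# Run from an elevated PowerShell. Startup-folder paths use the Vista+ layout
# rather than the "Documents and Settings" paths given in the post (assumption).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Userinit / Shell values only
)

# Extract the executable from a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\foo\bar.exe -x
function Get-ImagePath([string]$CommandLine) {
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $img = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine -split '\s+')[0] }
    $img = $img.TrimEnd(',')                      # the Userinit value ends with a trailing comma
    if (-not [IO.Path]::IsPathRooted($img)) {     # e.g. Shell = explorer.exe: resolve via PATH
        $cmd = Get-Command $img -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Source) { $img = $cmd.Source }
    }
    return $img
}

# Build one finding per entry, carrying the Authenticode status of its image
function Test-Entry([string]$Source, [string]$Name, [string]$CommandLine) {
    $img = Get-ImagePath ([Environment]::ExpandEnvironmentVariables($CommandLine))
    $status = 'MissingFile'; $signer = ''
    if ($img -and (Test-Path -LiteralPath $img -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $img
        $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Image = $img; Signature = $status; Signer = $signer }
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. Startup folders (current user and all users); shortcuts are resolved to their target
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        $findings.Add((Test-Entry 'StartupFolder' $_.Name $target))
    }
}

# 2. Registry Run / RunOnce / Policies\Explorer\Run keys plus Winlogon Userinit and Shell
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                                   # provider metadata
        if ($key -like '*Winlogon' -and $p.Name -notin 'Userinit', 'Shell') { continue }
        $findings.Add((Test-Entry "Registry:$key" $p.Name ([string]$p.Value)))
    }
}

# 3. Services that start automatically (the post's "current favorite")
Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' | ForEach-Object {
    $findings.Add((Test-Entry 'Service' $_.Name $_.PathName))
}

# 4. Local GPO startup/logon scripts live as files under the GroupPolicy folder (assumed location)
Get-ChildItem "$env:SystemRoot\System32\GroupPolicy\*\Scripts" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object Extension -ne '.ini' |
    ForEach-Object { $findings.Add((Test-Entry 'GpoScript' $_.Name $_.FullName)) }

# 5. Enabled scheduled tasks, one finding per executable action
Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute) { $findings.Add((Test-Entry "Task:$($_.TaskPath)" $_.TaskName $a.Execute)) }
    }
}

# Running processes: the Process Explorer "no verified signer" check from the post
Get-Process | Where-Object Path | Sort-Object Path -Unique | ForEach-Object {
    $findings.Add((Test-Entry 'Process' $_.ProcessName $_.Path))
}

# Anything without a valid signature is the short list to examine by hand
$findings | Where-Object Signature -ne 'Valid' | Sort-Object Source, Name | Format-Table -AutoSize
```

A clean host still produces a few rows here (unsigned scripts, batch files, vendor tools that never carried a signature), so the output is a triage list rather than a verdict; an entry that points at a missing file, a path under a temp or user-writable directory, or a signer you cannot account for is the one to look at first. Signature checks say nothing about packing, so the post's purple-highlight rule in Process Explorer remains a separate step.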
Corsair0418
post Jun 8 2017, 11:04 PM

24K KARAT MAGIC
****
Group: Senior Member
Posts: 505

Joined: Nov 2012



Windows 10 stopped letting you download 3rd-party antivirus? My Windows 10 asked me to uninstall my Bitdefender and use their protection instead.
gadgetssai
post Jul 2 2017, 04:27 PM

New Member
*
Group: Junior Member
Posts: 7

Joined: Mar 2017
http://www.gadgetssai.com/2017/02/imovie-a...or-ipadmac.html
leejames618
post Aug 7 2017, 05:12 PM

New Member
*
Group: Newbie
Posts: 8

Joined: Jul 2017
registry editor
remove it from there.
imran
post Jan 2 2018, 12:34 PM

On my way
****
Group: Senior Member
Posts: 504

Joined: Feb 2009




Any latest software that effectively kills "viruses"?
Bobsagrath
post Jan 8 2018, 10:04 PM

New Member
*
Group: Newbie
Posts: 2

Joined: Jan 2018
From: Kunak


Already tried, not working. Maybe need a more powerful antivirus?
