Showing posts with label virus. Show all posts
Thursday, May 31, 2012
Are you shure virus
Extremely sad to see the signs of a redirect virus on gse12. Had a redirect from boingboing, when I cancelled it, got a popup that said "Do you want to leave this page -- Message from webpage -- are you shure". Getting a few google hits on it. This Malwarebytes page has a guy with a severe case being told unsuccessfully to try to use TDSSKiller, he eventually does a reinstall:
http://forums.malwarebytes.org/index.php?showtopic=105033
Tuesday, February 7, 2012
Windows detected a hard disk problem
This morning, Lisa's laptop was thoroughly hosed. After the initial alarm wore off, it was clear that this was just another fake "error fixer" virus like Windows 7 Security 2012. Here are some of the plethora of error messages from this virus:
Windows detected a hard disk problem
Windows - Delayed write failed to save all the components for the file \\System32\\0005382. The file is corrupted or unreadable. This error may be caused by a PC hardware problem
System Error - Critical Error. hard drive critial error. Start a system diagnostics application to scan
Critical error Windows OS can't detect a free hard drive space. Hard drive error (This one is my favorite)
Clicking the Windows Detected a hard disk problem balloon gets:
System Check - with 4 categories including My computer Relate Problems. HDD related Problems. It "scans" and produces a results window with nearly laughable over-the-top error messages.
Another clue: Task manager is suppressed when summoned using Ctrl-Alt-Del.
Anyhow, this here is definitely the one. Looks nasty:
http://www.bleepingcomputer.com/virus-removal/remove-system-check
The cleaning procedure involves MalwareBytes tools and looks pretty similar to the removal instructions for the Windows 7 Security 2012 virus.
Google redirect virus TDSS
After a few funny redirects, I began to suspect that Lisa's laptop had another virus, and sadly found it to be true. Not only is this a virus, but it's an extremely dangerous rootkit and proving difficult to remove.
First, I keyed in some searches to the sites that I was being redirected to. Many of the results identified the virus as TDSS and revealed that it's more than just your average virus. Many victims complained that their virus detection and removal software was not working on it. I got the following two links:
This one seems a little too simple to be correct, it just says to turn off JavaScript and then run TDSSKiller. Later it suggests hints to thwart DNS redirections:
http://www.computing.net/howtos/show/how-to-remove-the-google-redirect-virus/415.html
This link is also untrustably simple sounding, claiming that TDSSserve.sys will be hiding in the device manager and you can just disable it? Then just install your favorite antivirus tools and declare victory? Apparently there's something called "Google-Redirect-Virus-Remover" by name? MalwareBytes and SuperAntiSpyware were both familiar names recommended. Then it also goes into hints for thwarting redirection, particularly in checking for proxy server settings. The final hint, however, looks useful: an also-familiar package called "UnHackMe" which apparently detects rootkits.
http://www.ehow.com/how_5842581_remove-google-redirect-virus.html
After refining my searches better, I began to get more serious postings on the topic.
The following link is to 6 pages of directions with screenshots of each step, most of which concern checking for DNS redirection, false host tables, proxy servers, etc. Then it recommends TDSSKiller.exe. Then it recommends resetting the router, which I can believe although it would make me sad to have to figure out how to re-setup my network afterwards. After the post though are 32 pages of comments full of other hints and tips which I've only skimmed through so far. After reading this, I did everything up to TDSSKiller.exe. The name of the identified virus came back as Win32.ZAccess.k. After running, I rebooted, ran TDSSKiller again, and it found it again, probably indicating that it's refreshing itself through the registry or Master Boot Record.
http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html
I also kept getting results back for the "atechjourney" blog's posts about this, which seemed knowledgeable but was vague and seemed to be hawking "optimizer" tools. The same vague hints were reiterated in other posts which also seemed like a bad sign. Lastly, it recommends a paid online removal service, also a bad sign but which has also been echoed by other blogs:
http://atechjourney.com/google-redirect-virus-remove-manually.html/
Hints in this forum about what to do if TDSSKiller is not working include renaming TDSSKiller (doesn't seem to be something I need), running Hitman and/or ComboFix (both highly recommended on other forums too), and running TDL-4 from BitDefender:
http://answers.yahoo.com/question/index?qid=20110726110537AADZ9zp
Holy cow, here's a video by a guy who did it. I know that getting rid of this thing would make anybody want to put in the extra hours to help others do it too. The comments are the usual mix of thanks and unsatiated frustration. I expect that I would find several dozen videos on this topic on YouTube:
http://www.youtube.com/watch?v=N4zs42gO_fs
Update: I removed the most recent "scareware" but the rootkit seems to still remain. VERY interesting links from searching on the rootkit's name:
First off, this forum, where a user gets superlative service and is talked through a bunch of fancy ComboFix moves with log after log posted, and the "Kiss ZeroAccess Goodbye" tool is mentioned:
http://www.bleepingcomputer.com/forums/topic413198.html
Here's the link to KISS. It also mentions having to fix ACLs (Access Control Lists) which I guess I'm going to have to learn what those are:
http://blog.webroot.com/2011/08/03/new-tool-released-kiss-or-kick-zeroaccess-goodbye/
The comment section at the bottom of the release announcement led to another page where the authors of the Anti-ZeroAccess tool revealed how much work they've put into decompiling and understanding how the malware works.
http://blog.webroot.com/2011/07/19/zeroaccess-gets-another-update/
and
http://blog.webroot.com/2011/08/08/tdl3-and-zeroaccess-more-of-the-same/
Anyhow, about to try this Webroot tool, since ComboFix continues to be too scary looking to try.
Ok, it found it in netbt.sys, which I recall seeing mentioned somewhere else regarding this rootkit. Rebooting now.
Still there. Now it's in cdrom.sys. I think that I followed this one around this path before.
Here's an AMAZING link from a guy who has to fix this all the time. This is clearly a lot of work and I'm going to have to try this later. Definitely dreading the moment this leads to loss of network access which seems to be the hell that many users end up encased in when they scrub this bug out:
http://remove-malware.com/malware/rootkits/rootkit-zero-access-max-notes/
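The removal guides linked in this post keep coming back to the same three redirection vectors: a tampered hosts file, injected proxy settings, and DNS servers that are not the router's. The script below is an added example, not code from this blog or from any of the tools it links, that reads those three settings on a Windows machine and flags anything that departs from the defaults, and also checks the Task Manager policy that the System Check post notices as "suppressed" (that policy value is one common mechanism; the post itself does not name it). It changes nothing; it only reports. The expected DNS address is an assumption for the example and must be set to your own router.

```powershell
# Added read-only triage script (not from the blog post or any linked tool).
# Reports the redirection vectors the removal guides mention: hosts file entries,
# WinINET proxy settings, DNS servers per adapter, and the DisableTaskMgr policy.
# Run from an elevated PowerShell prompt on the suspect machine.

# Assumption for this example: the home router hands out itself as the only DNS server.
$ExpectedDns = @('192.168.1.1')

# 1. hosts file: any line that is not a comment or the stock localhost mapping is suspect.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$suspectHosts = Get-Content $hostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
if ($suspectHosts) {
    Write-Warning "Non-default hosts entries found:"
    $suspectHosts | ForEach-Object { "  $_" }
} else {
    "hosts file: only default entries"
}

# 2. WinINET proxy settings for the current user (used by IE and most Windows programs).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty $inetKey
if ($inet.ProxyEnable -eq 1) { Write-Warning "Proxy enabled: $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { Write-Warning "Proxy auto-config script set: $($inet.AutoConfigURL)" }
if ($inet.ProxyEnable -ne 1 -and -not $inet.AutoConfigURL) { "proxy: none configured" }

# 3. DNS servers on every IP-enabled adapter, compared with what the router should hand out.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $servers = $_.DNSServerSearchOrder
    if ($servers) {
        foreach ($s in $servers) {
            if ($ExpectedDns -notcontains $s) {
                Write-Warning "$($_.Description): unexpected DNS server $s"
            }
        }
        "$($_.Description): DNS = $($servers -join ', ')"
    } else {
        "$($_.Description): no DNS servers configured"
    }
}

# 4. Task Manager policy. DisableTaskMgr = 1 here blocks Task Manager for this user.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty $polKey -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) {
    Write-Warning "DisableTaskMgr policy is set: Task Manager is blocked for this user"
} else {
    "Task Manager policy: not restricted"
}
```

Because the script only reads, it is safe to run before and after each cleaning pass; comparing the two reports shows whether a reboot brought a tampered setting back, which is the same "it found it again" test the post applies to TDSSKiller.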
Tuesday, December 13, 2011
Win7 Home Security 2012 Firewall Alert Unregistered Version System Hijack Action Center
This appears to be a very well known trojan; I'm not sure how it got through on Lisa's laptop. Here are the links for how to remove it:
First off, the Microsoft pages for it reveal that there are Vista, XP, and Windows 7 "versions" out there. Humorously, they refer inquiries to the "bleepingcomputer.com" page on the virus:
http://answers.microsoft.com/en-us/windows/forum/windows_vista-security/how-do-i-remove-vista-home-security-2012-virus/1e3ea9ab-8b1b-486f-b840-1d1fd4988322
http://answers.microsoft.com/en-us/windows/forum/windows_7-security/getting-messages-about-win-7-home-security-2012/3d161885-299f-4231-837d-93fffeab8215
On bleepingcomputer.com, the description of the problem is very thorough with detailed removal steps and matches what is on Lisa's laptop:
http://www.bleepingcomputer.com/virus-removal/remove-win-7-home-security-2012
http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012
The steps seem to be: 1) Use FixNCR to re-enable the ability to run executables, 2) Use RKill to disable the trojan, and 3) Use Malware Bytes to clean it from the system.
Here is where to get RKill, which is apparently made by bleepingcomputer?
http://www.bleepingcomputer.com/download/anti-virus/rkill
Here is info on what RKill does:
http://www.bleepingcomputer.com/forums/topic308364.html
Here is the source for Malware Bytes, which is apparently also a bleepingcomputer creation:
http://www.bleepingcomputer.com/download/anti-virus/malwarebytes-anti-malware
Here is the UG for Malware Bytes:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-malware-tutorial
Friday, February 20, 2009
Useful Windows Shortcut Key combinations
The following Windows Shortcut Key combinations are particularly useful for continuing to use a system that has begun to crash, or has had certain functions disabled by a virus, or just doesn't have the taskbar set up nicely:
Windows-D: Iconify all windows Pretty Darn Quick, in other words get the desktop
Alt-Tab: Shift between running (or dying) applications
Ctrl-Esc: Gets the start menu. For instance if the mouse is dead, you can get this and navigate using the keyboard and arrow keys.
Ctrl-Shift-Esc: Gets the task monitor even if it's not possible to get it by other means
Monday, February 2, 2009
Not enough quota available to process this command
Presently unresolved thread for tracking a recurring error on one of the work XPS's.
The error is is not accessible. Not enough quota is available to process this command.
Once this is received, the only thing that can be done is close all programs and reboot the machine.
It is somewhat interesting that this is an XPS that has more memory than the others.
The hardware and software configuration is otherwise identical to the others, and no dissimilar programs are being run (Labview, Word, PDF Reader).
The interwub doesn't have a consensus to the problem, but the disparate postings and answers may all point to a common solution if I could just figure it out.
Nobody has fingered this as a virus issue.
First off is M$'s patronizing KB article:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/1495.mspx?mfr=true
Also here:
http://msdn.microsoft.com/en-us/library/ms820778.aspx
This thread:
http://74.125.95.132/search?q=cache:tBeocXxTxcEJ:forums.ni.com/ni/board/message%3Fboard.id%3D170%26thread.id%3D258595+Not+enough+quota+is+available+to+process+this+command&hl=en&ct=clnk&cd=7&gl=us
points to two interesting process monitoring options aside from good old Taskmon, including this one which seems well loved but looks useless:
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
These guys trying to troubleshoot their software:
http://forum.sysinternals.com/forum_posts.asp?TID=4975
Have traced it to Access Control List problems? See these two:
http://groups.google.de/group/microsoft.public.win32.programmer.kernel/browse_thread/thread/a024fb3948d5943d/ba4e698efab83ada?lnk=st&q=%22Not+enough+quota+is+available+to+process+this+command%22&rnum=9&hl=de#ba4e698efab83ada
http://support.microsoft.com/kb/185292/en-us
These guys are trying to do simple file copies in Vista and having the problem, and traced it to something to do with offline file sync?
http://social.technet.microsoft.com/Forums/en-US/itprovistaapps/thread/c6c79225-dd97-41ce-aeb2-b3f46f235872/
Perhaps most promising for my configuration, this guy blamed it on Dell Control Utility:
http://discussions.virtualdr.com/archive/index.php/t-129176.html