Just got hit by a nasty virus!

We use AVG at work :(.

The security where I work is quite bad.

We run McAfee antivirus, but I have tried testing the antivirus and it doesn't seem to do a very good job of detecting malware. It reminds me of a lazy cat sleeping on the couch whilst the mouse runs around the house.

All user profiles are on the network and get loaded on whichever computer they log in to, but what seems to happen is that McAfee is looking at the local machine, not the network profile, so it doesn't seem to be picking up malware. Even the Firefox and Thunderbird profiles are on the network, so McAfee doesn't seem too fussed about actively detecting malware...

I've tried pointing it out to the boss, but he doesn't seem too bothered by it. Too busy, and if a computer gets infected, we napalm it with a reinstall.
 
Indeed, once you install and set up your system, you should only be seeing UAC when running newly compiled programs, or new installations, or things that can severely affect your system. Things like Malwarebytes, things like Afterburner, things like trojans and viruses...
So unless you are writing and compiling fresh programs all the time, it shouldn't bother you, and if it is the case that you write new stuff all the time, then maybe your work machine should be networked but not the one you browse on.

I've read a couple technical articles that claimed UAC has to be set to its highest (strictest) setting to be effective. So the first thing I do after installing/imaging is to turn UAC up to max. You get prompted for everything that needs admin privs (like Vista did).

It's still no hardship at all.
 
Yep, but they really need to fix these tools. There's no good reason for them to need elevating every single time.

The tools are requesting access to information that is stored in a sensitive part of the operating system. It isn't the tools' fault.
 
See this at work all the time. These viruses are coming from bad banner ads on legitimate websites - they invoke Java, then run code which takes advantage of Java exploits (even in the latest version) and installs malware on machines.

Been using AVG myself for years, AVG is fine for viruses but these are more malware/spyware which AVG is poor at. I use Malwarebytes after running AVG to deal with this.

The platinum security and metropolitan police malware can be bypassed by booting from safe mode with command prompt, running 'rstrui.exe' (without quotes) and system restoring to before the virus was installed.

Once restored, boot into normal mode and uninstall Java. You might want to delete the 'Image File Execution Options' registry folder - use regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\, right click on 'Image File Execution Options' and delete it. This key is usually used for debugging and is the culprit that blocks regedit and Task Manager and blocks executables from running - it also starts the malware based on which executable is loaded - say explorer.exe etc.

Run ComboFix, then run a scan with your antivirus and antispyware (Malwarebytes or similar) and you'll be clean.
 
On a side note, if you can't run regedit the key can be deleted from an elevated CMD prompt by entering:

Reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

(for some reason the forum is putting a space after the w in Windows NT - you need it without the space)
 
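The two posts above describe the same mechanism: a Debugger value under an Image File Execution Options subkey makes Windows launch the named "debugger" instead of the target executable, which is how the malware blocks regedit and Task Manager and relaunches itself. Before deleting the whole key, it helps to see exactly which entries are there. The following PowerShell script is an added example and is not from any poster in this thread; it is read-only, lists every IFEO subkey that carries a Debugger value, and flags those whose debugger is not on a small allow-list. The allow-list contents are an assumption and should be tuned for your own machines.

```powershell
# Added example (not from the thread): audit Image File Execution Options for
# 'Debugger' redirections. Read-only: it reports entries, it does not delete them.
# Run from an elevated PowerShell prompt so every subkey is readable.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Debuggers that are commonly registered on purpose. Assumption: adjust for your estate.
$knownGood = @('vsjitdebugger.exe', 'windbg.exe', 'drwtsn32.exe', 'procdump.exe')

function Get-IfeoDebuggerEntries {
    if (-not (Test-Path -Path $ifeo)) { return @() }

    Get-ChildItem -Path $ifeo | ForEach-Object {
        # Each subkey is named after the executable being intercepted (e.g. taskmgr.exe).
        $props = Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue
        if ($props -and $props.Debugger) {
            # Strip quotes and arguments, keep just the file name of the configured debugger.
            $dbgExe = [System.IO.Path]::GetFileName((($props.Debugger -replace '"', '') -split '\s+')[0])
            [pscustomobject]@{
                Target     = $_.PSChildName
                Debugger   = $props.Debugger
                Suspicious = ($knownGood -notcontains $dbgExe.ToLower())
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntries)
if ($entries.Count -eq 0) {
    Write-Host "No Debugger values found under IFEO."
} else {
    $entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
    $hijacked = @($entries | Where-Object { $_.Suspicious })
    if ($hijacked.Count -gt 0) {
        Write-Warning ("{0} IFEO entries point at an unrecognised debugger; inspect them before removing anything." -f $hijacked.Count)
    }
}
```

On a clean machine the script normally prints nothing suspicious; an entry such as Target regedit.exe with a Debugger pointing into a user profile or temp directory is the pattern the posts above describe and is worth investigating before the rstrui.exe restore or the reg delete.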
Microsoft security essentials?

This is what I use on my home computer. I've never had a virus on my home computer, but it has blocked many, many attempts. I usually advise people at home to just use this as it's free and it's actually damn good.

I'm using this and my system has just got owned by running a Java add-on in Chrome. It full-screens a message that says pay up to decrypt your machine. Can't minimise or run Task Manager; it even appears in safe mode. I'm currently logged into another OS as it's dual boot. This seems slightly compromised too, as Google searches using "virus" are greyed out. I'm currently running MSE in Server 2008 to try and remove it :-/

I believe there's already a thread somewhere for this virus.

MW
 