Slayer, Whooz get in here; You done did it
Topic Started: Monday Dec 6 2010, 01:47 PM (527 Views)
-SG-
For the Lulz
So the shop techs where I work are saying that they get about 2-3 Windows 7 PCs in a week that will not POST. They say that the cause is always a bad stick of RAM, and it always appears to be DDR3. Have you guys seen any of this, on a similar scale?

Also, last Friday I had several PCs from several different clients that all got infected at the same time with this rootkit that infects the MBR, causing svchost (a legitimate svchost, not some bogus %appdata% crap) to utilize 50% CPU and also establish an assload of TCP connections. You guys see any of that yet?
Oscar Gamble
 
"They don't think it be like it is, but it do"
 
whoozwah
Is it live, or is it Dave-orex?
I have not seen either of those. I rarely see machines with DDR3 except new PCs and I've yet to see one fail to POST.

And the only really common infection I see at any given time is Thinkpoint which hides itself in appdata/roaming
Realtime Last.fm feed. I have everything scrobbling to it.

It is possible to not understand without being confused.
It is possible to be inaccessible without hiding.
It is possible to be aware without being awake.
 
-SG-
For the Lulz
Yeah that Thinkpoint bs is everywhere. My Dad caught it, and much to my disbelief he friggin bought it. Now he has a shiny new credit card because of it.
 
whoozwah
Is it live, or is it Dave-orex?
wow. way to go.
 
Jandurin
Monstrous Member
how does a fake antivirus program = new credit card?
Photobucket? More like fotophuckit
 
Jandurin
Monstrous Member
oh. ohhhh
 
whoozwah
Is it live, or is it Dave-orex?
he had to cancel his current card and get a new one because the charge on the old one was a scam
 
Jandurin
Monstrous Member
yeah, i figured it out right after i hit submit
 
-SG-
For the Lulz
Just for you, Whooz!!!!11
 
whoozwah
Is it live, or is it Dave-orex?
you're a real funny guy Shaun.
 
-SG-
For the Lulz
Oh come on... thought you would get an eloel out of it... :(
Edited by -SG-, Monday Dec 6 2010, 02:54 PM.
 
whoozwah
Is it live, or is it Dave-orex?
o rly?
 
-SG-
For the Lulz
ya rly
 
whoozwah
Is it live, or is it Dave-orex?
I'm so glad he doesn't work in Montgomery anymore.
 
Necrotrophic
change molds name back in 2011
the biggest pain in the ass about those smitfraud programs is that you usually have to remove them manually.
 
-SG-
For the Lulz
@Whooz yeah, but he had some great one-liners: "Shut your ass buddy"

It's getting to the point where most infections have to be removed manually, since they hide themselves from both Windows and AV apps.
 
Slayer706
The best of the best of The Board.
Quoting SgSpecial180, Monday Dec 6 2010, 01:47 PM:
So the shop techs where I work are saying that they get about 2-3 Windows 7 PCs in a week that will not POST. They say that the cause is always a bad stick of RAM, and it always appears to be DDR3. Have you guys seen any of this, on a similar scale?

Also, last Friday I had several PCs from several different clients that all got infected at the same time with this rootkit that infects the MBR, causing svchost (a legitimate svchost, not some bogus %appdata% crap) to utilize 50% CPU and also establish an assload of TCP connections. You guys see any of that yet?
I haven't seen the DDR3 thing, but we don't see many computers with DDR3 so that might be why.

The rootkit MBR thing we are seeing a ton of though. The ones we have seen so far just do one or more of the following:
*Cause the computer to boot to a black screen.
*Reinfect the computer after a fresh install or image.
*Prevent anti-virus websites and the Microsoft update page from loading.

It's now standard that we run fixmbr from the recovery console on every infected computer we service.
 
-SG-
For the Lulz
I've been using this to fix the infected PCs: http://www2.gmer.net/mbr/mbr.exe

Run the .exe; when it's done it creates a log file. Open the log, and if the MBR is infected it will tell you to run the .exe again with -f. Saves time because you don't have to boot to the recovery console.
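The two posts above (running fixmbr on every infected box, and reading the mbr.exe log to see whether the MBR is infected) both come down to one question: does the boot sector still look like the one the OEM put there? As an added example, not code from this thread, from gmer's mbr.exe or from Microsoft's fixmbr, here is a defender-side check a shop could script: parse a raw 512-byte MBR image, verify the 0x55AA boot signature and partition table, and compare the hash of the bootstrap code against a baseline taken from a known-clean machine with the same loader. The MBR bytes below are constructed inline, not captured from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into bootstrap hash, disk signature and partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
            "disk_signature": mbr[440:444].hex(),
            "partitions": partitions,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}

def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return findings

def build_mbr(bootstrap: bytes, partitions) -> bytes:
    """Assemble a constructed MBR image for testing; not captured from a real disk."""
    code = bootstrap.ljust(440, b"\x00")[:440]
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if boot else 0, ptype, start, size)
                     for boot, ptype, start, size in partitions).ljust(64, b"\x00")
    return code + b"\xde\xad\xbe\xef" + b"\x00\x00" + table + BOOT_SIGNATURE

# Constructed samples: a "clean" image whose bootstrap hash becomes the baseline,
# and a tampered copy whose bootstrap bytes were changed (stand-in for an infection).
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(True, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + bytes(438), [(True, 0x07, 2048, 204800)])
```

On a real Windows machine you would read the first 512 bytes of \\.\PhysicalDrive0 (administrator rights required) and pass them to check_mbr; a changed bootstrap hash is the cue to rebuild the MBR as the posts describe.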
 
Slayer706
The best of the best of The Board.
Nice, I will definitely check that out.
 
Slayer706
The best of the best of The Board.
What exactly does the -f part do? Does it actually rebuild the MBR or just try to clean it?