Guru3D.com Forums

(#26) Animatrix
02-07-2006, 01:50 | posts: 6,843 | Location: Denmark

I added an "Uninstall issues" section to part 2.
   
(#27) Animatrix
02-08-2006, 01:49 | posts: 6,843 | Location: Denmark

I have added a bunch of links to the "Virus and Spyware Help:" part.
   
(#28) bakuryu
02-08-2006, 08:18 | posts: 3,270 | Location: India

I went through that browser security check. Firefox found 1 medium vulnerability, whereas there were 0 in IE 7... however IE7 acted up strangely: it automatically opened many tabs, I couldn't close some of them, it automatically opened WMP and generated an error "cannot play file"...

Btw... I noticed that in IE7 you cannot close all tabs; a minimum of 1 must be open. Whereas in Firefox, if you close the last tab opened, it automatically opens a new blank tab.
   
(#29) Animatrix
02-09-2006, 08:12 | posts: 6,843 | Location: Denmark

Mmm, that's funny, I passed with a Trunk build yesterday. Which one failed exactly?


The tab behavior can be changed in FF so that a tab is either always visible or not, using "Hide the tab bar when only one web site is open".

In any case, IE and FF tab code is not the same at all (or any other tabbed browser's).
Quote:
http://blogs.msdn.com/ie/archive/2005/05/26/422103.aspx
Implementing Tabs

We considered a variety of approaches and built a couple prototypes, and the solution we settled on was to essentially push a large part of what you see in IE6 into a tab. We built a new frame to host the browsers and wrote a bunch of internal plumbing to manage them and cache state. This is a bit of a simplification; the address bar and so on won’t be part of the tab of course, but 3rd party toolbars and Browser Helper Objects (BHOs) are because they are tied to a single browser and sometimes make deep assumptions about how they are hosted.
   
(#30) bakuryu
02-09-2006, 08:25 | posts: 3,270 | Location: India

Quote:
Medium Risk Vulnerabilities
Mozilla XMLSerializer Same Origin Policy Violation Vulnerability (bid5766)
Description

This bug can allow a malicious web site to access your data on other web sites. For example it can be used to read your mail from a web mail system.

Mozilla is an open source browser. From Netscape 6 onwards, Mozilla's source code has been used to create the Netscape browser. As a result, Netscape suffers from many of the same vulnerabilities as Mozilla.

Other browsers, such as Galeon, Phoenix, Camino (Chimera) also use Mozilla's source code and can be vulnerable too.
Technical Details

XMLSerializer object can be created by JavaScript code and used to serialize XML (or HTML) documents. serializeToStream method does not enforce same origin policy.

It is possible to open a document in a different domain and then use serializeToStream method to get the contents of the document.
Recommendations

* Netscape users need to upgrade to Netscape 7.01 or later to fix this vulnerability.
* Mozilla users need to upgrade to version 1.0.2 or later
* Galeon users - upgrade your Mozilla installation to version 1.0.2 or later and upgrade to Galeon version that supports it (1.2.6 or later)
* Phoenix users - upgrade to Phoenix 0.5 or later
* Camino (Chimera) users - upgrade to version 0.7
The recommendations seemed funny!! I already have a higher version than the one specified.
   
(#31) Animatrix
02-09-2006, 09:33 | posts: 6,843 | Location: Denmark

I have no idea how you can be vulnerable to that.

http://www.securityfocus.com/bid/5766
http://www.securityfocus.com/bid/5766/solution
http://securityresponse.symantec.com...04.07.27c.html

Try just that one test again.
http://bcheck.scanit.be/bcheck/choosetests.php
   
(#32) bakuryu
02-09-2006, 10:32 | posts: 3,270 | Location: India

All tests are OK in the branch : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060202 Firefox/1.5.0.1

But I still get that in the trunk (even with a new profile), and running only that test: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060208 Firefox/1.6a1

Now that's really strange, as you say your trunk passed all those tests,
and securityfocus doesn't like to open on my computer I think. It is taking a lot of time...

Edit: Ok, at last it opened. But I don't find it very helpful. And it looks like a very OLD bug. I don't see how I am getting vulnerable to it.

Last edited by bakuryu; 02-09-2006 at 10:35.
   
(#33) Animatrix
02-09-2006, 11:20 | posts: 6,843 | Location: Denmark

Whoops, I'm not running the Trunk... LOL, I'm using the tete009 build, that's a Branch build (it's using the trunk's artwork, that's why I missed it).

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060202 Firefox/1.5.0.1 (tete009 SSE)

Let me try in a Trunk and come back to you on it.
   
(#34) Animatrix
02-09-2006, 11:26 | posts: 6,843 | Location: Denmark

Nope, it checks out fine.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060208 Firefox/1.6a1

I don't get it bak, you should not be vulnerable. I'll have a look into this matter and see what I can find.
   
(#35) Animatrix
02-09-2006, 11:51 | posts: 6,843 | Location: Denmark

I can figure this out man, all I can see is this bug was fixed in 2002????. Ok, I'm not done with this, cause this can't be right. I'll think about it some more.

XMLSerializer needs same-origin check (Fixed)
https://bugzilla.mozilla.org/show_bug.cgi?id=147754

XMLSerializer.serializeToStream needs same origin check (Fixed)
https://bugzilla.mozilla.org/show_bug.cgi?id=169982

bugzilla query (just remember open security bugs have access denied to the public)
https://bugzilla.mozilla.org/buglist...+Vulnerability


Vulnerability reports
http://xforce.iss.net/xforce/xfdb/10547
http://www.remoteassessment.com/arch...omain.4645.txt
Quote:
http://bcheck.scanit.be/bcheck/alltests.php
Mozilla XMLSerializer Same Origin Policy Violation Vulnerability

This bug can allow a malicious web site to access your data on other web sites. For example it can be used to read your mail from a web mail system.
XMLSerializer
http://xulplanet.com/references/objr...erializer.html

Parsing and serializing XML
http://kb.mozillazine.org/Parsing_and_serializing_XML

---
EDIT: bakuryu, can you try running the Trunk on another PC and do the test?

Last edited by Animatrix; 02-09-2006 at 12:30.
   
(#36) bakuryu
02-10-2006, 14:00 | posts: 3,270 | Location: India

Quote:
EDIT: bakuryu can you try running the Trunk on another PC and do the test ?
That's a problem, since I cannot persuade any of my friends to download 6MB (and that too trunk... unofficial) on a 56K line (almost all connections here are) just for that single test.
   
(#37) darknight909
02-12-2006, 07:52 | posts: 4,852 | Location: San Diego, CA

Nice to see my Windows 64-bit thread made it into your FAQ.
   
(#38) Animatrix
02-16-2006, 23:25 | posts: 6,843 | Location: Denmark

Sure, no problem darknight909. If you have other good 64-bit resources/links you would like to see linked, just let me know and I'll add them.


On another note, I fixed the quick links to each part, they were messed up (apparently no one uses them). In any case, if anyone finds any dead, missing or wrong links please do let me know about it.
   
(#39) bakuryu
02-17-2006, 15:46 | posts: 3,270 | Location: India

lol... actually there are so many links in this thread that you will find it very difficult to find a dead link, unless you accidentally click on it.
   
(#40) StatykiVi
06-06-2007, 16:10 | posts: 208 | Location: East Coast

I still refer to Linux as a flat out operating system to my mother, not a kernel. She isn't very computer literate.
   
(#41) Mannerheim
04-12-2008, 14:25 | posts: 4,747 | Location: Finland

Can I shut down virtual memory with 6144MB DDR2??? Without any probs with Vista 64-bit?


   
(#42) Animatrix
04-12-2008, 19:20 | posts: 6,843 | Location: Denmark

It is not possible to turn off virtual memory. But I assume you mean the page file, not virtual memory (it's not the same). Yes, you can turn off the page file; no, it is not a good idea and I would not suggest doing so no matter how much RAM you have installed. Some software will look for a page file and will not run without one.
   
(#43) Animatrix
11-03-2008, 17:13 | posts: 6,843 | Location: Denmark

Please save or print for offline usage.



***Malware Cleaning; short version***



1. Download and install the following tools

CCleaner
HijackThis
SUPERAntiSpyware
Malwarebytes Anti-Malware
Dr.Web CureIt!

Note: Please update all the scanners now but do not start any scan yet.

If you're experiencing issues installing any of the scanners, try renaming the installer. Just give it some random name.


2. Unplug the system from the network

Unplug the network cable to the PC and do not reconnect to the network until the last step.



3. Clean junk files

Run CCleaner, press the Options button then the Advanced button, untick the option "Only delete files in Windows Temp folders older than 48 hours", go back to the Cleaner page and press the Run Cleaner button.



4. Scan for malware

A.) Perform a quick scan with all the scanners, let them clean what they find.

B.) Start your computer in Safe mode. Now perform a full scan on the system partition (usually C:) with each anti-malware scanner. In safe mode that is. Not all scanners can scan in safe mode, but most can.



5. Post a HijackThis log

Rename HijackThis to some random name (blabla.exe) and post the HijackThis log to the software section. Copy and paste the log into your post.

How to generate a HijackThis log file





***Malware Cleaning; long version***


1. Clean the HOSTS file, reset IE security settings and firewall


Even if you're not experiencing any connection issues, it is advisable to make sure the hosts file, browser-related settings such as the Internet Explorer Zones, and the Windows firewall are all reset.


2. Download and install the following tools


If you're experiencing issues installing any of the scanners, try renaming the installer. Just give it some random name.


3. Unplug the system from the network

  • Unplug the network cable to the PC and do not reconnect to the network until the last step.


4. Clean junk files
  • Run ATF-Cleaner, check on Select all, press Empty selected button.

  • Run CCleaner, press the Options button then the Advanced button, untick the option "Only delete files in Windows Temp folders older than 48 hours", go back to the Cleaner page and press the Run Cleaner button.


5. Scan for malware


Level 1 / 2 scans are mandatory, they must be performed.

  • Level 1 scan

    Perform a quick or full scan with all the scanners.
  • Level 3 scan

    You can also scan the system without booting it, there are mainly two ways of doing it.

  • Use a boot CD with anti-malware tools and scan the hard disk.

    Caution: Word of warning on cleaning with boot CDs

  • Or connect the hard disk to another system as a data hard disk and scan it.

    As one potentially can spread the malware, caution is advised. Leave the drive alone, just scan it, don't start poking around. If it is a removable drive, before you remove it and plug it into the other system look in the root of the drive for an Autorun.inf file (info on autorun); if you find one either make sure it's not malware related or just rename it to Autorun.inf.back. You can also disable Autorun first on the second system before plugging in the drive.



6. Run online scans

  • Connect the system back to the network and do at least one online scan.
Bitdefender Online Scanner
http://www.bitdefender.com/scan8/ie.html
http://kb.bitdefender.com/KB424-en--...-on-Vista.html

ESET Online Scanner
http://www.eset.com/onlinescan/

Trendmicro Online Scanner
http://housecall.trendmicro.com/housecall/
http://prerelease.trendmicro-europe.com/hc66/launch/



7. Scan with HijackThis and Autoruns

  • Rename HijackThis to some random name (blabla.exe), scan and save the log.

    How to generate a HijackThis log file

  • Run Autoruns > press Esc to stop the scan > under Options check "Verify code signatures" and "Hide Microsoft Entries" > press F5 and let it scan. Please be patient, the "Verify code signatures" option needs to connect to the internet for the verification > after it's done go to File then Save, this will save the log in the ".arn" format; upload the file here. If you use File > Export it will be saved as a .txt file and you can post this log like HijackThis logs (i.e. copy, paste). But only if it's not huge, which it shouldn't be as long as you made the changes to the options (i.e. "Verify code signatures" and "Hide Microsoft Entries").


8. Post your HijackThis and Autoruns logs

Make a thread in the software section and post the logs. Please do NOT post any logs made from before you did the cleaning steps just outlined. When you post the logs, post any other information found during scans.





***After cleaning***


1. Clear old restore points

Restore points have to be wiped in order to make sure no malware is in the restore points. Please disable and then re-enable System Restore.


XP Instructions
Vista Instructions


2. Check for updates to Windows

Microsoft Windows Update


3. Check for updates to software

Secunia Software Inspector


4. Run a system file check

SFC /scannow


5. Run a defrag on the system

While you're waiting for the defrag to finish please read How did I get infected in the first place







***Manual malware detection and removal***


First a word of warning. Wise men say, once a system has been compromised it can never be trusted. And yes it is true, the only way to be sure the system is clean is to wipe it completely and reinstall the operating system from a known good clean source. On the other hand I do firmly believe that most systems can be cleaned and that what can be done can be undone. There is nothing magical or mysterious about operating systems or malware, they work by principles well understood, keep that in mind. It is in the end a judgment call and making the right choice should be based on more than just your belief in your cleaning abilities. On systems of critical importance or used for sensitive information it would be unwise to gamble. On the other side you have the systems that simply are not worth wasting time cleaning. Somewhere in the middle of all this is where we will be focusing.

Just don't say I didn't warn you. Knowledge is power, but with power comes responsibility.


1. Know thy system

The better you know the system the easier it will be to spot an offender. Knowing about operating system specific components, the correct names and locations of system files and so on is necessary. You can and will learn as you go along; it's a technical subject and some reading will likely be required.


2. Investigating the system

Make sure you have enabled viewing of hidden files and folders.

Always start by scanning and cleaning systems using anti-malware scanners first, let the scanners do as much of the legwork as possible. Why waste time figuring out how to clean something when others have done it for you.

Next is a list of tools that can be used for finding, tracking and dealing with malware. They all have one thing in common: for the most part they do not distinguish between good and bad, that will be your job. You have to learn how the tools work and understand the information they give. Otherwise they will be close to worthless, or simply dangerous in the wrong hands. I suggest you start by viewing the video Advanced Malware Cleaning, it will give you an introduction to manual malware detection and cleaning, as well as some of the tools listed here.


Auto startup tools:

Autoruns: helps you find and get rid of auto starting objects. To quickly get to the possible problem start-ups press Esc to stop the scan > under Options check "Verify code signatures" and "Hide Microsoft Entries" > press F5 and let it scan. Please be patient, the "Verify code signatures" option needs to connect to the internet for the verification > after it's done you can save the log by going to File > Save. Autoruns also has a handy "jump to" feature which lets you jump to a particular registry key, and using the "properties" feature it can take you to the properties of a file (exe/dll) quickly.

HijackThis: can, just like Autoruns, uncover and get rid of unwanted auto starting objects. It is widely used for cleaning systems and should be in your kit.

Use databases and search engines to help identify objects.

http://www.systemlookup.com
http://www.bleepingcomputer.com/filedb/
http://gladiator-antivirus.com/forum...howtopic=24610

Read some HijackThis log tutorials to learn about the tool.

Last, use an auto log analyzer to quickly get to the obvious bad stuff. Some use a community feedback system which can help identify lesser known processes and auto starting objects.

http://www.hijackthis.de
http://www.help2go.com/component/detective
http://hjt.networktechs.com


File and process tools:

Filealyzer: is a neat tool to analyse and display file contents, resources, PE Header, Import/Export table, Hex dump, it also gives the CRC-32 and the MD5 checksum of the file and much more.

PEiD: detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

Warning, please note that when unpacking you may be warned about execution of the file, do NOT execute malware on your PC, if you have to execute it make sure you do so in a safe environment, like a VM, sandbox or a dedicated system.

Packers, Crypters, Protectors

Process Explorer: is a great tool to do investigation with. Use it to inspect processes and dlls. Process "Parent/Child" relationship, location and command line arguments, handles, strings, thread activity. You can suspend processes, kill processes including the process tree and close open handles. You can also verify signatures.

Process Monitor: is for monitoring live system activity, which can help pinpoint files and registry resources used by malware.


Network tools:

TCPView: is handy for looking at network traffic, resolving addresses and doing Whois, as well as closing connections.

Packet sniffers: are used for looking at network traffic, unlike tools like TCPView sniffers work at a much lower level.


Sectools.org: Top 100 Network Security Tools


That which hides in the dark:

The problem with investigating compromised systems is that they can't be trusted and that all software running on the compromised system, including anti-malware and system investigation tools, is possibly blinded by the malware, given bogus information, or the malware is hiding in unseen parts of the operating system, like in Alternate Data Streams. More and more malware uses rootkits or incorporates rootkit-like technologies, which makes finding and removing the malware much harder. Malware will hook, inject/load itself into processes, hijack API calls and generally do whatever it takes to avoid detection and removal. Most such malware can be quite unstable, especially when kernel mode is involved. Tools crashing, or tools causing the system to crash, can be a sign of hitting malware. However most malware is still targeting the low-hanging fruit and considers the average Joe user to be fairly easy to trick; rogue software and grayware can often be uninstalled using Add/Remove and a little manual cleaning.

In the end it's a cat and mouse game, no rootkit can hide forever and no rootkit detector can detect all rootkits. No base belongs to anyone.


Rootkit scanners:

http://www.antirootkit.com/software/index.htm
http://antivirus.about.com/od/rootki..._Detection.htm

http://www.gmer.net/index.php
http://www.microsoft.com/technet/sys...tRevealer.html
http://www.f-secure.co.uk/blacklight/blacklight.html
http://antirootkit.com/software/IceSword.htm


On-line malware scanners and analyzers:


Use multi-scanners on suspicious files, files your antivirus did not catch, or did catch, yet you want a second opinion about to check for false positives. They all have a file size limit so you can't scan very large files.

http://www.virustotal.com
http://virusscan.jotti.org
http://scanner.virus.org
http://www.virscan.org/
http://scanner.virus.org/
http://www.viruschief.com/index.html


Use malware analysis services like ThreatExpert to see how malware or unknown programs behave and look for suspect behavior.
Quote:
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.
CWSandbox

Norman Sandbox
Sunbelt Sandbox
ThreatExpert



Virtual environments, sandboxing:

Running suspicious or unknown processes, as well as known malicious processes, inside a virtual environment or sandbox is a way of isolating harmful effects; it also gives an easy way of reverting any system changes. Great for testing and looking at stuff without having to worry about the harmful effects. It should be noted that some malware is virtual machine aware, that is, it will look to see if it is running in a VM and will adjust its behavior to fool you into thinking it is harmless, then when you run it in the real OS it shows its true face. There are tell-tale signs of running in a VM, but some can be mitigated. For example VMware Tools is handy but also one place malware can look to quickly figure out if it is running inside a VM.

Other malware might (at least in theory) even be able to break out of the VM or sandbox and get to the real system. However that would be considered an exploitable security flaw in the VM or sandbox which should be fixed (if known about obviously, consider a 0day VM exploit). Having said that, as far as I know all anti-virus labs use VMs, which is one of the reasons why malware has come up with the anti-VM stuff to begin with, but nevertheless if they can use them so can we. Some precautions should be taken, such as disabling sharing and considerations to network access.


Debuggers, Disassemblers, HEX editors, Malcode analyzers:

Here we are in the realm of malware analysis and reverse engineering. The following tools are not of much use to most people, however they are part of malware investigation nevertheless. For advanced users only.


Google: Disassembler, Wikipedia: Disassembler
Google: Debuggers, Wikipedia: Debugger
Softpedia, list of software

Windbg, Windows Debuggers: Part 1: A WinDbg Tutorial
RootKit Hunting: They can run, but cannot hide

OllyDbg
IDA Pro
PE Explorer
iDefense Labs software

Practical malware analysis (forum has censored the URL so i link to a google search of the pdf)
http://www.google.com/search?name=f&...cMillan-WP.pdf



3. Time to clean the system

For now all you have done is investigating the system. Now with the knowledge obtained in hand we can terminate malicious processes, delete startup/run commands and delete files. Suspending processes using Process Explorer before killing them may be helpful in cases when processes are monitoring each others back and processes get relaunched when killed (buddy system).


1. Suspend and kill the malicious processes, then find them and delete.


2. Search for the startup run commands and delete.


3. Look for services used by malware, stop and delete.

Using the command line: sc stop <service name>, sc delete <service name>.


4. Clean the HOSTS file, reset IE security settings, firewall and TCP/IP.

HostsXpert
Zoneout

"Windows cannot display Windows Firewall settings" error while accessing Firewall settings in Windows XP
You cannot start the Windows Firewall service in Windows XP SP2
Reset TCP/IP settings


5. Disable and re-enable system restore to wipe old restore points which malware might be using. It is advisable to not wipe the restore points until after you have scanned and cleaned. Some malware will cripple system files and cleaning them can make the system unbootable so a restore point may be handy to have around, but in the end it should be wiped.


6. Run system file checker to search for and repair damaged system files. Have your Windows CD/DVD ready.


7. Scan the hard disk from a boot CD or second system. Take care when cleaning with boot CDs that are not specifically made for cleaning: you can use the detection just fine, but cleaning without the tools having full access and knowledge about the environment can cause nasty side effects; worst case scenario the system may become unbootable.

Word of warning on cleaning with boot CDs

Alternate Operating System Scanner
http://www.pctools.com/aoss/

Avira AntiVir Rescue System
http://www.free-av.com/en/tools/12/a...ue_system.html

Bitdefender: LinuxDefender Live! CD
http://www.bitdefender.com/site/Linu...r-Mirrors.html

Kaspersky Rescue Disk
http://ftp.kaspersky.com/devbuilds/RescueDisk/
http://fileforum.betanews.com/detail...k/1213647614/1

Ultimate Boot CD for Windows
http://www.ubcd4win.com/index.htm



8. Rinse and repeat. Sometimes even after your best efforts the malware returns on reboot. If it does you will just have to give it a second go; hopefully the second time around the malware will be defeated.



Dark matter

There are people that in this process of learning about malware and the lowest levels of operating systems get a little too involved, and some just go off the deep end. Without the proper knowledge, and depending on your mental well-being, it can be a bad place to go for some people. I know this might sound extreme but trust me, there are many people who simply can't deal with the idea of a compromised system and for some it becomes an obsession; I have seen it happen and it's a sad sight. They start looking for strings in some executable yet they don't know what they are looking at, or for. They scan with anti-rootkit scanners not realizing the many false positives caused by, ironically enough, anti-malware software installed on the system, which will hook, inject and hide itself from the system just like malware does. My point is the deeper you look the more phantoms you tend to see; don't waste your time looking for phantoms and don't freak yourself out.

Last edited by Animatrix; 02-17-2009 at 17:01.
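The Autorun.inf check from the Level 3 scan step above (look in the drive root before plugging the disk into a second system, and rename the file to Autorun.inf.back), as an added Python example that is not code from the post or from any tool it names. The drive root path, the sample autorun file and the file names inside it are constructed for the demo; the [autorun] key names (open, shellexecute, shell\<verb>\command) are the standard ones.

```python
"""Inspect a drive root for an Autorun.inf before attaching the disk to another system.

Added example, not from the forum post or any tool named there. Assumes the disk is
already mounted read-write at `root`; the sample contents in demo() are constructed.
"""
import configparser
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# [autorun] keys whose value is launched when the drive is inserted or opened:
# open= and shellexecute= directly, plus any shell\<verb>\command= entry.
LAUNCH_KEYS = ("open", "shellexecute")


def find_autorun(root: Path) -> Optional[Path]:
    """Return the Autorun.inf in the drive root (any letter case), or None."""
    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            return entry
    return None


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the INI-style [autorun] section into a lowercased key -> value map.

    Tolerant of duplicate keys and odd casing; a file with no [autorun] section
    (or no section header at all) yields an empty map rather than an exception.
    """
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str.lower  # key names are case-insensitive in Autorun.inf
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(section)}
    return {}


def launch_commands(entries: Dict[str, str]) -> List[str]:
    """Return the entries that would run a program, as 'key=value' strings."""
    cmds = []
    for key, value in entries.items():
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in LAUNCH_KEYS or is_shell_cmd):
            cmds.append(f"{key}={value}")
    return cmds


def assess(root: Path) -> dict:
    """Report whether an Autorun.inf is present and what it would launch; read-only."""
    inf = find_autorun(root)
    if inf is None:
        return {"present": False, "path": None, "launches": []}
    entries = parse_autorun(inf.read_text(encoding="utf-8", errors="replace"))
    return {"present": True, "path": str(inf), "launches": launch_commands(entries)}


def neutralise(root: Path) -> Optional[Path]:
    """Rename Autorun.inf to Autorun.inf.back, as the post suggests, so the second
    system cannot act on it. Returns the new path, or None if there was nothing to do."""
    inf = find_autorun(root)
    if inf is None:
        return None
    backup = inf.with_name(inf.name + ".back")
    return inf.rename(backup)


def demo() -> dict:
    """Run the check against a constructed drive root in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample: a harmless label/icon plus two launch entries of the
        # kind a USB-spreading worm would add. File names are placeholders.
        (root / "AUTORUN.INF").write_text(
            "[AutoRun]\n"
            "label=Backup Drive\n"
            "icon=drive.ico\n"
            "open=RECYCLER\\setup.exe\n"
            "shell\\open\\command=RECYCLER\\setup.exe\n",
            encoding="utf-8",
        )
        report = assess(root)
        backup = neutralise(root)
        report["renamed_to"] = backup.name if backup else None
        report["still_present"] = find_autorun(root) is not None
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `assess()` and `neutralise()` at the mounted drive's root (for example `Path("E:/")`) to use it on a real disk; `assess()` only reads, `neutralise()` performs the rename.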
   
(#44) brassoo
03-17-2009, 02:06 | posts: 172

Great topic guys, lots of information.
   
(#45) danielhcn
04-01-2009, 15:35 | posts: 10

Hi guys. Recently I formatted my HD and installed WinXP 32-bit and Vista Ultimate 64-bit (previously I was using XP 32-bit), each on its own HD. After everything was done I found that I got 2 selections of XP (one new and one old) in the BIOS, and Vista works fine (one selection). How do I remove the non-working old XP from the XP selection? I also followed the methods in this topic to type MSCONFIG in RUN, but it didn't work for me, and I even tried EasyBCD 1.7.2 but it still didn't work. Any suggestions or other solutions? Sorry for any inconvenience caused.
   