Category Archives: Anti-Malware

No Fucking with Sophos

We run Sophos on all of our machines at work.  I recently built a Windows 10 machine for one of our developers.  He ran into a problem, however, when he tried to debug the application he was writing.

Sophos was falsely blocking his application with the following error message:

File “C:\Users\[username]\Documents\Visual Studio 2015\Projects\KillerFuckingApp\KillerFuckingApp\obj\x86\Debug\intermediatexaml\KillerFuckingApp.exe” belongs to virus/spyware ‘Mal/DotNet-C’.

Ostensibly a false positive, I went to discuss the matter.  It didn’t seem likely that his code shared any code with the known exploit, so for shits and giggles I asked him to rename the application anything else to see if Sophos was merely objecting to the name.

Sure enough, once he removed “fucking” from the title, Sophos let things be.

At least Visual Studio wasn’t censoring our fucking developer.

Thanks, Sophos; but, you know, fuck off.


New RootKit Extractor

I installed a rootkit on my Vista machine.  It was interesting to note that I have no virus software which would detect this rootkit either in its zip file or in its executable.  You can read about that dangerous file here.

My usual fall-back for rooting out deep clinging nasties is ComboFix.  You can read about ComboFix here, but keep in mind it’s a last-line extraction utility and should be used with care (and maybe should be used by people who know what they are doing).  However, ComboFix was not able to locate this particular nasty.

Not only was ComboFix unable to find this rootkit but Spybot, Avast!, Security Essentials, Sophos Anti-Rootkit, and some random others were all unable to rid my system of this annoyance (or even find it for that matter).

Finally I heard about a utility Kaspersky is making called TDSSKiller.  (Thanks, Harry.)  It’s specifically a rootkit extractor so don’t expect more than that, but as far as rootkit extractors go this one’s rockin the misty bog.  I think it took less than two minutes to scan my system and offer to cure the file.  And it did find a bad file and cure it.  As far as I can tell it’s all better now.  Well, it’s still Vista; it’s not better in that respect.

Previously I would reboot the machine (usually because it was required by updates) and Avast! would snap the nasty when it poked its head up trying to take action.  I’ve rebooted several times now over a couple of days, and nothing seems to be out of the ordinary.  Excellent thus far.

Hope that helps you on your adventures.



Undetectable root-kit for Analysis

Be careful with this post. The attached root-kit is live and will bork your Windows system. In short, do not download it unless you know what you are doing.

I downloaded this file, thinking it was something useful of course, and scanned it with Avast! and Spybot. Then I extracted the containing files and scanned them again with Avast! and Spybot. Both of these very good anti-malware tools detected nothing.

Running the contained executable did, however, cause said executable to vanish from the Desktop and installed a root-kit (on my Vista system). Further to my annoyance, neither Avast! nor ComboFix has been able to completely eradicate this root-kit from my system. (Avast! detects it whenever it pokes its head up, but neither of them is able to permanently remove it.)

I am posting it here for Avast!, ComboFix, and other security professionals, so that they might have access to this particular file and so that they might improve their respective software.

Follow this link and on that page you may download the zip file.

Undetected Root-Kit

Have fun with that.


Swing and a Miss for AVG

Ah, the death knell of a software provider.

Some time back I stopped using, installing, and recommending AVG for virus protection due to a toolbar problem that impacted two of my clients.   Today AVG has produced a phenomenal blunder on a par with the oh-so-hackable XP bug from several years back.

In short, AVG issued an update that, when applied, put Windows 7 64 bit machines into a reboot loop from which there was no simple recovery using standard Windows tools.  Even Safe Mode was fucked.  So all over the globe folks have been waking up today to find their machines were borked beyond use, continually rebooting ad nauseam.

My friend Eric was one such sucker user.  He called me this morning to explain that his computer was useless.  Fixing the matter was easy enough.  I walked over with an Ubuntu 10.04 Live CD, booted into Ubuntu (no installation required), and mounted his computer’s hard drive from within Ubuntu.

(For those interested in Ubuntu, I recommend 14.04 as it is the latest long-term support release—five years.)

I had found an article (modified now and lacking this important information) which pointed me to delete two AVG files from the Program Folders.  I made a snapshot of that now lost information for your convenience:

AVG Files

The two files in question are not necessarily located where they say.  Since the machines affected are 64 bit machines they could be in Program Files (as listed in the image above) but they could also be in the Program Files x86 folder.  All I’m getting at here is that you may have to poke around a bit before you find the files in question.  I just amended their names with .hideme so that the operating system would not be able to find them and thus run them when I rebooted the machine.  (From the command line that would be mv avgrsa.exe avgrsa.exe.hideme from the containing folder.)
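The recovery steps above, as an added shell example (not commands from the post): from the Live CD, mount the Windows volume, then rename the AVG binaries wherever they sit under either Program Files tree. The device name, mount point and the AVG2014 folder used in testing are assumptions; only avgrsa.exe is named on the page, so pass any other file name as a further argument.

```shell
#!/bin/sh
# Added example, not the post's own commands.

# Mount the Windows system volume read-write with ntfs-3g from the Live CD.
# /dev/sda2 and /mnt/win are assumptions: check `sudo fdisk -l` for the real
# partition before calling this.
mount_windows() {
    dev=${1:-/dev/sda2}
    mnt=${2:-/mnt/win}
    sudo mkdir -p "$mnt"
    sudo mount -t ntfs-3g "$dev" "$mnt"
}

# Rename every named file found under "Program Files" or "Program Files (x86)"
# on the mounted volume by appending .hideme, so Windows cannot load it on the
# next boot. Prints the number of files renamed.
#   usage: hide_avg_files /mnt/win avgrsa.exe [more-file-names...]
hide_avg_files() {
    mnt=$1
    shift
    renamed=0
    for name in "$@"; do
        for dir in "$mnt/Program Files" "$mnt/Program Files (x86)"; do
            [ -d "$dir" ] || continue
            # -iname: the name on the NTFS volume may differ in case (AVGRSA.EXE)
            n=$(find "$dir" -type f -iname "$name" | wc -l)
            find "$dir" -type f -iname "$name" \
                -exec sh -c 'mv -- "$1" "$1.hideme" && echo "hid: $1" >&2' _ {} \;
            renamed=$((renamed + n))
        done
    done
    echo "$renamed"
}

# Typical session (not run here):
#   mount_windows /dev/sda2 /mnt/win
#   hide_avg_files /mnt/win avgrsa.exe
#   sudo umount /mnt/win && sudo reboot
```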

Worked like magic.  After moving those files and rebooting the machine we were once again able to log into Eric’s account.  Now to remove AVG.

Normally I use Revo Uninstaller to pluck out naughty applications, utterly.  However, for whatever reason Revo was not able to see AVG so I just used the standard Windows uninstaller package through the Control Panel.

Then I downloaded, installed, and updated Avast! (the free version) as virus protection.  I also made sure that Spybot was up to date and that its immunizations had been set.

This is not likely to bode well for AVG, but since it only affected a small group of users (Windows 7 64 bit, updated AVG in the last day, and rebooted last night) it may not lay them under.

We shall see.