topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Monday November 4, 2024, 4:15 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Scary Driveby Attack / Mysterious failure / Other  (Read 17095 times)

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Scary Driveby Attack / Mysterious failure / Other
« on: April 16, 2014, 06:56 PM »
Okay, today was a weird day.

For no apparent reason while surfing what I think are safe sites, about 2PM my computer suddenly quit responding! Well, whatever etc, time to reboot. And then upon rebooting, processes started failing to load at very low levels! It was easy to tell that both mouse and keyboard were working, aka not a simple bad battery. But what was really scary is the comp didn't want to accept the function key to choose boot modes! (I think it's F8) to go into safe mode! Then when it did boot up (partially), it worked for like five seconds before doing anything would lock it up!

Has anyone here had their comp used in a botnet? What does that look like? That was my guess, though I was thinking virus, or hard drive dangers (though the pattern felt wrong for that one), and a couple other things. The suddenness and "thoroughness" were unnerving because the usual sequence of Go-To tricks weren't working. No easy Safe Boot. No easy System Restore.

I got a break when I went to the Bios and turned off Quickboot, and some logo setting, and something else. Then that slowed the machine down long enough to get the F8 boot menu to show, and Safeboot with networking worked, and it stayed there. So I made some copies of some important data to the spare internal drive. And I had browsers, so a vague memory led me to check the web and remember msconfig, where I turned off a bunch of stuff, a couple of which looked rather fishy. I went for a System restore to a couple of days ago, and that partially worked. Then on a boot in debug mode and a couple other variants, something finally gave way and MsSecEssentials sent a different notice "this process has stopped. Restart the process?" and then it's been fine since (though I haven't rebooted since all that!) So I still don't know if it's completely fixed.

Yeah, I need to do all those virus scans and stuff, but I think that can wait a little since it all seems to be back and I need to have my energy up for all that to concentrate. But it's leading me to think, is MS isn't officially doing security updates on XP anymore, how long before someone finds something really nasty and just goes mass comp hunting?


40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #1 on: April 16, 2014, 09:16 PM »
But it's leading me to think, is MS isn't officially doing security updates on XP anymore, how long before someone finds something really nasty and just goes mass comp hunting?


That's not so much an 'if' as 'when,' unfortunately. :o

An article which discusses some things to look for if you think you've been compromised can be found here.

And a not-bad step by step guide for removing malware is this one:



« Last Edit: April 16, 2014, 09:35 PM by 40hz »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #2 on: April 17, 2014, 07:30 AM »
For no apparent reason while surfing what I think are safe sites, about 2PM my computer suddenly quit responding! Well, whatever etc, time to reboot. And then upon rebooting, processes started failing to load at very low levels! It was easy to tell that both mouse and keyboard were working, aka not a simple bad battery. But what was really scary is the comp didn't want to accept the function key to choose boot modes! (I think it's F8) to go into safe mode! Then when it did boot up (partially), it worked for like five seconds before doing anything would lock it up!

Let's stop here for a second, because what I'm seeing are several indicators of a hardware failure. Either a memory or HDD failure can result in these symptoms...botnet infestation not so much. So if diagnostic and repair efforts continue more damage may be incurred. If the HDD is failing, repair attempts may very well push it over the edge. if the memory is failing, repair attempts may (will IME) further scramble the drive.

From the top:
 Take a quick peek inside the case and make sure it's not clogged dust/overheating.
 Rule out the keyboard, especially the fancy ones that mode switch between media and F'n key functions. I always keep a basic proper 104 key keyboard handy to avoid getting trapped in the media key nightmare.
 Make sure the BIOS isn't giving you to small a window or no warning (you already did this one - and it worked). For strange machines I usually just start tapping the F8 key after the KB initializes (the lights flash) to flood the buffer.
 Run a manufacturers diag on the HDD.
 Run a memory check (preferably Memtest 86 if available).
 Boot to a command prompt and run chkdsk C: /R

Only after these more pedestrian causes have been eliminated should we start looking for signs of Ziggy Stardust's Uber hacker spiders from Mars. ;)

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #3 on: April 17, 2014, 07:46 AM »
Only after these more pedestrian causes have been eliminated should we start looking for signs of Ziggy Stardust's Uber hacker spiders from Mars.

But doesn't everybody do those first before running over to the PC security blogs? :huh: ;)

And yes indeed, it does sound a lot like a HD just might be starting to go... 8)

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #4 on: April 17, 2014, 09:52 AM »
Only after these more pedestrian causes have been eliminated should we start looking for signs of Ziggy Stardust's Uber hacker spiders from Mars.

But doesn't everybody do those first before running over to the PC security blogs?
And yes indeed, it does sound a lot like a HD just might be starting to go...

Well, not that I ran to a blog - it was more an off the cuff question based on general confusion. So if a couple of opinions are coming in re hardware failure, maybe that's "the lesser evil" but it's also where my skillset drops off a cliff. Meanwhile it's still okay as of today. I'll try a couple of those checks to see what's up. Maybe a defrag will move stuff off a bad sector too.


Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #5 on: April 17, 2014, 11:51 AM »
Only after these more pedestrian causes have been eliminated should we start looking for signs of Ziggy Stardust's Uber hacker spiders from Mars.

But doesn't everybody do those first before running over to the PC security blogs?
And yes indeed, it does sound a lot like a HD just might be starting to go...

Well, not that I ran to a blog - it was more an off the cuff question based on general confusion. So if a couple of opinions are coming in re hardware failure, maybe that's "the lesser evil" but it's also where my skillset drops off a cliff. Meanwhile it's still okay as of today. I'll try a couple of those checks to see what's up. Maybe a defrag will move stuff off a bad sector too.


Hardware is not in the center of my skillset either, but as an Admin I spend a great deal of my time with a mental coin spinning in the air trying to decide if the sad faced user before me clicked on something foolishly (heads)...or if the machine for some reason is having an anthropomorphically malevolent episode (tails).

Most people - statisticians/accountants/etc. - you see would assume and cling to the commonly held belief that the odds of a coin landing on any given side are at all points 50/50. Admins however know that that notion - generally speaking - is complete bullshit. :D Things that can, will, and do influence the coins inclination one way of the other are the users own aptitude score, the age of the machine, my mood, the day of the week, and of course - most importantly - the time of day... As one must always, and in all things account for and defer to the will of Murphy's Law lest they risk incurring the wrath of the fates.

...So after weighing your score against the fact that malware "attacks" are never really "sudden" if one knows what to look for (and I get the impression you do). Also none of the tell tail signs of user guilt - they always tell on themselves if you know what to look for - appeared in the description of the issue. Hence it - the cause - had to be a hardware issue. ;)

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,937
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #6 on: April 17, 2014, 12:16 PM »
As far as I know, a defrag will not do much for you with regards to bad blocks. Checkdisk does move blocks of data around after it cannot repair bad blocks on your disk and marks these so the filesystem will not use them anymore.

That is at least the concept behind it. But often the capabilities of the software falls short and you have to resort to 3rd party software. HDSentinel, HDDscan (and for real pro's: MHDD) come to mind.

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #7 on: April 17, 2014, 01:25 PM »
As far as I know, a defrag will not do much for you with regards to bad blocks. Checkdisk does move blocks of data around after it cannot repair bad blocks on your disk and marks these so the filesystem will not use them anymore.

That is at least the concept behind it. But often the capabilities of the software falls short and you have to resort to 3rd party software. HDSentinel, HDDscan (and for real pro's: MHDD) come to mind.

I ran part of a chkdsk and it did delete one bad index entry. But for the full scan I think the file check will take a long time "step 4 of 5" so I'll try to remember to run it all again before bed one of these days.


Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #8 on: April 17, 2014, 01:56 PM »
As far as I know, a defrag will not do much for you with regards to bad blocks. Checkdisk does move blocks of data around after it cannot repair bad blocks on your disk and marks these so the filesystem will not use them anymore.

That is at least the concept behind it. But often the capabilities of the software falls short and you have to resort to 3rd party software. HDSentinel, HDDscan (and for real pro's: MHDD) come to mind.

I ran part of a chkdsk and it did delete one bad index entry. But for the full scan I think the file check will take a long time "step 4 of 5" so I'll try to remember to run it all again before bed one of these days.

Actually defrag will probably try to move more data into a bad sector in an effort to align the data in a organized and contiguous fashion. That's why the old defrag utility would generally refuse to run if the disk was marked dirty.

Please ... Take the time to run chkdsk C: /R completely (Don't make me beg damn it!). Because there is almost never only one error - there may only be one bad sector ... But there will be quite a bit of stuff riding on it.

Iceberg tips should not be ignored.

-Titanic.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #9 on: April 17, 2014, 02:01 PM »
On the odd chance that some of you may be wondering - I haven't had a cigarette since about noon Tuesday - So basically yes, I have completely snapped.

      

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,964
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #10 on: April 17, 2014, 03:16 PM »
Backup everything Tao!

and,
hang in there SJ :Thmbsup: ... not smoking can be like a drug in itself [spaced?]
Tom

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #11 on: April 17, 2014, 03:51 PM »
Spaced, not so much ... Stressed to the point where hostile, dog style, man style makes no difference...yes. I have zero patience at this point, so I'm reflexively falling back on covering stress/aggravation(/hostility) with humor to prevent myself from just screaming fuck at random people like a badly self medicated turrets patient.

Honestly, what I really wanted to do to half the users today:
See This Shit - Stop IT.jpg



tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,964
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #12 on: April 17, 2014, 04:14 PM »
^what can I say... best of luck to you, and to those users too ;)
Tom

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #13 on: April 17, 2014, 04:38 PM »
^Amen! I gave it up ages ago and it's probably the main reason I'm still here posting this. Because if I had continued smoking, the consequences would have been pretty grim. Those first few weeks going without were one of the hardest (if not actual hardest) things I ever went through.

Hang in there and good luck. It's doable - and I'm the proof:

So can you. :Thmbsup:

x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 888
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #14 on: April 17, 2014, 07:15 PM »
^ serious - over 21 years here. Do it for health and for the expense reduction... the irritability is just a side benefit.  :P
vi vi vi - editor of the beast

Innuendo

  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 2,266
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #15 on: April 17, 2014, 07:46 PM »
To comment on the original topic, friends don't let friends use Microsoft Security Essentials. Seriously!

I have seen it let people down time and time again. The only reason it enjoys the popularity it does is because it's free.

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #16 on: April 17, 2014, 08:57 PM »
To comment on the original topic, friends don't let friends use Microsoft Security Essentials. Seriously!

I have seen it let people down time and time again. The only reason it enjoys the popularity it does is because it's free.

Well this is a bit of a surprise, I thought it was supposed to be at least decent. But now it's "yelling at me" about the end of OS support so for that reason as well as it's been saying "service stopped" several times now for the first time ever, I'll probably switch it out kinda soon.


x16wda

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 888
  • what am I doing in this handbasket?
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #17 on: April 18, 2014, 05:44 AM »
I have seen it let people down time and time again. The only reason it enjoys the popularity it does is because it's free.

There was also that little matter over the last few days where a defs update killed most XP boxes (and some 2003 servers too), no effect on Win 7 or 2008+ servers.  (That's System Center Endpoint Protection, which is MSE plus reporting.)  I couldn't help but wonder if there was a little "nudge" built into that.
vi vi vi - editor of the beast

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #18 on: April 18, 2014, 06:05 AM »
I have seen it let people down time and time again. The only reason it enjoys the popularity it does is because it's free.

There was also that little matter over the last few days where a defs update killed most XP boxes (and some 2003 servers too), no effect on Win 7 or 2008+ servers.  (That's System Center Endpoint Protection, which is MSE plus reporting.)  I couldn't help but wonder if there was a little "nudge" built into that.

Yikes! I didn't hear about this! I haven't downloaded new defs in a while - so I should avoid it?!!


TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #19 on: April 18, 2014, 06:08 AM »
Please ... Take the time to run chkdsk C: /R completely (Don't make me beg damn it!). Because there is almost never only one error - there may only be one bad sector ... But there will be quite a bit of stuff riding on it.

Iceberg tips should not be ignored.

-Titanic.

Okay, I found time to do that last night. I don't know what it fixed because it rebooted after it was done, but I'll trust it did whatever useful things it wanted to.


Vurbal

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 653
  • Mostly harmless
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #20 on: April 18, 2014, 06:54 AM »
points 50/50. Admins however know that that notion - generally speaking - is complete bullshit. :D Things that can, will, and do influence the coins inclination one way of the other are the users own aptitude score, the age of the machine, my mood, the day of the week, and of course - most importantly - the time of day... As one must always, and in all things account for and defer to the will of Murphy's Law lest they risk incurring the wrath of the fates.

You forgot the phase of the moon.  :D
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of ''crackpot'' than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #21 on: April 18, 2014, 08:11 AM »
points 50/50. Admins however know that that notion - generally speaking - is complete bullshit. :D Things that can, will, and do influence the coins inclination one way of the other are the users own aptitude score, the age of the machine, my mood, the day of the week, and of course - most importantly - the time of day... As one must always, and in all things account for and defer to the will of Murphy's Law lest they risk incurring the wrath of the fates.

You forgot the phase of the moon.  :D

And

Zwinglie's Conservation of Complexity Factor : Let n be an integer where  n = the number of possible things that can be causing the problem. n is always a large integer.

Doug's Reality Rule: You will need to go through all n possibilities to get to the bottom of it.

and

40hz's Minumum Solution Hypothesis
which states: S = n+1 where S is the minimum number of tries necessary to solve a system problem.


Because you must first try every possibility to satisfy Zwinglie & Doug. Then you must go back to the one that actually does fix the problem - but which you missed the first time you tried it.

 8)
« Last Edit: April 18, 2014, 08:16 AM by 40hz »

techidave

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,044
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #22 on: April 18, 2014, 10:11 AM »
is there any kind of a third party program that will "record" or "log" the efforts of chkdsk when it runs.  Sometimes those scans can take a really long time and it would be nice to know what if found if I am not around before it reboots.   :(  I try to run these at night anyway.

I have also looked in the Event Viewer logs but it doesn't record anything there.

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,937
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #23 on: April 18, 2014, 10:29 AM »
Checkdisk does its best work when it runs before Windows is fully started, but apparently it is logged. This is what I found on the internet:

Open the Event Viewer...

Start | Run | Type: eventvwr | OK
Look in Application | Listed as Information |
Event ID: 1001
Source: Winlogon
[[Description: This includes file system type; drive letter or GUID, and
volume name or serial number to help determine what volume Chkdsk ran
against. Also included is whether Chkdsk ran because a user scheduled it or
because the dirty bit was set.]]

[[When Autochk runs against a volume at boot time it records its output to a
file called Bootex.log in the root of the volume being checked. The Winlogon
service then moves the contents of each Bootex.log file to the Application
Event log.]]

[[This file states whether Chkdsk encountered any errors and, if so,
whether they were fixed.]]

techidave

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,044
    • View Profile
    • Donate to Member
Re: Scary Driveby Attack / Mysterious failure / Other
« Reply #24 on: April 18, 2014, 11:16 AM »
Hmmm.  I will have to check it out.  Thanks Shades.