I'm assuming you mean one of the computers that was unable to use the CD?

John Aldrich

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 11:12 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Try to boot normally and update Malwarebytes now.

On Fri, Oct 7, 2011 at 11:02 AM, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

Well, I was using the bootable CD, so any infection on the computer should not affect the machine in question. I'm guessing it's just old hardware that isn't up to the job. I might take a USB CD up to a couple of 'em, but honestly I'm not really worried about it on those machines. We have that IP range blocked in the firewall, so it's not as big a deal as it might have been. OTOH, I am glad I used that bootable CD as some of the computers were really infested beyond what I would have expected with Vipre installed.

John Aldrich

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Friday, October 07, 2011 10:25 AM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Did it successfully install the software and NOT allow you to update the definition files? This is a good sign of an infected computer.

On Thu, Oct 6, 2011 at 6:31 PM, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

What do you do if the machine won't run it? I have two machines that both think the CD I just made is like 5 years old, and they won't allow me to update the definitions or anything.... :( Neither one is really "critical" but I can't replace 'em right now...

From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Thursday, October 06, 2011 3:56 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

Yeah... give the one from Microsoft a try: http://connect.microsoft.com/systemsweeper

Roger Wright
___
My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together.

On Thu, Oct 6, 2011 at 3:28 PM, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

Well, we blocked the IPs of the C&C server at the firewall, and theoretically, I should have had some hits on the firewall overnight, but I never did, so I don't know what's going on. Unless/until I can find something to point me towards a good way to find this sucker, I'm going to call it "resolved." I did contact Sunbelt, but the tech I got seemed to think I'd already identified the infected PC. I think the only way I'm likely to identify the machine in question is to boot off removable media and scan the hard drive of every machine that has been turned on during the time the infection was detected (about a dozen or two.) Do y'all know of any good free/trialware that one can download a bootable ISO for to scan for this bug?

From: Cynicalgeek [mailto:cynicalg...@gmail.com]
Sent: Thursday, October 06, 2011 3:16 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

So you have no root cause but it is resolved?

On Thu, Oct 6, 2011 at 2:57 PM, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

Nope. I managed to get the ASA logging to a Linux box successfully, but it's not showing any hits on the relevant IP address. *shrug* I don't know if running Malware Bytes on a few machines cleaned it or not. I didn't find anything major on those machines, so I doubt that was it. I suppose it could be a false-positive. Don't know.

From: Roger Wright [mailto:rhw...@gmail.com]
Sent: Thursday, October 06, 2011 12:03 PM
To: NT System Admin Issues
Subject: Re: Torpig/Anserin/Mebroot infection

John, How'd you make out with this issue? Determine the source yet?

Roger Wright
___
My short term goal is to make it through the day. My long term goal is to string a bunch of short term goals together.

On Mon, Oct 3, 2011 at 1:22 PM, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

So, our external IP is blacklisted because apparently one of our machines is infected with a banking Trojan.

Short of going to each and every individual machine on the network, the only thing I can think of to do is to set up logging of the ASA to a syslog server. I have downloaded and installed a trial version of Kiwi syslog, but I can't figure out how to configure it to forward the log files to my system. Anyone here able to provide a good how-to? I *did* Google, but apparently my Google-fu sucks, as I wasn't able to find instructions that made sense to me.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

--
-cynicalgeek-
cynicalgeek<at>gmail.com
--
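The approach John describes in the thread, ASA syslog shipped to a box and then searched for any inside host that tried to reach the blocked C&C address, as an added example that is not code from the thread or from any of its participants. It parses the standard Cisco ASA 106023 (deny) and 302013 (built outbound connection) message formats; the C&C address and the log lines are constructed placeholders, since the thread does not give the real ones.

```python
import re
from collections import defaultdict

# Constructed placeholder for the blocked C&C address(es); the thread does not name them.
CNC_IPS = {"203.0.113.10"}

# Cisco ASA %ASA-4-106023 deny message, e.g.
#   Deny tcp src inside:10.0.0.15/49321 dst outside:203.0.113.10/443 by access-group "..."
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# Cisco ASA %ASA-6-302013 built outbound connection message, e.g.
#   Built outbound TCP connection 4480 for outside:203.0.113.10/8443 (203.0.113.10/8443) to inside:10.0.0.31/52010 (192.0.2.5/52010)
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built outbound (?P<proto>\w+) connection \d+ for "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+)"
)

def parse_line(line):
    """Return (inside_host, dest_ip, dest_port, action) or None if the line is not a deny/built message."""
    for regex, action in ((DENY_RE, "denied"), (BUILT_RE, "built")):
        m = regex.search(line)
        if m:
            return m["src"], m["dst"], int(m["dport"]), action
    return None

def find_cnc_talkers(lines, cnc_ips=CNC_IPS):
    """Map each inside host that reached (or was denied to) a C&C address to counts per (action, port)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, action = parsed
        if dst in cnc_ips:
            hits[src][(action, dport)] += 1
    return {host: dict(counts) for host, counts in hits.items()}

# Constructed sample syslog lines, not a real capture: one host is denied twice on 443,
# one unrelated host builds a normal web connection, one host built a session before the block.
SAMPLE_LOG = """\
Oct  6 09:12:01 asa %ASA-4-106023: Deny tcp src inside:10.0.0.15/49321 dst outside:203.0.113.10/443 by access-group "inside_access_in" [0x0, 0x0]
Oct  6 09:12:03 asa %ASA-6-302013: Built outbound TCP connection 4471 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.0.0.22/51000 (192.0.2.5/51000)
Oct  6 09:13:40 asa %ASA-4-106023: Deny tcp src inside:10.0.0.15/49322 dst outside:203.0.113.10/443 by access-group "inside_access_in" [0x0, 0x0]
Oct  6 09:15:02 asa %ASA-6-302013: Built outbound TCP connection 4480 for outside:203.0.113.10/8443 (203.0.113.10/8443) to inside:10.0.0.31/52010 (192.0.2.5/52010)
""".splitlines()
```

An empty result over a logging window only says that no host reached those addresses while logging was on; a machine that was powered off, or a C&C address missing from the list, produces no hits at all.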