There's always the chance you are missing some things...

1. I know of no AV product which scans an NTUSER.DAT file. If the user associated with this file is logged in, then it is scanned as a part of the active registry. If the associated user is logged off, then scans do not find the ugly things hidden in HK_Current_User\Software hives. (Perhaps this painful, irritating nature is why they are called "hives"!) I've found all kinds of crud either as major hives, or I've found things in .\Microsoft\Windows\CurrentVersion\Run (which, again, show only when that user is logged in).

2. I found a really nasty one a couple of months ago that VIPRE missed. (It now finds this, BTW.) Look in the \Windows, the \Windows\System, and the \Windows\System32 folders for recent files, especially DLL, COM, or EXE files with weird names (random strings of letters).

Both #1 and #2 (as well as numerous others) will stay kind of hidden but continue to download crud. The AV scans find what the malware downloads, but they miss the downloaders.

--
Richard D. McClary
Systems Administrator, Information Technology Group
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL 61802
richardmccl...@aspca.org
P: 217-337-9761  C: 217-417-1182  F: 217-337-9761
www.aspca.org

John Hornbuckle <john.hornbuc...@taylor.k12.fl.us> wrote on 09/15/2010 11:20:06 AM:

> The "Security Tools" malware is about to drive me insane. My users keep managing to infect themselves with it, and we're having trouble stopping it.
>
> They don't run with admin rights, so there's no real damage done to their systems and we can clean it up in about two minutes. But the time adds up, and I'm tired of my technicians having to waste time on it.
>
> Our antimalware software is Microsoft's Forefront Client Security, and it's having a tough time catching this. Every time I get infected, I send the EXE to Microsoft and they update their definitions, but the EXEs used by the malware apparently change rapidly, and seem to constantly be a step ahead of FCS's definitions.
>
> I can think of a couple of options that I know would stop it, like blocking all EXEs at our web filter or using group policy to limit the running of EXEs, but this would also prevent users from doing things like installing safe plug-ins from websites, so it's not a first resort.
>
> Suggestions?
>
> John Hornbuckle
> MIS Department
> Taylor County School District
> www.taylor.k12.fl.us

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
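An added example, not part of Richard McClary's post or of any product mentioned in the thread: a PowerShell sweep that covers both of his checks in one pass. It loads each logged-off user's NTUSER.DAT under a temporary HKU alias and lists the Run/RunOnce entries that a live scan would only see while that user is logged in, then lists EXE/DLL/COM files written recently to \Windows, \Windows\System and \Windows\System32 and flags names that look like random letter strings. The alias name HKU\OfflineUser, the 14-day window and the random-name heuristic are my assumptions, not anything from the post. Run it from an elevated prompt.

```powershell
# Added example (not from the list post). Two checks from the thread:
#   1. Run/RunOnce entries in NTUSER.DAT hives of users who are NOT logged in.
#   2. Recently written EXE/DLL/COM files in the Windows system folders.
# Assumptions: hive alias 'HKU\OfflineUser', 14-day window, vowel-ratio heuristic.
param(
    [int]$Days = 14,
    [string]$ProfileRoot = "$env:SystemDrive\Users"
)

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# --- Check 1: per-user autoruns, including logged-off users -------------------
function Get-OfflineUserRunEntries {
    $regAlias = 'HKU\OfflineUser'                       # name reg.exe mounts the hive under
    $psRoot   = 'Registry::HKEY_USERS\OfflineUser'      # same key, PowerShell provider syntax
    foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory) {
        $hive = Join-Path $profile.FullName 'NTUSER.DAT'
        if (-not (Test-Path -LiteralPath $hive)) { continue }

        # reg.exe load fails when the hive is already mounted, i.e. the user is
        # logged in. Those users are already covered by a normal live scan.
        & reg.exe load $regAlias $hive 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Skipping $($profile.Name): hive in use or unreadable"
            continue
        }
        try {
            foreach ($key in $runKeys) {
                $regPath = "$psRoot\$key"
                if (-not (Test-Path -LiteralPath $regPath)) { continue }
                $props = Get-ItemProperty -LiteralPath $regPath
                foreach ($p in $props.PSObject.Properties) {
                    if ($p.Name -like 'PS*') { continue }    # provider metadata, not a value
                    [pscustomobject]@{
                        User    = $profile.Name
                        Key     = $key
                        Name    = $p.Name
                        Command = $p.Value
                    }
                }
            }
        }
        finally {
            [gc]::Collect()                                  # drop lingering key handles
            & reg.exe unload $regAlias 2>$null | Out-Null    # otherwise unload fails
        }
    }
}

# --- Check 2: recently written binaries with random-looking names -------------
function Test-RandomName([string]$Name) {
    # Heuristic only (my assumption): 8+ letters with very few vowels, or a long
    # consonant run, reads like "a random string of letters". Expect some noise.
    $letters = $Name -replace '[^A-Za-z]', ''
    if ($letters.Length -lt 8) { return $false }
    $vowels = ([regex]::Matches($letters, '[aeiouAEIOU]')).Count
    return (($vowels / $letters.Length) -lt 0.2) -or ($letters -match '[^aeiouAEIOU]{6,}')
}

function Get-RecentSystemBinaries {
    $folders = @("$env:SystemRoot", "$env:SystemRoot\System", "$env:SystemRoot\System32")
    $cutoff  = (Get-Date).AddDays(-$Days)
    # Trailing \* so that -Include applies without -Recurse.
    Get-ChildItem -Path ($folders | ForEach-Object { "$_\*" }) -File `
                  -Include *.exe, *.dll, *.com -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path       = $_.FullName
                Written    = $_.LastWriteTime
                RandomName = Test-RandomName $_.BaseName
                Signature  = $sig.Status        # NotSigned on a system file is worth a look
            }
        }
}

Write-Host "== Run/RunOnce entries in logged-off users' hives =="
Get-OfflineUserRunEntries | Format-Table -AutoSize

Write-Host "== EXE/DLL/COM files written in the last $Days days =="
Get-RecentSystemBinaries | Sort-Object Written -Descending | Format-Table -AutoSize
```

The offline-hive check is the part a scheduled AV scan misses: reg.exe load makes the logged-off user's HKCU branch visible under HKEY_USERS, and the try/finally ensures the hive is unloaded again even if a key read throws, so the user can still log in afterwards. The file sweep is deliberately broad; treat a recent, unsigned, random-named binary as a lead to pull and submit, not as a verdict.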