I guess best is just to reimage / wipe / reimage the system. Ralph, what do you use for reimaging the system?

On Thu, Nov 18, 2010 at 3:46 PM, Ralph Smith <m...@gatewayindustries.org> wrote:

> I've seen on a few computers over the last couple of weeks where there is a file on the user's desktop called MSTSC.exe, and there are various executables scattered around in the user's profile with various names the same as or close to legitimate Windows files, including SVCHOST.EXE.
>
> I sent samples to the VIPRE folks a few times - haven't heard anything back. In my case VIPRE active protection kept blocking the execution of the files, but didn't recognize them as threats when doing a full scan. MalwareBytes found and cleaned a bunch of stuff, but the next time the computer was rebooted it was back. Trend also saw them but couldn't remove them. I've been wiping and re-imaging them.
>
> ------------------------------
> *From:* justino garcia [mailto:jgarciaitl...@gmail.com]
> *Sent:* Thursday, November 18, 2010 3:32 PM
> *To:* NT System Admin Issues
> *Subject:* Re: vipre: SVCHOST.EXE virus.
>
> The virus came in this morning, via the internet browser.
>
> hkey_users\default\software\Microsoft\Windows NT\Current backdoor-faaa!1 Trojan
> windows|Load hkey_users\s-1-5-19\Software\Windows NT\Current\ Backdoor-FAAA1! Trojan
>
> Internet Settings [Proxy Server
> hkey_users\s-1-5-21-3786461165-302493939458-2064062449-500
>
> On Thu, Nov 18, 2010 at 3:23 PM, Ziots, Edward <ezi...@lifespan.org> wrote:
>
>> There was a post on ISC just a day or two ago about another version of Conficker B++ accordingly, making the rounds. Just an idea, but might be your culprit.
>>
>> Z
>>
>> Edward E. Ziots
>> CISSP, Network +, Security +
>> Network Engineer
>> Lifespan Organization
>> Email: ezi...@lifespan.org
>> Cell: 401-639-3505
>>
>> *From:* justino garcia [mailto:jgarciaitl...@gmail.com]
>> *Sent:* Thursday, November 18, 2010 3:14 PM
>> *To:* NT System Admin Issues
>> *Subject:* Re: vipre: SVCHOST.EXE virus.
>>
>> Oh, I have yet to call them. I will call them soon, but want to see what the list says.
>>
>> But I wanted to see if the mailing list saw this before.
>>
>> Back-Door-FAAAA!1 is the name that McAfee detected it as.
>>
>> On Thu, Nov 18, 2010 at 3:11 PM, Jim Holmgren <jholmg...@xlhealth.com> wrote:
>>
>> What did Vipre Tech Support say when you called them?
>>
>> Jim Holmgren
>> Manager of Server Engineering
>> XLHealth Corporation
>> The Warehouse at Camden Yards
>> 351 West Camden Street, Suite 100
>> Baltimore, MD 21201
>> 410.625.2200 (main)
>> 443.524.8573 (direct)
>> 443.506.2400 (cell)
>> www.xlhealth.com
>>
>> *From:* justino garcia [mailto:jgarciaitl...@gmail.com]
>> *Sent:* Thursday, November 18, 2010 3:10 PM
>> *To:* NT System Admin Issues
>> *Subject:* vipre: SVCHOST.EXE virus.
>>
>> Vipre did not detect it, or clean it. Anti-virus definitions were up to date, active scanner was running as well, so I'm a bit concerned the active scanner didn't pick it up.
>>
>> The virus was still loading in his run command in the registry so I had to uninstall Vipre and put my own copy of McAfee on his machine to get rid of the virus.
>>
>> Any ideas??
>> --
>> Justin
>> IT-TECH
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe ntsysadmin
>>
>> CONFIDENTIALITY NOTICE: This email, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and/or protected health information. Under the Federal Law (HIPAA), the intended recipient is obligated to keep this information secure and confidential. Any disclosure to third parties without authorization from the member or as permitted by law is prohibited and punishable under Federal Law. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
>
> Confidentiality Notice:
>
> This communication, including any attachments, may contain confidential information and is intended only for the individual or entity to whom it is addressed. Any review, dissemination, or copying of this communication by anyone other than the intended recipient is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email, delete and destroy all copies of the original message.

--
Justin
IT-TECH
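The thread describes the infection pattern (system-binary look-alikes such as SVCHOST.EXE and MSTSC.exe dropped into the user profile, plus Run, Windows\Load and Proxy Server entries under HKEY_USERS) but gives no way to check a machine for it. The PowerShell below is an added example, not from the list or any poster; the look-alike name list and the full CurrentVersion key paths are my assumptions filled in from what the posts mention, and it should be run from an elevated prompt so other users' hives and profiles are readable.

```powershell
# Added example (not from the thread). Name list and key paths are assumptions
# based on the binaries and registry locations the posters reported.
$LookAlikeNames = @('svchost.exe', 'mstsc.exe', 'lsass.exe', 'csrss.exe',
                    'winlogon.exe', 'services.exe', 'explorer.exe')
$ProfileRoot = Split-Path $env:USERPROFILE -Parent   # usually C:\Users

function Find-LookAlikeBinaries {
    # Any copy of a system-binary name outside System32/SysWOW64 is suspect;
    # report signature state and hash so the file can be checked or submitted.
    Get-ChildItem -Path $ProfileRoot -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { $LookAlikeNames -contains $_.Name.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        }
}

function Get-UserAutostarts {
    # Walk every loaded user hive (skipping the *_Classes hives) and pull the
    # autostart points named in the thread: Run, Windows\Load and ProxyServer.
    $hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($h in $hives) {
        $base = "Registry::HKEY_USERS\$($h.PSChildName)\Software\Microsoft"
        $checks = @(
            @{ Key = "$base\Windows\CurrentVersion\Run";               Name = $null },
            @{ Key = "$base\Windows NT\CurrentVersion\Windows";        Name = 'Load' },
            @{ Key = "$base\Windows\CurrentVersion\Internet Settings"; Name = 'ProxyServer' }
        )
        foreach ($c in $checks) {
            if (-not (Test-Path -LiteralPath $c.Key)) { continue }
            $props = Get-ItemProperty -LiteralPath $c.Key
            # A null Name means "every value in the key" (the Run key); drop the PS* metadata.
            $names = @($c.Name)
            if (-not $c.Name) { $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' } }
            foreach ($n in $names) {
                if ($props.$n) {
                    [pscustomobject]@{ SID = $h.PSChildName; Key = $c.Key; Value = $n; Data = $props.$n }
                }
            }
        }
    }
}

Find-LookAlikeBinaries | Format-Table -AutoSize
Get-UserAutostarts     | Format-Table -AutoSize
```

Anything in the first table with a signature status other than Valid, or any Run/Load/ProxyServer data pointing into a user profile, is what Ralph and Justino were seeing and is worth hashing and submitting before the wipe.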