So maybe Facebook needs to be blocked, oh how horrible..

On Thu, Nov 18, 2010 at 4:14 PM, Ralph Smith <m...@gatewayindustries.org> wrote:

> Yes, that's it. We had one workstation that had the fake Thinkpoint scan
> running, so apparently VIPRE AP didn't block it from executing on that one.
> On every affected machine we have seen, looking at the browser history each
> user was on Facebook immediately prior to VIPRE AP reacting. I continue to
> try to educate users about safe surfing, but I may have to block Facebook if
> VIPRE is unable to deal with it soon.
>
> ------------------------------
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Sent: Thursday, November 18, 2010 3:51 PM
> To: NT System Admin Issues
> Subject: RE: vipre: SVCHOST.EXE virus.
>
> Yep, that is a driveby malware we have seen accordingly, it's the
> Thinkpoint virus.
>
>     C:\Documents and Settings\username\Application Data\hotfix.exe
>     C:\Documents and Settings\username\Application Data\dkfjasdfshd.bat
>     C:\Documents and Settings\username\Desktop\mstsc.exe
>
> Is what we saw in our inspection of some workstations.
>
> Z
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Network Engineer
> Lifespan Organization
> Email: ezi...@lifespan.org
> Cell: 401-639-3505
>
> ------------------------------
> From: Ralph Smith [mailto:m...@gatewayindustries.org]
> Sent: Thursday, November 18, 2010 3:47 PM
> To: NT System Admin Issues
> Subject: RE: vipre: SVCHOST.EXE virus.
>
> I've seen on a few computers over the last couple of weeks where there is a
> file on the user's desktop called MSTSC.exe, and there are various
> executables scattered around in the user's profile with various names the
> same as or close to legitimate Windows files, including SVCHOST.EXE.
>
> I sent samples to the VIPRE folks a few times - haven't heard anything
> back. In my case VIPRE active protection kept blocking the execution of the
> files, but didn't recognize them as threats when doing a full scan.
> MalwareBytes found and cleaned a bunch of stuff, but the next time the
> computer was rebooted it was back. Trend also saw them but couldn't remove
> them. I've been wiping and re-imaging them.
>
> ------------------------------
> From: justino garcia [mailto:jgarciaitl...@gmail.com]
> Sent: Thursday, November 18, 2010 3:32 PM
> To: NT System Admin Issues
> Subject: Re: vipre: SVCHOST.EXE virus.
>
> The virus came in this morning, via the internet browser.
>
>     hkey_users\default\software\Microsoft\Windows NT\Current    backdoor-faaa!1 Trojan
>     windows|Load hkey_users\s-1-5-19\Software\Windows NT\Current\    Backdoor-FAAA1! Trojan
>     Internet Settings [Proxy Server    hkey_users\s-1-5-21-3786461165-302493939458-2064062449-500
>
> On Thu, Nov 18, 2010 at 3:23 PM, Ziots, Edward <ezi...@lifespan.org> wrote:
>
> There was a post on ISC just a day or two ago about another version of
> Conficker B++ accordingly, making the rounds. Just an idea, but might be
> your culprit.
>
> Z
>
> ------------------------------
> From: justino garcia [mailto:jgarciaitl...@gmail.com]
> Sent: Thursday, November 18, 2010 3:14 PM
> To: NT System Admin Issues
> Subject: Re: vipre: SVCHOST.EXE virus.
>
> Oh, I have yet to call them. I will call them soon, but want to see what the
> list says.
>
> But I wanted to see if the mailing list saw this before..
>
> Back-Door-FAAAA!1 is the name that McAfee detected it as.
>
> On Thu, Nov 18, 2010 at 3:11 PM, Jim Holmgren <jholmg...@xlhealth.com> wrote:
>
> What did Vipre Tech Support say when you called them?
>
> Jim Holmgren
> Manager of Server Engineering
> XLHealth Corporation
> The Warehouse at Camden Yards
> 351 West Camden Street, Suite 100
> Baltimore, MD 21201
> 410.625.2200 (main)
> 443.524.8573 (direct)
> 443-506.2400 (cell)
> www.xlhealth.com
>
> ------------------------------
> From: justino garcia [mailto:jgarciaitl...@gmail.com]
> Sent: Thursday, November 18, 2010 3:10 PM
> To: NT System Admin Issues
> Subject: vipre: SVCHOST.EXE virus.
>
> Vipre did not detect it, or clean it. Anti-virus definitions were up to
> date, active scanner was running as well, so I'm a bit concerned the active
> scanner didn't pick it up.
>
> The virus was still loading in his run command in the registry so I had to
> uninstall Vipre and put my own copy of McAfee on his machine to get rid of
> the virus.
>
> Any ideas??
> --
> Justin
> IT-TECH
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> CONFIDENTIALITY NOTICE: This email, including attachments, is for the sole
> use of the intended recipient(s) and may contain confidential and/or
> protected health information. Under the Federal Law (HIPAA), the intended
> recipient is obligated to keep this information secure and confidential. Any
> disclosure to third parties without authorization from the member or as
> permitted by law is prohibited and punishable under Federal Law. If you are
> not the intended recipient, please contact the sender by reply e-mail and
> destroy all copies of the original message.
>
> CONFIDENTIALITY NOTE: This message, including any attachment, is for the
> exclusive use of the recipient(s) and may include confidential information
> and/or protected health information. Federal Law (HIPAA) establishes that
> the recipient is obligated to keep the information confidential and secure.
> HIPAA prohibits and punishes any disclosure to third parties without
> authorization of the member or as permitted by law. If you are not the
> recipient, redirect this message to the sender, and destroy any existing
> copy of the original message.
>
> Confidentiality Notice:
> ********************
> This communication, including any attachments, may contain confidential
> information and is intended only for the individual or entity to whom it is
> addressed. Any review, dissemination, or copying of this communication by
> anyone other than the intended recipient is strictly prohibited. If you are
> not the intended recipient, please contact the sender by reply email, delete
> and destroy all copies of the original message.

--
Justin
IT-TECH
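The indicators traded in this thread (executables dropped under Application Data, an MSTSC.exe on the desktop, copies of SVCHOST.EXE outside system32, and a per-user "Load" value, which lives under Software\Microsoft\Windows NT\CurrentVersion\Windows, plus the ordinary Run key) are the kind of thing an admin sweeps workstations for before deciding whether to re-image. The script below is an added example, not code from any list member, VIPRE or McAfee. It runs those checks over constructed sample data built from the paths quoted above; the `SAMPLE_*` constants, the short list of imitated system binaries and the hive-as-a-dict format are assumptions so that it runs offline on any platform.

```python
"""Added triage helper for the indicators discussed in the thread.

Flags (1) executables whose file name matches a legitimate Windows binary but
which live outside the Windows system directories, (2) any executable or batch
file dropped under a profile's Application Data directory, and (3) autostart
values: any data in the legacy Load/Run values under Windows NT\\CurrentVersion
\\Windows, and Run-key entries whose command points at a file that trips check
(1) or (2).  Sample paths and the registry "hive" dict are constructed.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Legitimate Windows binary names that the thread's samples imitated.
# Illustrative list, not exhaustive (assumption).
SYSTEM_BINARY_NAMES = {"svchost.exe", "mstsc.exe", "explorer.exe", "lsass.exe"}
# Where those binaries legitimately live (lower-cased directory names).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
EXEC_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif"}
PROFILE_ROOTS = (r"c:\documents and settings\\"[:-1], r"c:\users\\"[:-1])

# Key paths are relative to HKEY_USERS\<SID>, lower-cased for lookup.
# Load and Run under Windows NT\CurrentVersion\Windows are almost never set
# legitimately, so any data there is worth a look.
LEGACY_AUTOSTART_KEY = r"software\microsoft\windows nt\currentversion\windows"
RUN_KEY = r"software\microsoft\windows\currentversion\run"


@dataclass(frozen=True)
class Finding:
    kind: str       # "masquerade", "profile-exec" or "autostart"
    location: str   # file path or registry key\value
    detail: str


def classify_file(path: str) -> Finding | None:
    """Return a Finding if an executable path looks like the thread's droppers."""
    name = ntpath.basename(path)
    if ntpath.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
        return None
    lowered = path.lower()
    if name.lower() in SYSTEM_BINARY_NAMES and ntpath.dirname(lowered) not in SYSTEM_DIRS:
        return Finding("masquerade", path, f"{name} outside the Windows system directories")
    if lowered.startswith(PROFILE_ROOTS) and "\\application data\\" in lowered:
        return Finding("profile-exec", path, "executable dropped in Application Data")
    return None


def check_files(paths: list[str]) -> list[Finding]:
    return [f for f in (classify_file(p) for p in paths) if f is not None]


def _command_exe(data: str) -> str:
    """Extract the program path from an autostart command line (quoted or not)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def check_autostart(hive: dict[str, dict[str, str]]) -> list[Finding]:
    """hive maps a key path (relative to HKEY_USERS\\<SID>) to {value name: data}."""
    norm = {key.lower(): values for key, values in hive.items()}
    findings: list[Finding] = []
    for value, data in norm.get(LEGACY_AUTOSTART_KEY, {}).items():
        if value.lower() in ("load", "run") and data.strip():
            findings.append(Finding("autostart", f"{LEGACY_AUTOSTART_KEY}\\{value}", data))
    for value, data in norm.get(RUN_KEY, {}).items():
        if classify_file(_command_exe(data)) is not None:
            findings.append(Finding("autostart", f"{RUN_KEY}\\{value}", data))
    return findings


# Constructed sample input, built from the paths and registry locations quoted
# in the thread plus a couple of benign entries that must not be flagged.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\username\Application Data\hotfix.exe",
    r"C:\Documents and Settings\username\Application Data\dkfjasdfshd.bat",
    r"C:\Documents and Settings\username\Desktop\mstsc.exe",
    r"C:\Documents and Settings\username\Application Data\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",                        # legitimate
    r"C:\Documents and Settings\username\Application Data\notes.txt",
]
SAMPLE_HIVE = {
    r"Software\Microsoft\Windows NT\CurrentVersion\Windows": {
        "Load": r"C:\Documents and Settings\username\Application Data\hotfix.exe",
        "Run": "",
    },
    r"Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",      # benign
        "hotfix": r'"C:\Documents and Settings\username\Application Data\hotfix.exe" /s',
    },
}


def triage(paths=SAMPLE_PATHS, hive=SAMPLE_HIVE) -> list[Finding]:
    return check_files(paths) + check_autostart(hive)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.kind}] {f.location}: {f.detail}")
```

On a real box the same functions take a directory walk of the profile tree and a parsed .reg export of the user's hive; the point of the two checks is that a full scan which only matches signatures misses both a renamed copy of a system binary and a one-line Load value, which is exactly the gap the thread's re-imaging was covering for.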