Not that kind of weed.
Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

________________________________
From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Thursday, November 18, 2010 4:31 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

Reefer Madness?

________________________________
From: Kim Longenbaugh [mailto:k...@colonialsavings.com]
Sent: Thursday, November 18, 2010 3:30 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

Welcome Back, Kotter? That '70s Show? FBI, with Inspector Erskine?

________________________________
From: Don Guyer [mailto:don.gu...@prufoxroach.com]
Sent: Thursday, November 18, 2010 3:28 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

I never thought the day would come!!! "Vile weed!" (Who can tell me which TV show that line came from?)

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

________________________________
From: justino garcia [mailto:jgarciaitl...@gmail.com]
Sent: Thursday, November 18, 2010 4:18 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

So maybe Facebook needs to be blocked. Oh, how horrible...

On Thu, Nov 18, 2010 at 4:14 PM, Ralph Smith <m...@gatewayindustries.org> wrote:

Yes, that's it. We had one workstation that had the fake Thinkpoint scan running, so apparently VIPRE AP didn't block it from executing on that one. On every affected machine we have seen, looking at the browser history, each user was on Facebook immediately prior to VIPRE AP reacting. I continue to try to educate users about safe surfing, but I may have to block Facebook if VIPRE is unable to deal with it soon.

________________________________
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Thursday, November 18, 2010 3:51 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

Yep, that is a drive-by malware we have seen accordingly; it's the Thinkpoint virus.

C:\Documents and Settings\username\Application Data\hotfix.exe
C:\Documents and Settings\username\Application Data\dkfjasdfshd.bat
C:\Documents and Settings\username\Desktop\mstsc.exe

is what we saw in our inspection of some workstations.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

________________________________
From: Ralph Smith [mailto:m...@gatewayindustries.org]
Sent: Thursday, November 18, 2010 3:47 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

I've seen on a few computers over the last couple of weeks where there is a file on the user's desktop called MSTSC.exe, and there are various executables scattered around in the user's profile with various names the same as or close to legitimate Windows files, including SVCHOST.EXE. I sent samples to the VIPRE folks a few times - haven't heard anything back. In my case VIPRE active protection kept blocking the execution of the files, but didn't recognize them as threats when doing a full scan. MalwareBytes found and cleaned a bunch of stuff, but the next time the computer was rebooted it was back. Trend also saw them but couldn't remove them. I've been wiping and re-imaging them.

________________________________
From: justino garcia [mailto:jgarciaitl...@gmail.com]
Sent: Thursday, November 18, 2010 3:32 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

The virus came in this morning, via the internet browser.

hkey_users\default\software\Microsoft\Windows NT\Current    backdoor-faaa!1    Trojan    windows|Load
hkey_users\s-1-5-19\Software\WIndows NT\CUrrent\    Backdoor-FAAA1!    Trojan    Internet Settings [Proxy Server
hkey_users\s-1-5-21-3786461165-302493939458-2064062449-500

On Thu, Nov 18, 2010 at 3:23 PM, Ziots, Edward <ezi...@lifespan.org> wrote:

There was a post on ISC just a day or two ago about another version of Conficker B++ accordingly, making the rounds. Just an idea, but it might be your culprit.

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

________________________________
From: justino garcia [mailto:jgarciaitl...@gmail.com]
Sent: Thursday, November 18, 2010 3:14 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

Oh, I have yet to call them. I will call them soon, but I want to see what the list says. I wanted to see if the mailing list had seen this before... Back-Door-FAAAA!1 is the name that McAfee detected it as.

On Thu, Nov 18, 2010 at 3:11 PM, Jim Holmgren <jholmg...@xlhealth.com> wrote:

What did Vipre Tech Support say when you called them?

Jim Holmgren
Manager of Server Engineering
XLHealth Corporation
The Warehouse at Camden Yards
351 West Camden Street, Suite 100
Baltimore, MD 21201
410.625.2200 (main)
443.524.8573 (direct)
443-506.2400 (cell)
www.xlhealth.com

________________________________
From: justino garcia [mailto:jgarciaitl...@gmail.com]
Sent: Thursday, November 18, 2010 3:10 PM
To: NT System Admin Issues
Subject: vipre: SVCHOST.EXE virus.

Vipre did not detect it or clean it. Anti-virus definitions were up to date and the active scanner was running as well, so I'm a bit concerned the active scanner didn't pick it up. The virus was still loading in his run command in the registry, so I had to uninstall Vipre and put my own copy of McAfee on his machine to get rid of the virus. Any ideas??

--
Justin
IT-TECH

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin

CONFIDENTIALITY NOTICE: This email, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and/or protected health information. Under the Federal Law (HIPAA), the intended recipient is obligated to keep this information secure and confidential. Any disclosure to third parties without authorization from the member or as permitted by law is prohibited and punishable under Federal Law. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

Confidentiality Notice: This communication, including any attachments, may contain confidential information and is intended only for the individual or entity to whom it is addressed. Any review, dissemination, or copying of this communication by anyone other than the intended recipient is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email, delete and destroy all copies of the original message.
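The file paths Ziots reported (hotfix.exe, a random-named .bat and mstsc.exe under the user's profile) and the per-user Windows NT\CurrentVersion\Windows\Load value in justino's McAfee log are the two things worth checking on the remaining workstations. The read-only triage script below is an added example, not code from the list or from VIPRE or McAfee; the name list, the profile roots and the "eight or more random letters .bat" heuristic are assumptions, and it only reports, it removes nothing.

```powershell
# Added triage check (not from the thread). Run as an administrator. Read-only.
$systemNames  = @('svchost.exe', 'mstsc.exe', 'hotfix.exe')   # names quoted in the thread (assumed list)
$profileRoots = @('C:\Documents and Settings', 'C:\Users')    # XP-era and Vista+ profile layouts (assumed)
$findings = New-Object System.Collections.ArrayList

# 1. Per-user "Load" value and Run key under every hive in HKEY_USERS, including .DEFAULT.
#    The Load value is almost never used by legitimate software, so any entry is worth a look;
#    Run entries are listed in full so they can be reviewed by hand.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName
    $checks = @(
        @{ Path = "HKU:\$sid\Software\Microsoft\Windows NT\CurrentVersion\Windows"; Name = 'Load' },
        @{ Path = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run";        Name = $null }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $props = $item.PSObject.Properties | Where-Object {
            if ($c.Name) { $_.Name -eq $c.Name } else { $_.Name -notlike 'PS*' }
        }
        foreach ($p in $props) {
            [void]$findings.Add([pscustomobject]@{
                Type = 'Registry'; Where = "$($c.Path)\$($p.Name)"; Detail = $p.Value })
        }
    }
}

# 2. Executables and batch files inside user profiles whose names copy Windows binaries
#    (which belong in System32, not Application Data or the Desktop), plus batch files
#    with long random-looking names like the dkfjasdfshd.bat seen in the thread (heuristic).
foreach ($root in $profileRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -Include *.exe, *.bat -ErrorAction SilentlyContinue |
        Where-Object { ($systemNames -contains $_.Name.ToLower()) -or ($_.Name -match '^[a-z]{8,}\.bat$') } |
        ForEach-Object {
            [void]$findings.Add([pscustomobject]@{
                Type = 'File'; Where = $_.FullName; Detail = "$($_.Length) bytes, written $($_.LastWriteTime)" })
        }
}

$findings | Format-Table -AutoSize
```

Findings are leads, not verdicts: a hash of each flagged file compared against a known-good copy from System32, and the LastWriteTime against the browser history Ralph mentioned, is what turns them into an incident timeline.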