I'm starting to recommend that clients periodically search for any EXE in any subdirectory of the 'Documents and Settings' or 'Users' folders, and also check the RUN keys of the registry that point to any profile location for executables. (Autoruns is a good GUI for not needing to know hives and keys.)
Erik Goldoff
IT Consultant
Systems, Networks, & Security
'Security is an ongoing process, not a one time event!'

-----Original Message-----
From: John Aldrich [mailto:[email protected]]
Sent: Wednesday, December 15, 2010 8:47 AM
To: NT System Admin Issues
Subject: RE: System Tool 2011 malware

Yeah... I ended up disabling system restore while in safe mode. What's scary is that none of the standard tools seem to have caught this new variant and that I only apparently got rid of it by deleting the folder containing the bogus malware. 'Course there was a lot of other crap on there too... MyWebSearch and some other junk. The "usual tools" took care of that stuff.

-----Original Message-----
From: John Cook [mailto:[email protected]]
Sent: Wednesday, December 15, 2010 7:02 AM
To: NT System Admin Issues
Subject: Re: System Tool 2011 malware

Turn off system restore and do another scan.

John W. Cook
Systems Administrator
Partnership for Strong Families

----- Original Message -----
From: John Aldrich <[email protected]>
To: NT System Admin Issues <[email protected]>
Sent: Tue Dec 14 22:21:39 2010
Subject: System Tool 2011 malware

I had a home user who called me to come work on his computer because it kept coming up with the "System Tool 2011" malware (very similar to the fake antivirus malware). The system is Windows XP Media Edition, and had Vipre Home installed. I ran Vipre Rescue yesterday and it supposedly cleaned some of it up, but as soon as the user rebooted into normal mode, it was back. Today, I went back and ran MalwareBytes and SpyBot S&D. Neither apparently caught it, but looking at the startup entries in SpyBot, I saw a random jumble of letters under c:\documents and settings\all users\application data\ which, when I entered the directory in Windows Explorer, showed the icon for the System Tool 2011 malware. Anyone got any clue why Vipre Rescue and Vipre Home didn't catch it?

I tried to submit a zip of it to the CW Sandbox, but got a response that it couldn't be analyzed...

--
Thanks,
John Aldrich
Blueridge Industries
IT Manager

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
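The check Erik Goldoff recommends at the top of the thread (EXEs anywhere under the profile roots, plus Run keys whose command line points into a profile location), scripted for Windows PowerShell. This is an added example, not code from the thread or from any of the participants. It assumes Windows PowerShell 3 or later and a console with enough rights to read HKLM and other users' hives; the list of profile-locating environment variables, the inclusion of ProgramData (where "All Users\Application Data" lives on Vista and later), and the "unsigned" filter at the end are my choices, not something the thread states.

```powershell
# Added example (not from the thread): hunt for executables living in user-profile
# locations and for Run/RunOnce values that launch something from a profile path.
# Read-only: it reports, it does not delete anything.

# Profile roots to walk. On Vista+ "C:\Documents and Settings" is a junction to
# C:\Users protected by a deny-list ACE, so enumerating it fails quietly; Test-Path
# keeps the list to roots that actually exist on this OS version.
$ProfileRoots = @(
    "$env:SystemDrive\Users",
    "$env:SystemDrive\Documents and Settings",
    "$env:SystemDrive\ProgramData"      # assumption: Vista+ home of All Users\Application Data
) | Where-Object { Test-Path -LiteralPath $_ }

# Decides whether a Run value points into a profile location. Both the raw value
# (may still contain %APPDATA% etc.) and its expanded form are tested against this.
$ProfilePathPattern = '(?i)(\\Users\\|\\Documents and Settings\\|\\ProgramData\\|%(APPDATA|LOCALAPPDATA|USERPROFILE|ALLUSERSPROFILE|PROGRAMDATA|TEMP|TMP)%)'

function Get-Sha256Hex {
    # SHA-256 of a file as hex, computed directly so it does not need Get-FileHash (PS 4+).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Describe-Executable {
    # One report row per file: where it is, size, when it appeared, signed or not, hash.
    param([System.IO.FileInfo]$File, [string]$Source)
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    [pscustomobject]@{
        Source    = $Source
        Path      = $File.FullName
        SizeKB    = [math]::Round($File.Length / 1KB, 1)
        Created   = $File.CreationTime
        Signature = $sig.Status     # 'NotSigned' on a randomly named exe is the usual tell
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = Get-Sha256Hex $File.FullName
    }
}

function Get-ProfileExecutables {
    # Every .exe anywhere under the profile roots. -Force picks up hidden files; the
    # Extension check guards against the provider's short-name wildcard quirks.
    foreach ($root in $ProfileRoots) {
        Get-ChildItem -LiteralPath $root -Filter *.exe -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.exe' } |
            ForEach-Object { Describe-Executable -File $_ -Source 'ProfileScan' }
    }
}

function Get-RunKeyPaths {
    # Run/RunOnce under HKLM (both views on x64), the current user, and every
    # profile hive currently loaded under HKEY_USERS.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $suffixes = 'Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce',
                'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    $hives = @('HKLM:', 'HKCU:') + (Get-ChildItem HKU: | ForEach-Object { "HKU:\$($_.PSChildName)" })
    foreach ($h in $hives) { foreach ($s in $suffixes) { Join-Path $h $s } }
}

function Get-ExecutableFromCommandLine {
    # Pull the program path out of a Run value: a quoted path, or the longest
    # space-separated prefix that names an existing file, else the first token.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    $parts = $expanded -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-SuspiciousRunEntries {
    # Run values whose command line points at a profile location, with file details
    # when the target still exists (an orphaned entry is still worth removing).
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in Get-RunKeyPaths) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $value = [string]$p.Value
            $expanded = [Environment]::ExpandEnvironmentVariables($value)
            if ($value -notmatch $ProfilePathPattern -and $expanded -notmatch $ProfilePathPattern) { continue }
            $target = Get-ExecutableFromCommandLine $value
            $row = [ordered]@{ Source = "$key\$($p.Name)"; CommandLine = $value; Target = $target }
            if (Test-Path -LiteralPath $target -PathType Leaf) {
                $info = Describe-Executable -File (Get-Item -LiteralPath $target -Force) -Source $row.Source
                $row.Signature = $info.Signature; $row.Created = $info.Created; $row.SHA256 = $info.SHA256
            } else { $row.Signature = 'TARGET MISSING' }
            [pscustomobject]$row
        }
    }
}

# Report: unsigned binaries under a profile root, newest first, then every profile-pointing Run value.
Get-ProfileExecutables | Where-Object { $_.Signature -ne 'Valid' } | Sort-Object Created -Descending | Format-Table -AutoSize
Get-SuspiciousRunEntries | Format-List
```

Run it from an elevated 64-bit PowerShell so both registry views and other users' loaded hives are readable. The pattern from John's case, an unsigned exe with a random name created in the last few days under Application Data (or ProgramData on newer Windows) and referenced from a Run key, shows up in both lists; the SHA256 column is what you would carry to a sandbox or vendor submission.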
