Try this http://winhelp2002.mvps.org/hosts.txt

On 5 May 2011 14:26, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

> Good to know. Thanks, Mike! I ran across a scheduled job to download and
> redeploy malware once... that was truly a bizarre situation!  Never seen it
> before and never again since. :D I'll have to see if I can't find a "known
> bad" list of malware sites to put in the hosts file. Anyone got something
> like that? That was one of the things SpyBot did that I really liked. Having
> a "blocking" hosts list like that makes it somewhat less likely (although
> with those sites changing by the hour, not much) that a user could get
> (re)infected.
>
>
>
>
> -----Original Message-----
> From: Mike Gill [mailto:lis...@canbyfoursquare.com]
> Sent: Wednesday, May 04, 2011 7:31 PM
> To: NT System Admin Issues
> Subject: RE: Antivirus Center
>
> Because none of the AV/antimalware companies can keep up. I have had quite
> a few of these fake AV infections show up on my desk lately on people's home
> laptops. A couple of them involved rootkits running from the MBR. Unless the
> AV software checks the MBR, and has defs that could see it anyway, you're
> not going to detect it. In those cases re-writing the MBR from a Windows
> recovery environment got rid of the symptoms. In my last two cases the last
> symptom was searching for something using Google/Bing/etc., seeing the
> results, but clicking the links took you to a rogue site. Copy link location
> and paste in URL bar worked fine, but don't click the links! The users opted
> not to have me reinstall the OS despite me recommending it mostly due to
> installed software they no longer have the install source for. What I'm
> seeing lately:
>
> 1) malware using the task scheduler instead of more common startup methods
>    (e.g. Registry) for executing the malware
> 2) always check the hosts file and DNS
> 3) delete temp and temp internet folder contents, reset browsers to defaults
> 4) empty recycle bin (seen the malware live from in there a couple times
>    lately)
> 5) just go ahead and rewrite the MBR just because
> 6) use msconfig, process explorer, listdlls and other sysinternals tools
> 7) hitman pro works well as second opinion AV (free one time use, but not
>    for domain joined machines)
>
> This is just the short list and changes from machine to machine depending on
> what I see. There's more that needs to be done most of the time. Google
> image searches seem to be what is getting people a lot lately and they're
> not looking for porn either. The domains some of these images are on have
> just been hijacked, or bought and repurposed to deliver the bad wares now. I
> suspect ads on Facebook too.
>
> --
> Mike Gill
>
> -----Original Message-----
> From: N Parr [mailto:npar...@mortonind.com]
> Sent: Wednesday, May 04, 2011 12:05 PM
> To: NT System Admin Issues
> Subject: RE: Antivirus Center
>
> I've never had luck with Vipre detecting, let alone stopping, any of these
> fake AV's over the years.  It's really my only big issue with the product.
> Probably had a dozen or so home and work users get a variation and Vipre's
> failed every time.  Most of the time I can do a system restore back to a
> point in time where the virus wasn't installed and scan with other products
> to get rid of infected files.
>
> -----Original Message-----
> From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
> Sent: Wednesday, May 04, 2011 1:58 PM
> To: NT System Admin Issues
> Subject: RE: Antivirus Center
>
> Richard, this is an end-user we're talking about. :D I found instructions on
> bleeping computer on how to get rid of it, but the end user is barely
> computer literate and he's in Texas, while I'm in Georgia. He decided he'd
> rather ship me his computer than take it to a local tech. I was just curious
> as to why Vipre Rescue didn't find it and whack it...
>
>
>
> From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
> Sent: Wednesday, May 04, 2011 2:55 PM
> To: NT System Admin Issues
> Subject: Re: Antivirus Center
>
>
> Can you run the task manager w/o the bug blocking it?  How about "cmd"?
> Windows Explorer (NOT IE!)?
>
> Although a bug whacked the registry, we had one where we could see what
> process was starting when "something" triggered the fake AV window.  We
> noted the name of the process, then killed that process.
>
> We went into Explorer and were actually able to delete the process file.
>
> We have been able to open the registry, go looking for (in HKLM,
> HKCurrentUser, and HKUsers.Default) .\windows\CurrentVersion\Run something
> that obviously does not belong there.  We whack that value and reboot. THEN
> we can find things with VIPRE and MBytes scans.
>
> "John Aldrich" <jaldr...@blueridgecarpet.com> wrote on 05/04/2011 01:21:55 PM:
>
> > I just had a remote user infected with "Antivirus Center" fake
> > antivirus. I had him try to run Vipre Rescue, but it didn't find
> > anything. Any idea why VR didn't find it?
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
> > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> >
> > ---
> > To manage subscriptions click here:
> > http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to listmana...@lyris.sunbeltsoftware.com
> > with the body: unsubscribe ntsysadmin


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

*IMPORTANT: The information in this email is CONFIDENTIAL. If its contents
are disclosed in any way my lawyers will swoop down from black helicopters
like Seal Team Six and drag you away with a black bag over your head. They
will then take you to a secret prison and make you fight to the death with
other people who dared to share this email. You will be given a large bowie
knife and a supply of methamphetamines while I watch the said deathmatch and
wager vast sums of money on who will be the winner. If the fight becomes
boring or there is a stalemate, I will release rabid dogs and my two-stone
cat into the arena to liven things up a bit. If these animals become in any
way docile, I will squirt them with water pistols until they become a bit
more temperamental.*
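
The thread's advice to "always check the hosts file" and the request for a "blocking" hosts list both come down to reading the same file format, so here is an added example (not part of the original messages, and not code from any product named in them) that audits hosts-file text. The function names, the report layout and the sample entries are assumptions made for illustration; the sample uses reserved `.example` names and a documentation-range address.

```python
import ipaddress

# Constructed sample hosts content (not taken from any real machine).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.badsite.example   tracker.badsite.example  # blocklist entry
127.0.0.1       malware.example
203.0.113.7     www.search.example    # not a sinkhole: traffic is redirected
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) per entry; ip is None when it does not parse."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        yield line_no, ip, [h.lower() for h in fields[1:]]

def audit_hosts(text):
    """Split entries into blocked names, redirects to review, and malformed lines."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for line_no, ip, names in parse_hosts(text):
        if ip is None or not names:
            report["malformed"].append(line_no)
        elif ip.is_loopback or ip.is_unspecified:
            # 127.0.0.1, ::1 and 0.0.0.0 sink the lookup: how a blocking list works.
            report["blocked"].extend(n for n in names if n != "localhost")
        else:
            # Any other address sends the name to a real host and needs a human look.
            report["redirected"].extend((line_no, n, str(ip)) for n in names)
    return report

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(len(result["blocked"]), "blocked names")
    for line_no, name, ip in result["redirected"]:
        print(f"line {line_no}: {name} -> {ip} (review)")
    print("malformed lines:", result["malformed"])
```

On a machine being cleaned, the `redirected` list is the part to read first: a blocking list only ever maps names to a sink address, so any entry pointing elsewhere was put there by something else.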
