Re: (OT) W32.Virut.W
Not yet, but I did come to a solution. The virus is doing 2 basic things:
1. spawning off new process files to run
2. opening up a back door for someone to come in and update/install new viruses

I'm using a program called StopZilla to stop the backdoors from operating until I can remove them. No new processes are being spawned off and the machine isn't rebooting every few minutes 2 or 3 times a day. It's proved itself enough and I'll be ordering a subscription soon.

On Thu, Mar 26, 2009 at 9:32 AM, Gerald Guido wrote:
> Shot in the dark... but did you try Dr. Web?
>
> http://www.freedrweb.com/
>
> HTH
> G!
>
> On Thu, Mar 26, 2009 at 5:12 AM, Michael Dinowitz <mdino...@houseoffusion.com> wrote:
>> Thanks but neither solution seems to have an option to actually remove the viruses.

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321036
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: (OT) W32.Virut.W
On Fri, Mar 27, 2009 at 5:21 AM, Tom Chiverton wrote:
> Don't get me started on SMM or red/blue pill attacks either.

Will do. But yeah, those are the ones that lend towards soiling my skivvies. I have been hacked twice (that I know of) and it is one of the worst feelings a geek can get. It is the "that I know of" part that scares the crap out of me.

G!

--
Gerald Guido
http://www.myinternetisbroken.com
"To invent, you need a good imagination and a pile of junk." -- Thomas A. Edison

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321034
Re: (OT) W32.Virut.W
On Thursday 26 Mar 2009, Gerald Guido wrote:
> >> The BIOS could be compromised.
> The BIOS? Yikes!!

Put it this way. You can flash the BIOS by running a program. Someone you do not trust has been running unknown programs.

Don't get me started on SMM or red/blue pill attacks either.

--
Tom Chiverton
Helping to adaptively participate third-generation platforms as part of the IT team of the year, '09 and '08

This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is available for inspection at the registered office together with a list of those non members who are referred to as partners. We use the word partner to refer to a member of the LLP, or an employee or consultant with equivalent standing and qualifications. Regulated by the Solicitors Regulation Authority.

CONFIDENTIALITY
This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.co

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321031
Re: (OT) W32.Virut.W
>> Only way to be safe.

Pretty much. "...nuke the entire site from orbit. It's the only way to be sure."
http://www.youtube.com/watch?v=aCbfMkh940Q

--
Gerald Guido
http://www.myinternetisbroken.com
"To invent, you need a good imagination and a pile of junk." -- Thomas A. Edison

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321020
RE: (OT) W32.Virut.W
Same here.. once compromised, unplug from network. Reformat, reinstall O/S, install applications, and restore data from known good backup (backed up right?). Only way to be safe.

-----Original Message-----
From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
Sent: Thursday, March 26, 2009 8:50 AM
To: cf-talk
Subject: RE: (OT) W32.Virut.W

I got this from a quick web search:
"Virut is a virus that infects any executable files and screensavers that the user accesses. The parasite also opens a back door providing the attacker with unauthorized remote access to the compromised computer. The intruder can upload and run arbitrary files."

I would reformat the drive and reinstall everything. There is no way you can trust anything on the server any more and if there were credit cards in the database, they are probably stolen already.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321019
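One caveat a practitioner would add to "restore data from known good backup": the quoted description says Virut infects executables and screensavers the user accesses, so a backup taken after the infection can carry infected binaries back onto the rebuilt box. The following is an added example, not from the thread: it builds a SHA-256 manifest of `.exe` and `.scr` files from a known-clean reference tree (a fresh install or a pre-incident image) and reports which files in a backup set differ from it or were never in the reference. It assumes Windows PowerShell 4 or later for `Get-FileHash`; the paths at the bottom are placeholders.

```powershell
# Added example, not from the thread. Step 1 records hashes of executables and
# screensavers from a known-clean reference; step 2 compares a backup set
# against that manifest before anything from it is restored.
$Patterns = @('*.exe', '*.scr')   # the file types the quoted description names

function Get-RelativeHashes {
    param([string]$Root)
    $root = (Resolve-Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File -Include $Patterns | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function New-CleanManifest {
    param([string]$ReferenceRoot, [string]$ManifestPath)
    Get-RelativeHashes -Root $ReferenceRoot |
        Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupAgainstManifest {
    param([string]$BackupRoot, [string]$ManifestPath)
    $expected = @{}
    Import-Csv -Path $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_.Sha256 }

    foreach ($f in Get-RelativeHashes -Root $BackupRoot) {
        # A binary that is not in the clean reference, or whose hash differs
        # from it, must not be restored as-is; a file infector rewrites the
        # executable in place, so the hash change is exactly what we look for.
        if (-not $expected.ContainsKey($f.RelativePath)) { $status = 'NOT_IN_REFERENCE' }
        elseif ($expected[$f.RelativePath] -ne $f.Sha256) { $status = 'MODIFIED' }
        else { $status = 'OK' }
        [pscustomobject]@{ RelativePath = $f.RelativePath; Status = $status }
    }
}

# Placeholder paths: point them at a mounted clean image and the backup set.
New-CleanManifest -ReferenceRoot 'D:\clean-reference' -ManifestPath '.\clean-manifest.csv'
Test-BackupAgainstManifest -BackupRoot 'E:\backup-set' -ManifestPath '.\clean-manifest.csv' |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```

Run the comparison on a clean machine that mounts the backup read-only, so that scanning the backup cannot itself execute anything in it.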
Re: (OT) W32.Virut.W
sonicDivx wrote:
> Mike,
>
> The Virut stuff is mucho problemo.

Another thing it does is turn your computer into a spam generator/zombie. If you have Process Explorer, you will note that the virus/rootkit will have started multiple instances of Internet Explorer in non-interactive mode (as well as netsh and cmd) for sending out a stream of spam messages. It does affect the MBR.

Judith

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321007
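A scripted first pass over the symptom Judith describes, added here as an example that is not part of the thread: it lists Internet Explorer, netsh and cmd processes that have no visible window, together with their parent process, so that clusters of hidden children under one unexpected parent can be pulled into Process Explorer for a closer look. It assumes a current Windows host with PowerShell 3 or later (not the Windows 2000 box in the thread), and the default process-name list is constructed from the names in Judith's message.

```powershell
# Added example, not from the thread. Heuristic only: a legitimate headless
# instance of any of these programs is listed too, so read the output next to
# what Process Explorer shows rather than treating a hit as proof.
function Get-HiddenSuspectProcesses {
    param(
        # Constructed default from the names in the thread; adjust as needed.
        [string[]]$Names = @('iexplore.exe', 'netsh.exe', 'cmd.exe')
    )

    # Win32_Process supplies parent PID and command line; Get-Process supplies
    # the main window handle, which is 0 for a process with no visible window.
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $all) {
        if ($Names -notcontains $p.Name) { continue }

        $live = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        if (-not $live) { continue }                   # exited between queries
        if ($live.MainWindowHandle -ne 0) { continue } # has a window: skip it

        $parent = $byPid[[int]$p.ParentProcessId]
        [pscustomobject]@{
            Name        = $p.Name
            ProcessId   = $p.ProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            ParentId    = $p.ParentProcessId
            SessionId   = $p.SessionId
            CommandLine = $p.CommandLine
        }
    }
}

# Many hidden iexplore.exe children under a single parent that is not the
# logged-on user's shell is the pattern worth investigating first.
Get-HiddenSuspectProcesses |
    Group-Object ParentName, Name |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```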
Re: (OT) W32.Virut.W
>> May as well wait until Apr 2 after Conficker awakens.

Damn. That thing looks *mean*.
http://en.wikipedia.org/wiki/Conficker

>> The BIOS could be compromised.

The BIOS? Yikes!!

>> if you are feeling paranoid.

I *always* felt paranoid when I had a server in the wild. Rootkits give me what Hunter Thompson used to call "The Fear". Sometimes I am *so* glad I got out of the hosting biz.

Best of luck with this Michael.

G!

On Thu, Mar 26, 2009 at 12:05 PM, Dawson, Michael wrote:
> May as well wait until Apr 2 after Conficker awakens.
>
> Mike

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321000
Re: (OT) W32.Virut.W
Mike,

The Virut stuff is mucho problemo. I just got a variant and just ended up reinstalling, mainly because antivirus started deleting/renaming/quarantining system files even after several safe boot cleans.

On Thu, Mar 26, 2009 at 12:05 PM, Dawson, Michael wrote:
> May as well wait until Apr 2 after Conficker awakens.
>
> Mike
>
> -----Original Message-----
> From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
> Sent: Thursday, March 26, 2009 10:50 AM
> To: cf-talk
> Subject: RE: (OT) W32.Virut.W
>
> I got this from a quick web search:
> "Virut is a virus that infects any executable files and screensavers that the user accesses. The parasite also opens a back door providing the attacker with unauthorized remote access to the compromised computer. The intruder can upload and run arbitrary files."
>
> I would reformat the drive and reinstall everything. There is no way you can trust anything on the server any more and if there were credit cards in the database, they are probably stolen already.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320999
Re: (OT) W32.Virut.W
On Thursday 26 Mar 2009, Al Musella, DPM wrote:
> computer. The intruder can upload and run arbitrary files."
> I would reformat the drive and reinstall everything.

Trash the whole box and get a new one, if you are feeling paranoid. The BIOS could be compromised.

--
Tom Chiverton
Helping to vitalistically reintermediate mission-critical attention-grabbing m-commerce as part of the IT team of the year, '09 and '08

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320997
RE: (OT) W32.Virut.W
May as well wait until Apr 2 after Conficker awakens.

Mike

-----Original Message-----
From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
Sent: Thursday, March 26, 2009 10:50 AM
To: cf-talk
Subject: RE: (OT) W32.Virut.W

I got this from a quick web search:
"Virut is a virus that infects any executable files and screensavers that the user accesses. The parasite also opens a back door providing the attacker with unauthorized remote access to the compromised computer. The intruder can upload and run arbitrary files."

I would reformat the drive and reinstall everything. There is no way you can trust anything on the server any more and if there were credit cards in the database, they are probably stolen already.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320996
RE: (OT) W32.Virut.W
I got this from a quick web search:
"Virut is a virus that infects any executable files and screensavers that the user accesses. The parasite also opens a back door providing the attacker with unauthorized remote access to the compromised computer. The intruder can upload and run arbitrary files."

I would reformat the drive and reinstall everything. There is no way you can trust anything on the server any more and if there were credit cards in the database, they are probably stolen already.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320995
RE: (OT) W32.Virut.W
This might help. Try running msconfig and select a boot method. Each OS is a little different.

Terry

-----Original Message-----
From: Michael Dinowitz [mailto:mdino...@houseoffusion.com]
Sent: Wednesday, March 25, 2009 7:55 PM
To: cf-talk
Subject: (OT) W32.Virut.W

The House of Fusion webserver has the W32.Virut.W virus. Does anyone know a way to remove this virus remotely on a Windows 2000 machine? I can't boot it into safe mode so that's not an option.
Thanks

--
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
President: House of Fusion (http://www.houseoffusion.com)
Publisher: Fusion Authority (http://www.fusionauthority.com)
Adobe Community Expert / Advanced Certified ColdFusion Professional
Yes, I am Mr. "bad boy" to everyone

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320990
RE: (OT) W32.Virut.W
ESet will give you the path of the virus file and the registry values to delete. I believe Panda's free online scanner will remove viruses for you once you register with an email.

HTH.

-----Original Message-----
From: Michael Dinowitz [mailto:mdino...@houseoffusion.com]
Sent: 2009-03-26 05:13
To: cf-talk
Subject: Re: (OT) W32.Virut.W

Thanks but neither solution seems to have an option to actually remove the viruses.

On Wed, Mar 25, 2009 at 11:33 PM, Kym Kovan wrote:
> Michael Dinowitz wrote:
>> The House of Fusion webserver has the W32.Virut.W virus. Does anyone know a way to remove this virus remotely on a Windows 2000 machine? I can't boot it into safe mode so that's not an option.
>> Thanks
>
> We have used TrendMicro's Housecall successfully on some virii or check the other online ones:
>
> http://www.precisesecurity.com/antivirus/online-scan.htm
>
> --
> Yours,
> Kym Kovan
> mbcomms.net.au

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320988
Re: (OT) W32.Virut.W
Shot in the dark... but did you try Dr. Web?

http://www.freedrweb.com/

HTH
G!

On Thu, Mar 26, 2009 at 5:12 AM, Michael Dinowitz <mdino...@houseoffusion.com> wrote:
> Thanks but neither solution seems to have an option to actually remove the viruses.
>
> On Wed, Mar 25, 2009 at 11:33 PM, Kym Kovan wrote:
>> Michael Dinowitz wrote:
>>> The House of Fusion webserver has the W32.Virut.W virus. Does anyone know a way to remove this virus remotely on a Windows 2000 machine? I can't boot it into safe mode so that's not an option.
>>> Thanks
>>
>> We have used TrendMicro's Housecall successfully on some virii or check the other online ones:
>>
>> http://www.precisesecurity.com/antivirus/online-scan.htm
>>
>> --
>> Yours,
>> Kym Kovan
>> mbcomms.net.au

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320986
Re: (OT) W32.Virut.W
Thanks but neither solution seems to have an option to actually remove the viruses.

On Wed, Mar 25, 2009 at 11:33 PM, Kym Kovan wrote:
> Michael Dinowitz wrote:
>> The House of Fusion webserver has the W32.Virut.W virus. Does anyone know a way to remove this virus remotely on a Windows 2000 machine? I can't boot it into safe mode so that's not an option.
>> Thanks
>
> We have used TrendMicro's Housecall successfully on some virii or check the other online ones:
>
> http://www.precisesecurity.com/antivirus/online-scan.htm
>
> --
> Yours,
> Kym Kovan
> mbcomms.net.au

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320984
Re: (OT) W32.Virut.W
Michael Dinowitz wrote:
> The House of Fusion webserver has the W32.Virut.W virus. Does anyone know a way to remove this virus remotely on a Windows 2000 machine? I can't boot it into safe mode so that's not an option.
> Thanks

We have used TrendMicro's Housecall successfully on some virii or check the other online ones:

http://www.precisesecurity.com/antivirus/online-scan.htm

--
Yours,
Kym Kovan
mbcomms.net.au

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320978
RE: (OT) W32.Virut.W
Michael, I think the online virus scanner by Eset can do that.

-----Original Message-----
From: Michael Dinowitz [mailto:mdino...@houseoffusion.com]
Sent: 2009-03-25 22:55
To: cf-talk
Subject: (OT) W32.Virut.W

The House of Fusion webserver has the W32.Virut.W virus. Does anyone know a way to remove this virus remotely on a Windows 2000 machine? I can't boot it into safe mode so that's not an option.
Thanks

--
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
President: House of Fusion (http://www.houseoffusion.com)
Publisher: Fusion Authority (http://www.fusionauthority.com)
Adobe Community Expert / Advanced Certified ColdFusion Professional
Yes, I am Mr. "bad boy" to everyone

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320977