RE: PC that can't Google
Likely the hosts file is hidden.

attrib -s -h -r c:\windows\system32\drivers\etc\hosts

Then open it in Notepad. Lately I'm seeing the bad hosts entries at the very bottom of the hosts file, after about 100 blank lines. Once in a while, too, I see the ACLs changed on the hosts file to make it difficult to edit. Restore the ACLs, then remove the bad hosts. (Right click > Properties > Security > Advanced > inherit from the parent > OK out.)

Can you send me the bad hosts? I want to be able to get them in Vipre defs.

Tammy

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: January-12-12 10:04 AM
To: NT System Admin Issues
Subject: RE: PC that can't Google

I've searched the C drive for any hosts file and couldn't find one.

--
Bob Hartung
Dir of I.T.
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

From: David Lum [mailto:david@nwea.org]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Thu, 12 Jan 2012 08:57:32 -0600
Subject: RE: PC that can't Google

HOSTS file?

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: Thursday, January 12, 2012 6:52 AM
To: NT System Admin Issues
Subject: PC that can't Google

One of our VPs brought in his company-supplied home PC (Dell Optiplex WinXP Pro SP3). He said it was slow and something had changed his home page and he couldn't change it back. He also said he couldn't access Google. His home page had been taken over by My Web Search. I checked the Vipre quarantine and parts of My Web Search had been removed, so I could uninstall it. I ran a Vipre deep scan and installed the latest version of Malwarebytes and ran its deep scan as well. It detected a number of My Web Search registry entries. Everything seemed to be running smoothly and much quicker after the scanning and deleting. My Web Search was gone but the Google problem persists. Using either Firefox or IE, you can access any website without problem except Google.com.

At the command prompt, you can ping or tracert any website and it will resolve the name to its IP address, except Google.com. Google.com just times out with the error that the host name could not be found. I've checked; there is no lmhosts file. I've also run ipconfig. The PC is attached to our work network and through DHCP has picked up our standard DNS server to use. Everyone else can get to Google.com. What else could be interfering with just the Google.com name?

--
Bob Hartung
Dir of I.T.
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
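The hijack pattern Tammy describes (entries pushed below a long run of blank lines, a bare `::1`, a well-known name such as google.com given a local mapping, S/H/R attributes set on the file) can be checked mechanically. This is an added example, not code from the thread; the watch list, the 20-line blank-run threshold and the sample hosts text are constructed.

```python
"""Check a Windows hosts file for the hijack pattern described in the thread."""
import ipaddress
import os
import stat
import sys
from dataclasses import dataclass

# Assumed watch list: names that should never get a local hosts mapping on a workstation.
WATCHED_NAMES = {"google.com", "www.google.com"}
# Legitimate hosts files rarely carry long runs of blank lines; the thread saw about 100.
BLANK_RUN_THRESHOLD = 20


@dataclass
class Finding:
    line_no: int
    kind: str
    text: str


def find_suspicious_entries(text: str, blank_run_threshold: int = BLANK_RUN_THRESHOLD) -> list:
    """Walk the hosts text line by line and report entries that deserve a human look."""
    findings = []
    blank_run = 0  # consecutive blank or comment-only lines since the last entry
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            blank_run += 1
            continue
        fields = line.split()
        address, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append(Finding(line_no, "malformed entry", raw))
            blank_run = 0
            continue
        if blank_run >= blank_run_threshold:
            findings.append(Finding(line_no, f"entry after {blank_run} blank lines", raw))
        if not names:
            # A bare address such as "::1" with no hostname is not a valid mapping.
            findings.append(Finding(line_no, "address with no hostname", raw))
        if set(names) & WATCHED_NAMES:
            # Any hosts mapping for a watched name, loopback or not, overrides DNS for it.
            findings.append(Finding(line_no, "watched name overridden", raw))
        elif names and not (addr.is_loopback or addr.is_unspecified):
            findings.append(Finding(line_no, "non-loopback mapping (review)", raw))
        blank_run = 0
    return findings


def attribute_warnings(path: str) -> list:
    """On Windows, report the System/Hidden/Read-only bits the thread saw set on a hijacked hosts file."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is None:  # not Windows: attribute bits are not exposed
        return []
    bits = {
        "system": stat.FILE_ATTRIBUTE_SYSTEM,
        "hidden": stat.FILE_ATTRIBUTE_HIDDEN,
        "read-only": stat.FILE_ATTRIBUTE_READONLY,
    }
    return [name for name, bit in bits.items() if attrs & bit]


# Constructed sample modelled on the thread; 203.0.113.0/24 is documentation address space.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\n"
    "127.0.0.1       localhost\n"
    "::1\n"
    + "\n" * 100
    + "203.0.113.5     google.com\n"
    "203.0.113.5     www.google.com\n"
    "192.168.1.10    intranet.example\n"
)


def main(argv):
    path = argv[1] if len(argv) > 1 else None
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for warn in attribute_warnings(path):
            print(f"{path}: {warn} attribute set")
    else:
        text = SAMPLE_HOSTS
    findings = find_suspicious_entries(text)
    for f in findings:
        print(f"line {f.line_no:>4}: {f.kind}: {f.text.strip()}")
    return len(findings)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the report on the constructed sample, or pass `c:\windows\system32\drivers\etc\hosts` to inspect a real file.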
RE: PC that can't Google
Possibly the file was set to read-only. The read-only attribute wouldn't let you edit it. That ::1 is an IPv6 address. Further down in that hosts.junk there should be some funny addresses, with a ton of blank space between the ::1 and the end of the file.

Tammy

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: January-12-12 12:26 PM
To: NT System Admin Issues
Subject: RE: PC that can't Google

Interesting. Originally I searched for hosts on the C drive and nothing showed up. Now I've navigated to windows\system32\drivers\etc, and there's the hosts file. I can open it and it looks like the default hosts file, with one exception: the last line is ::1. I tried to edit this out but was denied even though I'm logged in as the local administrator. I went to the command prompt and ran attrib on it and it shows as SHR. Checking another PC, normally this file doesn't have these attributes. I tried to change the attributes but still no luck. Finally, I tried renaming the hosts file to hosts.junk and that worked. Go figure. Then I copied a default hosts file from a different PC and that enabled Google.com. I don't have a clue as to why this fixed the problem.

--
Bob Hartung
Dir of I.T.
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

From: David Lum [mailto:david@nwea.org]
To: NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com]
Sent: Thu, 12 Jan 2012 09:41:38 -0600
Subject: RE: PC that can't Google

Odd, even by default there's one that has 127.0.0.1 in it. Show hidden and system files, look in hidden files and folders, and look again; it should exist.

From: Bob Hartung [mailto:bhart...@wiscoind.com]
Sent: Thursday, January 12, 2012 7:04 AM
To: NT System Admin Issues
Subject: RE: PC that can't Google

I've searched the C drive for any hosts file and couldn't find one.

--
Bob Hartung
Dir of I.T.
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com
RE: test message
Passed test?

From: Donald Bittenbender [mailto:donald.bittenben...@gfi.com]
Sent: December-09-11 5:10 PM
To: NT System Admin Issues
Subject: test message

Just posting a friendly test message to the list.

Donald Bittenbender
Software Developer - GFI Software
Salesforce / SharePoint Admin
Web Mail Security, Archiving Fax, Networking Security
Tel.: +1 866 389 5597 ext 6065
Mob.: +1 727 748 2708
www.gfi.com
RE: Mevio?
Sounds a bit nasty -- I've run into a few of these lately. What OS? And is it 32 or 64 bit?

Sounds like an MBR infection -- possibly mbr.sst.a or .b. It is commonly dropped with those similar rogue AVs. This program should tell you if the MBR is faked: http://ad13.geekstogo.com/MBRCheck.exe If you are running SonicWall it will report that file as Conficker. It is a f/p detection. All the tool does is check the MBR, make a log, give you the ability to dump a copy of the MBR, and re-write the MBR if found infected. If using the tool to fix the MBR, make sure, if you have disk encryption enabled, to disable that first or you may render the system unbootable.

If 64 bit OS, check also Disk Management. Possibly there is a whole new partition created by the infection that is loading before the OS. If this is the case -- you will need a bootable partition management tool to remove the bad partition, reset the right one as active, etc. so it will boot. The infection sets its partition to load before the others. TDSSKiller might be able to detect the infection as well. (It cannot deal with the infection that creates the rootkit partition, but usually can deal with MBR infection.)

Process Explorer -- if you double click the iexplore.exe process and look at the TCP/IP tab you will see a ton of connections.

Tammy

From: Len Hammond [mailto:lenhammo...@gmail.com]
Sent: November-18-11 5:06 PM
To: NT System Admin Issues
Subject: Mevio?

Got one word for the group... Mevio. What is it and why would someone want it on a machine? So far I'm finding info saying it is a virus (and I tend to think that's right) and some conflicting info suggesting that it is something related to iTunes and is a music and/or video playing source and software. To the best of my knowledge, this Mevio was not invited into this machine by the owner; I'm just trying to get it out of his way. It keeps popping up and wanting to be installed/validated. This machine also has reportedly been found, after being idle overnight, to be playing music out the speakers. They said it was like a radio station. Also, the process iexplore.exe is always running without Internet Explorer being in the Applications area in Task Manager or on the task bar. It does appear to have arrived at about the same time as a virus (trojan = AV Security 2012) that at this time seems to have been eradicated.

Ultimately, I think this, being an older machine, will probably get refurbished with a wipe/reinstall before going back into permanent service. But, in the meantime, I'd like to get the guy working without the interruptions. Think I'll uninstall IE9 for a while and let him use Chrome, as IE seems to be the app that is causing the trouble, or IE has been compromised and the malware is causing the trouble through IE.

As always, thanks for the thoughts and help.

Len Hammond
CSI:Hartland, LLC
RE: Renaming blank files from cmd line
Have not tried chkdsk -- good idea. Cacls/icacls usually works. Del *.* /p works if the blank is not in a directory where other files reside that I cannot blanket delete (such as system32).

Believe I found a way to find these blanks. We have an ARK tool I can specify directories to scan for from the cmd line, so that should work. I forgot about being able to specify directories for it to scan. The tool did pick up a blank buried in the windows\install directory. Just a few directories that cacls/icacls seem to refuse to work on (GAC_32, GAC_64). Have to re-visit the ARK tool and see about having it rip out those files.

Quite a bit of the time, yes -- wipe/reload is chosen due to the nature of the beast being fought, what the system is being used for, etc., but not everyone has this luxury, because either the admin for whatever reason has no backups or, in the case of it being an end user, there are rarely ever recovery CDs that come with PCs anymore. (But these arguments are another subject entirely, lol.)

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Monday, October 31, 2011 8:35 AM
To: NT System Admin Issues
Subject: Re: Renaming blank files from cmd line

On Sat, Oct 29, 2011 at 3:47 PM, Tammy <copper...@personainternet.com> wrote:
> However if this file is there along with a bunch of others that cannot be moved out (even temporarily), obviously I can't do del *.*.

Some things that may be useful that I haven't seen mentioned yet:

CHKDSK
CACLS *.* ...
DEL *.* /P

Also, if the system's been compromised, I usually start with a disk wipe and reinstall from known-good media. Presumably you judge the cost of that to be too high for whatever reason, but keep in mind that if the system has been compromised, you can't really ever be sure you've cleaned it.

-- Ben
RE: Renaming blank files from cmd line
Thanks Ben,

Indeed that should work fine. The blank always shows first in the directory when listed by name. The machine I worked on today did not have these blanks.

Tammy

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Monday, October 31, 2011 10:30 AM
To: NT System Admin Issues
Subject: Re: Renaming blank files from cmd line

On Mon, Oct 31, 2011 at 9:06 AM, Tammy Stewart <copper...@personainternet.com> wrote:
> Del *.* /p works if the blank is not in a directory where other files reside that I cannot blanket delete (such as system32).

When you do a DEL *.* /P, it will prompt you for each file. If the blank name file comes first, answer Yes to that one, then CTRL+BREAK out of the command for the rest. If the blank name file comes last, yah, it won't help for a huge directory like SYSTEM32. Might be practical for a directory with a smaller number of files, though.

-- Ben
RE: Renaming blank files from cmd line
Kewl. You have a link or something with details to do/use those tools? Most of the removals I am doing are remote.. I don't actually have my hands on the box physically.

Thanks,
Tammy

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Saturday, October 29, 2011 4:40 PM
To: NT System Admin Issues
Subject: RE: Renaming blank files from cmd line

Well, it's got a name. You just can't access it through the normal cmd.exe or Windows utilities. And that name may be blanks.

NTFS provides full POSIX support including VLFNs and Unicode filenames. Windows doesn't.

Loading cygwin1.dll along with ls.exe and find.exe and od.exe and rm.exe should give what's necessary: the ability to look at every file, translate its name to hex for identification, and then do arbitrary removals. I'm pretty sure that Cygwin can be loaded on a USB key these days.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Saturday, October 29, 2011 4:26 PM
To: NT System Admin Issues
Subject: Re: Renaming blank files from cmd line

AFAIK, you can't have a file without a file name of some sort. What happens if you do a dir /b in the directory? What do you get if you use PowerShell to enumerate the directory?

Are you sure that it's not creating an ADS? Try this to make sure: http://technet.microsoft.com/en-us/sysinternals/bb897440

Kurt

On Sat, Oct 29, 2011 at 12:47, Tammy <copper...@personainternet.com> wrote:
> Hi,
>
> Interesting issue. One of the variants of the Sirefef/ZeroAccess trojan, while it infects several 3rd party exe files that usually run as services, such as the Google Updater service (just as an example), also creates a totally blank file in the same directory. No file name, no extension. The file is completely blank.
>
> Having the AV repair infected exes is not an issue. Removing the main rootkit(s) is not an issue. The issue is mostly with 64 bit Vista/Windows 7. Not usually an issue removing these blanks (on 32 bit OS) with the likes of GMER (an anti-rootkit tool), or, if that is the only file in the directory (moved orig exe so nothing is in that directory besides the blank), doing del *.* from cmd will wipe out the file. However, if this file is there along with a bunch of others that cannot be moved out (even temporarily), obviously I can't do del *.*. If it is in, say, the system32 directory (which is common), where tools like GMER do not work because it is not compatible with the system (64 bit OS, critical server where one cannot chance a crash (GMER is not the most stable ARK tool on the planet))... The ones that seem to be the biggest issue are the ones that are buried in some \assembly sub directories where permissions are different anyway.
>
> Cleaning up the rootkit infected exes then trying to do a system restore (because at this point the infection is not blocking it) is at best sketchy. Either it works well, or the blanks cause issues and the restore brings the OS to a worse condition than the half fixed infection.
>
> How can one look for/delete totally blank file names without nuking everything else in said directory?
>
> The biggest issue seems to be 64 bit OSes. No specific file size. All are different. Leaving said blank files often causes issues with whatever program this blank is in. These blanks also often cause issues with updating said software or successful uninstall/re-install. Often system directories are affected (system32, drivers, assembly, etc.). To further complicate things, permissions on said file are trashed so nothing has enough access to it to remove it. Cannot do it in Explorer because Windows cannot read the files. (I assume blank file names are illegal in Windows.) You can see them in Explorer but cannot do anything from there. This blank is usually a copy of whatever exe was infected.
>
> Because of the above... Most AV scanners, when they hit this blank, are either halted (can't scan any deeper, so just hang) or pass the directory entirely without scanning its contents. (So one cannot scan (or even properly monitor) the entire system until this file is cleared out.) If you have a dozen of these files including a few in large system directories -- you can see how this can be a security issue.
>
> So to make a long story short(er):
> 1. I need to be able to search the entire drive for files with no file name/extension.
> 2. I need to be able to adjust permissions on said files so I can delete them (without messing with permissions on the entire directory).
> 3. I need to delete said files without nuking the remaining contents of whatever directory these files live in.
>
> Google-Fu does not seem to be working well. Ideas on a batch or script to perform the above?
>
> TIA!
> Tammy
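Tammy's three steps (find no-name files anywhere on the drive, then remove just those without touching their neighbours) and Michael's idea of translating each name to hex for identification, as an added Python example that is not code from the thread. The `\\?\` extended-length path prefix stands in for the Cygwin tooling so the Win32 layer passes the raw name through to NTFS; the permission step is left to the icacls/takeown the thread already names; the directory listing is constructed.

```python
"""Find files whose names contain no visible characters and show the raw name bytes."""
import os
import sys


def name_is_blank_like(name: str) -> bool:
    """True when no character in the name is both printable and non-whitespace.

    Catches the empty name, plain spaces, NBSP, zero-width spaces, BOMs and control characters.
    """
    return not any(ch.isprintable() and not ch.isspace() for ch in name)


def hex_name(name: str) -> str:
    """Hex of the UTF-16LE code units, which is how NTFS stores the name; ' ' -> '0020'."""
    raw = name.encode("utf-16-le")
    return " ".join(f"{raw[i + 1]:02x}{raw[i]:02x}" for i in range(0, len(raw), 2))


def to_extended_path(path: str) -> str:
    r"""Prefix an absolute Windows path with \\?\ so the Win32 layer hands the name to the
    file system verbatim instead of trimming trailing spaces and dots."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):  # UNC share becomes \\?\UNC\server\share\...
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def scan_names(entries):
    """entries: iterable of (directory, name); returns [(directory, name, hex)] for blank-like names."""
    return [(d, n, hex_name(n)) for d, n in entries if name_is_blank_like(n)]


def walk_names(root: str):
    """Yield (directory, name) for every file under root, using the extended form on Windows
    so the directories handed back already carry the \\?\ prefix."""
    start = to_extended_path(os.path.abspath(root)) if os.name == "nt" else root
    for dirpath, _dirs, files in os.walk(start):
        for f in files:
            yield dirpath, f


def remove_blank_named(hits, dry_run: bool = True) -> dict:
    """Delete only the listed blank-named files, one at a time; the rest of each directory is untouched."""
    results = {}
    for directory, name, _hx in hits:
        target = os.path.join(directory, name)
        if os.name == "nt":
            target = to_extended_path(target)  # no abspath here: it would trim the blank name
        if dry_run:
            results[target] = "would delete"
            continue
        try:
            os.remove(target)
            results[target] = "deleted"
        except PermissionError:
            # Trashed ACLs, as in the thread: take ownership / icacls the file, then retry.
            results[target] = "access denied; fix ACL first"
        except FileNotFoundError:
            results[target] = "gone"
    return results


# Constructed listing modelled on the thread's screenshot: the cleaned service exe, the renamed
# infected copy (exe_) and a blank-named file beside them, plus one in a GAC sub directory.
CONSTRUCTED_LISTING = [
    ("C:\\Program Files\\Example Updater", "ExampleUpdate.exe"),
    ("C:\\Program Files\\Example Updater", "ExampleUpdate.exe_"),
    ("C:\\Program Files\\Example Updater", " "),
    ("C:\\Windows\\assembly\\GAC_32\\ExampleLib", "\u200b\u200b"),
    ("C:\\Windows\\assembly\\GAC_32\\ExampleLib", "Desktop.ini"),
]


def main(argv):
    args = [a for a in argv[1:] if a != "--delete"]
    entries = walk_names(args[0]) if args else CONSTRUCTED_LISTING
    hits = scan_names(entries)
    for d, n, hx in hits:
        print(f"{d}  name={n!r}  utf16={hx or '(empty)'}")
    for target, outcome in remove_blank_named(hits, dry_run="--delete" not in argv).items():
        print(f"{outcome}: {target!r}")
    return hits


if __name__ == "__main__":
    main(sys.argv)
```

Without arguments it reports on the constructed listing; `python blanks.py C:\` scans a drive and only lists, and `--delete` is required before anything is removed.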
RE: Renaming blank files from cmd line
This is a screenshot of what they look like: http://s257.photobucket.com/albums/hh239/blendersww/?action=view&current=blanks.jpg

In the pic, the renamed exe (exe_) is the infected file. The proper exe is the cleaned exe. The blank is a copy of the exe (but often infected).

Thanks,
Tammy

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Saturday, October 29, 2011 4:40 PM
To: NT System Admin Issues
Subject: RE: Renaming blank files from cmd line

Well, it's got a name. You just can't access it through the normal cmd.exe or Windows utilities. And that name may be blanks.

NTFS provides full POSIX support including VLFNs and Unicode filenames. Windows doesn't.

Loading cygwin1.dll along with ls.exe and find.exe and od.exe and rm.exe should give what's necessary: the ability to look at every file, translate its name to hex for identification, and then do arbitrary removals. I'm pretty sure that Cygwin can be loaded on a USB key these days.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
RE: Renaming blank files from cmd line
Hmmm, use short name?
http://www.techiwarehouse.com/engine/8bc34522/Removing-No-Name-Files--Folders

Would love to know how to create a completely blank file to test the above.

Thanks,
Tammy

From: Tammy Stewart [mailto:copper...@personainternet.com]
Sent: Saturday, October 29, 2011 4:52 PM
To: NT System Admin Issues
Subject: RE: Renaming blank files from cmd line

This is a screenshot of what they look like:
http://s257.photobucket.com/albums/hh239/blendersww/?action=view&current=blanks.jpg

In the pic, the renamed exe (exe_) is the infected file. The proper exe is the cleaned exe; the blank is a copy of the exe (but often infected).

Thanks,
Tammy

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Saturday, October 29, 2011 4:40 PM
To: NT System Admin Issues
Subject: RE: Renaming blank files from cmd line

Well, it's got a name. You just can't access it through the normal cmd.exe or Windows utilities. And that name may be blanks.

NTFS provides full POSIX support including VLFNs and Unicode filenames. Windows doesn't.

Loading cygwin1.dll along with ls.exe and find.exe and od.exe and rm.exe should give what's necessary: the ability to look at every file, translate its name to hex for identification, and then do arbitrary removals. I'm pretty sure that Cygwin can be loaded on a USB key these days.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Saturday, October 29, 2011 4:26 PM
To: NT System Admin Issues
Subject: Re: Renaming blank files from cmd line

AFAIK, you can't have a file without a file name of some sort.

What happens if you do a dir /b in the directory? What do you get if you use PowerShell to enumerate the directory? Are you sure that it's not creating an ADS? Try this to make sure: http://technet.microsoft.com/en-us/sysinternals/bb897440

Kurt

On Sat, Oct 29, 2011 at 12:47, Tammy copper...@personainternet.com wrote:

Hi,

Interesting issue. One of the variants of the sirefef/zeroaccess trojan, while it infects several 3rd party exe files that usually run as services such as the Google updater service (just as an example), also creates a totally blank file in the same directory. No file name, no extension. File is completely blank.

Having the AV repair infected exes is not an issue. Removing the main rootkit(s) is not an issue. Issue is mostly with 64 bit Vista/Windows 7.

Not usually an issue removing these blanks (on 32 bit OS) with the likes of GMER (an anti-rootkit tool), or if that is the only file in the directory (moved orig exe so nothing is in that directory besides the blank) doing del *.* from cmd will wipe out the file. However if this file is there along with a bunch of others that cannot be moved out (even temporarily) obviously I can't do del *.*. If it is in say the system32 directory (which is common) where tools like GMER do not work because it is not compatible with the system (64 bit OS, critical server where one cannot chance a crash (GMER is not the most stable ARK tool on the planet)).

The ones that seem to be the biggest issue are the ones that are buried in some \assembly sub directories where permissions are different anyway.

Cleaning up the rootkit infected exes then trying to do a system restore (because at this point the infection is not blocking it) is at best sketchy. Either it works well or blanks cause issues and restore brings the OS to a worse condition than the half fixed infection.

How can one look for and delete totally blank file names without nuking everything else in said directory?

Biggest issue seems to be 64 bit OSes. No specific file size. All are different. Leaving said blank files often causes issues with whatever program this blank is in. These blanks also often cause issues with updating said software or successful uninstall/re-install. Often system directories are affected (system32, drivers, assembly, etc). To further complicate things, permissions on said file are trashed so nothing has enough access to it to remove it. Cannot do it in explorer because Windows cannot read the files. (I assume blank file names are illegal in Windows.) You can see them in explorer but cannot do anything from there. This blank is usually a copy of whatever exe was infected.

Because of the above... Most AV scanners, when they hit this blank, are either halted (can't scan any deeper, so just hang) or pass the directory entirely without scanning contents. (So one cannot scan (or even properly monitor) the entire system until this file is cleared out.) If you have a dozen of these files including a few in large system directories -- you can see how this can be a security issue.

So to make a long story short(er).

1. I need
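The hex-identification approach Michael describes, done in Python as an added example (not from the thread and not code from Cygwin or any tool named in it): it classifies directory entries whose names look blank or that Win32 tools cannot address, and shows each name as UTF-16LE hex so a "blank" entry can be told apart. The sample listing is constructed, and the `\\?\` path prefix helper is a general Win32 technique, not something the thread used.

```python
"""Flag directory entries whose names Win32 tools cannot handle cleanly.

Added example, not from the mailing-list thread: it does in Python what
Michael suggests doing with Cygwin (look at every entry and show its name
as hex so a "blank" entry can be identified), plus a classifier for the
kinds of names Explorer and cmd.exe choke on. NTFS stores names as UTF-16,
so the hex shown is the UTF-16LE encoding. SAMPLE_LISTING is constructed.
"""
import os
import unicodedata

# Categories that leave nothing visible: space separators, control and
# format characters (NBSP, ideographic space, zero-width space, ...).
INVISIBLE = ("Zs", "Cc", "Cf")

# Device names Win32 refuses to open as files, whatever the extension.
WIN32_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def name_hex(name: str) -> str:
    """UTF-16LE bytes of a name as spaced hex, so a blank-looking name is identifiable."""
    return name.encode("utf-16-le").hex(" ")


def classify_name(name: str):
    """Return why a name is suspicious, or None if it looks like a normal file name."""
    if name == "":
        return "empty name"
    if all(unicodedata.category(ch) in INVISIBLE for ch in name):
        return "whitespace/invisible characters only"
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in name):
        return "contains control or format characters"
    if name[-1] in ". ":
        return "trailing dot or space (unreachable through normal Win32 paths)"
    if name.split(".", 1)[0].upper() in WIN32_RESERVED:
        return "Win32 reserved device name"
    return None


def find_suspicious(names):
    """Return [(name, reason, utf16le_hex)] for every suspicious name in a listing."""
    out = []
    for name in names:
        reason = classify_name(name)
        if reason:
            out.append((name, reason, name_hex(name)))
    return out


def scan_directory(path: str):
    """Apply find_suspicious to a real directory (no recursion)."""
    with os.scandir(path) as it:
        return find_suspicious([entry.name for entry in it])


def literal_path(path: str) -> str:
    r"""Prefix a Windows path with \\?\ so the Win32 layer passes the name through
    unchanged (no trimming of trailing dots/spaces). Useful for renaming or deleting
    an entry that Explorer and cmd.exe cannot address; only the prefix is added."""
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path


# Constructed listing modelled on Tammy's screenshot: cleaned exe, renamed
# infected copy, and the "blank" copy sitting beside them.
SAMPLE_LISTING = [
    "GoogleUpdate.exe",
    "GoogleUpdate.exe_",
    "\u00a0",            # a single non-breaking space: looks blank in Explorer
    "update.exe ",       # trailing space: cmd.exe normalises it away
    "con.dll",           # reserved device name with an extension
]

if __name__ == "__main__":
    for name, reason, hx in find_suspicious(SAMPLE_LISTING):
        print(f"{reason:<60} hex={hx}")
```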
RE: AV and malware protection?
Viruses (true file infectors) like Sality, Virut, XPAJ, Xpiro, Murofet, Mabezat and a few other true viruses are still quite common, which Malwarebytes cannot deal with.

Mabezat usually hauls in a variant of zbot/zeus which is after banking/CC info... Malwarebytes might see the zbot files from Mabezat but never fully remove it because the virus infected files put it back.

Malwarebytes may see the infected hosts file, temp files associated with Virut, or the rootkit driver associated with Sality and/or some of Sality's registry corruptions, but it cannot disinfect files.

Something like Bamital which attacks a select few files (and infects them) Malwarebytes cannot deal with either. It may see the Trojan dll involved and try to pull it. If successful, and since it cannot disinfect the infected explorer, winlogon, wininit, kernel32.dll, ntdll32.dll, the machine ends up in a constant BSOD loop because wininit/winlogon is missing the dll it has been coded to depend on.

And -- yes, I have seen cases where things on a network are locked down quite well but a vendor comes in to update some specialized software or re-install from his thumb drive and infects the network with Virut and other nasties..

Tammy

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Sunday, October 09, 2011 1:27 PM
To: NT System Admin Issues
Subject: Re: AV and malware protection?

On Sun, Oct 9, 2011 at 12:23 PM, Alex Eckelberry alex.eckelbe...@gfi.com wrote:
> It's worth noting that MalwareBytes is not an antivirus product. It is, however, an excellent protector/cleaner against modern Trojans and rogue antivirus products.

And the difference between these two things is...?

Viruses are largely obsolete anyway. Between ubiquitous network connectivity and autorun, nobody needs to bother. Today's injection vectors are exploitable vulnerabilities in networked software and social engineering. An attacker crafting malware to piggy-back on benign executables exchanged via sneakernet is like worrying about how to attach a team of horses to your car.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
RE: Torpig/Anserin/Mebroot infection
If Vipre does not find the culprit, John, don't be shy to shoot us a support ticket request. We'll help find it.

Support request page: www.gfi.com/supportform
Indicate you need security response; the ticket will get to us faster.

Tammy

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, October 03, 2011 4:19 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

You really don't want to be doing that, or if you must do it, at least only allow it outbound to the IP of the mail server your PCs are supposed to be using.

Looking at the CBL listing it appears they list you for activity other than SMTP traffic, so it may well be other traffic that's got you listed, but it still doesn't change the fact that you really don't want to allow unrestricted outbound SMTP from any/all IPs on your LAN. Ditto all other ports/protocols. If you don't already do so, start from a position of only allowing the ports required.

From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 03 October 2011 9:14 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

We don't have a mail server here. Our ISP hosts our email for us, so yeah, we do allow SMTP out. I wonder if there's a way to force all port 25 traffic to one IP in the firewall?

-Original Message-
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, October 03, 2011 4:04 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

Just to confirm, you don't allow outbound SMTP from anything other than your corporate SMTP boxes, do you?

From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 03 October 2011 7:59 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

Email blocklist: cbl.abuseat.org, for attempting to make contact to a Torpig Command and Control server at 91.20.221.209, with contents unique to Torpig CC command protocols.

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Monday, October 03, 2011 1:54 PM
To: NT System Admin Issues
Subject: RE: Torpig/Anserin/Mebroot infection

Can you expand on blacklisted? Which blacklist and for what type of traffic?

From: John Aldrich [jaldr...@blueridgecarpet.com]
Sent: 03 October 2011 6:22 PM
To: NT System Admin Issues
Subject: Torpig/Anserin/Mebroot infection

So, our external IP is blacklisted because apparently one of our machines is infected with a banking Trojan. Short of going to each and every individual machine on the network, the only thing I can think of to do is to set up logging of the ASA to a syslog server. I have downloaded and installed a trial version of Kiwi syslog, but I can't figure out how to configure it to forward the log files to my system. Anyone here able to provide a good how-to? I *did* Google, but apparently my Google-fu sucks, as I wasn't able to find instructions that made sense to me.
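Once Paul's egress rule is in place (outbound TCP/25 permitted only to the ISP's relay, everything else denied and logged), the infected machine shows up as a source of logged denies. This added example, not from the thread and not code from Cisco or Kiwi, parses ASA 106023 deny lines captured from the syslog feed and ranks internal hosts by denied SMTP attempts and distinct destinations. The relay address, ACL name, host addresses and log lines are all constructed placeholders.

```python
"""Spot the LAN host behind a spambot-style SMTP pattern in ASA deny logs.

Added example, not from the mailing-list thread: it assumes an egress rule
that permits outbound TCP/25 only to the ISP's relay and denies (and logs)
everything else, and that the ASA syslog feed has been saved to a file.
Lines are parsed with a regex for the %ASA-4-106023 "Deny ... by
access-group" message. The sample lines, addresses and ACL name are
constructed; ALLOWED_SMTP_RELAY is a placeholder for the real relay.
"""
import re
from collections import Counter, defaultdict

ALLOWED_SMTP_RELAY = "203.0.113.25"   # placeholder: the ISP's mail relay

# Shape of the message this matches (constructed instance):
# %ASA-4-106023: Deny tcp src inside:10.0.0.23/51234 dst outside:198.51.100.9/25
#   by access-group "inside_in" [0x0, 0x0]
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line: str):
    """Return the fields of a 106023 deny line as a dict, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {
        "proto": m["proto"].lower(),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "acl": m["acl"],
    }


def smtp_offenders(lines, threshold: int = 2):
    """Map each internal source IP denied on TCP/25 (to anything but the relay)
    to (attempt_count, distinct_destinations), keeping sources with at least
    `threshold` attempts. Many distinct destinations is the tell: a bot spraying
    mail at remote MX hosts rather than a misconfigured client retrying one server."""
    attempts = Counter()
    targets = defaultdict(set)
    for line in lines:
        rec = parse_deny(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        if rec["dst"] == ALLOWED_SMTP_RELAY:
            continue
        attempts[rec["src"]] += 1
        targets[rec["src"]].add(rec["dst"])
    return {
        ip: (n, len(targets[ip]))
        for ip, n in attempts.items()
        if n >= threshold
    }


# Constructed syslog excerpt: one host sprays several external MX hosts,
# another makes a single stray attempt and otherwise uses the relay.
SAMPLE_LOG = """\
Oct  3 14:02:11 asa %ASA-4-106023: Deny tcp src inside:10.0.0.23/51234 dst outside:198.51.100.9/25 by access-group "inside_in" [0x0, 0x0]
Oct  3 14:02:12 asa %ASA-4-106023: Deny tcp src inside:10.0.0.23/51235 dst outside:198.51.100.77/25 by access-group "inside_in" [0x0, 0x0]
Oct  3 14:02:13 asa %ASA-4-106023: Deny tcp src inside:10.0.0.23/51236 dst outside:192.0.2.200/25 by access-group "inside_in" [0x0, 0x0]
Oct  3 14:02:20 asa %ASA-4-106023: Deny tcp src inside:10.0.0.41/49999 dst outside:192.0.2.8/25 by access-group "inside_in" [0x0, 0x0]
Oct  3 14:02:25 asa %ASA-4-106023: Deny udp src inside:10.0.0.41/50000 dst outside:192.0.2.8/53 by access-group "inside_in" [0x0, 0x0]
Oct  3 14:03:01 asa %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:10.0.0.41/50001 (10.0.0.41/50001)
"""

if __name__ == "__main__":
    for ip, (n, distinct) in sorted(smtp_offenders(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {n} denied SMTP attempts to {distinct} distinct hosts")
```

Point the script at the saved syslog file instead of SAMPLE_LOG and the host with many attempts across many destinations is the one to pull off the network and scan.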
RE: Vipre- possible false positive DAT??
Good morning everyone,

I see a couple samples that have been sent in to our f/p report site so it looks like they are aware. If someone wants to submit a suspect f/p file, here is where you can upload it to: http://www.sunbeltsecurity.com/falsepositive/

Regards,
Tammy

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Tuesday, July 19, 2011 9:01 AM
To: NT System Admin Issues
Subject: RE: Vipre- possible false positive DAT??

Is Sunbelt (GFI) aware of this? Nothing on their website yet.

From: Mike Wiebke [mailto:m...@yahoo.com]
Sent: Tuesday, July 19, 2011 8:52 AM
To: NT System Admin Issues
Subject: Re: Vipre- possible false positive DAT??

I'm seeing the same with threatdb version 9897 - 9900

From: N Parr npar...@mortonind.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Sent: Tue, July 19, 2011 7:07:22 AM
Subject: RE: Vipre- possible false positive DAT??

ditto

From: John Leto [mailto:jo...@colonialsavings.com]
Sent: Tuesday, July 19, 2011 6:43 AM
To: NT System Admin Issues
Subject: Vipre- possible false positive DAT??

This morning I came in and noticed that Vipre had flagged several machines in my organization with a possible virus, all for the same Excel gallery file which I've listed below. Is this a possible false positive from Vipre?? It just seems strange that I'd have so many machines at the very same time with the very same infected file.

Threat: Exploit.Excel.CVE-2011-1278 (v)
Category: Exploit
Severity: High Risk
Traces Found:
File: C:\Program Files\Microsoft Office\OFFICE11\1033\XL8GALRY.XLS
File: C:\Windows\Installer\$PatchCache$\Managed\9040210900063D11C8EF10054038389C\11.0.5614\XL9GALRY.XLS_1033

John Leto
Network Engineer
Colonial Savings, F.A.
817-877-9578
jo...@colonialsavings.com
RE: Vipre- possible false positive DAT??
For anyone seeing this false positive who has not yet reported it to our site/support: please make sure you have definition 9900 or higher, which should be correcting the issue.

If still seeing files detected (falsely), the below site can be used to upload samples. If assistance is needed to restore files, etc. from quarantine, a support ticket can be filled out here:

Support request page: www.gfi.com/supportform

Regards,
Tammy

From: Tammy Stewart [mailto:copper...@personainternet.com]
Sent: Tuesday, July 19, 2011 9:10 AM
To: NT System Admin Issues
Subject: RE: Vipre- possible false positive DAT??

Good morning everyone,

I see a couple samples that have been sent in to our f/p report site so it looks like they are aware. If someone wants to submit a suspect f/p file, here is where you can upload it to: http://www.sunbeltsecurity.com/falsepositive/

Regards,
Tammy
RE: Vipre- possible false positive DAT??
I am currently on 9903; the below indicated file (xl8galry.xls) is not being detected. If that does not resolve it, please upload a sample to the falsepositive site below.

Regards,
Tammy

From: John Leto [mailto:jo...@colonialsavings.com]
Sent: Tuesday, July 19, 2011 9:39 AM
To: NT System Admin Issues
Subject: RE: Vipre- possible false positive DAT??

We have a machine with 9900 and it still has the issue; I do not believe this has been resolved.
RE: question about OEM Windows License Keys
I had a machine a couple years ago, Jimmy, Dell as well. Customer did not have the recovery CDs; the machine needed a new hard drive. I just called Dell, provided them with the model, serial, customer info etc. and asked for a recovery CD set. Took me a couple attempts as the person who I talked to obviously did not put my request and such on record so delivery never happened. However after a few attempts, finally got the CDs. No charge even though warranty was up. Install went w/o a hitch.

I figure they must have a recovery CD set for your make/model available. In my case they did not charge for the CDs but if they do charge now I can't see it being that expensive for the customer.

Cheers
Tammy

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Friday, July 08, 2011 1:43 PM
To: NT System Admin Issues
Subject: RE: question about OEM Windows License Keys

So far all you've told us is that you have an OEM key, not a retail key. So having an OEM key means there is no point in downloading or trying to use retail media from any source. If you have OEM media from another machine it *may* work with your Dell OEM key.

From: Jimmy Tran [mailto:jt...@teachtci.com]
Sent: Friday, July 08, 2011 1:16 PM
To: NT System Admin Issues
Subject: RE: question about OEM Windows License Keys

Ok, with that being said, is there a way to download retail media from MS if I already have a key?

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Friday, July 08, 2011 10:11 AM
To: NT System Admin Issues
Subject: RE: question about OEM Windows License Keys

OEM media requires an OEM key. Retail media requires a Retail key. Etc. And I wouldn't trust any downloaded media unless it came directly from MS.

Carl

From: Jimmy Tran [mailto:jt...@teachtci.com]
Sent: Friday, July 08, 2011 1:06 PM
To: NT System Admin Issues
Subject: question about OEM Windows License Keys

So I have a Dell XPS laptop that needs Vista reinstalled. The original OS version is Vista Home Premium. Since I don't have the OEM install disc from Dell, I decided to download a Vista Retail ISO (I think it was retail). So I ran the installer and it comes to the license key window. I put in the key from the COA label under the laptop but it doesn't like the key.

So my real question is, does the OEM key on the Microsoft COA label work with any media type as long as it is not Volume Licensing Media and the same OS version?

Any clarification would be awesome!

Thanks,
Jimmy
RE: It isn't worth it
Blacklisting keygen.exe and crack.exe in your AV software, then it showing up in scans, would clearly justify investigating deeper since we all know keygens can be dangerous, put networks, data etc. at risk, and so on :D

Tammy

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
Sent: Friday, July 01, 2011 11:49 AM
To: NT System Admin Issues
Subject: Re: It isn't worth it

The problem is, IT must justify the actions that found the files, applications, etc. in the first place. It's pretty much, unless HR directs one to go searching a drive, one must not go search a drive. @#%
--
richard

John Cook john.c...@pfsf.org wrote on 07/01/2011 10:38:46 AM:

Our policy is no software allowed that isn't approved and installed by IT - actions may be as harsh as termination.

John W. Cook
Systems Administrator
Partnership for Strong Families

- Original Message -
From: Terry Dickson te...@treasurer.state.ks.us
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Sent: Fri Jul 01 11:15:16 2011
Subject: RE: It isn't worth it

Our policy is that I have the right to remove any software I find on a PC that is questionable. I can do this without informing anyone in advance. However I do have to report it and then Management will review it and see if the software is appropriate for that person's duties. If so it can then be reinstalled. I have removed several software packages in the past, some that were purchased and installed while I was out of the office and had to be reinstalled. Most stay gone, and I can tell you in our office if it was for games it would be GONE and stay GONE!

-Original Message-
From: David Lum [mailto:david@nwea.org]
Sent: Friday, July 01, 2011 10:06 AM
To: NT System Admin Issues
Subject: RE: It isn't worth it

How do you guys feel about finding a user who has password cracking / key code generator tools (for games, not work software) on their PC?

Dave

From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Thursday, June 30, 2011 10:06 AM
To: NT System Admin Issues
Subject: RE: It isn't worth it

Along with that are people that get fired for stealing. I'm not talking about people who embezzle thousands. I'm talking things like office supplies and equipment. Most of the time the items taken are a fraction of their pay. I mean really, you can't go to Office Depot and pick up a $5 ream of paper or pair of scissors? That makes less sense to me than a drug addiction.

From: pdw1...@hotmail.com [mailto:pdw1...@hotmail.com]
Sent: Thursday, June 30, 2011 11:48 AM
To: NT System Admin Issues
Subject: OT: It isn't worth it

A bit of a sad note. I got a phone call from the director early last night. He couldn't get a hold of the supervisor so he called me. He told me to log in and cancel all network access and disable the AD account for an employee in our department. Said employee had failed his drug test. He had been on probation the last few months and it seemed he was getting his head straight. Then this week he came in late for a staff meeting and even I noticed something wrong. He didn't look good, wiping his forehead a few times, hair mussed up. Anyway, he took a drug test later that day and failed. Young guy, married for about two years and hooked on pain pills. Now he's out of a job and, I hope, not a wife, too. It isn't worth it.
RE: Fake antivirus
If the machine has Vipre -- give us a shout, John. We'll find that hijacker. :)

www.gfi.com/supportform

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Friday, June 17, 2011 8:48 AM
To: NT System Admin Issues
Subject: RE: Fake antivirus

Could be... He's got Google Toolbar. I wonder if some enterprising hacker has found a way to use that to load their ads?

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Friday, June 17, 2011 8:26 AM
To: NT System Admin Issues
Subject: RE: Fake antivirus

Could be that IE is hooked with a BHO, or other malware; usually a lot of attacks can utilize BeEF (Browser Exploitation Framework).

Z

Edward E. Ziots
CISSP, Network+, Security+
Security Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Friday, June 17, 2011 8:23 AM
To: NT System Admin Issues
Subject: Re: Fake antivirus

On Fri June 17 2011, you wrote:
> Get autoruns out and find out where the entry point is

Good idea... thanks for reminding me of this tool. Unfortunately nothing jumps out at me regarding this... all I know is random IE windows pop up on this thing, going to Facebook and advertising websites. Fortunately no pr0n.

--
Thanks,
John Aldrich
Blueridge Industries
IT Manager
RE: Fake antivirus
I'm sure they'll find it. :) -Original Message- From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] Sent: Friday, June 17, 2011 10:02 AM To: NT System Admin Issues Subject: RE: Fake antivirus Thanks... filled out a ticket. I didn't know my Customer ID, though. :D -Original Message- From: Tammy Stewart [mailto:copper...@personainternet.com] Sent: Friday, June 17, 2011 8:59 AM To: NT System Admin Issues Subject: RE: Fake antivirus If the machine has VIpre -- Give us a shout John, We'll find that hijacker. :) www.gfi.com/supportform -Original Message- From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] Sent: Friday, June 17, 2011 8:48 AM To: NT System Admin Issues Subject: RE: Fake antivirus Could be... He's got Google Toolbar. I wonder if some enterprising hacker has found a way to use that to load their ads? -Original Message- From: Ziots, Edward [mailto:ezi...@lifespan.org] Sent: Friday, June 17, 2011 8:26 AM To: NT System Admin Issues Subject: RE: Fake antivirus Could be that IE is hooked with a BHO, or other malware, usually a lot of attacks can utilize the BEEF ( Browser Exploitation Framework) Z Edward E. Ziots CISSP, Network +, Security + Security Engineer Lifespan Organization Email:ezi...@lifespan.org Cell:401-639-3505 -Original Message- From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] Sent: Friday, June 17, 2011 8:23 AM To: NT System Admin Issues Subject: Re: Fake antivirus On Fri June 17 2011, you wrote: Get autoruns out and find out where the entry point is Good idea...thanks for reminding me of this tool. Unfortunately nothing jumps out at me regarding this... all I know is random IE windows pop up on this thing, going to Facebook and advertising websites. Fortunately no pr0n. -- Thanks, John Aldrich Blueridge Industries IT Manager ~ Finally, powerful endpoint security that ISN'T a resource hog! 
RE: Fake antivirus
Good to hear Mike,

Just in case some others missed it -
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7944&enterthread=y

If still getting redirects after the rogue exes have been removed - it is usually volsnap.sys that is compromised. Replacing with a known good copy from recovery console/barts/UBCD/etc will take care of that issue.

If still active - avoid logging in with admin privs if possible & use process explorer to kill the rogue, rename it etc. (run as) Logging in with admin privs will surely mangle volsnap.sys.

Cheers!
Tammy

_____

From: Mike Sullivan [mailto:neog...@gmail.com]
Sent: Thursday, June 16, 2011 10:12 AM
To: NT System Admin Issues
Subject: Re: Fake antivirus

I ran into this on Monday, at least I have my users locked down and they only saw the message that the hard drive was failing and their shortcuts disappeared. I followed Tammy's instructions and had it cleaned up pronto!

On Thu, Jun 16, 2011 at 6:53 AM, Jonathan <ncm...@gmail.com> wrote:

I've run into a nice variant of this just this morning... the window is titled "Windows Vista Restore" and the caption at the top of the window says "PC Performance & Stability analysis report". It is telling me that the hard drive is failing and that private data is at risk. When I went into the root of C:, it only showed one file, named bootsect.bak. After I chose to display all hidden and OS files, voila, everything in C: and on the desktop appeared. What a way to start a Thursday - at least it isn't Monday!

JR

On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright <rhw...@gmail.com> wrote:

Try setting him up with ClearCloudDNS - might help prevent future infections.

Roger Wright
___
Formula for success: rise early, work hard, strike oil. - J. Paul Getty

On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

Thanks... This particular user is unlucky enough to have teenagers who use his computer. My guess is they are visiting infected/hostile/0wned sites and that's how he's getting infected. Never really had a problem when he was working here, so I'm suspecting it's some of his grandkids that are causing the problem. As I have not yet seen the problem, I don't know if it's going to be easy or difficult. Hopefully MBAM and Vipre won't have any problem with it. :D

Thanks again!

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Friday, June 03, 2011 10:31 AM
To: NT System Admin Issues
Subject: Re: Fake antivirus

May be time to invest in some UAT (user awareness training). Continual re-infestation either means he is unlucky, or gung-ho in his browsing. I've had some fake AVs recently which were ridiculously easy to get rid of (kill process, delete files, remove autorun entry). Others have been more stealthy - such as killing targeted windows like Task Manager. Booting into safe mode usually prevents these extra features from bothering you. But as with everything - a reimage may be the only way to be sure.

On 3 June 2011 15:26, John Aldrich <jaldr...@blueridgecarpet.com> wrote:

I'm going to go to a former co-worker's this afternoon to clean his system (again) from another fake antivirus infestation. I've already got Vipre Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't had to deal with any fake antivirus in a few weeks. Just wondering if they have developed any new tricks recently that I should be aware of?

Oh, this user had Vipre Home on his PC, and got infested anyway. Should I submit samples to Sunbelt (assuming I can find where they're quarantined)???

Thanks!

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
RE: Fake antivirus
Looks like Sept 1 2011.
http://clearclouddns.com/

If using - may want to set a secondary DNS before anyone forgets. (OpenDNS might be a decent alternative)

Cheers!
Tammy

_____

From: David [mailto:blazer...@gmail.com]
Sent: Thursday, June 16, 2011 2:46 PM
To: NT System Admin Issues
Subject: Re: Fake antivirus

I heard Sunbelt is going to discontinue the ClearCloud service -- anyone know if/when that's going to happen?

David
RE: User accounts for shared folders
Thanks Kurt,

Makes sense. They likely logged onto the infected workstation as domain admin. I can't recall now but will find out. Not sure if they let users have full control on the shares.

Thanks,
Tammy

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 5:05 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

I see. What you're saying implies that the infected workstation talked with the machine hosting the shares. That's standard - and if the malware is running in the context of a user that has the Full Control permissions for the shares, it can strip out or add permissions at will, without being resident on the machine hosting the shares.

I have found that all too often folks are given Full Control permissions, instead of Modify, which is all most people should have - the only difference between them is that Full Control grants the ability to modify permissions.

Kurt

On Mon, Jun 13, 2011 at 13:05, Tammy Stewart <copper...@personainternet.com> wrote:

Hi Kurt,

It is the NTFS permissions on the shares. (right click folder > properties > security) (not who on the network have access) Oddly enough other folders that are not shared have all the usual accounts listed.

It is a file infecting virus (chir.b) from a few machines hitting the shares -- however the server that had the shares hit did not have the OS hit. Just shares so it did not get to memory or make registry modifications.

Thanks,
Tammy

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, June 13, 2011 3:42 PM
To: NT System Admin Issues
Subject: Re: User accounts for shared folders

On Mon, Jun 13, 2011 at 10:57, Tammy Stewart <copper...@personainternet.com> wrote:
> Ran into something interesting today t-shooting a virus issue on a network. On every share there is no system account listed. Only Domain admins & domain users.
>
> My google kung-fu seems to be lacking today but is there anything/reason why the system account would not show up? System account does exist on the machine - non shared directories have it. Just the shares that seem affected. Windows 2003 domain (if that makes any difference)
>
> Not just the system with infected files on the shares - all the servers are like this including clean ones (that have not been touched by the virus yet)
>
> Anyone have any kb articles or something I can look at that would explain this? (and hopefully put them back to normal)
>
> Thanks!
> Tammy

When you say that the share doesn't list the System account - do you mean the Share permissions, or the NTFS permissions? Shares never list System for permissions, AFAIK.

If the NTFS permissions for System have been deleted on the directories that are shared, that's either a conscious action by someone with Full Control permissions listed in an ACE on the directory, or else it's something that the malware did. If a person at the firm did that, I'd say it's a big mistake - well, unless they are doing something unusual, like setting up an FTP server.

Kurt
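An added example, not code from the thread or from any of its posters: a PowerShell audit of the two conditions Kurt and Tammy discuss above, a SYSTEM ACE missing from the NTFS permissions of shared folders, and Full Control held by principals who only need Modify (the right to change permissions being the difference Kurt points out). It assumes it runs elevated on the file server; the $Privileged list of principals allowed Full Control and the $Repair switch are assumptions to adjust per site.

```powershell
# Added example (not code from the list thread): audit the NTFS ACLs of every
# local disk share for a missing SYSTEM ACE and for Full Control held by
# principals who should only have Modify. Report-only unless $Repair is set;
# repair re-adds an inheritable SYSTEM Full Control ACE and nothing else.
$Repair = $false

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ChangePerms = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$TakeOwner   = [System.Security.AccessControl.FileSystemRights]::TakeOwnership
$SystemName  = 'NT AUTHORITY\SYSTEM'

# Principals that legitimately hold Full Control on a data share (assumption,
# adjust per site). Anyone else holding ChangePermissions or TakeOwnership is
# flagged: Modify grants neither right, which is the whole difference.
$Privileged = @($SystemName, 'BUILTIN\Administrators', 'CREATOR OWNER',
                'NT SERVICE\TrustedInstaller')
$PrivilegedPattern = '\\Domain Admins$'      # DOMAIN\Domain Admins, any domain

function Test-ShareAcl {
    param([string]$ShareName, [string]$Path)

    $acl   = Get-Acl -Path $Path
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })

    # SYSTEM Full Control, explicit or inherited: backup, VSS and the AV
    # engine all run as SYSTEM and need it on the shared tree.
    $systemOk = [bool]($allow | Where-Object {
        $_.IdentityReference.Value -eq $SystemName -and
        (($_.FileSystemRights -band $FullControl) -eq $FullControl)
    })

    $overPrivileged = $allow | Where-Object {
        $id = $_.IdentityReference.Value
        ($Privileged -notcontains $id) -and ($id -notmatch $PrivilegedPattern) -and
        ((($_.FileSystemRights -band $ChangePerms) -ne 0) -or
         (($_.FileSystemRights -band $TakeOwner)   -ne 0))
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    New-Object PSObject -Property @{
        Share             = $ShareName
        Path              = $Path
        SystemFullControl = $systemOk
        CanChangePerms    = ($overPrivileged -join ', ')
    }
}

function Repair-SystemAce {
    param([string]$Path)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $SystemName, $FullControl, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Win32_Share is available back to Windows 2003; Type 0 is a plain disk share,
# so IPC$, printer and admin shares are skipped.
$results = Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -eq 0 -and $_.Path } |
    ForEach-Object { Test-ShareAcl -ShareName $_.Name -Path $_.Path }

$results | Select-Object Share, Path, SystemFullControl, CanChangePerms |
    Format-Table -AutoSize

if ($Repair) {
    $results | Where-Object { -not $_.SystemFullControl } | ForEach-Object {
        Write-Host "Restoring SYSTEM Full Control on $($_.Path)"
        Repair-SystemAce -Path $_.Path
    }
}
```

Shares whose SYSTEM ACE was removed by someone holding Full Control (or by malware running as such a user, as Kurt describes) show SystemFullControl False; the CanChangePerms column lists who could have done it.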
RE: Blow your wife's mind
Looks like someone's account might be p0wn3d?

_____

From: Leah Nunez [mailto:agbpnkyuayl...@gwido.com]
Sent: Friday, June 10, 2011 3:32 AM
To: NT System Admin Issues
Subject: Blow your wife's mind

Like a certain brand of watches, but never wanted http://ffs.cc/a/kr85oa to pay the price? Solve your dilemma now
RE: Win 7 recovery virus
Sounds like possibly a new variant. If you have any samples please upload them to our submit site.
http://www.sunbeltsecurity.com/threat

If you are also having the issue where all the files/folders are hidden & start menu icons, desktop icons missing - this page should help: (unless the unhide.exe tool has been updated at bleeping page I have seen issues with it restoring shortcut files on Windows 7 & Vista)
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7944&enterthread=y

Regards,
Tammy

_____

From: John Cook [mailto:john.c...@pfsf.org]
Sent: Thursday, June 09, 2011 3:19 PM
To: NT System Admin Issues
Subject: Re: Win 7 recovery virus

3 computers today

John W. Cook
Systems Administrator
Partnership for Strong Families

_____

From: Tom Miller <tmil...@hnncsb.org>
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Sent: Thu Jun 09 15:17:05 2011
Subject: Win 7 recovery virus

Anyone getting a lot of these. One of my techs just reported to me:

We have been getting hit by the Win 7 recovery virus today? Just as heads up
http://www.bleepingcomputer.com/virus-removal/remove-windows-7-recovery

We use Vipre here. Vipre can see it but obviously not stop it. Way to go.

Tom
RE: remote support and UAC
+1 on TeamViewer. No issues answering UAC prompts etc. We use it for customer support at work. (the quick support client is awesome for those situations where you need in & do whatever & out & not likely to be a regular visit to that PC)

Tammy

_____

From: Tony Patton [mailto:apco...@gmail.com]
Sent: Thursday, June 09, 2011 4:08 PM
To: NT System Admin Issues
Subject: Re: remote support and UAC

I've used Teamviewer in the past on my Win7 pc at home. It can also be configured to only accept LAN connections. Think it was about £1000 the last time I checked for unlimited end connections.

Http://WWW.TeamViewer.com

T

Typed slowly on HTC Desire

On 9 Jun 2011 21:01, Bill Humphries <nt...@hedgedigger.com> wrote:

Hey all,

Our current remote support software sucks when the client is a win7 with UAC. Handicapped to almost the point of useless. What do you like that handles UAC in a way that makes remote support feasible?

Bill
RE: 'All Programs' icons missing
We have a writeup at the GFI forums for this .. Bit of work but should help:
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7944&enterthread=y

Tammy

-----Original Message-----
From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com]
Sent: Monday, June 06, 2011 4:36 PM
To: NT System Admin Issues
Subject: 'All Programs' icons missing

A week or so ago, we had 2 users suddenly lose their icons to programs located under Start -> All Programs. These are WinXP machines, local profiles. The subdirectories are all there and visible (Games, Accessories, UltraVNC, and all the others), but the shortcut links to the actual programs are ALL gone. Their desktop icons have not been affected by this.

I know I can probably blow away their profile and re-create to get icons back but... any idea what might have happened and how to get them back? Short of replacing their profile?

JR
RE: Fake antivirus
Hi John,

If you can get the fake AV's name -- I can likely shoot you some info.

There is a new(ish) one on the block that hides files, folders, shortcuts and such. (windows recovery) If that is what you see -- let me know. We have a restore procedure to restore the hidden/moved files. Also don't nuke the temps [yet] because that is where all the shortcuts are.

If MBAM quarantines it -- the quarantine is normally located here: (depends on OS)

c:\documents and settings\USER_WHO_SCANNED\application data\malwarebytes\malwarebyte's antimalware\quarantine -- that dir has both the logs & the quarantined items (xp/2k/2k3)

C:\Users\USER_WHO_SCANNED\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\quarantine (vista/win7/win2k8)

Please upload anything MBAM quarantines to us.
http://www.sunbeltsecurity.com/threat

Thanks John,
Tammy
RE: Fake antivirus
If it is the fake AV/HDD tool that hides all the files/folders & moves the shortcuts to %temp%, combofix is not recommended because one of the things combofix does is empty out all temp folders which is where the start menu icons are.

Regards,
Tammy

_____

From: David [mailto:blazer...@gmail.com]
Sent: Friday, June 03, 2011 1:50 PM
To: NT System Admin Issues
Subject: Re: Fake antivirus

+2, either at home or at the office. Combofix (be careful where you get it -- the BleepingComputer site is the most reliable), Malwarebytes, and Vipre. Vipre seems to take the longest to run.

David

On Fri, Jun 3, 2011 at 10:23 AM, Maglinger, Paul <pmaglin...@scvl.com> wrote:

+1 for combofix at home.

-----Original Message-----
From: Gene Giannamore [mailto:gene.giannam...@abideinternational.com]
Sent: Friday, June 03, 2011 12:05 PM
To: NT System Admin Issues
Subject: RE: Fake antivirus

Had very good luck so far using combofix, Malwarebytes, and Vipre. Although 1 computer running XPsp3 is now very slow and the user does not want a wipe.

I found combofix here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I do not follow the directions completely; I don't post the log file to any forum. I do, disable AV, run updated combofix, enable AV, run malwarebytes. If there is anything still going on, I'll do a quick scan with superantispyware then investigate manually (registry, running processes, files).

Gene Giannamore
RE: RE: Fake antivirus
Hi Jonathan & all,

Sorry - been a busy one today.

Based on what we all have found, this has been working quite well as long as the temps have not been emptied out:

If the rogue is still running & nothing is seeing it, normally it will be found: (where random.exe is a random name executable) Normally 2 of them.

XP: C:\documents and settings\all users\application data\random.exe
Vista\Windows7: C:\programdata\random.exe

One will be a random set of numbers & the other will be a random set of upper/lower letters.

Taskkill /im filename /f

Works well then rename the extensions so they don't load again or delete files.

This should get most if not all the shortcuts back and unhide everything it hid. (it will also end up unhiding windows patch install directories & application data folders)
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7944&enterthread=y

There will be some additional registry stuff that needs fixing to repair some IE settings that can leave the system vulnerable to getting hit again. Additional info here: (reg/file info at bottom of page)
http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

Regards,
Tammy

_____

From: Jonathan [mailto:ncm...@gmail.com]
Sent: Friday, June 03, 2011 12:55 PM
To: NT System Admin Issues
Subject: Re: RE: Fake antivirus

Tammy,

I ran into one a few weeks back that hid files and folders like what you described. I think I reversed everything it did, but is there any other info that you can share with the group aside from what you've posted here?

Thanks,
Jonathan
A+, MCSA, MCSE

Thumb-typed from my HTC Droid Incredible (and yes, it really is) on the Verizon network. Please excuse brevity and any misspellings.
There is a new(ish) one on the block that hides files, folders, shortcuts and such. (windows recovery) If that is what you see -- let me know. We have a restore procedure to restore the hidden/moved files. Also don't nuke the temps [yet] because that is where all the shortcuts are. If MBAM quarantines it -- the quarantine is normally located here: (depends on OS) c:\documents and settings\USER_WHO_SCANNED\application data\malwarebytes\malwarebyte's antimalware\quarantine -- that dir has both the logs the quarantined items (xp/2k/2k3) C:\Users\USER_WHO_SCANNED\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\quarantine (vista/win7/win2k8) Please upload anything MBAM quarantines to us. http://www.sunbeltsecurity.com/threat Thanks John, Tammy -Original Message- From: John Aldrich [mailto:jaldr...@blueridgecarpet.com] Sent: Friday, June 03, 2011 10:26 AM To: NT System Admin Issues Subject: Fake antivirus I'm going to go to a former co-worker's this afternoon to clean his system (again) from another fake antivirus infestation. I've already got Vipre Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't had to deal with any fake antivirus in a few weeks. Just wondering if they have developed any new tricks recently that I should be aware of? Oh, this user had Vipre Home on his PC, and got infested anyway. Should I submit samples to Sunbelt (assuming I can find where they're quarantined)??? Thanks! ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! 
~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
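A scripted form of the triage described in the thread above, added here as an example; it is not code from any list post. It lists executables sitting directly in the all-users application-data root whose name is all digits or a mix of upper- and lower-case letters, kills them by image name (what taskkill /im does) and renames them rather than deleting them, then clears the Hidden attribute under the current profile and the common Start Menu. The two folder roots and the name pattern come from the post; the -Neutralize switch, the .vir suffix, the default unhide roots and the decision to leave System-flagged items alone are assumptions of this example.

```powershell
# Added example, not from the list post. Triage for the rogue described above:
# randomly named EXEs dropped directly in the all-users application-data root,
# plus user files hidden by setting the Hidden attribute.
#Requires -Version 2.0

function Get-RogueCandidate {
    # CommonApplicationData is "All Users\Application Data" on XP and "ProgramData"
    # on Vista/7, i.e. the two paths named in the post. Only files sitting directly
    # in that root are considered; vendor subfolders are not touched.
    param([string]$Root = [Environment]::GetFolderPath('CommonApplicationData'))

    Get-ChildItem -Path $Root -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object {
            $name = $_.BaseName
            # all digits, or letters only with both cases present (the pattern from the
            # post). Heuristic only: eyeball the list before acting on it.
            ($name -match '^\d+$') -or
            ($name -match '^[A-Za-z]+$' -and $name -cmatch '[a-z]' -and $name -cmatch '[A-Z]')
        }
}

function Stop-RogueProcess {
    # "taskkill /im <name> /f", then rename so the file cannot load again while a
    # sample can still be submitted. Nothing is deleted.
    param(
        [System.IO.FileInfo[]]$Candidate,
        [switch]$Neutralize      # assumed switch: without it the function only reports
    )
    foreach ($file in $Candidate) {
        $running = @(Get-Process -Name $file.BaseName -ErrorAction SilentlyContinue)
        if ($running.Count -gt 0) { $running | Stop-Process -Force }
        if ($Neutralize) {
            Rename-Item -Path $file.FullName -NewName ($file.Name + '.vir') -Force
            "neutralized: $($file.FullName)"
        } else {
            "candidate:   $($file.FullName)  was-running=$($running.Count -gt 0)"
        }
    }
}

function Restore-HiddenItem {
    # "attrib -h" under the places the rogue hides things. Items that also carry the
    # System attribute (desktop.ini, NTUSER.DAT, the Vista/7 junctions) are left alone,
    # which avoids most of the side effect the post warns about. Default roots are an
    # assumption; pass others as needed.
    param([string[]]$Root = @($env:USERPROFILE, [Environment]::GetFolderPath('CommonStartMenu')))

    $hidden = [int][System.IO.FileAttributes]::Hidden
    $system = [int][System.IO.FileAttributes]::System
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ([int]$_.Attributes -band $hidden) -and -not ([int]$_.Attributes -band $system) } |
            ForEach-Object {
                $_.Attributes = [System.IO.FileAttributes]([int]$_.Attributes -band (-bnot $hidden))
                $_.FullName          # emitted so the run can be logged
            }
    }
}

# Typical run: report first, act on a second pass once the list has been checked.
$candidates = @(Get-RogueCandidate)
if ($candidates.Count -gt 0) { Stop-RogueProcess -Candidate $candidates }
# Stop-RogueProcess -Candidate $candidates -Neutralize
# Restore-HiddenItem | Out-File -FilePath "$env:USERPROFILE\Desktop\unhidden.txt"
```

Run it from an account other than the infected one where possible, and keep the renamed .vir files and the unhidden.txt log: the former are the samples to submit, the latter tells you what was touched if something looks wrong afterwards. The temp folders are deliberately not cleaned, for the reason given in the post.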
NAS drives (search tool)
Hi,

I am looking for some sort of tool that can search an entire NAS drive for a certain file and display it so it can be deleted (not much unlike Agent Ransack, Windows search, etc.). A customer I am working with has 16 large drives with several TB of data on each and many, many shares (in the hundreds). They have Conficker and I expect to find several instances of the fake recycler bins and the autorun.inf files the worm copies into these shares. Scanning with AV takes ages because of the amount of data involved, and by the time the scan is done and items removed, they (worm copies) have already been re-written again.

Is there such a tool?

Trying to get more info about the NAS model numbers and setup so as to make it easier to narrow down what will work and what will not.

Yes - autorun is killed via GPO at the site (although it is possible the GPO didn't take on every machine).
Yes - it is believed that every machine is fitted with AV and it is set up properly (although it is possible that a few machines have missed the install or AV is broken) - this part is being investigated (in order to figure out why it keeps re-propagating).

TIA!
Tammy
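One way to do the search the post asks for from a Windows box, added here as an example and not code from any list post: enumerate the shares on each NAS head, walk them for autorun.inf files (including hidden ones), report what each one tries to launch and who created it, and note whether a RECYCLER folder sits beside it. Only the file name autorun.inf and the "fake recycler" layout come from the post; the host name, the reliance on English net view output, the RECYCLER-beside-autorun rule and the -Remove switch are assumptions of this example.

```powershell
# Added example, not from the list post. Walk the shares on a NAS head and list the
# Conficker droppings the post describes: autorun.inf files and the RECYCLER folder
# beside them. Default is report-only; -Remove deletes what was found.
#Requires -Version 2.0

function Get-ShareRoot {
    # Builds UNC roots from "net view \\server", which Samba answers as well as
    # Windows. Assumes English output ("Disk" in the Type column).
    param([Parameter(Mandatory = $true)][string]$Server)
    $out = & net.exe view "\\$Server" 2>$null
    foreach ($line in $out) {
        if ($line -match '^(\S.*?)\s{2,}Disk\b') { "\\$Server\$($Matches[1])" }
    }
}

function Find-ConfickerDropping {
    param(
        [Parameter(Mandatory = $true)][string[]]$Root,
        [switch]$Remove
    )
    foreach ($r in $Root) {
        # -Force so hidden/system copies are not skipped; -Filter keeps SMB traffic down
        Get-ChildItem -Path $r -Recurse -Force -Filter 'autorun.inf' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $inf = $_
                # the open=/shellexecute= lines name the payload the file tries to run,
                # usually a path under the sibling RECYCLER folder
                $launch = @(Get-Content -Path $inf.FullName -ErrorAction SilentlyContinue |
                            Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' })
                $recycler = Join-Path -Path $inf.DirectoryName -ChildPath 'RECYCLER'
                # the owner is the account that created the file: a lead to the host
                # that keeps re-writing it (owner mapping on Samba may be coarse)
                $owner = 'n/a'
                try { $owner = (Get-Acl -Path $inf.FullName).Owner } catch { }

                New-Object PSObject -Property @{
                    Autorun  = $inf.FullName
                    Written  = $inf.LastWriteTime
                    Owner    = $owner
                    Launches = ($launch -join '; ')
                    Recycler = (Test-Path -Path $recycler)
                }
                if ($Remove) {
                    Remove-Item -Path $inf.FullName -Force
                    if (Test-Path -Path $recycler) { Remove-Item -Path $recycler -Recurse -Force }
                }
            }
    }
}

# Report first, delete on a second pass once the CSV has been eyeballed.
$roots = @(Get-ShareRoot -Server 'nas01')          # assumed host name
if ($roots.Count -gt 0) {
    Find-ConfickerDropping -Root $roots |
        Export-Csv -Path "$env:USERPROFILE\Desktop\nas01-autorun.csv" -NoTypeInformation
    # Find-ConfickerDropping -Root $roots -Remove
}
```

The Owner and Written columns are the useful part: a handful of accounts and a tight cluster of timestamps point at the machines that are still writing the files, which is the question the post says is still open. Deleting the copies without finding those hosts only buys time until the next write.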
RE: NAS drives (search tool)
That indeed looks nice. Thanks. Will pass it on and see if he can get it to do what is needed.

Drives are: Buffalo TeraStation PRO NAS drives (model # TS-RHTGL/R5)

Not sure if that makes any difference or not but thought I would throw it out there anyway.

Thanks,
Tammy

From: Guyer, Don [mailto:don.gu...@fiserv.com]
Sent: Friday, May 20, 2011 9:20 AM
To: NT System Admin Issues
Subject: RE: NAS drives (search tool)

How about something like TreeSize?

Don Guyer
Windows Systems Engineer
RIM Operations Engineering Distributed - A Team, Tier 2
Enterprise Technology Group
Fiserv
don.gu...@fiserv.com
Office: 1-800-523-7282 x 1673
Fax: 610-233-0404
www.fiserv.com
RE: NAS drives (search tool)
Has Everything changed recently? Last time I installed it, it only showed the folders where said file exists. Therefore one would have to open each directory in turn and delete the file. He has many hundred shares so I expect several hundred worm copies.

Thanks,
Tammy

From: Erik Goldoff [mailto:egold...@gmail.com]
Sent: Friday, May 20, 2011 9:52 AM
To: NT System Admin Issues
Subject: RE: NAS drives (search tool)

Have you tried 'Everything'?

Erik Goldoff
IT Consultant
Systems, Networks, Security
' Security is an ongoing process, not a one time event ! '
RE: NAS drives (search tool)
Thanks, I'll throw that idea out to him as well. Hopefully he does have a decent backup or at least enough space to create one on. Wiping/reloading cleaned data will take him some time though - he's in the middle of some testing stuff at the school so that can't be interrupted at the moment.

Thanks,
Tammy

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Friday, May 20, 2011 9:53 AM
To: NT System Admin Issues
Subject: Re: NAS drives (search tool)

Just give up. Those things are truly awful speedwise. If you have a backup of the TeraStation data then I would contemplate a restoration of the backup to more responsive hardware, clean that, wipe the TeraStation and restore the cleaned data.
RE: NAS drives (search tool)
Sweet! Will send him that info as well.

Thanks,
Tammy

From: Erik Goldoff [mailto:egold...@gmail.com]
Sent: Friday, May 20, 2011 10:00 AM
To: NT System Admin Issues
Subject: RE: NAS drives (search tool)

I've got version 1.2.1.371 and from the results, I can select files the normal way, contiguous or non-contiguous, and then shift-delete all at once to bypass the recycle bin. Sounds to me exactly like what you want, and it's fast once the index is complete.

Erik Goldoff
IT Consultant
Systems, Networks, Security
' Security is an ongoing process, not a one time event ! '
RE: NAS drives (search tool)
I think it runs on Samba 3.0

Thanks,
Tammy

From: Matthew B Ames [mailto:matthew.a...@qinetiq.com]
Sent: Friday, May 20, 2011 10:37 AM
To: NT System Admin Issues
Subject: RE: NAS drives (search tool)

Mine lives in the loft in its original box. Useless piece of junk.

On a more useful note, if it runs a version of Linux, I think you can ssh to it and then use find on it, rather than having to access it via any shares it may be presenting.
RE: NAS drives (search tool)
Goes to show you how much Linux experience I have (or not).

Thanks,
Tammy

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
Sent: Friday, May 20, 2011 10:54 AM
To: NT System Admin Issues
Subject: RE: NAS drives (search tool)

Samba, in turn, runs on unix/linux systems, so the ssh option should work.
-- RMc
RE: Antivirus Center
Hi John,

Log onto a different account -- that one is normally profile specific. Log off the first user though, or you risk infecting the next account. If there is only one account on the machine -- try the safe mode admin account or safe mode user account (the threat shouldn't run in safe mode).

Decent writeup on this one:
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-center
Can omit MBAM though if desired.

I use autoruns from sysinternals -- I LOVE that tool!
http://technet.microsoft.com/en-us/sysinternals/bb963902
Once you grab that app and the initial scan is done, hit the Users menu at top and choose the infected user. The reg path and file path should be there (either a user run key or runonce, under the logon tab in autoruns).

Since Rescue didn't nail it -- found samples can be uploaded here: http://www.sunbeltsecurity.com/threat
We'll be sure to get it in the defs.

Cheers!
Tammy

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Wednesday, May 04, 2011 2:56 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

No, Vipre is NOT installed. User has McAfee AND AVG on there... I know that McAfee gets installed by default with Acrobat Reader and other Adobe products...

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
Sent: Wednesday, May 04, 2011 2:42 PM
To: NT System Admin Issues
Subject: Re: Antivirus Center

If VIPRE is installed, then call! Tammy knows the entire boot process, and she can probably figure out what is loading what. Some bugs disable the task manager, the CLI, and the ability to boot into SafeMode. Note that some of these bugs will scramble the registry, so no applications can run anymore. She has fixed that one as well.
-- richard

John Aldrich jaldr...@blueridgecarpet.com 05/04/2011 01:22 PM
Please respond to NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Antivirus Center

I just had a remote user infected with Antivirus Center fake antivirus. I had him try to run Vipre Rescue, but it didn't find anything. Any idea why VR didn't find it?
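The same check the Autoruns Users menu gives you, done from a clean account without a GUI, added here as an example and not code from any list post: load the infected profile's NTUSER.DAT as a temporary hive and read its Run and RunOnce values, flagging commands that point into per-user writable folders or use the random image names seen in the Fake antivirus thread earlier on this page. As in the post, the infected user must be logged off (the hive is locked while loaded), and the shell must be elevated. The hive name, the suspicious-path list, the example profile path and the heuristic itself are assumptions of this example.

```powershell
# Added example, not from the list post. Reads another user's Run/RunOnce keys from
# their NTUSER.DAT, which is what the Autoruns "Logon" tab shows under the Users menu.
#Requires -Version 2.0

function Test-SuspiciousRunCommand {
    # Rogues live under per-user writable paths and use random image names. This is a
    # sort key, not a verdict: CamelCase vendor names will trip the mixed-case rule.
    param([string]$Command)
    $writable = 'Application Data', 'AppData', 'Local Settings', 'Temp', 'ProgramData', 'All Users'
    foreach ($w in $writable) {
        if ($Command -match [regex]::Escape($w)) { return $true }
    }
    if ($Command -match '([^\\/:"]+)\.exe') {
        $base = $Matches[1]
        if ($base -match '^\d+$') { return $true }
        if ($base -match '^[A-Za-z]+$' -and $base -cmatch '[a-z]' -and $base -cmatch '[A-Z]') { return $true }
    }
    return $false
}

function Get-UserRunEntry {
    param(
        [Parameter(Mandatory = $true)][string]$ProfilePath,   # C:\Users\bob or C:\Documents and Settings\bob
        [string]$HiveName = 'InfectedUser'                    # assumed temporary name under HKEY_USERS
    )
    $hive = Join-Path -Path $ProfilePath -ChildPath 'NTUSER.DAT'
    # reg.exe load needs an elevated shell and a profile that is not currently logged on
    & reg.exe load "HKU\$HiveName" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not load $hive (user still logged on, or shell not elevated?)" }
    try {
        $keys = 'Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce'
        foreach ($k in $keys) {
            $path = "Registry::HKEY_USERS\$HiveName\$k"
            if (-not (Test-Path -Path $path)) { continue }
            $item = Get-ItemProperty -Path $path
            foreach ($p in $item.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not registry values
                New-Object PSObject -Property @{
                    Key        = $k
                    Name       = $p.Name
                    Command    = [string]$p.Value
                    Suspicious = Test-SuspiciousRunCommand -Command ([string]$p.Value)
                }
            }
        }
    } finally {
        [GC]::Collect()                                        # release provider handles so the unload succeeds
        & reg.exe unload "HKU\$HiveName" | Out-Null
    }
}

# From a clean account, with the infected user logged off (assumed profile path):
# Get-UserRunEntry -ProfilePath 'C:\Documents and Settings\bob' |
#     Sort-Object Suspicious -Descending | Format-Table Key, Name, Suspicious, Command -AutoSize
```

Each flagged row gives you the reg path and the file path in one go, which is what the post says to look for in Autoruns. Once you have them, the value is removed with Remove-ItemProperty while the hive is loaded, and the file it points at is renamed or kept for submission; if the unload still fails afterwards, a file handle on the hive is open somewhere and the profile will not load cleanly for the user until it is closed.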
RE: Antivirus Center
No Problem John,

Figured autoruns might be easier to walk users through -- You might also be able to remote access the box in safe mode with networking too. (I know shipping costs are deadly)

Tammy

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Wednesday, May 04, 2011 3:29 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

Thanks! Will do! 'Preciate it, Tammy! :D

-Original Message-
From: Tammy Stewart [mailto:copper...@personainternet.com]
Sent: Wednesday, May 04, 2011 3:23 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

Hi John,

Log onto a different account -- that one is normally profile specific. Log off first user though or you risk infecting the next account. If only one account on the machine -- try safe mode admin account or safe mode user account (threat shouldn't run in safe mode)

Decent writeup on this one.. http://www.bleepingcomputer.com/virus-removal/remove-antivirus-center
Can omit MBAM though if desired.

I use autoruns from sysinternals -- I LOVE that tool! http://technet.microsoft.com/en-us/sysinternals/bb963902
Once you grab that app initial scan is done hit the users menu at top choose infected user. Reg path file path should be there. (either a user run key or runonce under the logon tab in autoruns)

Since Rescue didn't nail it -- found samples can be uploaded here: http://www.sunbeltsecurity.com/threat
We'll be sure to get it in the defs.

Cheers!
Tammy

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Wednesday, May 04, 2011 2:56 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

No, Vipre is NOT installed. User has McAfee AND AVG on there... I know that McAfee gets installed by default with Acrobat Reader and other Adobe products...

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org]
Sent: Wednesday, May 04, 2011 2:42 PM
To: NT System Admin Issues
Subject: Re: Antivirus Center

If VIPRE is installed, then call! Tammy knows the entire boot process, and she can probably figure out what is loading what. Some bugs disable the task manager, the CLI, and the ability to boot into SafeMode. Note that some of these bugs will scramble the registry, so no applications can run anymore. She has fixed that one as well.
-- richard

From: John Aldrich jaldr...@blueridgecarpet.com
Sent: 05/04/2011 01:22 PM
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Antivirus Center

I just had a remote user infected with Antivirus Center fake antivirus. I had him try to run Vipre Rescue, but it didn't find anything. Any idea why VR didn't find it?
RE: Antivirus Center
TeamViewer has free version as well. Works great.

Tammy

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Wednesday, May 04, 2011 4:48 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

Probably. :D

-Original Message-
From: Martin Blackstone [mailto:mblackst...@gmail.com]
Sent: Wednesday, May 04, 2011 4:29 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

If it was used or refurbished they would buy it.

-Original Message-
From: Sam Cayze [mailto:sca...@gmail.com]
Sent: Wednesday, May 04, 2011 1:19 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

LogMeIn is free. Or has a free option. In the very limited cases where I will actually provide tech support, this is the main requirement I have.

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Wednesday, May 04, 2011 2:43 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

Well, he's already shipping it out, and he's frustrated, I'm frustrated... wish I could get the company to spring for a logmein account.. *sigh*
RE: Antivirus Center
Hehe. Completely understandable.

On the teamviewer page downloads additional downloads/for the instant customer there's just the client app rather than the full install. (you would need the full install though) That way they won't see the beg to buy me nag screen at end of session it is just a single executable that drops a few files in temp so there is nothing for them to have to uninstall.

I like the fact I can blank out the user's bright fuchsia desktop background (or other horrible things) so I don't go blind working on PCs. LOL!

App is a bit slow to start but connection is decent, has file transfer ability even a chat applet if you have trouble hearing them over the phone, language barriers, etc.

Tammy

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Wednesday, May 04, 2011 5:11 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

Thanks. I'll have to remember that. I occasionally have to walk a sales rep through something on the phone and we all know how computer literate Sales Droids can be. ;-)
RE: Trend Micro Internet Security 14
I had to rip that app off a friend's system a while back -- (which proved to be a nightmare until I found a post similar to below)

Last post here worked: http://www.bleepingcomputer.com/forums/topic128005.html

Not sure what the difference is between the downloadable utility from their site and the on-board one but the on-board one worked.

Tammy Stewart

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Tuesday, April 19, 2011 5:47 PM
To: NT System Admin Issues
Subject: RE: Trend Micro Internet Security 14

Well, I suppose if Trend can't provide a way to remove their junk, I might have to resort to hacking the registry... don't really like it, but I might have to. :-(

From: Shauna Hensala [mailto:she...@msn.com]
Sent: Tuesday, April 19, 2011 5:46 PM
To: NT System Admin Issues
Subject: RE: Trend Micro Internet Security 14

doesn't matter whether you want to or not - sometimes the answer is not appealing.

Shauna Hensala

From: jaldr...@blueridgecarpet.com
To: ntsysadmin@lyris.sunbelt-software.com
Subject: RE: Trend Micro Internet Security 14
Date: Tue, 19 Apr 2011 17:43:27 -0400

Gary, thank you for your concern. I *did* Google the answer and I did try the Diagnostic utility that Trend provides. No luck with either. The only other option Trend offers on their website is to hack the registry. I don't want to, nor do I feel I should have to hack the registry to uninstall something.

-Original Message-
From: Gary Slinger [mailto:gary.slin...@gmail.com]
Sent: Tuesday, April 19, 2011 5:39 PM
To: NT System Admin Issues
Subject: Re: Trend Micro Internet Security 14

Do you actually do any friggin' work, or is this your posted support procedure -- receive problem | forward problem to mailing list | wait for someone else to resolve problem ?

--Original Message--
From: John Aldrich
To: NT System Admin Issues
ReplyTo: NT System Admin Issues
Subject: Trend Micro Internet Security 14
Sent: Apr 19, 2011 17:03

I've got a client (daughter-in-law to be of one of our managers) who's got a laptop with Trend Micro Internet Security 14 for Dell on it. I'm trying to load Vipre Home Premium on it, but I want to get rid of Trend first. The uninstall utility from Trend's website doesn't do squat. Any ideas on how to get rid of Trend? It refuses to uninstall from the add/remove programs and as I say the uninstall utility doesn't do a thing! :(

Thanks!
RE: search program
I use and like Agent Ransack: (the free version works fine)
http://www.mythicsoft.com/page.aspx?type=agentransack

Tammy

From: roberto.gri...@gmail.com [mailto:roberto.gri...@gmail.com]
Sent: Thursday, April 14, 2011 2:27 AM
To: NT System Admin Issues
Subject: Re: search program

Everything
http://www.voidtools.com/

Roberto Grippi

2011/4/13 andy afo...@psu.edu

Does anybody know of a search program that will run on Vista or Windows 7? It has to be fast and not cause problems with other programs. Something like the old windows search. The search in Windows 7 really stinks and is very slow. Even after indexing. Google search has too many problems with it and seems to slow down computers. Is there any way to get the old windows search function back?

Andy

--
Dr. Roberto Grippi
RE: Windows Update problem
This might also be worth a check: (kb2524375)
http://social.technet.microsoft.com/Forums/en-US/w7itproinstall/thread/eed44107-d44b-4ce6-8c3c-9b123303920a

Tammy

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Thursday, April 14, 2011 9:11 AM
To: NT System Admin Issues
Subject: RE: Windows Update problem

Ok. Thanks I already passed that along to the user. :-)

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, April 14, 2011 9:02 AM
To: NT System Admin Issues
Subject: Re: Windows Update problem

I don't know whether it is available on XP or not either, might be an idea to check

On 14 April 2011 13:34, John Aldrich jaldr...@blueridgecarpet.com wrote:

Dunno. I haven't actually laid eyes on it. He just told me that he was going to shut down the computer the other night and it prompted him to install a bunch of updates, so he let it and went to bed, and when he started it up the next day, it was asking for the install media for WordPerfect, Sonic, and other apps that were already installed... not to mention Windows couldn't find the wireless signal. *shrug* I'll mention IE9 (didn't think it was available on XP... *shrug*)

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, April 14, 2011 8:25 AM
To: NT System Admin Issues
Subject: Re: Windows Update problem

Did his recent updates include IE9? I had a guy phone me yesterday saying IE9 had killed his internet access. As he is just one of my friends, a quick uninstall and revert back to IE8 did the trick to get him off the line and let me do some work :-)

On 14 April 2011 13:22, John Aldrich jaldr...@blueridgecarpet.com wrote:

One of my users called to ask a question about a problem with his personal machine. He says that after some recent Windows updates it asks him to reinstall a whole bunch of apps including WordPerfect. Also he says his wireless isn't working. Machine is running Windows XP. Anyone seen this and got any suggestions other than reinstalling the apps?

--
On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

IMPORTANT: This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour or irrational religious beliefs. If you are not the intended recipient, any dissemination, distribution or copying of this email is not authorised (either explicitly or implicitly) and constitutes an irritating social faux pas. Unless the word absquatulation has been used in its correct context somewhere other than in this warning, it does not have any legal or no grammatical use and may be ignored. No animals were harmed in the transmission of this email, although the kelpie next door is living on borrowed time, let me tell you. Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no hidden message revealed by reading this warning backwards, so just ignore that Alert Notice from Microsoft. However, by pouring a complete circle of salt around yourself and your computer you can ensure that no harm befalls you and your pets. If you have received this email in error, please add some nutmeg and egg whites, whisk and place in a warm oven for 40 minutes.
RE: Rogue AV kills XP box
In the last week we have seen an explosion of these threats our guys are working flat out to get better detections in for them. We have a write-up and some registry fixes on our support forums to help remove/recover from this bazaa.

It even runs in safe mode because exe file association has been mangled up to run the rogue every time an exe is run. Once the actual exe causing the popups is nuked -- user gets the open with prompt when trying to run exe files. If it killed Vipre it may also have been able to drag in an additional rootkit (this causes search redirects in browsers with no obvious cause)

http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

exe file assoc fixes:
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=6702&enterthread=y

If you are on VIPRE still got hit -- we have the free malware removal service you may want to consider:
Submit support request http://www.sunbeltsoftware.com/SupportForm/

Don't be shy to give us a shout.

Regards,
Tammy Stewart
Malware Removal Specialist
GFI Software

-Original Message-
From: Guyer, Don [mailto:don.gu...@fiserv.com]
Sent: Monday, April 04, 2011 11:38 AM
To: NT System Admin Issues
Subject: RE: Rogue AV kills XP box

That malware is a bugger. I worked on 2 systems that had it and ended up wiping after a few hours trying different remedies, with no luck.

Don Guyer
Windows Systems Engineer
Datasafe Platform
Enterprise Technology Group
Fiserv
don.gu...@fiserv.com
Office: 1-800-523-7282 x 1673
Fax: 610-233-0404
www.fiserv.com

-Original Message-
From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Monday, April 04, 2011 11:34 AM
To: NT System Admin Issues
Subject: RE: Rogue AV kills XP box

Also Vipre Rescue is a good tool to get rid of this crap! It runs in Safe Mode, command-prompt. You have to install it in GUI mode, though. :-(

From: Steve Ens [mailto:stevey...@gmail.com]
Sent: Monday, April 04, 2011 11:22 AM
To: NT System Admin Issues
Subject: Re: Rogue AV kills XP box

I've found recently that these are killing the profiles...logon as a different user...then nuke the bastage!

On Mon, Apr 4, 2011 at 10:19 AM, richardmccl...@aspca.org wrote:

Greetings!

I was greeted by our overnight vet who was working at someone else's desk. She said she had a rogue AV popping up all the time.

Dell PWS-3500; Windows XP Professional 32-bit, SP3

Popups are something like AntiVirus XP 2011. Found that VIPRE had been shut down by the rogue, and it could not be launched. Could not install MalwareBytes. Could not open a command prompt. All resulted in a new rogue window opening. Booted into SafeMode; no improvement!

I launched Task Manager. I noticed that whenever I tried to restart VIPRE, to launch the MBytes installer, or even to Start-Run- cmd, I'd get a rogue window (forgot to mention - the rogue windows would begin scanning with a separate window about registering). In Task Manager, I noticed a new task, tmu.exe, starting at the time of the popup. When I highlighted tmu.exe and then End process..., the window would close.

I went to another PC, ran REGEDIT, then Open Network Registry to access that machine. I checked both HKLM\Software and HKLM\Users\.Default, and I found nothing unexpected in ...\Microsoft\Windows\CurrentVersion\Run, or in other places I've seen registry changed by malware.

I made a remote connection to the infected machine's drive and searched for tmu.exe. I found it in ADMIN$\System32\config\systemprofile\Application Data. I checked some of its neighbors, and TMU.EXE was not found. So, I deleted it from the infected machine.

Still playing around, I booted the machine in Safe Mode with Command Prompt. I was able to give the command chkdsk /f, and it did run a file system check when rebooted. Again from booting into Safe Mode w/Command Prompt, I was able to launch the MBytes installer. The app, though, would not start (I would imagine this is because in command prompt mode, there would be no GUI displays.)

Booted into both normal and Safe modes. Nothing will run! Double-click a short-cut, double-click a file icon in Explorer, or enter something (ie, Start-Run- cmd), and a window opens asking with which application to open the file.

So, the machine is such that remote access to the file system and registry is available. At the actual machine, the only way to do anything is to boot into command prompt mode. Again, however, no apps will run if they involve a GUI - only console-type commands will run.

Next steps?

Thanks!
-- richard
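Tammy's point above about the mangled exe file association, and her earlier autoruns tip in the Antivirus Center thread (look at the infected user's Run or RunOnce key), both come down to reading a handful of registry values, so here is an added read-only PowerShell audit that does exactly that; it is not code from the list, GFI or Sysinternals. It assumes the stock default values for the exe class (`exefile` and `"%1" %*`) and treats Temp, Application Data and systemprofile paths (where richard found tmu.exe) only as worth flagging, never as proof.

```powershell
# Added example (not from the list thread, GFI or Sysinternals): a read-only
# audit of the two persistence spots discussed in these threads -- the .exe
# file association, which the rogue rewires so it runs on every exe launch,
# and the per-user / machine Run and RunOnce keys. It reports only and
# changes nothing. Run from an elevated PowerShell session (2.0 or later).

$ErrorActionPreference = 'SilentlyContinue'

# Stock defaults for the exe class on XP/Vista/7 (assumed standard values).
$DefaultExeProgId  = 'exefile'
$DefaultExeCommand = '"%1" %*'

# Drop locations worth a second look (tmu.exe in the thread sat under
# systemprofile\Application Data). Used to flag entries, nothing more.
$SuspectPathPattern = '\\Temp\\|\\Application Data\\|\\AppData\\|\\systemprofile\\'

function Get-RegDefault([string]$Path) {
    # Default (unnamed) value of a registry key, or $null if the key is absent.
    $key = Get-Item -LiteralPath $Path
    if ($key) { return $key.GetValue('') }
    return $null
}

function New-Record([string]$Check, $Value, [string]$Status) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Status = $Status }
}

function Test-ExeAssociation {
    # One record per check. HKCU\Software\Classes overrides HKCR for the
    # current profile, so a clean HKCR can still hide a per-user hijack.
    $results = @()
    $roots = @(
        @{ Label = 'HKCR';                  Path = 'Registry::HKEY_CLASSES_ROOT' },
        @{ Label = 'HKCU\Software\Classes'; Path = 'Registry::HKEY_CURRENT_USER\Software\Classes' }
    )
    foreach ($r in $roots) {
        $progId = Get-RegDefault "$($r.Path)\.exe"
        if ($progId -eq $null) {
            # A per-user .exe class is absent on a clean profile; only HKCR must exist.
            if ($r.Label -eq 'HKCR') { $results += New-Record "$($r.Label)\.exe" $null 'MISSING' }
            continue
        }
        $status = if ($progId -eq $DefaultExeProgId) { 'OK' } else { 'HIJACKED' }
        $results += New-Record "$($r.Label)\.exe" $progId $status

        # Follow whatever ProgID is set, so a renamed class is still inspected.
        $cmd = Get-RegDefault "$($r.Path)\$progId\shell\open\command"
        if ($cmd -eq $null) {
            $status = if ($r.Label -eq 'HKCR') { 'MISSING' } else { 'INHERITED' }
        } elseif ($cmd -eq $DefaultExeCommand) { $status = 'OK' } else { $status = 'HIJACKED' }
        $results += New-Record "$($r.Label)\$progId\shell\open\command" $cmd $status
    }
    return $results
}

function Get-RunKeyEntries {
    # Run/RunOnce under HKLM and under every hive loaded in HKEY_USERS: the
    # logged-on users plus .DEFAULT, which is what the systemprofile account
    # sees. This is the "user run key or runonce" autoruns points at.
    $hives = @(@{ Label = 'HKLM'; Path = 'Registry::HKEY_LOCAL_MACHINE' })
    foreach ($u in (Get-ChildItem 'Registry::HKEY_USERS')) {
        if ($u.PSChildName -notmatch '_Classes$') {
            $hives += @{ Label = "HKU\$($u.PSChildName)"; Path = $u.PSPath }
        }
    }
    $entries = @()
    foreach ($h in $hives) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = Get-Item -LiteralPath "$($h.Path)\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                $cmd = [string]$key.GetValue($name)
                $entries += New-Object PSObject -Property @{
                    Hive = $h.Label; Key = $sub; Name = $name; Command = $cmd
                    Suspect = [bool]($cmd -match $SuspectPathPattern)
                }
            }
        }
    }
    return $entries
}

Write-Host '== exe file association =='
Test-ExeAssociation | Format-Table Check, Value, Status -AutoSize
Write-Host '== Run / RunOnce entries (Suspect = command lives in a temp/profile drop location) =='
Get-RunKeyEntries | Sort-Object Suspect -Descending | Format-Table Hive, Key, Name, Suspect, Command -AutoSize
```

If the exe association is already hijacked for the logged-on profile, powershell.exe itself may not start there, so run this from a clean account or after a safe mode boot, as the thread suggests.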