RE: vipre: SVCHOST.EXE virus.

2010-11-19 Thread Erik Goldoff
Given the nature of your audience and their challenges, kudos for reaching
out in whatever methods may prove successful

 

Erik Goldoff

IT Consultant

Systems, Networks, Security

'Security is an ongoing process, not a one-time event!'

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, November 18, 2010 10:53 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

1) Possibly they have or created an account they used for that purpose but
don't use it as a means of communication.  2) We are talking about people
with mental illnesses, severe emotional problems and social disabilities,
people who come from broken homes, abusive parents, severe poverty... how do
they expect to be taken seriously because they don't use email???  Often we
are trying to get them to understand the necessity to bathe if they want to
stay employed.  We do a lot of work with teenagers and young adults.  To a
lot of them, and this is increasingly true of a lot of younger people, email
is kind of a quaint, old-fashioned way to communicate.  They text, they
instant message, they chat on social networking sites, but email is for old
people.

 

 

 


From: Mike Gill [mailto:lis...@canbyfoursquare.com] 
Sent: Thursday, November 18, 2010 5:32 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

How does 1) someone sign up to Facebook without an email account and 2)
expect to be taken seriously AT ALL telling someone FB is the only way they
communicate with people?

 

-- 
Mike Gill

 

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, November 18, 2010 1:37 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Wouldn't bother me, but the last time I did it the HR department complained
because they use Facebook for recruiting, and a lot of our vocational
counselors complained.  We are a non-profit that provides various services
for people with physical and mental disabilities, or have difficulty gaining
employment and or housing due to other disadvantages.  Many clients don't
have email but do all of their electronic communication through sites like
Facebook (which seems to be the trend now especially among our younger
clients).  So Facebook is the means by which a lot of our staff keep in
contact with their clients.

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

 


RE: vipre: SVCHOST.EXE virus.

2010-11-19 Thread Ziots, Edward
Flatten the box, DBAN the drive and/or replace it with a fresh HD out of the box,
and move on. Thinkpoint is particularly nasty and you can't always tell what it
has infected or dropped accordingly.

 

http://www.bleepingcomputer.com/virus-removal/remove-thinkpoint

 

But the instructions above could be helpful to folks. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Cell: 401-639-3505

 

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, November 18, 2010 4:15 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Yes, that's it.  We had one workstation that had the fake Thinkpoint scan 
running, so apparently VIPRE AP didn't block it from executing on that one.

On every affected machine we have seen, looking at the browser history each 
user was on Facebook immediately prior to VIPRE AP reacting.  I continue to try 
to educate users about safe surfing, but I may have to block Facebook if VIPRE 
is unable to deal with it soon. 



From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, November 18, 2010 3:51 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

Yep, that is drive-by malware we have seen accordingly; it's the Thinkpoint
virus.

 

C:\Documents and Settings\username\Application Data\hotfix.exe

C:\Documents and Settings\username\Application Data\dkfjasdfshd.bat

C:\Documents and Settings\username\Desktop\mstsc.exe

 

This is what we saw in our inspection of some workstations.

 

Z

 

 


 

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, November 18, 2010 3:47 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

I've seen on a few computers over the last couple of weeks where there is a 
file on the user's desktop called MSTSC.exe, and there are various executables 
scattered around in the user's profile with various names the same as or close 
to legitimate Windows files, including SVCHOST.EXE.

 

I sent samples to the VIPRE folks a few times - haven't heard anything back.  
In my case VIPRE active protection kept blocking the execution of the files, 
but didn't recognize them as threats when doing a full scan.  MalwareBytes 
found and cleaned a bunch of stuff, but the next time the computer was rebooted 
it was back.  Trend also saw them but couldn't remove them.  I've been wiping 
and re-imaging them.

 



From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:32 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

The virus came in this morning, via the internet browser.

 

hkey_users\default\software\Microsoft\Windows NT\Current backdoor-faaa!1 Torjan

windows|Load hkey_users\s-1-5-19\Software\WIndows NT\CUrrent\ Backdoor-FAAA1! 
Torjan

 

 

Internet Settigns [Proxy Server  
hkey_users\s-1-5-21-3786461165-302493939458-2064062449-500

On Thu, Nov 18, 2010 at 3:23 PM, Ziots, Edward ezi...@lifespan.org wrote:

There was a post on ISC just a day or two ago about another version of 
Conficker B++ accordingly, making the rounds. Just an idea, but might be your 
culprit. 

 

Z

 


 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:14 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

 

Oh, I have yet to call them; I will call them soon, but I want to see what the list
says.

 

But I wanted to see if the mailing list saw this before..

Back-Door-F!1 is the name that McAfee detected it as.

 

On Thu, Nov 18, 2010 at 3:11 PM, Jim Holmgren jholmg...@xlhealth.com wrote:

What did Vipre Tech Support say when you called them?

 

 

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com

 

 

 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:10 PM
To: NT System Admin Issues
Subject: vipre: SVCHOST.EXE virus.

 

 Vipre did not detect it, or clean it. Anti-virus definitions were up to date,  
active scanner was running as well, so I'm a bit concerned the active scanner 
didn't pick it up. 


The virus was still loading in his run command in the registry so I had to 
uninstall Vipre and put my own copy of McAfee on his machine to get rid of the 
virus.   

 

Any ideas??
-- 
Justin
IT-TECH

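Added here as a defender-side example, not code from the list or from any vendor: a PowerShell triage script that checks a workstation for the artefacts named in the messages above (look-alike system binaries under user profiles, per-user Run and Load autostart values, and an unexpected proxy setting). The name list is an assumption to extend for your own environment; run it from an elevated prompt on the suspect machine.

```powershell
# Added example (not code from the list or any vendor): triage for the
# artefacts this thread describes. Assumptions: elevated PowerShell on the
# suspect workstation; $suspectNames is a constructed starting list, not an
# authoritative inventory of Windows binaries.

# Names the thread reports seeing under user profiles, plus a couple of
# other system binaries that never belong in a profile directory.
$suspectNames = @('svchost.exe', 'mstsc.exe', 'hotfix.exe', 'lsass.exe', 'csrss.exe')

function New-Finding {
    param([string]$Where, [string]$Item, [string]$Detail)
    # New-Object keeps this usable on the PowerShell 2.0 hosts of the XP era.
    New-Object PSObject -Property @{ Where = $Where; Item = $Item; Detail = $Detail }
}

# 1. System-binary names sitting under user profiles
#    (C:\Documents and Settings on XP, C:\Users on Vista and later).
#    A file with one of these names has no business living in a profile.
function Find-ProfileLookalikes {
    $roots = @("$env:SystemDrive\Documents and Settings", "$env:SystemDrive\Users") |
        Where-Object { Test-Path $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Force -Include $suspectNames -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                New-Finding -Where 'File' -Item $_.FullName -Detail "size=$($_.Length) modified=$($_.LastWriteTime)"
            }
    }
}

# 2. Per-user autostart and proxy locations the thread mentions, read
#    through HKEY_USERS so every loaded profile hive is covered, not just
#    the account running the script.
function Get-UserHiveFindings {
    $hives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        $base = "Registry::HKEY_USERS\$sid"

        # Run key: every value is a command line launched at logon.
        $run = Get-ItemProperty -Path "$base\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($p in $run.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
                New-Finding -Where "$sid\...\CurrentVersion\Run" -Item $p.Name -Detail $p.Value
            }
        }

        # Load value (successor of the win.ini "load=" line): rarely set by legitimate software.
        $win = Get-ItemProperty -Path "$base\Software\Microsoft\Windows NT\CurrentVersion\Windows" -Name Load -ErrorAction SilentlyContinue
        if ($win -and $win.Load) {
            New-Finding -Where "$sid\...\Windows NT\CurrentVersion\Windows" -Item 'Load' -Detail $win.Load
        }

        # Proxy: a proxy nobody configured means browser traffic is being redirected.
        $inet = Get-ItemProperty -Path "$base\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -ErrorAction SilentlyContinue
        if ($inet -and $inet.ProxyEnable -eq 1) {
            New-Finding -Where "$sid\...\Internet Settings" -Item 'ProxyServer' -Detail $inet.ProxyServer
        }
    }
}

$findings = @(Find-ProfileLookalikes) + @(Get-UserHiveFindings)
if ($findings.Count -eq 0) {
    'No findings.'
} else {
    # Anything listed here is a candidate to preserve (copy, hash, submit to
    # the AV vendor) before the machine is wiped and re-imaged.
    $findings | Format-Table Where, Item, Detail -AutoSize -Wrap
}
```

Review the Run and Load entries by hand: legitimate software does use the Run key, so the findings are leads for a sample submission and a re-image decision, not a verdict.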

RE: vipre: SVCHOST.EXE virus.

2010-11-19 Thread Ziots, Edward
I would actually look at your web-reputation/filtering software to allow access
to the Facebook website (specific part) per AD group, and get assurances that
only folks in the HR group are authorized to utilize it. A firewall rule is a
moving target (CPUs get new IPs via DHCP, etc.).

 

Z

 


 

From: Sean Rector [mailto:sean.rec...@vaopera.org] 
Sent: Thursday, November 18, 2010 4:57 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Set up a firewall rule that allows certain people access - that's what I did 
for our folks.  Otherwise, they're blocked.

 

Sean Rector, MCSE

 


 



From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 4:18 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

So maybe facebook needs to be blocked, oh how horrible..


RE: vipre: SVCHOST.EXE virus.

2010-11-19 Thread pdw1914

Seinfeld.  Newman was complaining about how much he hates broccoli.

Subject: RE: vipre: SVCHOST.EXE virus.
Date: Thu, 18 Nov 2010 16:31:50 -0500
From: don.gu...@prufoxroach.com
To: ntsysadmin@lyris.sunbelt-software.com

No, no and never heard of that show-no.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

From: Kim Longenbaugh [mailto:k...@colonialsavings.com]
Sent: Thursday, November 18, 2010 4:30 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

Welcome Back Kotter? That '70s Show? FBI, with Inspector Erskine?

From: Don Guyer [mailto:don.gu...@prufoxroach.com]
Sent: Thursday, November 18, 2010 3:28 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

I never thought the day would come!!! "Vile weed!" (Who can tell me which TV show that line came from?)

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

From: justino garcia [mailto:jgarciaitl...@gmail.com]
Sent: Thursday, November 18, 2010 4:18 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

So maybe facebook needs to be blocked, oh how horrible..

RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Jim Holmgren
What did Vipre Tech Support say when you called them?

 

 

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com

 

 

 


Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread justino garcia
Oh, I have yet to call them; I will call them soon, but I want to see what the list
says.

But I wanted to see if the mailing list saw this before..
Back-Door-F!1 is the name that McAfee detected it as.


-- 
Justin
IT-TECH


RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread David Mazzaccaro
I had one today: Win32.Autorun.gen (v).

Vipre detected it, but could not clean it.

Malwarebytes (free) took care of it.

 

 

 


Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread RichardMcClary
Personally, I'd prefer using AntiVirus 2010 over McAfee.

When you get things under control, could you please share with us what it 
was which tipped you off, what it was doing, etc?  I think many of us are 
curious now.
--
Richard D. McClary
Systems Administrator, Information Technology Group 
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL  61802
 
richardmccl...@aspca.org
 
P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org
 

RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Ziots, Edward
There was a post on ISC just a day or two ago about another version of 
Conficker B++ accordingly, making the rounds. Just an idea, but might be your 
culprit. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Cell: 401-639-3505

 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:14 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

 

OH I yet to call them, I will call them soon, but want to see what the list 
says.

 

But I wanted to see if the malling list saw this before..

Back-Door-F!1, is the name that mcafee detected it as.

 

On Thu, Nov 18, 2010 at 3:11 PM, Jim Holmgren jholmg...@xlhealth.com wrote:

What did Vipre Tech Support say when you called them?

 

 

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com

 

 

 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:10 PM
To: NT System Admin Issues
Subject: vipre: SVCHOST.EXE virus.

 

 Vipre did not detect it, or clean it. Anti-virus definitions were up to date,  
active scanner was running as well, so I'm a bit concerned the active scanner 
didn't pick it up. 
The virus was still loading in his run command in the registry so I had to 
uninstall Vipre and put my own copy of McAfee on his machine to get rid of the 
virus.   

 

Any ideas??
-- 
Justin
IT-TECH



CONFIDENTIALITY NOTICE: This email, including attachments, is for the sole use 
of the intended recipient(s) and may contain confidential and/or protected 
health information. Under the Federal Law (HIPAA), the intended recipient is 
obligated to keep this information secure and confidential. Any disclosure to 
third parties without authorization from the member of as permitted by law is 
prohibited and punishable under Federal Law. If you are not the intended 
recipient, please contact the sender by reply e-mail and destroy all copies of 
the original message. 


RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread John Aldrich
Interesting... My machine blue screened twice on me today, and another
user's machine gave him the BSOD as well. Makes me wonder if maybe we don’t
have something on our machines. I'll run a quick check on mine and see if I
find anything.





Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread justino garcia
The virus came in this morning, via the internet browser.

hkey_users\default\software\Microsoft\Windows NT\Current backdoor-faaa!1 Trojan
windows|Load hkey_users\s-1-5-19\Software\WIndows NT\CUrrent\ Backdoor-FAAA1! Trojan

Internet Settings [Proxy Server
 hkey_users\s-1-5-21-3786461165-302493939458-2064062449-500





-- 
Justin
IT-TECH
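The per-user locations in Justin's scan output (the Windows NT "Load" value under a user hive and the per-user Internet Settings proxy) can be audited across every loaded hive with a read-only script like the one below. This is an added example, not code from the thread or from VIPRE or McAfee; the list of impersonated binary names and the "suspicious" heuristics are assumptions of the example, not something the thread states.

```powershell
# Added example (not from the thread): audit the per-user autostart and proxy
# locations reported above, for every user hive currently loaded under HKEY_USERS.
# Run from an elevated PowerShell prompt on the suspect machine; it only reads.

$systemDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

# Assumption: names of legitimate System32 binaries that malware likes to borrow.
$lookalikeNames = @('svchost.exe', 'mstsc.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe')

function Get-ExecutablePath {
    # Pull the program path out of an autorun value ("C:\x\y.exe" /arg  or  C:\x\y.exe /arg).
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cl, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function Get-SuspicionReasons {
    # Heuristics (assumptions of this example) for why an autorun target deserves a look.
    param([string]$Path)
    if (-not $Path) { return @() }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $name     = [IO.Path]::GetFileName($expanded).ToLowerInvariant()
    $reasons  = @()
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        $reasons += 'relative path (resolved through the search order, not a fixed file)'
    }
    elseif (($lookalikeNames -contains $name) -and
            (-not $expanded.StartsWith($systemDir, [StringComparison]::OrdinalIgnoreCase))) {
        $reasons += "system binary name '$name' loaded from outside $systemDir"
    }
    if ($expanded -match '\\(Users|Documents and Settings)\\') {
        $reasons += 'executable lives under a user profile'
    }
    if ([IO.Path]::IsPathRooted($expanded) -and -not (Test-Path -LiteralPath $expanded)) {
        $reasons += 'target file missing on disk (dangling autorun)'
    }
    return $reasons
}

function New-Finding {
    param([string]$Sid, [string]$Location, [string]$Data)
    [pscustomobject]@{
        Sid      = $Sid
        Location = $Location
        Data     = $Data
        Reasons  = (Get-SuspicionReasons (Get-ExecutablePath $Data)) -join '; '
    }
}

$findings = @()
foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
    $sid = $hive.PSChildName                          # .DEFAULT, S-1-5-19, S-1-5-21-..., etc.
    if ($sid -like '*_Classes') { continue }          # skip the per-user HKCR merge hives
    $base = "Registry::HKEY_USERS\$sid"

    # 1) win.ini-era 'Load' / 'Run' values under Windows NT\CurrentVersion\Windows, the
    #    location flagged in the scan output above. They still start programs at logon
    #    and are almost never set legitimately on a workstation.
    $winNt = "$base\Software\Microsoft\Windows NT\CurrentVersion\Windows"
    foreach ($valueName in 'Load', 'Run') {
        $data = (Get-ItemProperty -Path $winNt -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ($data) { $findings += New-Finding $sid "Windows NT\CurrentVersion\Windows\$valueName" $data }
    }

    # 2) Ordinary per-user Run / RunOnce entries (every value is listed; judge by Reasons).
    foreach ($sub in 'Run', 'RunOnce') {
        $props = Get-ItemProperty -Path "$base\Software\Microsoft\Windows\CurrentVersion\$sub" -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PSPath/PSParentPath/... metadata
            $findings += New-Finding $sid "Windows\CurrentVersion\$sub\$($p.Name)" ([string]$p.Value)
        }
    }

    # 3) A per-user proxy nobody configured, the other location in the scan output.
    $inet = Get-ItemProperty -Path "$base\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1) {
        $findings += [pscustomobject]@{
            Sid = $sid; Location = 'Internet Settings\ProxyServer'; Data = $inet.ProxyServer
            Reasons = 'proxy enabled for this user; confirm it is the corporate proxy'
        }
    }
}

if ($findings) { $findings | Sort-Object Sid | Format-Table -AutoSize -Wrap }
else           { 'No per-user autoruns or proxy settings found in the loaded hives.' }
```

Hives of users who are not logged on are not under HKEY_USERS, so run it while the affected user is logged on or load their NTUSER.DAT first.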


Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread RS
Oof!  (TM -sc)

On Thu, Nov 18, 2010 at 3:22 PM, richardmccl...@aspca.org wrote:


 Personally, I'd prefer using AntiVirus 2010 over McAfee.

 When you get things under control, could you please share with us what it
 was which tipped you off, what it was doing, etc?  I think many of us are
 curious now.
 --
 Richard D. McClary
 Systems Administrator, Information Technology Group
 *ASPCA®*
 1717 S. Philo Rd, Ste 36
 Urbana, IL  61802

 richardmccl...@aspca.org

 P: 217-337-9761
 C: 217-417-1182
 F: 217-337-9761
 *www.aspca.org* http://www.aspca.org/


 The information contained in this e-mail, and any attachments hereto, is
 from The American Society for the Prevention of Cruelty to Animals® (ASPCA
 ®) and is intended only for use by the addressee(s) named herein and may
 contain legally privileged and/or confidential information. If you are not
 the intended recipient of this e-mail, you are hereby notified that any
 dissemination, distribution, copying or use of the contents of this e-mail,
 and any attachments hereto, is strictly prohibited. If you have received
 this e-mail in error, please immediately notify me by reply email and
 permanently delete the original and any copy of this e-mail and any printout
 thereof.



Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread justino garcia
So, any ideas? Is Conficker2 not being stopped by VIPRE?





-- 
Justin
IT-TECH


Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Jeff Steward
Contact Support.  It could be that you have a new variant that isn't picked
up yet, and won't be until the A/V companies see it.

-Jeff Steward


Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread justino garcia
I am on hold with VIPRE tech...





-- 
Justin
IT-TECH


Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread justino garcia
The funny thing is, McAfee did catch it (I had to uninstall VIPRE and use
McAfee).





-- 
Justin
IT-TECH


RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Ralph Smith
Over the last couple of weeks I've seen a few computers where there is a 
file on the user's desktop called MSTSC.exe, and there are various executables 
scattered around in the user's profile with names the same as or close to 
those of legitimate Windows files, including SVCHOST.EXE.
 
I sent samples to the VIPRE folks a few times - haven't heard anything back.  
In my case VIPRE active protection kept blocking the execution of the files, 
but didn't recognize them as threats when doing a full scan.  MalwareBytes 
found and cleaned a bunch of stuff, but the next time the computer was rebooted 
it was back.  Trend also saw them but couldn't remove them.  I've been wiping 
and re-imaging them.



From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:32 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.


   The virus came in this morning, via the internet browser. 


hkey_users\default\software\Microsoft\Windows NT\Current backdoor-faaa!1 Torjan
windows|Load hkey_users\s-1-5-19\Software\WIndows NT\CUrrent\ Backdoor-FAAA1! 
Torjan




Internet Settigns [Proxy Server  
hkey_users\s-1-5-21-3786461165-302493939458-2064062449-500


On Thu, Nov 18, 2010 at 3:23 PM, Ziots, Edward ezi...@lifespan.org wrote:


There was a post on ISC just a day or two ago about another version of 
Conficker B++ accordingly, making the rounds. Just an idea, but might be your 
culprit. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org mailto:email%3aezi...@lifespan.org 

Cell:401-639-3505

 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:14 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

Oh, I have yet to call them. I will call them soon, but want to see what the 
list says.

But I wanted to see if the mailing list saw this before..

Back-Door-F!1 is the name that McAfee detected it as.

 

On Thu, Nov 18, 2010 at 3:11 PM, Jim Holmgren jholmg...@xlhealth.com 
wrote:

What did Vipre Tech Support say when you called them?

Jim Holmgren
Manager of Server Engineering
XLHealth Corporation
The Warehouse at Camden Yards
351 West Camden Street, Suite 100
Baltimore, MD 21201 
410.625.2200 (main)
443.524.8573 (direct)
443-506.2400 (cell)
www.xlhealth.com

 

 

 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:10 PM
To: NT System Admin Issues
Subject: vipre: SVCHOST.EXE virus.

Vipre did not detect it, or clean it. Anti-virus definitions were up 
to date, active scanner was running as well, so I'm a bit concerned the active 
scanner didn't pick it up. 

The virus was still loading in his run command in the registry so I had 
to uninstall Vipre and put my own copy of McAfee on his machine to get rid of 
the virus.   

Any ideas??
-- 
Justin
IT-TECH





CONFIDENTIALITY NOTICE: This email, including attachments, is for the 
sole use of the intended recipient(s) and may contain confidential and/or 
protected health information. Under the Federal Law (HIPAA), the intended 
recipient is obligated to keep this information secure and confidential. Any 
disclosure to third parties without authorization from the member of as 
permitted by law is prohibited and punishable under Federal Law. If you are not 
the intended recipient, please contact the sender by reply e-mail and destroy 
all copies of the original message. 


Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread justino garcia
I guess best is just to reimage / wipe / reimage the system.
Ralph what do you use for reimage of the system?




RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Ziots, Edward
Yep, that is a drive-by malware we have seen accordingly, it's the ThinkPoint 
virus. 

C:\Documents and Settings\username\Application Data\hotfix.exe
C:\Documents and Settings\username\Application Data\dkfjasdfshd.bat
C:\Documents and Settings\username\Desktop\mstsc.exe

That is what we saw in our inspection of some workstations. 

Z

Edward E. Ziots
CISSP, Network+, Security+
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Cell: 401-639-3505

 


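As an added triage example (written for this page, not code from the thread, from Sunbelt or from any other vendor mentioned), the following read-only PowerShell script pulls together the indicators the thread reports so an admin can check a box before deciding to re-image: the per-user "Load" value Justin's McAfee log points at, the per-user ProxyServer value under Internet Settings, the classic Run key, and the file drops Ed and Ralph list (hotfix.exe and dkfjasdfshd.bat in Application Data, mstsc.exe on the Desktop, svchost.exe elsewhere in the profile). Assumptions: the key the thread shows truncated as "Windows NT\Current" is taken to be Windows NT\CurrentVersion\Windows, whose Load and Run values are legacy win.ini-mapped autostarts; the profile root is derived from the current user's profile path; the drop-name list is only what the thread names. It reports, it does not remove anything, and it does not change the thread's own conclusion that a machine where the files come back after reboot is wiped and re-imaged.

```powershell
# Added triage script (not from the list thread). Read-only: it lists the
# per-user autostart values and file drops described in the thread so they
# can be compared against a known-clean machine. Run from an elevated
# PowerShell so every hive loaded under HKEY_USERS is readable.

# File names reported in the thread. mstsc.exe and svchost.exe are real
# Windows binaries that belong in %SystemRoot%\system32; a copy inside a
# user profile is the indicator, not the name by itself.
$DropNames = @('hotfix.exe', 'dkfjasdfshd.bat', 'mstsc.exe', 'svchost.exe')

# Registry values to report from every loaded user hive. The thread shows
# the key only as "Windows NT\Current..."; the full path below is an
# assumption: the legacy win.ini-mapped key Windows NT\CurrentVersion\Windows,
# whose Load and Run values start a program at logon. ProxyServer is the
# per-user Internet Settings value the thread lists under the user's SID.
$Checks = @(
    @{ Sub = 'Software\Microsoft\Windows NT\CurrentVersion\Windows';        Name = 'Load' },
    @{ Sub = 'Software\Microsoft\Windows NT\CurrentVersion\Windows';        Name = 'Run' },
    @{ Sub = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyServer' }
)
$RunKey  = 'Software\Microsoft\Windows\CurrentVersion\Run'
$PsNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# HKU: is not a default drive; map it once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$Findings = @()

# 1. Every loaded hive: .DEFAULT, service SIDs (S-1-5-19 appears in the
#    thread) and each logged-on user (S-1-5-21-...). *_Classes hives are skipped.
foreach ($hive in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notlike '*_Classes' }) {
    $sid = $hive.PSChildName
    foreach ($c in $Checks) {
        $key = "HKU:\$sid\$($c.Sub)"
        # Missing key or value: Get-ItemProperty returns nothing, no error shown.
        $val = (Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($val) {
            $Findings += New-Object PSObject -Property @{
                Type = 'Registry'; Where = "$sid\$($c.Sub)\$($c.Name)"; What = $val }
        }
    }
    # Each value in the classic Run key, minus the PS* note properties that
    # Get-ItemProperty adds to its output object.
    $run = Get-ItemProperty -Path "HKU:\$sid\$RunKey" -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($PsNoise -notcontains $p.Name) {
                $Findings += New-Object PSObject -Property @{
                    Type = 'Run'; Where = "$sid\$RunKey\$($p.Name)"; What = $p.Value }
            }
        }
    }
}

# 2. Every user profile (C:\Documents and Settings on XP, C:\Users later):
#    executables and batch files whose name matches the thread's drop list.
$ProfileRoot = Split-Path -Parent $env:USERPROFILE
Get-ChildItem -Path $ProfileRoot -Recurse -Force -Include *.exe, *.bat -ErrorAction SilentlyContinue |
    Where-Object { $DropNames -contains $_.Name } |
    ForEach-Object {
        $Findings += New-Object PSObject -Property @{
            Type = 'File'; Where = $_.FullName
            What = '{0} bytes, modified {1}' -f $_.Length, $_.LastWriteTime }
    }

$Findings | Format-Table -AutoSize -Property Type, Where, What
```

Anything under Type "Registry" or "Run" that points into a user profile rather than Program Files or system32, and any Type "File" hit at all, is worth a hash and a sample to the vendor before the box is re-imaged; a ProxyServer value the admin did not set explains why a browser on the affected machine may be routed somewhere it should not be.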
RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Ralph Smith
It depends on the machine.  At various times we have used Norton Ghost, 
GhostImage, Drive Image XML and Acronis to create an image, so the appropriate 
tool is used to restore it.  When we set up a new computer we create an image 
of the clean install, and then use that if we need to reimage it in the future.




RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Steven M. Caesare
I'll send you a bill.

-sc

 

From: RS [mailto:rich...@gmail.com] 
Sent: Thursday, November 18, 2010 3:34 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

Oof!  (TM -sc)

On Thu, Nov 18, 2010 at 3:22 PM, richardmccl...@aspca.org wrote:

Personally, I'd prefer using AntiVirus 2010 over McAfee. 

When you get things under control, could you please share with us what it was 
which tipped you off, what it was doing, etc?  I think many of us are curious 
now.
-- 
Richard D. McClary 
Systems Administrator, Information Technology Group 
ASPCA® 
1717 S. Philo Rd, Ste 36 
Urbana, IL  61802 
richardmccl...@aspca.org 
P: 217-337-9761 
C: 217-417-1182 
F: 217-337-9761 
www.aspca.org

The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and is 
intended only for use by the addressee(s) named herein and may contain legally 
privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof. 
  



RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Ralph Smith
Yes, that's it.  We had one workstation that had the fake Thinkpoint scan 
running, so apparently VIPRE AP didn't block it from executing on that one.
On every affected machine we have seen, looking at the browser history each 
user was on Facebook immediately prior to VIPRE AP reacting.  I continue to try 
to educate users about safe surfing, but I may have to block Facebook if VIPRE 
is unable to deal with it soon. 



Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread justino garcia
So maybe Facebook needs to be blocked, oh how horrible...


Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread RS
I would think that Mr. McClary's brilliantly executed joke would be payment
enough*, but if you require old fashioned monetary compensation I'll be
happy to send a check.  What's your address again?

* Seriously, one of several great LOL moments today.

On Thu, Nov 18, 2010 at 4:09 PM, Steven M. Caesare scaes...@caesare.comwrote:

 I’ll send you a bill.



 -sc



 *From:* RS [mailto:rich...@gmail.com]
 *Sent:* Thursday, November 18, 2010 3:34 PM

 *To:* NT System Admin Issues
 *Subject:* Re: vipre: SVCHOST.EXE virus.



 Oof!  (TM -sc)

 On Thu, Nov 18, 2010 at 3:22 PM, richardmccl...@aspca.org wrote:


 Personally, I'd prefer using AntiVirus 2010 over McAfee.

 When you get things under control, could you please share with us what it
 was which tipped you off, what it was doing, etc?  I think many of us are
 curious now.
 --
 Richard D. McClary
 Systems Administrator, Information Technology Group
 *ASPCA®*
 1717 S. Philo Rd, Ste 36
 Urbana, IL  61802

 richardmccl...@aspca.org

 P: 217-337-9761
 C: 217-417-1182
 F: 217-337-9761
 www.aspca.org


 The information contained in this e-mail, and any attachments hereto, is
 from The American Society for the Prevention of Cruelty to Animals® (ASPCA
 ®) and is intended only for use by the addressee(s) named herein and may
 contain legally privileged and/or confidential information. If you are not
 the intended recipient of this e-mail, you are hereby notified that any
 dissemination, distribution, copying or use of the contents of this e-mail,
 and any attachments hereto, is strictly prohibited. If you have received
 this e-mail in error, please immediately notify me by reply email and
 permanently delete the original and any copy of this e-mail and any printout
 thereof.


 justino garcia jgarciaitl...@gmail.com wrote on 11/18/2010 02:09:44 PM:

   Vipre did not detect it, or clean it. Anti-virus definitions were
  up to date, active scanner was running as well, so I'm a bit
  concerned the active scanner didn't pick it up.
  The virus was still loading in his run command in the registry so I
  had to uninstall Vipre and put my own copy of McAfee on his machine
  to get rid of the virus.

  Any ideas??
  --
  Justin
  IT-TECH
  ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
  ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

  ---
  To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
  or send an email to listmana...@lyris.sunbeltsoftware.com
  with the body: unsubscribe ntsysadmin


RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Don Guyer
I never thought the day would come!!!

 

Vile weed!

 

(who can tell me which TV show that line came from?)

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox  Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com mailto:don.gu...@prufoxroach.com 

 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 4:18 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

 

So maybe Facebook needs to be blocked, oh how horrible...

On Thu, Nov 18, 2010 at 4:14 PM, Ralph Smith m...@gatewayindustries.org wrote:

Yes, that's it.  We had one workstation that had the fake Thinkpoint scan 
running, so apparently VIPRE AP didn't block it from executing on that one.

On every affected machine we have seen, looking at the browser history each 
user was on Facebook immediately prior to VIPRE AP reacting.  I continue to try 
to educate users about safe surfing, but I may have to block Facebook if VIPRE 
is unable to deal with it soon. 



From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, November 18, 2010 3:51 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Yep, that is drive-by malware we have seen accordingly; it's the ThinkPoint 
virus.

C:\Documents and Settings\username\Application Data\hotfix.exe
C:\Documents and Settings\username\Application Data\dkfjasdfshd.bat
C:\Documents and Settings\username\Desktop\mstsc.exe

That is what we saw in our inspection of some workstations. 

 

Z

 

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org mailto:email%3aezi...@lifespan.org 

Cell:401-639-3505

 

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, November 18, 2010 3:47 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

I've seen on a few computers over the last couple of weeks where there is a 
file on the user's desktop called MSTSC.exe, and there are various executables 
scattered around in the user's profile with various names the same as or close 
to legitimate Windows files, including SVCHOST.EXE.

 

I sent samples to the VIPRE folks a few times - haven't heard anything back.  
In my case VIPRE active protection kept blocking the execution of the files, 
but didn't recognize them as threats when doing a full scan.  MalwareBytes 
found and cleaned a bunch of stuff, but the next time the computer was rebooted 
it was back.  Trend also saw them but couldn't remove them.  I've been wiping 
and re-imaging them.

 



From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:32 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

   The virus came in this morning, via the internet browser. 

hkey_users\default\software\Microsoft\Windows NT\Current backdoor-faaa!1 Trojan

windows|Load hkey_users\s-1-5-19\Software\Windows NT\Current\ Backdoor-FAAA1! 
Trojan

Internet Settings [Proxy Server  
hkey_users\s-1-5-21-3786461165-302493939458-2064062449-500

On Thu, Nov 18, 2010 at 3:23 PM, Ziots, Edward ezi...@lifespan.org wrote:

There was a post on ISC just a day or two ago about another version of 
Conficker B++ accordingly, making the rounds. Just an idea, but might be your 
culprit. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org mailto:email%3aezi...@lifespan.org 

Cell:401-639-3505

 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:14 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

Oh, I have yet to call them. I will call them soon, but I want to see what the 
list says.

But I wanted to see if the mailing list had seen this before.

Back-Door-F!1 is the name that McAfee detected it as.

 

On Thu, Nov 18, 2010 at 3:11 PM, Jim Holmgren jholmg...@xlhealth.com wrote:

What did Vipre Tech Support say when you called them?

 

 

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351 West Camden Street, Suite 100

Baltimore, MD 21201 

410.625.2200 (main)

443.524.8573 (direct)

443-506.2400 (cell)

www.xlhealth.com

 

 

 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:10 PM
To: NT System Admin Issues
Subject: vipre: SVCHOST.EXE virus.

Vipre did not detect it, or clean it. Anti-virus definitions were up to date, 
active scanner was running as well, so I'm a bit concerned the active scanner 
didn't pick it up. 

The virus was still loading in his run command in the registry so I had to 
uninstall Vipre and put my own copy of McAfee on his machine to get rid of the 
virus.

 

Any ideas??
-- 
Justin
IT-TECH

~ Finally, powerful endpoint security that ISN'T
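
The indicators quoted in this message (copies of Windows binary names such as svchost.exe and mstsc.exe sitting under a user's profile, Run/Load autostart values in per-user HKEY_USERS hives, and a proxy entry in Internet Settings) can be swept for read-only before a machine is re-imaged; the script below is an added example, not code from any poster on this list or from VIPRE. It assumes an elevated PowerShell on the affected workstation and that the abbreviated registry lines quoted above refer to the standard per-user Run key, the Load/Run values under Windows NT\CurrentVersion\Windows, and the Internet Settings ProxyServer value.

```powershell
# Added example (not code from any poster on this thread): a read-only triage
# sweep for the indicators described above. Assumptions: run from an elevated
# PowerShell on the affected workstation; the registry locations below are the
# standard autostart/proxy values the quoted registry lines are taken to mean.
# Nothing is modified or deleted; the output is a list of findings to review.

# Legitimate binary names the malware reused (from the thread). The real
# svchost.exe / mstsc.exe live only under the system directories, so the same
# name inside a user profile is a strong indicator.
$knownLookalikes = @('svchost.exe', 'mstsc.exe', 'hotfix.exe')
$system32Names = @{}
Get-ChildItem "$env:SystemRoot\System32" -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { $system32Names[$_.Name.ToLowerInvariant()] = $true }

function Find-ProfileLookalikes {
    # Walk every user profile (C:\Documents and Settings or C:\Users) and report
    # executables named like a System32 binary, or like the droppers seen here.
    param([string]$ProfilesRoot = (Split-Path -Parent $env:USERPROFILE))
    Get-ChildItem -Path $ProfilesRoot -Recurse -Force -Include *.exe, *.bat -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.Name.ToLowerInvariant()
            ($knownLookalikes -contains $name) -or $system32Names.ContainsKey($name)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Category = 'ProfileLookalike'
                Location = $_.FullName
                Detail   = ('{0} bytes, modified {1}' -f $_.Length, $_.LastWriteTime)
            }
        }
}

function Test-ProfilePath {
    # True when a command line points into a user profile rather than the
    # system directories, which is the persistence pattern seen in this thread.
    param([string]$CommandLine)
    return ($CommandLine -match '(?i)\\(Documents and Settings|Users)\\' -or
            $CommandLine -match '(?i)\\Application Data\\')
}

function Find-UserHiveAutostarts {
    # For every loaded hive under HKEY_USERS (including S-1-5-19, the LOCAL
    # SERVICE hive that the quoted registry output lists), inspect the Run key,
    # the legacy Windows NT "Load"/"Run" values and the Internet Settings proxy.
    $hives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $base = "Registry::HKEY_USERS\$($hive.PSChildName)"
        $checks = @(
            @{ Key = "$base\Software\Microsoft\Windows\CurrentVersion\Run"; Name = $null },
            @{ Key = "$base\Software\Microsoft\Windows NT\CurrentVersion\Windows"; Name = 'Load' },
            @{ Key = "$base\Software\Microsoft\Windows NT\CurrentVersion\Windows"; Name = 'Run' },
            @{ Key = "$base\Software\Microsoft\Windows\CurrentVersion\Internet Settings"; Name = 'ProxyServer' }
        )
        foreach ($c in $checks) {
            $props = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }
            # Drop the PSPath/PSParentPath/... bookkeeping properties.
            $pairs = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
            if ($c.Name) { $pairs = $pairs | Where-Object { $_.Name -eq $c.Name } }
            foreach ($p in $pairs) {
                $value = [string]$p.Value
                if ([string]::IsNullOrEmpty($value)) { continue }
                # Any Load/Run entry launched from a profile directory, and any
                # proxy server at all, is reported for the analyst to confirm.
                if ($c.Name -eq 'ProxyServer' -or (Test-ProfilePath $value)) {
                    New-Object PSObject -Property @{
                        Category = "Registry:$($p.Name)"
                        Location = ($c.Key -replace '^Registry::', '')
                        Detail   = $value
                    }
                }
            }
        }
    }
}

# Run both sweeps and present the findings. An empty table means none of this
# thread's indicators were found, not that the machine is clean.
$findings = @(Find-ProfileLookalikes) + @(Find-UserHiveAutostarts)
$findings | Format-Table Category, Location, Detail -AutoSize -Wrap
```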

Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Jonathan Link
His current location doesn't have postal service.

On Thu, Nov 18, 2010 at 4:17 PM, RS rich...@gmail.com wrote:

 I would think that Mr. McClary's brilliantly executed joke would be payment
 enough*, but if you require old fashioned monetary compensation I'll be
 happy to send a check.  What's your address again?

 * Seriously, one of several great LOL moments today.


RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Kim Longenbaugh
Welcome back Kotter?

 

That 70's show?

 

FBI, with Inspector Erskine?

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Thursday, November 18, 2010 3:28 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

I never thought the day would come!!!

 

Vile weed!

 

(who can tell me which TV show that line came from?)

 

RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Maglinger, Paul
Reefer Madness?

 

From: Kim Longenbaugh [mailto:k...@colonialsavings.com] 
Sent: Thursday, November 18, 2010 3:30 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Welcome back Kotter?

 

That 70's show?

 

FBI, with Inspector Erskine?

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Thursday, November 18, 2010 3:28 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

I never thought the day would come!!!

 

Vile weed!

 

(who can tell me which TV show that line came from?)

 

RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Don Guyer
No, no and never heard of that show-no.

 

 

From: Kim Longenbaugh [mailto:k...@colonialsavings.com] 
Sent: Thursday, November 18, 2010 4:30 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Welcome back Kotter?

 

That 70's show?

 

FBI, with Inspector Erskine?

 

RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Don Guyer
Not that kind of weed.

 

 

From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Thursday, November 18, 2010 4:31 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Reefer Madness?

 

RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Rod Trent
Seinfeld

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Thursday, November 18, 2010 4:32 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

No, no and never heard of that show-no.

 

 

From: Kim Longenbaugh [mailto:k...@colonialsavings.com] 
Sent: Thursday, November 18, 2010 4:30 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Welcome back Kotter?

 

That 70’s show?

 

FBI, with Inspector Erskine?

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Thursday, November 18, 2010 3:28 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

I never thought the day would come!!!

 

“Vile weed!”

 

(who can tell me which TV show that line came from?)

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox & Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 4:18 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

 

So maybe Facebook needs to be blocked. Oh, how horrible...

On Thu, Nov 18, 2010 at 4:14 PM, Ralph Smith m...@gatewayindustries.org
wrote:

Yes, that's it.  We had one workstation that had the fake Thinkpoint scan
running, so apparently VIPRE AP didn't block it from executing on that one.

On every affected machine we have seen, looking at the browser history each
user was on Facebook immediately prior to VIPRE AP reacting.  I continue to
try to educate users about safe surfing, but I may have to block Facebook if
VIPRE is unable to deal with it soon. 

  _  

From: Ziots, Edward [mailto:ezi...@lifespan.org] 

Sent: Thursday, November 18, 2010 3:51 PM


To: NT System Admin Issues

Subject: RE: vipre: SVCHOST.EXE virus.

 

Yep, that is drive-by malware we have seen accordingly; it's the ThinkPoint
virus.

 

C:\Documents and Settings\username\Application Data\hotfix.exe

C:\Documents and Settings\username\Application Data\dkfjasdfshd.bat

C:\Documents and Settings\username\Desktop\mstsc.exe

 

That is what we saw in our inspection of some workstations.

 

Z

 

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Cell: 401-639-3505

 

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, November 18, 2010 3:47 PM


To: NT System Admin Issues

Subject: RE: vipre: SVCHOST.EXE virus.

 

I've seen on a few computers over the last couple of weeks where there is a
file on the user's desktop called MSTSC.exe, and there are various
executables scattered around in the user's profile with various names the
same as or close to legitimate Windows files, including SVCHOST.EXE.

 

I sent samples to the VIPRE folks a few times - haven't heard anything back.
In my case VIPRE active protection kept blocking the execution of the files,
but didn't recognize them as threats when doing a full scan.  MalwareBytes
found and cleaned a bunch of stuff, but the next time the computer was
rebooted it was back.  Trend also saw them but couldn't remove them.  I've
been wiping and re-imaging them.

 

  _  

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:32 PM


To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

The virus came in this morning, via the internet browser.

 

hkey_users\default\software\Microsoft\Windows NT\Current   backdoor-faaa!1 Trojan

windows|Load   hkey_users\s-1-5-19\Software\Windows NT\Current\   Backdoor-FAAA1! Trojan

Internet Settings [Proxy Server   hkey_users\s-1-5-21-3786461165-302493939458-2064062449-500

On Thu, Nov 18, 2010 at 3:23 PM, Ziots, Edward ezi...@lifespan.org wrote:

There was a post on ISC just a day or two ago about another version of
Conficker B++ accordingly, making the rounds. Just an idea, but might be
your culprit. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Cell: 401-639-3505

 

From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 3:14 PM


To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

 

Oh, I have yet to call them. I will call them soon, but I want to see what the list
says.

 

But I wanted to see if the mailing list saw this before.

Back-Door-F!1 is the name that McAfee detected it as.

 

On Thu, Nov 18, 2010 at 3:11 PM, Jim Holmgren jholmg...@xlhealth.com
wrote:

What did Vipre Tech Support say when you called them?

 

 

Jim Holmgren

Manager of Server Engineering

XLHealth Corporation

The Warehouse at Camden Yards

351
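An added triage check for the indicators reported in this part of the thread (the files Ziots listed under Application Data and on the desktop, the renamed executables Ralph Smith described, and the "windows|Load" and "Proxy Server" registry hits in justino's scan output). This is example code written for this page, not a script from any of the posters or from VIPRE. It assumes the truncated "Windows NT\Current" key in the registry dump is the standard Windows NT\CurrentVersion\Windows key, and the system-binary names beyond the ones mentioned in the thread (explorer.exe, lsass.exe, csrss.exe, winlogon.exe, services.exe) are the script's own additions:

```powershell
# Added triage script; not code from the thread or from any of the posters.
# It checks a workstation for the indicators reported above: executables
# dropped in the user profile under system-binary names (mstsc.exe,
# svchost.exe, hotfix.exe), a per-user autostart value under
# Windows NT\CurrentVersion\Windows (the thread's "windows|Load" hit; the key
# name is expanded from the truncated "Current" in the post, an assumption),
# and a per-user ProxyServer entry. Run it as an administrator; only the hives
# of currently logged-on users appear under HKEY_USERS.

# Names from the thread plus other commonly imitated system binaries (the
# extra names are this script's assumption, not something the posters saw).
$SuspectNames = @('svchost.exe', 'mstsc.exe', 'hotfix.exe', 'explorer.exe',
                  'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe')

function Get-UserHiveFindings {
    $findings = @()
    $hives = Get-ChildItem -Path Registry::HKEY_USERS |
             Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        $base = "Registry::HKEY_USERS\$sid\Software\Microsoft"

        # Legacy win.ini-style autostart; Load and Run here are empty on a clean machine.
        $nt = Get-ItemProperty -Path "$base\Windows NT\CurrentVersion\Windows" -ErrorAction SilentlyContinue
        foreach ($name in 'Load', 'Run') {
            if ($nt -and $nt.$name) {
                $findings += New-Object PSObject -Property @{
                    Sid = $sid; Source = "Windows NT\$name"; Value = $nt.$name }
            }
        }

        # A proxy pointing at localhost or an unknown host is how a rogue AV hijacks the browser.
        $ie = Get-ItemProperty -Path "$base\Windows\CurrentVersion\Internet Settings" -ErrorAction SilentlyContinue
        if ($ie -and $ie.ProxyEnable -eq 1 -and $ie.ProxyServer) {
            $findings += New-Object PSObject -Property @{
                Sid = $sid; Source = 'ProxyServer'; Value = $ie.ProxyServer }
        }

        # Ordinary per-user Run key, listed in full so unfamiliar entries stand out.
        $run = Get-ItemProperty -Path "$base\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($p in $run.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') {
                    $findings += New-Object PSObject -Property @{
                        Sid = $sid; Source = 'Run'; Value = "$($p.Name) = $($p.Value)" }
                }
            }
        }
    }
    $findings
}

function Get-MasqueradingExecutables {
    # Profile roots for XP and for Vista and later; only those that exist are scanned.
    $roots = @("$env:SystemDrive\Documents and Settings", "$env:SystemDrive\Users") |
             Where-Object { Test-Path -Path $_ }
    $hits = @()
    foreach ($root in $roots) {
        $files = Get-ChildItem -Path $root -Recurse -Force -Include *.exe, *.bat -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $parent = Split-Path -Path $f.FullName -Parent
            # Legitimate software installs into a subfolder; a loose .exe or .bat sitting
            # directly in Application Data (the thread's hotfix.exe and the random .bat) is suspect.
            $looseInAppData = ($parent -like '*\Application Data') -or ($parent -like '*\AppData\Roaming')
            $systemName     = $SuspectNames -contains $f.Name.ToLower()
            if ($systemName -or $looseInAppData) {
                # Real copies of these binaries live under %SystemRoot% and carry a Microsoft
                # Authenticode signature; an unsigned copy in a profile is the tell.
                $sig = Get-AuthenticodeSignature -FilePath $f.FullName
                if ($systemName) { $reason = 'system binary name' } else { $reason = 'loose file in Application Data' }
                $hits += New-Object PSObject -Property @{
                    Path = $f.FullName; Size = $f.Length; Modified = $f.LastWriteTime
                    Signature = $sig.Status; Reason = $reason }
            }
        }
    }
    $hits
}

Get-UserHiveFindings        | Format-Table -AutoSize Sid, Source, Value
Get-MasqueradingExecutables | Format-Table -AutoSize Path, Size, Modified, Signature, Reason
```

Two caveats when using it. HKEY_USERS only contains the hives of accounts that are currently logged on, so for a shared machine load the other profiles first (`reg load HKU\TempHive "C:\Documents and Settings\<user>\NTUSER.DAT"`, run the script, then `reg unload HKU\TempHive`). And a clean result does not exonerate a machine: the thread's own experience, with cleaners removing files that were back after a reboot, is exactly the case where an unrecognised persistence point is still in place, so the script is for scoping which workstations to re-image, not a substitute for re-imaging.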

RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Webster
Seinfeld (non)show

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Subject: RE: vipre: SVCHOST.EXE virus.

 

I never thought the day would come!!!

 

Vile weed!

 

(who can tell me which TV show that line came from?)


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Ralph Smith
Wouldn't bother me, but the last time I did it the HR department complained 
because they use Facebook for recruiting, and a lot of our vocational 
counselors complained.  We are a non-profit that provides various services for 
people with physical and mental disabilities, or who have difficulty gaining 
employment and/or housing due to other disadvantages.  Many clients don't have 
email but do all of their electronic communication through sites like Facebook 
(which seems to be the trend now, especially among our younger clients).  So 
Facebook is the means by which a lot of our staff keep in contact with their 
clients.



From: justino garcia [mailto:jgarciaitl...@gmail.com] 
Sent: Thursday, November 18, 2010 4:18 PM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.


So maybe Facebook needs to be blocked. Oh, how horrible...



RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Maglinger, Paul
Little Shop of Horrors?

 

 

From: Don Guyer [mailto:don.gu...@prufoxroach.com] 
Sent: Thursday, November 18, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Not that kind of weed.

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox & Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Thursday, November 18, 2010 4:31 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Reefer Madness?

 


RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Don Guyer
Ding-Ding-Ding!

 

Quick, honey mustard!

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox & Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com

 

From: Rod Trent [mailto:rodtr...@myitforum.com] 
Sent: Thursday, November 18, 2010 4:37 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Seinfeld

 


RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Sean Rector
Set up a firewall rule that allows certain people access - that's what I did 
for our folks.  Otherwise, they're blocked.

 

Sean Rector, MCSE

 

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, November 18, 2010 4:37 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Wouldn't bother me, but the last time I did it the HR department complained 
because they use Facebook for recruiting, and a lot of our vocational 
counselors complained.  We are a non-profit that provides various services for 
people with physical and mental disabilities, or who have difficulty gaining 
employment and/or housing due to other disadvantages.  Many clients don't have 
email but do all of their electronic communication through sites like Facebook 
(which seems to be the trend now, especially among our younger clients).  So 
Facebook is the means by which a lot of our staff keep in contact with their 
clients.

 




RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Ralph Smith
That's what I'll do.



From: Sean Rector [mailto:sean.rec...@vaopera.org] 
Sent: Thursday, November 18, 2010 4:57 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.



Set up a firewall rule that allows certain people access - that's what I did 
for our folks.  Otherwise, they're blocked.

 

Sean Rector, MCSE

 


RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Mike Gill
How does 1) someone sign up to Facebook without an email account and 2)
expect to be taken seriously AT ALL telling someone FB is the only way they
communicate with people?

 

-- 
Mike Gill

 

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, November 18, 2010 1:37 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Wouldn't bother me, but the last time I did it the HR department complained
because they use Facebook for recruiting, and a lot of our vocational
counselors complained.  We are a non-profit that provides various services
for people with physical and mental disabilities, or who have difficulty gaining
employment and/or housing due to other disadvantages.  Many clients don't
have email but do all of their electronic communication through sites like
Facebook (which seems to be the trend now, especially among our younger
clients).  So Facebook is the means by which a lot of our staff keep in
contact with their clients.

 



Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Jeff Steward
It is a step up from their AOL address? <grin>

-Jeff Steward

On Thu, Nov 18, 2010 at 5:31 PM, Mike Gill lis...@canbyfoursquare.com wrote:

 How does 1) someone sign up to Facebook without an email account and 2)
 expect to be taken seriously AT ALL telling someone FB is the only way they
 communicate with people?



 --
 Mike Gill




Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread justino garcia
Why won't AOL die?

On Thu, Nov 18, 2010 at 9:53 PM, Jeff Steward jstew...@gmail.com wrote:

 It is a step up from their AOL address? grin

 -Jeff Steward


 On Thu, Nov 18, 2010 at 5:31 PM, Mike Gill lis...@canbyfoursquare.com wrote:

 How does 1) someone sign up to Facebook without an email account and 2)
 expect to be taken seriously AT ALL telling someone FB is the only way they
 communicate with people?



 --
 Mike Gill



 *From:* Ralph Smith [mailto:m...@gatewayindustries.org]
 *Sent:* Thursday, November 18, 2010 1:37 PM
 *To:* NT System Admin Issues
 *Subject:* RE: vipre: SVCHOST.EXE virus.



 Wouldn't bother me, but the last time I did it the HR department
 complained because they use Facebook for recruiting, and a lot of our
 vocational counselors complained.  We are a non-profit that provides various
 services for people with physical and mental disabilities, or have
 difficulty gaining employment and or housing due to other disadvantages.
 Many clients don't have email but do all of their electronic communication
 through sites like Facebook (which seems to be the trend now especially
 among our younger clients).  So Facebook is the means by which a lot of our
 staff keep in contact with their clients.







-- 
Justin
IT-TECH


RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Ralph Smith
1) Possibly they have or created an account they used for that purpose
but don't use it as a means of communication.  2) We are talking about
people with mental illnesses, severe emotional problems and social
disabilities, people who come from broken homes, abusive parents, severe
poverty... how do they expect to be taken seriously because they don't
use email???  Often we are trying to get them to understand the
necessity to bathe if they want to stay employed.  We do a lot of work
with teenagers and young adults.  To a lot of them, and this is
increasingly true of a lot of younger people, email is kind of a quaint
old-fashioned way to communicate.  They text, they instant message, they
chat on social networking sites, but email is for old people.
 
 



From: Mike Gill [mailto:lis...@canbyfoursquare.com] 
Sent: Thursday, November 18, 2010 5:32 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.



How does 1) someone sign up to Facebook without an email account and 2)
expect to be taken seriously AT ALL telling someone FB is the only way
they communicate with people?

 

-- 
Mike Gill

 

From: Ralph Smith [mailto:m...@gatewayindustries.org] 
Sent: Thursday, November 18, 2010 1:37 PM
To: NT System Admin Issues
Subject: RE: vipre: SVCHOST.EXE virus.

 

Wouldn't bother me, but the last time I did it the HR department
complained because they use Facebook for recruiting, and a lot of our
vocational counselors complained.  We are a non-profit that provides
various services for people with physical and mental disabilities, or
have difficulty gaining employment and or housing due to other
disadvantages.  Many clients don't have email but do all of their
electronic communication through sites like Facebook (which seems to be
the trend now especially among our younger clients).  So Facebook is the
means by which a lot of our staff keep in contact with their clients.

 




Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread William J. Robbins
That's more of a lateral move isn't it? ;)

WJR
 - from my Crackberry.

If you find yourself in a fair fight, your tactics suck.

-Original Message-
From: Jeff Steward jstew...@gmail.com
Date: Thu, 18 Nov 2010 21:53:21
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Reply-To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: vipre: SVCHOST.EXE virus.

It is a step up from their AOL address? grin

-Jeff Steward

On Thu, Nov 18, 2010 at 5:31 PM, Mike Gill lis...@canbyfoursquare.com wrote:

 How does 1) someone sign up to Facebook without an email account and 2)
 expect to be taken seriously AT ALL telling someone FB is the only way they
 communicate with people?



 --
 Mike Gill



 *From:* Ralph Smith [mailto:m...@gatewayindustries.org]
 *Sent:* Thursday, November 18, 2010 1:37 PM
 *To:* NT System Admin Issues
 *Subject:* RE: vipre: SVCHOST.EXE virus.



 Wouldn't bother me, but the last time I did it the HR department complained
 because they use Facebook for recruiting, and a lot of our vocational
 counselors complained.  We are a non-profit that provides various services
 for people with physical and mental disabilities, or have difficulty gaining
 employment and or housing due to other disadvantages.  Many clients don't
 have email but do all of their electronic communication through sites like
 Facebook (which seems to be the trend now especially among our younger
 clients).  So Facebook is the means by which a lot of our staff keep in
 contact with their clients.





RE: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Alex Eckelberry
VIPRE has full coverage of Conficker, including all the new variants.

If there is a detection issue, it's generally a configuration thing.


From: justino garcia [mailto:jgarciaitl...@gmail.com]
Sent: Friday, November 19, 2010 4:40 AM
To: NT System Admin Issues
Subject: Re: vipre: SVCHOST.EXE virus.

So any ideas? Is Conficker2 not being stopped by VIPRE?

On Thu, Nov 18, 2010 at 3:33 PM, RS rich...@gmail.com wrote:
Oof!  (TM -sc)
On Thu, Nov 18, 2010 at 3:22 PM, richardmccl...@aspca.org wrote:

Personally, I'd prefer using AntiVirus 2010 over McAfee.

When you get things under control, could you please share with us what it was 
which tipped you off, what it was doing, etc?  I think many of us are curious 
now.
--
Richard D. McClary
Systems Administrator, Information Technology Group
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL  61802

richardmccl...@aspca.org

P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org




justino garcia jgarciaitl...@gmail.com wrote on 11/18/2010 02:09:44 PM:

 Vipre did not detect it, or clean it. Anti-virus definitions were
 up to date, active scanner was running as well, so I'm a bit
 concerned the active scanner didn't pick it up.
 The virus was still loading in his run command in the registry so I
 had to uninstall Vipre and put my own copy of McAfee on his machine
 to get rid of the virus.


 Any ideas??
 --
 Justin
 IT-TECH



--
Justin
IT-TECH


Re: vipre: SVCHOST.EXE virus.

2010-11-18 Thread Micheal Espinola Jr
For instance?

--
ME2


On Thu, Nov 18, 2010 at 10:40 PM, Alex Eckelberry al...@sunbelt-software.com wrote:

 If there is a detection issue, it’s generally a configuration thing.
