I killed a Vundo variant with ListDLLs too. Made it easy to pick out the malware files and delete them.
Ben M. Schorr Chief Executive Officer Roland Schorr & Tower www.rolandschorr.com <http://www.rolandschorr.com/> / www.officeforlawyers.com <http://www.officeforlawyers.com/> Member: American Bar Association - 01473703 Author: The Lawyer's Guide to Microsoft Outlook 2007: http://tinyurl.com/ol4law-amazon <http://tinyurl.com/ol4law-amazon> Author: The Lawyer's Guide to Microsoft Word 2007: http://tinyurl.com/abaword2007 From: Mike Gill [mailto:[email protected]] Sent: Friday, December 04, 2009 7:25 AM To: NT System Admin Issues Subject: RE: New virus trick I'm kind of amazed how ineffective mbam is these days based on a few cases I've dealt with recently. I have had a couple clients and a couple family members bring their machines to me and mbam detected things but wasn't able to clean any of it after repeated attempts. I had to manually remove things as lately I've been curious as to the reach and tactics of current malware. The latest one was Windows Enterprise Suite. It installs in the users %appdata%\local & %userprofile%\Recent folder. Before that I cleaned a Vundo variant. I read an article that someone used sysinternal's listdlls to find it, as it was dll based. The dll's for that have no version number. Redirecting listdll's output to a test file made it easy to identify the last three dll's that didn't belong. -- Mike Gill From: John Aldrich [mailto:[email protected]] Sent: Friday, December 04, 2009 6:39 AM To: NT System Admin Issues Subject: New virus trick I was at a seminar yesterday put on by Sunbelt and during a break I had a chance to talk to one of the presenters and told him of a recent malware incident I'd cleaned up. He'd never heard of such a trick before so I thought I'd bring it to y'all's attention so you can be on the lookout for it. Basically it was the same old malware that's been going around with the Antivirus Pro sort of stuff, but the twist was that even using Malware Bytes we were not able to get rid of it. After I was poking around a bit, (I don't recall why I was looking at the root of C:, but I was) I noticed a batch file in the root of the C: drive that, when I opened it and looked at it, it created a bunch of scheduled tasks to re-download the malware/adware. I wised up and deleted that file, then went into the Scheduled Tasks and deleted all the malware-created scheduled tasks. Then I was able to successfully clean the stuff out! What really got us was that Malware Bytes would clean it, then say it needed to reboot to finish, and then as soon as we came back, the fake antivirus was right back there. What I believe it was doing was re-downloading itself from the internet each time we cleaned it. So, anyway, if you guys ever have a problem like this, it wouldn't hurt to check the scheduled tasks! ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
<<image001.jpg>>
<<image002.jpg>>
