Understood. I knew there was a lag in the infection and you being able to work on it. Makes the ability to identify the infection source more challenging.
On Thu, May 5, 2011 at 4:26 PM, John Aldrich <[email protected]> wrote:

> Only clue I have is that there was some sort of suspicious installer in his
> temporary internet files. Not sure if it was a "drive-by" install or if he
> actually clicked on something he shouldn't have. That's really the only clue
> I have. First I knew of it, the user was calling me yesterday afternoon
> saying he had firewall warnings, so I walked him through downloading
> VipreRescue and when that didn't find anything, and he was still having the
> pop-up warnings, I tried to get him to download MBAM, but he didn't want to
> go through that and decided to send me his laptop. *shrug*
>
> From: Jonathan Link [mailto:[email protected]]
> Sent: Thursday, May 05, 2011 4:19 PM
> To: NT System Admin Issues
> Subject: Re: Antivirus Center
>
> Any idea how it was acquired?
>
> On Thu, May 5, 2011 at 4:16 PM, John Aldrich <[email protected]> wrote:
> FYI, I just uploaded the infection to Sunbelt. Tammy advises that this
> appears to be a new strain. Gee... lucky me. I get to be the one to find the
> new version. ;D
>
> -----Original Message-----
> From: Ray [mailto:[email protected]]
> Sent: Thursday, May 05, 2011 10:32 AM
> To: NT System Admin Issues
> Subject: RE: Antivirus Center
>
> +1 for teamviewer.
>
> -----Original Message-----
> From: Roger Wright [mailto:[email protected]]
> Sent: Thursday, May 05, 2011 7:02 AM
> To: NT System Admin Issues
> Subject: Re: Antivirus Center
>
> I learned it from here as well. It's from the LogMeIn company.
>
> Of all the remote access tools out there, I like TeamViewer best.
> Being able to reboot into safe mode and auto-reconnect is great, and TV has
> the smoothest screen action. However, it's not free for commercial use so I
> can only use it to support family and friends (unless accepting homemade
> cookies in exchange for services constitutes "payment" - <grin>).
>
> Roger Wright
> ___
>
> I'm out of bed and dressed... what more do you want?
>
> On Thu, May 5, 2011 at 9:52 AM, David Lum <[email protected]> wrote:
> > Thanks for this Roger!
> >
> > It never ceases to amaze me the little tidbits I find from this list...
> >
> > Dave
> >
> > -----Original Message-----
> > From: Roger Wright [mailto:[email protected]]
> > Sent: Thursday, May 05, 2011 6:26 AM
> > To: NT System Admin Issues
> > Subject: Re: Antivirus Center
> >
> > www.join.me is a free alternative to logmein.
> >
> > Roger Wright
> > ___
> >
> > I'm out of bed and dressed... what more do you want?
> >
> > On Wed, May 4, 2011 at 3:43 PM, John Aldrich <[email protected]> wrote:
> >> Well, he's already shipping it out, and he's frustrated, I'm frustrated...
> >> wish I could get the company to spring for a "logmein" account.. *sigh*
> >>
> >> -----Original Message-----
> >> From: Tammy Stewart [mailto:[email protected]]
> >> Sent: Wednesday, May 04, 2011 3:32 PM
> >> To: NT System Admin Issues
> >> Subject: RE: Antivirus Center
> >>
> >> No Problem John,
> >>
> >> Figured autoruns might be easier to walk users through -- You might
> >> also be able to remote access the box in safe mode with networking
> >> too. (I know shipping costs are deadly)
> >>
> >> Tammy
> >>
> >> -----Original Message-----
> >> From: John Aldrich [mailto:[email protected]]
> >> Sent: Wednesday, May 04, 2011 3:29 PM
> >> To: NT System Admin Issues
> >> Subject: RE: Antivirus Center
> >>
> >> Thanks! Will do! 'Preciate it, Tammy! :D
> >>
> >> -----Original Message-----
> >> From: Tammy Stewart [mailto:[email protected]]
> >> Sent: Wednesday, May 04, 2011 3:23 PM
> >> To: NT System Admin Issues
> >> Subject: RE: Antivirus Center
> >>
> >> Hi John,
> >>
> >> Log onto a different account -- that one is normally profile specific.
> >> Log off first user though or you risk infecting the next account.
> >> If only one account on the machine -- try safe mode admin account or
> >> safe mode user account (threat shouldn't run in safe mode)
> >>
> >> Decent writeup on this one..
> >> http://www.bleepingcomputer.com/virus-removal/remove-antivirus-center
> >>
> >> Can omit MBAM though if desired.
> >>
> >> I use "autoruns" from sysinternals -- I LOVE that tool!
> >> http://technet.microsoft.com/en-us/sysinternals/bb963902
> >>
> >> Once you grab that app & initial scan is done hit the "users" menu at
> >> top > choose infected user. Reg path & file path should be there.
> >> (either a user run key or runonce under the logon tab in autoruns)
> >>
> >> Since Rescue didn't nail it -- found samples can be uploaded here:
> >>
> >> http://www.sunbeltsecurity.com/threat
> >>
> >> We'll be sure to get it in the defs.
> >>
> >> Cheers!
> >>
> >> Tammy
> >>
> >> -----Original Message-----
> >> From: John Aldrich [mailto:[email protected]]
> >> Sent: Wednesday, May 04, 2011 2:56 PM
> >> To: NT System Admin Issues
> >> Subject: RE: Antivirus Center
> >>
> >> No, Vipre is NOT installed. User has McAfee AND AVG on there... I
> >> know that McAfee gets installed by default with Acrobat Reader and
> >> other Adobe products...
> >>
> >> From: [email protected] [mailto:[email protected]]
> >> Sent: Wednesday, May 04, 2011 2:42 PM
> >> To: NT System Admin Issues
> >> Subject: Re: Antivirus Center
> >>
> >> If VIPRE is installed, then call! Tammy knows the entire boot
> >> process, and she can probably figure out what is loading what.
> >>
> >> Some bugs disable the task manager, the CLI, and the ability to boot
> >> into SafeMode.
> >>
> >> Note that some of these bugs will scramble the registry, so no
> >> applications can run anymore. She has fixed that one as well.
> >>
> >> --
> >> richard
> >>
> >> "John Aldrich" <[email protected]>
> >> 05/04/2011 01:22 PM
> >> Please respond to
> >> "NT System Admin Issues" <[email protected]>
> >>
> >> To
> >> "NT System Admin Issues" <[email protected]>
> >> cc
> >>
> >> Subject
> >> Antivirus Center
> >>
> >> I just had a remote user infected with "Antivirus Center" fake
> >> antivirus. I had him try to run Vipre Rescue, but it didn't find
> >> anything. Any idea why VR didn't find it?
> >>
> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >>
> >> ---
> >> To manage subscriptions click here:
> >> http://lyris.sunbelt-software.com/read/my_forums/
> >> or send an email to [email protected]
> >> with the body: unsubscribe ntsysadmin
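Tammy's advice in the quoted thread is to find the infected profile's Run or RunOnce entry (what Autoruns shows on its Logon tab after picking the profile from the Users menu) and read the registry and file path from it. The script below is an added example, not code from the thread or from any of the tools it mentions: it enumerates the per-user Run/RunOnce keys for every profile on the machine from a clean account, loads the NTUSER.DAT of profiles that are not logged on (the equivalent of the Users menu), extracts the image path from each value, and flags images that live under Temp, Temporary Internet Files or AppData, which is where the thread says the suspicious installer sat. Function names, the `_offline_` hive prefix and the suspect-directory list are this example's own choices; it assumes Windows PowerShell 5.1 or later run as an administrator.

```powershell
# Added example (not from the thread): list per-user Run/RunOnce autostarts
# for every profile, the way Autoruns' Logon tab does per user.
# Run from a clean account (or safe mode) with administrator rights.

# HKEY_USERS is not mapped as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a legitimate logon autostart almost never lives in (example list).
$suspectDirs = @('\Temp\', '\Temporary Internet Files\', '\INetCache\',
                 '\AppData\Local\', '\AppData\Roaming\',
                 '\Application Data\', '\Local Settings\')

function Get-ImagePath {
    param([string]$CommandLine)
    # A Run value is a command line: take the quoted path, else the first token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    $token = ($CommandLine -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($token)
}

function Get-ProfileName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }   # deleted or non-resolvable account: show the SID
}

# Load the hives of profiles that are not logged on, under a temporary name,
# so their Run keys show up beside the logged-on users'. Unloaded at the end.
$loaded = @()
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($p in Get-ChildItem $profileList) {
    $sid  = $p.PSChildName
    $path = (Get-ItemProperty $p.PSPath).ProfileImagePath
    if ($sid -like 'S-1-5-21-*' -and $path -and -not (Test-Path "HKU:\$sid")) {
        $hive = Join-Path ([Environment]::ExpandEnvironmentVariables($path)) 'NTUSER.DAT'
        if (Test-Path -LiteralPath $hive) {
            & reg.exe load "HKU\_offline_$sid" $hive | Out-Null
            if ($LASTEXITCODE -eq 0) { $loaded += "_offline_$sid" }
        }
    }
}

$results = foreach ($hiveKey in Get-ChildItem HKU:) {
    $name = $hiveKey.PSChildName
    if ($name -like '*_Classes') { continue }        # COM class hives, no Run keys
    $sid = $name -replace '^_offline_', ''
    foreach ($sub in $runSubKeys) {
        $key = "HKU:\$name\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }  # provider metadata, not values
            $image = Get-ImagePath ([string]$prop.Value)
            [pscustomobject]@{
                User    = Get-ProfileName $sid
                Key     = "HKU\$sid\$sub"
                Value   = $prop.Name
                Image   = $image
                Exists  = [bool]($image -and (Test-Path -LiteralPath $image))
                Suspect = ($suspectDirs | Where-Object { $image -like "*$_*" }).Count -gt 0
            }
        }
    }
}

foreach ($h in $loaded) { & reg.exe unload "HKU\$h" | Out-Null }

# Suspect entries first: the Key column is the registry path to remove and the
# Image column is the file to quarantine and submit as a sample.
$results | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Log the first user off before running this, as the thread says, so the loaded hive is not in use; an entry whose image no longer exists on disk is a leftover that can be cleared, while one that does exist in a suspect directory is the file worth submitting.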
