You said ESET, right? You might have had another problem like a lot of us did today: http://www.thinq.co.uk/2010/9/2/eset-nod32-antivirus-pains/
Ugh. Long day.

On Sep 2, 2010, at 6:28 PM, Chris Keladis <[email protected]> wrote:

> Err, TMPFILE location search was..
>
> wmic environment list /format:list
>
> Another handy one.. Need to find if a patch or "QFE" is installed? And on what date and by whom? Try...
>
> wmic qfe list brief /format:list
>
>
> Cheers,
>
> Chris.
>
> On Fri, Sep 3, 2010 at 10:25 AM, Chris Keladis <[email protected]> wrote:
>> No worries.
>>
>> I nearly forgot, you don't even need to install SysInternals "pslist" to copy a process list to a share. Windows (from XP on, I think) gives you the tool already (see the "tasklist" command).
>>
>> Something like "tasklist > X:\my\network\share\user1_machine10.txt"
>>
>> Also do variations like "tasklist /svc" to see services and their dependencies.
>>
>> You can use the "wmic" tool locally or even remotely to pull info out of machines (assuming the malware hasn't impacted WMI operating or subverted its results).
>>
>> Get a list of popular auto-run locations..
>>
>> wmic startup list brief
>>
>> Or a more detailed list..
>>
>> wmic startup list full
>>
>> Put it in a nice HTML on a share..
>>
>> wmic /output:Z:\share\user1_machine10_autoruns.htm startup list full /format:hform.xsl
>>
>> Need the machine's BIOS info? Easy..
>>
>> wmic bios get /format:list
>>
>> Drives inside the machine?
>>
>> wmic diskdrive list brief /format:list
>>
>> Need to find TMPFILE locations malware likes to hide in?
>>
>> wmic diskdrive list brief /format:list
>>
>> And so on.. "wmic" will auto-install (no CD or CABs required) if never used before, and you can remotely query machines on your LAN to gather info via WMI to perform triage, assuming they're XP or newer.
>>
>> WMI can be installed as an add-on for prior releases.
>>
>> All with no additional software installed. In your case, however, keep in mind the malware may have broken WMI and will likely require manual clean-up.
>>
>>
>> Cheers,
>>
>> Chris.
>>
>>
>> On Fri, Sep 3, 2010 at 7:20 AM, Tyler Robinson <[email protected]> wrote:
>>> Thanks, that is awesome advice. I am starting there and running OSSIM and trying to analyze. Ya, I could use 2 more people for sure, but thanks everyone again; the advice given is invaluable. Keep any ideas coming, I will be trying a lot of things and hopefully can post what works and my experience to help others.
>>> TR
>>>
>>> On Sep 2, 2010 3:08 PM, "Chris Keladis" <[email protected]> wrote:
>>>> On Fri, Sep 3, 2010 at 5:24 AM, Tyler Robinson <[email protected]> wrote:
>>>>
>>>> Hey Tyler,
>>>>
>>>>> Thanks everyone for all the ideas. The environment has about 350 machines at least, all on a flat domain; can't VLAN due to stupid software configurations. I have several systems that have to be live all the time (911 systems) and VMware ESX servers in a cluster. Any other suggestions are again so much appreciated; I am willing to try just about anything right now. I have a lot of angry users right now due to network performance (for their Facebooking, I am sure) wanting this fixed, and the sheriff's department has its busiest week of the year starting Sat, so please, no idea will not be tried.
>>>>
>>>> Ouch! Sounds like you need more hands and eyes on the problem :)
>>>>
>>>> The only thing I can think of, bar running around to 350 PCs, is maybe sample a few to understand what malware you've got going on.
>>>>
>>>> Make use of Microsoft's (ex-Sysinternals) tools to investigate. AutoRuns, ProcExp, etc etc.
>>>>
>>>> One handy tip when using ProcExp: don't "kill" malicious processes; rather, "pause" or "freeze" them. Most malware these days has SIGKILL handlers to spawn their cousins when they're killed, and you end up with more problems.
>>>>
>>>> Once you understand what you've got going on you can perhaps download a removal tool and make everyone run it.
>>>>
>>>> Also keep in mind sensitive information may have been leaked by the malware, so once you have a handle on the situation, change ALL passwords, and follow up on anything important that might have leaked out of the organization (this may have ramifications down the track).
>>>>
>>>> Most malware infections these days aren't one-offs (they use droppers, stagers, load root-kits and other add-ons), so you can try to control the primary infection on the LAN, but at some point manual review will be needed as well, e.g., booting off a USB key/CD and checking for rootkits etc etc..
>>>>
>>>> Also tell people to stop using any form of removable media to avoid the (re)spread in or out of the organization, until you get a handle on the situation.
>>>>
>>>> Maybe you can script something and use Sysinternals tools like "pslist" to copy a process list to a share you can then analyze further? Maybe set up a job via the RunOnce reg-key or Scheduler and ask everyone to reboot (RunOnce) or wait (Scheduler), so you at least get a peek into the processes running and can make a plan of attack.
>>>>
>>>> Hope I've given you some practical advice; unfortunately, since the previous admin hadn't set up controls to mitigate, you face a very difficult task.
>>>>
>>>> But, this disaster may give you the ammunition you need to make improvements! :)
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Chris.
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
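The tasklist and wmic one-liners quoted above, plus the RunOnce idea, can be tied together into a single collector that each workstation runs once and drops onto a share. The batch script below is an added example written for this thread, not something anyone posted in it. `\\fileserver\triage` is a placeholder share name and `collect.cmd` a hypothetical file name; everything else is built into XP and later.

```batch
@echo off
rem collect.cmd -- added example, not from the thread: gather the triage data
rem discussed above into a per-user, per-machine folder on a share.
rem Assumption: \\fileserver\triage is a placeholder for a share the logged-on
rem user can write to. Needs XP or newer (tasklist and wmic are built in).
rem Hypothetical one-shot deployment, run once as an administrator on each box:
rem   reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Triage /t REG_SZ /d "\\fileserver\triage\collect.cmd" /f
setlocal enableextensions

set "SHARE=\\fileserver\triage"
set "OUTDIR=%SHARE%\%USERNAME%_%COMPUTERNAME%"

rem If the share is not reachable (LAN saturated, or the host already pulled
rem off the network), keep the snapshot locally so the run is not wasted.
if not exist "%SHARE%\" set "OUTDIR=%TEMP%\triage_%USERNAME%_%COMPUTERNAME%"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem Timestamp the snapshot so repeated runs of the same machine can be compared.
echo collected %DATE% %TIME% on %COMPUTERNAME% by %USERNAME% > "%OUTDIR%\collected.txt"
wmic os get LastBootUpTime,LocalDateTime /format:list >> "%OUTDIR%\collected.txt"

rem Process list WITHOUT WMI: tasklist reads the process table directly, so it
rem can be compared against the WMI view below in case WMI has been tampered with.
tasklist > "%OUTDIR%\tasklist.txt"
tasklist /svc > "%OUTDIR%\tasklist_svc.txt"

rem Same list through WMI, adding parent PID and full command line per process.
wmic process get ProcessId,ParentProcessId,Name,ExecutablePath,CommandLine /format:list > "%OUTDIR%\process_wmi.txt"

rem Auto-run locations, both as plain text and as the HTML report from the thread.
wmic startup list full /format:list > "%OUTDIR%\startup.txt"
wmic /output:"%OUTDIR%\startup.htm" startup list full /format:hform.xsl

rem Environment (TEMP/TMP locations), installed hotfixes, BIOS and disks.
wmic environment list /format:list > "%OUTDIR%\environment.txt"
wmic qfe list brief /format:list > "%OUTDIR%\qfe.txt"
wmic bios get /format:list > "%OUTDIR%\bios.txt"
wmic diskdrive list brief /format:list > "%OUTDIR%\diskdrive.txt"

rem Open sockets with their owning PID, to pair with the process lists above.
netstat -ano > "%OUTDIR%\netstat.txt"

echo Triage snapshot written to %OUTDIR%
endlocal
```

Two points worth knowing before reading the results. First, the process list is captured twice on purpose: `tasklist` does not go through WMI, so a process that appears in `tasklist.txt` but not in `process_wmi.txt` (or vice versa) is exactly the kind of discrepancy Chris's "assuming the malware hasn't subverted WMI" caveat is about, and it is cheap to diff the two files offline. Second, `wmic` writes UTF-16 text when its output is redirected, so open the `.txt` files with an editor or tool that handles that encoding rather than assuming plain ASCII.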
