I always accepted users' comments that they didn't know how they got
infested because it's generally the truth. I didn't understand how they
couldn't have noticed that their machine had slowed, but even on campus
the network can get frustratingly slow at times. Now that it happened to
me, I can tell you one way to get it. Using MSIE, browse to a
recommended site from a news aggregator who has never let you down in
the past. After thirty seconds or so your machine slows to the point
that any tech knows it's been infested. There are thousands of sites
that are harboring malware scripts. I know I should have been using
Firefox, but for some reason I was in IE.

 

For my home machine, running online scans offered by both
www.antivirus.com (Trend Micro) and
http://www.kaspersky.com/virusscanner (Kaspersky Labs) cleaned up the
problem. While not requiring much interaction from me, the scan process
did take hours.

 

Here at work I used to trust HitmanPro II
http://www.hitmanpro.nl/hitmanpro/ but even it hasn't been catching the
latest script-installed malware.

Best practice as of today - Run Firefox or Opera with scripting turned
off. I was amazed at the number of everyday sites that require scripting
to do simple things that could have been better coded. Now I generally
recover data from another profile and re-image the machine. 

 

Good luck.

 

 

Don Bosman
Information Technologist
Libraries, Michigan State University
100 Library
East Lansing, MI 48824-1048
[log in to unmask]
(517) 432-6123 ext 233
Fax (517) 432-8374

From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Lee Duynslager
Sent: Thursday, June 26, 2008 9:06 AM
To: [log in to unmask]
Subject: [MSUNAG] XP or Vista Antivirus 2008 ..... What is the mechanism
of infection

 

I've seen the ravages of this ransomware / malware on a couple of
people's systems.  I've always asked what preceded the infection.  You
know ..... So then I could tell other users to avoid that.  I've not
been able to pinpoint exactly what happened; maybe the users are so
embarrassed that they've been had?

 

Does anybody know how this gets installed?  Is it a popup that tells the
user that their computer is infected with Viruses or Trojans?  Is it a
supposed video codec that contains the malware? 

 

Once I know I am going to tell my users about it.

 

LD

Lee Duynslager
Information Technology Professional
Michigan State University
517-432-5296

 

________________________________

From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Skutt, Tim
Sent: Thursday, June 26, 2008 6:46 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Removing Vista Antivirus 2008?

 

Al,

I came across a system with this last week.  It was quite a pain, but I
did notice that I could get most of the stuff removed if I logged into
the machine with a different profile.  I then used SuperAntiSpyware to
scan and delete the malware.  I finally had to delete the user's profile
as there were still remnants of this running to reinstall it from
there.

 

Symantec Antivirus 10.2 didn't detect anything either.
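A check in the spirit of the second-profile approach described in the two replies above (clean from another profile, since remnants left in the affected profile re-launch the malware), added here as an example and not part of the original thread: with the affected user logged off, a technician signed in under a separate account can load that profile's NTUSER.DAT as an offline hive and list the per-user autostart entries (the profile's own Run/RunOnce keys and its Startup folder) that would fire the next time that user logs in. The profile path, the hive mount name and the two Startup folder locations (Vista layout and XP layout) are assumptions; the script reads and reports only, it deletes nothing.

```powershell
# Added example (not code from the thread). Reviews the per-user autostart
# locations of a profile that is NOT currently logged in, from a separate
# technician account. It reports only; nothing is deleted or modified.
# Run from an elevated PowerShell prompt; reg.exe load needs administrator rights.

function Get-ProfileAutostart {
    param(
        # Root of the affected profile. Placeholder; adjust to the machine.
        [Parameter(Mandatory = $true)][string]$ProfileRoot,
        # Temporary name to mount the user hive under HKLM (assumption: any unused name works).
        [string]$HiveName = 'ReviewHive'
    )

    $ntuser = Join-Path $ProfileRoot 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $ntuser)) {
        throw "NTUSER.DAT not found under $ProfileRoot (is the path right and the user logged off?)"
    }

    # Mount the offline user hive so that user's HKCU-style keys can be read
    # without logging in as that user (which would run the autostart entries).
    & reg.exe load "HKLM\$HiveName" $ntuser | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed (hive in use or no admin rights)" }

    try {
        $results = @()

        # Per-user registry autostart keys (the Run/RunOnce keys of that profile).
        $runKeys = @(
            "HKLM:\$HiveName\Software\Microsoft\Windows\CurrentVersion\Run",
            "HKLM:\$HiveName\Software\Microsoft\Windows\CurrentVersion\RunOnce"
        )
        foreach ($key in $runKeys) {
            if (Test-Path -LiteralPath $key) {
                $item = Get-ItemProperty -LiteralPath $key
                foreach ($prop in $item.PSObject.Properties) {
                    # Skip the PowerShell provider metadata properties (PSPath, PSDrive, ...).
                    if ($prop.Name -notlike 'PS*') {
                        $results += New-Object PSObject -Property @{
                            Location = $key.Replace("HKLM:\$HiveName", 'HKCU:')
                            Name     = $prop.Name
                            Command  = [string]$prop.Value
                        }
                    }
                }
            }
        }

        # Per-user Startup folder; the relative path differs between Vista and XP.
        $startupCandidates = @(
            'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup',   # Vista layout
            'Start Menu\Programs\Startup'                                        # Windows XP layout
        )
        foreach ($rel in $startupCandidates) {
            $folder = Join-Path $ProfileRoot $rel
            if (Test-Path -LiteralPath $folder) {
                foreach ($entry in (Get-ChildItem -LiteralPath $folder -Force)) {
                    if (-not $entry.PSIsContainer) {
                        $results += New-Object PSObject -Property @{
                            Location = $folder
                            Name     = $entry.Name
                            Command  = $entry.FullName
                        }
                    }
                }
            }
        }
        return $results
    }
    finally {
        # Release any handles the registry provider still holds, then unmount the hive.
        [System.GC]::Collect()
        [System.GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$HiveName" | Out-Null
    }
}

# Usage (placeholder profile path): review the list, then clean with the
# scanning tools discussed in the thread rather than hand-editing the hive.
Get-ProfileAutostart -ProfileRoot 'C:\Users\affecteduser' | Format-Table Location, Name, Command -AutoSize
```

The point of loading the hive offline rather than logging in as the user is exactly the observation in the reply above: anything registered in that profile's autostart runs as soon as that user logs in, so the review is done from an account where it does not. The same listing, run again after scanning, shows whether an entry is still there before the profile is deleted.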

 

 

________________________________

From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Al Puzzuoli
Sent: Wednesday, June 25, 2008 10:15 PM
To: [log in to unmask]
Subject: [MSUNAG] Removing Vista Antivirus 2008?

 

I'm working on a PC that has this malware.  It's one of those programs
that pop up a fake antivirus dialog and try to scare the user into
either installing something, or buying something that they shouldn't.
Has anyone seen this particular variant before?  Nod32 isn't detecting
it at all.  I've seen similar trojans in the past, and I was able to
remove those using a little utility called SmitfraudFix.exe; however,
SmitfraudFix isn't detecting this particular worm.  The issue is
further complicated by the fact that this machine is offsite, and I'm
trying to talk a user through fixing this over the phone.  I therefore
really want to stay away from solutions that require hand editing the
registry if at all possible.

 

Thanks,

 

 

 

 

Al Puzzuoli
Michigan State University
Information Technologist
http://www.rcpd.msu.edu
Resource Center for Persons with Disabilities
120 Bessey Hall East Lansing, MI  48824-1033
517-884-1915