Penny Arcade Forums Help / Advice Forum
As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/
Options

a

GPIA7RGPIA7R Registered User regular
edited August 2017 in Help / Advice Forum
.

GPIA7R on

Posts

  • Options
    bowenbowen How you doin'? Registered User regular
    edited February 2009
    http://www.greatis.com/appdata/d/u/upnpsvc.exe.htm

    Has some information on that, that may or may not pertain to your particular virus.

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    PeregrineFalconPeregrineFalcon Registered User regular
    edited February 2009
    Are each of these files 404,992 bytes?

    Sounds like you caught one of the generic password/game info stealer trojans - but if they're in a company whoever's botting them might figure that out and start keylogging everything.

    In addition to knocking off your AV program they spread via network shares, so you're going to need to pretty much drop to DEFCON 1 to knock this out.

    PeregrineFalcon on
    Looking for a DX:HR OnLive code for my kid brother.
    Can trade TF2 items or whatever else you're interested in. PM me.
  • Options
    bowenbowen How you doin'? Registered User regular
    edited February 2009
    Any computers infected need to be isolated post haste. Unplug the network, drop into safe mode.

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    GPIA7RGPIA7R Registered User regular
    edited August 2017
    .

    GPIA7R on
  • Options
    PeregrineFalconPeregrineFalcon Registered User regular
    edited February 2009
    GPIA7R wrote: »
    Thanks for the suggestions so far.

    We've been knocking IT people off throughout the day and cleaning them up. Still got all these users out there (around 700 PC's) with that .exe and various bad registry entries just waiting to kick it off.

    Seems like with the IT people cleaned up, the pushing around has stopped (or at least waned because users don't have permissions to write to other users folders). Now to wait on a patch or solution... or make our own script to clean up the files. While it spread fast and persistantly hit everyone in the company... there doesn't SEEM to be damage at this very moment... but for those that had the file actually run, we can't be sure of what it was doing (50-100% CPU use)

    ... you're going to "wait and see" on a fucking trojan? o_O

    PeregrineFalcon on
    Looking for a DX:HR OnLive code for my kid brother.
    Can trade TF2 items or whatever else you're interested in. PM me.
  • Options
    bowenbowen How you doin'? Registered User regular
    edited February 2009
    I ..
    What?

    You've got to clean off all infected PCs. Now. I don't care if it's 400 or so, they all have to be brought offline and cleaned before rejiggering it into the network.

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    embrikembrik Registered User regular
    edited February 2009
    Do you have any software distribution system? (e.g. Microsoft SMS, etc) Can you make something that deletes the offending file and replaces it with a 0 byte version with the same name, and set the permissions on it to deny deletion/modification by all? It's a quick way to stop some things from running. Often, other unseen processes are starting the offending processes, and this can at least help until you can get a full handle on it. You also need to be prepared for the possibility that there won't be a good way to remove it, (like if it ends up being a bad rootkit) so you should be able to start reimaging/rebuilding workstations.

    embrik on
    "Damn you and your Daily Doubles, you brigand!"

    I don't believe it - I'm on my THIRD PS3, and my FIRST XBOX360. What the heck?
  • Options
    bowenbowen How you doin'? Registered User regular
    edited February 2009
    No, seriously, what?

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Options
    GPIA7RGPIA7R Registered User regular
    edited August 2017
    .

    GPIA7R on
  • Options
    Enos316Enos316 Registered User regular
    edited February 2009
    Our place got hit with this today too, looked like the Oliga Win32 virus. Near as we could tell it was spreading via Microsoft AD when people were logging in. We also saw "1.exe".

    I am in Networking so there wasn't much we could do, but I think they are also talking to CA to get an Etrust update or something out there.

    Enos316 on

    Enos.jpg
Sign In or Register to comment.
Penny Arcade Forums Help / Advice Forum