tekmunki
user accounts infected (elevation, somewhere?)
How are my non-admin user accounts getting infected with this Vista Antivirus Spyware (fake AV)?
»www.wiki-security.com/wiki/Paras···rus2012/
I keep my WSUS server deploying updates, and I deploy Flash/Java updates manually constantly. Where is the elevation occurring that allows it to install? I find very little info on its deployment abilities and the means by which it installs. It's getting annoying cleaning this off a PC every other day. Trend OfficeScan doesn't seem concerned with preventing the spyware, but does well on viral infections.
I appreciate any help you can provide to help me prevent this from recurring. -- TekMunki "There are 10 types of people in this world, those who understand binary and those who don't."
www.tekmunki.com
lorennerol
What I'm seeing on non-admin accounts is an EXE that gets dropped into the user's profile folder. I've also seen the perms on the user's folders (where the user has 'Full Control') get rewritten. This makes a mess that is tedious to fix.
But I haven't seen a computer used by a non-admin user get an infection that affected the Windows and/or other system directories.
DC DSL (reply to tekmunki)
I don't know how big your org is, but with my clients I put the desktops on MSE and haven't had any problems with the fake AV and a slew of other crap for over 2 years now. Keep Malwarebytes Anti-Malware and Spybot S&D on the machines as well and run full scans regularly as an added measure of protection. -- "Dance like the photo isn't being tagged; love like you've never been unfriended; and tweet like nobody is following."
Modus (reply to lorennerol)
said by lorennerol: What I'm seeing on non-admin accounts is an EXE that gets dropped into the user's profile folder. I've also seen the perms on the user's folders (where the user has 'Full Control') get rewritten. This makes a mess that is tedious to fix. But I haven't seen a computer used by a non-admin user get an infection that affected the Windows and/or other system directories.
Yeah, I have noticed this too, mostly on my Windows XP computers: C:\Documents and Settings\%username%\Local Settings\Application Data\somefile.exe
OP, do you have a daily scan set up? I have a daily scan that runs at 4:15pm, and I have the settings to delete virus files and anything suspicious. Then the next day I may get some email notifications that look like this:
User: NT AUTHORITY\SYSTEM Scan: Daily scan Machine: computername
File "C:\Documents and Settings\%username%\Local Settings\Application Data\qkm.exe" belongs to virus/spyware 'Mal/FakeAV-NO'.
File "C:\Documents and Settings\%username%\Local Settings\Temp\oiu0.5133661777639996.exe" belongs to virus/spyware 'Mal/FakeAV-NO'.
Virus/spyware 'Mal/FakeAV-NO' has been removed.
-- Think Ahead. Learn More. Solve Now!
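The two symptoms described in the posts above (lorennerol's dropped EXE and rewritten profile permissions, and Modus's scan hits under Local Settings\Application Data and Local Settings\Temp) can be hunted for across all profiles on a machine before the nightly scanner gets to them. The script below is an added example and is not code posted by anyone in this thread. It assumes profiles live under C:\Documents and Settings (XP) or C:\Users (Vista and later), that SYSTEM, Administrators and the profile's own user are the only principals expected to hold rights on a profile root, and that the profile folder name starts with the user's account name; all three are assumptions, not facts from the thread. It is written for PowerShell 2.0 (the version available on XP/Vista, so no -File or -Directory switches) and should be run from an elevated prompt.

```powershell
# Added example, not from the thread. Hunts for (1) recently created .exe files in
# the per-user drop locations named in the thread and (2) ACEs on each profile
# root granted to principals other than SYSTEM, Administrators and the profile's
# own user. Paths and the expected-principal list are assumptions.

$ProfileRoots       = @('C:\Documents and Settings', 'C:\Users')   # assumed
$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')  # assumed
$SkipProfiles       = @('All Users', 'Default', 'Default User', 'Public')
$DropSubdirs        = @(
    'Local Settings\Application Data',   # XP: path seen in Modus's scan report
    'Local Settings\Temp',               # XP: path seen in Modus's scan report
    'AppData\Local',                     # Vista+ equivalent of the first
    'AppData\Local\Temp'                 # Vista+ equivalent of the second
)

function Get-UserProfileDirs {
    foreach ($root in $ProfileRoots) {
        if (-not (Test-Path $root)) { continue }
        # On Vista+ 'C:\Documents and Settings' is a junction that denies listing;
        # the error is silenced and it simply yields nothing.
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and ($SkipProfiles -notcontains $_.Name) }
    }
}

function Get-RecentProfileExecutables {
    param([int]$Days = 2)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($profile in Get-UserProfileDirs) {
        foreach ($sub in $DropSubdirs) {
            $dir = Join-Path $profile.FullName $sub
            if (-not (Test-Path $dir)) { continue }
            Get-ChildItem -Path $dir -Filter *.exe -ErrorAction SilentlyContinue |
                Where-Object { (-not $_.PSIsContainer) -and ($_.CreationTime -ge $since) } |
                ForEach-Object {
                    # Unsigned or tampered binaries in a profile folder deserve a look first
                    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                    New-Object PSObject -Property @{
                        Profile   = $profile.Name
                        Path      = $_.FullName
                        Created   = $_.CreationTime
                        SizeBytes = $_.Length
                        Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                    }
                }
        }
    }
}

function Get-UnexpectedProfileAces {
    foreach ($profile in Get-UserProfileDirs) {
        $acl = Get-Acl -Path $profile.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Heuristic: 'jsmith.DOMAIN' folder belongs to account 'jsmith'
        $userName = ($profile.Name -split '\.')[0]
        $allowed  = $ExpectedPrincipals + $acl.Owner
        $acl.Access | Where-Object {
            $principal = $_.IdentityReference.Value
            ($allowed -notcontains $principal) -and
            (($principal -split '\\')[-1] -ne $userName)
        } | ForEach-Object {
            New-Object PSObject -Property @{
                Profile   = $profile.Name
                Principal = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
    }
}

Write-Host '== Executables created in the last 2 days in per-user drop locations =='
Get-RecentProfileExecutables -Days 2 |
    Format-Table Profile, Created, Signature, SizeBytes, Path -AutoSize

Write-Host '== ACEs on profile roots for principals other than SYSTEM, Administrators, owner, user =='
Get-UnexpectedProfileAces |
    Format-Table Profile, Principal, Rights, Type, Inherited -AutoSize
```

The first report is what a non-admin infection of the kind described leaves behind: a fresh, usually unsigned, executable in a folder the user can write to without any elevation. The second report shows ACEs that should not be there; a default profile root carries only SYSTEM, Administrators and the user, so any extra principal, or an Everyone/Users entry, is a sign the permissions were rewritten as lorennerol describes. Adjust `$ExpectedPrincipals` if your profiles are deliberately shared with other groups.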
tekmunki
Sorry for not getting back in time; it's been crazy busy around here. As a follow-up, thank you for the responses. It turned out that the machines infected had issues getting my Java updates that deploy from GP. Only the Vista machines had the issues, which led me to the cause. It was a Java exploitation from an older release that caused the infections. Since running the updates manually, the issues of elevating privs / infections have stopped.