Solved

Virus

Posted on 2011-03-01
Last Modified: 2013-12-09
We had a few computers infected with PWDump.

We have Symantec Endpoint Protection, which could disinfect it.
Is it a virus outbreak?

Question by:pdsmicro

Accepted Solution

by: RobertParten
ID: 35008011
Are you stating that Symantec is NOT able to clean the viral infection?

Windows 7 or XP?

Use Malwarebytes if you have Windows 7 and COMBOFIX if you have Windows XP

Have you tried clearing out all Temporary Internet files?

Use this program to clean up your systems first:
http://www.stevengould.org/index.php?option=com_content&task=view&id=15&Itemid=69

Assisted Solution

by: pdsmicro
ID: 35008179
Windows Vista and XP.

I see the user name is not the same as the actual user on that computer.
John is the computer log-on ID, but I see user1 shows up?

Assisted Solution

by: RobertParten
ID: 35008241
I would log off and log back in as an administrator to see if any new users were added.

Assisted Solution

by: sweeps
ID: 35008243
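A scripted version of the check Robert describes, as an added example that is not from the thread: enumerate the local accounts and the local Administrators group membership and flag any name that is not in an expected baseline (the unexpected "user1" from the question would show up this way). It assumes PowerShell 2.0 or later, which Vista and Windows 7 ship with (XP needs it installed separately); the baseline names are constructed.

```powershell
# Added example, not from the thread. Lists local accounts and local
# Administrators members and flags any name missing from a supplied baseline.
# Assumes PowerShell 2.0+ with WMI available (Vista/7 built-in).

# Constructed baseline: the accounts you expect to exist on this workstation.
$Expected     = @('Administrator', 'Guest', 'John')
$ComputerName = $env:COMPUTERNAME
$FlagText     = '   <== NOT IN BASELINE'

# All local (non-domain) accounts, including disabled ones.
$Accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"

"--- Local accounts on $ComputerName ---"
foreach ($acct in $Accounts) {
    $flag = ''
    if ($Expected -notcontains $acct.Name) { $flag = $FlagText }
    "{0,-20} SID={1} Disabled={2}{3}" -f $acct.Name, $acct.SID, $acct.Disabled, $flag
}

# Win32_GroupUser links a group (GroupComponent) to a member (PartComponent)
# as WMI object paths, e.g. ...Win32_UserAccount.Domain="HOST",Name="user1",
# so the domain and name are pulled out of the path string with a regex.
$GroupPattern = 'Domain="' + [regex]::Escape($ComputerName) + '",Name="Administrators"'
$Links = Get-WmiObject -Class Win32_GroupUser |
    Where-Object { $_.GroupComponent -match $GroupPattern }

"--- Members of $ComputerName\Administrators ---"
foreach ($link in $Links) {
    if ($link.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
        $domain = $Matches[1]
        $name   = $Matches[2]
        $flag   = ''
        # Only local accounts are compared against the baseline; domain
        # groups or users that are members are listed but not flagged.
        if ($domain -eq $ComputerName -and $Expected -notcontains $name) {
            $flag = $FlagText
        }
        "$domain\$name$flag"
    }
}
```

Run it from an elevated prompt on each suspect machine and compare the flagged lines against what the help desk actually created; an account you cannot account for is worth preserving for review before any cleanup tool removes it.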
PwDump is usually used to extract passwords out of hash files.  For either of the programs RobertParten is referring to, you will want to run them in Safe Mode on the computers.  If the program is live (running) on the laptop you will most likely not be able to delete any DLL file that is active, and most programs are not active in Safe Mode.  Malwarebytes is great for virus removal.  ComboFix is good, but you cannot run it on Windows 7 and it also can set proxy settings in Internet Explorer connections that it may not take out, so just remember to look there after the reboot if you can't get online.

Assisted Solution

by: RobertParten
ID: 35008256
Thanks sweeps, but I thought ComboFix had to be run in Normal Mode for it to work?

Assisted Solution

by: younghv
ID: 35008326
CF can definitely be used on Windows 7 and is definitely ONLY run in Normal Mode (unless the workstation will ONLY boot to Safe Mode):

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Assisted Solution

by: younghv
ID: 35008488
pdsmicro,
CF has already been recommended above, so I am just posting the generic instructions that get used around here.

I am a little concerned that you may only be getting "False Positives" with your alerts, which has been all too common with many anti-malware applications.

PWDump is a very old problem and Symantec should have been able to prevent any actual infection (unless there is a new variant just out).

Can you confirm that all of your systems are fully patched/updated from MS and that all of them have current Symantec DAT files?


****************************
Please download ComboFix by sUBs (and attach the resulting log): http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*** NOTE
Please post the logs generated for both Malwarebytes and ComboFix so that we can review the results.

Assisted Solution

by: younghv
ID: 35008537
@sweeps,
I see that you are a brand new Member posting here, so welcome.

Please double-check any information before you post any suggestions here.
If fighting malware is not something that you truly consider yourself an "Expert" at doing, you should focus on those Zones where you are.

We always welcome new Experts around here, but you will do better to focus on the Zones you know best.

Welcome!

Author Closing Comment

by: pdsmicro
ID: 35045622
Thank you for the quick reply.