We had a none critical server get infected with the Cheetah virus.  I have run Sophos and Malwarebytes and neither has fixed it.  I can change the extensions manually but that will take forever.

There must be a simple solution that one of you have tried.   HELP!

Mysterious Z: drive in Windows 7.  Client called today with Excel files missing from documents and instead all of the files he had deleted some time ago returned.  I have removed the unwanted files, no problem there.  The missing files were in the apps\roaming\Microsoft\network folder.  This is a stand alone PC, what would move them?  Next I noticed a Z: drive???  The drive has the same physical space used and capacity of C:, but doesn't have the same contents.  The Z: drive doesn't appear in the registry or Disk Management.  There is not 2 physical drives in the machine.  Norton is the AV and failed to detect (Full scan) Poweliks.  Roguekiller, ADWcleaner and virustotal.com website detected the virus.  I believe things are cleaned up now, but still suspicious of this Z: drive.  It only contains log files and copy of PDF files (From documents).  The logs are were updating as of this morning.  They don't appear to be updating this afternoon yet (Post removal of virus).

Google hijacked by https://www.searchencrypt.com/search?eq=7buN3wW%2BTmjyobKDgBD8X643alvLjHyhwe8LPxbEnaE%3D

Every time I search using Google in Firefox I get this crap.

In Chrome, it works fine.

How do I get rid of this & prevent it in the future?

Thanks

Hallo Experts
       
I would like to collect the following Threat Artifacts from a compromised Windows System:
     

• CPU

• Routing-, ARP- & Process tables

• Memory

• Temporary files

• Relevant data from storage media

   
What would you collect? Is there any best practice from NIST or anyware?
 
Thanks a lot

It's not uncommon to go to a website that gives you a frowny face and guilt tripping you that "We see you have an ad blocker. But that's how we make our money." So then if you really want the site you can white list them. And then typically you forget about it. Is there any way to tell in what ways the sites have taken advantage of your white listing? If they gave you spyware or something else malicious can you trace the malware to the site that gave it to you?

Does anyone know of a tool that can successfully remove EMOTET?

Hello, I have a windows 10 system that a pop up on the right corner of windows keeps popping up with oload.club virus removal if you click on it, it takes you to a webpage doing a scan so I assume it malware or virus, I ran Malwarebytes, McAfee and MS Defender with no luck .... any suggestions on removing this?

I’m trying to compare the two solutions, between Webroot anywhere secure with DNS protection or Sophos interecptX advanced with EDR.
I do have a Sophos Firewall, but I’ve been using Webroot for now and just tested InterceptX and I have to decide which route to take.


Does anyone have any recommendations?

https://thehackernews.com/2018/12/china-ransomware-wechat.html?m=1

referring to above link, it did not give the hash for the malware but I need to check if signature has been released by Trendmicro.

Once I have the hash value, can enter into virustotal to check

We have 3 apps that a user runs on his computer every other day: 'SUPERAntiSpyware', 'Spy-Bot Search and Destroy' and 'Comodo Antivirus'.  The user runs the 3 apps at that same time whenever cleaning up is desired.  The user would leave theses tools running overnight.

The app 'Comodo Antivirus' never finds a virus.  The apps 'SUPERAntiSpyware' and 'Spy-Bot Search and Destroy' always finds spyware.  In  the morning the user would first click 'SUPERAntiSpyware' to delete or isolate the threats reported and then do the same to 'Spy-Bot Search and Destroy'.  Finally restart the computer.   Note, prior running the apps, the user would run cCleaner to cleanup any junk in his drive.

To-Date, there is no problem we have identified and all seems to be ok.  Our question is more directed to know EE opinion on:

• Why 'SUPERAntiSpyware' and 'Spy-Bot Search and Destroy' display different results?

• Any negative effect by running these 3 apps simultaneously?

• Finally, is it necessary to run cCleaner prior running the apps?

Q1:
If I use a Solaris server as repository server to get from Internet
ClamAV updates, can it be used by other platform 'satellite'
ClamAV such as Windows, Linux?   Ie can freshclam on
Windows/Linux pull signature updates from a Solaris ?


Q2:
Are the 3 cvd files (main, daily, bytecode) inter-useable
between Solaris x86, RHEL & Windows ?

Hacked e-mail account help required.

Last night a client received an e-mail that starts out:
My nickname in darknet is konstantine23.
I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

They then list the actual password correctly to her account.  It is an Office 365 account.  She does access her account on her personal laptop, which I will have this afternoon in my possession.   I am currently scanning her work computer, and having everyone else check for the same e-mail in their SPAM folder (Where she found hers).  We are in process of changing password to all of her online accounts (Including e-mail) on another computer, not part of their network.  The business does have a UTM router in place, and logs will be looked at next.  TDSS Killer did not find any rootkits, but more scanning will be done.

Looking for information on this possible.

a couple of years back, Trendmicro's  .DAT file can be searched using (find or grep command) for
certain malware names.

I'm now using OfficeScan V12.0.1352 & I think the signature file is VsapiNT.sys

I'm trying to track if  globeimposter  ransomware is in our current officescan signature &
the 2 links below seems to say that TM has documented them quite some time ago:
 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-4th-2017-globeimposter-notpetya-and-more/
 https://www.trendmicro.com/vinfo/in/security/news/cybercrime-and-digital-threats/ransomware-recap-crypshed-spoofs-amazon-in-ransomware-campaign

but when I searched for "glob"  (I suppose FakeGlobal as it's known to Trendmicro) would have it
listed in the latest VsapiNT.sys signature but it's not there:
appreciate steps on how to list the malwares covered by Officescan's signature file:

C:\foren>find/i "glob" *.sys |more

---------- TMPREFLT.SYS

---------- TMXPFLT.SYS

---------- VSAPINT.SYS
GlobalAddAtomA
GlobalAddAtomW
GlobalAlloc
GlobalCompact
GlobalDeleteAtom
GlobalFindAtomA
GlobalFindAtomW
GlobalFix
GlobalFlags
GlobalFree
GlobalGetAtomNameA
GlobalGetAtomNameW
GlobalHandle
GlobalLock
GlobalMemoryStatus
GlobalReAlloc
GlobalSize
GlobalUnWire
GlobalUnfix
GlobalUnlock
GlobalWire
MakeCriticalSectionGlobal
JungUm Global
Corel Global Macro(GMS)
GLOBAL:
GLOBALNE:
GLOBALDOTPROMPT
GLOBAL
GLOBAL.DOT:
GLOBAL:
ExecuteGlobal
Global