And that's why I need to deploy SAV 10


As I was leaving work today, I glanced down at the BlackBerry and saw pages and pages of virus alerts. In Outlook that is filtered to another folder so I don't see it. The virus alerts were coming once per minute from a file in the user's Temporary Internet Files.

After going to dinner :) I came back and found that the file being detected was a running process. Since SAV versions earlier than 10 can't end the process, it just kept detecting it and being unable to do anything. I used pskill to take out the process and then used SAV to delete the file.

Interestingly enough, this user is not a local administrator. However, she also was not added to the correct security group for our "managed user" group policy to apply, so she was able to get this autorunning under her HKEY_USERS\...\Windows\CurrentVersion\Run registry key.

The file was BubbleShotter15[1].com and it was detected as Backdoor.Sdbot. The only other thing on the system that was suspicious was Plaxo. I hate that program.
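Because the persistence here was a per-user Run value pointing into the browser cache, a quick check for that pattern across loaded user hives is worth having. This is an added example, not part of the original post; it assumes PowerShell 3 or later on Windows, run as an administrator so other users' HKEY_USERS hives are readable.

```powershell
# Added example (not from the original post): list per-user Run/RunOnce values and flag
# entries that launch from browser cache or temp folders, the pattern described above.
# Assumes PowerShell 3+ on Windows; run elevated to read other users' HKU hives.

$suspectPattern = 'Temporary Internet Files|\\INetCache\\|\\Temp\\'

function Get-UserRunEntries {
    # Loaded user hives sit under HKEY_USERS; keep real account SIDs, skip *_Classes hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

    foreach ($hive in $hives) {
        foreach ($sub in 'Run', 'RunOnce') {
            $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $keyPath)) { continue }
            $props = Get-ItemProperty -Path $keyPath
            foreach ($p in $props.PSObject.Properties) {
                # Get-ItemProperty adds provider metadata properties; ignore those.
                if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
                [pscustomobject]@{
                    Sid        = $hive.PSChildName
                    Key        = $sub
                    ValueName  = $p.Name
                    Command    = [string]$p.Value
                    Suspicious = ([string]$p.Value) -match $suspectPattern
                }
            }
        }
    }
}

$entries = Get-UserRunEntries
$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Flagged entries are the ones to triage. As the post notes, an older AV cannot end a live
# process, so confirm whether the binary is running (Get-Process) before deleting the file.
$entries | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Run value '$($_.ValueName)' for $($_.Sid) launches from a cache/temp path: $($_.Command)"
}
```

Matching on a path pattern is a cheap triage heuristic, not a verdict; legitimate installers occasionally stage from Temp, so check the flagged binary before removing it.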

This page contains a single entry by Roger published on September 14, 2005 6:13 PM.