pinky (Members, 6 posts)
Everything posted by pinky

  1. Hi guys, I do not see the current spread of Ordinypt being detected on virusradar; is ESET currently detecting this infection? Ordinypt / HSDFSDCrypt hash: SHA256: 085256b114079911b64f5826165f85a28a2a4ddc2ce0d935fa8545651ce5ab09 https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/
  2. We have recently been targeted by the latest modification of the Locky/Zepto malware, which is not detected by our mail server antivirus nor by the client's local EEA 5.0 (LiveGrid and HIPS on). The payload is in a .zip attachment containing JavaScript. Enclosed is a link to the script (the extension was changed to prevent execution, content otherwise unchanged): https://drive.google.com/open?id=0B5iWxDIPYCCcOGxqRHg4RVFUVVE
  3. Some more updates picked up from WUpdate today; after the two latest PUP infections were cleaned, nothing new was detected and the system appears to run okay. SOLVED
  4. Spent a good 6 hrs with this machine yesterday, but all seemed to be resolved this morning. We run Endpoint 5 and all clients have LiveGrid enabled. A new scan just running highlights two infections from PUP found again.

     After disabling the autostart programs I could run MS FixIt to be able to activate Windows Firewall; this had been turned off and could not be turned on, with error 80070422. There had been many updates missing and WUpdate was running, so I started patching the system while running another full system scan. Not sure what the definition file was at that time; yes, there was another type of infection detected. These were Win32/Wigon.OV and Win32/SPAM.Tool.Mailbot.NAH trojan (both in the svchost.exe process) and one SecurityDisabler in a user.js JavaScript file on the local drive. The JavaScript was in the %appdata%\Mozilla folder; strangely enough, there was no Mozilla installed on this machine.

     The zumtoxitbgy.exe I had suspected initially was not detected as infected during this or any of the subsequent scans. Nevertheless I left it disabled in autostart. I still wonder where the attempts to start new infected svchost processes were initiated from. I did not see anything suspicious in the Task Scheduler, nor among the running processes (all processes from signed vendors, all negative on a VirusTotal check)... I have not figured out yet how to get details of a svchost started from SysWOW64; I will do a bit of research on this, as I know how to check what a regular svchost is related to, and this WOW64 approach has caught me unprepared this time. After several reboots and patching, a full scan reveals no further infection and the PC appears to behave normally, yet the two new detections after yesterday's clean scan make me think there is still something not quite right.

     The existing services running are (column headers translated from Turkish):

     Image Name    PID   Services
     ============  ====  ============================================
     svchost.exe   980   DcomLaunch, PlugPlay, Power
     svchost.exe   308   RpcEptMapper, RpcSs
     svchost.exe   624   AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
     svchost.exe   668   AudioEndpointBuilder, CscService, hidserv, IPBusEnum, Netman, PcaSvc, SysMain, TrkWks, UxSms, WdiSystemHost, Wlansvc, WPDBusEnum, wudfsvc
     svchost.exe   516   EventSystem, fdPHost, FontCache, netprofm, nsi, WdiServiceHost, WinHttpAutoProxySvc
     svchost.exe   924   BITS, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, Schedule, seclogon, ShellHWDetection, Themes, Winmgmt, wuauserv
     svchost.exe   1304  CryptSvc, Dnscache, LanmanWorkstation, NlaSvc
     svchost.exe   1400  BFE, DPS, MpsSvc, WwanSvc
     svchost.exe   2616  bthserv
     svchost.exe   3100  RapiMgr, WcesComm
     svchost.exe   3912  SSDPSRV, upnphost
     svchost.exe   3268  WinDefend
  5. Hi, I installed it on one of our Win7 x64 company PCs and immediately an infection was detected. ESET continuously reports the Wigon.PI trojan being detected in svchost.exe and cleans it, yet the message comes back every second as a new process is started. I checked the running processes using Process Explorer and see that there are numerous C:\Windows\SysWOW64\svchost.exe running. Checking the hash of these svchost.exe at virustotal.com reveals no suspicion; the file is signed and appears to be authentic. However, this does not look like a regular service host; I can't see any DLLs it would be running. I tried to kill all the processes, but within a short time new ones are started. There is a suspicious zomtuxitbogy.exe set in autostart as well as regedit.exe, both disabled in msconfig now. Apparently ESET is unable to find the root cause of the installation, while it detects attempts to run the malicious process and stops it. Any ideas how to further investigate and clean in full?
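The question raised in posts 4 and 5 above is how to tell which svchost.exe instances are genuine service hosts and which are merely a signed binary being used as a container for something else. The following is an added example written for this page, not code from the thread or from ESET. It uses the Win32_Process and Win32_Service WMI classes to correlate each svchost.exe with its image path, parent process, command line and the services mapped to its PID, and flags the combinations that a real Service Host never shows: an image outside %SystemRoot%\System32 (on x64 the SysWOW64 copy is not normally started as a service host), a parent other than services.exe, no "-k <group>" argument, or no service at all mapped to the process. Get-WmiObject is used deliberately because Windows 7 ships PowerShell 2.0, which lacks Get-CimInstance; the flag names and output layout are this example's own choices.

```powershell
# Added example (not from the forum thread): triage every svchost.exe on the host.
# Run from an elevated PowerShell so ExecutablePath/CommandLine are readable for all
# processes. Get-WmiObject is used because Windows 7 ships PowerShell 2.0.
#
# A genuine svchost.exe lives in %SystemRoot%\System32, is a child of services.exe,
# carries "-k <group>" on its command line, and has at least one service mapped to it.

$procs    = @(Get-WmiObject Win32_Process)
$services = @(Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 })
$byPid    = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$system32 = (Join-Path $env:SystemRoot 'System32').ToLower()
$report   = @()

foreach ($p in $procs) {
    if ($p.Name -ine 'svchost.exe') { continue }

    $parent = $byPid[[int]$p.ParentProcessId]
    $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } | ForEach-Object { $_.Name })
    $path   = if ($p.ExecutablePath) { $p.ExecutablePath.ToLower() } else { '' }
    $cmd    = if ($p.CommandLine)    { $p.CommandLine }              else { '' }

    # Each check names one property of a legitimate service host that this one lacks.
    $flags = @()
    if (-not $path.StartsWith($system32))                  { $flags += 'path not System32' }
    if (-not $parent -or $parent.Name -ine 'services.exe') { $flags += 'parent not services.exe' }
    if ($cmd -notmatch '\s-k\s+\S+')                       { $flags += 'no -k group' }
    if ($hosted.Count -eq 0)                               { $flags += 'no services mapped' }

    $parentDesc = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($p.ParentProcessId))" }

    $report += New-Object PSObject -Property @{
        PID        = $p.ProcessId
        Path       = $p.ExecutablePath
        Parent     = $parentDesc
        CmdLine    = $cmd
        Services   = ($hosted -join ', ')
        Suspicious = ($flags -join '; ')
    }
}

# Most-flagged instances first.
$report | Sort-Object { $_.Suspicious.Length } -Descending |
    Format-Table PID, Path, Parent, Services, Suspicious -AutoSize -Wrap

# For each flagged instance, list modules loaded from outside System32: an injected or
# hollowed host usually shows an unsigned DLL from %APPDATA%, %TEMP% or ProgramData.
foreach ($s in ($report | Where-Object { $_.Suspicious })) {
    Write-Host ("`n== PID {0} ({1}) modules outside System32 ==" -f $s.PID, $s.Suspicious)
    Get-Process -Id $s.PID -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Modules -ErrorAction SilentlyContinue |
        Where-Object { $_.FileName -notlike "$env:SystemRoot\System32\*" } |
        Select-Object ModuleName, FileName |
        Format-Table -AutoSize
}
```

The parent column is the part Process Explorer alone does not make obvious when the spawner has already exited: a flagged svchost whose parent is "<exited>" was started by a short-lived process, so the next place to look is whatever launched and exited (autostart entries, scheduled tasks, the parent PID in the Security log if process creation auditing is on). A 64-bit PowerShell may fail to read the module list of a 32-bit (SysWOW64) process; run the same script from the 32-bit PowerShell under %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0 for those PIDs.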
  6. Is there a way to initiate the download and installation of Windows Updates from ERA?? I see several machines in our 5.2 ERA where users seem not to care much about installing these. And these are different domains; we do not have a single-domain environment, many offices run as small, isolated islands, despite all being under the same AV protection. If we were in one domain, a login script and group policy would be where I would rather look for a solution... Basically I would like these machines to download a script and execute it to force WUpdate.... https://msdn.microsoft.com/en-us/library/aa387102(VS.85).aspx Is ERA a good tool to be used for this type of job at all?
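The MSDN page linked in the post above documents the Windows Update Agent (WUA) COM API with a VBScript sample that searches for, downloads and installs missing updates. The script below is an added example for this page, not ESET's or Microsoft's code, and is a PowerShell rendering of that same search/download/install flow using the Microsoft.Update.Session and Microsoft.Update.UpdateColl COM objects. It is written to be dropped on a client and run locally by whatever mechanism the environment has for that (the post asks about doing so from ERA); the search criteria string, the exit codes and the log messages are this example's own choices.

```powershell
# Added example (not from the forum thread): force a Windows Update cycle through the
# Windows Update Agent COM API. Must run elevated, in a LOCAL session (WUA refuses to
# download/install from a remote session such as WinRM, so launch it via a scheduled
# task, a service-context agent, or an interactive admin session, not via remoting).

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Criteria syntax is WUA's own; this asks for not-yet-installed, non-hidden software updates.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
if ($result.Updates.Count -eq 0) {
    Write-Host 'No applicable updates.'
    exit 0
}

$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $result.Updates) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }   # installer skips updates with an unaccepted EULA
    [void]$toInstall.Add($u)
    Write-Host ("queued : {0}" -f $u.Title)
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
$dl = $downloader.Download()
Write-Host ("download result code: {0}" -f $dl.ResultCode)

# Install only what actually arrived; a partial download must not abort the whole run.
$ready = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $toInstall) {
    if ($u.IsDownloaded) { [void]$ready.Add($u) } else { Write-Host ("not downloaded: {0}" -f $u.Title) }
}
if ($ready.Count -eq 0) { Write-Host 'Nothing downloaded; aborting.'; exit 1 }

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $ready
$inst = $installer.Install()

# OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
for ($i = 0; $i -lt $ready.Count; $i++) {
    Write-Host ("{0,-22} -> result {1}" -f $ready.Item($i).Title.Substring(0, [Math]::Min(22, $ready.Item($i).Title.Length)), $inst.GetUpdateResult($i).ResultCode)
}
Write-Host ("overall result: {0}, reboot required: {1}" -f $inst.ResultCode, $inst.RebootRequired)

# 3010 is the conventional ERROR_SUCCESS_REBOOT_REQUIRED exit code, so a deployment
# tool can distinguish "done" from "done, reboot pending".
if ($inst.RebootRequired) { exit 3010 } elseif ($inst.ResultCode -eq 2) { exit 0 } else { exit 1 }
```

Two operational caveats apply to the post's plan of pushing this to unmanaged, multi-domain islands: the Windows Update service (wuauserv) must be running and able to reach either Microsoft Update or the WSUS server the client is pointed at, and the script will install every applicable update the client can see, so a pinned or excluded update must be filtered out of the collection by title or KB before the Add call rather than relying on a later approval step.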