![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Well, this is early in the discovery process, but here's what we're seeing.
We have several machines, about 8 out of about 600 that are getting either massive spyware issues or sasser like 60 second shutdown warning windows.
This all happened after we deployed a number of recent patches (I will get a list shortly if someone has some wants it, IIRC it was the recent slew of MS patches) through our SUS sever. We do not force patching/reboots, so it's likely many of the machines have not been patched. The patches may or may not have anything to do with the issue. We had people report they ran the patch, rebooted and were having issues. We had another who hadn't run the patch, and was seeing the issue.
One of the machines was cleaned by hand, we used automated tools (MS Antispy+ one other) to get as much off as possible. Then we used hijackthis to get the rest off. It appeared to work, we were able to reboot several times and the process weren't starting.
The second machine was re-imaged.
After doing little work on the machines (testing standard apps on the first, adding the other to the domain, and opening outlook) both were "infected" again. Once infected the machine appears to download an install other various spyware (making finding the cause a little harder). I'll get a hijack this log in a bit to let you see what's going on.
So what it looks like is a worm that installs spyware, that downloads and installs other spyware.
Again, we JUST started TSing this problem, some of all of this may be incorrect/incomplete.
Anyways I'm not so much asking for help, we seem to be making headway. This is kinda a heads up, I guess...
We have several machines, about 8 out of about 600 that are getting either massive spyware issues or sasser like 60 second shutdown warning windows.
This all happened after we deployed a number of recent patches (I will get a list shortly if someone has some wants it, IIRC it was the recent slew of MS patches) through our SUS sever. We do not force patching/reboots, so it's likely many of the machines have not been patched. The patches may or may not have anything to do with the issue. We had people report they ran the patch, rebooted and were having issues. We had another who hadn't run the patch, and was seeing the issue.
One of the machines was cleaned by hand, we used automated tools (MS Antispy+ one other) to get as much off as possible. Then we used hijackthis to get the rest off. It appeared to work, we were able to reboot several times and the process weren't starting.
The second machine was re-imaged.
After doing little work on the machines (testing standard apps on the first, adding the other to the domain, and opening outlook) both were "infected" again. Once infected the machine appears to download an install other various spyware (making finding the cause a little harder). I'll get a hijack this log in a bit to let you see what's going on.
So what it looks like is a worm that installs spyware, that downloads and installs other spyware.
Again, we JUST started TSing this problem, some of all of this may be incorrect/incomplete.
Anyways I'm not so much asking for help, we seem to be making headway. This is kinda a heads up, I guess...