Virus removal help needed...

They're all rubbish. :D:p Symantec has the nickname The Yellow Peril among certain security companies apparently! :eek:

Try a real AV, such as Kaspersky or NOD32. Malwarebytes' Anti-Malware is another good free program to try.

Well I've always been quite impressed with Symantec actually, just wish they would hurry up and sort this out so the other computers will be virus free because I don't fancy going round and deleting it all manually :p

As for the others, I'm not sure if they would get it...if you google 'bar32.exe' there are a couple of threads that come up including this one and both are very late April/early May.

If you have so much faith in NOD32 and Kaspersky I'm sure I could send you the virus to try it out? :D
 

Just to update, Kaspersky does recognise it, apparently it was released on 17th which explains why so little was on the web :p

Look here if you're interested: http://www.securelist.com/en/descriptions/7554742/Net-Worm.Win32.Kolab.hsa

This place scans with tons of scanners

http://virusscan.jotti.org/en-GB

This link did not work for me :(


Annoyingly, even after my boss sent the bar32.exe to Symantec on Friday, there still have been no updates to fix it.
 
Works now, here are results:

63378875.jpg


Says filename is MsMxEng.exe when I actually uploaded bar32.exe, so I was right about them being linked :p

I then found a similar website which had Symantec and here are results.

File bar32.exe received on 2010.05.10 11:39:38 (UTC)
Current status: finished
Result: 25/40 (62.50%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.10 Backdoor.Tofsee!IK
AhnLab-V3 2010.05.09.00 2010.05.08 -
AntiVir 8.2.1.236 2010.05.10 TR/Dropper.Gen
Antiy-AVL 2.0.3.7 2010.05.10 Worm/Win32.Kolab.gen
Authentium 5.2.0.5 2010.05.10 W32/Kolab.A.gen!Eldorado
Avast 4.8.1351.0 2010.05.09 Win32:Flot-C
Avast5 5.0.332.0 2010.05.09 Win32:Flot-C
AVG 9.0.0.787 2010.05.09 Crypt.RVQ
BitDefender 7.2 2010.05.10 Gen:Heur.Krypt.10
CAT-QuickHeal 10.00 2010.05.10 I-Worm.Kolab.hsa
ClamAV 0.96.0.3-git 2010.05.10 -
Comodo 4812 2010.05.10 -
DrWeb 5.0.2.03300 2010.05.10 Win32.HLLW.Lime.18
eSafe 7.0.17.0 2010.05.09 -
eTrust-Vet 35.2.7477 2010.05.10 Win32/Rimecud.AEH
F-Prot 4.5.1.85 2010.05.10 W32/Kolab.A.gen!Eldorado
F-Secure 9.0.15370.0 2010.05.10 Gen:Heur.Krypt.10
Fortinet 4.1.133.0 2010.05.10 -
GData 21 2010.05.10 Gen:Heur.Krypt.10
Ikarus T3.1.1.84.0 2010.05.10 Backdoor.Tofsee
Jiangmin 13.0.900 2010.05.10 Worm/Kolab.gm
Kaspersky 7.0.0.125 2010.05.10 Net-Worm.Win32.Kolab.hsa
McAfee 5.400.0.1158 2010.05.09 -
McAfee-GW-Edition 2010.1 2010.05.10 -
Microsoft 1.5703 2010.05.10 VirTool:Win32/CeeInject.gen!CN
NOD32 5101 2010.05.10 Win32/Peerfrag.EC
Norman 6.04.12 2010.05.10 -
nProtect 2010-05-10.01 2010.05.10 -
Panda 10.0.2.7 2010.05.09 W32/Rimecud.T.worm
PCTools 7.0.3.5 2010.05.10 -
Rising 22.47.00.04 2010.05.10 -
Sophos 4.53.0 2010.05.10 Mal/Resdro-A
Sunbelt 6284 2010.05.10 -
Symantec 20091.2.0.41 2010.05.10 WS.Reputation.1
TheHacker 6.5.2.0.277 2010.05.10 Trojan/Injector.bfi
TrendMicro 9.120.0.1004 2010.05.10 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.10 -
VBA32 3.12.12.4 2010.05.06 Net-Worm.Win32.Kolab.hsa
ViRobot 2010.5.10.2308 2010.05.10 -
VirusBuster 5.0.27.0 2010.05.09 Worm.Kolab.CXS

Too long to screenshot so looks more complicated, basically the ones with the dash after don't know what it is.

That is suggesting Symantec does know, but it still isn't picking it up here despite being the latest version. :confused:
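A reading aid for the multi-scanner report in the post above, added here as an example and not part of the original thread: it parses an excerpt of the pasted rows and separates "no detection" from reputation-only, generic/heuristic and family-named verdicts. The bucket rules (the `WS.Reputation` prefix, token matching on `gen`/`heur`) are assumptions made for this illustration.

```python
import re
from collections import Counter

# Rows copied from the report in the thread (10 of the 40 engines).
REPORT_EXCERPT = """\
AntiVir 8.2.1.236 2010.05.10 TR/Dropper.Gen
BitDefender 7.2 2010.05.10 Gen:Heur.Krypt.10
ClamAV 0.96.0.3-git 2010.05.10 -
Kaspersky 7.0.0.125 2010.05.10 Net-Worm.Win32.Kolab.hsa
McAfee 5.400.0.1158 2010.05.09 -
Microsoft 1.5703 2010.05.10 VirTool:Win32/CeeInject.gen!CN
NOD32 5101 2010.05.10 Win32/Peerfrag.EC
Panda 10.0.2.7 2010.05.09 W32/Rimecud.T.worm
Symantec 20091.2.0.41 2010.05.10 WS.Reputation.1
VBA32 3.12.12.4 2010.05.06 Net-Worm.Win32.Kolab.hsa
"""

DATE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")

def parse_report(text):
    """Return (engine, version, last_update, result) tuples. Assumes the
    thread's layout: whitespace-separated columns, result as last token."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not DATE.match(parts[-2]):
            continue  # header line, blank line or truncated row
        rows.append((parts[0], " ".join(parts[1:-2]), parts[-2], parts[-1]))
    return rows

def classify(result):
    """Bucket a verdict string. The rules are assumptions made for this
    example, not a vendor naming standard."""
    if result == "-":
        return "none"          # engine reported nothing
    if result.startswith("WS.Reputation"):
        return "reputation"    # reputation score, no family named
    tokens = set(re.split(r"[^a-z0-9]+", result.lower()))
    if tokens & {"gen", "heur", "generic"}:
        return "generic"       # generic or heuristic label
    return "family"            # names a specific family or variant

def summarize(text):
    """Map each engine to its bucket and count the buckets."""
    kinds = {eng: classify(res) for eng, _, _, res in parse_report(text)}
    return kinds, Counter(kinds.values())

if __name__ == "__main__":
    print(summarize(REPORT_EXCERPT))
```

Run against the full 40-row paste, the `none` bucket corresponds to the rows ending in a dash, and the remaining rows account for the 25/40 in the report header.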
 
Sorry can't provide you with any help on the virus but maybe in future you could have USB/optical drives disabled to stop people bringing any old crap into your network. We do this, if someone needs something off a memory stick or something putting onto a work memory stick we will test it first on a network separate to our main one
 

There would be outcry, madness and chaos if I did this, not an option I'm afraid.
 

I have never worked anywhere where people are allowed to connect personal memory sticks to the network. We did allow iPods at one of my old workplaces but not this one.

As a network admin of 500 machines (presumably 500 people) I would look at beefing up security if people are allowed to connect anything they like to your network. What if this virus is sat happily collecting company data or destroying it?

What things do people need off personal storage anyway?
 
First off, I work in a school so it's 1000+ people (teachers+students) and so USB pens are regularly carried around with coursework etc on. The computers the kids can access are an RM CC3 network and is already fairly strict on things like this and anyway Symantec has never let anything through in the time I have been here so I'm sure I can let it off once.
 
In which case, may I suggest something like a program that rebuilds the machines back to a certain state every night (forgot the names, but there's a few). This way if one gets a virus it doesn't matter because they are scrubbed and go back to being shiny OSs with all the programs you need

When I was at college Norton Ghost was used to do this. It didn't stop people unscrewing the PCs and removing memory though (Doncaster for ya)
 

Well it's too late now, we are happy with the system, we just need Symantec to get their act together and we will be sorted :)
 