Re: Please Help! Hijacked Network.
From: RandyH (RHollaw_at_HotMail.com)
Date: 03/30/04
- Next message: Samurai: "Re: OWA goes down every so often"
- Previous message: tmarando: "RE: Please Help! Hijacked Network."
- In reply to: PLD: "Please Help! Hijacked Network."
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 30 Mar 2004 15:33:09 -0500
Might try this:
http://www.spychecker.com/program/hijackthis.html
"PLD" <anonymous@discussions.microsoft.com> wrote in message
news:15c2901c41685$d86b0410$a501280a@phx.gbl...
> I'm having a serious problem with SBS2003. Within days
> after installing and configuring ISA2000, performance
> degraded substantially. Event Viewer revealed numerous IP
> Spoof and NDR errors. Anti-virus software was strangely
> disabled. Re-installed NAV Corp Edition and detected
> several mass-mailer worms on the box (W32.Netsky.K@mm,
> W32.Netsky.D@mm, W32.Beagle.M@mm, W32.Mydoom.A@mm).
>
> I blocked outgoing email but noticed the Exchange mailroot
> Queue and BadMail folders were growing rapidly (gobbling
> up GBs of HD space). I immediately stopped and disabled
> all MS Exchange services and locked down the hardware
> firewall to deny all SMTP/POP3 traffic. This slowed down
> the queue growth, but did not stop it. Subsequent virus
> scans came up clean (couldn't check in Safe Mode though -
> NAV won't initialize). I downloaded Symantec virus
> removal tools for each virus type and ran/re-ran in
> regular and Safe Mode. The tools found nothing.
>
> This led me to suspect the problem may no longer be a
> virus, but some rogue hidden program on the box that
> initializes at startup. I scanned the Registry with
> AdAware (which caught minor stuff) but nothing related. I
> manually inspected the Registry key:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> - to check for rogue programs launching at startup.
> Only found one suspect item
> (C:\WINDOWS\System32\83744448.exe) - but subsequent searches
> of the directory (set to show hidden and OS files) can't
> locate the file.
> I suspect it's just a key left over from one of the old
> viruses?? I looked up and validated all running processes
> showing in Task Manager. I also searched the Add/Remove
> Programs control panel for anything out of the ordinary.
> Only found one suspect file called "NPO.exe" which I
> uninstalled (supposedly). Couldn't find much about it on
> the Internet.
>
> The good news is that Safe Mode prevents the queues from
> growing. Bad news is I can't run the network in Safe
> Mode. I suspect some rogue program has tweaked the
> Registry and renamed itself as a system file. Every time
> the box boots up in normal mode, it launches itself and
> takes over. Can anyone suggest a way to stop this thing?
> I'm afraid I've run out of moves at this point. :[
>
> ...Paul
>
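An added example, not from RandyH's reply or Paul's post: a PowerShell script that automates the check Paul describes doing by hand, enumerating the Run/RunOnce autostart keys under HKLM and HKCU, flagging any entry whose target binary cannot be found on disk (the situation he hit with the C:\WINDOWS\System32\83744448.exe value) or whose filename is just digits, and separately listing running processes whose reported image path does not resolve on disk. It assumes PowerShell is installed on the host being inspected (a 2004-era SBS2003 box would not have had it by default) and is run from an elevated prompt so HKLM is readable; the key list and the numeric-filename heuristic are my own assumptions, not anything the thread specifies.

```powershell
# Added example, not part of the original thread. Enumerates autostart
# Run/RunOnce entries and flags the two things Paul ran into: a value whose
# executable is not on disk, and a basename that is only digits (83744448.exe).
# Assumes PowerShell is present and the prompt is elevated (HKLM access).

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty attaches itself; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartExe {
    param([string]$Command)
    # Pull the executable out of a Run value: a quoted path, or the first
    # whitespace-delimited token of an unquoted command line. Expand
    # %SystemRoot%-style variables first so the path can be tested.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $exe = ($cmd -split '\s+')[0]
    # Unqualified names (e.g. rundll32.exe) resolve through PATH, not the
    # current directory, so resolve them the way the loader would.
    if ($exe -and -not [System.IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
        if ($found) { $exe = $found.Path }
    }
    return $exe
}

function Get-SuspiciousAutostarts {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $exe = Get-AutostartExe ([string]$prop.Value)
            if (-not $exe) { continue }                      # empty value, nothing to test
            $onDisk = Test-Path -LiteralPath $exe -PathType Leaf
            $name = [System.IO.Path]::GetFileName($exe)
            $numericName = ($name -match '^\d+\.exe$')       # heuristic, my assumption
            if ($onDisk -and -not $numericName) { continue }
            $reason = if (-not $onDisk) { 'target file not found on disk' } else { 'all-digit filename' }
            New-Object PSObject -Property @{
                Key        = $key
                ValueName  = $prop.Name
                Executable = $exe
                OnDisk     = $onDisk
                Reason     = $reason
            }
        }
    }
}

function Get-ProcessesWithMissingImage {
    # A process whose reported image path does not resolve on disk is worth a
    # look: the binary was removed after launch or is being hidden from listings.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and -not (Test-Path -LiteralPath $_.Path -PathType Leaf) } |
        Select-Object Id, ProcessName, Path
}

Get-SuspiciousAutostarts | Select-Object Key, ValueName, Executable, OnDisk, Reason | Format-Table -AutoSize
Get-ProcessesWithMissingImage | Format-Table -AutoSize
```

A Run value whose file is genuinely gone is harmless on its own and can simply be deleted; the interesting case is the one Paul describes, where the key is present, the file is not visible, and the symptom still returns on a normal boot, which points at a launch path other than that one Run value (a service, a RunOnce entry, or a process the tool above lists as running from a path that does not resolve).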