Re: Virus that causes a lot of traffic ?

From: Paul fpvt2 (Paulfpvt2_at_discussions.microsoft.com)
Date: 12/02/04


Date: Thu, 2 Dec 2004 08:49:07 -0800

Thank you very much for the offer to email you, Dave. I appreciate it.

They decided for now not to use this one machine that has the most viruses
(Bkdr./bounce.a and Troj SQLSpida.B), but they told me to look at it when I
have a minute.
Another person in my company had deleted the 2 files (c:\winnt\system32
\config\services.exe and c:\winnt\system32\drivers\services.exe) in safe
mode. Then, he reran Housecall (not in safe mode) and it said no more
viruses. But, after that the high bandwidth traffic still happened, and as
soon as we disconnected this computer, everything was fine again.

So, my plan was to follow your suggestion to boot in safe mode and run
sysclean in safe mode. Shall I choose to boot in DOS or not?
I will also run stinger in safe mode.
I will post my result.
If I don't find any more viruses, I will email you regarding the other
Command Line scanner.

Thanks a lot for your help.

"David H. Lipman" wrote:

> YES !
>
> They would definitely bog down the Server -- No doubt.
>
> Please do NOT follow the "other" Dave's suggestion. You do not need to rebuild the server
> at this time.
>
> You need to run the utilities in Safe Mode ! This increases the effectiveness of both
> finding infectors and removing them.
>
> You need to load the Task Manager and shutdown as many running processes as possible.
>
> Then run the utilities. I also suggest going back to Trend and downloading both the latest
> Trend Pattern Files and Sysclean.com -- Both were updated Today.
>
> I also invite you to email me and I can provide you with information on another Command Line
> Scanner. I can't post the information in public due to licensing issues.
>
> Just remove ~nospam~.
>
> Dave
>
>
>
>
> "Paul fpvt2" <anonymous@discussions.microsoft.com> wrote in message
> news:16ed01c4d6e9$6279f3e0$a501280a@phx.gbl...
> | Hi Dave,
> | Yesterday, our network administrator ran the Stinger and
> | Trend Housecall (albeit not in a safe mode) on our
> | Win2000 servers.
> |
> | The following were the viruses that cannot be cleaned.
> | Do you know the best way to clean these viruses? Do we
> | need to reboot the machine in a safe mode, go to DOS
> | prompt, unhide the directory and files, and delete them?
> |
> | . Bkdr./bounce.a. It is in c:\winnt\system32\config\services.exe.
> |   Housecall cannot clean it.
> | . Troj SQLSpida.B. It is in c:\winnt\system32\drivers\services.exe.
> |   This is a hidden file that was only shown when "Show all hidden
> |   files and directories" in Windows Explorer was selected. Housecall
> |   cannot clean it.
> | . HTML_Netsky.P. It is in c:\program files\..\..\RYGJYXY0* Layer2 nonamefl*.
> |   In Windows Explorer, even after "Show all hidden files and directories"
> |   was selected, you still cannot see this directory. Housecall cannot
> |   clean it.
> | . IRC/Flood.ap Trojan at c:\winnt\system32\OCXDLL.EXE\DLL32NT.HLP.
> |   Stinger cannot clean this file.
> |
> | The following were viruses that were successfully cleaned:
> | . Malware.pe_parite.a
> | . malware.worm_agobot-2
> | . W32/Sdbot.worm.gen.T
> | . W32/Sdbot.worm.gen.R
> |
> | Do you think any of the malware that were found above
> | could cause the high bandwidth traffic on the servers?
> |
> | Thanks again in advance.
> |
> | >-----Original Message-----
> | >You will have to use Ethereal or some other packet analysis tool and examine the traffic
> | >to/from the server to see what's going on. In the meantime, I suggest performing the
> | >following...
> | >
> | >1) Download the following four items...
> | >
> | > McAfee Stinger
> | > http://vil.nai.com/vil/stinger/
> | >
> | > Trend Sysclean Package
> | > http://www.trendmicro.com/download/dcs.asp
> | >
> | > Latest Trend Pattern File.
> | > http://www.trendmicro.com/download/pattern.asp
> | >
> | > Adaware SE (free personal version v1.05)
> | > http://www.lavasoftusa.com/
> | >
> | >Create a directory.
> | >On drive "C:\"
> | >(e.g., "c:\New Folder")
> | >or the desktop
> | >(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
> | >
> | >Download Sysclean.com and place it in that directory.
> | >Download the Trend Pattern File by obtaining the ZIP file.
> | >For example; lpt265.zip
> | >
> | >Extract the contents of the ZIP file and place the contents in the same directory as
> | >sysclean.com.
> | >
> | >2) Update Adaware with the latest definitions.
> | >3) If you are using WinME or WinXP, disable System Restore
> | > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
> | >4) Reboot your PC into Safe Mode
> | >5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
> | > platform and clean/delete any infectors/parasites found.
> | > (a few cycles may be needed)
> | >6) Restart your PC and perform a "final" Full Scan of your platform using the three
> | > utilities; Trend Sysclean, Stinger and Adaware
> | >7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
> | > System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
> | >8) Reboot your PC.
> | >9) If you are using WinME or WinXP, create a new Restore point
> | >
> | >
> | >* * * Please report your results ! * * *
> | >
> | >Dave
> | >
> | >
> | >"Paul fpvt2" <anonymous@discussions.microsoft.com> wrote in message
> | >news:0ac601c4d49b$07adda30$a501280a@phx.gbl...
> | >| Recently some of our servers received so much traffic that
> | >| it caused the servers to go down. We have installed SP3
> | >| for SQL Server 2000, so I don't think it is related with
> | >| the W32/SQLSlammer.worm. We also installed Symantec
> | >| antivirus software in all our servers. Are there any
> | >| other viruses that would cause a lot of traffic to your
> | >| machine?
> | >|
> | >| Thank you.
> | >
> | >
>
>
>
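Dave's first suggestion in the thread is to look at the traffic itself with Ethereal before cleaning. As an added example that is not part of the thread, here is a small Python script that reads flow summaries of the kind you could export from a capture (the addresses, byte counts and the "src dst proto dport bytes" line format are constructed) and ranks top talkers by bytes while separately flagging a host that reaches many peers on one port, the fan-out pattern of a scanning worm that can saturate a link without topping the byte chart.

```python
from collections import defaultdict

# Constructed flow summaries in the shape you would export from a packet
# analyser's conversation view: "src_ip dst_ip proto dst_port bytes".
# One host (10.40.1.165, a made-up address) talks to 40 different hosts on
# TCP 1433 with small, identical flows: the fingerprint of a scanning worm.
SAMPLE_FLOWS = [
    "10.40.1.10 10.40.1.20 tcp 445 820000",   # normal file-server traffic
    "10.40.1.11 10.40.1.20 tcp 445 410000",
    "10.40.1.165 10.40.1.20 tcp 445 12000",
    "10.40.1.165 10.40.1.5 udp 53 300",
]
SAMPLE_FLOWS += [f"10.40.1.165 198.51.100.{i} tcp 1433 480" for i in range(1, 41)]


def parse_flows(lines):
    """Turn 'src dst proto dport bytes' lines into dicts, skipping malformed ones."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, dport, nbytes = parts
        flows.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def top_talkers(flows, n=3):
    """Sources ranked by total bytes sent: the first view for 'a lot of traffic'."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def find_scanners(flows, fanout=20):
    """Flag (src, proto, dport, peers) where one source reaches >= fanout hosts.

    Byte volume alone misses worms: a scanner sends many tiny flows, so it
    can sit low in the byte ranking while still flooding the link with packets.
    """
    peers = defaultdict(set)
    for f in flows:
        peers[(f["src"], f["proto"], f["dport"])].add(f["dst"])
    hits = [(src, proto, dport, len(dsts))
            for (src, proto, dport), dsts in peers.items() if len(dsts) >= fanout]
    return sorted(hits, key=lambda h: h[3], reverse=True)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Top talkers by bytes:", top_talkers(flows))
    print("Fan-out scanners:", find_scanners(flows))
```

In the constructed data the scanning host is only third by bytes but is the only source flagged by fan-out, which is why both views are worth checking on a server that "receives a lot of traffic".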


