Please Help! Hijacked Network!
From: PLD (anonymous_at_discussions.microsoft.com)
Date: 03/30/04
- Next message: Bjorn Landemoo: "Re: Restored mirror won't boot"
- Previous message: Giridhar: "Re: Routing and remote access"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Please Help! Hijacked Network!"
- Reply: Lanwench [MVP - Exchange]: "Re: Please Help! Hijacked Network!"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 30 Mar 2004 10:40:42 -0800
I'm having a serious problem with SBS2003. Within days
after installing and configuring ISA2000, performance
degraded substantially. Event Viewer revealed numerous IP
Spoof and NDR errors. Anti-virus software was strangely
disabled. Re-installed NAV Corp Edition and detected
several mass-mailer worms on the box (W32.Netsky.K@mm,
W32.Netsky.D@mm, W32.Beagle.M@mm, W32.Mydoom.A@mm).
I blocked outgoing email but noticed the Exchange mailroot
Queue and BadMail folders were growing rapidly (gobbling
up GBs of HD space). I immediately stopped and disabled
all MS Exchange services and locked down the hardware
firewall to deny all SMTP/POP3 traffic. This slowed down
the queue growth, but did not stop it. Subsequent virus
scans came up clean (couldn't check in Safe Mode though -
NAV won't initialize). I downloaded Symantec virus
removal tools for each virus type and ran/re-ran in
regular and Safe Mode. The tools found nothing.
This led me to suspect the problem may no longer be a
virus, but some rogue hidden program on the box that
initializes at startup. I scanned the Registry with
AdAware (which caught minor stuff) but nothing related. I
manually inspected the Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - to check for rogue programs launching at startup.
Only found one suspect item (C:\WINDOWS\System32\83744448.exe) - but subsequent searches of the directory
(set to show hidden and OS files) can't locate the file.
I suspect it's just a key left over from one of the old
viruses?? I looked up and validated all running processes
showing in Task Manager. I also searched the Add/Remove
Programs control panel for anything out of the ordinary.
Only found one suspect file called "NPO.exe" which I
uninstalled (supposedly). Couldn't find much about it on
the Internet.
The good news is that Safe Mode prevents the queues from
growing. Bad news is I can't run the network in Safe
Mode. I suspect some rogue program has tweaked the
Registry and renamed itself as a system file. Every time
the box boots up in normal mode, it launches itself and
takes over. Can anyone suggest a way to stop this thing?
I'm afraid I've run out of moves at this point. :[
...Paul
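The manual check Paul describes (walking the Run key, then hunting for each target on disk) can be turned into a repeatable triage step. The script below is an added example, not part of the original post or any Microsoft/Symantec tool: it parses the text that `reg export` writes for the Run key, pulls the program path out of each command line the way Windows itself does for unquoted paths with spaces, and flags entries whose target is missing, whose file name is just a string of digits, or whose path is unquoted. The `.reg` sample and the "filesystem" set are constructed for the example so it runs offline; the `83744448.exe` entry mirrors the one in the post, the other entries are invented.

```python
"""Triage a 'reg export' of HKLM\\...\\CurrentVersion\\Run.

Added example (not from the original post). File existence is answered by a
caller-supplied callable so the logic can be exercised without a Windows box;
on a real system pass `os.path.exists` instead of the constructed set below.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: the shape produced by
#   reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
# The 83744448 entry mirrors the one described in the post; the rest are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\Symantec AntiVirus\\vptray.exe"
"83744448"="C:\\WINDOWS\\System32\\83744448.exe"
"Updater"="\"C:\\Program Files\\Example Updater\\upd.exe\" /background"
'''

# Constructed stand-in for the disk: the only paths that "exist" in this example.
SAMPLE_FILESYSTEM = {
    r'c:\program files\symantec antivirus\vptray.exe',
    r'c:\program files\example updater\upd.exe',
}

def sample_exists(path):
    """Case-insensitive lookup against the constructed filesystem."""
    return path.lower() in SAMPLE_FILESYSTEM

# One REG_SZ line: "name"="value", with \" and \\ escapes inside both strings.
ENTRY_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"\s*$')

def _unescape(s):
    # .reg files escape backslash and double-quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_entries(reg_text):
    """Return {value_name: command_line} for the REG_SZ entries in an export."""
    entries = {}
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[_unescape(m.group('name'))] = _unescape(m.group('value'))
    return entries

def resolve_executable(command, exists):
    """Return (path, found) for the program a Run command line launches.

    A quoted command names its program explicitly. For an unquoted command
    containing spaces, Windows tries 'C:\\Program', then 'C:\\Program Files\\x',
    and so on until one of them exists; we mimic that so the flag we raise
    matches what the loader would actually run.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
        return path, exists(path)
    tokens = command.split(' ')
    for i in range(1, len(tokens) + 1):
        candidate = ' '.join(tokens[:i])
        if exists(candidate):
            return candidate, True
    return tokens[0], False

def triage(entries, exists):
    """Map each Run entry to its resolved path and a list of warning flags."""
    findings = {}
    for name, command in entries.items():
        path, found = resolve_executable(command, exists)
        flags = []
        if not found:
            flags.append('missing_file')          # dangling entry (as in the post)
        if PureWindowsPath(path).stem.isdigit():
            flags.append('numeric_name')          # machine-generated-looking name
        if not command.startswith('"') and ' ' in path:
            flags.append('unquoted_path_with_spaces')  # loader ambiguity, worth fixing
        findings[name] = {'path': path, 'flags': flags}
    return findings

def run_sample():
    """Run the triage over the constructed export and filesystem."""
    return triage(parse_run_entries(SAMPLE_REG), sample_exists)

if __name__ == '__main__':
    for name, info in run_sample().items():
        print(f"{name:12} {info['path']}  {', '.join(info['flags']) or 'ok'}")
```

A dangling entry such as the `83744448` one is not proof the file is gone: a driver or a renamed system file can hide it from Explorer, so the next step is to compare this listing against a boot from clean media or an offline mount, not to trust the live directory search alone.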