Please Help! Hijacked Network!
From: Gary (anonymous_at_discussions.microsoft.com)
Date: 04/01/04
Date: Wed, 31 Mar 2004 18:10:10 -0800
One other thing: Use the Spybot - Search & Destroy -
freeware Application to scan for spyware, adware,
hijackers and other malicious software:
http://www.safer-networking.org/index.php?page=download
Gary
>-----Original Message-----
>I'm having a serious problem with SBS2003. Within days
>after installing and configuring ISA2000, performance
>degraded substantially. Event Viewer revealed numerous IP
>Spoof and NDR errors. Anti-virus software was strangely
>disabled. Re-installed NAV Corp Edition and detected
>several mass-mailer worms on the box (W32.Netsky.K@mm,
>W32.Netsky.D@mm, W32.Beagle.M@mm, W32.Mydoom.A@mm).
>
>I blocked outgoing email but noticed the Exchange mailroot
>Queue and BadMail folders were growing rapidly (gobbling
>up GBs of HD space). I immediately stopped and disabled
>all MS Exchange services and locked down the hardware
>firewall to deny all SMTP/POP3 traffic. This slowed down
>the queue growth, but did not stop it. Subsequent virus
>scans came up clean (couldn't check in Safe Mode though -
>NAV won't initialize). I downloaded Symantec virus
>removal tools for each virus type and ran/re-ran in
>regular and Safe Mode. The tools found nothing.
>
>This led me to suspect the problem may no longer be a
>virus, but some rogue hidden program on the box that
>initializes at startup. I scanned the Registry with
>AdAware (which caught minor stuff) but nothing related. I
>manually inspected the Registry key:
>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>- to check for rogue programs launching at startup.
>Only found one suspect item (C:\WINDOWS\System32
>\83744448.exe) - but subsequent searches of the directory
>(set to show hidden and OS files) can't locate the file.
>I suspect it's just a key left over from one of the old
>viruses?? I looked up and validated all running processes
>showing in Task Manager. I also searched the Add/Remove
>Programs control panel for anything out of the ordinary.
>Only found one suspect file called "NPO.exe" which I
>uninstalled (supposedly). Couldn't find much about it on
>the Internet.
>
>The good news is that Safe Mode prevents the queues from
>growing. Bad news is I can't run the network in Safe
>Mode. I suspect some rogue program has tweaked the
>Registry and renamed itself as a system file. Every time
>the box boots up in normal mode, it launches itself and
>takes over. Can anyone suggest a way to stop this thing?
>I'm afraid I've run out of moves at this point. :[
>
>....Paul
>
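As an added example that is not from this thread: a PowerShell script (assumes PowerShell 3.0 or later on the affected server) that enumerates the Run/RunOnce keys Paul inspected by hand and flags entries whose target executable is missing from disk, like the 83744448.exe entry, or whose signature is not valid. The helper name and the flag labels are my own.

```powershell
# Added example, not from the original post: audit Run/RunOnce autostart entries.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartPath {
    # Hypothetical helper: pull the executable out of a value such as
    # "C:\Path\app.exe" /arg  or  C:\Path\app.exe /arg
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: accumulate tokens until one ends in .exe (handles spaces in the path)
    $tokens = $cmd -split ' '
    $acc = ''
    foreach ($t in $tokens) {
        $acc = if ($acc) { "$acc $t" } else { $t }
        if ($acc -match '\.exe$') { return $acc }
    }
    return $tokens[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties PowerShell adds to the object
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-AutostartPath -CommandLine ([string]$p.Value)))
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name
            Target    = $exe
            OnDisk    = $exists
            Signature = $sig
            # ORPHANED: value points at a file that is gone (leftover from removed malware, or hidden elsewhere)
            Flag      = if (-not $exists) { 'ORPHANED' } elseif ($sig -ne 'Valid') { 'NOT VALIDLY SIGNED' } else { '' }
        }
    }
}
```

An orphaned entry is worth removing but is also a hint to check the same file name in Task Manager and in services, since a running copy can live under a different path than the Run value names.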