Re: Please Help! Hijacked Network!
From: Henry Craven (IUnknown_at_d.com)
Date: 03/30/04
- Next message: Javier Gomez [SBS MVP]: "Re: SBS cals, Exchange cals, SQL cals ?"
- Previous message: Les Connor [SBS MVP]: "Re: SBS cals, Exchange cals, SQL cals ?"
- In reply to: PLD: "Please Help! Hijacked Network!"
- Next in thread: Tom Csanadi: "Re: Please Help! Hijacked Network!"
- Reply: Tom Csanadi: "Re: Please Help! Hijacked Network!"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 31 Mar 2004 05:09:47 +1000
Given your position, the system having been compromised, I wouldn't
hesitate in re-formatting and re-installing SBS and then restoring the
Backed Up data.
That's the -only- way to be certain of the state of the system, and in
the long run will take less time.
I'd also be asking a big question as to -HOW- given that SBS 2003
installs in a locked down state by default.
I'd also make doubly sure the (New) system is locked down and Malware
protected prior to connecting it to the Internet and the LAN, and that
all machines connecting to the Domain are squeaky clean and individually
protected.
Depending upon your industry you may also need to roll back to a "Known
Good" backup in the event that the data
itself was also compromised/altered, or if possibly stolen notify the
entities and Regulatory authorities concerned.
--
Henry Craven (SBS-MVP)
Melbourne

"PLD" <anonymous@discussions.microsoft.com> wrote in message
news:1617901c41685$ff3150e0$a101280a@phx.gbl...
> I'm having a serious problem with SBS2003. Within days
> after installing and configuring ISA2000, performance
> degraded substantially. Event Viewer revealed numerous IP
> Spoof and NDR errors. Anti-virus software was strangely
> disabled. Re-installed NAV Corp Edition and detected
> several mass-mailer worms on the box (W32.Netsky.K@mm,
> W32.Netsky.D@mm, W32.Beagle.M@mm, W32.Mydoom.A@mm).
>
> I blocked outgoing email but noticed the Exchange mailroot
> Queue and BadMail folders were growing rapidly (gobbling
> up GBs of HD space). I immediately stopped and disabled
> all MS Exchange services and locked down the hardware
> firewall to deny all SMTP/POP3 traffic. This slowed down
> the queue growth, but did not stop it. Subsequent virus
> scans came up clean (couldn't check in Safe Mode though -
> NAV won't initialize). I downloaded Symantec virus
> removal tools for each virus type and ran/re-ran in
> regular and Safe Mode. The tools found nothing.
>
> This led me to suspect the problem may no longer be a
> virus, but some rogue hidden program on the box that
> initializes at startup. I scanned the Registry with
> AdAware (which caught minor stuff) but nothing related. I
> manually inspected the Registry key:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> - to check for rogue programs launching at startup.
> Only found one suspect item (C:\WINDOWS\System32\83744448.exe)
> - but subsequent searches of the directory
> (set to show hidden and OS files) can't locate the file.
> I suspect it's just a key left over from one of the old
> viruses?? I looked up and validated all running processes
> showing in Task Manager. I also searched the Add/Remove
> Programs control panel for anything out of the ordinary.
> Only found one suspect file called "NPO.exe" which I
> uninstalled (supposedly). Couldn't find much about it on
> the Internet.
>
> The good news is that Safe Mode prevents the queues from
> growing. Bad news is I can't run the network in Safe
> Mode. I suspect some rogue program has tweaked the
> Registry and renamed itself as a system file. Every time
> the box boots up in normal mode, it launches itself and
> takes over. Can anyone suggest a way to stop this thing?
> I'm afraid I've run out of moves at this point. :[
>
> ...Paul
>
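The manual Run-key inspection Paul describes (an autostart entry pointing at a file that a directory search cannot find) is the kind of check worth scripting when triaging a box before the rebuild Henry recommends. The following is an added example, not code from either poster: it walks the standard per-machine and per-user Run/RunOnce keys, resolves each command to its executable, and flags entries whose image is missing, unsigned, or has the numeric-name-in-System32 shape seen in the thread. The key list and the heuristics are this example's own assumptions; nothing here is specific to SBS 2003.

```powershell
# Added triage example: report autostart entries whose executable is
# missing, unsigned, or suspiciously located. Read-only; changes nothing.

# Assumption: these are the keys worth checking first; extend as needed.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-CommandPath {
    # Pull the image path out of a Run value such as
    #   "C:\Program Files\Vendor\tool.exe" /background   or
    #   C:\WINDOWS\System32\something.exe -flag
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    if ($Command -match '^\s*(\S+?\.exe)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    # Fallback: first whitespace-delimited token
    return ($Command -split '\s+')[0]
}

function Get-AutorunReport {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell attaches to every key
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }

            $image  = Resolve-CommandPath ([string]$p.Value)
            $exists = Test-Path -LiteralPath $image -PathType Leaf
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }

            $flags = @()
            if (-not $exists)        { $flags += 'MISSING_FILE' }   # Paul's 83744448.exe case
            elseif ($sig -ne 'Valid') { $flags += "SIG_$sig" }
            # Heuristic: an all-digit executable name dropped into System32
            if ($image -match '\\(System32|SysWOW64)\\\d+\.exe$') { $flags += 'NUMERIC_NAME_IN_SYSTEM32' }
            # Heuristic: autostart from a temp directory
            if ($image -match '\\Temp\\') { $flags += 'TEMP_DIR' }

            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $p.Value
                Image     = $image
                Exists    = $exists
                Signature = $sig
                Flags     = ($flags -join ',')
            }
        }
    }
}

# Flagged entries first, then the rest
Get-AutorunReport | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable. A MISSING_FILE result has two readings: a stale key left behind by removed malware, as Paul guessed, or a file that is present but hidden from the file-system API, which is consistent with his observation that the behaviour stops in Safe Mode and returns on a normal boot. The script cannot tell those apart from inside the running system, which is exactly why Henry's advice to rebuild from clean media and restore data from a known-good backup is the only way to settle the question.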