Re: Please Help! Hijacked Network!


From: M Callinan (mcallinan_at_dslextreme.com)
Date: 03/30/04


Date: Tue, 30 Mar 2004 13:11:39 -0800

There are several other places where auto-run type applications can reside
beyond what you've checked below. There's a free tool called AutoRuns on
the Sysinternals website that shows most (all?) of them:
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
It doesn't say it supports Win2k3 yet, so not sure if it will work on
SBS2k3. Works great on XP, no installation, just run it, inspect the
output, and delete the entries that shouldn't be running. There's also an
article referenced at this URL that discusses all the auto-run locations in
case you need to scan the system manually.

"PLD" <anonymous@discussions.microsoft.com> wrote in message
news:1617901c41685$ff3150e0$a101280a@phx.gbl...
> I'm having a serious problem with SBS2003. Within days
> after installing and configuring ISA2000, performance
> degraded substantially. Event Viewer revealed numerous IP
> Spoof and NDR errors. Anti-virus software was strangely
> disabled. Re-installed NAV Corp Edition and detected
> several mass-mailer worms on the box (W32.Netsky.K@mm,
> W32.Netsky.D@mm, W32.Beagle.M@mm, W32.Mydoom.A@mm).
>
> I blocked outgoing email but noticed the Exchange mailroot
> Queue and BadMail folders were growing rapidly (gobbling
> up GBs of HD space). I immediately stopped and disabled
> all MS Exchange services and locked down the hardware
> firewall to deny all SMTP/POP3 traffic. This slowed down
> the queue growth, but did not stop it. Subsequent virus
> scans came up clean (couldn't check in Safe Mode though -
> NAV won't initialize). I downloaded Symantec virus
> removal tools for each virus type and ran/re-ran in
> regular and Safe Mode. The tools found nothing.
>
> This led me to suspect the problem may no longer be a
> virus, but some rogue hidden program on the box that
> initializes at startup. I scanned the Registry with
> AdAware (which caught minor stuff) but nothing related. I
> manually inspected the Registry key:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> - to check for rogue programs launching at startup.
> Only found one suspect item (C:\WINDOWS\System32\83744448.exe)
> - but subsequent searches of the directory
> (set to show hidden and OS files) can't locate the file.
> I suspect it's just a key left over from one of the old
> viruses?? I looked up and validated all running processes
> showing in Task Manager. I also searched the Add/Remove
> Programs control panel for anything out of the ordinary.
> Only found one suspect file called "NPO.exe" which I
> uninstalled (supposedly). Couldn't find much about it on
> the Internet.
>
> The good news is that Safe Mode prevents the queues from
> growing. Bad news is I can't run the network in Safe
> Mode. I suspect some rogue program has tweaked the
> Registry and renamed itself as a system file. Every time
> the box boots up in normal mode, it launches itself and
> takes over. Can anyone suggest a way to stop this thing?
> I'm afraid I've run out of moves at this point. :[
>
> ...Paul
>
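As an added example (not code from either poster), the following PowerShell script walks the Run/RunOnce keys discussed above and flags values whose executable cannot be found on disk, which is exactly what Paul saw with the orphaned 83744448.exe entry. The key paths are the standard Windows locations; the function name and output layout are my own.

```powershell
# Added example: enumerate common autostart registry locations and flag
# entries whose image is missing from disk (an orphaned value left behind
# by removed malware, or a path that was never valid). Run as Administrator
# on the machine being inspected; assumes PowerShell 3 or later.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Take the image path: either the quoted part or the first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
                   else { ($cmd -split ' ')[0] }
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)
            # A bare name (e.g. rundll32.exe) resolves through PATH instead.
            $found = (Test-Path -LiteralPath $expanded) -or
                     ($null -ne (Get-Command $expanded -ErrorAction SilentlyContinue))
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Exists  = $found
            }
        }
    }
}

# Missing images sort first so the suspicious entries are at the top.
Get-AutorunEntries | Sort-Object Exists | Format-Table -AutoSize
```

Entries with Exists set to False point at an image that is no longer present and are the leftovers worth removing first; entries that do exist still need to be checked by hand, since a live implant will of course resolve to a real file.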


