Re: Please Help! Hijacked Network!
From: M Callinan (mcallinan_at_dslextreme.com)
Date: 03/30/04
- Next message: Aviciti #2: "Re: expanding SBS / or wishing it fair well?"
- Previous message: Skip Shean: "Re: dns error when opening companyweb on client"
- In reply to: M Callinan: "Re: Please Help! Hijacked Network!"
- Next in thread: SuperGumby [SBS MVP]: "Re: Please Help! Hijacked Network!"
- Reply: SuperGumby [SBS MVP]: "Re: Please Help! Hijacked Network!"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 30 Mar 2004 13:26:24 -0800
Another application to try is Spybot Search & Destroy. It catches stuff
that AdAware misses, and vice versa. I've successfully used the combination
of S&D, AdAware, and AutoRuns to clean up several XP workstations that their
users had corrupted. Your mileage on an SBS2k3 server may vary.
"M Callinan" <mcallinan@dslextreme.com> wrote in message
news:O9tfZupFEHA.3880@TK2MSFTNGP10.phx.gbl...
> There are several other places where auto-run type applications can reside
> beyond what you've checked below. There's a free tool called AutoRuns on
> the Sysinternals website that shows most (all?) of them:
> http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
> It doesn't say it supports Win2k3 yet, so not sure if it will work on
> SBS2k3. Works great on XP, no installation, just run it, inspect the
> output, and delete the entries that shouldn't be running. There's also an
> article referenced at this URL that discusses all the auto-run locations in
> case you need to scan the system manually.
>
> "PLD" <anonymous@discussions.microsoft.com> wrote in message
> news:1617901c41685$ff3150e0$a101280a@phx.gbl...
> > I'm having a serious problem with SBS2003. Within days
> > after installing and configuring ISA2000, performance
> > degraded substantially. Event Viewer revealed numerous IP
> > Spoof and NDR errors. Anti-virus software was strangely
> > disabled. Re-installed NAV Corp Edition and detected
> > several mass-mailer worms on the box (W32.Netsky.K@mm,
> > W32.Netsky.D@mm, W32.Beagle.M@mm, W32.Mydoom.A@mm).
> >
> > I blocked outgoing email but noticed the Exchange mailroot
> > Queue and BadMail folders were growing rapidly (gobbling
> > up GBs of HD space). I immediately stopped and disabled
> > all MS Exchange services and locked down the hardware
> > firewall to deny all SMTP/POP3 traffic. This slowed down
> > the queue growth, but did not stop it. Subsequent virus
> > scans came up clean (couldn't check in Safe Mode though -
> > NAV won't initialize). I downloaded Symantec virus
> > removal tools for each virus type and ran/re-ran in
> > regular and Safe Mode. The tools found nothing.
> >
> > This led me to suspect the problem may no longer be a
> > virus, but some rogue hidden program on the box that
> > initializes at startup. I scanned the Registry with
> > AdAware (which caught minor stuff) but nothing related. I
> > manually inspected the Registry key:
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - to
> > check for rogue programs launching at startup.
> > Only found one suspect item (C:\WINDOWS\System32\83744448.exe) - but
> > subsequent searches of the directory (set to show hidden and OS files)
> > can't locate the file.
> > I suspect it's just a key left over from one of the old
> > viruses?? I looked up and validated all running processes
> > showing in Task Manager. I also searched the Add/Remove
> > Programs control panel for anything out of the ordinary.
> > Only found one suspect file called "NPO.exe" which I
> > uninstalled (supposedly). Couldn't find much about it on
> > the Internet.
> >
> > The good news is that Safe Mode prevents the queues from
> > growing. Bad news is I can't run the network in Safe
> > Mode. I suspect some rogue program has tweaked the
> > Registry and renamed itself as a system file. Every time
> > the box boots up in normal mode, it launches itself and
> > takes over. Can anyone suggest a way to stop this thing?
> > I'm afraid I've run out of moves at this point. :[
> >
> > ...Paul
> >
>
>
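A scripted version of the Run-key inspection Paul describes, added here as an example that is not part of the thread (PowerShell did not exist on SBS2003 in 2004; it assumes Windows PowerShell 5.1 or later on the host being inspected). It lists the HKLM/HKCU Run and RunOnce entries, resolves each command line to its executable, and flags entries whose file is missing (the "leftover key" case, like the 83744448.exe entry) or whose binary carries no valid Authenticode signature; AutoRuns covers many more autostart locations than these four keys.

```powershell
# Added example, not from the thread. Enumerate Run/RunOnce autostart entries and
# flag ones whose target binary is missing or unsigned.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\WINDOWS\System32\83744448.exe -x
function Get-ExecutablePath([string]$CommandLine) {
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: the path ends at the first ".exe" or, failing that, the first space
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... properties PowerShell adds to the object
        if ($p.Name -like 'PS*') { continue }
        $exe    = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath ([string]$p.Value)))
        $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $p.Value
            Executable = $exe
            FileExists = $exists
            Signature  = $sig
            # Missing file = stale entry from a removed infection (or a file hidden
            # from the shell); existing but unsigned = worth a closer look.
            Suspicious = (-not $exists) -or ($sig -ne 'Valid')
        }
    }
}

$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM is fully readable; a FileExists of False for an entry Explorer cannot find either is the symptom described in the post.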