Cawper

asked on

Please help, I have Backdoor.Winshell on a Windows NT BackOffice Small Business Server system.

I searched the data base of previous questions and found one exactly like the problem I am having with one minor exception.  It can be found at the following link if it works, I am not sure I did it right.

https://www.experts-exchange.com/questions/20922773/Cannot-remove-Backdoor-Winshell-Virus.html?query=backdoor.winshell&searchType=all

The difference is I currently have Windows NT as an operating system and the infected file is server.exe. In case the link does not work, the problem is I have Backdoor.Winshell; it comes up on the Symantec scan. I download the fix and run it and it says that the virus is not there. The registries are clean, but every time I force a scan it shows up in the server.exe file.

The previous question was not closed and was from March of this year.  I assume that the solutions provided did not work.  I followed the link to download the last solution that was given but the link was dead and it was for a more recent version of the software in any event.

Some further information that may be helpful is that I think the person who is using this software is a previous IT employee of our firm. As you may be able to tell I am not really an IT person; I am a hobbyist who knows my way around a motherboard, but we have had such bad luck at our firm with IT people either leaving us or not being available when we need them that I have decided to give it a try. Anyway, I think it is a previous employee, and when I go to our Exchange outgoing mail queue it is filled with all kinds of spam emails that are outgoing. As far as I know no one here activated the virus in an email. I think it was set up previously and then activated remotely. I am under the impression that once access was gained, settings were changed to allow regular access from a remote network, thus if the virus is ever removed the perpetrator can access the network by regular means to reinstall the virus.

I have already bought a new server with SBS 2000 on it but don't want to implement it until I am sure all the data files and all of the workstations are clear. By the way, I am currently using Windows NT 4.0 with all service packs and BackOffice Small Business Server ver 4.5.

I would like to know:

How to close the ports allowing this entry?
If I can just delete the server.exe file and reinstall a clean copy off the original software?
How to stop remote access to my network? It is not necessary at this time.
If I cannot delete the server.exe file, how the heck do I burn this thing out?

I don't know if the following info will help, but I am including it!

Scan type:  Scheduled Scan
Event:  Virus Found!
Virus name: Backdoor.Winshell
File:  C:\WINNT.SBS\system32\server.exe
Location:  C:\WINNT.SBS\system32
User:  Administrator
Action taken:  Clean failed : Quarantine failed :
Date found: Sun Feb 01 00:24:35 2004


Scan type:  Manual Scan
Event:  Virus Found!
Virus name: Backdoor.Winshell
File:  C:\WINNT.SBS\system32\server.exe
Location:  Quarantine
User:  Administrator
Action taken:  Clean failed : Quarantine succeeded :
Date found: Tue Mar 02 08:32:15 2004

Any help would be greatly appreciated; our network is being used as a spam provider and I would really like to stop it and feel safe that someone can't delete my data files at any given moment. Thanks very much in advance!
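As an added example (not from the asker or from any expert in this thread), a short Python script that parses the two Symantec scan records quoted above and pulls out what a responder wants to know from them: whether the same file keeps being detected, whether cleaning has ever succeeded, and whether a later detection was of the quarantined copy rather than a live file on disk. The field names come straight from the records above; the function names and the summary keys are my own.

```python
import re
from datetime import datetime

# The two scan records quoted in the question above (Symantec "Virus Found!" format).
SCAN_LOG = """\
Scan type:  Scheduled Scan
Event:  Virus Found!
Virus name: Backdoor.Winshell
File:  C:\\WINNT.SBS\\system32\\server.exe
Location:  C:\\WINNT.SBS\\system32
User:  Administrator
Action taken:  Clean failed : Quarantine failed :
Date found: Sun Feb 01 00:24:35 2004


Scan type:  Manual Scan
Event:  Virus Found!
Virus name: Backdoor.Winshell
File:  C:\\WINNT.SBS\\system32\\server.exe
Location:  Quarantine
User:  Administrator
Action taken:  Clean failed : Quarantine succeeded :
Date found: Tue Mar 02 08:32:15 2004
"""


def parse_scan_events(text):
    """Split the export into records (blank-line separated) and parse each
    'Key: value' line; keys are lower-cased so callers can use ev['file']."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")  # first colon only: values contain ':' (paths, times)
            if sep:
                rec[key.strip().lower()] = val.strip()
        if rec:
            events.append(rec)
    return events


def parse_actions(action_field):
    """'Clean failed : Quarantine succeeded :' -> {'clean': False, 'quarantine': True}"""
    outcome = {}
    for part in action_field.split(":"):
        part = part.strip()
        if part:
            action, _, result = part.rpartition(" ")
            outcome[action.lower()] = (result.lower() == "succeeded")
    return outcome


def triage(events):
    """Group detections by file path and summarise what the scanner managed to do."""
    by_file = {}
    for ev in events:
        path = ev.get("file")
        if not path:
            continue
        entry = by_file.setdefault(path, {
            "virus": ev.get("virus name"),
            "dates": [],
            "clean_failed": 0,             # how many times the record says 'Clean failed'
            "quarantined": False,          # at least one 'Quarantine succeeded'
            "found_in_quarantine": False,  # a later scan re-detected the stored copy
        })
        actions = parse_actions(ev.get("action taken", ""))
        if actions.get("clean") is False:
            entry["clean_failed"] += 1
        if actions.get("quarantine"):
            entry["quarantined"] = True
        if ev.get("location", "").lower() == "quarantine":
            entry["found_in_quarantine"] = True
        entry["dates"].append(datetime.strptime(ev["date found"], "%a %b %d %H:%M:%S %Y"))
    for entry in by_file.values():
        entry["dates"].sort()
        entry["recurring"] = len(entry["dates"]) > 1
        entry["days_between"] = (entry["dates"][-1] - entry["dates"][0]).days
    return by_file


if __name__ == "__main__":
    for path, e in triage(parse_scan_events(SCAN_LOG)).items():
        print(path, e["virus"],
              "recurring" if e["recurring"] else "single",
              f"clean_failed={e['clean_failed']}",
              f"quarantined={e['quarantined']}",
              f"found_in_quarantine={e['found_in_quarantine']}",
              f"span_days={e['days_between']}")
```

On the two records above this reports server.exe as recurring, with clean failed both times and a 30-day gap between detections. The Location field is the check worth keeping: the March record was found in Quarantine, so that detection is of the stored copy that the manual scan managed to quarantine, not evidence of a fresh server.exe in system32. Fed a longer export, the same counters separate a file that is being recreated on disk from one that was quarantined once and then re-scanned.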
trywaredk

Cleaning your computer  - and protecting it in the future -  can't be answered with one issue.

As you can see in my URL below, there are at least 7 different issues, where you should decide on 1 of each, or else you don't protect your computer at all.

The reason is that the many different programs don't always protect against each other, and each of them doesn't protect equally.

It's very important, that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html

BTW: I'm using the Trend Micro virus suite and SoftScan, and haven't had any of my servers or computers infected since 1999.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

SOLUTION
trywaredk

Cawper

ASKER

Jorgen, thank you for the link to PestPatrol. I am going to try that right away, but before I do that I want to close down remote access and close any ports that may be used to reinfect. Could anyone help me with this issue?

You might also want to take a look at the following link... it will bring up three links for variants of the virus and will give you individual steps to manually clean your PC. This should provide you with all the information you need to protect yourself in the future...

http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=a&virus=winshell&alt=winshell&key=winshell&payload=&type=&day=&month=&year=&wkday=

Also, try doing a scan via http://housecall.trendmicro.com to see if there are any other virus names it is picked up as, and perform manual cleans for each one found...
These links should also give you the ports you need to block for each of the viruses...

ASKER

Thank you, RevelationCS. I am not sure how to block the port though. I have found all kinds of things on how firewalls work, I have read the Cisco info provided with our Cisco equipment, and I have looked all over the server for a place to close certain ports. I know the ports it uses to listen... just don't know how to shut them down. =(

Do you have a firewall on your network or are you running a software firewall on the computer? Depending on the environment, this is how it would be done... what brand is the firewall?

ASKER

I have a Cisco 2600 piece of equipment, and then I have a Netgear dual speed hub DS108, as well as a 3Com SuperStack II baseline hub... one for the WAN and one for the LAN. Thank you for your help! As far as a software firewall, I have not even figured out how to check.
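As an added example, not part of the thread: the asker says he knows which ports the backdoor listens on but cannot find where to shut them, and does not know how to check for a software firewall. Windows NT 4.0 has no PowerShell, but `netstat -an` is present, and its output can be saved to a file and checked on any machine. The Python below parses a constructed sample of NT-style `netstat -an` output (the addresses and the 54321 listener are made up for the example; 54321 is not a documented Winshell port), compares TCP listeners against an allowlist of the services the server is meant to offer (an assumption the administrator has to fill in for their own box), and reports established sessions to the flagged ports from peers outside the LAN range (also assumed here).

```python
import ipaddress

# Constructed sample of `netstat -an` as Windows NT 4.0 prints it. Addresses and the
# 54321 listener are made up for this example; 54321 is NOT a documented Winshell port.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:54321          0.0.0.0:0              LISTENING
  TCP    192.168.1.2:25         192.168.1.50:1042      ESTABLISHED
  TCP    192.168.1.2:54321      203.0.113.7:3391       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Assumption: the administrator's own list of TCP services this server should offer.
EXPECTED_TCP_PORTS = {25, 80, 135, 139}
# Assumption: the LAN range used in the constructed sample.
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_netstat(text):
    """Return one dict per TCP/UDP row: proto, local addr/port, foreign addr/port, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # title, header and blank lines
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state column
        laddr, _, lport = local.rpartition(":")
        faddr, _, fport = foreign.rpartition(":")
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "fport": fport, "state": state})
    return rows


def unexpected_listeners(rows, expected_tcp):
    """TCP ports in LISTENING state that are not on the allowlist, sorted."""
    return sorted({r["lport"] for r in rows
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"
                   and r["lport"] not in expected_tcp})


def outside_connections(rows, ports, lan):
    """Established sessions to the flagged ports whose peer address is outside the LAN."""
    hits = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED" or r["lport"] not in ports:
            continue
        try:
            peer = ipaddress.ip_address(r["faddr"])
        except ValueError:
            continue  # '*' or a hostname: nothing to compare against the LAN range
        if peer not in lan:
            hits.append((r["lport"], r["faddr"]))
    return hits


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    flagged = unexpected_listeners(rows, EXPECTED_TCP_PORTS)
    print("unexpected TCP listeners:", flagged)
    for port, peer in outside_connections(rows, set(flagged), LAN):
        print(f"  port {port} has an established session from {peer} (outside the LAN)")
```

The port list this produces is the input to whatever sits at the WAN edge (here the Cisco 2600): those are the inbound ports to deny, and the outside peer addresses are what to look for in the router's logs. Re-running the same check after server.exe has been dealt with is the confirmation that the listener is actually gone rather than just no longer reported by the scanner.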
ASKER CERTIFIED SOLUTION
:o) Glad we could help you - thank you for the points