Solved

inoculan and winlogon

Posted on 2002-07-29
3
1,440 Views
Last Modified: 2007-12-19
Hi

I just found the backdoor SubSeven 2.2 server virus.

I'm doing a full scan of the HD. During the first part of the scanning everything runs smoothly.
I'm also running Task Manager to see whether any weird programs are running, but only inocuLAN.exe used CPU time.

Once the scanning reached WINNT\system32 I noticed that
winlogon.exe started to run, and was using over 90% of the CPU time.

What is the reason for winlogon to start running?

Up to now I found 3 infected files in WINNT\SYSTEM32;
the filenames are LJFF.exe, MBQT.exe and EYMGDKWE.exe.
Inoculan was not able to cure these files, so I moved them to another location. Are these programs part of Windows 200? Or are they created by the virus?
0
Question by:elfie
3 Comments
 
LVL 4

Accepted Solution

by:tituba2 earned 100 total points
ID: 7186609
Go to
http://www.europe.f-secure.com/v-descs/subseven.shtml

They have a tool for SubSeven and more detailed info for you.

0
 
LVL 24

Expert Comment

by:SunBow
ID: 7189408
IMO when your system goes so screwy, your best bet to reduce problems and downtime is to rebuild. Sorry. You should firm up on good administrative techniques, and after rebuild, do NOT plug into network until you've locked the hatches and performed the upgrades.

Abide by the rule of never using a server for any workstation function, whether surfing the web, downloading, e-mail, chat or whatever.

Once you've let remote users manage your machine, you've completely lost control. They could have done anything, and you cannot recover from such an unknown. Start it fresh, completely clean disk, with OS and no additional 'toys'.

> I'm also runing task manager to see

You are too late.

> Are these programs part of windows 200?

This no longer matters. You gave control to a foreigner (outside your building) such that they could have renamed anything to anything.

Giving control to 'friends' is not my implication. There may even be a good reason to run SubSeven. And Inoculan may be wrong; it has been before. But... to KISS it, simplify, I vote for the rebuild.
0
 
LVL 3

Author Comment

by:elfie
ID: 7202947
The free DOS tool couldn't clean the files, but found a number of other suspicious files (that Inoculan didn't find). The filenames resembled those of the files that had the viruses in them.

I just removed the files completely from the system, and now all tools indicate that the system is clean.
0
