Solved

inoculan and winlogon

Posted on 2002-07-29
Medium Priority
1,466 Views
Last Modified: 2007-12-19
Hi

I just found the backdoor SubSeven 2.2 server virus.

I'm doing a full scan of the HD. During the first part of the scanning everything runs smoothly.
I'm also running Task Manager to see whether any weird programs are running, but only inocuLAN.exe used CPU time.

Once the scanning reached WINNT\system32 I noticed that
winlogon.exe started to run, using over 90% of the CPU time.

What is the reason for winlogon to start running?

Up to now I found 3 infected files in WINNT\SYSTEM32.
The filenames are LJFF.exe, MBQT.exe and EYMGDKWE.exe.
Inoculan was not able to cure these files, so I moved them to another location. Are these programs part of Windows 2000, or are they created by the virus?
Question by:elfie
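The question "are these files part of Windows, or were they created by the virus?" is the classic file-integrity question, and the defensible way to answer it is to compare the directory against a manifest taken from a trusted source (an identically patched clean install, or a baseline recorded before the incident), not against the host's own recollection of itself. The script below is an added example, not code from the original thread or from any of the products mentioned; it hashes every file under a directory, diffs the result against a baseline manifest, and reports files that were added, modified or removed. The file names and contents in `demo()` are constructed placeholders that reuse the names the asker reported; nothing here reads a real system32.

```python
"""
Baseline comparison of a system directory: which files were added, changed,
or removed relative to a known-good manifest.  Added example with constructed
sample data; the placeholder bytes below are not real Windows binaries.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries never sit in memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path, lower-cased because
    Windows file names are case-insensitive) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[str(p.relative_to(root)).lower()] = sha256_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests.  'added' is what the asker wants: files the clean
    install never had.  'modified' catches a legitimate name whose contents
    were replaced, which a name-only check would miss."""
    in_both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in in_both if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario mirroring the question: a clean system32 versus the
    same directory after three unknown executables appeared and one legitimate
    file was overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean_system32")
        current = Path(tmp, "current_system32")
        for d in (clean, current):
            d.mkdir()
            # placeholder contents standing in for real binaries
            (d / "winlogon.exe").write_bytes(b"MZ placeholder winlogon")
            (d / "notepad.exe").write_bytes(b"MZ placeholder notepad")
        # the three names the asker reported; the bytes are made up
        for name in ("LJFF.exe", "MBQT.exe", "EYMGDKWE.exe"):
            (current / name).write_bytes(b"MZ unknown " + name.encode())
        # a replaced legitimate file shows up as modified, not added
        (current / "notepad.exe").write_bytes(b"MZ placeholder notepad REPLACED")
        return compare(build_manifest(clean), build_manifest(current))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The value of the check depends entirely on where the baseline came from: a manifest built from a host that was already reachable by the backdoor operator tells you only what changed after that point, which is exactly why a rebuild from clean media is the conservative answer once remote control has been lost.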
3 Comments
LVL 4

Accepted Solution

by: tituba2 earned 300 total points
ID: 7186609
Go to
http://www.europe.f-secure.com/v-descs/subseven.shtml

They have a tool for subseven and more detailed info for you

LVL 24

Expert Comment

by:SunBow
ID: 7189408
IMO when your system goes so screwy, your best bet to reduce problems and downtime is to rebuild. Sorry. You should firm up on good administrative techniques, and after the rebuild, do NOT plug into the network until you've locked the hatches and performed the upgrades.

Abide by the rule of never using a server to do any workstation function, whether surfing the web, downloading, or eMail, eChat or whatever.

Once you've let remote users manage your machine, you've lost complete control. They could have done anything, and you cannot recover from such an unknown. Start it fresh, completely clean disk, with OS and no additional 'toys'.

> I'm also running Task Manager to see

You are too late.

> Are these programs part of Windows 2000?

This no longer matters. You gave control to a foreigner (outside your building) such that they could have renamed anything to anything.

Giving control to 'friends' is not my implication. There may even be a good reason to run SubSeven. And Inoculan may be wrong; it has been before. But... to KISS it (simplify), I vote for the rebuild.
LVL 3

Author Comment

by:elfie
ID: 7202947
The free DOS tool couldn't clean the files, but it found a number of other suspicious files (that Inoculan didn't find). Their filenames resembled those of the files that had the viruses in them.

I just removed the files completely from the system, and now all tools indicate that the system is clean.
