Solved

inoculan and winlogon

Posted on 2002-07-29
3
1,420 Views
Last Modified: 2007-12-19
Hi

i just found the backdoor Subseven 2.2 server virus.

I'm doing a full scan of the HD. During the first part of the scanning everything runs smoothly.
I'm also runing task manager to see if no weird programs are running, but only inocuLAN.exe used cpu time.

Once the scanning reached WINNT\system32 i noticed that
winlogon.exe started to run, and using over 90% of the time.

What is the reason of winlogon to start running?

upto now i foudn 3 infected files in WINNT\SYSTEM32
the filenames are LJFF.exe, MBQT.exe and EYMGDKWE.exe.
Inoculan was not able to cure these files, so i moved them to another location. Are these programs part of windows 200? or are they created by the Virus?
0
Comment
Question by:elfie
3 Comments
 
LVL 4

Accepted Solution

by:
tituba2 earned 100 total points
Comment Utility
Go to
http://www.europe.f-secure.com/v-descs/subseven.shtml

They have a tool for subseven and more detailed info for you

0
 
LVL 24

Expert Comment

by:SunBow
Comment Utility
IMO when your system goes so screwy, your best bet to reduce problems and downtime is to rebuild. Sorry. You should firm up on good administrative techniques, and after rebuild, do NOT plug into network until you've locked the hatches and performed the upgrades.

Abide rules of never use server to do any workstation function, whether surfing web, downloading, or eMail, eChat or whatever.

Once you've let remote users manage your machine, you've lost complete control. They could have done anything, and you cannot recover from such unknown. Start it fresh, completely clean disk, with OS and no additional 'toys'.

> I'm also runing task manager to see

you are too late

> Are these programs part of windows 200?

This no longer matters. You gave control to a foreigner (outside your building) such that they could have renamed anything to anything.

Giving control to 'friends' is not my implication. There may even be a good reason to run sub-seven. and, Inoculan may be wrong, it has been before. but... to KISS it, simplify, I vote for the rebuild.
0
 
LVL 3

Author Comment

by:elfie
Comment Utility
the free dos tool couldn't clean the files, but found a other number of suspicious files (that Inoculan didn't found). The filename resembled like to files that had the viruses in them.

I just removed the files completely from the systems, and now all tools indicate that the syustem is clean.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

OVERVIEW This guide provides information on the process performed when the Symantec Endpoint Protection (SEP) client checks in with the Symantec Endpoint Protection Manager (SEPM). AUDIENCE Information Technology personnel responsible for suppo…
HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now