Solved

inoculan and winlogon

Posted on 2002-07-29
3
1,448 Views
Last Modified: 2007-12-19
Hi

I just found the backdoor SubSeven 2.2 server virus.

I'm doing a full scan of the HD. During the first part of the scanning everything runs smoothly.
I'm also running Task Manager to see if any weird programs are running, but only inocuLAN.exe used CPU time.

Once the scanning reached WINNT\system32 I noticed that
winlogon.exe started to run, and was using over 90% of the time.

What is the reason for winlogon to start running?

Up to now I found 3 infected files in WINNT\SYSTEM32;
the filenames are LJFF.exe, MBQT.exe and EYMGDKWE.exe.
Inoculan was not able to cure these files, so I moved them to another location. Are these programs part of Windows 2000? Or are they created by the virus?
0
Question by:elfie
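The question above asks two things a defender can partly answer without a scanner: whether LJFF.exe, MBQT.exe and EYMGDKWE.exe belong to Windows 2000, and whether the winlogon.exe that appeared in Task Manager is the genuine one. The Python script below is an added example and is not part of this thread, of Inoculan or of any tool mentioned in it. It triages a directory listing against a known-good baseline, flags unpronounceable random-looking names of the kind the question reports, and checks that a file carrying a system binary's name actually sits in the system directory. The baseline set, the directory listing and the system path are all constructed for the example.

```python
"""Added triage helper (not from the thread): sort executables found in a
Windows system directory into 'baseline', 'suspicious' and 'unknown', and
check whether a file named like a system binary is where it should be.

Everything here is constructed for the example. On a real system the baseline
would come from a clean install or a vendor file manifest, and any 'unknown'
or 'suspicious' hit is verified by hash or publisher signature before anything
is removed; the filename heuristic only decides what to verify first.
"""
import ntpath
import re

# Constructed baseline: a few executables that a clean Windows 2000 install
# legitimately places in WINNT\SYSTEM32.
KNOWN_GOOD = {
    "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe",
    "csrss.exe", "notepad.exe", "calc.exe", "cmd.exe",
}

# Constructed system directory path for the location check.
SYSTEM_DIR = r"C:\WINNT\system32"

# Constructed listing of WINNT\SYSTEM32, including the three files the
# question reports Inoculan could not cure.
SYSTEM32_LISTING = [
    "winlogon.exe", "csrss.exe", "LJFF.exe", "services.exe", "MBQT.exe",
    "calc.exe", "EYMGDKWE.exe", "regsvr32.exe",
]

CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]+")


def longest_consonant_run(stem):
    """Length of the longest run of consonants in a lower-cased filename stem
    (y counts as a consonant)."""
    runs = CONSONANT_RUN.findall(stem)
    return max((len(r) for r in runs), default=0)


def looks_generated(filename, min_run=5):
    """Heuristic only: dropper-generated names such as LJFF or MBQT tend to
    be unpronounceable. Flag a stem of four or more letters that has no
    vowels at all, or a consonant run of min_run or more (EYMGDKWE)."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 4:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels == 0 or longest_consonant_run(stem) >= min_run


def classify(listing, baseline=KNOWN_GOOD):
    """Map each filename to 'baseline' (in the known-good set; compared
    case-insensitively because NTFS names are), 'suspicious' (not in the
    baseline and looks generated) or 'unknown' (not in the baseline; needs
    verification by hash or signature). Baseline membership wins, so a
    legitimate vowel-free name like csrss.exe is never flagged."""
    known = {name.lower() for name in baseline}
    verdicts = {}
    for name in listing:
        if name.lower() in known:
            verdicts[name] = "baseline"
        elif looks_generated(name):
            verdicts[name] = "suspicious"
        else:
            verdicts[name] = "unknown"
    return verdicts


def triage_report(listing, baseline=KNOWN_GOOD):
    """Return the non-baseline names, suspicious ones first, so the analyst
    knows what to verify before anything is moved or deleted."""
    verdicts = classify(listing, baseline)
    order = {"suspicious": 0, "unknown": 1}
    return sorted((n for n, v in verdicts.items() if v != "baseline"),
                  key=lambda n: (order[verdicts[n]], n.lower()))


def location_verdict(path, baseline=KNOWN_GOOD, system_dir=SYSTEM_DIR):
    """A genuine copy of a baseline binary such as winlogon.exe lives in the
    system directory; the same name anywhere else is treated as a masquerade
    until its hash or signature says otherwise."""
    directory, name = ntpath.split(path)
    if name.lower() not in {b.lower() for b in baseline}:
        return "not in baseline"
    if ntpath.normcase(directory) == ntpath.normcase(system_dir):
        return "expected location"
    return "masquerade"


if __name__ == "__main__":
    for name, verdict in classify(SYSTEM32_LISTING).items():
        print(f"{name:14} {verdict}")
    print("verify first:", triage_report(SYSTEM32_LISTING))
    print(location_verdict(r"C:\WINNT\system32\winlogon.exe"))
    print(location_verdict(r"C:\Temp\winlogon.exe"))
```

The heuristic deliberately does not decide anything on its own: regsvr32.exe, which is a real Windows binary left out of the constructed baseline, comes back as "unknown" rather than "suspicious", and the three names from the question come back as "suspicious" only because they are not in the baseline either way. A high-CPU winlogon.exe found in WINNT\system32 during a scan is consistent with the genuine process, but the location check above is the cheap first test; the hash or publisher signature is the real one.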
3 Comments
 
LVL 4

Accepted Solution

by:
tituba2 earned 100 total points
ID: 7186609
Go to
http://www.europe.f-secure.com/v-descs/subseven.shtml

They have a tool for subseven and more detailed info for you

0
 
LVL 24

Expert Comment

by:SunBow
ID: 7189408
IMO when your system goes so screwy, your best bet to reduce problems and downtime is to rebuild. Sorry. You should firm up on good administrative techniques, and after rebuild, do NOT plug into network until you've locked the hatches and performed the upgrades.

Abide by the rule of never using a server for any workstation function, whether surfing the web, downloading, or eMail, eChat or whatever.

Once you've let remote users manage your machine, you've lost complete control. They could have done anything, and you cannot recover from such unknown. Start it fresh, completely clean disk, with OS and no additional 'toys'.

> I'm also runing task manager to see

You are too late.

> Are these programs part of Windows 2000?

This no longer matters. You gave control to a foreigner (outside your building) such that they could have renamed anything to anything.

Giving control to 'friends' is not my implication. There may even be a good reason to run sub-seven. And Inoculan may be wrong; it has been before. But... to KISS it, simplify: I vote for the rebuild.
0
 
LVL 3

Author Comment

by:elfie
ID: 7202947
The free DOS tool couldn't clean the files, but it found a number of other suspicious files (that Inoculan didn't find). The filenames resembled those of the files that had the viruses in them.

I just removed the files completely from the system, and now all tools indicate that the system is clean.
0
