Solved

Strange W2k OS behaviour spreading between machines like a virus (but no AV can identify one)

Posted on 2004-11-01
Last Modified: 2008-01-09
My Win2k servers are behaving very strangely, as are my 2k desktops. The first thing that you notice is that when you click on an application icon, you get the message "unable to run this command".
After a reboot, on the 2k servers, you cannot log in at all. The "Press Ctrl-Alt-Del" message does not react to the key combination. The mouse is an hourglass.
You can terminal server to the boxes. Clicking icons gives you the message above. Entering the executable name into Start->Run works; but many of the system apps (like event manager) do not work properly, with red crosses where you would expect to see the various logs.
A few services do not start:
Plug&Play, Messenger, Logical Disk Manager, Internet Authentication Service. Other services start OK. There is no correlation between who they log in as and which ones start/don't start.
Regedit displays the top-level hives, but when you open them, the registry looks empty.

All this has happened on two different W2k servers which are DCs for two different domains, running in different sites but connected by a 64kb link. The W2k desktops at THREE sites are doing similar things. The third site (yet another domain, connected by a slow IP link) has W2k3 for a domain controller. The W2k3 servers are not entirely unaffected: they are losing their License Authorisation. There seem to be problems with the Device Manager.

Device Manager is a common thread here. Sometimes when booting the 2k servers, you briefly get a message referring to the Hotplug Device Manager. I suspect that the other services depend on this one but am not sure.

This is the weirdest problem I have ever seen (considering the scope of the problem). It seems virus-like because it suddenly affected so many machines in three sites. Running the McAfee Stinger does not find anything. Running Spybot doesn't find anything either.

A corrupt group policy might do something like this, but I wouldn't have thought it would do it across domains. The domains do have bi-directional trust relationships.

If anyone is suffering from this problem, or has any ideas, I would be very keen to hear from them.

Mark
Question by:Multiprogramming
13 Comments
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12470704
I think it is a virus-like problem you are having..
Looks as though you have been hacked...
Try online virus scans..
http://housecall.trendmicro.com
Also try HijackThis: http://s89223352.onlinehome.us/mirror/hjt/#introduction
Post the log to the site and it should tell you if there are any problems..
 

Author Comment

by:Multiprogramming
ID: 12470935
Thanks 1stITMAN, I can't try the online scan as IE is playing up. When you type in an address, the text in the address bar flickers violently and the page stays blank.

Here is the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 4:56:41 PM, on 2/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ActiveFax\Server\ActSrvNT.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\Lotus\Domino\nservice.exe
C:\WINNT\System32\nslsvice.exe
C:\WINNT\system32\nsl.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Lotus\Domino\nSERVER.EXE
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\ups.exe
C:\Program Files\Network Associates\TVD\WebShield SMTP\MailCFG.exe
C:\Program Files\Network Associates\TVD\WebShield SMTP\mailscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CpqRcmc.exe
C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\Lotus\Domino\nReplica.EXE
C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe
C:\Lotus\Domino\nRouter.EXE
C:\Lotus\Domino\nUpdate.EXE
C:\Lotus\Domino\nStats.EXE
C:\Lotus\Domino\nAMgr.EXE
C:\Lotus\Domino\namgr.EXE
C:\Lotus\Domino\nAdminp.EXE
C:\Lotus\Domino\nSched.EXE
C:\Lotus\Domino\nCalConn.EXE
C:\Lotus\Domino\nEvent.EXE
C:\Lotus\Domino\nGSDConfig.EXE
C:\Lotus\Domino\nGSDOAScan.EXE
C:\Lotus\Domino\nGSDODScan.EXE
C:\Lotus\Domino\nGSDUpdate.EXE
C:\Lotus\Domino\nGSDReport.EXE
C:\Lotus\Domino\nMAPS.EXE
C:\Lotus\Domino\nHTTP.EXE
C:\Lotus\Domino\nPOP3.EXE
C:\Lotus\Domino\nSMTP.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\logon.scr
D:\2\Install\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.multipro.com.au/internal/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Kagara
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Kagara
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Kagara
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet



 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12470993
This is malware:
C:\WINNT\System32\nslsvice.exe
Remove this..

Here we are, hope this helps..

Logfile of HijackThis v1.98.2 - Safe. Shows the version of HijackThis. The newest version is v1.98.2! This should be the newest version (v1.98.2).
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) - Safe. Shows the version of your Internet Explorer. The newest version is 6.00.2800.1106! This should be the newest version (6.00.2800.1106).
C:\WINNT\System32\smss.exe - Safe running process (smss.exe). System process: application used to start, manage and delete sessions.
C:\WINNT\system32\csrss.exe - Safe running process (csrss.exe). System process: Client Server Runtime.
C:\WINNT\system32\winlogon.exe - Safe running process (winlogon.exe). System process: Windows login routine.
C:\WINNT\system32\services.exe - Safe running process (services.exe). System process: manages the system services.
C:\WINNT\system32\lsass.exe - Safe running process (lsass.exe). System process.
C:\WINNT\System32\termsrv.exe - Safe running process (termsrv.exe).
C:\WINNT\system32\svchost.exe - Safe running process (svchost.exe). System process: generic host process name for services.
C:\WINNT\system32\spoolsv.exe - Safe running process (spoolsv.exe). System process.
C:\Program Files\ActiveFax\Server\ActSrvNT.exe - Unknown running process (ActSrvNT.exe). This is an unknown process.
C:\Compaq\vcagent\vcagent.exe - Unknown running process (vcagent.exe). This is an unknown process.
C:\WINNT\system32\Dfssvc.exe - Safe running process (Dfssvc.exe).
C:\WINNT\System32\tcpsvcs.exe - Safe running process (tcpsvcs.exe).
C:\WINNT\System32\svchost.exe - Safe running process (svchost.exe). System process: generic host process name for services.
C:\WINNT\System32\ismserv.exe - Safe running process (ismserv.exe).
C:\WINNT\System32\llssrv.exe - Safe running process (llssrv.exe). License management under Windows NT.
C:\Lotus\Domino\nservice.exe - Unknown running process (nservice.exe). This is an unknown process.
C:\WINNT\System32\nslsvice.exe - Nasty running process (nslsvice.exe). Malware nslsvice.exe. This is a nasty process! You should fix it and try to delete it manually!
C:\WINNT\system32\nsl.exe - Unknown running process (nsl.exe). This is an unknown process.
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe - Safe running process (VsTskMgr.exe).
C:\Lotus\Domino\nSERVER.EXE - Unknown running process (nSERVER.EXE). This is an unknown process.
C:\WINNT\system32\ntfrs.exe - Safe running process (ntfrs.exe).
C:\WINNT\system32\regsvc.exe - Safe running process (regsvc.exe).
C:\WINNT\System32\locator.exe - Safe running process (locator.exe). RPC Locator.
C:\WINNT\system32\MSTask.exe - Safe running process (MSTask.exe). Belongs to the Windows Powertoys from MS.
C:\WINNT\System32\snmp.exe - Safe running process (snmp.exe).
C:\compaq\survey\Surveyor.EXE - Unknown running process (Surveyor.EXE). This is an unknown process.
C:\WINNT\System32\ups.exe - Unknown running process (ups.exe). This is an unknown process.
C:\Program Files\Network Associates\TVD\WebShield SMTP\MailCFG.exe - Unknown running process (MailCFG.exe). This is an unknown process.
C:\Program Files\Network Associates\TVD\WebShield SMTP\mailscan.exe - Safe running process (mailscan.exe). eScan.
C:\WINNT\System32\WBEM\WinMgmt.exe - Safe running process (WinMgmt.exe).
C:\Program Files\TightVNC\WinVNC.exe - Safe running process (WinVNC.exe).
C:\WINNT\system32\svchost.exe - Safe running process (svchost.exe). System process: generic host process name for services.
C:\WINNT\system32\CpqRcmc.exe - Unknown running process (CpqRcmc.exe). This is an unknown process.
C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe - Unknown running process (cqmgserv.exe). This is an unknown process.
C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe - Unknown running process (cqmgstor.exe). This is an unknown process.
C:\WINNT\System32\dns.exe - Safe running process (dns.exe).
C:\WINNT\System32\sysdown.exe - Unknown running process (sysdown.exe). This is an unknown process.
C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe - Unknown running process (cqmghost.exe). This is an unknown process.
C:\Lotus\Domino\nReplica.EXE - Unknown running process (nReplica.EXE). This is an unknown process.
C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe - Unknown running process (cpqwmgmt.exe). This is an unknown process.
C:\Lotus\Domino\nRouter.EXE - Unknown running process (nRouter.EXE). This is an unknown process.
C:\Lotus\Domino\nUpdate.EXE - Unknown running process (nUpdate.EXE). This is an unknown process.
C:\Lotus\Domino\nStats.EXE - Unknown running process (nStats.EXE). This is an unknown process.
C:\Lotus\Domino\nAMgr.EXE - Unknown running process (nAMgr.EXE). This is an unknown process.
C:\Lotus\Domino\namgr.EXE - Unknown running process (namgr.EXE). This is an unknown process.
C:\Lotus\Domino\nAdminp.EXE - Unknown running process (nAdminp.EXE). This is an unknown process.
C:\Lotus\Domino\nSched.EXE - Unknown running process (nSched.EXE). This is an unknown process.
C:\Lotus\Domino\nCalConn.EXE - Unknown running process (nCalConn.EXE). This is an unknown process.
C:\Lotus\Domino\nEvent.EXE - Unknown running process (nEvent.EXE). This is an unknown process.
C:\Lotus\Domino\nGSDConfig.EXE - Unknown running process (nGSDConfig.EXE). This is an unknown process.
C:\Lotus\Domino\nGSDOAScan.EXE - Unknown running process (nGSDOAScan.EXE). This is an unknown process.
C:\Lotus\Domino\nGSDODScan.EXE - Unknown running process (nGSDODScan.EXE). This is an unknown process.
C:\Lotus\Domino\nGSDUpdate.EXE - Unknown running process (nGSDUpdate.EXE). This is an unknown process.
C:\Lotus\Domino\nGSDReport.EXE - Unknown running process (nGSDReport.EXE). This is an unknown process.
C:\Lotus\Domino\nMAPS.EXE - Unknown running process (nMAPS.EXE). This is an unknown process.
C:\Lotus\Domino\nHTTP.EXE - Unknown running process (nHTTP.EXE). This is an unknown process.
C:\Lotus\Domino\nPOP3.EXE - Unknown running process (nPOP3.EXE). This is an unknown process.
C:\Lotus\Domino\nSMTP.EXE - Unknown running process (nSMTP.EXE). This is an unknown process.
C:\WINNT\system32\csrss.exe - Safe running process (csrss.exe). System process: Client Server Runtime.
C:\WINNT\system32\winlogon.exe - Safe running process (winlogon.exe). System process: Windows login routine.
C:\WINNT\system32\rdpclip.exe - Safe running process (rdpclip.exe).
C:\WINNT\Explorer.EXE - Safe running process (Explorer.EXE). System process for desktop and taskbar.
C:\WINNT\system32\cpqteam.exe - Unknown running process (cpqteam.exe). This is an unknown process.
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE - Safe running process (SHSTAT.EXE).
C:\WINNT\system32\internat.exe - Safe running process (internat.exe). System process: application that provides multi-language support on keyboards for Microsoft Windows programs.
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe - Safe running process (sqlmangr.exe).
C:\WINNT\system32\mmc.exe - Unknown running process (mmc.exe). This is an unknown process.
C:\WINNT\System32\svchost.exe - Safe running process (svchost.exe). System process: generic host process name for services.
D:\2\Install\HijackThis.exe - Safe running process (HijackThis.exe). The tool you created this log file with. Remember that HijackThis must be run in its own folder. Only if HijackThis runs in its own folder will it create backups!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.multipro.com.au/internal/ - Possibly nasty. This page could possibly be nasty. If you do not know the entry 'http://www.multipro.com.au/internal/', delete it.
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx - Safe. Entries found in this registry zone are potentially nasty. This application ([8E718888-423F-11D2-876E-00A0C9082467] - Result: 8E718888-423F-11D2-876E-00A0C9082467) has been checked. If the name is made up of random letters, is found in the folder 'Application Data' and the kind is 'Unknown', it should be fixed. Hit rate: 99 %
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe - Unknown. The entered application CPQTEAM was identified: None. Hit rate: -1 % (result). Unknown application.
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey - Safe. The entered application McAfeeUpdaterUI was identified: McAfeeUpdaterUI. Hit rate: 95 % (result)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE - Safe. The entered application ShStatEXE was identified: ShStatEXE. Hit rate: 94 % (result)
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper - Safe. The entered application WinVNC was identified: WinVNC. Hit rate: 94 % (result)
O4 - HKCU\..\Run: [internat.exe] internat.exe - Safe. The entered application internat.exe was identified: internat.exe. Hit rate: 95 % (result). Not dangerous, but unnecessary.
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe - Safe. The entered application 'Service Manager.lnk (sqlmangr.exe)' was identified: 'Service Manager (sqlmangr.exe)'. Hit rate: 89 % (result). Not dangerous, but unnecessary.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Kagara
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Kagara
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Kagara
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet
All six O17 entries - Possibly nasty. If this domain does not belong to your ISP or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or domain 'Kagara' / 'kagara,mtgarnet'? If not, fix this entry.

Author Comment

by:Multiprogramming
ID: 12483059
I think that nslsvice.exe is a part of Lotus Domino/Notes, which we are running, not malware.
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12483926
Mmm. Why does it say that it is nasty...
So, have you changed anything else according to the log..
 

Author Comment

by:Multiprogramming
ID: 12493205
It's a virus. After many hours' work with a 'virgin system' sitting on the LAN, watched by a packet sniffer, we caught it in the act. No AV can identify it, so it's a new one. The AVERT people are looking at it and I'll post when it's got a name.

The following is based on my guesses, as I don't read SMB that often.

Infected machines ping various addresses. When they get a reply, they negotiate an SMB session. The infected machine connects to the IPC$ share. It then creates a file called svcctl. It then connects to C$ and creates ntadint.dll, then creates hotplug.exe. The latter two files end up in c:\winnt\system32 on a W2k machine.

I suspect that for infection to work, the machines must be on the same domain. My laptop is on this LAN, and I don't think it's infected.

A service is created on the target machine called HOTPLUG. A key is added to the PLUGPLAY service so that it depends on the HOTPLUG service. The target machine is then infected.

I cleaned a machine using the following sequence:
Installed a new Win2k into C:\winnt2. It booted successfully. I then deleted the file hotplug.exe in the c:\winnt (infected) system32 folder.
Booted the c:\winnt version.
It booted slowly. I suspect this is because it is trying to start a service which now has a file missing.
Ran regedit, searched for all instances of hotplug; deleted them all. There were some keys, LEGACY_HOTPLUG..., which could not be deleted.
This version of the OS now seems to be virus-free, but I need to keep the PC disconnected from the LAN or it will infect again.
Hopefully McAfee will come up with the goods so I don't have to do this on hundreds of machines.
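The infection chain in the post above is the classic remote-service lateral-movement pattern: the binary is copied to the target over the C$ admin share, and the svcctl object opened over IPC$ is the Service Control Manager's RPC named pipe, through which the HOTPLUG service is created so the copied hotplug.exe actually runs. The persistence trick of making PLUGPLAY depend on HOTPLUG is also why, once hotplug.exe is deleted, Plug and Play and everything that depends on it (Messenger, Logical Disk Manager) refuse to start. The following Python script is an added example, not code from the thread, McAfee or Symantec: it triages a host offline from a registry export of the Services key plus a system32 directory listing, parses the .reg format (REG_SZ, REG_DWORD, REG_EXPAND_SZ as hex(2), REG_MULTI_SZ as hex(7), and the exporter's backslash line continuation), reports the HOTPLUG service and its image path, walks DependOnService chains so transitively blocked services are listed too, and matches the two dropped file names. The sample registry text and file listing are constructed, not real captures; Messenger's dependency list and all hex-encoded values are assumptions made for the example. hotplug.dll is a legitimate Windows 2000 component and is deliberately not flagged.

```python
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
MALICIOUS_SERVICE = "HOTPLUG"
# hotplug.dll is a legitimate Windows 2000 component; only these two names are indicators.
DROPPED_FILES = {"hotplug.exe", "ntadint.dll"}


def _decode_hex_string(hex_list, multi):
    """hex(2)/hex(7) values are UTF-16LE byte lists; strings are NUL-separated."""
    raw = bytes(int(b, 16) for b in hex_list.split(",") if b.strip())
    parts = [p for p in raw.decode("utf-16-le").split("\x00") if p]
    return parts if multi else (parts[0] if parts else "")


def parse_reg_export(text):
    """{key_path: {value_name: value}} from 'reg export' / regedit output.
    Handles REG_SZ, REG_DWORD, REG_EXPAND_SZ (hex(2)) and REG_MULTI_SZ (hex(7)),
    plus the backslash line continuation the exporter uses for long hex values."""
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)          # re-join wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = re.match(r'^(?:"([^"]+)"|(@))=(.*)$', line)
        if not val or current is None:
            continue
        name, v = val.group(1) or "(Default)", val.group(3)
        if v.startswith('"') and v.endswith('"'):        # REG_SZ, backslashes doubled
            keys[current][name] = v[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif v.startswith("dword:"):
            keys[current][name] = int(v[6:], 16)
        elif v.startswith("hex(2):"):
            keys[current][name] = _decode_hex_string(v[7:], multi=False)
        elif v.startswith("hex(7):"):
            keys[current][name] = _decode_hex_string(v[7:], multi=True)
        else:
            keys[current][name] = v                        # other types kept raw
    return keys


def _services(reg):
    """Top-level keys under Services only (skip Enum/Parameters subkeys)."""
    prefix = SERVICES_ROOT.lower() + "\\"
    return {k[len(prefix):]: v for k, v in reg.items()
            if k.lower().startswith(prefix) and "\\" not in k[len(prefix):]}


def _deps(values):
    d = values.get("DependOnService", [])
    return [d] if isinstance(d, str) else list(d)


def services_blocked_by(reg, bad=MALICIOUS_SERVICE):
    """Services whose DependOnService chain reaches `bad`, directly or transitively.
    With hotplug.exe deleted the SCM cannot start any of these, which is the
    failed Plug and Play / Messenger start-up the thread describes."""
    svcs = _services(reg)
    by_upper = {s.upper(): v for s, v in svcs.items()}
    blocked = []
    for name, values in svcs.items():
        seen, stack = set(), _deps(values)
        while stack:
            dep = stack.pop().upper()
            if dep == bad.upper():
                blocked.append(name)
                break
            if dep not in seen:
                seen.add(dep)
                stack.extend(_deps(by_upper.get(dep, {})))
    return sorted(blocked)


def triage(reg_text, system32_listing):
    """Combine registry and file-listing indicators into one verdict dict."""
    reg = parse_reg_export(reg_text)
    hot = next((v for s, v in _services(reg).items() if s.upper() == MALICIOUS_SERVICE), None)
    blocked = services_blocked_by(reg)
    dropped = sorted(p for p in system32_listing
                     if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES)
    return {"hotplug_service": hot,
            "hotplug_image": hot.get("ImagePath") if hot else None,
            "depends_on_hotplug": blocked,
            "dropped_files": dropped,
            "infected": bool(hot or blocked or dropped)}


# Constructed sample (not a real capture): three services as `reg export` would
# write them on an infected host. PlugPlay has been made to depend on HOTPLUG;
# Messenger's own list is assumed and only exercises the transitive case.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
"ImagePath"="%SystemRoot%\\system32\\services.exe"
"DependOnService"=hex(7):48,00,4f,00,54,00,50,00,4c,00,55,00,47,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HOTPLUG]
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,68,00,6f,00,74,00,70,00,6c,00,75,00,\
  67,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"DependOnService"=hex(7):4e,00,65,00,74,00,42,00,49,00,4f,00,53,00,00,00,50,00,\
  6c,00,75,00,67,00,50,00,6c,00,61,00,79,00,00,00,00,00
"""
# Constructed `dir /s /b C:\WINNT\system32` excerpt.
SAMPLE_FILES = [r"C:\WINNT\system32\hotplug.dll", r"C:\WINNT\system32\hotplug.exe",
                r"C:\WINNT\system32\ntadint.dll", r"C:\WINNT\system32\services.exe"]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG, SAMPLE_FILES).items():
        print(f"{k}: {v}")
```

On a real host the inputs come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (reg.exe ships with XP and later; regedit's export on Windows 2000 writes the same "Version 5.00" format) and `dir /s /b C:\WINNT\system32`. Export files are UTF-16 with a BOM, so read them with `open(path, encoding="utf-16")` before passing the text to `triage()`. Working from an export rather than a live registry also sidesteps the "registry looks empty" symptom the first post describes, and it leaves a copy of the evidence before any cleanup.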
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 12494420
OK nice1..
 

Author Comment

by:Multiprogramming
ID: 14447744
Excuse me for not closing off properly; it was a truly horrible time having a new virus take out most of my network, as you can imagine, so I dropped the ball a bit. The problem turned out to be a virus, as I suspected; I managed to bag it up and send it to McAfee, who came out with a fix. Symantec did the same.

McAfee called it W32/Hpl.worm:  http://vil.nai.com/vil/content/v_129905.htm
and Symantec called it W32.Orpheus.A:  http://securityresponse.symantec.com/avcenter/venc/data/w32.orpheus.a.html

I don't know how often Administrators have new viruses hit their network but it was a new one for me. I notice that my sites were the only ones who reported it (see Symantec synopsis) Thanks to everyone who helped.
 

Author Comment

by:Multiprogramming
ID: 14447822
Sorry but I need some help here. I answered my own question so would like to keep some points, but 1stITMAN went to the trouble of giving me some assistance so it's not fair that he gets nothing. Can I give 1stITMAN 150 points and keep the rest (or whatever you think appropriate).
 
LVL 19

Expert Comment

by:Zaheer Iqbal
ID: 14448585
Excuse me, I said that you were having a virus-like problem, didn't I..
So I did point you in the right direction to issue virus scans on the system..
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14465639
PAQed with points refunded (500)

modulo
Community Support Moderator
