Solved

Strange W2k OS behaviour spreading between machines like a virus (but no AV can identify one)

Posted on 2004-11-01
1,033 Views
Last Modified: 2008-01-09
My Win2k servers are behaving very strangely, as are my 2k desktops. The first thing that you notice is that when you click on an application icon, you get the message "unable to run this command".
After a reboot, on the 2k servers, you cannot log in at all. The "Press Ctrl-Alt-Del" message does not react to the key combination. Mouse is an hourglass.
You can terminal server to the boxes. Clicking icons gives you the message above. Entering the executable name into Start->Run works; but many of the system apps (like event manager) do not work properly with red crosses where you would expect to see the various logs.
A few services do not start.
Plug&Play, Messenger, Logical Disk Manager, Internet Authentication Service.  Other services start OK. No correlation between who they log in as, and which ones start/don't start.
Regedit displays the top level hives, but when you open them, the registry looks empty.

All this has happened on two different W2k servers which are DCs for two different domains, running in different sites but connected by a 64kb link. The W2k desktops at THREE sites are doing similar things. The third site (yet another domain connected by a slow IP link) has W2k3 for a domain controller. The W2k3 servers are not entirely unaffected. They are losing their License Authorisation. Seems to be problems with the Device Manager.

Device Manager is a common thread here. Sometimes when booting the 2k servers, you briefly get a message referring to the Hotplug Device Manager. I suspect that the other services depend on this one but am not sure.

This is the weirdest problem I have ever seen (considering the scope of the problem). It seems virus-like because it suddenly affects so many machines in three sites. Running the McAfee Stinger does not find anything. Running Spybot doesn't find anything either.

A corrupt group policy might do something like this; but I wouldn't have thought it would do it across domains. The domains do have bi-directional trust relationships.

If anyone is suffering from this problem, or has any ideas, I would be very keen to hear from them.

Mark
0
Question by:Multiprogramming
    11 Comments
     
    LVL 19

    Expert Comment

    by:1stITMAN
    I think it is a virus-like problem you are having..
    Looks as though you have been hacked...
    try online virus scans..
    http://housecall.trendmicro.com
    Also try HijackThis  http://s89223352.onlinehome.us/mirror/hjt/#introduction
    Post the log to the site and it should tell you if there are any problems..
    0
     

    Author Comment

    by:Multiprogramming
    Thanks 1stITMAN, I can't try the on-line scan as IE is playing up. When you type in an address, the text in the address bar flickers violently and the page stays blank.

    Here is the HijackThis log:

    Logfile of HijackThis v1.98.2
    Scan saved at 4:56:41 PM, on 2/11/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\ActiveFax\Server\ActSrvNT.exe
    C:\Compaq\vcagent\vcagent.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\ismserv.exe
    C:\WINNT\System32\llssrv.exe
    C:\Lotus\Domino\nservice.exe
    C:\WINNT\System32\nslsvice.exe
    C:\WINNT\system32\nsl.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Lotus\Domino\nSERVER.EXE
    C:\WINNT\system32\ntfrs.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\locator.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\compaq\survey\Surveyor.EXE
    C:\WINNT\System32\ups.exe
    C:\Program Files\Network Associates\TVD\WebShield SMTP\MailCFG.exe
    C:\Program Files\Network Associates\TVD\WebShield SMTP\mailscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\TightVNC\WinVNC.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\CpqRcmc.exe
    C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe
    C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\sysdown.exe
    C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe
    C:\Lotus\Domino\nReplica.EXE
    C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe
    C:\Lotus\Domino\nRouter.EXE
    C:\Lotus\Domino\nUpdate.EXE
    C:\Lotus\Domino\nStats.EXE
    C:\Lotus\Domino\nAMgr.EXE
    C:\Lotus\Domino\namgr.EXE
    C:\Lotus\Domino\nAdminp.EXE
    C:\Lotus\Domino\nSched.EXE
    C:\Lotus\Domino\nCalConn.EXE
    C:\Lotus\Domino\nEvent.EXE
    C:\Lotus\Domino\nGSDConfig.EXE
    C:\Lotus\Domino\nGSDOAScan.EXE
    C:\Lotus\Domino\nGSDODScan.EXE
    C:\Lotus\Domino\nGSDUpdate.EXE
    C:\Lotus\Domino\nGSDReport.EXE
    C:\Lotus\Domino\nMAPS.EXE
    C:\Lotus\Domino\nHTTP.EXE
    C:\Lotus\Domino\nPOP3.EXE
    C:\Lotus\Domino\nSMTP.EXE
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\rdpclip.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\cpqteam.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\system32\mmc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\logon.scr
    D:\2\Install\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.multipro.com.au/internal/
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Kagara
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Kagara
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Kagara
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet



    0
     
    LVL 19

    Expert Comment

    by:1stITMAN
    This is malware:
    C:\WINNT\System32\nslsvice.exe
    remove this..

    here we are hope this helps..

    Logfile of HijackThis v1.98.2    
    Safe.   Shows the version of HijackThis an. The newest version is: v1.98.2!   This should be the newest version. (v1.98.2 )
      Platform: Windows 2000 SP4 (WinNT 5.00.2195)          
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)    
    Safe.   Shows the version of your Internet Explorer. Newest Version is: 6.00.2800.1106!   This should be the newest version. (6.00.2800.1106)
      C:\WINNT\System32\smss.exe    
    Safe.   running process. (smss.exe)
    System process - application used to start, manage and delete sessions. smss.exe    
      C:\WINNT\system32\csrss.exe    
    Safe.   running process. (csrss.exe)
    System process - Client Server Runtime csrss.exe    
      C:\WINNT\system32\winlogon.exe    
    Safe.   running process. (winlogon.exe)
    System process - Windows login routine winlogon.exe    
      C:\WINNT\system32\services.exe    
    Safe.   running process. (services.exe)
    System process - manages the system services. services.exe    
      C:\WINNT\system32\lsass.exe    
    Safe.   running process. (lsass.exe)
    System process lsass.exe    
      C:\WINNT\System32\termsrv.exe    
    Safe.   running process. (termsrv.exe)
    termsrv.exe    
      C:\WINNT\system32\svchost.exe    
    Safe.   running process. (svchost.exe)
    System process - generic host process name for services. svchost.exe    
      C:\WINNT\system32\spoolsv.exe    
    Safe.   running process. (spoolsv.exe)
    System process spoolsv.exe    
      C:\Program Files\ActiveFax\Server\ActSrvNT.exe    
    Unknown   running process. (ActSrvNT.exe)
       This is a unknown process.
      C:\Compaq\vcagent\vcagent.exe    
    Unknown   running process. (vcagent.exe)
       This is a unknown process.
      C:\WINNT\system32\Dfssvc.exe    
    Safe.   running process. (Dfssvc.exe)
    Dfssvc.exe    
      C:\WINNT\System32\tcpsvcs.exe    
    Safe.   running process. (tcpsvcs.exe)
    tcpsvcs.exe    
      C:\WINNT\System32\svchost.exe    
    Safe.   running process. (svchost.exe)
    System process - generic host process name for services. svchost.exe    
      C:\WINNT\System32\ismserv.exe    
    Safe.   running process. (ismserv.exe)
    ismserv.exe    
      C:\WINNT\System32\llssrv.exe    
    Safe.   running process. (llssrv.exe)
    License management under Windows NT llssrv.exe    
      C:\Lotus\Domino\nservice.exe    
    Unknown   running process. (nservice.exe)
       This is a unknown process.
      C:\WINNT\System32\nslsvice.exe    
    Nasty   running process. (nslsvice.exe)
    Malware nslsvice.exe   This is a nasty process! You should fix it and try to delete it manually!
      C:\WINNT\system32\nsl.exe    
    Unknown   running process. (nsl.exe)
       This is a unknown process.
      C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe    
    Safe.   running process. (VsTskMgr.exe)
    VsTskMgr.exe    
      C:\Lotus\Domino\nSERVER.EXE    
    Unknown   running process. (nSERVER.EXE)
       This is a unknown process.
      C:\WINNT\system32\ntfrs.exe    
    Safe.   running process. (ntfrs.exe)
    ntfrs.exe    
      C:\WINNT\system32\regsvc.exe    
    Safe.   running process. (regsvc.exe)
    regsvc.exe    
      C:\WINNT\System32\locator.exe    
    Safe.   running process. (locator.exe)
    RPC Locator locator.exe    
      C:\WINNT\system32\MSTask.exe    
    Safe.   running process. (MSTask.exe)
    Part of the Windows PowerToys from MS. MSTask.exe    
      C:\WINNT\System32\snmp.exe    
    Safe.   running process. (snmp.exe)
    snmp.exe    
      C:\compaq\survey\Surveyor.EXE    
    Unknown   running process. (Surveyor.EXE)
       This is a unknown process.
      C:\WINNT\System32\ups.exe    
    Unknown   running process. (ups.exe)
       This is a unknown process.
      C:\Program Files\Network Associates\TVD\WebShield SMTP\MailCFG.exe    
    Unknown   running process. (MailCFG.exe)
       This is a unknown process.
      C:\Program Files\Network Associates\TVD\WebShield SMTP\mailscan.exe    
    Safe.   running process. (mailscan.exe)
    eScan mailscan.exe    
      C:\WINNT\System32\WBEM\WinMgmt.exe    
    Safe.   running process. (WinMgmt.exe)
    WinMgmt.exe    
      C:\Program Files\TightVNC\WinVNC.exe    
    Safe.   running process. (WinVNC.exe)
    WinVNC.exe    
      C:\WINNT\system32\svchost.exe    
    Safe.   running process. (svchost.exe)
    System process - generic host process name for services. svchost.exe    
      C:\WINNT\system32\CpqRcmc.exe    
    Unknown   running process. (CpqRcmc.exe)
       This is a unknown process.
      C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe    
    Unknown   running process. (cqmgserv.exe)
       This is a unknown process.
      C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe    
    Unknown   running process. (cqmgstor.exe)
       This is a unknown process.
      C:\WINNT\System32\dns.exe    
    Safe.   running process. (dns.exe)
    dns.exe    
      C:\WINNT\System32\sysdown.exe    
    Unknown   running process. (sysdown.exe)
       This is a unknown process.
      C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe    
    Unknown   running process. (cqmghost.exe)
       This is a unknown process.
      C:\Lotus\Domino\nReplica.EXE    
    Unknown   running process. (nReplica.EXE)
       This is a unknown process.
      C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe    
    Unknown   running process. (cpqwmgmt.exe)
       This is a unknown process.
      C:\Lotus\Domino\nRouter.EXE    
    Unknown   running process. (nRouter.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nUpdate.EXE    
    Unknown   running process. (nUpdate.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nStats.EXE    
    Unknown   running process. (nStats.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nAMgr.EXE    
    Unknown   running process. (nAMgr.EXE)
       This is a unknown process.
      C:\Lotus\Domino\namgr.EXE    
    Unknown   running process. (namgr.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nAdminp.EXE    
    Unknown   running process. (nAdminp.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nSched.EXE    
    Unknown   running process. (nSched.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nCalConn.EXE    
    Unknown   running process. (nCalConn.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nEvent.EXE    
    Unknown   running process. (nEvent.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nGSDConfig.EXE    
    Unknown   running process. (nGSDConfig.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nGSDOAScan.EXE    
    Unknown   running process. (nGSDOAScan.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nGSDODScan.EXE    
    Unknown   running process. (nGSDODScan.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nGSDUpdate.EXE    
    Unknown   running process. (nGSDUpdate.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nGSDReport.EXE    
    Unknown   running process. (nGSDReport.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nMAPS.EXE    
    Unknown   running process. (nMAPS.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nHTTP.EXE    
    Unknown   running process. (nHTTP.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nPOP3.EXE    
    Unknown   running process. (nPOP3.EXE)
       This is a unknown process.
      C:\Lotus\Domino\nSMTP.EXE    
    Unknown   running process. (nSMTP.EXE)
       This is a unknown process.
      C:\WINNT\system32\csrss.exe    
    Safe.   running process. (csrss.exe)
    System process - Client Server Runtime csrss.exe    
      C:\WINNT\system32\winlogon.exe    
    Safe.   running process. (winlogon.exe)
    System process - Windows login routine winlogon.exe    
      C:\WINNT\system32\rdpclip.exe    
    Safe.   running process. (rdpclip.exe)
    rdpclip.exe    
      C:\WINNT\Explorer.EXE    
    Safe.   running process. (Explorer.EXE)
    System process for the desktop and taskbar. explorer.exe    
      C:\WINNT\system32\cpqteam.exe    
    Unknown   running process. (cpqteam.exe)
       This is a unknown process.
      C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE    
    Safe.   running process. (SHSTAT.EXE)
    SHSTAT.EXE    
      C:\WINNT\system32\internat.exe    
    Safe.   running process. (internat.exe)
    System process - Application that provides multi-language support on keyboards for Microsoft Windows programs. internat.exe    
      C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe    
    Safe.   running process. (sqlmangr.exe)
    sqlmangr.exe    
      C:\WINNT\system32\mmc.exe    
    Unknown   running process. (mmc.exe)
       This is a unknown process.
      C:\WINNT\System32\svchost.exe    
    Safe.   running process. (svchost.exe)
    System process - generic host process name for services. svchost.exe    
      D:\2\Install\HijackThis.exe    
    Safe.   running process. (HijackThis.exe)
    Tool with which you created this log file. HijackThis.exe   Remember that HijackThis must be run in its own folder. Only if HijackThis runs in its own folder will it create backups!
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.multipro.com.au/internal/    
    Possibly nasty   This page could possibly be nasty.   If you do not know the entry 'http://www.multipro.com.au/internal/', delete it.
      O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx    
    Safe.   Entries found in this registry zone are potentially nasty. This application ([8E718888-423F-11D2-876E-00A0C9082467] - Result: 8E718888-423F-11D2-876E-00A0C9082467) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed. Hit rate: 99 %    
      O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe    
    Unknown   The entered application CPQTEAM was identified: None. Hit rate: -1 % (result)   Unknown application.
      O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey    
    Safe.   The entered application McAfeeUpdaterUI was identified: McAfeeUpdaterUI. Hit rate: 95 % (result)    
      O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE    
    Safe.   The entered application ShStatEXE was identified: ShStatEXE. Hit rate: 94 % (result)    
      O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper    
    Safe.   The entered application WinVNC was identified: WinVNC. Hit rate: 94 % (result)    
      O4 - HKCU\..\Run: [internat.exe] internat.exe    
    Safe.   The entered application internat.exe was identified: internat.exe. Hit rate: 95 % (result)   Not dangerous, but unnecessary.
      O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe    
    Safe.   The entered application 'Service Manager.lnk (sqlmangr.exe)' was identified: 'Service Manager (sqlmangr.exe )'. Hit rate: 89 % (result)   Not dangerous, but unnecessary.
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Kagara    
    Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Kagara '? If not, fix this entry.
      O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Kagara    
    Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Kagara '? If not, fix this entry.
      O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet    
    Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'kagara,mtgarnet '? If not, fix this entry.
      O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Kagara    
    Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Kagara '? If not, fix this entry.
      O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet    
    Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'kagara,mtgarnet '? If not, fix this entry.
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet  
    Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'kagara,mtgarnet'? If not, fix this entry.
    0
     

    Author Comment

    by:Multiprogramming
    I think that nslsvice.exe is a part of Lotus Domino/Notes, which we are running, not malware.
    0
     
    LVL 19

    Expert Comment

    by:1stITMAN
    mmm.  why does it say that it is nasty...
    So, changed anything else according to the log..
    0
     

    Author Comment

    by:Multiprogramming
    It's a virus. After many hours' work with a 'virgin system' sitting on the LAN watched by a packet sniffer, we caught it in the act. No AV can identify it so it's a new one.  The AVERT people are looking at it and I'll post when it's got a name.

    The following is based on my guesses as I don't read SMB that often.

    Infected machines ping various addresses. When they get a reply, they negotiate an SMB session. The infected machine connects to the IPC$ share. It then creates a file called svcctl. It then connects to C$ and creates ntadint.dll, then creates hotplug.exe. The latter two files end up in c:\winnt\system32 on a W2k machine.

    I suspect that for infection to work, the machines must be on the same domain. My laptop is on this LAN, and I don't think it's infected.

    A service is created on the target machine called HOTPLUG.  A key is added to the PLUGPLAY service so that it depends on the HOTPLUG service. The target machine is then infected.

    I cleaned a machine using the following sequence:
    Installed a new Win2k into C:\winnt2. It booted successfully. I then deleted the file hotplug.exe in the c:\winnt (infected) system32 folder.
    Booted the c:\winnt version
    It booted slowly. I suspect this is because it is trying to start a service which now has a file missing.
    Ran regedit, searched for all instances of hotplug; deleted them all. There were some keys: LEGACY_HOTPLUG... which could not be deleted.
    This version of the OS now seems to be virus free, but I need to keep the PC disconnected from the LAN or it will infect again.
    Hopefully McAfee will come up with the goods so I don't have to do this on hundreds of machines.
    0
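    The behaviour described in this post lends itself to two defender-side checks, one on the wire and one on the host. The Python below is an added example, not code from the thread, from McAfee or from Symantec. Part one correlates sniffer records per source and flags a machine that opens the svcctl pipe over IPC$ (the Service Control Manager's remote interface, which is why a service can then appear on the target) and afterwards writes ntadint.dll or hotplug.exe to that target's C$. Part two parses a regedit export of the Services key and reports whether a HOTPLUG service key exists and whether PlugPlay's DependOnService now lists HOTPLUG, the two registry changes the post describes and the things worth re-checking after the manual clean-up. The record layout for the sniffer output, the IP addresses and the registry export are all constructed for this example.

```python
"""Added triage helpers for the HOTPLUG worm behaviour described in the thread.
Part 1 flags sniffer sources that open IPC$ on a target and then create the dropped
files on its C$; part 2 checks a regedit export for the HOTPLUG service and the
PlugPlay dependency. All sample data is constructed; IPs and layout are assumed."""
import re
from collections import defaultdict

# Constructed, pre-normalised sniffer records: time src dst share action path
SAMPLE_SMB_EVENTS = r"""
10:01:02 10.1.1.20 10.1.1.31 IPC$ open svcctl
10:01:03 10.1.1.20 10.1.1.31 C$ create winnt\system32\ntadint.dll
10:01:03 10.1.1.20 10.1.1.31 C$ create winnt\system32\hotplug.exe
10:01:05 10.1.1.50 10.1.1.31 C$ open winnt\system32\drivers\etc\hosts
10:02:10 10.1.1.20 10.1.1.44 IPC$ open svcctl
10:02:11 10.1.1.20 10.1.1.44 C$ create winnt\system32\hotplug.exe
10:03:00 10.1.1.77 10.1.1.31 IPC$ open srvsvc
"""
DROPPED_NAMES = {"ntadint.dll", "hotplug.exe"}  # files the post saw written to system32

def flag_infected_sources(text):
    """{src: [targets]} for sources that open IPC$ on a target and later create
    one of DROPPED_NAMES on that same target's C$ (the order matters)."""
    opened_ipc, hits = set(), defaultdict(set)
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) != 6:
            continue  # blank or malformed record
        _, src, dst, share, action, path = parts
        if share.upper() == "IPC$" and action == "open":
            opened_ipc.add((src, dst))
        elif share.upper() == "C$" and action == "create":
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in DROPPED_NAMES and (src, dst) in opened_ipc:
                hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed regedit export; hex(7) is REG_MULTI_SZ as UTF-16LE, double-NUL terminated.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
"Start"=dword:00000002
"DependOnService"=hex(7):48,00,4f,00,54,00,50,00,4c,00,55,00,47,00,00,00,00,\
  00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HOTPLUG]
"ImagePath"="C:\\WINNT\\system32\\hotplug.exe"
"""
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=value

def _decode_hex(typecode, hexdigits):
    """'aa,bb,...' -> bytes; REG_MULTI_SZ (type 7) becomes a list of strings."""
    data = bytes(int(b, 16) for b in hexdigits.split(",") if b)
    if typecode == "7":
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return data

def parse_reg_export(text):
    """Minimal .reg parser -> {key_path.lower(): {name: value}}. Handles "str",
    dword: and hex/hex(N) values, including backslash-continued hex lines."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # continuation of a hex payload
            name, typ, chunks = pending
            chunks.append(line.rstrip("\\"))
            if not line.endswith("\\"):
                keys[current][name], pending = _decode_hex(typ, "".join(chunks)), None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue  # header, blank line or unsupported syntax
        name, value = m.groups()
        if value.startswith('"'):
            keys[current][name] = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif value.startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        elif value.startswith("hex"):
            head, _, payload = value.partition(":")
            typ = head[4:-1] if head.startswith("hex(") else "3"  # bare hex: is REG_BINARY
            if payload.endswith("\\"):
                pending = (name, typ, [payload.rstrip("\\")])
            else:
                keys[current][name] = _decode_hex(typ, payload)
    return keys

def hotplug_indicators(reg_text):
    """Report the two registry changes the post describes on an infected host."""
    services = parse_reg_export(reg_text)
    base = r"hkey_local_machine\system\currentcontrolset\services"
    hotplug = services.get(base + r"\hotplug")
    deps = services.get(base + r"\plugplay", {}).get("DependOnService", [])
    return {
        "hotplug_service_present": hotplug is not None,
        "hotplug_image": (hotplug or {}).get("ImagePath"),
        "plugplay_depends_on_hotplug": "HOTPLUG" in [d.upper() for d in deps],
    }
```

    On a real host the Services key would be exported with `regedit /e` and the file's text handed to `hotplug_indicators` (the version 5.00 format that Windows 2000 writes is a Unicode file, so decode it before parsing); after the clean-up described above, all three indicators should come back false or None. The network check deliberately keys on the order of events for one source/target pair, so an ordinary administrative C$ access that never touched IPC$ first, like the 10.1.1.50 record in the sample, is not flagged.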
     
    LVL 19

    Expert Comment

    by:1stITMAN
    OK nice1..
    0
     

    Author Comment

    by:Multiprogramming
    Excuse me for not closing off properly, it was a truly horrible time having a new virus take out most of my network as you can imagine; so I dropped the ball a bit. The problem turned out to be a virus as I suspected; I managed to bag it up and send it to McAfee who came out with a fix. Symantec did the same.

    McAfee called it W32/Hpl.worm:  http://vil.nai.com/vil/content/v_129905.htm
    and Symantec called it W32.Orpheus.A:  http://securityresponse.symantec.com/avcenter/venc/data/w32.orpheus.a.html

    I don't know how often Administrators have new viruses hit their network but it was a new one for me. I notice that my sites were the only ones who reported it (see Symantec synopsis). Thanks to everyone who helped.
    0
     

    Author Comment

    by:Multiprogramming
    Sorry but I need some help here. I answered my own question so would like to keep some points, but 1stITMAN went to the trouble of giving me some assistance so it's not fair that he gets nothing. Can I give 1stITMAN 150 points and keep the rest (or whatever you think appropriate).
    0
     
    LVL 19

    Expert Comment

    by:1stITMAN
    Excuse me, I said that you were having a virus-like problem, didn't I..
    So I did point you in the right direction to issue virus scans on the system..
    0
     

    Accepted Solution

    by:
    PAQed with points refunded (500)

    modulo
    Community Support Moderator
    0
