Strange W2k OS behaviour spreading between machines like a virus (but no AV can identify one)

My Win2k servers are behaving very strangely, as are my 2k desktops. The first thing that you notice is that when you click on an application icon, you get the message "unable to run this command".
After a reboot, on the 2k servers, you cannot log in at all. The "Press AltConDel" message does not react to the key combination. Mouse is an hourglass.
You can terminal server to the boxes. Clicking icons gives you the message above. Entering the executable name into Start->Run works; but many of the system apps (like event manager) do not work properly with red crosses where you would expect to see the various logs.
A few services do not start.
Plug&Play, Messenger, Logical Disk Manager, Internet Authentication Service.  Other services start OK. No correlation between who they log in as, and which ones start/don't start.
Regedit displays the top level hives, but when you open them, the registry looks empty.

All this has happened on two different W2k servers which are DCs for two different domains, running in different sites but connected by a 64kb link. The W2k desktops at THREE sites are doing similar things. The third site (yet another domain connected by IP slow link) has W2k3 for a domain controller. The W2k3 servers are not entirely unaffected. They are losing their License Authorisation. Seems to be problems with the Device Manager.

Device Manager is a common thread here. Sometimes when booting the 2k servers, you briefly get a message referring to the Hotplug Device Manager. I suspect that the other services depend on this one but am not sure.

This is the weirdest problem I have ever seen (considering the scope of the problem). It seems virus-like because it suddenly affected so many machines in three sites. Running the McAfee sting does not find anything. Running spybot doesn't find anything either.

A corrupt group policy might do something like this; but I wouldn't have thought it would do it across domains. The domains do have bi-directional trust relationships.

If anyone is suffering from this problem, or has any ideas, I would be very keen to hear from them.

Mark
Multiprogramming Asked:
 
modulo Commented:
PAQed with points refunded (500)

modulo
Community Support Moderator
0
 
Zaheer Iqbal (Technical Assurance & Implementation) Commented:
I think it is a virus-like problem you are having.
Looks as though you have been hacked...
Try online virus scans:
http://housecall.trendmicro.com
Also try HijackThis: http://s89223352.onlinehome.us/mirror/hjt/#introduction
Post the log to the site and it should tell if there are any problems.
0
 
Multiprogramming (Author) Commented:
Thanks 1stITMAN, I can't try the on-line scan as IE is playing up. When you type in an address, the text in the address bar flickers violently and the page stays blank.

Here is the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 4:56:41 PM, on 2/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ActiveFax\Server\ActSrvNT.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\Lotus\Domino\nservice.exe
C:\WINNT\System32\nslsvice.exe
C:\WINNT\system32\nsl.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Lotus\Domino\nSERVER.EXE
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\ups.exe
C:\Program Files\Network Associates\TVD\WebShield SMTP\MailCFG.exe
C:\Program Files\Network Associates\TVD\WebShield SMTP\mailscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CpqRcmc.exe
C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\Lotus\Domino\nReplica.EXE
C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe
C:\Lotus\Domino\nRouter.EXE
C:\Lotus\Domino\nUpdate.EXE
C:\Lotus\Domino\nStats.EXE
C:\Lotus\Domino\nAMgr.EXE
C:\Lotus\Domino\namgr.EXE
C:\Lotus\Domino\nAdminp.EXE
C:\Lotus\Domino\nSched.EXE
C:\Lotus\Domino\nCalConn.EXE
C:\Lotus\Domino\nEvent.EXE
C:\Lotus\Domino\nGSDConfig.EXE
C:\Lotus\Domino\nGSDOAScan.EXE
C:\Lotus\Domino\nGSDODScan.EXE
C:\Lotus\Domino\nGSDUpdate.EXE
C:\Lotus\Domino\nGSDReport.EXE
C:\Lotus\Domino\nMAPS.EXE
C:\Lotus\Domino\nHTTP.EXE
C:\Lotus\Domino\nPOP3.EXE
C:\Lotus\Domino\nSMTP.EXE
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\logon.scr
D:\2\Install\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.multipro.com.au/internal/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Kagara
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Kagara
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Kagara
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet



0
 
Zaheer Iqbal (Technical Assurance & Implementation) Commented:
This is malware:
C:\WINNT\System32\nslsvice.exe
Remove this.

Here we are, hope this helps.

Logfile of HijackThis v1.98.2    
Safe.   Shows the version of HijackThis an. The newest version is: v1.98.2!   This should be the newest version. (v1.98.2 )
  Platform: Windows 2000 SP4 (WinNT 5.00.2195)          
  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)    
Safe.   Shows the version of your Internet Explorer. Newest Version is: 6.00.2800.1106!   This should be the newest version. (6.00.2800.1106)
  C:\WINNT\System32\smss.exe    
Safe.   running process. (smss.exe)
Systemprozess - Anwendung, die benutzt wird um Sitzungen zu starten, verwalten und löschen. smss.exe    
  C:\WINNT\system32\csrss.exe    
Safe.   running process. (csrss.exe)
Systemprozess - Client Server Runtime csrss.exe    
  C:\WINNT\system32\winlogon.exe    
Safe.   running process. (winlogon.exe)
Systemprozess - Windows Login Routine winlogon.exe    
  C:\WINNT\system32\services.exe    
Safe.   running process. (services.exe)
Systemprozess - Verwaltet die Systemdienste. services.exe    
  C:\WINNT\system32\lsass.exe    
Safe.   running process. (lsass.exe)
Systemprozess lsass.exe    
  C:\WINNT\System32\termsrv.exe    
Safe.   running process. (termsrv.exe)
termsrv.exe    
  C:\WINNT\system32\svchost.exe    
Safe.   running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste. svchost.exe    
  C:\WINNT\system32\spoolsv.exe    
Safe.   running process. (spoolsv.exe)
Systemprozess spoolsv.exe    
  C:\Program Files\ActiveFax\Server\ActSrvNT.exe    
Unknown   running process. (ActSrvNT.exe)
   This is a unknown process.
  C:\Compaq\vcagent\vcagent.exe    
Unknown   running process. (vcagent.exe)
   This is a unknown process.
  C:\WINNT\system32\Dfssvc.exe    
Safe.   running process. (Dfssvc.exe)
Dfssvc.exe    
  C:\WINNT\System32\tcpsvcs.exe    
Safe.   running process. (tcpsvcs.exe)
tcpsvcs.exe    
  C:\WINNT\System32\svchost.exe    
Safe.   running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste. svchost.exe    
  C:\WINNT\System32\ismserv.exe    
Safe.   running process. (ismserv.exe)
ismserv.exe    
  C:\WINNT\System32\llssrv.exe    
Safe.   running process. (llssrv.exe)
Lizenz-Verwaltung unter Windows NT llssrv.exe    
  C:\Lotus\Domino\nservice.exe    
Unknown   running process. (nservice.exe)
   This is a unknown process.
  C:\WINNT\System32\nslsvice.exe    
Nasty   running process. (nslsvice.exe)
Malware nslsvice.exe   This is a nasty process! You should fix it and try to delete it manually!
  C:\WINNT\system32\nsl.exe    
Unknown   running process. (nsl.exe)
   This is a unknown process.
  C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe    
Safe.   running process. (VsTskMgr.exe)
VsTskMgr.exe    
  C:\Lotus\Domino\nSERVER.EXE    
Unknown   running process. (nSERVER.EXE)
   This is a unknown process.
  C:\WINNT\system32\ntfrs.exe    
Safe.   running process. (ntfrs.exe)
ntfrs.exe    
  C:\WINNT\system32\regsvc.exe    
Safe.   running process. (regsvc.exe)
regsvc.exe    
  C:\WINNT\System32\locator.exe    
Safe.   running process. (locator.exe)
RPC Locator locator.exe    
  C:\WINNT\system32\MSTask.exe    
Safe.   running process. (MSTask.exe)
Gehört zu den Windows Powertoys von MS. MSTask.exe    
  C:\WINNT\System32\snmp.exe    
Safe.   running process. (snmp.exe)
snmp.exe    
  C:\compaq\survey\Surveyor.EXE    
Unknown   running process. (Surveyor.EXE)
   This is a unknown process.
  C:\WINNT\System32\ups.exe    
Unknown   running process. (ups.exe)
   This is a unknown process.
  C:\Program Files\Network Associates\TVD\WebShield SMTP\MailCFG.exe    
Unknown   running process. (MailCFG.exe)
   This is a unknown process.
  C:\Program Files\Network Associates\TVD\WebShield SMTP\mailscan.exe    
Safe.   running process. (mailscan.exe)
eScan mailscan.exe    
  C:\WINNT\System32\WBEM\WinMgmt.exe    
Safe.   running process. (WinMgmt.exe)
WinMgmt.exe    
  C:\Program Files\TightVNC\WinVNC.exe    
Safe.   running process. (WinVNC.exe)
WinVNC.exe    
  C:\WINNT\system32\svchost.exe    
Safe.   running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste. svchost.exe    
  C:\WINNT\system32\CpqRcmc.exe    
Unknown   running process. (CpqRcmc.exe)
   This is a unknown process.
  C:\WINNT\system32\CPQMgmt\CqMgServ\cqmgserv.exe    
Unknown   running process. (cqmgserv.exe)
   This is a unknown process.
  C:\WINNT\system32\CPQMgmt\CqMgStor\cqmgstor.exe    
Unknown   running process. (cqmgstor.exe)
   This is a unknown process.
  C:\WINNT\System32\dns.exe    
Safe.   running process. (dns.exe)
dns.exe    
  C:\WINNT\System32\sysdown.exe    
Unknown   running process. (sysdown.exe)
   This is a unknown process.
  C:\WINNT\system32\CPQMgmt\CqMgHost\cqmghost.exe    
Unknown   running process. (cqmghost.exe)
   This is a unknown process.
  C:\Lotus\Domino\nReplica.EXE    
Unknown   running process. (nReplica.EXE)
   This is a unknown process.
  C:\WINNT\system32\CPQMgmt\cpqwmgmt.exe    
Unknown   running process. (cpqwmgmt.exe)
   This is a unknown process.
  C:\Lotus\Domino\nRouter.EXE    
Unknown   running process. (nRouter.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nUpdate.EXE    
Unknown   running process. (nUpdate.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nStats.EXE    
Unknown   running process. (nStats.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nAMgr.EXE    
Unknown   running process. (nAMgr.EXE)
   This is a unknown process.
  C:\Lotus\Domino\namgr.EXE    
Unknown   running process. (namgr.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nAdminp.EXE    
Unknown   running process. (nAdminp.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nSched.EXE    
Unknown   running process. (nSched.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nCalConn.EXE    
Unknown   running process. (nCalConn.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nEvent.EXE    
Unknown   running process. (nEvent.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nGSDConfig.EXE    
Unknown   running process. (nGSDConfig.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nGSDOAScan.EXE    
Unknown   running process. (nGSDOAScan.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nGSDODScan.EXE    
Unknown   running process. (nGSDODScan.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nGSDUpdate.EXE    
Unknown   running process. (nGSDUpdate.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nGSDReport.EXE    
Unknown   running process. (nGSDReport.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nMAPS.EXE    
Unknown   running process. (nMAPS.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nHTTP.EXE    
Unknown   running process. (nHTTP.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nPOP3.EXE    
Unknown   running process. (nPOP3.EXE)
   This is a unknown process.
  C:\Lotus\Domino\nSMTP.EXE    
Unknown   running process. (nSMTP.EXE)
   This is a unknown process.
  C:\WINNT\system32\csrss.exe    
Safe.   running process. (csrss.exe)
Systemprozess - Client Server Runtime csrss.exe    
  C:\WINNT\system32\winlogon.exe    
Safe.   running process. (winlogon.exe)
Systemprozess - Windows Login Routine winlogon.exe    
  C:\WINNT\system32\rdpclip.exe    
Safe.   running process. (rdpclip.exe)
rdpclip.exe    
  C:\WINNT\Explorer.EXE    
Safe.   running process. (Explorer.EXE)
Systemprozess für Desktop und Taskleiste. explorer.exe    
  C:\WINNT\system32\cpqteam.exe    
Unknown   running process. (cpqteam.exe)
   This is a unknown process.
  C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE    
Safe.   running process. (SHSTAT.EXE)
SHSTAT.EXE    
  C:\WINNT\system32\internat.exe    
Safe.   running process. (internat.exe)
Systemprozess - Application that provides multi-language support on keyboards for Microsoft Windows programs. internat.exe    
  C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe    
Safe.   running process. (sqlmangr.exe)
sqlmangr.exe    
  C:\WINNT\system32\mmc.exe    
Unknown   running process. (mmc.exe)
   This is a unknown process.
  C:\WINNT\System32\svchost.exe    
Safe.   running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste. svchost.exe    
  D:\2\Install\HijackThis.exe    
Safe.   running process. (HijackThis.exe)
Tool, mit dem sie dieses Logfile erzeugt haben. HijackThis.exe   Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups!
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.multipro.com.au/internal/   
Possibly nasty   This page could possibly be nasty.   If you do not know the entry 'http://www.multipro.com.au/internal/', delete it.
  O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx    
Safe.   Entries found in this registry zone are potentially nasty. This application ([8E718888-423F-11D2-876E-00A0C9082467] - Result: 8E718888-423F-11D2-876E-00A0C9082467) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed. Hit rate: 99 %    
  O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe    
Unknown   The entered application CPQTEAM was identified: None. Hit rate: -1 % (result)   Unknown application.
  O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey    
Safe.   The entered application McAfeeUpdaterUI was identified: McAfeeUpdaterUI. Hit rate: 95 % (result)    
  O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE    
Safe.   The entered application ShStatEXE was identified: ShStatEXE. Hit rate: 94 % (result)    
  O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper    
Safe.   The entered application WinVNC was identified: WinVNC. Hit rate: 94 % (result)    
  O4 - HKCU\..\Run: [internat.exe] internat.exe    
Safe.   The entered application internat.exe was identified: internat.exe. Hit rate: 95 % (result)   Not dangerous, but unnecessary.
  O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe    
Safe.   The entered application 'Service Manager.lnk (sqlmangr.exe)' was identified: 'Service Manager (sqlmangr.exe )'. Hit rate: 89 % (result)   Not dangerous, but unnecessary.
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Kagara    
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Kagara '? If not, fix this entry.
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Kagara    
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Kagara '? If not, fix this entry.
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet    
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'kagara,mtgarnet '? If not, fix this entry.
  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Kagara    
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Kagara '? If not, fix this entry.
  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet    
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'kagara,mtgarnet '? If not, fix this entry.
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = kagara,mtgarnet  
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'kagara,mtgarnet'? If not, fix this entry.
0
 
Multiprogramming (Author) Commented:
I think that nslsvice.exe is a part of Lotus Domino/Notes, which we are running, not malware.
0
 
Zaheer Iqbal (Technical Assurance & Implementation) Commented:
mmm.  why does it say that it is nasty...
SO changed anything else according to the log..
0
 
Multiprogramming (Author) Commented:
It's a virus. After many hours' work with a 'virgin system' sitting on the LAN watched by a packet sniffer, we caught it in the act. No AV can identify it so it's a new one. The AVERT people are looking at it and I'll post when it's got a name.

The following is based on my guesses as I don't read SMB that often.

Infected machines ping various addresses. When they get a reply, they negotiate an SMB session. The infected machine connects to the IPC$ share. It then creates a file called svcctl. It then connects to C$ and creates ntadint.dll, then creates hotplug.exe. The latter two files end up in c:\winnt\system32 on a W2k machine.

I suspect that for infection to work, the machines must be on the same domain. My laptop is on this LAN, and I don't think it's infected.

A service is created on the target machine called HOTPLUG.  A key is added to the PLUGPLAY service so that it depends on the HOTPLUG service. The target machine is then infected.

I cleaned a machine using the following sequence:
Installed a new Win2k into C:\winnt2. It booted successfully. I then deleted the file hotplug.exe in the c:\winnt (infected) system32 folder.
Booted the c:\winnt version
It booted slowly. I suspect this is because it is trying to start a service which now has a file missing.
Ran regedit, searched for all instances of hotplug; deleted them all. There were some keys: LEGACY_HOTPLUG... which could not be deleted.
This version of the OS now seems to be virus free, but I need to keep the PC disconnected from the LAN or it will infect again.
Hopefully McAfee will come up with the goods so I don't have to do this on hundreds of machines.
0
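
An offline triage check built from the indicators in the post above (an added example, not part of the original thread): it parses a regedit export and a system32 file listing and reports the HOTPLUG service, any service that depends on it, and the two dropped files. The sample export, the sample listing, and the assumption that the dependency is stored in the standard `DependOnService` value are constructed for illustration.

```python
import re

# Indicators reported in the post: the HOTPLUG service and the two dropped files.
WORM_SERVICE = "hotplug"
WORM_FILES = {"hotplug.exe", "ntadint.dll"}

# Constructed sample (not captured from a real host): a regedit 5.00 export of
# two service keys plus a file listing of system32 on an infected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
"DependOnService"=hex(7):48,00,4f,00,54,00,50,00,4c,00,55,00,\
  47,00,00,00,00,00
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HOTPLUG]
"ImagePath"="C:\\WINNT\\system32\\hotplug.exe"
'''
SAMPLE_LISTING = ["kernel32.dll", "HOTPLUG.EXE", "ntadint.dll", "services.exe"]


def decode_value(raw):
    """Decode the right-hand side of one .reg value line."""
    if raw.startswith("hex(7):"):  # REG_MULTI_SZ, UTF-16LE in 5.00 exports
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    return raw


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: decoded_value}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = decode_value(m.group(2))
    return keys


def find_worm_traces(reg_text, system32_listing):
    """Return (kind, detail) findings for the indicators named in the post."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        m = re.search(r"\\Services\\([^\\]+)$", path, re.IGNORECASE)
        if not m:
            continue
        if m.group(1).lower() == WORM_SERVICE:
            findings.append(("service", m.group(1)))
        deps = values.get("DependOnService")
        if isinstance(deps, list) and WORM_SERVICE in (d.lower() for d in deps):
            findings.append(("dependency", m.group(1)))
    for name in system32_listing:
        if name.lower() in WORM_FILES:
            findings.append(("file", name))
    return findings


if __name__ == "__main__":
    for kind, detail in find_worm_traces(SAMPLE_REG, SAMPLE_LISTING):
        print(f"{kind:10} {detail}")
```

A `dependency` finding that remains after the service key and files are gone means another service's `DependOnService` value still lists HOTPLUG.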
 
Zaheer Iqbal (Technical Assurance & Implementation) Commented:
OK nice1..
0
 
Multiprogramming (Author) Commented:
Excuse me for not closing off properly, it was a truly horrible time having a new virus take out most of my network as you can imagine; so I dropped the ball a bit. The problem turned out to be a virus as I suspected; I managed to bag it up and send it to McAfee who came out with a fix. Symantec did the same.

McAfee called it W32/Hpl.worm:  http://vil.nai.com/vil/content/v_129905.htm
and Symantec called it W32.Orpheus.A:  http://securityresponse.symantec.com/avcenter/venc/data/w32.orpheus.a.html

I don't know how often Administrators have new viruses hit their network but it was a new one for me. I notice that my sites were the only ones who reported it (see Symantec synopsis). Thanks to everyone who helped.
0
 
Multiprogramming (Author) Commented:
Sorry but I need some help here. I answered my own question so would like to keep some points, but 1stITMAN went to the trouble of giving me some assistance so it's not fair that he gets nothing. Can I give 1stITMAN 150 points and keep the rest (or whatever you think appropriate).
0
 
Zaheer Iqbal (Technical Assurance & Implementation) Commented:
Excuse me, I said that you were having a virus-like problem, didn't I..
So I did point you in the right direction to issue virus scans on the system..
0