Virus on Network
Posted on 2005-05-12
I have a virus (spyware) on the network (with the process name windowsp.exe). I notice that this one comes with a package of different spyware and adware like powerscan, optimize, canada.exe and so on. All the other threats in the package can vary, except windowsp.
I stress windowsp here for three reasons: there is no info about this one; the PC with "windowsp" tries to log on to the Windows domain with a fixed user name and a cached user name along with a predefined (fixed) password (not dictionary, more like a brute attack); nothing can identify windowsp as a dirty process or windowsp.exe as a suspicious threat.
Manual removal is possible, but on half of the infected computers this threat comes back in the previously mentioned package.
Asking some users to change their passwords does not work.
Removing default sharing does not help.
Most of the time the original source file is called P.exe (or occasionally I.exe), located in the root of drive C:
Changing the IP on the workstation does not work.
The time for the threat to work is pre-set, or it is when you power on the machine.
It disables Norton real-time protection and definition updates (not 100%).
I had a failed experience with Windows Update (the update is done but the threat came back at the same time).
No obvious remote session has caught my attention.
On a previously infected PC, it can come back without you opening IE.
There are a lot of other things I see here, like the open ports, etc.
Thanks for your comments.