Virus on Network

Posted on 2005-05-12
Last Modified: 2010-03-18
I have a virus (spyware) on the network (with the process name windowsp.exe). I notice that this one comes with a package of different spyware and adware such as powerscan, optimize, canada.exe and so on. All the other threats in the package can vary, except windowsp.

I stress windowsp here for three reasons: there is no info about this one; the PC with "windowsp" tries to log on to the Windows domain with a fixed user name and catched user name along with a predefined (fixed) password (not dictionary, more like a brute attack); nothing can identify windowsp as a dirty process or windowsp.exe as a suspicious threat.

Manual removal is possible, but on half of the infected computers this threat comes back in the previously mentioned package.

Asking some users to change their password does not work.

Removing default sharing does not help.

Most of the time the original source file is called P.exe (or I.exe occasionally), located in the root of drive C:

Changing the IP on the workstation does not work.

The time for the threat to work is pre-set, or when you power on the machine.

It disables Norton real-time protection and definition updates (not 100%).

Had a failed experience with Windows Update (the update was done but the threat came back at the same time).

No obvious remote session has caught my attention.

On a previously infected PC, it can come back without you opening IE.

There are a lot of other things I see here, like the open ports, etc.

Thanks for your comments.
Question by:igmp
Accepted Solution

by:
nedvis earned 1000 total points
ID: 13992713

I would suggest that you purge the JAVA cache and resize (if not disable caching of JAVA applets) the space allocated for the JAVA cache (from the JAVA Control Panel applet).
On Windows XP computers disable System Restore.
Also run a hard-disk cleaner (http://www.ccleaner.com).
Then run an excellent online antivirus scanner from http://www.command2.co.uk, capable of scanning and disinfecting even networked computers and mounted volumes, shared folders and partitions currently available on your LAN.
On infected computers enable sharing of entire hard disks (c:\) and then scan them from remote systems on the network.

Good luck
nedvis
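
The question describes an infected PC attempting domain logons under several user names. As an added example (not part of the original question or answer), this Python script flags workstations whose failed logons cover many distinct accounts in a short window; the record format, host names, account names and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the post): time, workstation, account, result
SAMPLE_LOG = """\
2005-05-12T08:00:01 WS-014 administrator FAIL
2005-05-12T08:00:03 WS-014 admin FAIL
2005-05-12T08:00:05 WS-014 guest FAIL
2005-05-12T08:00:07 WS-014 jsmith FAIL
2005-05-12T08:00:09 WS-014 backup FAIL
2005-05-12T08:01:30 WS-022 mlee FAIL
2005-05-12T08:01:41 WS-022 mlee OK
2005-05-12T09:15:00 WS-031 administrator FAIL
2005-05-12T13:40:00 WS-031 guest FAIL
"""

def parse(text):
    """Yield (timestamp, host, account, result) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, user, result = parts
        yield datetime.fromisoformat(ts), host, user.lower(), result

def suspect_hosts(text, min_accounts=4, window_minutes=5):
    """Return {host: all accounts it failed on} for hosts whose failed logons
    hit at least min_accounts distinct accounts inside one sliding window."""
    window = timedelta(minutes=window_minutes)
    fails = defaultdict(list)
    for ts, host, user, result in parse(text):
        if result == "FAIL":
            fails[host].append((ts, user))
    flagged = {}
    for host, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events older than the window
            if len({u for _, u in events[start:end + 1]}) >= min_accounts:
                flagged[host] = sorted({u for _, u in events})
                break
    return flagged

if __name__ == "__main__":
    for host, accounts in suspect_hosts(SAMPLE_LOG).items():
        print(host, "failed logons for:", ", ".join(accounts))
```

A single user mistyping a password (WS-022 in the sample) stays below the distinct-account threshold, so only the workstation cycling through account names is reported.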
 