Re: Hacked

From: Alvaro Prieto (alvaro_at_apg88.com)
Date: 04/14/05

  • Next message: Joshua Berry: "RE: Hacked"
    Date: Thu, 14 Apr 2005 14:27:13 -0400
    To: mfernandez@fdta-valles.org
    
    

    Mauricio,

    What if you try loading knoppix, or another live cd and remove the files
    without starting windows. You can also do a virus scan through there.
    If it is only in that folder, just delete it and run a virus-scan to
    make sure everything is clean.

    I have used knoppix before, and even if you are not familiar with linux,
    it will be very easy to do what you need.
    You can get knoppix at http://www.knoppix.org

    I hope this helps.

    Alvaro

     

    Mauricio Fernandez wrote:

    >This morning I found a wwwhack window opened on one of my w2k servers,
    >antivirus agent was deleted (TrendMicro) and when I reinstall it back, it
    >found about 4500 viruses named PE_PARITE.B
    >
    >Now the virus is still regenerating itself creating files on winnt\temp
    >folder, I saw the task list and stopped all the suspicious process, but
    >the virus still goes on...
    >
    >The virus/hacker created a folder named RADMIN, where he copied these
    >files:
    >r_server.exe
    >admdll.dll
    >hide.reg
    >raddrv.dll
    >pro.bat
    >start.bat
    >
    >Does anyone knows how to remove this virus and avoid this hack
    >vulnerability?
    >
    >
    >Mauricio Fernández S.
    >IT Manager
    >Tel. 591- 445-25160
    >Fax. 591- 441-15056
    >mfernandez@fdta-valles.org
    >www.fdta-valles.org
    >Cochabamba - Bolivia
    >
    >
    >

    ---------------------------------------------------------------------------
    Earn your MS in Information Security ONLINE
    Organizations worldwide are in need of highly qualified information security
    professionals. Norwich University is fulfilling this demand with its MS in
    Information Security offered online. Recognized by the NSA as an
    academically excellent program, NU offers you the opportunity to earn your
    degree without disrupting your home or work life.

    http://www.msia.norwich.edu/secfocus_en
    ----------------------------------------------------------------------------


  • Next message: Joshua Berry: "RE: Hacked"

    Relevant Pages

    • Re: virus infested machine
      ... There were no virus rescue CD's and no way to connect to the Internet to do a remote scan from Trend Micro House Call. ... I would back up the data by using either a Bart's PE or Knoppix and then flatten the system. ... Make sure you scan the backed up data with a current version AV using updated virus definitions before you put it back onto the clean system. ... Then boot with it and it will be able to see the Windows files. ...
      (microsoft.public.windowsxp.general)
    • Re: After running spyware - XP wont let me boot - keeps logging out
      ... from one of the free Live Linux CDs (such as Knoppix). ... there's little chance of the virus moving over on its own unless you ... I am guessing the virus wouldn't jump ...
      (microsoft.public.windowsxp.general)
    • RE: newfolder.exe containment procedure
      ... but what is it upto in the background? ... File Size equals 208Kb, uses a folder Icon the same name as parent folder, ... Ensure you set the PC to show hidden and system files and file extensions. ... delete the dormant virus files. ...
      (microsoft.public.security.virus)
    • The ISO17799 Security Newsletter - Issue 3
      ... The third edition of the ISO17799 Newsletter has been published this ... commentary on recent Information Security incidents. ... Internet and E-mail: ... ISO17799 Section 8: When a Virus Attacks ...
      (comp.security.misc)
    • newfolder.exe containment procedure
      ... File Size equals 208Kb, uses a folder Icon the same name as parent folder, ... Ensure you set the PC to show hidden and system files and file extensions. ... That is the entry that starts the bug. ... delete the dormant virus files. ...
      (microsoft.public.security.virus)