Re: Please Help! Network Hijacked!
From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 03/31/04
- Next message: Phil Weldon: "Re: Please Help! Network Hijacked!"
- Previous message: Russell: "Annoying..."
- In reply to: PLD: "Please Help! Network Hijacked!"
- Next in thread: Phil Weldon: "Re: Please Help! Network Hijacked!"
- Reply: Phil Weldon: "Re: Please Help! Network Hijacked!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Mar 2004 17:26:52 -0500
I think you have replies to this post in another group - pls. don't
multipost.
PLD wrote:
> I'm having a serious problem with SBS2003. Within days
> after installing and configuring ISA2000, performance
> degraded substantially. Event Viewer revealed numerous IP
> Spoof and NDR errors. Anti-virus software was strangely
> disabled. Re-installed NAV Corp Edition and detected
> several mass-mailer worms on the box (W32.Netsky.K@mm,
> W32.Netsky.D@mm, W32.Beagle.M@mm, W32.Mydoom.A@mm).
>
> I blocked outgoing email but noticed the Exchange mailroot
> Queue and BadMail folders were growing rapidly (gobbling
> up GBs of HD space). I immediately stopped and disabled
> all MS Exchange services and locked down the hardware
> firewall to deny all SMTP/POP3 traffic. This slowed down
> the queue growth, but did not stop it. Subsequent virus
> scans came up clean (couldn't check in Safe Mode though -
> NAV won't initialize). I downloaded Symantec virus
> removal tools for each virus type and ran/re-ran in
> regular and Safe Mode. The tools found nothing.
>
> This led me to suspect the problem may no longer be a
> virus, but some rogue hidden program on the box that
> initializes at startup. I scanned the Registry with
> AdAware (which caught minor stuff) but nothing related. I
> manually inspected the Registry key:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - to check for rogue programs launching at startup.
> Only found one suspect item (C:\WINDOWS\System32\83744448.exe) - but subsequent searches of the directory
> (set to show hidden and OS files) can't locate the file.
> I suspect it's just a key left over from one of the old
> viruses?? I looked up and validated all running processes
> showing in Task Manager. I also searched the Add/Remove
> Programs control panel for anything out of the ordinary.
> Only found one suspect file called "NPO.exe" which I
> uninstalled (supposedly). Couldn't find much about it on
> the Internet.
>
> The good news is that Safe Mode prevents the queues from
> growing. Bad news is I can't run the network in Safe
> Mode. I suspect some rogue program has tweaked the
> Registry and renamed itself as a system file. Every time
> the box boots up in normal mode, it launches itself and
> takes over. Can anyone suggest a way to stop this thing?
> I'm afraid I've run out of moves at this point. :[
>
> ...Paul
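A defender-side check for the kind of dangling autostart entry described in the quoted post, added here as an example and not part of the thread: it lists every value under the HKLM and HKCU Run/RunOnce keys, works out which executable each one launches, and reports whether that file exists and whether it carries Hidden or System attributes. Get-AutostartTarget is a helper name assumed for this example.

```powershell
# Added example (not from the original thread): enumerate Run/RunOnce
# autostart values, resolve the executable each one points at, and flag
# entries whose target is missing (a left-over key) or Hidden/System.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds that are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartTarget {
    param([string]$Command)
    # Reduce a command line to the executable path it starts with.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: everything up to the first ".exe", else the first token.
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $target = [Environment]::ExpandEnvironmentVariables(
            (Get-AutostartTarget $p.Value))
        # -Force so hidden/system files are still found.
        $exists = Test-Path -LiteralPath $target
        $attrs = if ($exists) {
            (Get-Item -LiteralPath $target -Force).Attributes
        } else { 'MISSING' }
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Target     = $target
            Exists     = $exists
            Attributes = $attrs
        }
    }
}
```

Targets given without a directory (for example a bare file name that Windows would resolve through the search path) are reported as-is rather than resolved, so check those rows by hand.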