Re: qhost and...

From: Malke (malke_at_nospoonnotreally.com)
Date: 08/05/04


Date: Thu, 05 Aug 2004 05:32:55 -0700

Jmax wrote:

>
> Hi, I've a problem with a Server 2000 and a lot of XP Pro with a
> virus. The virus closes Norton Antivirus (Corporate Edition), also
> deleting the tray icon.
> Regedit is also closed a few seconds after I try to use it.
>
> If the computer starts without the net plugged in there aren't problems;
> when I insert the plug to connect.... Norton and regedit close and the
> CPU works at 100%.
>
> Using STINGER I've found a QHOST trojan in
> winnt/system32/driver/host... which says it has repaired but if I
> reboot with the net .....
>
> Any suggestions??

It sounds like your entire network is infected and probably with more
than just Qhost. Perhaps you weren't keeping your NAV definitions
updated.

You need to take the network down. Disconnect all boxen from the network
and clean each one, including the server of course. Start by running
TrendMicro's Sysclean utility in Safe Mode. Once you have cleaned up
the major infections, you should be able to reinstall regular AV.
Download updated definitions from an unaffected machine outside of the
network and burn to CD-R. Install the new defs to your regular AV and
scan all machines again in Safe Mode. Do not reconnect anything to the
network until you are 100% sure all boxen are clean.

Malke

-- 
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"

