Re: Virus like activity, local security policy problem

From: Edward Alfert (edward@alfert.com)
Date: 08/29/02


From: Edward Alfert <edward@alfert.com>
Date: Thu, 29 Aug 2002 15:44:35 -0400


dejann@ wrote:

> I am having a virus like problem with 2 windows 2000 (sp3) workstations.
>
> On both machines interactive logon right was revoked for everyone except
> for a single domain user (same user in both cases).
> This can be changed using ntrights tool allowing me to log on, but the
> changes are reverted as soon as I reopen local security policy.
>
> Both machines were scanned for viruses with latest McAfee and Symantec AV
> tools and no viruses were found.
>
> Please help!
>
> Dejan

this is definitely a trojan of some kind...i have just come from helping
clean 2 w2kpro systems.

I should have written down the name of the files...but..go to
/winnt/system32/ and sort by date... you will notice there are several
programs that don't belong with very recent date/time ... i think one is
secedit.sdb or something like that...

another file is tftp<number> ...there are several of these files

there are also (i think) 3 files with 3 letters (with the same date and
time)... i think mdp or ndp or something like that.

also there is a fake taskmgr.exe ..it is called taskmngr.exe ...

norton dat dated 8/28 detected 12 viruses (irc trojan) and was able to
quarantine them.

i have managed to clean the systems but am having problems logging in from one
machine to the other... it works in one machine, but not the other.... one
way authorization.

as i get more information, i will post...

-- 
Edward Alfert
http://edward.alfert.com/ * http://www.sysadmin.info/
"Choose a job you love, and you will never have to work a day in your life."
 - Unknown Sage
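
The triage described in the reply above (sort system32 by date, then look for tftp<number> files, files sharing one timestamp, and a taskmgr.exe look-alike), written out as a Python example that is added here and is not part of the original post. The allow-list of genuine names, the 0.85 similarity threshold and the seven-day window are assumptions.

```python
import os
import re
import time
from collections import defaultdict
from difflib import SequenceMatcher

# Assumed, deliberately short allow-list of genuine binary names; extend for real use.
KNOWN_GOOD = {"taskmgr.exe", "svchost.exe", "services.exe", "lsass.exe",
              "winlogon.exe", "explorer.exe", "tftp.exe"}
TFTP_DROP = re.compile(r"^tftp\d+$", re.IGNORECASE)  # "tftp<number>" from the post


def lookalike(name, known=KNOWN_GOOD, threshold=0.85):
    """Return the genuine name that `name` imitates, or None."""
    name = name.lower()
    if name in known:
        return None
    for good in sorted(known):
        if SequenceMatcher(None, name, good).ratio() >= threshold:
            return good
    return None


def triage(directory, days=7, now=None):
    """List recently modified files, newest first, with reasons for suspicion."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    recent = []
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            mtime = int(entry.stat(follow_symlinks=False).st_mtime)
            if mtime >= cutoff:
                recent.append((mtime, entry.name))
    by_time = defaultdict(list)  # files dropped together share a timestamp
    for mtime, name in recent:
        by_time[mtime // 60].append(name)
    findings = []
    for mtime, name in sorted(recent, reverse=True):
        reasons = []
        imitated = lookalike(name)
        if imitated:
            reasons.append(f"name resembles {imitated}")
        if TFTP_DROP.match(name):
            reasons.append("tftp<number> pattern")
        if len(by_time[mtime // 60]) >= 3:
            reasons.append("same minute as other new files")
        findings.append((name, mtime, reasons))
    return findings
```

File timestamps can be altered after the fact, so an empty result does not show a machine is clean; treat the output as a starting list for inspection.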

