Posted by Gary S. Terhune on September 24, 2006, 3:44 pm
Flattening isn't really an option for at least another two months. I work on
this network remotely and won't be getting down there until November. But
yeah, I figure I'll flatten it then. No, no imaging being done, just backup
of data files.
I don't notice any other odd traffic, and this stuff is being blocked. Guess
I'll run HJT and see what comes up.
--
Gary S. Terhune
MS MVP Shell/User
> Gary S. Terhune wrote:
>
> > I have an XP Pro box on an SBS network (one SBS Premium server w/ ISA
> > 2004, two XP Pro clients.) The box was heavily infected by numerous
> > viruses and other malware on 9/11. Issues with antivirus installation
> > resulted in its not updating for some time, but I'm not certain just how
> > it all got started. Far as I can tell, none of it got to any of the other
> > machines on the network.
> >
> > I cleaned up using various AV and anti-spyware tools (AdAware, Spybot,
> > Trend-Micro AV) and it seems to be healthy now, but the ISA logs show this
> > machine making repeated calls on DNS protocol, port 53, to two different
> > IPs that belong to a web hosting company in the Ukraine. I can't help but
> > think that this is malware in action, but can't determine what is doing
> > it. The ISA firewall is blocking the requests, but I'd like to know what's
> > going on. Any ideas on how to trace this? I can't find anything in running
> > processes that isn't supposed to be there. Note that these calls are being
> > made even when nobody is logged on to the machine. They're averaging one
> > per second.
> >
>
> The box is definitely still infected. Since this is a work machine, I would
> flatten it and apply your latest image. If you don't image your
> workstations, I would still flatten it because you can't be 100% sure it is
> trustworthy. Then examine your security policies on that workstation to see
> how it got infected; i.e., make sure users can't install software, etc.
>
> If you still want to work with it without flattening (not recommended), I
> would remove it from the network first. Then run HijackThis and post your
> log at one of the specialty sites listed below (in no particular order and
> not here, please):
>
> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
> http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 - another
> tutorial
>
> http://www.atribune.org/forums/index.php?showforum=9
> http://aumha.net/viewforum.php?f=30
> http://www.bleepingcomputer.com/forums/forum22.html
> http://castlecops.com/forum67.html
> http://www.dslreports.com/forum/cleanup
> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
> http://gladiator-antivirus.com/forum/index.php?showforum=170
> http://forums.subratam.org/index.php?showforum=7
> http://spywarewarrior.com/viewforum.php?f=5
> http://forums.techguy.org/54-security/
> http://forums.tomcoyote.org/
>
> Malke
> --
> MS-MVP Windows Shell/User
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic"
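As an added example (not code from either poster), here is the kind of check one could run over exported firewall log lines to surface the behaviour described in the thread: one client repeating DNS traffic to the same outside address at a steady interval, which is how a beaconing infection looks from the perimeter even while the firewall is denying it. The log layout, the addresses and the approved-resolver list are constructed for this example and are not ISA Server's real log format.

```python
"""Flag hosts that send regular, repeated DNS traffic to non-approved servers."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (time, client IP, remote IP, remote port, protocol,
# action). This layout is an assumption for the example, not ISA's W3C fields.
SAMPLE_LOG = """\
2006-09-24 08:00:00,192.168.16.10,192.168.16.2,53,UDP,Allowed
2006-09-24 08:00:00,192.168.16.11,203.0.113.5,53,UDP,Denied
2006-09-24 08:00:01,192.168.16.11,203.0.113.5,53,UDP,Denied
2006-09-24 08:00:02,192.168.16.11,203.0.113.5,53,UDP,Denied
2006-09-24 08:00:03,192.168.16.11,203.0.113.5,53,UDP,Denied
2006-09-24 08:00:04,192.168.16.11,203.0.113.5,53,UDP,Denied
2006-09-24 08:00:17,192.168.16.10,198.51.100.9,80,TCP,Allowed
2006-09-24 08:00:43,192.168.16.10,192.168.16.2,53,UDP,Allowed
"""

# The resolver(s) clients are supposed to use; assumed value for the example.
INTERNAL_DNS = {"192.168.16.2"}


def parse(text):
    """Turn the CSV-style lines into (timestamp, src, dst, port, proto, action)."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, proto, action = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     src, dst, int(port), proto, action))
    return rows


def find_dns_beacons(rows, min_hits=5, max_jitter=0.25):
    """Return (src, dst, hits, mean_gap_seconds) for port-53 traffic to servers
    outside INTERNAL_DNS whose inter-arrival times are regular, i.e. the
    standard deviation of the gaps is at most max_jitter times their mean.
    The action column is deliberately ignored: denied traffic still names
    the infected host, which is exactly what the ISA logs showed."""
    flows = defaultdict(list)
    for ts, src, dst, port, _proto, _action in rows:
        if port == 53 and dst not in INTERNAL_DNS:
            flows[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, dst, len(times), avg))
    return findings
```

Once the log identifies the client and the one-second cadence, the timing is the useful clue on the host itself: a process running with that regularity while nobody is logged on points at a service or driver rather than a user program.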