Posted by Malke on August 9, 2006, 8:37 am
Vida wrote:
> Dear Messrs,
>
> In our domain infrastructure we found, in some W2KPRO, the problem
> mentioned in the object.
> After I logged on as domain administrator and the proxy settings had
> been removed, I ran Windows Update.
> Then, after reboot, the computer works very slowly and it seems that
> the virtual memory doesn't work properly.
> Every running process has a high memory consumption.
> So please be informed that the following infections were found:
> - in "document and settings" folder there is a strange folder user
> - in that folder I find a new folder with the machine name like "COMP$"
> - on the user management a strange user was set as administrators
> - on the user right assignment I found the strange user with particular
> settings
> - in c:\winnt\temp I found an .exe file and symantec security response
> found a new virus
> - after the antivirus update (Corporate Edition 10.0.2) this file is kept
> in quarantine, but immediately a new .exe file was created.
> - I found that this (or a new) file is called from
> HKLM\software\microsoft\windows\currentversion\run.
> - in c:\programmi\file comuni\system (or microsoft shared) I found one
> or more .exe files that are encrypted by the strange user.
> - I found a service that use this .exe file and the strange user on
> logon tab
You will need to take the network down and either individually clean all
workstations and servers or - the better choice - flatten all systems and
apply your backup images. There is no other way to be 100% sure you've
gotten all of the infections and your machines are no longer compromised.
If your IT Dept. didn't make backup images and you cannot flatten the
systems, then take down the network and go machine-by-machine. Do not bring
the network back up until all machines are clean. Afterwards, review your
security, deployment, and backup policies and make necessary changes.
Here are some general cleanup instructions. Without knowing the name of the
virus Symantec av found, I can't comment on it.
Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware
If you are a small company and do not have an on-staff IT person or
department, then the smartest thing for you to do now is have a competent
professional computer repair person come on-site and clean up the mess.
Afterwards s/he can offer recommendations to you to help prevent this
happening again. Do not use "a friend of your brother's" or the like. Find
someone who is skilled and has experience working with networks.
Malke
--
MS-MVP Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"
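As an added example that is not part of the original thread, the script below walks the same classes of indicators Vida reported (unexpected local Administrators members, machine-account-style profile folders such as COMP$, Run-key entries and services pointing into temp or shared folders, executables in the system Temp directory) on a single host. It is written for a current Windows PowerShell, which the Windows 2000 machines in the thread predate, so it assumes a supported Windows version, an elevated session, and a site-specific list of expected administrators ($KnownAdmins is a placeholder to adjust).

```powershell
# Host triage for the indicator classes described in the thread.
# Added example, not from the original post. Assumptions: modern Windows,
# elevated PowerShell, and $KnownAdmins edited to match the site's real admins.

$KnownAdmins = @('Administrator', 'Domain Admins', 'Enterprise Admins')   # assumption
$findings = @()

# 1. Members of the local Administrators group that are not on the expected list.
$members = (& net localgroup Administrators) |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|The command|-+)' }
foreach ($m in $members) {
    if ($KnownAdmins -notcontains ($m -replace '^.*\\', '')) {
        $findings += [pscustomobject]@{ Check = 'LocalAdmin'; Detail = $m }
    }
}

# 2. Profile folders named like machine accounts (trailing $), not like people.
$profileRoot = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList').ProfilesDirectory
$profileRoot = [Environment]::ExpandEnvironmentVariables($profileRoot)
Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*$' } |
    ForEach-Object { $findings += [pscustomobject]@{ Check = 'ProfileDir'; Detail = $_.FullName } }

# 3. Run-key entries whose command lives in Temp, a user profile, or Common Files.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSDrive metadata added by the provider
        if ("$($p.Value)" -match '\\Temp\\|\\AppData\\|\\Common Files\\') {
            $findings += [pscustomobject]@{ Check = 'RunKey'; Detail = "$key\$($p.Name) = $($p.Value)" }
        }
    }
}

# 4. Services whose binary sits under Temp, or that log on as an account other
#    than the built-in service identities (Vida found the strange user on the Log On tab).
$standardSvcAccounts = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-CimInstance Win32_Service | ForEach-Object {
    $odd = ("$($_.PathName)" -match '\\Temp\\') -or
           ($standardSvcAccounts -notcontains $_.StartName -and $_.StartName -notlike 'NT SERVICE\*')
    if ($odd) {
        $findings += [pscustomobject]@{ Check = 'Service'; Detail = "$($_.Name): $($_.PathName) as $($_.StartName)" }
    }
}

# 5. Executables in the system Temp directory, where the dropper was found.
Get-ChildItem -Path "$env:SystemRoot\Temp" -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += [pscustomobject]@{ Check = 'TempExe'; Detail = $_.FullName } }

$findings | Format-Table -AutoSize
```

The output is a triage list, not a verdict: a domain service account in check 4 or a legitimate installer in check 3 will show up too, so compare against a known-good host before acting. It does not replace the advice in the reply above; once a machine has an attacker-created administrator and a self-restoring dropper, rebuilding from a trusted image is the only way to be sure.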