Mourad70007 (Programmer)
25 Jan 09 5:14
Hello all,
I have a malware on our server (Windows 2003 with Exchange) that causes the following:
1- I keep getting spam from all the users on the domain
2- When I try to search for "virus" in IE on the server, the search is blocked and no results are displayed!
3- The network is really slow (the server acts as the gateway as well)
I have downloaded ThreatFire, Malwarebytes and others, but can't find anything!
Any ideas?
BadBigBen (MIS)
25 Jan 09 10:54
Download HiJackThis, from the TREND MICRO website...

e.g. onto a USB Flash stick...

run it with the logging feature, and paste the log here for our perusal...

Note: read the log first, and make changes to sensitive data, e.g. IP addies, by replacing them with asterisks ...  

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.

Mourad70007 (Programmer)
26 Jan 09 3:37
For the record, I've used Bitdefender's rescue disk. It found about 2000 infections and deleted them, but the problem still persists.
Here's the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:53 AM, on 1/26/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft ISA Server\isastg.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
D:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\locator.exe
D:\Program Files\Avira\AntiVir Exchange\Engine\savapi2s.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SMSUtilityService.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESrv.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\ConsoleAppMgr.exe
D:\Program Files\Symantec\CMaF\2.0\bin\CmafReportSrv.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\tcpsvcs.exe
D:\Program Files\Exchsrvr\bin\exmgmt.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSECtrl.EXE
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSEUI.EXE
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSELog.EXE
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESJM.EXE
D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSETask.exe
D:\Program Files\Exchsrvr\bin\mad.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
D:\Program Files\Exchsrvr\bin\store.exe
D:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
C:\Program Files\SPAMfighter\bin\SPAMfighter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SRNMIC~2\SOLOSENT.EXE
C:\PROGRA~1\SRNMIC~2\SOLOCFG.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = server:8080
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Downloads\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [SoloSentry] C:\PROGRA~1\SRNMIC~2\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] C:\PROGRA~1\SRNMIC~2\SOLOCFG.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\PROGRA~1\SRNMIC~2\SYSCHECK.COM
O4 - HKLM\..\Run: [ThreatFire] d:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - D:\Downloads\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Downloads\GetRight\GRbrowse.htm
O15 - ESC Trusted Zone: http://www.9down.com
O15 - ESC Trusted Zone: http://view.atdmt.com
O15 - ESC Trusted Zone: http://cache1.badongo.com
O15 - ESC Trusted Zone: http://www.badongo.com
O15 - ESC Trusted Zone: http://dist.belnk.com
O15 - ESC Trusted Zone: http://www.betaupdate.com
O15 - ESC Trusted Zone: http://cn.bitcomet.com
O15 - ESC Trusted Zone: http://www.bitcomet.com
O15 - ESC Trusted Zone: http://www.christensen-software.com
O15 - ESC Trusted Zone: http://blog.crowe.co.nz
O15 - ESC Trusted Zone: http://ftp.cvut.cz
O15 - ESC Trusted Zone: http://ad.doubleclick.net
O15 - ESC Trusted Zone: http://download3.emsisoft.com
O15 - ESC Trusted Zone: http://www.ewido.net
O15 - ESC Trusted Zone: http://search.experts-exchange.com
O15 - ESC Trusted Zone: http://www.experts-exchange.com
O15 - ESC Trusted Zone: http://download.f-secure.com
O15 - ESC Trusted Zone: http://www.f-secure.com
O15 - ESC Trusted Zone: http://fs7.filehippo.com
O15 - ESC Trusted Zone: http://*.filehippo.com
O15 - ESC Trusted Zone: http://dl11.filekicker.net
O15 - ESC Trusted Zone: http://dl5.filekicker.net
O15 - ESC Trusted Zone: http://www.google-analytics.com
O15 - ESC Trusted Zone: http://pagead2.googlesyndication.com
O15 - ESC Trusted Zone: http://downloads.grisoft.cz
O15 - ESC Trusted Zone: http://iplaza.hanjin.com
O15 - ESC Trusted Zone: *.hotmail.com
O15 - ESC Trusted Zone: http://h20000.www2.hp.com
O15 - ESC Trusted Zone: http://h20180.www2.hp.com
O15 - ESC Trusted Zone: http://welcome.hp.com
O15 - ESC Trusted Zone: http://www.hp.com
O15 - ESC Trusted Zone: http://www.internetaccessmonitor.com
O15 - ESC Trusted Zone: http://forums.isaserver.org
O15 - ESC Trusted Zone: http://www.isaserver.org
O15 - ESC Trusted Zone: http://ads.isoftmarketing.com
O15 - ESC Trusted Zone: http://www.ivasoft.biz
O15 - ESC Trusted Zone: http://www.liutilities.com
O15 - ESC Trusted Zone: http://www.marshal.com
O15 - ESC Trusted Zone: http://*.milmar.com.eg
O15 - ESC Trusted Zone: http://www.mininova.org
O15 - ESC Trusted Zone: http://www.msexchange.org
O15 - ESC Trusted Zone: http://www.mynetwatchman.com
O15 - ESC Trusted Zone: http://www.pandasoftware.com
O15 - ESC Trusted Zone: http://loginnet.passport.com
O15 - ESC Trusted Zone: http://login.passport.net
O15 - ESC Trusted Zone: http://www.pctools.com
O15 - ESC Trusted Zone: http://gw.senatorlines.com
O15 - ESC Trusted Zone: http://*.server
O15 - ESC Trusted Zone: http://www.soft32.com
O15 - ESC Trusted Zone: http://download.softpedia.com
O15 - ESC Trusted Zone: http://www.softwarearchives.com
O15 - ESC Trusted Zone: http://heanet.dl.sourceforge.net
O15 - ESC Trusted Zone: http://mesh.dl.sourceforge.net
O15 - ESC Trusted Zone: http://www.srnmicro.com
O15 - ESC Trusted Zone: http://www.symantec.com
O15 - ESC Trusted Zone: http://download.sysinternals.com
O15 - ESC Trusted Zone: http://www.tacteam.net
O15 - ESC Trusted Zone: http://mirror2.mirrors.tds.net
O15 - ESC Trusted Zone: http://adclient1.tucows.com
O15 - ESC Trusted Zone: http://www.tucows.com
O15 - ESC Trusted Zone: http://ie.releases.ubuntu.com
O15 - ESC Trusted Zone: http://www.ubuntu.com
O15 - ESC Trusted Zone: http://mirror.its.uidaho.edu
O15 - ESC Trusted Zone: http://download.utorrent.com
O15 - ESC Trusted Zone: http://www.windowsecurity.com
O15 - ESC Trusted Zone: http://www.windowsitpro.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://ad.yieldmanager.com
O15 - ESC Trusted Zone: http://torrent.zoink.it
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://82.201.208.165
O15 - ESC Trusted IP range: http://10.70.49.1
O15 - ESC Trusted IP range: http://82.201.208.166
O16 - DPF: {475DF11A-2BC2-41A9-8A97-E989E023E517} (SetupComponent Class) - http://gw.senatorlines.com/ezIcd.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139302760281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205827782671
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MILMAR.COM.EG
O17 - HKLM\Software\..\Telephony: DomainName = MILMAR.COM.EG
O17 - HKLM\System\CCS\Services\Tcpip\..\{A710B035-825F-4331-A98C-CFB66F6D9AF6}: NameServer = 213.131.66.246,213.131.66.138,10.70.49.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8BF6E49-066B-4DF7-924D-CD25C488D446}: NameServer = 10.70.49.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MILMAR.COM.EG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = MILMAR.COM.EG
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Microsoft Exchange Event (MSExchangeES) - Unknown owner - D:\Program Files\Exchsrvr\bin\events.exe (file missing)
O23 - Service: Savapi-Service - Avira GmbH - D:\Program Files\Avira\AntiVir Exchange\Engine\savapi2s.exe
O23 - Service: Savapi-Update-Service - Unknown owner - D:\Program Files\Avira\AntiVir Exchange\Engine\DwldSvc.exe (file missing)
O23 - Service: Symantec Mail Security Utility Service (SAVFMSESpamStatsManager) - Unknown owner - D:\Program Files\Symantec\SMSMSE\6.0\Server\SMSUtilityService.exe
O23 - Service: Symantec Mail Security for Microsoft Exchange (SMSMSE) - Symantec Corporation - D:\Program Files\Symantec\SMSMSE\6.0\Server\SAVFMSESrv.exe
O23 - Service: SPAMfighter - SPAMfighter ApS - C:\Program Files\SPAMfighter\bin\SPAMfighter.exe
O23 - Service: SQLSERVERAGENT - Unknown owner - D:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE (file missing)
O23 - Service: ThreatFire - PC Tools - d:\Program Files\ThreatFire\TFService.exe

--
End of file - 11951 bytes

 
sggaunt (Programmer)
26 Jan 09 6:37
I cannot see anything obvious in the log.
Did you run Malware bytes and the other AV Tools in Safe mode?

Do you have any way to run a network traffic analysis?

It's possible there is malware on your network, but not necessarily on the server!

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

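Steve's suggestion to look at the traffic is the quickest way to tell whether the spam is leaving the LAN from the server itself or from workstations behind it, since the symptom in the opening post (spam apparently from internal users, a slow network, the server acting as gateway) fits a mass-mailing bot. The Python script below is an added example, not code posted in the thread: it reads a simple connection log (timestamp, protocol, source, destination), keeps only TCP/25 connections from the internal range to the outside, and reports every internal host other than the designated mail relay that is reaching external mail servers, singling out hosts that contact many distinct destinations. The log shape, the 10.0.0.0/8 internal range, the relay address 10.0.0.5 and the threshold are all assumptions, and the sample lines are constructed with documentation (203.0.113.0/24) addresses.

```python
"""Find internal hosts that behave like a spam bot in a connection log.

Added example for this thread; the log format, LAN range, relay address and
threshold are assumptions, and SAMPLE_LOG is constructed, not captured."""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed site LAN
ALLOWED_SMTP_SENDERS = {"10.0.0.5"}                 # assumed: the Exchange box
DISTINCT_DEST_THRESHOLD = 5                         # assumed mass-mailer cut-off

# Assumed log shape: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_connections(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def smtp_senders(text):
    """Map each internal source IP to the set of external hosts it reached on TCP/25."""
    per_host = defaultdict(set)
    for c in parse_connections(text):
        if c["proto"] != "TCP" or c["dport"] != "25":
            continue
        src = ipaddress.ip_address(c["src"])
        dst = ipaddress.ip_address(c["dst"])
        # Only LAN -> Internet SMTP matters here; LAN -> LAN is the clients
        # talking to their own mail server.
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            per_host[str(src)].add(str(dst))
    return per_host


def find_spam_bots(text):
    """Return sorted (source_ip, reason) pairs for hosts that should not be sending mail out."""
    findings = []
    for src, dests in smtp_senders(text).items():
        if src in ALLOWED_SMTP_SENDERS:
            continue   # the relay is expected to talk to many MX hosts
        if len(dests) >= DISTINCT_DEST_THRESHOLD:
            findings.append((src, f"mass-mailer: {len(dests)} distinct external SMTP servers"))
        else:
            findings.append((src, f"direct outbound SMTP bypassing the relay ({len(dests)} destination(s))"))
    return sorted(findings)


# Constructed sample: 10.0.0.5 is the relay, 10.0.0.42 sprays six MX hosts,
# 10.0.0.17 sends one message directly, 10.0.0.9 only browses and resolves DNS.
SAMPLE_LOG = """\
2009-01-26 10:00:01 TCP 10.0.0.5:2501 -> 203.0.113.10:25
2009-01-26 10:00:02 TCP 10.0.0.5:2502 -> 203.0.113.11:25
2009-01-26 10:00:03 TCP 10.0.0.42:1025 -> 203.0.113.20:25
2009-01-26 10:00:03 TCP 10.0.0.42:1026 -> 203.0.113.21:25
2009-01-26 10:00:04 TCP 10.0.0.42:1027 -> 203.0.113.22:25
2009-01-26 10:00:04 TCP 10.0.0.42:1028 -> 203.0.113.23:25
2009-01-26 10:00:05 TCP 10.0.0.42:1029 -> 203.0.113.24:25
2009-01-26 10:00:05 TCP 10.0.0.42:1030 -> 203.0.113.25:25
2009-01-26 10:00:06 TCP 10.0.0.42:1031 -> 203.0.113.20:25
2009-01-26 10:00:07 TCP 10.0.0.17:3001 -> 203.0.113.30:25
2009-01-26 10:00:08 TCP 10.0.0.9:3002 -> 203.0.113.40:80
2009-01-26 10:00:09 UDP 10.0.0.9:53412 -> 10.0.0.1:53
garbage line that should be skipped
"""

if __name__ == "__main__":
    for src, reason in find_spam_bots(SAMPLE_LOG):
        print(f"{src:15} {reason}")
```

On a real gateway the input would be the firewall's connection log reduced to these tuples; the useful number is the per-source count of distinct external SMTP destinations, because a mail client talks to one server while a bot talks to hundreds. A host that sends any direct outbound SMTP while a relay exists is worth a look even below the threshold.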
Mourad70007 (Programmer)
26 Jan 09 7:30
Thanks for your help.
The main problem is that I cannot load in safe mode. Whenever I try to boot in safe mode, I get a blue screen. Is it possible a virus could do that?
I already did a scan using Malwarebytes (in normal mode) but it found nothing.
I went ahead and disabled a lot of the services and startup programs using HijackThis. Things appear to be normal now, but the Exchange services stopped working!
sggaunt (Programmer)
26 Jan 09 8:09

Quote:

The main problem is that I cannot load in safe mode. Whenever I try to boot in safe mode, I get a blue screen. Is it possible a virus could do that?

Unlikely: make a note of the exact message that comes up on the blue screen and post it in the forum for your operating system.

Quote:

I already did a scan using Malwarebytes (in normal mode) but it found nothing.
Malwarebytes is very highly recommended at present; if it finds nothing at all, not even remnants, then there probably isn't anything to find.

Quote:

I went ahead and disabled a lot of the services and startup programs using HijackThis. Things appear to be normal now, but the Exchange services stopped working!
Hmmm, Viri and other Malware don't usually advertise themselves in the services list or the startup list.
Turn stuff back on one by one, until you get your functionality back!!


 

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

BadBigBen (MIS)
26 Jan 09 12:02

Quote:

It found about 2000 infections and deleted them, but the problem still persists.
This is a hell of a lot of stuff... maybe time to redo the server...
especially with all those 0-Day, warez, P2P sites and ad-sites that are listed in your TRUSTED ZONE... a sure fire way of getting malware...

besides that I can only concur with sggaunt...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.

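The Trusted Zone and service entries Ben is pointing at can be pulled out of a HijackThis log mechanically rather than by eye. The following Python script is an added example, not code from the thread or from Trend Micro: it parses the O15 (ESC Trusted Zone) and O23 (Service) lines of a HijackThis v2 log, flags Trusted Zone hosts that look like ad networks, download mirrors or P2P sites against an assumed keyword list, flags trusted IP ranges for manual confirmation, and flags services whose binary is reported missing or that carry no publisher. The embedded sample log is constructed to mirror the shape of the log above; the hint lists, the expected-host list and the severity labels are the example's own assumptions, not anyone's published blacklist.

```python
"""Triage the O15 (ESC Trusted Zone) and O23 (Service) lines of a HijackThis v2 log.

Added example for this thread; the keyword lists are assumptions, not a vendor
blacklist, and SAMPLE_LOG is constructed to resemble the posted log."""
import re

# Assumed hints: name fragments of ad, download-mirror and P2P hosts that have
# no business in a server's Trusted Zone.  Matched as substrings.
SUSPICIOUS_SUBSTRINGS = ("torrent", "bitcomet", "mininova", "badongo", "9down",
                         "doubleclick", "yieldmanager", "googlesyndication", "adclient")
# Short words are matched as whole DNS labels so "downloads.example" is not hit.
SUSPICIOUS_LABELS = {"ad", "ads"}
# Assumed: hosts that legitimately sit in the Trusted Zone on Windows 2003.
EXPECTED_TRUSTED = ("windowsupdate.com", "update.microsoft.com")

O15_RE = re.compile(r"^O15 - ESC Trusted (Zone|IP range): (\S+)(?: \(HKLM\))?$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")


def parse_hjt(log_text):
    """Extract Trusted Zone entries and services from a HijackThis log."""
    trusted, services = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O15_RE.match(line)
        if m:
            kind, target = m.groups()
            host = re.sub(r"^https?://", "", target)   # drop the scheme, keep wildcards
            trusted.append({"kind": kind, "host": host})
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path, missing = m.groups()
            services.append({"name": name, "owner": owner, "path": path,
                             "missing": missing is not None})
    return {"trusted": trusted, "services": services}


def looks_suspicious(host):
    """True when the host name carries an ad/download/P2P fragment."""
    return (any(s in host for s in SUSPICIOUS_SUBSTRINGS)
            or bool(SUSPICIOUS_LABELS & set(host.split("."))))


def triage(parsed):
    """Return (severity, message) findings, highest severity first."""
    findings = []
    for entry in parsed["trusted"]:
        host = entry["host"].lower()
        if any(host.endswith(ok) for ok in EXPECTED_TRUSTED):
            continue
        if entry["kind"] == "IP range":
            findings.append(("medium", f"trusted IP range {host}: confirm it is a known internal host"))
        elif looks_suspicious(host):
            findings.append(("high", f"ad/download/P2P host in Trusted Zone: {host}"))
        else:
            findings.append(("low", f"Trusted Zone entry {host}: justify it on a server"))
    for svc in parsed["services"]:
        if svc["missing"]:
            findings.append(("medium", f"service '{svc['name']}' points at a missing binary: {svc['path']}"))
        elif svc["owner"] == "Unknown owner":
            findings.append(("low", f"service '{svc['name']}' has no publisher: {svc['path']}"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


def summarize(log_text):
    """Count findings per severity; useful for a before/after comparison of a cleanup."""
    findings = triage(parse_hjt(log_text))
    return {sev: sum(1 for s, _ in findings if s == sev) for sev in ("high", "medium", "low")}


# Constructed sample shaped like the thread's log (IP is a documentation address).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O15 - ESC Trusted Zone: http://www.bitcomet.com
O15 - ESC Trusted Zone: http://ad.doubleclick.net
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted Zone: http://www.symantec.com
O15 - ESC Trusted IP range: http://192.0.2.10
O23 - Service: Example Updater (exupd) - Unknown owner - D:\Program Files\Example\upd.exe (file missing)
O23 - Service: ThreatFire - PC Tools - d:\Program Files\ThreatFire\TFService.exe
"""

if __name__ == "__main__":
    for severity, message in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity:6}] {message}")
```

A "file missing" service is not itself proof of malware (the thread's log shows it for vendor components that were never fully installed), but it is exactly the residue a cleanup tool leaves when it deletes a binary and not the service that launched it, so each one should be explained or removed. The low-severity "justify it" entries are there because on a server the Trusted Zone should be nearly empty; Ben's point is that a long list of download sites means someone has been browsing from the box.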
sggaunt (Programmer)
26 Jan 09 14:50
To be honest I did wonder about all that stuff on a commercial server! But not for us to comment!
 

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

BadBigBen (MIS)
26 Jan 09 16:39
sggaunt - to be honest, if I see something amiss, I will comment on it, and if he is the admin then he should know about that...  

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.

Mourad70007 (Programmer)
27 Jan 09 1:56
Thanks for all the suggestions.
I have done another scan with BitDefender Rescue disk. It cleaned everything up but the server is still terribly slow.
Frankly, I am starting to doubt there is still malware on the server; I think it's simply corrupted now.
I still get the spam email. But that may as well be coming from outside. The IP in the header is external. But that spam thing (appearing to be coming from users inside our network) only started recently.
 
goombawaho (MIS)
27 Jan 09 12:41
Somebody needs to get into big trouble because they probably got the malware/virus on the server by surfing the internet FROM the server.  That is basically a big NO-NO.

If somebody wasn't surfing the web, was the machine not protected by Anti-malware or A/V or were the definitions not up to date?  Again - a punishable offense.
wahnula (TechnicalUser)
29 Jan 09 17:33

Quote (sggaunt):

...But not for us to comment!

Absolutely incorrect!  When someone posts that they have malware or other problems on their SERVER and asks for help, it is our duty to advise them that browsing questionable sites is bad enough if you do it from a client; it's a Worst Practice to do it from a server and deserving of comment.

I treat my server like an immune-deficient baby, only browsing the Web when absolutely necessary, protecting it from the world as best I can.  If I need something from the Web, I download it on a client, scan for viruses, then store it to a shared folder on the server and install it from there.  Safe computing is no accident...   

Tony

Users helping Users...

Grenage (MIS)
30 Jan 09 6:23
Nobody coming onto a technical help forum needs people telling them that heads must roll.

Mourad70007:
It would be worth your time formatting and reinstalling that server, it sounds like a lost cause.  The posts referring to browsing from the server are correct, it's not really advised.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer

Mourad70007 (Programmer)
30 Jan 09 8:14
Thank you all for your help. I know one shouldn't be browsing the internet from the server (it wasn't me actually).

UPDATE: I discovered we have the "Sality.Y" virus all over the network. I can't format and reinstall the server now; it will take a long time and people are using the server.
Other infected computers would not boot in safe mode. Can this virus do this? I've never seen this before. I am cleaning all the machines one by one.
 
Grenage (MIS)
30 Jan 09 8:27
A virus can do a lot of things, especially if it's got domain access rights on a server.  You'll need to clean the workstations, and proof them against further infection (what AV are they running?).  Cleaning out and restoring the server should be done as soon as you can.

For reference, see the following link to that virus:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-031607-5450-99&tabid=1

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer

goombawaho (MIS)
30 Jan 09 8:28
Hey - I'm not trying to be mean or anything, but it's a reality that we are here to help, and if helping means solving the problem and suggesting ways for it not to be a REPEAT OCCURRENCE, then that's what I'll do.

Server downtime due to incompetence is not acceptable where I come from.  Sure, everybody makes a mistake once in a while, but if in fact (and we don't know this for sure) the malware was gotten first on the server from surfing the web, I'd be real worried.
PaulTEG (TechnicalUser)
30 Jan 09 14:14
He's explained it wasn't him ...
He's aware of best and worst practices now ...
We don't know where he works, or for whom, or whether they have a decent Internet Acceptable Use Policy ...

"Learn from the mistakes of others, you'll never grow old enough to make them all yourself"  --Martin Vann Bee

Paul
------------------------------------
Spend an hour a week on CPAN, helps cure all known programming ailments

cmeagan656 (TechnicalUser)
30 Jan 09 15:16

Quote (Mourad 70007):

I can't format and reinstall the server now, it will take a long time and people are using the server.
If you are only cleaning one computer at a time, and that computer is then reconnected to the network, then it risks being reinfected by the server or another infected machine, since it appears that your anti-virus solution isn't catching it.

Sality.Y has been around since March of 2007.  I'm surprised that your anti-virus solution didn't pick up the infection before it spread.  Surely it can't have been on your network for almost two years?  Sality.Y is a key logger, so once you get your entire network clean I would force a change of all passwords.

Cheers.
BadBigBen (MIS)
30 Jan 09 15:31

Quote (PaulTEG):

We don't know where he works, or for whom
MILMAR SHIPPING COMPANY, 8 Ahmed Orabi st, Alexandria, Egypt. Would be my humbly educated guess...

Quote (PaulTEG):

He's aware of best and worst practices now ...
quite correct, and what he should do as well...

Quote (cmeagan656):

Sality.Y is a key logger, so once you get your entire network clean I would force a change of all passwords.
GOOD advice...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.

2ffat (Programmer)
30 Jan 09 16:25
Network World has an article about a product called Reimage that might be what you are looking for. I can't vouch for it personally but it might be worth a shot.

 

James P. Cottingham
I'm number 1,229!

Mourad70007 (Programmer)
30 Jan 09 16:28
Thanks again. Like I said, we've had an intern who messed up the server real bad. I am trying to rectify the situation now.

I guess I should've removed my IP from the log file before posting after all! I don't want this page to show up in search results!
 
goombawaho (MIS)
31 Jan 09 9:18
Spies R Us.
