Pesky Infection

Discussion in 'Trojan Defence Suite' started by Pesky infection, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. I got what appears to be a Netsky infection. I also can't seem to delete a folder in my Exchange server.
    McAfee found 7 infected files. TDS3 found 1 trojan in a video folder. But once the O/S was turned on, Exchange began dumping badmail. One of the problems I found was in the recovery dir. A user which is not part of the system, actually I can trace that user to a server that has been removed from the network. Anyhow, that user deleted the badmail folder back in Oct. last year. I followed a MS process to kill the recovery dir. but I couldn't complete the task. I went to the DOS shell and used the ATTRIB command to show hidden files. I killed everything I could see. Now the recovery dir has two dirs, but I can't clean them. When I use the O/S explorer I can see a SID file related to a user and in there are the BAD and BRD files that were deleted months ago. I think this is one of the locations the virus is spawning from. Just a few minutes ago Norton picked up the Netsky virus in an Exchange queue file.
     
  2. FanJ (Guest)


    Hi,

    On a strictly personal note:

    Having read your posting, I think that I might assume that you are a system admin.
    Am I right?
    What I don't understand is that a system admin:
    1- doesn't have the resources to solve this;
    2- doesn't register on this board;
    3- is asking for free help on something that could be, but I could well be wrong here, a MS exchange issue;
    4- doesn't ask MS for help.

    But that all is strictly my personal opinion.
     
  3. Sorry, but I thought the internet was meant for information exchange.
    Sorry if I was wrong.
    Sorry if I ever thought that this was a security forum.
    I have ERD Commander 2003 but it's my own personal copy and I don't want to use it at my work due to registration restrictions. Hence I was asking for help from others. I also know that I can use Knoppix Linux to remove the folder, but I am so sorry that I ever thought that I could get any other help from this board.
     
  4. FanJ (Guest)


    Hi Pesky infection,

    I have to apologize to you!
    Most definitely I was the one who was wrong here :oops:

    Of course you can get help, if members have the knowledge to give it.
    I should have said: I don't know anything about Exchange from MS :oops:

    I really hope that someone else will jump in and try to help you!!!

    Sorry again!!!
     
  5. Jooske (Registered Member, Netherlands, EU near the sea)

    Hi there, and welcome to the forum,
    With full respect to FanJ's questions too.
    Knowing FanJ for many years, and how he has helped thousands of people on the internet, I'm sure part of his consideration is also that he does not want your system damaged by possibly wrong advice from us, and the risk of your company ending up in bad words.

    This needs indeed more advanced help, by people who are familiar with the environment and problems you describe. They certainly are here on this board; we need to find them, but we will! :) There are fine network and MS VIPs around, I just wish I could place an advertisement at the top of the forum for one of them to jump in here right this moment; asking around in the meantime for you :D
    My own skills extend to TDS and other DiamondCS tools, mainly.

    What is there against using the other tools for a cleansing, except licensing issues? Could Knoppix do the job for you? Are there other/better, more wanted ways, and better results or risks to expect?
    You know, we do what we can, of course, and fortunately you do know what you are involved with, so you can avoid dramas for your system!

    Would you like us to concentrate on the Netsky infection first? (I guess you will, and that it is what you are here for in the first place.)
    Did TDS find only one infection, also when you scanned with all other scanners completely closed? And TDS fully updated and with every possible scan option checked?
    Could you right click on one of the alerts in the bottom screen and save as text (which is the scandump.txt file in the TDS directory) and post that here in your next posting?
    Thanks a lot!

    In the meantime I'm thinking about Port Explorer, a port-to-process mapper which gives you an almost realtime overview of everything happening on your system, suspicious connections etc., spy options on sockets, with which you might be able to locate and kill the nasties immediately and stop the spamming. Very handy tool and light on resources.
    Get the free eval at the DiamondCS site too (see my signature).
    I would feel better if I knew you could locate and stop those things, and then we can go (with MS VIPs) deeper into the Netsky removal.
     
    Last edited: Jul 8, 2004
  6. Jooske (Registered Member, Netherlands, EU near the sea)

    Oh yeah, I have one more tool for you:
    Is your server Win2003 or other?

    Did you also see on the DiamondCS pages the AutoStartViewer, which with all scan options checked will show you all autostarting processes and services, drivers, and whatever might be hidden, and which can be cleansed with that same tool?
    http://www.diamondcs.com.au/index.php?page=asviewer
    (all free)
    There are more very handy tools there, as you will see.
    After you're cleansed you might like to look at ProcessGuard to immunise your system a lot more, but that should be installed on a clean(ed) system.

    Looking forward to your scan reports!
     
  7. Gavin - DiamondCS (Former DCS Moderator, Perth, Western Australia)

    Hi,

    Sounds like it has nothing to do with Netsky. You say you had emails in the server, but they were just data? You can't be infected unless you either manually ran one of the attachments, or you VIEWED an infected email in Outlook Express on a system that was missing old, old patches. Highly unlikely from what you have posted!

    I'd try Safe Mode or boot to some other OS if you have one of those undeletable folders... but first, WHAT folder? Where is it located?
     
  8. I apologize for my previous post.
    Yes, when I get back to work I will try the port mapper. I am not the admin of that service. I am only trying to help a friend out. I am an admin in a different location.
    We already went to Exchange and other forums. Basically we are working on the ask, sift and analyze technique: asking questions on different boards and then analyzing the answers; that way we can attack the problem from different angles.
     
  9. Jooske (Registered Member, Netherlands, EU near the sea)

    Nice to see you back! And nothing to apologise about, of course.
    It was just that we thought not to spoil your precious business systems with maybe inadequate advice!

    It is always good to look from various sides, but maybe the solution is very easy in the end.

    Hope in your next posting you can answer Gavin's questions too?
    It might help to see what was tried already in other forums. What has been tried, and the results, like we can read in links you might post for us!
    With TDS on both systems you can do remote administration too, which might be helpful in this situation. The TDS helpfile tells only some of it, for understandable reasons; in the script files there is a little TDS script for that purpose too.
    Hmmm, since your friend is in another location, did you try to install the CryptoSuite, which has a secure messaging box to chat with your friend, while the other main function of the tool is of course securing data via encryption and safe deletion etc.?

    On the DiamondCS site there is a wealth of tools, even test tools to terminate processes which even help in undeletable occasions, I heard. So go shopping there; those tools are all free anyway, and so are the evaluation versions of the programs!

    I'm sure your friend's system will be clean in no time!
     