I couldn't remove or replace the explorer.exe but I did hunt down an 'extra' inetinfo and svchost program running as well as 2 kill utilities that should not have existed. I think I've cleaned out everything but I'll know after a day or two with no instant-reboot. Thanks for the help.
I'm just a bit worried how they got on as the machine is secure and I never had any problems in the past. This happened as soon as the hardware was moved to a new network.

> After some checking:
>
> - W32.Mocbot.A injects a program into Explorer.exe. Try shutting down
> explorer and restarting it from cmd. Then run another scan to hopefully
> clear out the offender.
>
> - Win32.Rbot.DSV is primarily a common form of spyware. This is probably
> being re-spread on every reboot.
>
> - Win32.Esbot.M is an alias of the W32.Mocbot.A
>
> It looks like the culprit is the first. The others don't seem to be as
> aggressive...
>
> Cheers,
>
> Kevin
>
>
> ----- Original Message -----
> From: "Michael Dinowitz" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[email protected]>
> Sent: Friday, November 04, 2005 1:54 PM
> Subject: Re: (OT) server rebooting after virus
>
>
>> W32.Mocbot.A was the first one but when I ran the CA anti-viral, it found
>> (at different times)
>> Win32.Rbot.DSV
>> Win32.Esbot.M
>>
>> I've removed accounts from the drives that looked like they didn't
>> belong, removed permissions on the drives that looked added, cleaned out
>> everything I can think of and looked everywhere for how the virus got on
>> in the first place. The machine is secure and the password is obscure. It
>> was either network or physically added after the move to the new
>> location.
>>
>> The fact that it's still rebooting the machine which is disrupting service
>> to the community is really upsetting me. :(
>>
>>>Michael,
>>>
>>>What virus did you find originally?
>>>
>>>-Mark
>>>
>>>
>>>-----Original Message-----
>>>From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
>>>Sent: Friday, November 04, 2005 2:21 PM
>>>To: CF-Talk
>>>Subject: (OT) server rebooting after virus
>>>
>>>
>>>The House of Fusion box picked up a virus somehow and even after I've
>>>cleaned it out the box is rebooting at random times. I suspect that the
>>>virus has put something in that causes a reboot but I can't find it.
>>>Anyone have a clue?
>>>This is the error message that keeps showing up in the logs:
>>>"The previous system shutdown at 1:26:52 PM on 11/4/2005 was unexpected."

