Only defense here really is to reformat - move data to new server and start afresh.
Experience tells you that as soon as a machine gets infected it needs to be reformatted; you just don't know how many rootkits you may have etc...

-----Original Message-----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: CF-Talk <[email protected]>
Sent: Sun Nov 06 01:45:23 2005
Subject: Re: (OT) server rebooting after virus

I couldn't remove or replace the explorer.exe but I did hunt down an 'extra' inetinfo and svchost program running as well as 2 kill utilities that should not have existed. I think I've cleaned out everything but I'll know after a day or two with no instant-reboot. Thanks for the help.
I'm just a bit worried how they got on as the machine is secure and I never had any problems in the past. This happened as soon as the hardware was moved to a new network.

> After some checking:
>
> - W32.Mocbot.A injects a program into Explorer.exe. Try shutting down
> explorer and restarting it from cmd. Then run another scan to hopefully
> clear out the offender.
>
> - Win32.Rbot.DSV is primarily a common form of spyware. This is probably
> being re-spread on every reboot.
>
> - Win32.Esbot.M is an alias of the W32.Mocbot.A
>
> It looks like the culprit is the first. The others don't seem to be as
> aggressive...
>
> Cheers,
>
> Kevin
>
>
>
> ----- Original Message -----
> From: "Michael Dinowitz" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[email protected]>
> Sent: Friday, November 04, 2005 1:54 PM
> Subject: Re: (OT) server rebooting after virus
>
>
>> W32.Mocbot.A was the first one but when I ran the CA anti-viral, it found
>> (at different times)
>> Win32.Rbot.DSV
>> Win32.Esbot.M
>>
>> I've removed accounts from the drives that looked like they didn't belong,
>> removed permissions on the drives that looked added, cleaned out
>> everything I can think of and looked everywhere for how the virus got on
>> in the first place. The machine is secure and the password is obscure. It
>> was either network or physically added after the move to the new
>> location.
>>
>> The fact that it's still rebooting the machine which is disrupting service
>> to the community is really upsetting me. :(
>>
>>>Michael,
>>>
>>>What virus did you find originally?
>>>
>>>-Mark
>>>
>>>
>>>-----Original Message-----
>>>From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
>>>Sent: Friday, November 04, 2005 2:21 PM
>>>To: CF-Talk
>>>Subject: (OT) server rebooting after virus
>>>
>>>
>>>The House of Fusion box picked up a virus somehow and even after I've
>>>cleaned it out the box is rebooting at random times. I suspect that the
>>>virus has put something in that causes a reboot but I can't find it.
>>>Anyone have a clue?
>>>This is the error message that keeps showing up in the logs:
>>>"The previous system shutdown at 1:26:52 PM on 11/4/2005 was unexpected."

