It's a trojan.
Make sure you have the server updated with all the hotfixes from MS.
When you reboot the trojan will reinstall itself. 
Go to the system32 folder and sort by date and see which files have been
changed after the reboot. Typical filenames will be:
cmd.exe
cscript.exe
debug.exe
ftp.exe
mshta.exe
net1.exe
net.exe
rcp.exe
tftp.exe
wscript.exe

You have to compare these files to the original files. One consistent
characteristic is that all replaced files are 239KB. The file size and the
modification date are your ticket.

Search the registry for the names of those files; you might have to open the
.ini that configures the trojan and look for filenames in that file. Remove
the registry entries (if it makes sense to you to remove them), rename or
delete the infected files and copy over the original files. Reboot. Check
the above. Reboot again. Check again. Reboot etc...

The first thing they do is to test the speed of the server from different
countries and the spec of the server using an application from Winternals.
You will most likely find hidden directories - look for one called "sys" -
with the latest movies and games and other stuff. 

My impression is that the trojan is mainly for storing warez.

<disclaimer>
I take no responsibility for the success of fixing your server with the
above information. 
Use the information at your own risk.
</disclaimer>

Jonas Fornander - System Administrator
Netwood Communications,LLC - www.netwood.net
"Find Out Why We're Better" - 310-442-1530
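The check Jonas describes (sort system32 by date, look for the listed binaries, compare size and content against known-good copies) as an added example script; it is not from the original post or from any vendor tool. It assumes you have a directory of original binaries from install media or a clean machine of the same build, and it treats the 239KB figure the way Explorer displays sizes (bytes rounded up to the next KB).

```python
import hashlib
from datetime import datetime
from pathlib import Path

# Filenames the post says are typically replaced by the trojan.
WATCHED = {"cmd.exe", "cscript.exe", "debug.exe", "ftp.exe", "mshta.exe",
           "net1.exe", "net.exe", "rcp.exe", "tftp.exe", "wscript.exe"}

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_suspect_files(system32: Path, reference: Path, booted_at: datetime,
                       suspect_kb: int = 239) -> list[dict]:
    """Return the watched files in `system32` whose content differs from the
    known-good copy in `reference` (hypothetical directory you prepared),
    newest modification first, annotated with the two indicators the post
    relies on: written after the last boot, and size showing as 239KB."""
    findings = []
    files = [p for p in system32.iterdir() if p.is_file() and p.name.lower() in WATCHED]
    for p in sorted(files, key=lambda q: q.stat().st_mtime, reverse=True):
        ref = reference / p.name
        ref_hash = sha256_of(ref) if ref.is_file() else None
        if ref_hash == sha256_of(p):
            continue  # byte-identical to the original: not replaced
        st = p.stat()
        shown_kb = (st.st_size + 1023) // 1024  # Explorer rounds up to whole KB
        findings.append({
            "name": p.name,
            "size": st.st_size,
            "modified_after_boot": datetime.fromtimestamp(st.st_mtime) > booted_at,
            "size_matches_trojan": shown_kb == suspect_kb,
            "reference_missing": ref_hash is None,  # cannot compare; inspect by hand
        })
    return findings

if __name__ == "__main__":
    import sys
    boot = datetime.fromisoformat(sys.argv[3])  # e.g. 2006-02-03T16:00
    for f in find_suspect_files(Path(sys.argv[1]), Path(sys.argv[2]), boot):
        print(f)
```

A file flagged with both indicators true is the one to rename and replace from the originals; `reference_missing` means you have no clean copy to hash against and must compare by other means.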

 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Richard Farris
> Sent: Friday, February 03, 2006 4:54 PM
> To: [email protected]
> Subject: [IMail Forum] Polish?
> 
> I have a Windows NT box running 7.11. When I go to the C> and try to go to
> the IMAIL directory (or any other directory) I get the results below:
> 
> C:\>dir
> Nazwa 'dir' nie jest rozpoznawana jako polecenie wewnetrzne 
> lub zewnetrzne,
> program wykonywalny lub plik wsadowy.
> 
> 
> Has anyone ever seen such a thing? It started a few days ago but I have no
> idea what is going on...the box seems to be normal other than this...
> 
> Richard Farris
> Ethixs Online
> 1.270.247.5555 Office
> 1.800.548.3877 Tech Support
> "Crossroads to a Cleaner Internet"
> 
