Richard Farris wrote:
Since 10/06/06 I have been fighting a virus on my mail server. I was not too concerned about it until last week, when it evidently helped me get blacklisted with SpamCop, Spamhaus, UBL and some others. Can anyone tell me how to get rid of it? I have tried everything to no avail. The virus is putting "a.exe" and ".exe" in the winnt\system32 folder and/or the C:\ drive. Also it has 1x32.exe or 2X32.exe or 0X32.exe running in the Task Manager, and it installs a numeric file in the Registry. It also puts files like Hub101bl in the Internet.IE5 folder in Temporary Internet Files...

As others have said, the safest route is to do a fresh install.

Having said that, there are a few things I've done in the past to keep a machine running in an emergency. Proceed at your own risk and understand there is no way to be 100% sure that the server is not compromised beyond repair.

HijackThis is a free program that can assist in determining what is running and what the computer loads on boot. I use this tool to try to remove all of the start-up commands for nasty stuff. I also write down the path of programs that are running that shouldn't be. Please note that this program can really hose things up if you start removing commands and/or registry items that you shouldn't. There are a few websites out there that help people figure out what the program is telling you.

After HijackThis I'll look at the Task Manager and add anything bad to my list of nasties if it isn't there already. I'll do a search for these programs so I know what directory they are in.

Now the idea is to get rid of everything on your list.

Sometimes you can end the task in Task Manager and then delete the file. More often than not, Task Manager will not end the task. In these cases I use a command-line program called pskill. Use it with care, as you can easily crash the system with it. Once you've killed a process with pskill you should be able to remove the file. Sometimes you'll kill a process and it will restart before you can delete it. In that case I make a note of it, work on the others, and then come back to it. Chances are, if you have added all of the bad processes to your list, one of the ones you haven't gotten to yet is responsible for restarting the problematic one. If you simply can't get rid of a process, you can try to remove it in safe mode or use the feature in HijackThis that deletes a file on reboot.

When I'm done with that I usually reboot to see how bad things *really* are. If all of the processes are back, you obviously missed something and you might be in for a rough time. If one or two are back, I usually search for these processes in the registry and remove them. Sometimes the registry gives clues as to dependencies too. Again, standard warning: you can hose your machine messing around in the registry if you don't know what you are doing.

When everything appears to be gone I'll run anti-virus, Ad-Aware and Spybot. I've been surprised in the past at what I've found *after* doing all of the above steps.

Finally, I'll run RootkitRevealer from Sysinternals.

Good luck.

Paul Navarre
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

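The list-kill-delete-reboot loop Paul describes, written out as a PowerShell script. This is an added example, not code from the thread, from Ipswitch or from HijackThis. It assumes Windows PowerShell 3 or later (Get-FileHash needs 4+) run from an elevated prompt on the infected host, and it seeds the "list of nasties" with the file names Richard reported (a.exe, .exe, 0x32.exe, 1x32.exe, 2x32.exe); those names, the 500 ms wait and the function names are assumptions to adapt to your own box. The delete-on-reboot fallback uses the documented Windows API for deferring a deletion to the next boot (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT), which is what delete-on-reboot tools typically rely on.

```powershell
# Added example, not code from the original thread. Assumes Windows PowerShell 3+
# (Get-FileHash is 4+) from an elevated prompt on the infected host. The names
# below are the ones Richard reported; extend the list with your own "nasties".
$SuspectNames = 'a.exe', '.exe', '0x32.exe', '1x32.exe', '2x32.exe'
# Matches any of those names as the last path component inside a command line.
$SuspectPathRegex = '(^|\\)(' + (($SuspectNames | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')("|\s|$)'

# Autostart locations: the Run keys HijackThis reports as O4, the Winlogon hooks,
# and services. A hit here is the likely "watchdog" that respawns the rest.
function Get-AutostartEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{ Location = $key; Name = $name; Command = $cmd; Suspect = ($cmd -match $SuspectPathRegex) }
        }
    }
    # Defaults are Shell = explorer.exe and Userinit = <system32>\userinit.exe,
    # anything appended to either value is a classic persistence hook.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($n in 'Shell', 'Userinit') {
        [pscustomobject]@{ Location = 'Winlogon'; Name = $n; Command = $wl.$n; Suspect = ($wl.$n -match $SuspectPathRegex) }
    }
    foreach ($svc in Get-WmiObject Win32_Service) {
        [pscustomobject]@{ Location = 'Service'; Name = $svc.Name; Command = $svc.PathName; Suspect = ($svc.PathName -match $SuspectPathRegex) }
    }
}

# Running processes on the list, plus a hash of the image so it can be looked up
# later even after the file is gone.
function Get-SuspectProcesses {
    Get-Process | Where-Object { $SuspectNames -contains "$($_.ProcessName).exe" } | ForEach-Object {
        # Path is empty for protected processes or when the image is already unlinked.
        $hash = if ($_.Path -and (Test-Path -LiteralPath $_.Path)) {
            (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash
        } else { $null }
        [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path; Sha256 = $hash }
    }
}

# Delete-on-reboot: MoveFileEx with a null target and MOVEFILE_DELAY_UNTIL_REBOOT (4)
# asks the session manager to remove the file before anything else starts.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
function Register-DeleteOnReboot([string] $Path) {
    if (-not [Win32.Native]::MoveFileEx($Path, $null, 4)) {
        throw "MoveFileEx failed for $Path (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
}

# Kill, then delete. If the file is locked or the process respawns before the
# delete lands, queue it for reboot and keep working down the list.
function Remove-SuspectProcess($Suspect) {   # one object from Get-SuspectProcesses
    Stop-Process -Id $Suspect.Id -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 500            # assumed grace period for handles to close
    if (-not $Suspect.Path) {
        Write-Warning "$($Suspect.Name) (pid $($Suspect.Id)) has no visible image path; note it for safe mode"
        return
    }
    try {
        Remove-Item -LiteralPath $Suspect.Path -Force -ErrorAction Stop
        Write-Output "deleted $($Suspect.Path)"
    } catch {
        Register-DeleteOnReboot $Suspect.Path
        Write-Output "queued $($Suspect.Path) for deletion at next reboot"
    }
    # Already back? Something else on the list is restarting it; finish the rest, then re-run.
    if (Get-Process -Name $Suspect.Name -ErrorAction SilentlyContinue) {
        Write-Warning "$($Suspect.Name) restarted within a second of being killed"
    }
}

# Build and record the list first; only then start killing.
Get-AutostartEntries | Where-Object Suspect | Format-Table -AutoSize
$suspects = Get-SuspectProcesses
$suspects | Format-Table -AutoSize
$suspects | ForEach-Object { Remove-SuspectProcess $_ }
```

Record the hashes and paths before anything is deleted; they are what you will submit to an AV vendor or search for later. Note that every call above goes through the same Win32 and WMI interfaces a kernel-mode rootkit hooks, so an empty result proves nothing on its own, which is why the RootkitRevealer pass (and Paul's opening advice to rebuild) still applies.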