You're not using Norton's FixCRed.exe, are you? Because if you are, the
tool DOES NOT give accurate results.
It told me that a server with IIS NOT EVEN INSTALLED was infected (in
memory). What a crappy tool.
~Seth

Zangara, Jim writes:
> I know I patched this server but I am not taking any more chances.
>
> Hello Folks -
>
> It appears one of my servers got the backdoor worm - I can scan it sometimes
> and it shows clean and other times a memory scan shows an infection. There
> is no root.exe file anywhere on the server so I am not totally convinced but
> I prefer not to take chances.
>
> I have disabled the www service for now and am backing up my data. I am
> wondering if there is a way to recover my SAM database without running a
> risk of re-infection? I can recreate it but it would add hours to this and
> I would prefer not to. Since I do not know when the infection took place I
> am not sure of a reliable pre-infection backup so I am not even going to
> attempt that route.
>
> Would an ERD made today have the SAM? Should I trust it if it does?
>
> The server is a P111 with 2 gigs of RAM, Win2k SP2, SQL 7, IIS 5 - web server -
> no standalone - no domain.
>
>
> TIA
>
> Jim
>
>
> http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
>