I am having a really strange problem that was caused by a backdoor virus. I have NT4.0 SP6 running CA ETrust Antivirus. Somehow, the server didn't pick up 3 viruses that were just hanging out apparently. I scanned yesterday and found them. They are:
Backdoor/Wollf.16.Server
Win32/Sub0T.HookDLL.Trojan
Win32/Netsky.P.Worm
So, I updated the virus sigs and cured all infected files. I also ran any cleaning utilities for each virus where available to take out registry keys, etc.
Here's the problem I have now.
When I log in after booting the machine, 4 quick DOS windows open up with c:\winnt\net.exe at the top. What I am pretty sure they are doing is trying to give trust to outside domains. I think this because as soon as this happens, nobody here can log in! They get an "access to your logon server has been denied" message, no matter what username or password is used. They are mostly 98 machines, so I go in to Client for Microsoft Networks, deselect the log in to domain check box, reboot them and they can get in. Problem with this is now not everything works for them... they're not a true member of the domain anymore.
I have checked every dag-blasted key in the registry, looked in all profiles' startup folders, and researched every service and process running. I can't find what is calling these net commands! The key here is they only occur after logging in, so if I don't log in to the server - everything is peachy keen.
Oh, I've also tried renaming the net.exe to net.old. It then shows that the DOS commands are not running, but it still screws up everybody's logins.
Thanks in advance for any help you can give.