got hit by worm in W2K Help!

Status
Not open for further replies.

pirateclem

Technical User
Feb 4, 2005
68
US
Got hit by a worm doing the following:

Propagates over port 139. Does a buffer overflow attack on Symantec AV. Leaves a file on the root of the C drive called: U.exe. Is only affecting Windows 2000 OS's that are a bit behind in patch levels. Systems I patched just this weekend are unaffected. Some XP systems are having errors in Symantec AV on their desktops.

Any ideas what it is? Most recent heuristic on Symantec AV 10.1 cannot find the perpetrator on infected systems.

Help!

 
Try starving the offending executable by booting in safe mode and deleting it or running a virus removal tool to delete it.
 
I am curious if there was a solution to this. I am having a very similar problem with a few variations.
 
Get the systems up to date with patches and security hotfixes and remove Symantec and get a decent AV package installed.

Paul

MCSE 2003

"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Albert Einstein
 
Everything is up to date and current. I do not have the option to buy a different antivirus and really don't see a need to. I have run over 14 different antiviruses on one of these computers and they do not clean or find the problem.
I will open up a new post; I just thought maybe someone who had this exact problem could help.

Thanks for the opinion though!
 
Suggestion:
1. Google the name of the executable to search for removal instructions.
2. In Task Manager, look for processes that are running that you may be unfamiliar with - google their names to see what comes up.
3. Download (free) HijackThis, run a system report. It reports processes running, location of the .exe's, and registry locations. It can clean the system of any of these. If the worm is memory resident it can remove files during a re-boot.
4. Post your HijackThis log into this forum or any others to find those who have dealt with the same issue.
 
Hi, I have fixed it. Thanks for the advice; I tried the stuff you suggested already. It would work for the time being but soon the computer would be reinfected as it was on a very large network and spreading like crazy. It ended up being about four different viruses that they released a new update for today.

Thanks for the help all.
 