Gandalf The White (infected)


Gandalf (the white) was set up two weeks ago without anti-virus protection. So a worm (or two) moved in and started routing pirated files. This morning it started being so "loud" on the network it ground everything else to a halt.

I had to go make a personal call to perform surgery. Norton Anti-Virus found the following:

C:\WINNT\MSsrvs32.exe is infected with W32.Randex.gen
C:\WINNT\system32\MSsrvs32.exe is infected with W32.Randex.gen
C:\WINNT\system32\webchecks.dll is infected with W32.IRCBot
C:\WINNT\system32\dhcp\csrss.exe is infected with W32.IRCBot
C:\Documents and Settings\DoNotUse\payload.dat is infected with W32.Randex.gen
C:\Documents and Settings\Default User\Templates\winspsv.exe is infected with W32.Spybot.Worm
C:\Documents and Settings\Administrator\payload.dat is infected with W32.Randex.gen

I had to manually delete MSsrvs32.exe and webchecks.dll using a command line because Norton and Windows were "denied access."


2 Comments

Jeb said:

Removed two registry entries that wanted to run MSsrv32.exe per Symantec's step 5.

Eric said:

What is Gandalf (the white)?


About this Entry

This page contains a single entry by Jeb published on November 27, 2004 10:29 PM.
