
Thread: Server Messed Up again by VIRUS

  1. #1
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466

    Server Messed Up again by VIRUS

    Hi guys !

    Once again my server is behaving strangely..... It started with this SEAMEWE3 backbone problem ..... we were unable to receive emails and I thought it's normal as the backbone is down, so obviously we would have encountered the same problem..... but for the last 2 days I saw there were mails on the server which are stuck there over and over; no matter when I process the remote queue, the same mails were in the queue and they have been there for the last three days...... I noticed that one of the mails is 1 MB while one is 2 MB; the rest are small mails. But the problem is not these mails. I saw that when I close my proxy server and shut down the mail server, my modem is still sending and receiving data..... so I used netstat to see the active connections and I saw there were more than 200 ports open and some other connections were there (epmap connections). I thought something was fishy there so I scanned my system with Norton and, you know what, I encountered 4 different types of virus; among them I was able to delete only 3.

    The 3rd virus is still there and it's running as a Windows service; I could not remove it.... The name of the file is rtftp.exe and it's at the C drive root. Now I need your help to remove this.

    OS: Windows 2000 Service Pack 4.
    Mail Server MDaemon.
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Well, not my specialty, but I'll give it a go with the default troubleshooting steps.

    Can you reboot this server? I'd take it down, and reboot in safe mode...or better yet, reboot from the Norton CD or another, secure boot image, and run an AV scanner from there.

    What does online research tell you about rtftp.exe? I'm curious why Norton didn't catch these real-time. Do you use an older version, are your definitions out of date?

    I know the enterprise messaging guys I work with swear by anything from Trend for email server protection. There are also a lot of 'pre-scanner' solutions that filter the mail stream as it comes in, before it hits Exchange. Don't know how effective these would be with MDaemon, but I can't imagine they are LESS effective. Also a lot depends on your budget.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    You look at
    (regedt32)
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run | RunOnce ?
    (explorer)
    or \Documents and Settings\Default User | Administrator | All Users | * \Start Menu\Program Files\Startup ?

    You can also look at:
    (regedt32)
    HKLM\System\CurrentControlSet\Services\

    You should be able to look there and maybe remove the service from there.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    You might need to stop the service first. Also, check the security rights to the file. If you're logged on as admin, you might not have rights, but you can add rights. Give yourself full access to it and try to delete it.

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Originally posted here by zENGER
    You might need to stop the service first. Also, check the security rights to the file. If you're logged on as admin, you might not have rights, but you can add rights. Give yourself full access to it and try to delete it.
    That reminds me, if you are running the scheduling service (AT), you can escalate your privilege to system and do whatever: AT <TIME> <CMD> (from a command shell), so like for example: AT 10:30 CMD.exe You will then have a shell with system privilege. You might have to play with the syntax, been a while since I messed with AT.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  6. #6
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    I believe to have that work you need to have /interactive after it. Can do it with taskmanager also so that you can kill processes that are "system" and won't let even an admin stop them.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You have a bigger problem..... I won't bother with the cleanup.... That's the easy bit.

    If you are getting a server infected with a virus, (not a worm), then you have been using the server in some fashion that it isn't meant to be used for. STOP IT! If you don't the problems will continue in different forms forever.

    If it's a worm you need to look at your firewall rules and your OS/application patching process. You also need to pay more attention to the new vulnerabilities found in the OS and apps you run on this server.

    Either way you will be chasing malware on this server till you retire until you start using it for what it is there for rather than as a workstation or fix your processes.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    I ran HijackThis and here's the resulting log file.


    Logfile of HijackThis v1.97.7
    Scan saved at 10:57:03 AM, on 7/2/2005
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\rtftp.exe
    C:\Program Files\SAV\DefWatch.exe
    C:\WINNT\System32\dhcpclient.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\cba\pds.exe
    C:\WINNT\System32\llssrv.exe
    C:\MDaemon\APP\MDAEMON.EXE
    C:\Program Files\SAV\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\WinGate\WinGate.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\MDaemon\WCStandard\WCStandard.exe
    C:\MDaemon\WebConfig\WebConfig.exe
    C:\WINNT\Explorer.exe
    C:\PROGRA~1\SAV\vptray.exe
    C:\Program Files\WinGate\wgengmon.exe
    C:\Documents and Settings\grace\Desktop\windows 2000 updates\Q251170_W2K_SP1_X86_en.EXE
    c:\temp\ext32840\hotfix.exe
    C:\Documents and Settings\grace\Desktop\windows 2000 updates\Q269049_W2K_SP2_x86_en.EXE
    c:\temp\ext2086\hotfix.exe
    C:\Documents and Settings\grace\Desktop\windows 2000 updates\HijackThis.exe

    O1 - Hosts: 82.146.42.123 lloydstsb.co.uk
    O1 - Hosts: 82.146.42.123 online.lloydstsb.co.uk
    O1 - Hosts: 82.146.42.123 www.lloydstsb.co.uk
    O1 - Hosts: 82.146.42.123 www.lloydstsb.com
    O1 - Hosts: 82.146.42.123 personal.barclays.co.uk
    O1 - Hosts: 82.146.42.123 barclays.co.uk
    O1 - Hosts: 82.146.42.123 ibank.barclays.co.uk
    O1 - Hosts: 82.146.42.123 www.barclays.co.uk
    O1 - Hosts: 82.146.42.123 www.nwolb.com
    O1 - Hosts: 82.146.42.123 nwolb.com
    O1 - Hosts: 82.146.42.123 hsbc.co.uk
    O1 - Hosts: 82.146.42.123 www.hsbc.co.uk
    O1 - Hosts: 82.146.42.123 abbey.com
    O1 - Hosts: 82.146.42.123 www.abbey.com
    O1 - Hosts: 82.146.42.123 www.abbey.co.uk
    O1 - Hosts: 82.146.42.123 abbey.co.uk
    O1 - Hosts: 82.146.42.123 cahoot.com
    O1 - Hosts: 82.146.42.123 www.cahoot.com
    O1 - Hosts: 82.146.42.123 www.cahoot.co.uk
    O1 - Hosts: 82.146.42.123 cahoot.co.uk
    O1 - Hosts: 82.146.42.123 www.co-operativebank.co.uk
    O1 - Hosts: 82.146.42.123 co-operativebank.co.uk
    O1 - Hosts: 82.146.42.123 www.co-operativebank.com
    O1 - Hosts: 82.146.42.123 co-operativebank.com
    O1 - Hosts: 82.146.42.123 welcome2.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 welcome6.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 welcome8.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 welcome10.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 www.smile.co.uk
    O1 - Hosts: 82.146.42.123 smile.co.uk
    O1 - Hosts: 82.146.42.123 www.cajamar.es
    O1 - Hosts: 82.146.42.123 cajamar.es
    O1 - Hosts: 82.146.42.123 www.cajamar.com
    O1 - Hosts: 82.146.42.123 www.unicaja.es
    O1 - Hosts: 82.146.42.123 unicaja.es
    O1 - Hosts: 82.146.42.123 www.unicaja.com
    O1 - Hosts: 82.146.42.123 unicaja.com
    O1 - Hosts: 82.146.42.123 www.caixagalicia.es
    O1 - Hosts: 82.146.42.123 caixagalicia.es
    O1 - Hosts: 82.146.42.123 www.caixagalicia.com
    O1 - Hosts: 82.146.42.123 caixagalicia.com
    O1 - Hosts: 82.146.42.123 activa.caixagalicia.es
    O1 - Hosts: 82.146.42.123 www.caixapenedes.es
    O1 - Hosts: 82.146.42.123 caixapenedes.es
    O1 - Hosts: 82.146.42.123 www.caixapenedes.com
    O1 - Hosts: 82.146.42.123 caixapenedes.com
    O1 - Hosts: 82.146.42.123 bancae.caixapenedes.com
    O1 - Hosts: 82.146.42.123 www.caixasabadell.es
    O1 - Hosts: 82.146.42.123 caixasabadell.es
    O1 - Hosts: 82.146.42.123 www.caixasabadell.net
    O1 - Hosts: 82.146.42.123 caixasabadell.net
    O1 - Hosts: 82.146.42.123 www.cajamadrid.es
    O1 - Hosts: 82.146.42.123 cajamadrid.es
    O1 - Hosts: 82.146.42.123 www.cajamadrid.com
    O1 - Hosts: 82.146.42.123 cajamadrid.com
    O1 - Hosts: 82.146.42.123 oi.cajamadrid.es
    O1 - Hosts: 82.146.42.123 www.ccm.es
    O1 - Hosts: 82.146.42.123 ccm.es
    O1 - Hosts: 17.145.117.11 d-ru-1f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-ru-1h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-ru-2f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-ru-2h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-2f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-2h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-1f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-1h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-us-1f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-us-1h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads2.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads3.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads4.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads5.kaspersky.ru
    O1 - Hosts: 17.145.117.11 www.kaspersky.ru
    O1 - Hosts: 17.145.117.11 kaspersky.ru
    O1 - Hosts: 17.145.117.11 kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
    O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINNT\System32\mmsvc32.exe
    O4 - HKLM\..\Run: [Spools Service Controller] C:\WINNT\System32\spools.exe
    O4 - HKLM\..\Run: [ff] 221.exe
    O4 - HKLM\..\RunServices: [ff] 221.exe
    O4 - HKCU\..\Run: [ff] 221.exe
    O4 - Global Startup: WinGate Engine Monitor.lnk = C:\Program Files\WinGate\wgengmon.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B373427-8D44-4722-BD4A-8D82B31E08B7}: NameServer = 202.87.109.10 202.87.80.10
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2B373427-8D44-4722-BD4A-8D82B31E08B7}: NameServer = 202.87.109.10 202.87.80.10


    -----------------------

    Now I updated the antivirus definitions today and even updated the service pack and also updated Windows online..... here's the new result.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:17:10 PM, on 7/4/2005
    Platform: Windows 2000 SP4, RC 4.68 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\rtftp.exe
    C:\Program Files\SAV\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\cba\pds.exe
    C:\WINNT\System32\llssrv.exe
    C:\MDaemon\APP\MDAEMON.EXE
    C:\Program Files\SAV\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\WinGate\WinGate.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\SAV\vptray.exe
    C:\Program Files\Agnitum\Jammer 2.0\Jammer.exe
    C:\Program Files\WinGate\wgengmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\MDaemon\WCStandard\WCStandard.exe
    C:\MDaemon\WebConfig\WebConfig.exe
    C:\WINNT\system32\Netlib.exe
    C:\Documents and Settings\grace\Desktop\windows 2000 updates\HijackThis.exe

    O1 - Hosts: 82.146.42.123 lloydstsb.co.uk
    O1 - Hosts: 82.146.42.123 online.lloydstsb.co.uk
    O1 - Hosts: 82.146.42.123 www.lloydstsb.co.uk
    O1 - Hosts: 82.146.42.123 www.lloydstsb.com
    O1 - Hosts: 82.146.42.123 personal.barclays.co.uk
    O1 - Hosts: 82.146.42.123 barclays.co.uk
    O1 - Hosts: 82.146.42.123 ibank.barclays.co.uk
    O1 - Hosts: 82.146.42.123 www.barclays.co.uk
    O1 - Hosts: 82.146.42.123 www.nwolb.com
    O1 - Hosts: 82.146.42.123 nwolb.com
    O1 - Hosts: 82.146.42.123 hsbc.co.uk
    O1 - Hosts: 82.146.42.123 www.hsbc.co.uk
    O1 - Hosts: 82.146.42.123 abbey.com
    O1 - Hosts: 82.146.42.123 www.abbey.com
    O1 - Hosts: 82.146.42.123 www.abbey.co.uk
    O1 - Hosts: 82.146.42.123 abbey.co.uk
    O1 - Hosts: 82.146.42.123 cahoot.com
    O1 - Hosts: 82.146.42.123 www.cahoot.com
    O1 - Hosts: 82.146.42.123 www.cahoot.co.uk
    O1 - Hosts: 82.146.42.123 cahoot.co.uk
    O1 - Hosts: 82.146.42.123 www.co-operativebank.co.uk
    O1 - Hosts: 82.146.42.123 co-operativebank.co.uk
    O1 - Hosts: 82.146.42.123 www.co-operativebank.com
    O1 - Hosts: 82.146.42.123 co-operativebank.com
    O1 - Hosts: 82.146.42.123 welcome2.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 welcome6.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 welcome8.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 welcome10.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 www.smile.co.uk
    O1 - Hosts: 82.146.42.123 smile.co.uk
    O1 - Hosts: 82.146.42.123 www.cajamar.es
    O1 - Hosts: 82.146.42.123 cajamar.es
    O1 - Hosts: 82.146.42.123 www.cajamar.com
    O1 - Hosts: 82.146.42.123 www.unicaja.es
    O1 - Hosts: 82.146.42.123 unicaja.es
    O1 - Hosts: 82.146.42.123 www.unicaja.com
    O1 - Hosts: 82.146.42.123 unicaja.com
    O1 - Hosts: 82.146.42.123 www.caixagalicia.es
    O1 - Hosts: 82.146.42.123 caixagalicia.es
    O1 - Hosts: 82.146.42.123 www.caixagalicia.com
    O1 - Hosts: 82.146.42.123 caixagalicia.com
    O1 - Hosts: 82.146.42.123 activa.caixagalicia.es
    O1 - Hosts: 82.146.42.123 www.caixapenedes.es
    O1 - Hosts: 82.146.42.123 caixapenedes.es
    O1 - Hosts: 82.146.42.123 www.caixapenedes.com
    O1 - Hosts: 82.146.42.123 caixapenedes.com
    O1 - Hosts: 82.146.42.123 bancae.caixapenedes.com
    O1 - Hosts: 82.146.42.123 www.caixasabadell.es
    O1 - Hosts: 82.146.42.123 caixasabadell.es
    O1 - Hosts: 82.146.42.123 www.caixasabadell.net
    O1 - Hosts: 82.146.42.123 caixasabadell.net
    O1 - Hosts: 82.146.42.123 www.cajamadrid.es
    O1 - Hosts: 82.146.42.123 cajamadrid.es
    O1 - Hosts: 82.146.42.123 www.cajamadrid.com
    O1 - Hosts: 82.146.42.123 cajamadrid.com
    O1 - Hosts: 82.146.42.123 oi.cajamadrid.es
    O1 - Hosts: 82.146.42.123 www.ccm.es
    O1 - Hosts: 82.146.42.123 ccm.es
    O1 - Hosts: 17.145.117.11 d-ru-1f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-ru-1h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-ru-2f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-ru-2h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-2f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-2h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-1f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-1h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-us-1f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-us-1h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads2.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads3.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads4.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads5.kaspersky.ru
    O1 - Hosts: 17.145.117.11 www.kaspersky.ru
    O1 - Hosts: 17.145.117.11 kaspersky.ru
    O1 - Hosts: 17.145.117.11 kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
    O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINNT\System32\mmsvc32.exe
    O4 - HKLM\..\Run: [Spools Service Controller] C:\WINNT\System32\spools.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Jammer] C:\Program Files\Agnitum\Jammer 2.0\Jammer.exe
    O4 - HKLM\..\Run: [ff] 221.exe
    O4 - HKLM\..\RunServices: [ff] 221.exe
    O4 - HKCU\..\Run: [ff] 221.exe
    O4 - Global Startup: WinGate Engine Monitor.lnk = C:\Program Files\WinGate\wgengmon.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...535.1238078704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B373427-8D44-4722-BD4A-8D82B31E08B7}: NameServer = 202.87.109.10 202.87.80.10
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2B373427-8D44-4722-BD4A-8D82B31E08B7}: NameServer = 202.87.109.10 202.87.80.10


    Now if you can see here, a new file 221.exe is there; it seems to be the same file... I tried to block the file via the firewall but it keeps on replicating itself. Also I have tried to delete the registry entry but it keeps on adding it again and again.
    I cannot stop the service even in safe mode.... I have admin privileges. So what should I do?
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!
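
The following is an added example, not part of any post in this thread: a small Python triage pass over a HijackThis log that pulls out the three things that stand out in the logs above, namely non-loopback hosts redirects grouped by target IP, autorun values with no directory (such as `221.exe`), and processes running from a drive root (such as `C:\rtftp.exe`). The function name `triage`, its threshold parameter and the trimmed sample log are assumptions made for illustration; the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Constructed sample: a short excerpt assembled from lines of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\services.exe
C:\rtftp.exe
C:\MDaemon\APP\MDAEMON.EXE

O1 - Hosts: 82.146.42.123 www.lloydstsb.co.uk
O1 - Hosts: 82.146.42.123 www.barclays.co.uk
O1 - Hosts: 82.146.42.123 hsbc.co.uk
O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - HKLM\..\Run: [ff] 221.exe
O4 - HKLM\..\RunServices: [ff] 221.exe
O4 - HKCU\..\Run: [ff] 221.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)$")
AUTORUN_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}


def triage(log_text, min_names_per_ip=2):
    """Return hosts redirects, pathless autoruns and drive-root processes found in a log."""
    names_by_ip = defaultdict(list)   # target IP -> hostnames redirected to it
    autorun_keys = defaultdict(set)   # pathless command -> registry locations that launch it
    root_processes = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False          # a blank line ends the process list
        elif in_processes:
            if ROOT_EXE_RE.match(line):   # executable sitting directly in a drive root
                root_processes.append(line)
        elif (m := HOSTS_RE.match(line)):
            if m.group(1) not in LOOPBACK:
                names_by_ip[m.group(1)].append(m.group(2).lower())
        elif (m := AUTORUN_RE.match(line)):
            key, _name, command = m.groups()
            exe = command.strip().strip('"')
            if "\\" not in exe and "/" not in exe:   # autorun value with no directory
                autorun_keys[exe].add(key)
    return {
        # Several unrelated names pointed at one address is the pattern worth reviewing.
        "redirects": {ip: names for ip, names in names_by_ip.items()
                      if len(names) >= min_names_per_ip},
        "pathless_autoruns": {exe: sorted(keys) for exe, keys in autorun_keys.items()},
        "root_processes": root_processes,
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section, findings)
```

Running the same function over two logs taken on different days and comparing the results shows which entries survived a cleanup attempt.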

  9. #9
    Senior Member
    Join Date
    May 2004
    Posts
    274
    Our ISP has blocked SMTP, POP and other traffic due to the SEA-ME-WE 3 problem. I think you are having the same problems.
    Excuse me, is there an airport nearby large enough for a private jet to land?

  10. #10
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Nope, the ISP is not blocking anything; I can download these emails directly on my laptop...... It's the server problem..
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!
