Thread: Server Messed Up again by VIRUS

  1. #11
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    C:\WINNT\system32\Netlib.exe
    This may well be: Troj/Crater-A

    Details here: http://www.sophos.com/virusinfo/anal...ojcratera.html
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  2. #12
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Originally posted here by FanacooL
    C:\rtftp.exe
    C:\WINNT\system32\Netlib.exe
    These two processes are what I would aim at first.

    O1 - Hosts: 82.146.42.123 lloydstsb.co.uk
    O1 - Hosts: 82.146.42.123 online.lloydstsb.co.uk
    O1 - Hosts: 82.146.42.123 www.lloydstsb.co.uk
    O1 - Hosts: 82.146.42.123 www.lloydstsb.com
    O1 - Hosts: 82.146.42.123 personal.barclays.co.uk
    O1 - Hosts: 82.146.42.123 barclays.co.uk
    O1 - Hosts: 82.146.42.123 ibank.barclays.co.uk
    O1 - Hosts: 82.146.42.123 www.barclays.co.uk
    O1 - Hosts: 82.146.42.123 www.nwolb.com
    O1 - Hosts: 82.146.42.123 nwolb.com
    O1 - Hosts: 82.146.42.123 hsbc.co.uk
    O1 - Hosts: 82.146.42.123 www.hsbc.co.uk
    O1 - Hosts: 82.146.42.123 abbey.com
    O1 - Hosts: 82.146.42.123 www.abbey.com
    O1 - Hosts: 82.146.42.123 www.abbey.co.uk
    O1 - Hosts: 82.146.42.123 abbey.co.uk
    O1 - Hosts: 82.146.42.123 cahoot.com
    O1 - Hosts: 82.146.42.123 www.cahoot.com
    O1 - Hosts: 82.146.42.123 www.cahoot.co.uk
    O1 - Hosts: 82.146.42.123 cahoot.co.uk
    O1 - Hosts: 82.146.42.123 www.co-operativebank.co.uk
    O1 - Hosts: 82.146.42.123 co-operativebank.co.uk
    O1 - Hosts: 82.146.42.123 www.co-operativebank.com
    O1 - Hosts: 82.146.42.123 co-operativebank.com
    O1 - Hosts: 82.146.42.123 welcome2.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 welcome6.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 welcome8.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 welcome10.co-operativebankonline.co.uk
    O1 - Hosts: 82.146.42.123 www.smile.co.uk
    O1 - Hosts: 82.146.42.123 smile.co.uk
    O1 - Hosts: 82.146.42.123 www.cajamar.es
    O1 - Hosts: 82.146.42.123 cajamar.es
    O1 - Hosts: 82.146.42.123 www.cajamar.com
    O1 - Hosts: 82.146.42.123 www.unicaja.es
    O1 - Hosts: 82.146.42.123 unicaja.es
    O1 - Hosts: 82.146.42.123 www.unicaja.com
    O1 - Hosts: 82.146.42.123 unicaja.com
    O1 - Hosts: 82.146.42.123 www.caixagalicia.es
    O1 - Hosts: 82.146.42.123 caixagalicia.es
    O1 - Hosts: 82.146.42.123 www.caixagalicia.com
    O1 - Hosts: 82.146.42.123 caixagalicia.com
    O1 - Hosts: 82.146.42.123 activa.caixagalicia.es
    O1 - Hosts: 82.146.42.123 www.caixapenedes.es
    O1 - Hosts: 82.146.42.123 caixapenedes.es
    O1 - Hosts: 82.146.42.123 www.caixapenedes.com
    O1 - Hosts: 82.146.42.123 caixapenedes.com
    O1 - Hosts: 82.146.42.123 bancae.caixapenedes.com
    O1 - Hosts: 82.146.42.123 www.caixasabadell.es
    O1 - Hosts: 82.146.42.123 caixasabadell.es
    O1 - Hosts: 82.146.42.123 www.caixasabadell.net
    O1 - Hosts: 82.146.42.123 caixasabadell.net
    O1 - Hosts: 82.146.42.123 www.cajamadrid.es
    O1 - Hosts: 82.146.42.123 cajamadrid.es
    O1 - Hosts: 82.146.42.123 www.cajamadrid.com
    O1 - Hosts: 82.146.42.123 cajamadrid.com
    O1 - Hosts: 82.146.42.123 oi.cajamadrid.es
    O1 - Hosts: 82.146.42.123 www.ccm.es
    O1 - Hosts: 82.146.42.123 ccm.es
    O1 - Hosts: 17.145.117.11 d-ru-1f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-ru-1h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-ru-2f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-ru-2h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-2f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-2h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-1f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-eu-1h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-us-1f.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 d-us-1h.kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 downloads1.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads2.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads3.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads4.kaspersky.ru
    O1 - Hosts: 17.145.117.11 downloads5.kaspersky.ru
    O1 - Hosts: 17.145.117.11 www.kaspersky.ru
    O1 - Hosts: 17.145.117.11 kaspersky.ru
    O1 - Hosts: 17.145.117.11 kaspersky-labs.com
    O1 - Hosts: 17.145.117.11 www.kaspersky-labs.com
    O4 - HKLM\..\Run: [ff] 221.exe
    O4 - HKLM\..\RunServices: [ff] 221.exe
    O4 - HKCU\..\Run: [ff] 221.exe
    Remove all of those lines, unless for some reason you added those to your hosts file yourself. The way to remove the 221.exe file would be to install MS Antispyware (which it looks like you have running), then boot off of a LiveCD such as BartPE. From this you can delete the files, since they won't ever start. Then when you boot back into your main OS, the files should not boot up. If there is anything else that is adding them back into startup and recreating them, the anti-spyware program will stop them from being added.

    At this point you can remove any registry entries that correlate.

    You will want to update your signatures in both the anti-spyware and your AV and run a full scan on your system after this.
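
The hosts entries quoted in post #12 show two patterns worth checking for in any HijackThis log: many different sites pointed at a single address, and antivirus update hosts overridden. The Python below is an added example, not part of the original posts, that flags both from the `O1 - Hosts:` lines; the sample log, the `.example` names, the documentation-range addresses, the `av-vendor` keyword and the `min_sites` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis O1/O4 format (documentation IPs, .example names).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.0.113.10 bank-one.example
O1 - Hosts: 203.0.113.10 www.bank-one.example
O1 - Hosts: 203.0.113.10 login.bank-two.example
O1 - Hosts: 203.0.113.10 www.bank-three.example
O1 - Hosts: 198.51.100.7 updates.av-vendor.example
O1 - Hosts: 198.51.100.7 www.av-vendor.example
O1 - Hosts: 192.0.2.5 intranet.corp.example
O4 - HKLM\..\Run: [ff] 221.exe
"""

O1_RE = re.compile(r"^\s*O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}  # addresses ad-block lists commonly use

def base_domain(host):
    """Rough site key: last two labels, or three for names like x.co.uk.
    Heuristic (assumption); a production tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    cctld = len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "com", "org", "ac"}
    return ".".join(labels[-3:] if cctld else labels[-2:])

def parse_hosts(log_text):
    """Return {ip: set(hostnames)} from O1 lines; every other log line is ignored."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            by_ip[m.group(1)].add(m.group(2).lower())
    return by_ip

def triage(log_text, security_vendors=("av-vendor",), min_sites=3):
    """Flag IPs that front many distinct sites, or that override a security-vendor host."""
    findings = {}
    for ip, hosts in parse_hosts(log_text).items():
        sites = {base_domain(h) for h in hosts}
        reasons = []
        if ip not in SINKHOLES and len(sites) >= min_sites:
            reasons.append(f"{len(sites)} distinct sites share one address")
        if any(v in h for h in hosts for v in security_vendors):
            reasons.append("security vendor host overridden")
        if reasons:
            findings[ip] = reasons
    return findings
```

Entries that `triage` flags still need a human decision, as the post says: lines you added to the hosts file yourself are legitimate.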
