Sircam on my server

[bArGuS_4_$]

If you do not mind, what is the directory where the malicious code is being found?

[Sgt_B]

What happens if you do a manual scan on the machine. Does Norton pick anything up? or is the AMS just sending you an email for fun? I've ran into this once or twice with Norton's console, where the "same virus" keeps popping up on the same machine. Keep in mind there was no virus present on that machine, Norton just kept reporting the same thing over and over again.
My problem went away by itself. It drove me nuts for a while though.

I'll check on Symantec's site to see if anything regarding this is there.

[soia]

bargus_4_$: The virus is found on an old directory with an old version of Windows NT 4.0 in that directory. Now nt 4 is not installed in the machine, the machine is Windows 2000 server. It says that the rundll32 is infected but i deleted that file.

SgtB: tried manual scan and came up with nothing.

[DjM]

Have you tried contacting Symantec's Technical Support? I have had to use them on various occasions and they are usually pretty good. Might be worth a try.


Cheers:

[bArGuS_4_$]

Where did it find the virus? Directory location if you do not mind. Did it locate the virus in any other places?

If it found the virus in an old directory, a manual scan does not report the virus and you are not running any exclusions in the manual scan (scanning all files with no exclusions), and it appears to pop-up everytime new defs arrive, and the scan type in the log indicates manual, and (running out of breath and "ands") the virus was found before on your system and a different action was performed other than left alone then it is possible that you are not infected.

Verify first but this could be it...
in NAVCE there is an option in the Symantec System Center all tasks->NAV-->Quarantine Options I believe that says what to do when new virus definitions arrive. Scan quarantined items. Sometimes when new defs arrive if a worm (which is totally malicious and unrepairable EVER!!!) Is continually attempted to be repaired....New defs-->scan quarantine--> cannot clean (becuase it is a worm) --->Cannot quarantine (because it no longer exists or is in quarantine)--->action left alone.

I recommend you investigate but if you feel this is the case 1) change the option for NAV/SAV 2) delete items in quarantine (manually) 3) delete all log files.

Hope that helps

[mohaughn]

have you tried a scanner from a different vendor to see if you get the same results. I always recommend to anybody that you totally rebuild a system after it has been compromised. Whether it is by a script kiddie, virus, trojan.. whatever.. The only sure way to know that your system is the way it should be is to reinstall.