jimt@
Guest
Originally posted by smerkel
It was a partner email that was sent out. Additionally, several vulnerability databases sent notifications with regards to the Mail Enable issue.
http://secunia.com/advisories/23127/
Regards,
Steve
It would really be nice if they sent that to all partners...
I have managed to get a severely infected box stable again. I can reboot it without problems and the OS at least is stable (with one exception).
Since the OS would not stay up for more than 2 minutes, I could only access it from the recovery console. Here's what I did.
1. I deleted the following files:
c:\windows\system32\bw.exe
c:\windows\system32\nc.exe
c:\windows\system32\pack.exe
c:\windows\system32\gethashes.exe
c:\windows\system32\saminside.ini
c:\windows\system32\psinfo.exe
c:\windows\system32\start.bat
2. I disabled all MailEnable services and the rdriv service.
3. I deleted all task files in the c:\windows\Tasks directory. I think the trojan had a task running a minute or so after a boot.
4. I then ran a Windows setup to repair the OS files.
The server boots now and seems to be stable. I have one exception... after the boot, winlogon.exe crashes 4 or 5 times, but then starts working. If anyone has any ideas on this it would be appreciated.
I still have a bit of work to do....
Jim
Bocacom
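The cleanup Jim describes above was done by hand from the recovery console. The script below is an added triage example, not Jim's own steps or anything from MailEnable: it checks a running box for the same artifacts (the seven files under system32, the rdriv service, and the scheduled tasks) and only reports what it finds, so each file can be hashed and copied off before anything is deleted. The file paths and the service name come from the post; everything else is an assumption, in particular that rdriv might be registered either as a user-mode service or as a kernel driver (the post does not say which), and that tasks may exist both as legacy .job files and as registered tasks on a newer OS.

```powershell
# Added triage script (not from the original post). Report-only: nothing is deleted,
# so evidence can be preserved before cleanup. Run from an elevated PowerShell prompt.

$sys32 = Join-Path $env:windir 'system32'

# File names exactly as listed in the post; the directory is assumed to be %windir%\system32.
$indicatorFiles = @(
    'bw.exe', 'nc.exe', 'pack.exe', 'gethashes.exe',
    'saminside.ini', 'psinfo.exe', 'start.bat'
) | ForEach-Object { Join-Path $sys32 $_ }

Write-Host '== Files named in the post =='
foreach ($f in $indicatorFiles) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        '{0,-45} PRESENT {1,10} bytes  modified {2}  sha256 {3}' -f $f, $item.Length, $item.LastWriteTime, $hash
    } else {
        '{0,-45} absent' -f $f
    }
}

Write-Host '== rdriv service / driver =='
# Assumption: rdriv may appear as a service (Win32_Service) or a kernel driver (Win32_SystemDriver).
$svc = Get-CimInstance Win32_Service      -Filter "Name='rdriv'" -ErrorAction SilentlyContinue
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='rdriv'" -ErrorAction SilentlyContinue
foreach ($s in @($svc, $drv) | Where-Object { $_ }) {
    '{0}: state={1} start={2} path={3}' -f $s.Name, $s.State, $s.StartMode, $s.PathName
}
if (-not $svc -and -not $drv) { 'no service or driver named rdriv registered' }

Write-Host '== Legacy task files in %windir%\Tasks =='
# The legacy scheduler keeps one .job file per task here; the post describes a task
# firing about a minute after boot, so creation and modification times are the
# interesting columns.
Get-ChildItem -LiteralPath (Join-Path $env:windir 'Tasks') -Filter '*.job' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize

Write-Host '== Registered tasks and what they run (Windows 8 / Server 2012 and later) =='
# Assumption: on a newer OS the ScheduledTasks module is present; older systems skip this.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            '{0}{1}: {2} {3}' -f $_.TaskPath, $_.TaskName, $a.Execute, $a.Arguments
        }
    }
}
```

The point of reporting rather than deleting is that the hashes and timestamps are what let you match the files against advisories such as the one quoted at the top of the thread, and the task action list shows what a task would have launched after boot without having to open each .job file by hand.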