Sign in with
Sign up | Sign in
Your question

HELP!! I'm losing my mind

Tags:
Last response: in Windows 2000/NT
Share
August 10, 2004 11:49:03 AM

Archived from groups: microsoft.public.win2000.security (More info?)

We seem to have contracted a version of the Gaobot in our company. Some pc's
(interestingly enough, all Windows 2000) keep getting hit with a
systemdll.exe file by an unknown source. I've deleted the file from all the
found locations, did a search through the registry and deleted all instances.
Everything is fine for a while, but then it appears again. I tried using
the Gaobot repair tool, but it comes up empty. What the file appears to do
is use or create network shares, it's favorites so far have been WINNT and
SYSTEM32, but it also uses print shares by creating a copy of an existing
printing on the pc and creating a share for it. I've also seen where it
creates a share on a user's My Documents folder, the C drive, and the
SYSTEM32\SPOOL\DRIVERS. Here are the share names:
C = C$ (default share set up by windows)
WINNT = ADMIN$ (default share set up by windows)
SYSTEM32\SPOOL\DRIVERS = print$
My Document = My Document
It will also create a randomly named service that shows up under Manage (ie.
aerwse) that will either be set up as Manual run or Disabled which I've
searched through the registry for and delete.
It looks like the process is being run by user (pc name\Administrators or NT
AUTHORITY\SYSTEM). I just found out that when these pcs were set up there
was no Admin password set (yeah, it's blank, pretty stupid), so i'm changing
those to a more secure password, but I can't do anything with NT
AUTHORITY\SYSTEM user account that I know of. If you need any more info I'll
be happy to supply it and as always thanks in advance for any help.

More about : losing mind

Anonymous
August 11, 2004 12:02:02 AM

Archived from groups: microsoft.public.win2000.security (More info?)

This is from SARC http://www.sarc.com/ and it sounds a lot like what you may have.
The link also includes removal instructions.

http://securityresponse.symantec.com/avcenter/venc/data...

Your computers could becoming infected and reinfected from either the internet or
infected computers on your network. Make sure your firewall is correctly configured
and you can do a basic scan at http://scan.sygatetech.com/ . Be sure that you are
using the latest virus definitions as of today from your vendors website. Tools such
as TCPView from Sysinternals can help in determining what computer or computers are
infecting other computers on the network.

You should isolate infected computers by disconnecting them from the network, then
repairing them, and patching them with the latest critical updates from Windows
Updates. Being current on critical updates may have prevented your problem in the
first place. Note that installing critical updates does not help an already infected
computer and ideally a repaired computer would have the drive reformatted and a fresh
install/image of the operating system but that is your call. It would also be best to
not put repaired computers back on the network until all infected computers have been
removed, though again that is your call and a properly patched computer may not get
reinfected. A temporary solution to help protect computers on the network that do not
offer shares [domain controllers do] to other computers is to use tcp/ip filtering on
the network adapter to enable IP filtering for TCP permit only and add no ports to
the list. Be sure to disable tcp/ip filtering when done as it will interfere with
remote access to a computer for things like remote Computer Man.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309798 -- tcp/ip filtering

I guess you learned your lesson on not using any or weak passwords and the trouble
that it can cause. It would be wise to enforce complex passwords on the network in
Domain Security policy and also have an account lockout policy with a threshold of no
less than ten bad attempts. This can go a long way to protecting your network. ---
Steve

http://www.microsoft.com/smallbusiness/gtm/securityguid... -- Microsoft
security recommendations for small businesses.

"Gary" <Gary@discussions.microsoft.com> wrote in message
news:3462DC9C-F43E-46DC-8538-3D7D4725327F@microsoft.com...
> We seem to have contracted a version of the Gaobot in our company. Some pc's
> (interestingly enough, all Windows 2000) keep getting hit with a
> systemdll.exe file by an unknown source. I've deleted the file from all the
> found locations, did a search through the registry and deleted all instances.
> Everything is fine for a while, but then it appears again. I tried using
> the Gaobot repair tool, but it comes up empty. What the file appears to do
> is use or create network shares, it's favorites so far have been WINNT and
> SYSTEM32, but it also uses print shares by creating a copy of an existing
> printing on the pc and creating a share for it. I've also seen where it
> creates a share on a user's My Documents folder, the C drive, and the
> SYSTEM32\SPOOL\DRIVERS. Here are the share names:
> C = C$ (default share set up by windows)
> WINNT = ADMIN$ (default share set up by windows)
> SYSTEM32\SPOOL\DRIVERS = print$
> My Document = My Document
> It will also create a randomly named service that shows up under Manage (ie.
> aerwse) that will either be set up as Manual run or Disabled which I've
> searched through the registry for and delete.
> It looks like the process is being run by user (pc name\Administrators or NT
> AUTHORITY\SYSTEM). I just found out that when these pcs were set up there
> was no Admin password set (yeah, it's blank, pretty stupid), so i'm changing
> those to a more secure password, but I can't do anything with NT
> AUTHORITY\SYSTEM user account that I know of. If you need any more info I'll
> be happy to supply it and as always thanks in advance for any help.
August 11, 2004 12:02:03 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks Steve,
I've tried all those instructions last week, but the systemdll.exe file
keeps coming back. I'm hoping that by increasing the user security as well
as applying the Windows Updates will help. I've often pushed the idea of
using nothing but secure passwords, but apparently nobody listened.
We have a few specialized PC's that run specific programs which may also be
causing problems, so I'll definately give TCPView a shot.
Thanks again for all your suggestions!

"Steven L Umbach" wrote:

> This is from SARC http://www.sarc.com/ and it sounds a lot like what you may have.
> The link also includes removal instructions.
>
> http://securityresponse.symantec.com/avcenter/venc/data...
>
> Your computers could becoming infected and reinfected from either the internet or
> infected computers on your network. Make sure your firewall is correctly configured
> and you can do a basic scan at http://scan.sygatetech.com/ . Be sure that you are
> using the latest virus definitions as of today from your vendors website. Tools such
> as TCPView from Sysinternals can help in determining what computer or computers are
> infecting other computers on the network.
>
> You should isolate infected computers by disconnecting them from the network, then
> repairing them, and patching them with the latest critical updates from Windows
> Updates. Being current on critical updates may have prevented your problem in the
> first place. Note that installing critical updates does not help an already infected
> computer and ideally a repaired computer would have the drive reformatted and a fresh
> install/image of the operating system but that is your call. It would also be best to
> not put repaired computers back on the network until all infected computers have been
> removed, though again that is your call and a properly patched computer may not get
> reinfected. A temporary solution to help protect computers on the network that do not
> offer shares [domain controllers do] to other computers is to use tcp/ip filtering on
> the network adapter to enable IP filtering for TCP permit only and add no ports to
> the list. Be sure to disable tcp/ip filtering when done as it will interfere with
> remote access to a computer for things like remote Computer Man.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309798 -- tcp/ip filtering
>
> I guess you learned your lesson on not using any or weak passwords and the trouble
> that it can cause. It would be wise to enforce complex passwords on the network in
> Domain Security policy and also have an account lockout policy with a threshold of no
> less than ten bad attempts. This can go a long way to protecting your network. ---
> Steve
>
> http://www.microsoft.com/smallbusiness/gtm/securityguid... -- Microsoft
> security recommendations for small businesses.
>
> "Gary" <Gary@discussions.microsoft.com> wrote in message
> news:3462DC9C-F43E-46DC-8538-3D7D4725327F@microsoft.com...
> > We seem to have contracted a version of the Gaobot in our company. Some pc's
> > (interestingly enough, all Windows 2000) keep getting hit with a
> > systemdll.exe file by an unknown source. I've deleted the file from all the
> > found locations, did a search through the registry and deleted all instances.
> > Everything is fine for a while, but then it appears again. I tried using
> > the Gaobot repair tool, but it comes up empty. What the file appears to do
> > is use or create network shares, it's favorites so far have been WINNT and
> > SYSTEM32, but it also uses print shares by creating a copy of an existing
> > printing on the pc and creating a share for it. I've also seen where it
> > creates a share on a user's My Documents folder, the C drive, and the
> > SYSTEM32\SPOOL\DRIVERS. Here are the share names:
> > C = C$ (default share set up by windows)
> > WINNT = ADMIN$ (default share set up by windows)
> > SYSTEM32\SPOOL\DRIVERS = print$
> > My Document = My Document
> > It will also create a randomly named service that shows up under Manage (ie.
> > aerwse) that will either be set up as Manual run or Disabled which I've
> > searched through the registry for and delete.
> > It looks like the process is being run by user (pc name\Administrators or NT
> > AUTHORITY\SYSTEM). I just found out that when these pcs were set up there
> > was no Admin password set (yeah, it's blank, pretty stupid), so i'm changing
> > those to a more secure password, but I can't do anything with NT
> > AUTHORITY\SYSTEM user account that I know of. If you need any more info I'll
> > be happy to supply it and as always thanks in advance for any help.
>
>
>
Anonymous
August 11, 2004 8:00:30 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Gary.

A search on Google shows that systemdll.exe is found in a number of very recent
virus/worms and parasites [shown as a keyboard logger in one site] . I would also
suggest running AdAware with the latest definitions and try a second virus removal
program. There are free ones online such as at SARC as shown below.

http://security.symantec.com/sscv6/default.asp?producti...

TCPView is free at SysInternals and they also provide other useful free tools such as
Process Explorer and Autoruns [shows startup programs in many places]. It might help
to also try and do repairs in safe mode. -- Steve

http://www.sysinternals.com/ntw2k/freeware/autoruns.sht...

"Gary" <Gary@discussions.microsoft.com> wrote in message
news:344EF6CB-BF29-4BBA-B2AA-CB104C0775E7@microsoft.com...
> Thanks Steve,
> I've tried all those instructions last week, but the systemdll.exe file
> keeps coming back. I'm hoping that by increasing the user security as well
> as applying the Windows Updates will help. I've often pushed the idea of
> using nothing but secure passwords, but apparently nobody listened.
> We have a few specialized PC's that run specific programs which may also be
> causing problems, so I'll definately give TCPView a shot.
> Thanks again for all your suggestions!
>
> "Steven L Umbach" wrote:
>
> > This is from SARC http://www.sarc.com/ and it sounds a lot like what you may
have.
> > The link also includes removal instructions.
> >
> > http://securityresponse.symantec.com/avcenter/venc/data...
> >
> > Your computers could becoming infected and reinfected from either the internet or
> > infected computers on your network. Make sure your firewall is correctly
configured
> > and you can do a basic scan at http://scan.sygatetech.com/ . Be sure that you are
> > using the latest virus definitions as of today from your vendors website. Tools
such
> > as TCPView from Sysinternals can help in determining what computer or computers
are
> > infecting other computers on the network.
> >
> > You should isolate infected computers by disconnecting them from the network,
then
> > repairing them, and patching them with the latest critical updates from Windows
> > Updates. Being current on critical updates may have prevented your problem in the
> > first place. Note that installing critical updates does not help an already
infected
> > computer and ideally a repaired computer would have the drive reformatted and a
fresh
> > install/image of the operating system but that is your call. It would also be
best to
> > not put repaired computers back on the network until all infected computers have
been
> > removed, though again that is your call and a properly patched computer may not
get
> > reinfected. A temporary solution to help protect computers on the network that do
not
> > offer shares [domain controllers do] to other computers is to use tcp/ip
filtering on
> > the network adapter to enable IP filtering for TCP permit only and add no ports
to
> > the list. Be sure to disable tcp/ip filtering when done as it will interfere with
> > remote access to a computer for things like remote Computer Man.
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309798 -- tcp/ip
filtering
> >
> > I guess you learned your lesson on not using any or weak passwords and the
trouble
> > that it can cause. It would be wise to enforce complex passwords on the network
in
> > Domain Security policy and also have an account lockout policy with a threshold
of no
> > less than ten bad attempts. This can go a long way to protecting your
etwork. ---
> > Steve
> >
> > http://www.microsoft.com/smallbusiness/gtm/securityguid... --
Microsoft
> > security recommendations for small businesses.
> >
> > "Gary" <Gary@discussions.microsoft.com> wrote in message
> > news:3462DC9C-F43E-46DC-8538-3D7D4725327F@microsoft.com...
> > > We seem to have contracted a version of the Gaobot in our company. Some pc's
> > > (interestingly enough, all Windows 2000) keep getting hit with a
> > > systemdll.exe file by an unknown source. I've deleted the file from all the
> > > found locations, did a search through the registry and deleted all instances.
> > > Everything is fine for a while, but then it appears again. I tried using
> > > the Gaobot repair tool, but it comes up empty. What the file appears to do
> > > is use or create network shares, it's favorites so far have been WINNT and
> > > SYSTEM32, but it also uses print shares by creating a copy of an existing
> > > printing on the pc and creating a share for it. I've also seen where it
> > > creates a share on a user's My Documents folder, the C drive, and the
> > > SYSTEM32\SPOOL\DRIVERS. Here are the share names:
> > > C = C$ (default share set up by windows)
> > > WINNT = ADMIN$ (default share set up by windows)
> > > SYSTEM32\SPOOL\DRIVERS = print$
> > > My Document = My Document
> > > It will also create a randomly named service that shows up under Manage (ie.
> > > aerwse) that will either be set up as Manual run or Disabled which I've
> > > searched through the registry for and delete.
> > > It looks like the process is being run by user (pc name\Administrators or NT
> > > AUTHORITY\SYSTEM). I just found out that when these pcs were set up there
> > > was no Admin password set (yeah, it's blank, pretty stupid), so i'm changing
> > > those to a more secure password, but I can't do anything with NT
> > > AUTHORITY\SYSTEM user account that I know of. If you need any more info I'll
> > > be happy to supply it and as always thanks in advance for any help.
> >
> >
> >
!