BigBendFishing.Net

We have only one WIN2003 server here and a hacker got into it and changed the registry setting for the Network Services If you have a 2003 server there, could you look and see what file should be executed from the registry setting "My Computer\HKEY_LOCAL_MACHINE\System\controlset001\services\netsrv" The SOB put a Trojan .exe in place of the real file

Google "netsrv.exe"

It is a trojan. Looks to be a little complicated to remove, but try avg antispyware trial.....I have had good luck with it.....

Beware, DO NOT go to one of the sites on google and download removers. You will get more than you bargained for!

Just read up on it...


Dubble

Don't have the netsrv.exe trojan I do have a network service that don't work do to him changing the registry to run a trojan in place of the network service I just can't find which file SHOULD be running instead of the one he put in place
PS: The server has been cleaned I just have to repair the damage now

I just checked 2 of my servers. They do not have that key in the registry at all. One is SBS 2003 and the other is 2003 R2.

So, I have no idea what file should be there. Sorry.

Dubble

Checked a few more and NONE of the servers have the Key "system" under ControlSet001.

All have just 4

Control
Enum
Hardware Profiles
Services

Dubble

Ours is 2003 standard edition with Exchange 2003 installed.
These where they major files he installed "through our firewall"
JAcheck.dll Generic BackDoor(Trojan)
psexec.exe RemAdm-PSKill(Remote Admin Tool)
csrms.exe ServU-Daemon(Trojan)
As well as some txt files that he used
I guess I'll just restore the hive "from backup" to a directory and see what it had in it before the intrusion

Dunno....they don't let me play with the servers...I know enough to either break them or fix them

Ahhhh....hmmmmm

What does your backup say

I'm an IDIOT I typed in system to many times
My Computer\HKEY_LOCAL_MACHINE\System\controlset001\services\netsrv

ah, now that could make a difference. Hang on, and I will look again....

Dubble

I think that key must been added by the trojan. The key "netsrv" is not under ControlSet001/Services on any of the 3 2003 servers I just looked at.

Try exporting the key netsrv, then delete it, and try that. You can reimport it if it does not work.

Oh, and remember you will have to reboot to check it.


Dubble

Chalk wrote:Dunno....they don't let me play with the servers...I know enough to either break them or fix them

Ahhhh....hmmmmm

What does your backup say

hehe, servers are fun. I love watching 25 people running around freaking out..........They look at you and say, "How can you be so calm. That is when you just keep quiet and don't tell them you already got it fixed. Just have a little fun and watch the action for another 10 minutes before putting them back online.....

Dubble

Oh yeah, keep a spray bottle of water handy, so you can look like you are sweating a little.....

Hey just call the tech guy, oh wait a minute thats you

I help manage a pretty complex system, keyword being manage

http://www.ctc.com/files/ctcVideos/DJC2_medium.wmv

The thing that REALLY freaks me out is our defense system being run on WINDOZS......


"Ok, Mr. President, we are launching a first strike to disable their missle system....Ahhhhh....waiiiaattt just a minute...the system just locked up, but it's ok we are reboo.......BOOOMMMMMMMMMM!!!!!



Dubble


PS, The virus that locked up the system came from Russia and China...