How can it be permanent? I mean, if you delete all instances on hard disk and reg
keys in safe mode when nothing is running, where the heck is it coming back from?
I've always wanted to know.
Also, how the heck does it get elevated privileges? I mean, if I'm running as
joeuser, how is it getting local system rights?
Without revealing specifics (I understand the need to not let everyone on this
list become privy to a hacking Windows how-to): does it need low-level kernel
access? Can this be done via VB or does it have to be written in a lower-level
language?

thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, November 22, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] virus/worm


Hi, I've noticed on several occasions that after a 
certain machine got raped by viruses, even when 
removed and the machine has all latest datfiles and 
critical patches, the viruses keep on coming on in and 
afflicting the same machine again and again and again. 
As stated, this happens even AFTER the previously 
infected machine has been cleaned and "protected" with 
updates and datfiles.

I think, in summary, that sometimes the damage caused 
by virus infections is permanent, regardless of what 
you read on antivirus vendors' websites.

A total software rebuild has been necessary on all 
occasions as described above.

If the systems you mention have not had known virus 
infection and subsequent "fix" then ignore this email. 
But in my experience the antivirus vendors DO NOT TELL 
US EVERYTHING...

Cheers and good luck.
DDH


> Hi all. I am having a serious issue with bot type worms that keep
> infecting my machines over and over. It doesn't matter that I'm fully
> patched and my virus defs are up to date.
> I use Symantec Corporate Edition 9.0 in a win2k mixed mode AD
> environment. My machines all have the most up to date patches and
> hot fixes.
> I have seen machines that are up to date in everything get reinfected
> time and time again. The worm is a variant of what Symantec calls
> Spybot.worm32. It usually creates an exe in system32 called
> Explorer.exe or 386.exe or svchosting.exe and no matter the defs it
> slips by Symantec.
>
> This is a posting perhaps better sent to a virus or Symantec list, but
> you guys seem really knowledgeable and I'd like to pick your collective
> brains about how to deal with this issue.
> I assume it's getting in via laptop users who take their PCs home at
> night or some of our traveling sales guys, but if my desktops are up to
> date and patched, they shouldn't get infected.
> No?
> Am I being naive?
>
> Finally, we are a liquor distributor and a lot of times we have
> suppliers from other companies come in with laptops that give
> PowerPoint presentations and access our internet connection. These guys
> are from elsewhere so they don't have accounts in our domain and thus
> log in locally.
> How can I protect myself against these guys? Management insists they be
> allowed to do their thing with their laptops on our network when they
> come in and since they don't log into our domain, I can't even push out
> a GPO and I'm at the mercy of these guys and what their IT dept did or
> did not do.
> Help!
>
> Thanks a lot. If I can get a solution to just one of these 2
> questions, I'll be a happy man.

> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/