RE: Dr. Watson (was New Virus / Worm??)
The same thing happened to me. It is Nimda. My box appears to be hosed. I was able to boot, but not log on. As soon as I logged on, and the desktop loaded, Doc Watson kept popping up. I booted the system, did not log on, mapped the C$ drive to a machine that had new signature files, and scanned the C$ drive. The Nimda virus came up in mmc.exe and the jetadmin.exe (go figure). The hosed box did not have an altered system.ini or load.exe anywhere. I think I'll be doing a fresh install in the near future. Will -Original Message- From: Randal, Phil [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 19, 2001 9:44 AM To: Exchange Discussions Subject: RE: Dr. Watson (was New Virus / Worm??) You stop the .eml files by getting all the (attacking?) PCs on your network virus scanned with up to date antivirus software with today's virus patterns. Also shut down your IIS services if you think they may have been compromised. Cheers, Phil - Phil Randal Network Engineer Herefordshire Council Hereford, UK > -Original Message- > From: Mike Omilian [mailto:[EMAIL PROTECTED]] > Sent: 19 September 2001 14:40 > To: Exchange Discussions > Subject: Dr. Watson (was New Virus / Worm??) > > > On my Exchange box, when I try to log on, I keep getting Dr. > Watson error > that says the following: > > Explorer.exe > Exception Access Violation (0xc005), Address:0x77f7d18e > > Everytime I close that down, another one pops up in about 5 seconds. > There isn't even enough time to open the Run command to run a latest > patch. The patch for Code Red was installed last month, but > I can't get > on to the server to install the latest one. Any ideas? This started > yesterday when the nimda virus came through. > > Has anyone figured out hoe to stop the creation of *.eml files on the > network too? > > NT 4 sp6a > Exchange 5.5 sp3 > > Mike > > _ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin:[EMAIL PROTECTED] > _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED] _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
RE: Dr. Watson (was New Virus / Worm??)
> Explorer.exe > Exception Access Violation (0xc005), Address:0x77f7d18e the virus seems to do something in it's later stages of infection that causes the problem you describe. Removing the virus has no effect. We have two servers with the same problem, and have tried everything to correct it - if we don't hear of a fix soon it's going to be format time. some people are still unclear on this virus - check your processes in task manager, look for 'mmc.exe' - this is the virus masquerading as the management console. You have to use the kill utility to finish off the process. Then delete mmc.exe from the winnt directory. Get the latest AV definitions and do a scan to quarrantine all the nasty files. delete them. also get people display the 'view as web page' or whatever it is in 'folder options' - this is perpetuating the virus because you can start it off just by selecting the file in the folder. you may also find that your 'guest' account is now a member of the local administrators group! the virus propogates via email, network shares and an IIS backdoor. dan. _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
RE: Dr. Watson (was New Virus / Worm??)
You stop the .eml files by getting all the (attacking?) PCs on your network virus scanned with up to date antivirus software with today's virus patterns. Also shut down your IIS services if you think they may have been compromised. Cheers, Phil - Phil Randal Network Engineer Herefordshire Council Hereford, UK > -Original Message- > From: Mike Omilian [mailto:[EMAIL PROTECTED]] > Sent: 19 September 2001 14:40 > To: Exchange Discussions > Subject: Dr. Watson (was New Virus / Worm??) > > > On my Exchange box, when I try to log on, I keep getting Dr. > Watson error > that says the following: > > Explorer.exe > Exception Access Violation (0xc005), Address:0x77f7d18e > > Everytime I close that down, another one pops up in about 5 seconds. > There isn't even enough time to open the Run command to run a latest > patch. The patch for Code Red was installed last month, but > I can't get > on to the server to install the latest one. Any ideas? This started > yesterday when the nimda virus came through. > > Has anyone figured out hoe to stop the creation of *.eml files on the > network too? > > NT 4 sp6a > Exchange 5.5 sp3 > > Mike > > _ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin:[EMAIL PROTECTED] > _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]
Dr. Watson (was New Virus / Worm??)
On my Exchange box, when I try to log on, I keep getting Dr. Watson error that says the following: Explorer.exe Exception Access Violation (0xc005), Address:0x77f7d18e Everytime I close that down, another one pops up in about 5 seconds. There isn't even enough time to open the Run command to run a latest patch. The patch for Code Red was installed last month, but I can't get on to the server to install the latest one. Any ideas? This started yesterday when the nimda virus came through. Has anyone figured out hoe to stop the creation of *.eml files on the network too? NT 4 sp6a Exchange 5.5 sp3 Mike _ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin:[EMAIL PROTECTED]