# Network in Trouble



## ra_sriniketan (Jan 26, 2006)

We have a network in our college with about 120 computers in a LAN running under WINDOWS 2000 SERVER. Suddenly one day, while browsing the Internet, all the mouse pointers in all the PCs froze and the keyboards also stopped working, although CTRL+ALT+DEL is working. The NETSERVER subsequently stopped working after manually restarting all the PCs. Formatted the NETSERVER but am unable to install any anti-virus software. Whenever we try to click on the setup icon, the anti-virus folder gets closed and it goes back to the desktop. Is this a virus? Although no virus alert is given. We are in big trouble. HELP.


----------



## phatratt (Jan 27, 2006)

Yup, looks like a virus/trojan infestation. If you can access Task Manager by pressing Ctrl+Alt+Del, check if there are any .exe programs with strange names.


----------



## ra_sriniketan (Jan 27, 2006)

OK. Here are some more things that might give you guys some clues. Saw lots of zip files in the drives with strange names. Also the machines are showing "low on virtual memory". While shutting down, all the machines show "winzip encountered an error". If I unplug the network the machines are running absolutely OK. Are there any patches to solve this problem?


----------



## mediator (Jan 27, 2006)

Yup, definitely some virus, because you said a lot of zip files with strange names!
This is what you can do.. try it!
Share the whole hard disk of the infected PCs with both read/write enabled, and connect to another non-infected PC with a good updated antivirus. Now open the infected PC's hard disk from the clean PC and do a virus scan!
You can scan the server first and then all the remaining PCs through the server!


----------



## ra_sriniketan (Jan 27, 2006)

OK, will try, but in most of the PCs the antivirus also got crashed. Using Avast. Is it good enough?


----------



## digen (Jan 27, 2006)

ra_sriniketan said:

> *If I unplug the network the machines are running absolutely OK*. Are there any patches to solve this problem?


That sums things up for me. A virus/worm infection circulating in the network.

The first & foremost thing you should do is unplug any/all machines which have internet access. This certainly minimizes the further risk or damage involved of a malicious program causing havoc or phoning home.

The next step would be to scan one by one for viruses, spyware & the like.

Aren't these machines running an AV? Which OS are the host machines running?

Installing & scanning using a freebie AV like AVG would be good for a start.


----------



## ra_sriniketan (Jan 27, 2006)

OS: Windows 2k Professional. Using Avast, but most of them got corrupted and are not able to reinstall it. Whenever trying to install, the anti-virus folder that contains the setup file shuts down automatically and goes back to the desktop; happening in the case of Norton 2003 too.


----------



## ra_sriniketan (Jan 28, 2006)

The dubious processes that are running are:
smss.exe, SMAgent.exe, csrss.exe, Smax4.exe, Smax4PNP, hellmsn.exe, winzip.exe. If I end the hellmsn and winzip ones the PCs seem to run OK for some time. It's creating lots of zip files in the HDD. Can someone please tell me what is the name of this virus/trojan/worm and what's the remedy? If anyone wants to know about all the processes I can write them down. Please help, it's very urgent.


----------



## phatratt (Jan 28, 2006)

*Smax4.exe, hellmsn.exe*

These two exe's look like some virus name. Try to boot in safe mode and remove them from msconfig, and try to search for the exe files by the above-mentioned names and delete or rename them IF POSSIBLE. It's just an experiment, I don't know whether it will work or not, but just give it a try.

Also smss.exe and csrss.exe are critical tasks of WinXP/2k; you can't just open the Task Manager and kill them, but these two file names are easily targeted by worms, which disguise themselves under these names.


----------



## mehulved (Jan 28, 2006)

hellmsn.exe is the culprit. It is a trojan named trojan.win32.mytob.
Here's where I got the info from: www.processlibrary.com/directory/files/HELLMSN/
Here I got some information from the Symantec site about it.


----------



## ra_sriniketan (Jan 28, 2006)

Thanks mate for the confirmation of the trojan name, but is there any tool or patch with which I can kill it? Because I have already used the Mytob patch from the Microsoft security bulletin; it's not working on this Mytob variant.


----------



## mehulved (Jan 29, 2006)

Check it out on the Symantec website; they will most probably have the virus removal tool. Read the instructions in the link I provided you to the Symantec site.


----------



## __Virus__ (Jan 29, 2006)

Don't you use a good antivirus or what?


----------



## mehulved (Jan 29, 2006)

A virus asking for an antivirus, lol. BTW he has mentioned using Avast and Norton anti-virus. But dunno if he updated it often enough and kept it turned on or not. Or maybe he tried to dig a well when the house was on fire, i.e. tried to install anti-virus when his network was already infected.


----------



## ra_sriniketan (Jan 29, 2006)

Formatted the NETSERVER totally, including all the drives, as a stand-alone machine. Updated the Avast anti-virus on 29.01.06. It caught a worm named W32 VB-CD.worm, failed to repair it but deleted it. But it started to create a winzip.tmp file in the C drive and also some strange zip files in the other drives. Deleted them. Any solution? Because it seems it might attack again.


----------



## __Virus__ (Jan 29, 2006)

As you mentioned you already formatted the server, it seems it's not the problem with it. Maybe a machine on your LAN is affected. As siri or some mod pointed out, why don't we disconnect all the machines from the internet as well as the LAN and give a thorough full system scan with a good antivirus (I would always suggest Kaspersky, different people have got different views), so that might probably help you out.


----------



## ra_sriniketan (Jan 29, 2006)

Almost all the machines are affected. OK, I'll give it a try.


----------



## __Virus__ (Jan 29, 2006)

Do keep us updated


----------



## mehulved (Jan 30, 2006)

Man, this is gonna be major trouble if all the machines are affected. Also a good firewall with an anti-virus will help a lot.


----------



## ra_sriniketan (Jan 30, 2006)

Two viruses/worms have affected the machines: Win32.Mytob & Win32.Blackmal(VB-CD).E. Downloaded the removal tools from the Symantec site. All the machines got affected by the Win32.Blackmal one & about 70% are affected by both. The tools are removing the viruses from the machines very effectively, but after some time all the machines are getting affected again. The main problem is the machines are not able to run any software which requires a little bit of memory, like Photoshop or even a scanner software, and after I formatted the netserver I downloaded & installed the 29.01.06 update of Avast anti-virus. But today it crashed & any anti-virus is getting crashed in all the machines. After wiping out the Win32.Mytob worm the removal tool is giving a message to download two patches from the Microsoft security bulletin, one of which I have already installed with no effect on this Mytob variant, and the other one is for Shared Server 5.5. But no such patches for Win32.Blackmal. I have separated about 50 machines from the network & removed all the viruses so that all the software runs. Should I unplug and remove the viruses from all the machines and then log them back into the network? Is there any free anti-virus for Windows 2000 Server? I am totally confused & in a mess. Please help.


----------



## mehulved (Jan 30, 2006)

You should surely disconnect the server from the network. You will have to clean off all the machines before you can connect the server again to the network. It will mean a lot of downtime but it will have to be done to wipe off the virus effectively.


----------



## ra_sriniketan (Jan 30, 2006)

Can someone confirm, does "Blackmal" hit the WMF (Windows Meta File) vulnerability?


----------



## ra_sriniketan (Jan 30, 2006)

Is it the WMF vulnerability or the Vulnerability in Embedded Web Fonts? Please confirm.


----------



## ra_sriniketan (Feb 3, 2006)

Killed it. It's the famous Kamasutra/Blackmal/CD-VB. If anyone gets infected by it, here's the process to disinfect:
Download the virus removal tool for Blackmal.E from Symantec.com.
Unplug the machines from the network.
Run the removal tool from a CD-ROM, because if anyone tries to run it from a pendrive/floppy the virus will get into it and might corrupt the removal tools.
This will clean up your machines completely from the virus.
Now install any good anti-virus with the latest update. I am using Norton.
Run a full system scan.
Plug into the network.
But remember to clean all the machines in the network if they get affected, because if a single machine contains it, it will run through the network like hell.
Facts: It will upgrade itself on every 3rd of the month, only if it's already in your machine.
There's nothing to worry about while accessing E-mail, just be careful not to download anything dubious, particularly .scr and .mim files; it might come from a friend's address of yours, that's the way it spreads.
As far as I have seen it won't affect the files that are within the folders; only the openly placed files are getting affected.
If the virus affects your PC you will see lots of zip files in your PC and a winzip.tmp file in the C drive.
That's it.
Cheers!
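
A small host-triage script for the indicators this thread describes (the hellmsn.exe/winzip.exe process names, system-process names such as smss.exe/csrss.exe running outside the system directory, winzip.tmp in the C: root and stray zip files in drive roots), added here as an example; it is not tooling from the forum, Symantec or any vendor mentioned, and the Win2k system32 path and all sample data are assumptions.

```python
"""Host-triage helper for the indicators reported in this thread.
Added example, not the forum's own tooling; all sample data is constructed."""
from pathlib import PureWindowsPath

# Process names the thread attributes to the worm.
WORM_PROCESS_NAMES = {"hellmsn.exe", "winzip.exe"}
# Genuine Win2k system processes the thread says worms impersonate by name;
# a copy running from anywhere but the system directory is suspect.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe"}
SYSTEM_DIR = PureWindowsPath(r"C:\WINNT\system32")  # assumption: default Win2k path

def triage_processes(processes):
    """processes: iterable of (name, image path). Returns a list of findings."""
    findings = []
    for name, image in processes:
        lname = name.lower()
        if lname in WORM_PROCESS_NAMES:
            findings.append(f"worm process name: {image}")
        elif lname in SYSTEM_PROCESSES and PureWindowsPath(image).parent != SYSTEM_DIR:
            findings.append(f"system process name running outside system32: {image}")
    return findings

def triage_files(paths):
    """Flags winzip.tmp in the C: root and .zip files dropped in a drive root,
    the two file-system signs the thread reports ('openly placed' files only)."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        in_drive_root = wp.parent == PureWindowsPath(wp.anchor)
        if wp.name.lower() == "winzip.tmp" and wp.anchor.upper() == "C:\\":
            findings.append(f"winzip.tmp dropped in C: root: {p}")
        elif wp.suffix.lower() == ".zip" and in_drive_root:
            findings.append(f"zip file dropped in drive root: {p}")
    return findings

if __name__ == "__main__":
    # Constructed sample data resembling the thread's description of an infected host.
    procs = [("smss.exe", r"C:\WINNT\system32\smss.exe"),
             ("hellmsn.exe", r"C:\WINNT\hellmsn.exe"),
             ("csrss.exe", r"C:\Documents and Settings\lab\csrss.exe")]
    files = [r"C:\winzip.tmp", r"D:\3Ms9Qx.zip", r"C:\lab\notes\report.zip"]
    for finding in triage_processes(procs) + triage_files(files):
        print(finding)
```

Feed it a real process list (name plus image path) and a file listing from the host being triaged; path comparison is case-insensitive, as on Windows.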


----------



## __Virus__ (Feb 4, 2006)

Ohhhhh, the ongoing virus struck you. Well, nice to know that you are out of it... well, thanks for the instructions.


----------



## ra_sriniketan (Feb 4, 2006)

Any time, mate.


----------

