Status
Not open for further replies.

ra_sriniketan

In the zone
We have a network in our college with about 120 computers on a LAN running under Windows 2000 Server. Suddenly one day, while browsing the Internet, the mouse pointers on all the PCs froze and the keyboards stopped working, although Ctrl+Alt+Del is still working. The NETSERVER subsequently stopped working after we manually restarted all the PCs. We formatted the NETSERVER but are unable to install any anti-virus software. Whenever we try to click on the setup icon, the anti-virus folder closes and we get back to the desktop. Is this a virus? No virus alert is given, though. We are in big trouble. HELP.
 

phatratt

In the zone
Yup, looks like a virus/trojan infestation. If you can access Task Manager by pressing Ctrl+Alt+Del, check if there are any .exe programs with strange names.
 

ra_sriniketan

In the zone
OK. Here are some more things that might give you guys some clues. Saw lots of zip files in the drives with strange names. Also the machines are showing "low on virtual memory". While shutting down, all the machines show "winzip encountered an error". If I unplug the network the machines run absolutely OK. Are there any patches to solve this problem?
 

mediator

Technomancer
Yup, definitely some virus, because you said a lot of zip files with strange names!
This is what you can do. Try it!
Share the whole hard disk of the infected PCs with both read/write enabled, and connect to another non-infected PC with a good, updated antivirus. Now open the infected PC's hard disk from the clean PC and do a virus scan!
You can scan the server first and then all the remaining PCs through the server!
 

digen

Youngling
ra_sriniketan said:
If I unplug the network the machines run absolutely OK. Are there any patches to solve this problem?
That sums things up for me. A virus/worm infection circulating in the network.

The first and foremost thing you should do is unplug any/all machines which have internet access. This certainly minimizes the further risk or damage of a malicious program causing havoc or phoning home.

The next step would be scanning them one by one for viruses, spyware and the like.

Aren't these machines running an AV? Which OS are the host machines running?

Installing and scanning using a freebie AV like AVG would be good for a start.
 

ra_sriniketan

In the zone
OS: Windows 2k Professional. Using Avast, but most of them got corrupted and we are not able to reinstall it. Whenever we try to install, the anti-virus folder that contains the setup file shuts down automatically and we get back to the desktop; this is happening with Norton 2003 too.
 

ra_sriniketan

In the zone
The dubious processes that are running are:
smss.exe, SMAgent.exe, csrss.exe, Smax4.exe, Smax4PNP, hellmsn.exe, winzip.exe. If I end hellmsn and winzip, the PCs seem to run OK for some time. It's creating lots of zip files on the HDD. Can someone please tell me what the name of this virus/trojan/worm is and what the remedy is? If anyone wants to know about all the processes I can write them down. Please help, it's very urgent.
 

phatratt

In the zone
Smax4.exe, hellmsn.exe

These two exes look like some virus name. Try to boot in safe mode and remove them from msconfig, then search for the exe files by the above-mentioned names and delete or rename them IF POSSIBLE. It's just an experiment; I don't know whether it will work or not, but just give it a try.
8)

Also, smss.exe and csrss.exe are critical tasks of WinXP/2k; you can't just open Task Manager and kill them. But these two files are easily targeted by worms, which disguise themselves under these file names.
 

mehulved

18 Till I Die............
hellmsn.exe is the culprit. It is a trojan named trojan.win32.mytob.
Here's where I got the info from *www.processlibrary.com/directory/files/HELLMSN/
Here I got some information from symantec site about it.
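
An added example, not part of any post in this thread: a Python triage of process image paths covering the two points made above, namely that smss.exe and csrss.exe are legitimate system names that worms imitate, and that hellmsn.exe is the name identified here as the trojan. The sample paths are constructed, the system directories are assumed Windows 2000/XP defaults, and the one-character lookalike check goes slightly beyond what the posts describe.

```python
import ntpath

# Assumption: default system directories (Windows 2000 uses C:\WINNT).
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}
# Critical system process names mentioned in the thread.
CRITICAL = {"smss.exe", "csrss.exe"}
# Name identified in the thread as trojan.win32.mytob.
REPORTED = {"hellmsn.exe"}

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1          # substitution: advance both strings
        j += 1              # insertion in b: advance only the longer one
    return edits + (len(b) - j) <= 1

def classify(image_path):
    """Label one full image path (Windows-style, case-insensitive)."""
    directory, name = ntpath.split(image_path.lower())
    if name in REPORTED:
        return "reported-malware"
    if name in CRITICAL:
        return "ok" if directory in SYSTEM_DIRS else "masquerade-path"
    if any(within_one_edit(name, c) for c in CRITICAL):
        return "lookalike-name"
    return "unclassified"   # not judged here; needs manual review

def triage(paths):
    """Return (path, label) for every path that needs attention."""
    labelled = [(p, classify(p)) for p in paths]
    return [(p, l) for p, l in labelled if l not in ("ok", "unclassified")]

# Constructed sample input, not taken from the affected machines.
SAMPLE = [
    r"C:\WINNT\system32\smss.exe",
    r"C:\WINNT\system32\csrss.exe",
    r"C:\WINNT\Temp\csrss.exe",
    r"C:\WINNT\system32\csrs.exe",
    r"C:\WINNT\system32\hellmsn.exe",
    r"C:\Program Files\WinZip\winzip.exe",
]
```

The check needs full image paths, which a plain process-name list like the one posted earlier does not give; a name match alone cannot tell the real csrss.exe from a copy in another directory.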
 

ra_sriniketan

In the zone
Thanks mate for the confirmation with the trojan name, but is there any tool or patch with which I can kill it? Because I have already used the Mytob patch from the Microsoft security bulletin, and it's not working on this Mytob variant.
 

mehulved

18 Till I Die............
Check it out on the Symantec website; they will most probably have the virus removal tool. Read the instructions in the link I provided you to the Symantec site.
 

mehulved

18 Till I Die............
A virus asking for an antivirus lol. BTW he has mentioned using Avast and Norton anti-virus. But I don't know if he updated it often enough and kept it turned on or not. Or maybe he tried to dig a well when the house was on fire, i.e. tried to install anti-virus when his network was already infected.
 

ra_sriniketan

In the zone
Formatted the NETSERVER totally, including all the drives, as a stand-alone machine. Updated the Avast anti-virus on 29.01.06. It caught a worm named W32 VB-CD.worm; it failed to repair it but deleted it. But it started to create a winzip.tmp file on the C drive and also some strange zip files on the other drives. Deleted them. Any solution? Because it seems it might attack again.
 

__Virus__

Ambassador of Buzz
As you mentioned, you already formatted the server, so it seems the problem is not with it. Maybe a machine on your LAN is affected. As siri or some mod pointed out, why don't we disconnect all the machines from the internet as well as the LAN and give a thorough full system scan with a good antivirus (I would always suggest Kaspersky; different people have different views), so that might probably help you out.
 

mehulved

18 Till I Die............
Man, this is going to be major trouble if all the machines are affected. Also a good firewall with an anti-virus will help a lot.
 

ra_sriniketan

In the zone
Two viruses/worms have affected the machines: Win32.Mytob and Win32.Blackmal(VB-CD).E. Downloaded the removal tools from the Symantec site. All the machines got affected by the Win32.Blackmal one and about 70% are affected by both. The tools are removing the viruses from the machines very effectively, but after some time all the machines are getting affected again. The main problem is that the machines are not able to run any software which requires a little bit of memory, like Photoshop or even scanner software. After I formatted the netserver I downloaded and installed the 29.01.06 update of Avast anti-virus, but today it crashed, and any anti-virus is crashing on all the machines. After wiping out the Win32.Mytob worm, the removal tool gives a message to download two patches from the Microsoft security bulletin, one of which I have already installed with no effect on this Mytob variant, and the other one is for shared server 5.5. But there are no such patches for Win32.Blackmal. I have separated about 50 machines from the network and removed all the viruses so that all the software can run. Should I unplug and remove the viruses from all the machines and then log them back into the network? Is there any free anti-virus for Windows 2000 Server? I am totally confused and in a mess. Please help.
 