Wednesday, October 12, 2005

Kansas Tech Consultants Blog

I have two servers at the same library with the exact same symptoms. When I try to do Windows Updates, IE stops responding. Symantec Corporate Edition has real-time protection disabled even though it is enabled in the settings. If I try to do a manual scan, it aborts before the window even opens, with the message "aborted by user". Whenever I try to go to an anti-virus website, IE stops responding. I downloaded the latest version of Stinger on another computer, copied it to the servers and ran it; it found nothing. Ad-Aware and Spybot have not found anything.

Booting into safe mode w/ network support, I was able to get the Panda online scanner to run, but it did not find anything. I was also able to do a Windows Update, but it did not solve any problems. The hosts file only has one entry, for localhost - 127.0.0.1; I believe that is correct. The Symantec manual scan works in safe mode, but finds nothing. I tried to install Baseline Security Analyzer in safe mode, but it will not run without MS Installer, and in normal mode it freezes when you try to open it.

HijackThis doesn't find anything alarming. Is there something I am overlooking? Everything is working so far, but I just don't trust the system. I have a feeling that it may have been zombified, but I can't get any information out of it. Also, HKLM and HKCU show only NAV products loading at startup.

Thanks for any suggestions.

2 Comments:

At 8:33 AM, Blogger twiggle said...

This sounds awful. It sounds like one of those undetectable rootkits for Windows 2000 that all the kids are gay for nowadays.

http://it.slashdot.org/article.pl?sid=05/09/28/1438213&tid=172

and
http://www.securityfocus.com/columnists/358

This may require a reinstall, esp. if you can't find the rootkit.

At 3:56 PM, Blogger Orcish said...

Yeah, we decided that we are going to do a reinstall. I am going to round up all the software and an extra drive to do a second backup, then just redo everything, and then make sure everything is updated and locked down before we redeploy.

Orc
