VIRUS FOUND!!! PLZ HELP!!!

UserXXXX

Junior Member
Feb 17, 2004
I'm running a win2000 terminal server, and my Norton Antivirus has found a Trojan that I can't get rid of. Norton report:

Scan type: Scheduled Scan
Event: Virus Found!
Virus name: Backdoor.Winshell
File: C:\server.exe
Location: C:
Computer: CITRIX
User: SYSTEM
Action taken: Delete failed :Clean failed : Quarantine failed.

I even tried running Symantec's virus removal tools, Backdoor.winshell.50 & Backdoor.autoupder; neither tool sees this Trojan at all, let alone removes it. I also recently discovered another virus/trojan running on port 8080 called Ringzero; this virus wasn't even seen by Norton, but was picked up by an online Sygate scan. My first and foremost concern is the Backdoor.winshell trojan. Please be advised I can't wipe out this server and just start over; the cost is just too great. Any help anyone can offer would be greatly appreciated.
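As an added example (not from the original post), a small Python triage script that parses NAV scan-report entries in the "Key: value" format shown above and lists the detections where every remediation action failed, i.e. the ones that still need manual cleanup; the second report block in the sample is constructed.

```python
import re
# Constructed sample input: the report from the post above plus a second,
# made-up entry that NAV managed to quarantine.
SAMPLE_REPORTS = """\
Scan type: Scheduled Scan
Event: Virus Found!
Virus name: Backdoor.Winshell
File: C:\\server.exe
Location: C:
Computer: CITRIX
User: SYSTEM
Action taken: Delete failed :Clean failed : Quarantine failed.

Scan type: Scheduled Scan
Event: Virus Found!
Virus name: Backdoor.Winshell
File: C:\\temp\\srv.exe
Location: C:\\temp
Computer: CITRIX
User: SYSTEM
Action taken: Clean failed : Quarantine succeeded.
"""

_ACTION_RE = re.compile(r"(\w+)\s+(failed|succeeded)", re.IGNORECASE)

def parse_reports(text):
    """Return one dict per blank-line separated report; the 'Action taken'
    field is additionally broken out into an 'actions' dict."""
    reports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        fields["actions"] = {a.lower(): s.lower() for a, s in
                             _ACTION_RE.findall(fields.get("Action taken", ""))}
        reports.append(fields)
    return reports

def needs_manual_cleanup(report):
    """True when every remediation step NAV tried failed (file still in place)."""
    actions = report["actions"]
    return bool(actions) and all(s == "failed" for s in actions.values())

def unresolved(text):
    """'Virus name @ File' for every detection NAV could not remediate."""
    return [f"{r['Virus name']} @ {r['File']}"
            for r in parse_reports(text) if needs_manual_cleanup(r)]
```

Running `unresolved(SAMPLE_REPORTS)` returns only the `C:\server.exe` entry, the one NAV could neither delete, clean nor quarantine.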



Xemus

Senior member
Nov 27, 2003
Is the computer local to you? This may be harder if not, but:
1. Disable system restore.
2. Boot into safe mode.
3. Full updated scan with NAV
4. When it's clean, re-enable system restore.

Run an online virus scanner to verify that you're clean when it's done.

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Also figure out where you've left the door open for this type of thing to get in. In NAV, max out your heuristics, scanning within compressed files, and so forth. Allow no exemptions from scanning. Set your system to update its virus definitions frequently (for example, hourly). Have it deal with threats autonomously, not waiting for someone to OK the deletion of an infected file. An ounce of prevention... yeah. The first punch is the one that counts most, so make sure it's your server that gets to throw it. ;)

lobadobadingdong

Aug 27, 2002
Originally posted by: mechBgon
Also figure out where you've left the door open for this type of thing to get in. In NAV, max out your heuristics, scanning within compressed files, and so forth. Allow no exemptions from scanning. Set your system to update its virus definitions frequently (for example, hourly). Have it deal with threats autonomously, not waiting for someone to OK the deletion of an infected file. An ounce of prevention... yeah. The first punch is the one that counts most, so make sure it's your server that gets to throw it. ;)
Almost being overkill, I leave it pretty much on defaults, but then again, there isn't much that even thinks about getting through my firewall.

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: lobadobadingdong
Originally posted by: mechBgon
Also figure out where you've left the door open for this type of thing to get in. In NAV, max out your heuristics, scanning within compressed files, and so forth. Allow no exemptions from scanning. Set your system to update its virus definitions frequently (for example, hourly). Have it deal with threats autonomously, not waiting for someone to OK the deletion of an infected file. An ounce of prevention... yeah. The first punch is the one that counts most, so make sure it's your server that gets to throw it. ;)
Almost being overkill, I leave it pretty much on defaults, but then again, there isn't much that even thinks about getting through my firewall.
Yeah, I tend to be an antivirus nazi :D Out of curiosity, how did you guys fare against MyDoom? It hit fast enough that by the time McAfee had an EXTRA.DAT to tack on for protection against it, we had about three employees receive emails containing .ZIP files which turned out to be MyDoom. Thankfully, 1) they are well-trained and pretty smart, and didn't open the .ZIP files or their contents, and 2) McAfee had a full DAT update ready when the systems logged on in the morning (and I had ePolicy Orchestrator schedule an update 1 minute after log-on to make sure they grabbed it ASAP).

The other filetypes (pif, scr, etc) were blocked by the email server as routine policy, so that helped.