Thank you to all who replied. I am recommending that the device be re-built - even before posting. Just needed to see if there was anything special going on.

Well, here is what I mean - we moved an (apparently) uninfected device into an isolated LAN and infected it there. System was cleaned, including all back doors and reg. code. However, it appears that the /d and /d effects of virtual rooting the IIS server remain persistent across boots - even though we cleaned them. I am suggesting to the team that they re-image the machine, however I found this very weird. Of all devices tested so far there are approx. 6 that have this occur (mostly French version of Win2k - not sure if we have an English version that is affected this way (yes, it was patched with the French patch)).

Possible Causes (decreasing likelihood):
1) Another worm/virus
2) Weird interaction between HW/SW and patch (plus any 3rd party software)
3) Previously unseen side effect of CRII
4) CRx

Possible Resolution:
1) Check all of those damn "Run/RunOnce/RunExec" registry settings
2) Down the machine - reboot with NTFS capable boot disk - replace system.dat(/da0) and user.dat etc.
3) Stop messing around and grab the backup CD. - R.E.L.O.A.D

It will be interesting to see if anyone else experiences this problem though.

______________________________
Garreth J Jeremiah.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 10:56:05 PDT