Marcus Smaby
I am having a continuing problem that I can't seem to get a handle on.
Recently, someone hacked into one of our servers. Now, once or twice a day I
see either the file system.exe or netstats.exe appearing in the system32
folder and in the tasks list. At this point the network is brought to its
knees and it can take me 15 minutes to log into the affected server. I have
checked for references to these two files and I get a hit on system.exe as a
Trojan, but the only hits I get on netstats.exe are as a utility. I have
firewalls. I am at current patch levels on everything. I have Norton
Corporate AV running on all systems but still this continues. I cannot kill
these processes as they come back 'access denied'. My only recourse has been
to rename these files from a CMD prompt, clean out any references from the
registry and reboot. But within the hour, they are back!
1. Is there any way to force a process to die? If I am domain admin, why
would I be denied access?
2. Is there any utility that would lock out a given program from starting?
3. How can I determine where this is coming from?
Thanks in Advance.
Marcus
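A read-only triage check for the recurrence described in this post, written as an added example (it is not from the original thread) for a current Windows host with PowerShell. It records, with a timestamp, whether the two named files are present in System32 and their hashes, which running processes carry those names and under which account, and which Run keys or service ImagePath values reference them, so the hourly return can be timed and traced back to its autostart or launching account instead of being renamed away. The file names come from the post; the log path is an assumption.

```powershell
# Added example, not from the original post. Run from an elevated prompt,
# ideally on a schedule, so successive log entries bracket each reappearance.
$names   = @('system.exe', 'netstats.exe')          # names reported in the post
$sys32   = Join-Path $env:SystemRoot 'System32'
$logPath = 'C:\triage\recurrence.log'                # assumption: pick your own path
New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

foreach ($name in $names) {
    # 1. Is the file there right now? Hash it so you can tell repeat drops apart.
    $path = Join-Path $sys32 $name
    if (Test-Path $path) {
        $info = Get-Item $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        Add-Content $logPath "$stamp FILE $path size=$($info.Length) created=$($info.CreationTime) sha256=$hash"
    } else {
        Add-Content $logPath "$stamp FILE $path absent"
    }

    # 2. Running instances: Win32_Process exposes the parent PID, owner and
    #    command line, which Task Manager does not, and the owner answers the
    #    "why is domain admin denied" question if it turns out to be SYSTEM.
    Get-CimInstance Win32_Process -Filter "Name = '$name'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        Add-Content $logPath "$stamp PROC pid=$($_.ProcessId) ppid=$($_.ParentProcessId) owner=$($owner.Domain)\$($owner.User) cmd=$($_.CommandLine)"
    }

    # 3. Autostart references: values under the common Run keys ...
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip provider metadata properties
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                Add-Content $logPath "$stamp AUTORUN $key\$($p.Name) = $($p.Value)"
            }
        }
    }
    # ... and any service whose ImagePath points at the file.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -match [regex]::Escape($name)) {
            Add-Content $logPath "$stamp SERVICE $($_.PSChildName) ImagePath=$img"
        }
    }
}
```

Correlate the FILE timestamps with the file's CreationTime and with the parent PID and owner of the PROC entries: a parent that is a scheduled task host, a service, or a remote-logon session points at the re-entry path that renaming the files does not close.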