Virus that causes a lot of traffic?

Paul fpvt2

Recently some of our servers received so much traffic that
it caused the servers to go down. We have installed SP3
for SQL Server 2000, so I don't think it is related to
the W32/SQLSlammer.worm. We also installed Symantec
antivirus software on all our servers. Are there any other
viruses that would cause a lot of traffic to your machine?

Thank you.
 
Replied in m.p.windows.server.general. Please don't multipost - if you need
to post to multiple groups, it's best to crosspost instead, by posting a
single message to a handful of relevant groups (separate the NG names with
commas) so that everyone can follow the thread. This makes it easier for
everyone, including you.
 
You will have to use Ethereal or some other packet analysis tool and examine the traffic
to/from the server to see what's going on. In the meantime, I suggest performing the
following...

1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example, lpt265.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities: Trend Sysclean, Stinger and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point


* * * Please report your results ! * * *

Dave






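The kind of triage Dave describes, as an added example that is not from the thread: given packet summaries of the sort Ethereal exports, it totals bytes per source and flags sources that fan out to many hosts on one port or talk to the ports the thread's malware families are known for. The capture lines are constructed, and the port-to-family mapping (UDP/1434 for Slammer, TCP/6667 for IRC bots) is an assumption stated in the code.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumption (general background, not stated in the thread): SQL Slammer sprays
# UDP/1434, the SQL Server resolution service; Sdbot/Agobot/IRC-Flood style bots
# hold a connection to an IRC server, conventionally TCP/6667.
WATCH_PORTS = {
    1434: "SQL resolution service port (Slammer-style UDP spray)",
    6667: "IRC port (Sdbot/Agobot-style bot command channel)",
}

# Constructed capture in a simplified tcpdump-like form:
#   <proto> <src>:<sport> > <dst>:<dport> len <bytes>
SAMPLE_CAPTURE = """\
udp 10.0.0.5:1055 > 203.0.113.7:1434 len 404
udp 10.0.0.5:1055 > 203.0.113.8:1434 len 404
udp 10.0.0.5:1055 > 198.51.100.12:1434 len 404
udp 10.0.0.5:1055 > 198.51.100.13:1434 len 404
udp 10.0.0.5:1055 > 192.0.2.200:1434 len 404
tcp 10.0.0.9:1034 > 192.0.2.40:6667 len 120
tcp 10.0.0.9:1034 > 192.0.2.40:6667 len 90
tcp 10.0.0.9:1034 > 192.0.2.40:6667 len 60
tcp 10.0.0.7:2300 > 10.0.0.5:445 len 1500
udp 10.0.0.7:1200 > 10.0.0.1:53 len 80
arp who-has 10.0.0.3 tell 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+len\s+(?P<length>\d+)\s*$"
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_capture(text):
    """Parse the summary lines; lines the regex does not understand (ARP, ICMP...) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["proto"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), int(m["length"])))
    return packets


def bytes_by_source(packets):
    """Total bytes sent per source address: the 'top talker' view."""
    totals = Counter()
    for p in packets:
        totals[p.src] += p.length
    return totals


def fan_out(packets):
    """Distinct destinations per (src, proto, dport): one host hitting many
    peers on a single port is the signature of a worm or scanner."""
    peers = defaultdict(set)
    for p in packets:
        peers[(p.src, p.proto, p.dport)].add(p.dst)
    return peers


def triage(text, fan_out_threshold=3):
    packets = parse_capture(text)
    findings = []
    for (src, proto, dport), dsts in fan_out(packets).items():
        reasons = []
        if len(dsts) >= fan_out_threshold:
            reasons.append(f"fan-out to {len(dsts)} hosts on one port (worm/scanner-like)")
        if dport in WATCH_PORTS:
            reasons.append(WATCH_PORTS[dport])
        if reasons:
            findings.append({"src": src, "proto": proto, "dport": dport,
                             "distinct_dsts": len(dsts), "reasons": reasons})
    findings.sort(key=lambda f: (-f["distinct_dsts"], f["src"]))
    return {"top_talkers": bytes_by_source(packets).most_common(3),
            "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_CAPTURE)
    for src, total in report["top_talkers"]:
        print(f"{src:<15} {total:>6} bytes")
    for f in report["findings"]:
        print(f"{f['src']} -> {f['proto']}/{f['dport']} "
              f"({f['distinct_dsts']} hosts): " + "; ".join(f["reasons"]))
```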
 
Thank you very much for your reply. I will suggest that
to our network administrator.

My boss is convinced that we have SQL Slammer, but we
told him that we have installed SQL Server 2000 SP3 on
those machines that have a lot of traffic. I am wondering
if there is any other virus that can cause heavy traffic
to the server besides SQL Slammer, so that I can suggest
that they look at other viruses, not only SQL Slammer.

Also, if we have 3 servers, 2 of them have SQL Server
2000 SP3 installed, and 1 does not have it, is it
possible the SQL Slammer comes from this 1 server and
causes the heavy traffic on the other 2 servers?

Thank you.
 
I am sorry. I will do that next time. Thank you for the
suggestion and sorry for the inconvenience.
 
Paul:

That's what Ethereal is for: determining what the traffic is, what port it is on and what
the actual traffic is.

Dave




 
Thank you very much.
I will suggest it to my office.

May I ask, is it correct that Adaware only looks for
spyware-type viruses?

Before I run Trend Sysclean, Stinger and Adaware, is it
necessary to boot in safe mode?

What do you think of the virus check from
http://housecall.trendmicro.com/housecall/start_corp.asp
compared to the Trend Sysclean Package? Is Trend Sysclean
Package a free utility?

Thanks again.
 
Paul:

All viruses are malware but not all malware are viruses.

Adaware looks for non-viral malware (browser hijackers, adware, spyware, data miners, etc.).
Stinger looks for some Trojans but mostly Internet worms.
Trend Sysclean is a broad-spectrum virus, worm and Trojan cleaner.

Running the suggested utilities in Safe Mode increases the effectiveness of all the scanners
to both detect and to clean.

Trend Housecall is a web based scanner while Trend Sysclean is a Command Line scanner and
they share the same Pattern Files. However, Sysclean is not dependent upon a browser and
because it can run in Safe Mode it is more effective.

Yes, Trend Sysclean is free.

Dave




 
Thank you very much.
Can I ask you another question ?

So, even though all of our servers already have Symantec
antivirus software installed (with the latest virus
definitions), it might miss some viruses, and that's why it's
a good idea to still run Stinger, Adaware and Trend
Sysclean, right?

So, even though all the servers have up-to-date antivirus
software, if one of the clients connecting to it does not
have up-to-date antivirus software, is it possible for the
client machine to infect the server and cause the
unusually heavy traffic to the servers?

In my earlier posting, I mistakenly mentioned that
because of the unusually heavy traffic, some of the
servers went down. I meant to say that because of the unusually
heavy traffic, some of the servers lost connection to the
internet. So, the servers did not go down where we needed
to reboot the machine; the machines were still up, except
they lost the internet connection.

Thank you.
 
Replies are inline...
| Thank you very much.
| Can I ask you another question ?
|
| So, even though all of our servers already have Symantec
| antivirus software installed (with the latest virus
| definition), it might miss some viruses, that's why it's
| a good idea to still run the Stinger, Adaware and Trend
| Sysclean, right ?


Yes. No AV software is 100% and you never know if you got infected before a signature for
the given infector was released. While there may be some detection by Symantec for
non-viral malware, it is not Symantec's intent. Adaware's intent is non-viral malware. The
use of the tools mentioned gives a very broad coverage. Even still, they are not 100%
coverage. Trend Sysclean is good, but also not good enough as there are infectors that I
know of that Sysclean will NOT detect. However, it is a "good start".


| So, even though all the servers have uptodate antivirus
| software, if one of the clients connecting to it does not
| have uptodate antivirus software, it is possible for the
| client machine to infect the server and cause the
| unusually heavy traffic to the servers ?

It's a possibility. So is an admin using the server as if it was a workstation who browsed
a couple of sites and got infected with non-viral malware (aka parasites).


| In my earlier posting, I mistakenly mentioned that
| because of the unusually heavy traffic, some of the
| server went down. I meant to say because of the unusually
| heavy traffic, some of servers lost connection to the
| internet. So, the servers did not go down where we needed
| to reboot the machine, the machine were still up, except
| it lost the internet connection.
|
| Thank you.

Sounds like non-viral parasitical action. Certainly not the Lovsan/Blaster as suggested in
the XP thread.

Dave
 
Thank you very much for all your help. I appreciate it.
 
Hi Dave,
Yesterday, our network administrator ran the Stinger and
Trend Housecall (albeit not in a safe mode) on our
Win2000 servers.

The following were the viruses that cannot be cleaned.
Do you know the best way to clean these viruses? Do we
need to reboot the machine in safe mode, go to the DOS
prompt, unhide the directory and files, and delete them?

- Bkdr./bounce.a. It is in c:\winnt\system32\config\services.exe.
Housecall cannot clean it.
- Troj SQLSpida.B. It is in c:\winnt\system32\drivers\services.exe.
This is a hidden file that was only shown when "Show all hidden files and
directories" in Windows Explorer was selected. Housecall cannot clean it.
- HTML_Netsky.P. It is in c:\program files\..\..\RYGJYXY0* Layer2 nonamefl*.
In Windows Explorer, even after "Show all hidden files and directories" was
selected, you still cannot see this directory. Housecall cannot clean it.
- IRC/Flood.ap Trojan at c:\winnt\system32\OCXDLL.EXE\DLL32NT.HLP.
Stinger cannot clean this file.


The following were viruses that were successfully cleaned:
- Malware.pe_parite.a
- malware.worm_agobot-2
- W32/Sdbot.worm.gen.T
- W32/Sdbot.worm.gen.R

Do you think any of the malware that was found above
could cause the high bandwidth traffic on the servers?

Thanks again in advance.
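A host-side check that captures the tells in Paul's list (a services.exe outside system32, hidden entries, a directory named like a DLL), added here as an example and not from the thread. The directory listing is constructed, and the expected home of services.exe in c:\winnt\system32 is an assumption stated in the code.

```python
import ntpath

# Assumption for this example: on Windows 2000 the genuine copies of these core
# binaries live only in %SystemRoot%\system32 (c:\winnt\system32 in the thread).
SYSTEM32 = r"c:\winnt\system32"
CORE_BINARIES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "csrss.exe"}
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".scr"}

# Constructed listing: (full path, is_directory, is_hidden). The first four
# entries mirror the locations reported in the thread; the rest are benign filler.
SAMPLE_LISTING = [
    (r"c:\winnt\system32\services.exe", False, False),           # the genuine one
    (r"c:\winnt\system32\config\services.exe", False, False),    # where Bkdr./bounce.a sat
    (r"c:\winnt\system32\drivers\services.exe", False, True),    # where Troj SQLSpida.B sat
    (r"c:\winnt\system32\OCXDLL.EXE", True, True),               # a directory named like a DLL
    (r"c:\winnt\system32\OCXDLL.EXE\DLL32NT.HLP", False, True),
    (r"c:\winnt\system32\drivers\ntfs.sys", False, False),
    (r"c:\winnt\system32\config\system", False, False),
]


def _norm(path):
    return ntpath.normpath(path).lower()


def _under(path, root):
    root = _norm(root)
    return path == root or path.startswith(root + "\\")


def check_entry(path, is_dir, is_hidden):
    """Reasons this entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    name = ntpath.basename(path).lower()
    parent = _norm(ntpath.dirname(path))
    ext = ntpath.splitext(name)[1]
    if name in CORE_BINARIES and parent != _norm(SYSTEM32):
        reasons.append(f"{name} outside {SYSTEM32}: masquerading as a system binary")
    if is_dir and ext in EXECUTABLE_EXTS:
        reasons.append("directory named like an executable")
    if is_hidden and _under(parent, SYSTEM32):
        reasons.append("hidden entry under system32 (some legitimate files are hidden too, so verify)")
    return reasons


def scan_listing(listing):
    """Map normalised path -> reasons, for every entry that raised at least one."""
    findings = {}
    for path, is_dir, is_hidden in listing:
        reasons = check_entry(path, is_dir, is_hidden)
        if reasons:
            findings[_norm(path)] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan_listing(SAMPLE_LISTING).items():
        print(path)
        for r in reasons:
            print("   -", r)
```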
 
Yes, they can cause high bandwidth usage on your network and the rest of the
world by distributing themselves from your internet connection. If you have
all that stuff on your servers it's best to unplug them completely and
rebuild from scratch, making sure that all software is installed from clean
sources. Do not expose them to your LAN or the internet until they have all
patches and proper virus protection and firewalls. You will also probably
have to clean all the other machines on your network as they are likely also
infected at this point... Note that if you leave one infected machine on the
network it will quickly reinfect any other machine that you clean up.
 
Thank you for your reply.
Earlier I failed to mention that those viruses were found
on more than one machine.
For example: Bkdr./bounce.a and Troj SQLSpida.B were found on
one machine.
IRC/Flood.ap Trojan was on a different machine.
Malware.pe_parite.a was on a different machine.
malware.worm_agobot-2 was on a different machine.
W32/Sdbot.worm.gen.T was on a different machine.
W32/Sdbot.worm.gen.R was on a different machine.

I am just wondering how to best clean or delete those
viruses?
We do have Symantec AV with the latest virus definitions
installed, and we have it running on schedule every day.
It did not catch the viruses mentioned above. We also
have a firewall.

Thanks a lot.
 
If Symantec didn't catch the above, all of which are old versions, then
you have not been doing your updates nightly and pushing them out to the
workstations.

If you want to know what those viruses/trojans do, go to Symantec's site
and enter their name in the search box - it will be clear what they do
and how to clean them.
 
YES !

They would definitely bog down the Server -- No doubt.

Please do NOT follow the "other" Dave's suggestion. You do not need to rebuild the server
at this time.

You need to run the utilities in Safe Mode ! This increases the effectiveness of both
finding infectors and removing them.

You need to load the Task Manager and shutdown as many running processes as possible.

Then run the utilities. I also suggest going back to Trend and downloading both the latest
Trend Pattern Files and Sysclean.com -- Both were updated Today.

I also invite you to email me and I can provide you with information on another Command Line
Scanner. I can't post the information in public due to licensing issues.

Just remove ~nospam~.

Dave




 
Paul, you will need to visit your Anti-Virus program vendor's web site
and look up the cleaning instructions from there.

Also, if you are distributing patches automatically, you need to check
that the patches are being applied. Norton Corporate Edition or
whatever it is called these days has a console from which you can
check the settings on all machines. When I was looking after such an
installation (NAV CE 7.5) I found that I had to check regularly,
because not all machines pulled down the virus definitions as
expected.

Cheers,

Cliff
 
Thank you very much for the offer to email you, Dave. I appreciate it.

They decided for now not to use this one machine that has the most viruses
(Bkdr./bounce.a and Troj SQLSpida.B), but they told me to look at it when I
have a minute.
Another person in my company had deleted the 2 files (c:\winnt\system32\config\services.exe
and c:\winnt\system32\drivers\services.exe) in safe
mode. Then, he reran Housecall (not in safe mode) and it says no more
viruses. But, after that the high bandwidth traffic still happened, and as
soon as we disconnected this computer, everything was fine again.

So, my plan was to follow your suggestion to boot in safe mode and run
Sysclean in safe mode. Shall I choose to boot in DOS or not?
I will also run Stinger in safe mode.
I will post my result.
If I don't find any more viruses, I will email you regarding the other
Command Line scanner.

Thanks a lot for your help.
 
You can boot DOS but... only if the platform uses FAT32, not NTFS. Otherwise you have to
use the Command Console. However, neither Trend Sysclean nor Stinger will run in the Command
Console. The alternate scanner I will provide you information on *may* run in the Command
Console as it is a multi-mode DOS/Win32/Win64 scanner.

Dave



| "David H. Lipman" wrote:
|
| > YES !
| >
| > They would definitely bog down the Server -- No doubt.
| >
| > Please don NOT follow the "other" Dave's suggestion. You do not need to rebuild the
server
| > at this time.
| >
| > You need to run the utilities in Safe Mode ! This increases the effectiveness of both
| > finding infectors and removing them.
| >
| > You need to load the Task Manager and shutdown as many running processes as possible.
| >
| > Then run the utilities. I also suggest going back to Trend and downloading both the
latest
| > trend Pattern Files and Sysclean.com -- Both were updated Today.
| >
| > I also invite you to email me and I can provide you with information on another
| > Command Line Scanner. I can't post the information in public due to licensing issues.
| >
| > Just remove ~nospam~.
| >
| > Dave
| >
| >
| >
| >
| > | Hi Dave,
| > | Yesterday, our network administrator ran the Stinger and
| > | Trend Housecall (albeit not in a safe mode) on our
| > | Win2000 servers.
| > |
| > | The following were the viruses that can not be cleaned.
| > | Do you know the best way to clean these viruses ? Do we
| > | need to reboot the machine in a safe mode, go to DOS
| > | prompt, unhide the directory and files, and delete them ?
| > |
| > | . Bkdr./bounce.a. It is in c:\winnt\system32
| > | \config\services.exe. Housecall can not clean it.
| > | . Troj SQLSpida.B. It is in c:\winnt\system32
| > | \drivers\services.exe. This is a hidden file that was
| > | only shown when "Show all hidden files and
| > | directories" in Windows explorer was selected. Housecall
| > | can not clean it.
| > | . HTML_Netsky.P. It is in c:\program
| > | files\..\..\RYGJYXY0* Layer2 nonamefl*. In Windows
| > | explorer, even after "Show all hidden files and
| > | directories" was selected, you still can not see this
| > | directory. Housecall can not clean it.
| > | . IRC/Flood.ap Trojan at c:\winnt\system32
| > | \OCXDLL.EXE\DLL32NT.HLP. Stinger can not clean this file.
| > |
| > |
| > | The following were viruses that were successfully cleaned:
| > | . Malware.pe_parite.a
| > | . malware.worm_agobot-2
| > | . W32/Sdbot.worm.gen.T
| > | . W32/Sdbot.worm.gen.R
| > |
| > | Do you think any of the malware that were found above
| > | could cause the high bandwidth traffic on the servers ?
| > |
| > | Thanks again in advance.
| > |
| > | >-----Original Message-----
| > | >You will have to use Ethereal or some other packet analysis tool and examine the traffic
| > | >to/from the server to see what's going on. In the mean time, I suggest performing the
| > | >following...
| > | >
| > | >1) Download the following four items...
| > | >
| > | > McAfee Stinger
| > | > http://vil.nai.com/vil/stinger/
| > | >
| > | > Trend Sysclean Package
| > | > http://www.trendmicro.com/download/dcs.asp
| > | >
| > | > Latest Trend Pattern File.
| > | > http://www.trendmicro.com/download/pattern.asp
| > | >
| > | > Adaware SE (free personal version v1.05)
| > | > http://www.lavasoftusa.com/
| > | >
| > | >Create a directory.
| > | >On drive "C:\"
| > | >(e.g., "c:\New Folder")
| > | >or the desktop
| > | >(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
| > | >
| > | >Download Sysclean.com and place it in that directory.
| > | >Download the Trend Pattern File by obtaining the ZIP file.
| > | >For example; lpt265.zip
| > | >
| > | >Extract the contents of the ZIP file and place the contents in the same directory as
| > | >sysclean.com.
| > | >
| > | >2) Update Adaware with the latest definitions.
| > | >3) If you are using WinME or WinXP, disable System Restore
| > | > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
| > | >4) Reboot your PC into Safe Mode
| > | >5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
| > | > platform and clean/delete any infectors/parasites found.
| > | > (a few cycles may be needed)
| > | >6) Restart your PC and perform a "final" Full Scan of your platform using the three
| > | > utilities; Trend Sysclean, Stinger and Adaware
| > | >7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
| > | > System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
| > | >8) Reboot your PC.
| > | >9) If you are using WinME or WinXP, create a new Restore point
| > | >
| > | >
| > | >* * * Please report your results ! * * *
| > | >
| > | >Dave
| > | >
| > | >
| > | >
| > | >
| > | >
| > | >
| > | in message
| > | >| Recently some of our servers received so much traffic that
| > | >| it caused the servers to go down. We have installed SP3
| > | >| for SQL Server 2000, so I don't think it is related with
| > | >| the W32/SQLSlammer.worm. We also installed Symantec
| > | >| antivirus software in all our servers. Is there any other
| > | >| viruses that would cause a lot of traffic to your
| > | >| machine ?
| > | >|
| > | >| Thank you.
| > | >
| > | >
| > | >.
| > | >
| >
| >
| >
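The thread's first piece of advice is to put Ethereal (or another packet analyser) on the wire and see what the server is actually sending, but it never shows what to look for. The script below is an added example, not code from the thread or from any of the tools named in it. It reads a constructed, whitespace-separated export of connection records (src, dst, dst_port, bytes), which you would produce from your own capture, and reports the three behaviours the families named in this thread are known for: fan-out probing of TCP/1433 (how SQLSpida spreads to other MS SQL hosts), outbound IRC connections (how Sdbot/Agobot-style bots are controlled), and a single flow carrying a disproportionate share of one host's bytes (a flood). The fan-out threshold and the IRC port list are assumptions; tune them for your network.

```python
"""Summarise exported connection records to find the host, and the kind of
traffic, behind a bandwidth spike.  Added example; sample data is constructed."""
import re
from collections import defaultdict

SCAN_FANOUT = 20                                # assumption: distinct targets on one port before we call it a scan
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}      # assumption: common IRC ports, adjust for your site

# Constructed sample in a simple "src dst dst_port bytes" format.  Addresses are
# RFC 1918 / documentation ranges and are invented for this example.
SAMPLE = "\n".join(
    # host A probing TCP/1433 across a /24: worm-like fan-out
    [f"10.0.0.5 10.0.1.{i} 1433 60" for i in range(1, 41)]
    # host A also holding a connection to an IRC server
    + ["10.0.0.5 203.0.113.9 6667 1200"] * 5
    # host B doing ordinary web traffic
    + ["10.0.0.7 198.51.100.3 80 15000", "10.0.0.7 198.51.100.4 443 22000"]
    # host C flooding one target: many packets, lots of bytes, one flow
    + ["10.0.0.9 198.51.100.50 80 1500"] * 200
)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse(text):
    """Turn the text export into (src, dst, dport, bytes) tuples; reject malformed lines."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: cannot parse {line!r}")
        src, dst, dport, size = m.groups()
        records.append((src, dst, int(dport), int(size)))
    return records


def summarise(records):
    """Aggregate bytes per source, distinct targets per (source, port), IRC peers, and per-flow totals."""
    bytes_out = defaultdict(int)
    targets = defaultdict(set)                   # (src, dport) -> {dst, ...}
    irc_peers = defaultdict(set)                 # src -> {dst, ...}
    per_flow = defaultdict(lambda: [0, 0])       # (src, dst, dport) -> [packets, bytes]
    for src, dst, dport, size in records:
        bytes_out[src] += size
        targets[(src, dport)].add(dst)
        if dport in IRC_PORTS:
            irc_peers[src].add(dst)
        per_flow[(src, dst, dport)][0] += 1
        per_flow[(src, dst, dport)][1] += size
    return bytes_out, targets, irc_peers, per_flow


def findings(records):
    """Return (host, kind, detail) triples: 'scan', 'irc', and the single 'top-talker'."""
    bytes_out, targets, irc_peers, per_flow = summarise(records)
    out = []
    for (src, dport), dsts in sorted(targets.items()):
        if len(dsts) >= SCAN_FANOUT:
            out.append((src, "scan", f"{len(dsts)} distinct hosts on tcp/{dport}"))
    for src, peers in sorted(irc_peers.items()):
        out.append((src, "irc", "talks to " + ", ".join(sorted(peers))))
    # Who sends the most bytes, and which single flow carries most of them?
    top = max(bytes_out, key=bytes_out.get)
    flow = max((f for f in per_flow if f[0] == top), key=lambda f: per_flow[f][1])
    pkts, nbytes = per_flow[flow]
    out.append((top, "top-talker",
                f"{bytes_out[top]} bytes total; biggest flow to {flow[1]}:{flow[2]} "
                f"is {pkts} packets / {nbytes} bytes"))
    return out


if __name__ == "__main__":
    for host, kind, detail in findings(parse(SAMPLE)):
        print(f"{host:<12} {kind:<11} {detail}")
```

Run it against the export from the capture taken while the server was saturating the link; a host that shows up as both "scan" on tcp/1433 and "irc" is the one to pull off the network first, and the "top-talker" line tells you whether the volume is one flood flow or many small probes.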