Gandalf The White (infected)

Gandalf (the white) was set up two weeks ago without anti-virus protection. So a worm (or two) moved in and started routing pirated files. This morning it started being so “loud” on the network it ground everything else to a halt.

I had to go make a personal call to perform surgery. Norton Anti-Virus found the following:

C:\WINNT\MSsrvs32.exe is infected with W32.Randex.gen

C:\WINNT\system32\MSsrvs32.exe is infected with W32.Randex.gen

C:\WINNT\system32\webchecks.dll is infected with W32.IRCBot

C:\WINNT\system32\dhcp\csrss.exe is infected with W32.IRCBot

C:\Documents and Settings\DoNotUse\payload.dat is infected with W32.Randex.gen

C:\Documents and Settings\Default User\Templates\winspsv.exe is infected with W32.Spybot.Worm

C:\Documents and Settings\Administrator\payload.dat is infected with W32.Randex.gen

I had to manually delete MSsrvs32.exe and webchecks.dll using a command line because Norton and Windows were “denied access.”
