You're still infected; only a non-networked rebuild is safe. Don't plug the machine back in until you've applied the IIS patch.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Javier Gonzalez" <Javier@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 08, 2001 12:24 AM
Subject: [isalist] RE: Code Red Sniffer

http://www.ISAserver.org

Hi,

My machine is NT4 SP6a and I applied the MS patch in June. I only found (last week) root.exe within c:\inetpub\scripts (only in this folder). I deleted this file and restarted the server. Running your VBS script, I see these results:

************************************************
Code Red infection search for PDC on 8/8/01 8:56:02 AM

** Checking for the bad 'explorer.exe' and 'root.exe' files
C:\explorer.exe - not found
C:\inetpub\Scripts\Root.exe - not found
C:\progra~1\Common~1\System\MSADC\Root.exe - not found
E:\explorer.exe - not found
E:\inetpub\Scripts\Root.exe - not found
E:\progra~1\Common~1\System\MSADC\Root.exe - not found

** Checking for the bad Virtual Folders entries
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/C - not found
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\/D - not found

** Checking for the bad System File Checker entry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable - not found

** Checking for the rogue Explorer.exe
Rogue Explorer process - found

** you've definitely been infected !
**
** You have one or more definite indications of Code Red V2 on your system.
** You need to flatten this box and start over. DO NOT connect to a network
** until you have completely rebuilt the system AND installed the security
** patch from Microsoft.
********************************************************************

What can I do if this is true?
Javier Gonzalez
Madrid (Spain)

----- Original Message -----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, 08 August 2001 08:45
To: [ISAserver.org Discussion List]
CC: CommuniGate Pro Discussions
Subject: [isalist] Code Red Sniffer
Importance: High

http://www.ISAserver.org
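The indicator checks that Jim's script output walks through (the dropped root.exe/explorer.exe files, the /C and /D virtual roots, the SFCDisable value and a rogue Explorer process), written up as an added Python example that is not Jim's VBS script nor part of the thread. The probes are injected so the logic runs offline against a constructed snapshot; the "rogue explorer" rule (an explorer.exe image running from a drive root rather than the system directory) is an assumption about how the original script decided that line, and the constructed snapshot mirrors the pattern in Javier's run.

```python
import ntpath

# Indicator paths and registry locations exactly as listed in the script output above.
DRIVES = ["C:", "E:"]
BAD_FILES = [r"\explorer.exe", r"\inetpub\Scripts\Root.exe",
             r"\progra~1\Common~1\System\MSADC\Root.exe"]
VROOT_KEY = r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"
BAD_VROOTS = ["/C", "/D"]
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SFC_VALUE = "SFCDisable"

def is_rogue_explorer(image_path):
    # Assumption: the dropped explorer.exe runs from a drive root (C:\explorer.exe),
    # the legitimate one from the system directory (C:\WINNT\explorer.exe).
    head, tail = ntpath.split(image_path)
    return tail.lower() == "explorer.exe" and head.rstrip("\\").endswith(":")

def code_red_findings(file_exists, reg_value_exists, running_images):
    """Return (kind, detail) for every indicator present. Probes are injected so the
    logic runs offline: file_exists(path) -> bool, reg_value_exists(hklm_subkey,
    value_name) -> bool, running_images = full image paths of running processes."""
    findings = []
    for drive in DRIVES:
        for suffix in BAD_FILES:
            if file_exists(drive + suffix):
                findings.append(("file", drive + suffix))
    for vroot in BAD_VROOTS:
        if reg_value_exists(VROOT_KEY, vroot):
            findings.append(("virtual root", vroot))
    if reg_value_exists(WINLOGON_KEY, SFC_VALUE):
        findings.append(("sfc disabled", SFC_VALUE))
    findings += [("rogue explorer", p) for p in running_images if is_rogue_explorer(p)]
    return findings

def windows_reg_value_exists(subkey, name):
    """Real HKLM probe for a Windows host; pair it with os.path.exists for files."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            winreg.QueryValueEx(key, name)
        return True
    except OSError:
        return False

# Constructed snapshot mirroring Javier's run: no files, no registry entries, rogue process.
SNAPSHOT_PROCS = [r"C:\WINNT\explorer.exe", r"C:\explorer.exe", r"C:\WINNT\system32\inetinfo.exe"]

def scan_snapshot(files=frozenset(), reg=frozenset(), procs=SNAPSHOT_PROCS):
    """Evaluate an in-memory snapshot; a non-empty findings list means infected."""
    return code_red_findings(lambda p: p in files, lambda k, v: (k, v) in reg, procs)
```

Any single finding is treated as a definite indicator, matching the verdict logic in the script output: the only safe response is the offline rebuild Jim recommends, not deleting the individual artifacts.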