Thank you for this. What we ended up doing so far is unplugging the machine from the network, and then we are able to stop the x.exe process. Then we rename x.exe to x.exe.bad and the o file to o.bad. We plug back into the network and run all the critical Windows updates that are out there. We do this because we did notice that our "newer", more updated PCs were not infected. Well, that goes to show what having only 3 IT people for 200 users spread out over 4 states can do for you. We are now starting the SUS evaluation process. Better late than never, I guess.

Bruce

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Trevor Fuson
Sent: Tuesday, November 30, 2004 5:44 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: Worm Problem

Get Autoruns and Process Explorer.

1. First check all of the boxes under the View menu in Autoruns, then delete all of the worm entries.
2. Go to Process Explorer, find the worm process and pause it.
3. Do a search on the worm file handles and manually close them.
4. Delete all of the worm files, or move them to a safe directory.
5. Kill the worm processes in Process Explorer.
6. Go back into Autoruns (refresh) and clean out any new entries.
7. Keep repeating until you get all of the worms out; if they keep returning, you are missing a process that is spawning them. Use Filemon to find out what process is spawning the new worm processes if you can't otherwise determine which process is causing the spawning.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Bruce Jarrett-Norton
Sent: Tuesday, November 30, 2004 1:22 PM

We are having major problems all day with a worm here in our office. So far here is what we have:

The user has to be a local admin because it needs access to the WinNT folder (thus 98 machines are immune).

It places a file named "o" with no extension on it in the c:\winnt\system32 folder. "o" has the following in it:

(ip address of previous machine)
(random port number)
User 1 1
Get x.exe

On the systems, in the c:\winnt\system32 folder there is an x.exe file.

Throughout the user's registry this file is not located, and if you try to remove it, it mutates to another file name. It is also now a system service.

When the user reboots they get pop-up after pop-up for gay porn sites, and their home page is redirected.

Running the updates from the MS Windows Update service stops the pop-ups.

CA antivirus does not see it, or sees x.exe but gets an open file error.

However, we are unable to remove the worm totally from a system.

********************************************************
This Weeks Sponsor Activaeon.com
Reduce licensing costs with activAeon XA and get one month completely free.
http://www.activaeon.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
ThinWiki community
http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
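As an added triage example (not code from this thread or from either poster): a Python script that parses the "o" dropper script Bruce describes, flags the dropped file names in a system32 directory listing, and, once "o" files have been collected from several infected hosts, chains each host back to the machine it fetched x.exe from. Because every "o" names the previous victim, the sources that never show up as a collected victim are where to look for the first infected box. The sample script content, the IP addresses, the assumption that "o" holds one command per line (the layout ftp.exe -s consumes), and all function names are my own, not the thread's.

```python
"""
Triage helpers for the worm described in this thread: parse the dropper's "o" script
to learn which machine the payload was fetched from, flag the dropped files in a
system32 listing, and chain the "o" files collected from several hosts back toward
the first infected machine. Added example; not the posters' code.
"""
import ipaddress
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample, not a real capture. Layout assumes one command per line, the
# form ftp.exe -s:<script> consumes; the thread lists the same four items in order.
SAMPLE_O = "10.20.30.40\n4521\nUser 1 1\nGet x.exe\n"

# Names the thread reports in c:\winnt\system32; compared case-insensitively.
# The thread also says the file renames itself when touched, so a clean listing here
# does not prove a clean box; it only catches the untouched case.
INDICATOR_NAMES = {"o", "x.exe"}


@dataclass(frozen=True)
class Dropper:
    source_ip: str   # machine the payload was fetched from (the previous victim)
    port: int        # port that machine served the payload on
    user: str
    password: str
    payload: str     # file fetched; x.exe in the thread


def parse_dropper(text: str) -> Optional[Dropper]:
    """Return the parsed script, or None if the content is not in the expected shape."""
    tokens = text.split()
    # Expected: <ip> <port> User <user> <password> Get <file>  -> 7 whitespace tokens
    if len(tokens) != 7 or tokens[2].lower() != "user" or tokens[5].lower() != "get":
        return None
    try:
        ipaddress.ip_address(tokens[0])   # rejects anything that is not a valid address
        port = int(tokens[1])
    except ValueError:
        return None
    if not 1 <= port <= 65535:
        return None
    return Dropper(tokens[0], port, tokens[3], tokens[4], tokens[6])


def classify_names(names: List[str]) -> List[str]:
    """Return the entries of a directory listing that match the dropped-file names."""
    return sorted(n for n in names if n.lower() in INDICATOR_NAMES)


def find_indicators(system32_dir: str) -> List[str]:
    """Scan a system32 directory; run this against a mounted image, not the live box."""
    return [os.path.join(system32_dir, n) for n in classify_names(os.listdir(system32_dir))]


def infection_chain(scripts: Dict[str, str]) -> Dict[str, str]:
    """Map each infected host (by IP) to the host its "o" script fetched the payload from.

    scripts: {victim_ip: contents of that victim's "o" file}. Unparseable entries are
    skipped rather than guessed at.
    """
    chain: Dict[str, str] = {}
    for host, text in scripts.items():
        d = parse_dropper(text)
        if d is not None:
            chain[host] = d.source_ip
    return chain


def likely_origins(chain: Dict[str, str]) -> Set[str]:
    """Sources that never appear as a collected victim: candidates for the first infection."""
    return set(chain.values()) - set(chain.keys())


if __name__ == "__main__":
    print(parse_dropper(SAMPLE_O))
    print(classify_names(["o", "X.EXE", "kernel32.dll", "o.bad"]))
    collected = {
        "10.20.30.41": SAMPLE_O,
        "10.20.30.42": "10.20.30.41\n3050\nUser 1 1\nGet x.exe\n",
    }
    print(likely_origins(infection_chain(collected)))
```

The chain only says which machine served the payload to which, not how the worm got in; it is a lead for where to image first, and it also explains Bruce's observation that only unpatched boxes were hit, since each victim became the next file server. Collect the "o" files before renaming them, as the rename step in the thread destroys exactly this evidence.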