ljoris
I'm by no means really knowledgeable on this subject, but given my good-natured paranoid character I came to toggling down this post.

The prequel to this post is here.

While investigating the nature of the issues I encountered, I noticed the NT/2000 event/application log showed a typical four consecutive Symantec anti-virus events.
All these events stated the Bugbear@mm virus had been encountered, removal failed, isolation succeeded. Nothing to worry about, I'd figure. From what I've read about this bugger, this is one nasty virus though.

Now I'm wondering what could be the extent of Internet Explorer not being fully patched on the machines which are behaving poorly. These are about one out of every three machines, with a hundred total. Would it be possible that the combination of poorly implemented security (the "Symantec AV can take it" story) with the unpatched MS Internet Explorer would allow Bugbear to pierce through the anti-virus protection?

Running the Bugbear removal tool returns 'nothing found', so I figure not.

What would I be looking for if I wanted to find out whether Bugbear got around Symantec?
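As an added illustration, not part of any post in this thread, here is a small Python triage script for exactly the question above: it reads Symantec-style Application log events exported to text, tallies per host how many detections ended in a failed removal rather than a clean, and joins that against a patch-status table so hosts where repeated failed removals coincide with an unpatched browser stand out. The line format, host names and patch table are constructed for the example and are not a real Symantec export format.

```python
import re
from collections import defaultdict

# Constructed sample: one Application-log event per line as
# "<host> <date> <source> <message>". Not a real Symantec export format.
SAMPLE_LOG = """\
WS017 2003-02-11 SymantecAV Virus Found! Virus name: W32.Bugbear@mm Action: Clean failed : Quarantine succeeded
WS017 2003-02-11 SymantecAV Virus Found! Virus name: W32.Bugbear@mm Action: Clean failed : Quarantine succeeded
WS017 2003-02-11 SymantecAV Virus Found! Virus name: W32.Bugbear@mm Action: Clean failed : Quarantine succeeded
WS017 2003-02-11 SymantecAV Virus Found! Virus name: W32.Bugbear@mm Action: Clean failed : Quarantine succeeded
WS042 2003-02-11 SymantecAV Virus Found! Virus name: W32.Bugbear@mm Action: Clean succeeded
WS042 2003-02-12 MSDTC Service started
WS088 2003-02-12 SymantecAV Virus Found! Virus name: W32.Bugbear@mm Action: Clean failed : Quarantine succeeded
"""

# Constructed patch table: host -> whether Internet Explorer is fully patched.
IE_PATCHED = {"WS017": False, "WS042": True, "WS088": True}

EVENT_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<date>\S+)\s+SymantecAV\s+Virus Found!.*?"
    r"Virus name:\s*(?P<virus>\S+).*?Action:\s*(?P<action>.*)$"
)

def parse_av_events(text):
    """Yield (host, virus, remove_failed) for each AV detection line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # other event sources and blank lines are skipped
        # Only the first action (before ':') is the removal attempt;
        # "Quarantine succeeded" after it does not mean the clean worked.
        first_action = m.group("action").split(":")[0].lower()
        yield m.group("host"), m.group("virus"), "failed" in first_action

def triage(text, patched, min_failed=2):
    """Per host: detection count, failed removals, patch state, and a flag
    when repeated failed removals coincide with an unpatched (or unknown)
    browser state. Unknown hosts are treated as unpatched on purpose."""
    stats = defaultdict(lambda: {"detections": 0, "remove_failed": 0})
    for host, _virus, failed in parse_av_events(text):
        stats[host]["detections"] += 1
        stats[host]["remove_failed"] += int(failed)
    for host, s in stats.items():
        s["ie_patched"] = patched.get(host)  # None = host not in table
        s["flag"] = s["remove_failed"] >= min_failed and not s["ie_patched"]
    return dict(stats)

if __name__ == "__main__":
    for host, s in sorted(triage(SAMPLE_LOG, IE_PATCHED).items()):
        print(host, s)
```

A flagged host is the one to pull off the network and examine by hand; a host whose only event says "Clean succeeded" is low priority.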
Jay
Check your last post. ;)
ComSec
You will find all the details, including registry settings and how it stops the firewall on boot-up, here:

http://www.sarc.com/avcenter/venc/data/w32...bugbear@mm.html

Scan your system for the registered DLLs it has deposited and remove them if the AV program has so far failed. Also look at the Stinger post in this forum section; it might help you to remove the problem.

http://www.governmentsecurity.org/forum/in...p?showtopic=368
ljoris
Hi,

First of all, thanks for your input already, but ...

In the past I've managed a whole network mostly single-handedly, with some help on the management part here and there. From my experience I'd say this situation very likely originates from unknowledgeable administrators at work.

I am an (the) interim employee here; needless to say I've been pretty stunned at moments by what the internal situation is like over here, as well as the lack of expertise. Which administrator would let any interim run as Domain Administrator from day one? And show them access to the firewall in the second week or so?

Anyway. I've run enough scans by now to realise even Stinger won't find anything. There's something seriously wrong, but I'm not in a situation to do any serious work except on the 'tampered' workstation of my colleague, which is not giving any results.

I've dismissed both the 'virus infection' and the 'registry messed up' theory for now and will be looking into the finer details of policy editing and publishing in a mixed NT/2K/XP environment. Hopefully this results in some clue, because for the moment I'm out of them.

Thanks for your input; any further comments are most welcome.
packet
I would put patch management and virus control in two separate categories; sometimes virusii take advantage of unpatched hosts, but that is normally done by the virus's bigger cousin, the worm. In any case, my first recommendation on your network (interim admin or not) would be to get all of your systems patched and up to date. Use Microsoft Update if you don't have anything else, but get them patched. And of course make sure your virus control is up to date as well.

--j