Subject: Re: Trojan Blues
From: "Glenn Meadows"
Well, all indications are that the machine is now sound and secure.
HijackThis shows no extra open listening ports, and I've run 4 adware/malware
detection programs against the machine, as well as 3 separate anti-virus
programs, including an online one from Trend Micro.
Adware/Malware:
Ad-Aware
Spybot Search-Destroy
eWido
CounterSpy.
Both CounterSpy and eWido are running with their active detection left on.
Anti-Virus:
Sophos
AVG
Trend
Sophos is left in active detect mode. You can open the monitor panel and
watch each exe/dll file that's loaded be scanned. I was "playing" with one of
the trojan-infected files, to zip it to send to one of the AV firms, and
Sophos caught it every time I touched the file, or it was accessed, and
blocked any action with it. I had to use a restore with a file name change in
the restore-to-destination window to be able to do anything with the files.
NONE of the other computers in the office appear to have been affected.
None of the files on this computer show up on any of the other machines.
I'm actually quite thankful that both our NY office and Nashville offices
were "closed" this week. The few people who came in appear to have avoided
this problem, save for the salesman here in Nashville. Thank goodness for
small favors. I think that this exploit would have had a larger impact on
our systems if everyone had been working all this week.
I had the production manager in the NY office put a physical notice on
everyone's monitor today detailing the potential virus problem, and giving
specific instructions that when they start their computers first thing
Tuesday, before they open Outlook or IE, they open their AV control panel
and do an immediate Live Update (NY uses Symantec Corporate Edition). But as
I discovered today, each local system is globally set to pull sig files from
the Symantec server, NOT from the local AV server. Got to get that
re-configured. I also discovered that Live Update was configured to check
for updates once a week. I've changed that to once a day now. I'm also going
to re-config each computer to pull sig files from the local server, but the
machines have to be on so I can Remote Desktop to them to re-configure them
and verify that the changes have been made.
--
Glenn M.
"John Beckett" wrote
in message news:8q0cr1dnhpbfeuc637tb9qud0cvdhkrptu{at}4ax.com...
> "Glenn Meadows" wrote in message
> news::
>> What would the magic incantation be using Knoppix, to allow me to DELETE
>> files on the Windows HD?
>
> I'm pretty sure that only very experimental versions of Linux include the
> ability to write to an NTFS partition. That is, Knoppix will NOT allow you
> to delete or rename files on NTFS.
>
> The best procedure to do this would (I think) be to purchase the tool from
> Sysinternals that allows you to boot from a CD and have write access to
> NTFS partitions. I have never tried it.
>
> However, the couple of times that I've had a look at a hosed system I have
> convinced myself that an amateur trying to outsmart a virus writer is a
> complete waste of time. Copy data files off the partition, then wipe it.
>
> John
>
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SOURCE: echomail via fidonet.ozzmosis.com