dsa.msc modified? virus? backdoor?

Guest

Hello
I'm a beginner.
I have w2000 adv server connected to internet via a proxy server.
When I see the local area connection status I'm seeing a lot of packets sent when I do nothing. I suppose I have a virus or backdoor.
I found e:\winnt\iun6002.exe
I also found e:\winnt\system32\dsa.msc with modified date 03-16-200
and dompol.msc with modified date 02-27-200

These files modify themselves automatically.
Can you help me please?
 
Those .msc files are for MMC snap-ins to manage Active Directory, etc. I think you
first should make sure that your proxy server is set up correctly in that it blocks
all inbound traffic other than that specifically authorized if any. You can go to a
site like http://scan.sygatetech.com/ to do a basic selfscan and also make sure file
and print sharing is disabled on the network adapter connected to the internet.
Ideally your proxy server should be configured to block all outbound access other
than that authorized.

Since you suspect your server is compromised be sure to scan for viruses and trojans
and take steps to secure it including keeping current with critical updates, using a
virus scan that also scans all email, using complex passwords with an account lockout
policy, enabling auditing of logon events, and disabling unneeded services such as
telnet, messenger, ftp, and www if enabled and not needed. The Microsoft Baseline
Security Analyzer can help with that and more. See the links below for more on what
to do to secure your computer and what to do if you suspect compromise. --- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx
http://www.microsoft.com/security/protect/
http://securityadmin.info/faq.asp#virustoc --- tips from the FAQ.

Jose said:
Hello
I'm a beginner.
I have w2000 adv server connected to internet via a proxy server.
When I see the local area connection status I'm seeing a lot of packets sent when I
do nothing. I suppose I have a virus or backdoor.
 