Our 2003 Ent server was hacked with a dcom worm that continiues to create netsvcs services on this server with various names. I have noted services created under names like microsoft device manager and MS driver management service. The only method to disable these services was through safe mode. Is there a method to verify that I have successfully blocked this worm? Thanks Bob

Hi, Once a machine is infected by virus it could not be trusted no longer. Microsoft suggests reinstalling the system.If you are not willing to reinstall the system, I highly recommend you to scan for virus and malwares on both the server and client sides. For more information and support on virus issues, I would also like to suggest that you call Microsoft PC Safety telephone number, 1-866-727-2338 (1-866-PCSAFETY). This service offers no-charge assistance for virus-related issues or questions. Also, you can check Microsoft Security and Privacy Web site at: http://www.microsoft.com/security/ Regards, Wilson Jia This posting is provided "AS IS" with no warranties, and confers no rights. Please click "Mark as Answer" when you get the correct reply to your question.

hi bob we have the same problem in our company and we getting duplicated ip from the infected servers. and we are stuck... can you tell me the way you manage to remove the worm trhough safe mode ? did you found more information about how to remove this worm ?? thank you very much izek