rgpta
Cadet

 Joined: Nov 21, 2003 Posts: 3 Location: USA
Posted: Fri Nov 21, 2003 1:31 pm Post subject: Is this a virus?
I have multiple users trying to register their workstations' names in DNS as ADMIN. This is not their DNS, WINS or NetBIOS name. Once DNS returns an error, the stations go to WINS to register, WINS returns an error, and the workstations broadcast to the network. Currently 200+ workstations are broadcasting to the network. I edited the hosts file on one WS to resolve ADMIN to the lpbk address and the broadcasts stopped. This looks like a DoS attack to me. Once users try to log in multiple times, their accounts get locked. I believe this is due to a WINS security measure. WS that do not have admin rights should not be trying to change names or register as ADMIN (WINS Type 00). I ran Stinger and picked up nothing. HELP!!!!!!!!!!
IP: 212.133.*.*
Guest
Posted: Fri Nov 21, 2003 5:18 pm Post subject:
Stinger will only pick up the select group of current prevalent threats as per the description on the website.
It is not a substitute for real AntiVirus protection software.
Look for some suspicious processes running on the ws's in question.
rgpta
Cadet

 Joined: Nov 21, 2003 Posts: 3 Location: USA
Posted: Fri Nov 21, 2003 6:18 pm Post subject:
Do you think this is a virus? It appears that way to me. I have tried researching the symptoms to no avail.
CalamityJane
Security Expert Microsoft MVP
 Joined: Oct 05, 2002 Posts: 4004
Posted: Fri Nov 21, 2003 7:19 pm Post subject:
Assuming you have Antivirus protection on those affected workstations and have scanned them, did they find nothing?
You could try this (it worked for another Sys Admin I know when the QHosts Trojan first came out and was not being detected by the AVs):
Go to one of the affected PCs and download *Hijack This!* http://www.tomcoyote.org/hjt/ or http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
With that log we can see what is running on that PC and come up with a fix for you.
rgpta
Cadet

 Joined: Nov 21, 2003 Posts: 3 Location: USA
Posted: Mon Nov 24, 2003 6:09 pm Post subject:
Thank you. It was a form of Blaster virus on one of the DC servers.