
Irc/Backdoor trojan

Discussion in 'Security and Privacy' started by pilotgal8, 2003/02/09.

Thread Status:
Not open for further replies.
  1. 2003/02/09
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    459
    Likes Received:
    0
    I'm running AVG & leave my W2KPro system on 7/24. This morning I had 2 messages

    Trojan Horse IRC/Backdoor.flood infested

    C:\WINNT\SYSTEM32\RUN32.EXE

    and

    Trojan Horse HideWindow infected


    C:\WINNT\SYSTEM32\SYSCFG32.EXE

    I followed the recommended action (similar to quarantine), I think.

    I read the information at
    www.kylelai.com/mIRC_Virus_Analysis.htm
    which I found referenced at
    http://www.computing.net/security/w...forum/2585.html

    I followed the instructions to remove & found only 2 of the dastardly files referenced, MDM.exe and psexec.exe, both in the system32 folder in WINNT (my Windows folder).

    I successfully deleted MDM.exe & created a backupmdm.exe on another drive. I also created a backup of psexec.exe but get a sharing violation when trying to delete the original. I did not find the Register key referenced. I have not yet changed Admin password. I ran step 5 & restored the database. In step 6 I am missing the A) and G) user. Does this matter?

    There are no events in the security log.

    I have run the Cleaner & found no trojans.

    Are there any other recommendations?
     
  2. 2003/02/09
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
    Sounds like you've done a good job so far. As a final precaution, I'd do an online virus scan at Housecall.

    Daizy
     


  4. 2003/02/09
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member Thread Starter

    Thanks Daizy. Housecall found stuff that AVG didn't. How many of these silly cleaners do U need to run????? I want to get some useful work out of this thing, not be a Systems person my whole day.
     
  5. 2003/02/09
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member Thread Starter

    Well Housecall found 4 infected with IRC ZCREWA and BAT ZCREWA. I can't fix them so have to delete them.


    The infected files are

    iiscache.dll
    Secure.bat
    w32driver.bat
    web.swf


    all in System32 folder

    Will my W2KPro system work after I deleted these files??????
     
  6. 2003/02/09
    Daizy

    Daizy Inactive

    At the risk of sounding rude... (I certainly don't mean to be.) You would have only needed the one, had you kept your virus definitions and Windows updates current.

    Symantec

    Daizy
     
  7. 2003/02/10
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member Thread Starter

    Daizy, You are not rude, so no apology needed. I had run Symantec NAV2003 & keep the definitions up to date automatically (on DSL) & run a full scan daily. HOWEVER, I've found that AVG is superior to NAV, & is less invasive & does not take so much system resource to keep me clean.

    NAV has not found Trojans & AVG has. I will now add Housecall to my scanning tools & use it regularly.


    The bottom line is "you use what works for you" and you'd better use them regularly.
     
  8. 2003/02/10
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member Thread Starter

    I now find that mfc.exe and MMS.exe have crept into my start folder. No idea where they came from, so I believe they are part of the Trojan. So I'm deleting them.
     
  9. 2003/02/12
    mr.mark

    mr.mark Inactive

    Joined:
    2002/08/02
    Messages:
    491
    Likes Received:
    0