Need some help with IRC Trojan virus

I have Norton AV which has detected the IRC Trojan in \windows\system32\beta.exe. However, it is unable to either repair or quarantine this file.

Apparently this file is always locked when XP is running so that is why nothing can be done with it. Although that raises questions in my mind as to how it got infected in the first place (unless the virus itself has locked it).

Anyway, does anyone know what this file is and can I go into the recovery console and simply restore it from the install CD or a backup? Or do I simply delete it? TIA.

 

I already did that and there was nothing useful. However, after some looking it appears that this is not an XP file but I can't say it is not associated with some other product I've installed. I am tempted to use the recovery console to simply move it and see what breaks.

 

I removed beta.exe. When I start XP an error window tells me that file cannot be found and to check the spelling, etc. I looked through startup and didn't find anything that launches that but it could be hidden anywhere. In any case I haven't found anyting that doesn't work yet. If anyone knows what the file might be associated with or where I can look to find where it is launched, I would appreciate it.

 

Hi

I have looked but cannot find anything so far beta.exe

Perhaps you could download the trial of Anti-Trojan - it will scan & then tell you the best action to take with the results.

Anti-Trojan

The online scan may show something but it is best to use the software as it will help you to remove anything that may be left. Any lists I have looked at do not have this one / application.

Will be looking for more info. Will post back if I find anything

 

Thanks. I'll give it a try but beta.exe is now gone. The only remaing problem is where it is being launched on windows startup.

 

I ran the anti-trojan. Although it says there is one port (5000) that is a trojan (Blazer5), the final report says no trojans found. I'm back to square one.

 

HijackThis will show where it is attempting to start from.
When HijackThis starts, click on Config, then Misc Tools, then Generate Startuplist Log.
If confused on what to do after that, post the log here.

 

Cool. Thanks. That found it and seems to have fixed it. I won't know for a while if anything broke in the process.

 

Try running a program called Tauscan over your computer see if that helps here is the link to the home page if you wish to check it out.
http://www.agnitum.com/products/tauscan/

hope it solves it for u