Andy
I am working on a WIN 2k machine that had a couple of
backdoor trojans on it. More specifically: backdoor.sdbot,
IRC trojan, IRC.Zcrew, backdoor.DKangel, bat.trojan and
bloodhound.packed. Norton had found these and removed
them or so I thought. This started back in September. A
couple of months later the computer was infected again.
Not all of the trojans were found in September. This
client would call back and say Norton found more viruses
and was understandably getting upset. I have been
working on this computer for a couple of days and have
traced some interesting stuff. I found that one of the
trojans loaded Serv-U on the computer. I did some
research on Serv-U and found out that this is an FTP
server program and turned this computer into an FTP
server, which explains why the computer is constantly
being infected. I have been able to remove the Serv-U
files from the computer and now I am in the process of
cleaning the registry. I am familiar with the registry
but I am not an expert. One area where Serv-U is located is
HKCU\software\microsoft\internet explorer\explorer bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\filesnamedMRU.
I am not sure what the Files named MRU is. There are
several files from the trojan/Serv-U listed. What does
the Files named MRU registry entry load up? Is it safe
to just delete this entry altogether?
Any help would be appreciated, Thanks
Andy