Infected files in WINNT

Thread starter: Guest

I have just run a McAfee scan that found several IRC/Flood infections that Norton Antivirus has consistently missed. I cannot find any information about them or whether and how to remove the files that are infected. In WINNT\System 32, the files are G1R\fgr.bat, G1R\man.bat, H0ll\n.bat, H0ll\q.bat, moo.dat. In WINNT\winweb, the files are abc.dll and lsass.exe. I understand that lsass.exe is a legitimate and required program, but would appreciate any information about the others and what to do about them.
 
Robert said:
I have just run a McAfee scan that found several IRC/Flood infections
that Norton Antivirus has consistently missed. I cannot find any
information about them or whether and how to remove the files that
are infected. In WINNT\System 32, the files are G1R\fgr.bat,
G1R\man.bat, H0ll\n.bat, H0ll\q.bat, moo.dat. In WINNT\winweb, the
files are abc.dll and lsass.exe. I understand that lsass.exe is a
legitimate and required program, but would appreciate any information
about the others and what to do about them.

Not to be funny but if McAfee can identify them, it can probably provide
instructions and help for removing them. Have you checked their website?

If this is an internet facing server then I'd worry that you've been hacked.
I'd strongly suggest disconnecting from both the internet and any internal
network and proceeding very cautiously.


--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
In addition.

You seem to be concerned about affecting Windows required files.

All the .bat files should be (obviously) deleted outright.
There is an lsass file that is an essential part of Windows, but it does not
live in the winweb folder - I have never heard of this folder before, so any
action on any files in this folder should be 'safe'.

As Robert says, follow McAfee's advice and given a choice I would delete
them.

If in doubt, research the viruses by name using Google and read up about how
the infection manifests itself, and what the clean actions should be.

-Tim
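Tim's point that the genuine lsass.exe lives only in System32 is something an administrator can verify rather than take on trust. The script below is an added example, not code from anyone in this thread: it assumes Windows PowerShell 5.1 or later on the affected machine, run from an elevated prompt, and takes the folder names (winweb, G1R, H0ll) from the original post. It records the Authenticode signer and SHA-256 hash of the real lsass.exe, lists any other file of that name on the system drive, and inventories the flagged folders so the hashes can be looked up with the antivirus vendor before anything is deleted.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ in an
# elevated prompt. Folder names are the ones the original poster reported.
$systemRoot    = $env:SystemRoot
$expectedLsass = Join-Path $systemRoot 'System32\lsass.exe'

# Folders the scanner flagged (assumed still present; adjust as needed).
$suspectDirs = @(
    (Join-Path $systemRoot 'winweb'),
    (Join-Path $systemRoot 'System32\G1R'),
    (Join-Path $systemRoot 'System32\H0ll')
)

function Get-FileTriage {
    # Path, Authenticode signer and status, SHA-256 and timestamp for one file.
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    [pscustomobject]@{
        Path      = $File.FullName
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        SigStatus = $sig.Status
        SHA256    = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
        Modified  = $File.LastWriteTime
    }
}

function Find-StrayLsass {
    # Every lsass.exe on the system drive except the one Windows actually uses.
    param([string]$Root = ($env:SystemDrive + '\'))
    Get-ChildItem -Path $Root -Filter 'lsass.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $expectedLsass } |
        ForEach-Object { Get-FileTriage -File $_ }
}

# 1. The genuine binary, for comparison: expect a Microsoft signer and status Valid.
Write-Host '== Expected lsass.exe =='
Get-FileTriage -File (Get-Item -LiteralPath $expectedLsass) | Format-List

# 2. A copy anywhere else (e.g. WINNT\winweb) is not a Windows component.
Write-Host '== lsass.exe outside System32 =='
Find-StrayLsass | Format-Table -AutoSize

# 3. Inventory of the flagged folders, with hashes to look up at the vendor.
Write-Host '== Contents of flagged folders =='
$suspectDirs |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -File -Force -ErrorAction SilentlyContinue } |
    ForEach-Object { Get-FileTriage -File $_ } |
    Format-Table -AutoSize
```

The signature check is the quick discriminator: the System32 copy reports a Microsoft signer with status Valid, while a file named lsass.exe in a folder like winweb will show as unsigned or with a non-Microsoft signer, and its hash can be submitted to McAfee or another vendor for a definitive verdict before removal.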
 