IRC Trojan horse removal

  • Thread starter: Russ

Russ

Folks,

Any help would be appreciated.

About two weeks ago, Norton Antivirus located and deleted a virus on
one of my networked Win 2000 pro machines. I paid no unusual amount
of attention to it, because I figured Norton took care of it.

However, I have had a fake mIRC window called "Update" with an MDI
child window called "System" inside execute on startup since the
deletion. Now, my machine constantly sends packets across the network
out to the internet.

I have checked for suspicious files and strange registry additions,
but I haven't found anything that points to the Trojan horse.

Help!

Russ
 
Check your Norton logs for details of what virus it
detected, then visit the Symantec site and check for
instructions for removal.
 
Hello Russ,

Use REGEDT32 to check the following registry keys for the mIRC entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Also check the following folders:

\Documents and Settings\All Users\Start Menu\Programs\Startup

\Documents and Settings\<username>\Start Menu\Programs\Startup

Thank you,

Justin Turner [MSFT]

--
Please do not send email directly to this alias. This
alias is for newsgroup purposes only.

This posting is provided "AS IS" with no warranties, and
confers no rights.
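The registry check above can be done offline rather than by eyeballing REGEDT32: export the four autostart keys to a .reg file and parse that on a clean machine, which also sidesteps any rootkit hiding entries on the infected box. The script below is an added example for this thread, not code from any of the posters or from Microsoft. It assumes the export was made with `regedit /e <file> <key>` (one export per key, concatenated), and the .reg text embedded in it is a constructed sample with invented paths, including a made-up mIRC "Update" entry and a "System" entry running from a temp directory to mirror what Russ described; the "suspect" patterns are a heuristic of my own, not a Symantec signature.

```python
"""List every command under the four Windows autostart registry keys in a
.reg export and flag the ones worth a closer look.

Added example for this thread (not from the original posts). SAMPLE_REG is
a constructed stand-in for the output of
    regedit /e autostart.reg "HKEY_LOCAL_MACHINE\\Software\\...\\Run"
run once per key and concatenated; every value name and path in it is
invented for illustration.
"""
import re

# The keys named in the reply above (HKLM/HKCU Run and RunOnce).
AUTOSTART_KEYS = {
    k.lower()
    for k in (
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    )
}

# Constructed sample export. In .reg files backslashes and quotes inside
# string values are escaped with a backslash, hence the doubled '\\'.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\\Program Files\\Norton AntiVirus\\NAVAPW32.EXE"
"Update"="C:\\WINNT\\system32\\update\\mirc.exe -q"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="C:\\DOCUME~1\\russ\\LOCALS~1\\Temp\\system.exe"
"""

# Heuristic (my assumption, not a vendor signature): an mIRC binary at
# logon, or anything launching from a temp / user-profile directory, is
# worth inspecting on a box that shows the symptoms in this thread.
SUSPECT_PATTERNS = (
    re.compile(r"mirc", re.I),
    re.compile(r"\\temp\\|\\locals~1\\|\\docume~1\\|\\documents and settings\\", re.I),
)

# One `"name"="value"` line; both sides may contain backslash escapes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Return [(key, value_name, command), ...] for REG_SZ values found
    under the autostart keys of a .reg export. Other keys, DWORD and
    binary values are ignored."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() not in AUTOSTART_KEYS:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        # Undo .reg escaping: '\\' -> '\', '\"' -> '"'.
        command = re.sub(r"\\(.)", r"\1", value)
        entries.append((current_key, name, command))
    return entries


def flag_entries(entries):
    """Return the entries whose command matches any suspect pattern."""
    return [e for e in entries if any(p.search(e[2]) for p in SUSPECT_PATTERNS)]


if __name__ == "__main__":
    found = parse_reg(SAMPLE_REG)
    flagged = set(flag_entries(found))
    for key, name, cmd in found:
        mark = "SUSPECT" if (key, name, cmd) in flagged else "   ok  "
        print(f"{mark}  [{key}]  {name!r} -> {cmd}")
```

Anything it flags still needs to be confirmed by hand (an autostart entry in `system32` with a benign-looking name is exactly what a trojan dropper tends to write), and the two Startup folders listed above are not in the registry at all, so check those separately with a directory listing.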
 
This might also help:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

Someone might be remotely controlling your computer and viewing data files
or passwords from other systems on your network as I type this. I would
handle this seriously and consider pulling the network cable. When you get
a worm that contains remote access tools, trojans, password collectors and
keystroke loggers, simply running antivirus is arguably no longer a complete
security response.

Running a virus scan from another computer across the network could be
helpful if there was a Windows rootkit installed on the system to hide the
relevant files. [I doubt this is the case, if this is a worm, but I
mention this possibility just in case.]

Knowing the original virus name and looking it up on the virus encyclopedia
on the vendor's web site would be helpful, assuming these two things are
related.

Microsoft offers free phone support for virus related queries,
on 866-PCSAFETY
 