Solved

virus problem Mirc

Posted on 2006-07-18
213 Views
Last Modified: 2013-12-04
Hi guys!

I have a possible hacking problem.  I have a Windows Server 2003 (upgraded from 2000).

I have detected a folder in C:\WINNT\system32\Macromed\Flash\Microsoft\Data containing strange information with mIRC port, remote port, ....

There is a file in there, Isass.exe (not the one in the SYSTEM32 folder).  I'm unable to delete it (the file is in use).

What can I do?

Thanks!
5 Comments
 
Accepted Solution by: ch0wn (LVL 2, earned 300 total points), ID: 17133502
Sounds like you have a Backdoor.Futro Trojan.  It usually opens TCP ports 666, 6665 and 6664.  

Is this a production webserver that can't be restarted?
Do you have a current Anti-Virus on the server?

Removal:
1 - You really need to have an Anti-Virus on the server with all of the current Windows updates.  
2 - Run a full scan of your updated Anti-Virus program.
3 - Backup your registry
4 - Delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
      Then click OK.
   3. Navigate to the key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   4. In the right pane, delete the value:
      "Isass" = "%System%\Isass.exe"
   5. Exit the Registry Editor.
5 - Restart the server and make sure infection is no longer present

Ch0wn
 
Assisted Solution by: r-k (LVL 32, earned 200 total points), ID: 17133539
You need to figure out where the malware is starting from, and disable it, then delete it.

Here is what I suggest:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) [Important] From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

If you can clearly identify the problem items, then un-check them and reboot. Then you should be able to delete the malware - though I would suggest saving them in a new folder temporarily for further study.

A better option might be to post the results of Autoruns here (after saving to a text file and copy-and-paste) so we can review what might be at fault.

AFTER everything is cleaned up, you should review all passwords for Admin accounts and make sure they are changed to something longer, plus run MBSA (http://www.microsoft.com/technet/security/tools/mbsahome.mspx) and follow the steps there to apply all patches.

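The two answers above converge on the same check: a Run-key entry whose image is named like a Windows system binary (ch0wn's "Isass" value) but whose file either spells the name with a look-alike character or lives somewhere other than system32 (the Macromed\Flash\...\Data folder). The script below is an added example, not code from the thread or from Sysinternals, that applies that check to an Autoruns listing saved as text. It assumes a simplified tab-separated layout of location, entry name and image path (the real Autoruns export columns differ; adjust parse_listing for yours), and the sample rows it runs on are constructed for this example.

```python
"""Triage a saved Autoruns listing for entries that impersonate Windows
system binaries (the Isass.exe / lsass.exe trick from the question).

Added example code; assumptions:
- input is tab-separated text: location, entry name, image path
  (a simplification of the real Autoruns export format);
- the sample rows below are constructed, not taken from a real host.
"""
import ntpath
import re

# Binaries whose genuine copy lives in %SystemRoot%\system32 and whose
# names malware commonly borrows.
SYSTEM32_BINARIES = {"lsass.exe", "csrss.exe", "svchost.exe", "services.exe",
                     "winlogon.exe", "smss.exe", "spoolsv.exe"}

# Only these exact directories are trusted. A prefix test would wrongly
# accept C:\WINNT\system32\Macromed\Flash\Microsoft\Data, so compare whole.
TRUSTED_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

# Characters swapped in because they look alike in common UI fonts.
_HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def normalise(name):
    """Fold look-alike characters, then lower-case. The order matters:
    lower-casing first would turn capital I into i and hide the trick."""
    return name.translate(_HOMOGLYPHS).lower()


def image_path(raw):
    """Pull the executable path out of an autostart command line. Quoted
    paths may carry arguments; unquoted paths are assumed (an assumption of
    this example) to contain no spaces."""
    m = re.match(r'"([^"]+)"|(\S+)', raw.strip())
    return (m.group(1) or m.group(2)) if m else raw.strip()


def findings(image):
    """Return a list of reasons this image is suspicious (empty if none)."""
    path = image_path(image)
    directory, base = ntpath.split(path)
    folded = normalise(base)
    out = []
    if folded in SYSTEM32_BINARIES:
        if folded != base.lower():
            out.append("look-alike name: %s impersonates %s" % (base, folded))
        if directory.lower() not in TRUSTED_DIRS:
            out.append("%s outside system32: %s" % (folded, directory))
    return out


def parse_listing(text):
    """Split the tab-separated listing into (location, entry, image) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        location, entry, image = line.split("\t", 2)
        rows.append((location, entry, image))
    return rows


def triage(text):
    """Map each suspicious image path to its findings."""
    report = {}
    for _location, _entry, image in parse_listing(text):
        hits = findings(image)
        if hits:
            report[image_path(image)] = hits
    return report


# Constructed sample listing: one benign Run entry, one genuine service
# binary, and two impersonators.
SAMPLE_ROWS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Isass",
     r"C:\WINNT\system32\Macromed\Flash\Microsoft\Data\Isass.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Backup Agent",
     '"C:\\Program Files\\Backup Agent\\agent.exe" /silent'),
    (r"HKLM\SYSTEM\CurrentControlSet\Services", "Spooler",
     r"C:\WINNT\system32\spoolsv.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svch0st",
     r"C:\WINNT\svch0st.exe"),
]
SAMPLE_LISTING = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LISTING).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The Isass.exe row is flagged twice (capital I standing in for l, and a directory that is not system32); svch0st.exe is flagged the same way; the genuine spoolsv.exe and the unrelated backup agent pass. Treat the output as a shortlist for the manual Autoruns review r-k describes, not as a verdict: an attacker who keeps the real spelling and drops the file into system32 itself is caught by neither check.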
 

Author Comment by: polycorjsp, ID: 17133649
Why change admin password?  Do you think that they have been sent to someone?

Thanks!
 
Expert Comment by: r-k (LVL 32), ID: 17134136
"Why change admin password?"

In this case we are not sure what means were used to hack your system. Compromised passwords are a real possibility. Changing them would make sense.

In my view it is better to have long passwords (10 chars minimum) and not worry so much about using tricky combinations of case and letters. Just avoid proper names and dictionary words.
 
Expert Comment by: r-k (LVL 32), ID: 17134153
Another common thing in such cases is for the hackers to create dummy user accounts which they can use to log in later. Review all user accounts in case that happened.

Once you identify the time of the break-in, review all files created on your system since that time.

Another good program to run as a safety measure is RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
in case they installed a rootkit.