Solved

virus problem Mirc

Posted on 2006-07-18
5
209 Views
Last Modified: 2013-12-04
Hi guys!

I have a possible hacking problem.  I have a windows server 2003 (upgraded from 2000).

I have detected a folder in C:\WINNT\system32\Macromed\Flash\Microsoft\Data containing strange information with mIRC port, remote port, ....

There is a file in there Isass.exe (not the one in the SYSTEM32 forlder).  I'm unable to delete it (The file is in use).

What can I do?

Thanks!
0
Comment
Question by:polycorjsp
  • 3
5 Comments
 
LVL 2

Accepted Solution

by:
ch0wn earned 300 total points
ID: 17133502
Sounds like you have a Backdoor.Futro Trojan.  It usually opens TCP ports 666, 6665 and 6664.  

Is this a production webserver that cant be restarted?
Do you have a current Anti-Virus on the server?

Removal:
1 - You really need to have an Anti-Virus on the server with all of the current Windows updates.  
2 - Run a full scan of your updated Anti-Virus program.
3 - Backup your registry
4 - Delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
      Then click OK.
   3. Navigate to the key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   4. In the right pane, delete the value:
      "Isass" = "%System%\Isass.exe"
   5. Exit the Registry Editor.
5 - Restart the server and make sure infection is no longer present

Ch0wn
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 200 total points
ID: 17133539
You need to figure out where the malware is starting from, and disable it, then delete it.

Here is what I suggest:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) [Important] From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

If you can clearly identify the problem items, then un-check them and reboot. Then you should be able to delete the malware - though I would sugest saving them in a new folder temporarily for further study.

A better option might be to post the results of Autoruns here (after saving to a text file and copy-and-paste) so we can review what might be at fault.

AFTER everything is cleaned up, you should review all passwords for Admin accounts and make sure they are changed to something longer, plus run MBSA (http://www.microsoft.com/technet/security/tools/mbsahome.mspx) and follow the steps there to apply all patches.

0
 

Author Comment

by:polycorjsp
ID: 17133649
Why change admin password?  Do you think that they have been sent to someone?

Thanks!
0
 
LVL 32

Expert Comment

by:r-k
ID: 17134136
"Why change admin password?"

In this case we are not sure what means were used to hack your system. Compromised passwords is a real possibility. Changing them would make sense.

In my view it better to have long passwords (10 chars minimum) and not worry so much about using tricky combinations of case and letters. Just avoid proper names and dictionary words.
0
 
LVL 32

Expert Comment

by:r-k
ID: 17134153
Another common thing in such cases is for the hackers to create dummy user accounts which they can use to log-in later. Review all user accounts in case that happened.

Once you identify the time of the break-in, review all files created on your system since that time.

Another good program to run as a safelty measure is RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
in case they installed a rootkit.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Flux question 2 112
Modify local Group Policy through powershell 5 73
risks of using YouSendIt & DropBox & GoogleDrive 12 90
default domain policy in AD exemptions 3 71
In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question