Solved

virus problem Mirc

Posted on 2006-07-18
212 Views
Last Modified: 2013-12-04
Hi guys!

I have a possible hacking problem.  I have a windows server 2003 (upgraded from 2000).

I have detected a folder in C:\WINNT\system32\Macromed\Flash\Microsoft\Data containing strange information with mIRC port, remote port, ....

There is a file in there Isass.exe (not the one in the SYSTEM32 folder).  I'm unable to delete it (The file is in use).

What can I do?

Thanks!
Question by:polycorjsp
5 Comments
 
LVL 2

Accepted Solution

by:
ch0wn earned 300 total points
ID: 17133502
Sounds like you have a Backdoor.Futro Trojan.  It usually opens TCP ports 666, 6665 and 6664.  

Is this a production webserver that can't be restarted?
Do you have a current Anti-Virus on the server?

Removal:
1 - You really need to have an Anti-Virus on the server with all of the current Windows updates.  
2 - Run a full scan of your updated Anti-Virus program.
3 - Backup your registry
4 - Delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
      Then click OK.
   3. Navigate to the key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   4. In the right pane, delete the value:
      "Isass" = "%System%\Isass.exe"
   5. Exit the Registry Editor.
5 - Restart the server and make sure infection is no longer present

Ch0wn
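The manual registry steps above, as an added defender-side check script that is not part of this answer: it lists the Run key, flags the exact value name and drop directory named in this thread, shows which process keeps the file locked, and only removes the value (after a .reg backup) when run with -Remove. It assumes PowerShell is available on the server and that $env:SystemRoot is the C:\WINNT directory from the question.

```powershell
# Added example, not from the thread. Indicators (value name, directory) are
# exactly those posted above; nothing is deleted unless -Remove is passed.
param([switch]$Remove)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropDir   = Join-Path $env:SystemRoot 'system32\Macromed\Flash\Microsoft\Data'
$valueName = 'Isass'   # capital I: mimics the legitimate lsass.exe in System32

# 1. Show every Run value so an odd entry stands out next to the known ones.
$run = Get-ItemProperty -Path $runKey
$run.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { '{0,-20} = {1}' -f $_.Name, $_.Value }

# 2. Flag the specific indicator and find the process holding the file open.
$hit = $run.PSObject.Properties[$valueName]
if ($hit) {
    Write-Warning "Run value '$valueName' present: $($hit.Value)"
    Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $hit.Value) } |
        Select-Object Id, ProcessName, Path
}

# 3. Inspect the drop directory from the question (hidden files included).
if (Test-Path $dropDir) {
    Write-Warning "Drop directory exists: $dropDir"
    Get-ChildItem -Path $dropDir -Force |
        Select-Object Name, Length, CreationTime, LastWriteTime
}

# 4. Optional removal: export the key first, then delete only the named value.
if ($Remove -and $hit) {
    $backup = Join-Path $env:TEMP ('Run-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' $backup /y | Out-Null
    Write-Host "Registry backup written to $backup"
    Remove-ItemProperty -Path $runKey -Name $valueName
    Write-Host "Removed Run value '$valueName'; reboot, then delete the file."
}
```

Run it once without -Remove to review the output, then with -Remove only after the Run value and the file it points to have been confirmed against the legitimate %SystemRoot%\System32\lsass.exe.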
 
LVL 32

Assisted Solution

by:r-k
r-k earned 200 total points
ID: 17133539
You need to figure out where the malware is starting from, and disable it, then delete it.

Here is what I suggest:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) [Important] From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

If you can clearly identify the problem items, then un-check them and reboot. Then you should be able to delete the malware - though I would suggest saving them in a new folder temporarily for further study.

A better option might be to post the results of Autoruns here (after saving to a text file and copy-and-paste) so we can review what might be at fault.

AFTER everything is cleaned up, you should review all passwords for Admin accounts and make sure they are changed to something longer, plus run MBSA (http://www.microsoft.com/technet/security/tools/mbsahome.mspx) and follow the steps there to apply all patches.

 

Author Comment

by:polycorjsp
ID: 17133649
Why change admin password?  Do you think that they have been sent to someone?

Thanks!
 
LVL 32

Expert Comment

by:r-k
ID: 17134136
"Why change admin password?"

In this case we are not sure what means were used to hack your system. Compromised passwords are a real possibility. Changing them would make sense.

In my view it is better to have long passwords (10 chars minimum) and not worry so much about using tricky combinations of case and letters. Just avoid proper names and dictionary words.
 
LVL 32

Expert Comment

by:r-k
ID: 17134153
Another common thing in such cases is for the hackers to create dummy user accounts which they can use to log-in later. Review all user accounts in case that happened.

Once you identify the time of the break-in, review all files created on your system since that time.

Another good program to run as a safety measure is RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
in case they installed a rootkit.
