• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 222
  • Last Modified:

virus problem Mirc

Hi guys!

I have a possible hacking problem.  I have a windows server 2003 (upgraded from 2000).

I have detected a folder in C:\WINNT\system32\Macromed\Flash\Microsoft\Data containing strange information with mIRC port, remote port, ....

There is a file in there Isass.exe (not the one in the SYSTEM32 forlder).  I'm unable to delete it (The file is in use).

What can I do?

  • 3
2 Solutions
Sounds like you have a Backdoor.Futro Trojan.  It usually opens TCP ports 666, 6665 and 6664.  

Is this a production webserver that cant be restarted?
Do you have a current Anti-Virus on the server?

1 - You really need to have an Anti-Virus on the server with all of the current Windows updates.  
2 - Run a full scan of your updated Anti-Virus program.
3 - Backup your registry
4 - Delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
      Then click OK.
   3. Navigate to the key:
   4. In the right pane, delete the value:
      "Isass" = "%System%\Isass.exe"
   5. Exit the Registry Editor.
5 - Restart the server and make sure infection is no longer present

You need to figure out where the malware is starting from, and disable it, then delete it.

Here is what I suggest:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) [Important] From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

If you can clearly identify the problem items, then un-check them and reboot. Then you should be able to delete the malware - though I would sugest saving them in a new folder temporarily for further study.

A better option might be to post the results of Autoruns here (after saving to a text file and copy-and-paste) so we can review what might be at fault.

AFTER everything is cleaned up, you should review all passwords for Admin accounts and make sure they are changed to something longer, plus run MBSA (http://www.microsoft.com/technet/security/tools/mbsahome.mspx) and follow the steps there to apply all patches.

polycorjspAuthor Commented:
Why change admin password?  Do you think that they have been sent to someone?

"Why change admin password?"

In this case we are not sure what means were used to hack your system. Compromised passwords is a real possibility. Changing them would make sense.

In my view it better to have long passwords (10 chars minimum) and not worry so much about using tricky combinations of case and letters. Just avoid proper names and dictionary words.
Another common thing in such cases is for the hackers to create dummy user accounts which they can use to log-in later. Review all user accounts in case that happened.

Once you identify the time of the break-in, review all files created on your system since that time.

Another good program to run as a safelty measure is RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
in case they installed a rootkit.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now