Damn virus / trojan horse.. it's back..

Oct 9, 1999
I just reformatted my friend's machine and it's patched to the latest. It has ZoneAlarm running.. and yet the trojan horse EXPL32.exe is back..

We ran housecall.antivirus.com and it showed 23 infections..

By any chance do you know where it's coming from? I don't know if AOL 8.0 has a backdoor. He uses AOL for chatting, but he has a broadband connection thru Charter..

I don't know where it's coming from other than someone managing to put it thru the system.
 

aux

Senior member
Mar 16, 2002
Did you use a clean copy of Windows and whatever software you installed on that machine?

 

cmf21

Senior member
Oct 10, 1999
I have ZoneAlarm and AVG but still got two nasty trojans last week. They were backdoor.optix.12.b and backdoor.optix, which apparently gave hackers access to my computer. I couldn't delete the files or fix them. I tried downloading a couple of cleaners but they didn't work at all. After I was able to delete a few files, I rebooted to see if they were gone, new viruses appeared and I couldn't open any programs up or anything. I ended up having to format my system. I didn't have a clue where they came from because I don't download anything off the web I shouldn't and don't even use Outlook.

They sure were nasty and I have downloaded The Cleaner now to also scan my computer.
 
Oct 9, 1999
Originally posted by: aux
Did you use a clean copy of Windows and whatever software you installed on that machine?

Oh yeah, the OS is clean (it's an original W2K CD) and as for other software CDs.. I don't know what he installed. But I know it can't be anything I installed for him.

I got NAV running on that, it didn't catch it.. only HouseCall caught it.

The reason he knows it's there is because it brings up this window just after you log in..

The trojan (I have seen it in action before I formatted) uses MIRC32 (the EXPL32.exe is an MIRC program). It's got a backdoor and stuff.
 

Platypus

Lifer
Apr 26, 2001
Originally posted by: MercenaryForHire
Tip of the day for May 14th, 2003:

Firewalls don't block STUPID.


- M4H

Now that you've contributed nothing worthwhile twice to this thread....
Did you redownload mIRC? If so from where?
Also, when you formatted, did you just install over the old OS, or did you actually format the drive itself?
 

Yossarian

Lifer
Dec 26, 2000
Originally posted by: The_good_guy
I don't know if AOL 8.0 has a backdoor.

Yes, enter AOL keyword "Joshua"

Mr. Potatohead, MR. POTATOHEAD!! Back doors are NOT secrets.
 

OrByte

Diamond Member
Jul 21, 2000
Try a port blocker yet?

You need to identify which port the trojan uses and just block it, then go about finding the .exe to delete.

I think anyway...or I could be talkin out my butt

/nick OrButt

good luck anyway!
 

Entity

Lifer
Oct 11, 1999
Originally posted by: The_good_guy
Originally posted by: aux
Did you use a clean copy of Windows and whatever software you installed on that machine?

Oh yeah, the OS is clean (it's an original W2K CD) and as for other software CDs.. I don't know what he installed. But I know it can't be anything I installed for him.

I got NAV running on that, it didn't catch it.. only HouseCall caught it.

The reason he knows it's there is because it brings up this window just after you log in..

The trojan (I have seen it in action before I formatted) uses MIRC32 (the EXPL32.exe is an MIRC program). It's got a backdoor and stuff.

Does it happen to have a blank admin password on his box? I know that many exploits use that in combo with MIRC, firedaemon and services.

Rob
 
Jan 31, 2002
Originally posted by: 8WOOD
Originally posted by: MercenaryForHire
Your friend sucks at the internet.

- M4H
Hey is that a nef post?

No, it's the truth. His friend does suck at teh intArweb.

Oh, and the Tip of the Day has value as well. But since everyone can't read between the lines, I'll spell it out.

Tell him to stop downloading random, untrusted crap from every website he visits. 98% of trojans don't just install themselves, you know.

Thank you.

- M4H
 
Jan 31, 2002
Originally posted by: Entity
Originally posted by: The_good_guy
Originally posted by: aux
Did you use a clean copy of Windows and whatever software you installed on that machine?

Oh yeah, the OS is clean (it's an original W2K CD) and as for other software CDs.. I don't know what he installed. But I know it can't be anything I installed for him.

I got NAV running on that, it didn't catch it.. only HouseCall caught it.

The reason he knows it's there is because it brings up this window just after you log in..

The trojan (I have seen it in action before I formatted) uses MIRC32 (the EXPL32.exe is an MIRC program). It's got a backdoor and stuff.

Does it happen to have a blank admin password on his box? I know that many exploits use that in combo with MIRC, firedaemon and services.

Rob

IIRC, as of 2K SP3 and XP RTM, blank password accounts aren't allowed to login via network. I might be wrong though. Either that, or "password" is a really bad password. :p

- M4H
 

GoingUp

Lifer
Jul 31, 2002
I'm trying that site to scan my own computer for viruses.... and the damn program keeps erroring.... :|
 

Entity

Lifer
Oct 11, 1999
Originally posted by: MercenaryForHire
Originally posted by: Entity
Originally posted by: The_good_guy
Originally posted by: aux
Did you use a clean copy of Windows and whatever software you installed on that machine?

Oh yeah, the OS is clean (it's an original W2K CD) and as for other software CDs.. I don't know what he installed. But I know it can't be anything I installed for him.

I got NAV running on that, it didn't catch it.. only HouseCall caught it.

The reason he knows it's there is because it brings up this window just after you log in..

The trojan (I have seen it in action before I formatted) uses MIRC32 (the EXPL32.exe is an MIRC program). It's got a backdoor and stuff.

Does it happen to have a blank admin password on his box? I know that many exploits use that in combo with MIRC, firedaemon and services.

Rob

IIRC, as of 2K SP3 and XP RTM, blank password accounts aren't allowed to login via network. I might be wrong though. Either that, or "password" is a really bad password. :p

- M4H

You may be right on that; however, I do know of many instances of people at work with laptops where before they get Windows update to SP3, their machine has already been hacked. This is at a university, though, so our boxes usually last 30min or less if we leave them passwordless.

Rob
 
Jan 31, 2002
Originally posted by: Entity
Originally posted by: MercenaryForHire
Originally posted by: Entity
Originally posted by: The_good_guy
Originally posted by: aux
Did you use a clean copy of Windows and whatever software you installed on that machine?

Oh yeah, the OS is clean (it's an original W2K CD) and as for other software CDs.. I don't know what he installed. But I know it can't be anything I installed for him.

I got NAV running on that, it didn't catch it.. only HouseCall caught it.

The reason he knows it's there is because it brings up this window just after you log in..

The trojan (I have seen it in action before I formatted) uses MIRC32 (the EXPL32.exe is an MIRC program). It's got a backdoor and stuff.

Does it happen to have a blank admin password on his box? I know that many exploits use that in combo with MIRC, firedaemon and services.

Rob

IIRC, as of 2K SP3 and XP RTM, blank password accounts aren't allowed to login via network. I might be wrong though. Either that, or "password" is a really bad password. :p

- M4H

You may be right on that; however, I do know of many instances of people at work with laptops where before they get Windows update to SP3, their machine has already been hacked. This is at a university, though, so our boxes usually last 30min or less if we leave them passwordless.

Rob

30 mins is pretty average for 2K.

Our average hack-time for unpatched NT4 at our university was fifteen minutes. And that's from zero to admin access.

- M4H
 
Oct 9, 1999
I don't remember if we put a password on admin.. if not that might be something to look into. I thought I put the password for admin as "user" but if not it's empty.. I don't remember though.. It was a fresh install, fully formatted drive.

As for the program location, it's in a different area.. the program EXPL32.exe is actually MIRC.. run it, it loads MIRC.. MIRC isn't installed on the system.. it was never installed. Originally the program was in Winnt/help, now it's in winnt/driver cache/

I don't know if it's got a pass.. but I do know from the past, the program had a keylogger and stuff. ...

This sucks though.. this trojan horse
 

Platypus

Lifer
Apr 26, 2001
Originally posted by: The_good_guy
I don't remember if we put a password on admin.. if not that might be something to look into. I thought I put the password for admin as "user" but if not it's empty.. I don't remember though.. It was a fresh install, fully formatted drive.

As for the program location, it's in a different area.. the program EXPL32.exe is actually MIRC.. run it, it loads MIRC.. MIRC isn't installed on the system.. it was never installed. Originally the program was in Winnt/help, now it's in winnt/driver cache/

I don't know if it's got a pass.. but I do know from the past, the program had a keylogger and stuff. ...

This sucks though.. this trojan horse

Did you see my links? It's in the registry, that's why it came back. Also, answer my question about formatting.. You have AIM?
 
Oct 9, 1999
Originally posted by: CorporateRecreation
Originally posted by: The_good_guy
I don't remember if we put a password on admin.. if not that might be something to look into. I thought I put the password for admin as "user" but if not it's empty.. I don't remember though.. It was a fresh install, fully formatted drive.

As for the program location, it's in a different area.. the program EXPL32.exe is actually MIRC.. run it, it loads MIRC.. MIRC isn't installed on the system.. it was never installed. Originally the program was in Winnt/help, now it's in winnt/driver cache/

I don't know if it's got a pass.. but I do know from the past, the program had a keylogger and stuff. ...

This sucks though.. this trojan horse

Did you see my links? It's in the registry, that's why it came back. Also, answer my question about formatting.. You have AIM?

Check sig..

Yeah I checked those 3 links.. I have a feeling that the admin password was not secure or was absent.

 

Joker81

Golden Member
Aug 9, 2000
Was the whole drive formatted or only the Windows partition? If he has more than 1 partition/hard drive the file might be on another one.

True story.
I was working in a computer lab where I installed machines from RIZ images; basically you install one copy of Windows and all software and put it on a server. Once on the server you can install to any computer you want.

Well we set up this one computer with just the basics. Our RIZ image doesn't have an admin password. Well we went out to lunch and by the time we got back someone had already remotely installed a trojan on the newly imaged machine. An easy fix by just reimaging the machine, but kinda funny how quickly these people work.