
IRC.Backdoor.Flood and HideWindow


Original Message
Name: heatz34
Date: April 16, 2003 at 09:52:25 Pacific
Subject: IRC.Backdoor.Flood and HideWindow
OS: Win 2K Pro
CPU/Ram: PII 450/ 128 MB
Comment:

We recently detected IRC.Backdoor.Flood and HideWindow trojans on several of our Win2K machines on our school network. Our anti-virus was able to remove the trojans. The problem is this: When the infected computers are booted, a program window opens. It is called "Explrr Windows Manager." (note the misspelling) I am having trouble removing this from the machines. Anyone else seen this, or have any ideas on how to remove from the computer? If more info needed, please post. Thanks.



Response Number 1
Name: Matt
Date: April 24, 2003 at 09:56:11 Pacific
Subject: IRC.Backdoor.Flood and HideWindow
Reply:

Hi,
I am also having the same problem. If you have found a solution, please forward it to me when you have the time. Thanks so much,
Matt



Response Number 2
Name: pobocks
Date: May 5, 2003 at 23:12:27 Pacific
Subject: IRC.Backdoor.Flood and HideWindow
Reply:

I'm also having this problem... I had two of these windows running at startup, along with a copy of Explorer. Found one of the windows and Explorer in the registry, under "Local Machine\Software\Microsoft\Windows\Currentversion\Run"



Response Number 3
Name: pobocks
Date: May 6, 2003 at 10:05:00 Pacific
Subject: IRC.Backdoor.Flood and HideWindow
Reply:

Hey... Another piece of advice... The Explrr phony window managers on my system (I got the other one by using the "go to process" function of the Task Manager, which will tell you what process is running what the program selected) were named explore.exe and services.exe, respectively. The explore.exe was easy to find, since the real system file has an 'r' on the end of it, and was contained in "C:\WINNT\Web\printers\images". The fake services.exe can be told from the real one by the fact that the real services.exe is in CAPITAL LETTERS, or by using the "Go To Process" trick. The "Go to Process" command is on the menu when you right-click a program in Task Manager.



Response Number 4
Name: ahwong
Date: May 22, 2003 at 20:08:55 Pacific
Subject: IRC.Backdoor.Flood and HideWindow
Reply:


Go to search for "services.exe" after finishing what pobocks has instructed above.

The real "SERVICES.EXE" is 87K bytes. You may see a copy of "services.exe" that is not 87K bytes; that is our target! Remember the full path of this suspected "services.exe".

Then go to the registry and search for this full path, to see which registry value(s) were changed by this virus.

How to Clean:
1. Delete all changed registry entries. Normally, they exist in:

(a). HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

(b). HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows


2. You also need to delete the fraudulent "services.exe". Please remember that this file's location is random. Mostly, it is saved under the system directory.

Hope it is useful.
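The three checks the thread arrives at (find the process behind the "Explrr" window, spot copies of services.exe / explore.exe running from the wrong place, and hunt the Run-style registry keys for the values that launch them) can be scripted as a read-only triage pass. The following is an added example and not code from any poster in the thread; it assumes Windows PowerShell 5.1 or later run as an administrator on the affected host. The file names, the "Explrr" window title and the two registry keys come from the posts above; the value names under the "Windows NT\CurrentVersion\Windows" key are an assumption. Rather than relying on the 87K figure or on the case of the process name, which vary by Windows version and are easy to mimic, it compares each image's full path against where the genuine binary lives and reports the size of the genuine services.exe alongside each suspect for comparison. It only reports; removal of the flagged values and files is left to the operator, as the posts describe.

```powershell
# Added example, not from the thread: read-only triage for the indicators the
# posts above describe. Assumes Windows PowerShell 5.1+ run as an administrator
# on the affected host. File names, the "Explrr" window title and the registry
# keys come from the thread; the value names under the
# "Windows NT\CurrentVersion\Windows" key (e.g. Load, Run) are an assumption.

$SystemDir  = [Environment]::SystemDirectory        # e.g. C:\WINNT\system32 on Win2K
$WindowsDir = $env:SystemRoot                       # e.g. C:\WINNT

# Where the genuine binaries live. "explore.exe" (no trailing r) has no
# legitimate home, so it is absent here and therefore always flagged.
$Expected = @{
    'services.exe' = Join-Path $SystemDir  'services.exe'
    'explorer.exe' = Join-Path $WindowsDir 'explorer.exe'
}
$Watched = @('services.exe', 'explore.exe', 'explorer.exe')

$AutostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)

# True only when the name is a known-good binary AND it runs from its known path.
function Test-ExpectedPath {
    param([string]$Name, [string]$Path)
    $n = $Name.ToLower()
    if (-not $Expected.ContainsKey($n)) { return $false }
    return [string]::Equals($Path, $Expected[$n], 'OrdinalIgnoreCase')
}

# Step 1 (pobocks): which process owns the bogus "Explrr Windows Manager" window?
function Get-ExplrrWindowProcess {
    Get-Process | Where-Object { $_.MainWindowTitle -like '*Explrr*' } |
        Select-Object Id, ProcessName, Path, MainWindowTitle
}

# Step 2 (pobocks, ahwong): running processes that use a watched name from the
# wrong location, with their size next to the genuine services.exe for comparison.
function Get-SuspiciousProcesses {
    $realSize = (Get-Item $Expected['services.exe'] -ErrorAction SilentlyContinue).Length
    Get-CimInstance Win32_Process |
        Where-Object { $Watched -contains $_.Name.ToLower() } |
        ForEach-Object {
            $path = $_.ExecutablePath
            $size = if ($path -and (Test-Path $path)) { (Get-Item $path).Length } else { $null }
            [pscustomobject]@{
                Pid         = $_.ProcessId
                Name        = $_.Name
                Path        = $path
                SizeBytes   = $size
                RealSvcSize = $realSize
                Suspicious  = -not (Test-ExpectedPath $_.Name $path)
            }
        } | Where-Object Suspicious
}

# Step 3 (ahwong): autostart values that launch a watched name from the wrong path.
function Get-SuspiciousAutostarts {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # PowerShell's own provider metadata
            $cmd = [string]$p.Value
            # Pull the executable out of a possibly quoted command line.
            if ($cmd -notmatch '^\s*"?([^"]+?\.exe)') { continue }
            $exe  = $Matches[1]
            $leaf = [IO.Path]::GetFileName($exe).ToLower()
            if ($Watched -notcontains $leaf) { continue }
            if (Test-ExpectedPath $leaf $exe) { continue }
            [pscustomobject]@{ Key = $key; Value = $p.Name; Command = $cmd; Executable = $exe }
        }
    }
}

Get-ExplrrWindowProcess
Get-SuspiciousProcesses
Get-SuspiciousAutostarts
```

Run it once before cleanup to record what is flagged (the registry value names and the full file paths), and again after a reboot to confirm nothing re-registered itself; an entry that comes back after the Run values were cleared points at a second launcher the script's key list does not cover.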