Hello,
I found a folder in my WINNT/System32 called RCTCFG, containing mIRC. The problem is, I've never installed mIRC in the first place! The scary part is, there's a txt file in this folder named "blah.txt" containing a fairly large list of IPs, with their respective User and Pass! Norton found a trojan called Backdoor-IRC-ZCrew, which I removed, but someone keeps reinstalling it! Obviously, someone is on my back... Anyone know a good way to mess with him, or tell him to stop? I figure if he's leaving so much behind, he's probably not the smartest of the bunch...
Thank you,
Ryan

Did you look at this site?
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.zcrew.html

Yes, that's the natural thing to do for whatever Norton finds, but this is the fourth time that I've removed it completely from my system...

What firewall are you using? Have you checked the settings, and any open ports by using the scans at PC Flank and Nanoprobe from Gibson Research websites?

Free trojan scan
http://www.trojanscan.com/trojanscan/scanner.htm
Panda scan
http://www.pandasoftware.es/activescan/
HouseCall
http://housecall.trendmicro.com/housecall/start_corp.asp
d/l McAfee's Stinger
http://vil.nai.com/vil/stinger/
Test my shields (GRC)
https://nanoprobe.grc.com/x/ne.dll?bh0bkyd2
and d/l Trojan Remover
http://www.simplysup.com/tremover/details.html

OK, I've run them all. Shields Up! graded me as TruStealth (thanks to ZoneAlarm). HouseCall found two files in my "Recycled" folder, belonging to the ZCrew Trojan, which I took care of. Thing is, being the fourth time that this has happened, is there any way to go back to the source? I mean, I could wait for the next time this person does it, and then compare the "date and time created" in the trojans' file properties with the date and time of intrusions detected through ZoneAlarm, use NeoTrace, and call their ISP... But I would like to do something back to them, for all the time I wasted on this f---er... Like DameWare and LC4, or something like that?

I'm not an expert on these things but, if you keep getting reinfected with this thing, it suggests that your previous removals have been incomplete or you are letting something through your firewall on a regular basis.
Did you try Trojan Remover (www.simplysup.com)?
I understand it is pretty good. Have you got a chat client like Trillian on your computer, or do you file share? Lots of stuff can 'spoof' the identity of popular programs.
As for getting back at whoever is doing this, don't waste the time and effort. Unless they are really dumb, they will be doing this via one or more compromised machines whose owners probably don't even realise that it's happening.
