Tom's Guide | Tom's Hardware | Tom's Games
Hi,
I discovered a few days ago a Trojan virus on my system, Optix Pro 1.2, and quarantined it.
From research I've done, the person who was connected to it and my system could do all manner of things, including uploading and downloading files and taking live screen captures amongst many other things.
I've also gathered that for them to know I was online, they would be notified either by email, IRC, ICQ or SIN. Whichever means they chose, it would provide a trail back to them.
But what I can't discover is whether it's possible to examine the server I've quarantined, perhaps disassemble somehow to find the miscreant's notification details.
Maybe it would be a job for a real expert, if so I'll gladly employ one. But if it's impossible I shan't proceed.
If someone could enlighten me I'd be most obliged.

If the original trojan maker is using a system of computers, it will be very difficult to trace the source. It can be done, but I do not think it is worth the expense/effort. This is one of the problems the FBI, and other law enforcement agencies have. They have to weigh the cost (they claim $250,000 to investigate) vs the damage done. In the end it costs us all, because even a home user has to try to batten down the hatches, or try to, and it is not free! What is really troubling is that you can get the trojan packet on the net. This means that you do not have to be creative and computer literate any more, anyone can make life miserable for someone else. Take care and all the best!

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Perform a forensic analysis and restore the computer using trusted media.
Do not open attachments unless you are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses.
1. Update the virus definitions.
2. Do one of the following:
Windows 95/98/Me: Restart the computer in Safe mode.
Windows NT/2000/XP: Stop the Trojan process.
3. Run a full system scan, and delete all files that are detected as Backdoor.OptixPro.11.
4. Reverse the changes that the Trojan made to the registry.
5. (Windows 95/98/Me only) Restore the shell= line in the System.ini file, and restore the run= line in the Win.ini file.
Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.
Windows NT/2000/XP
To end the Trojan process:
1. Press Ctrl+Alt+Delete one time.
2. Click Task Manager.
3. Click the Processes tab.
4. Double-click the Image Name column header to sort the processes alphabetically.
5. Scroll through the list, and look for Win32loader.exe.
6. If you find the file, click it, and then click End Process.
7. Exit the Task Manager.
To reverse the changes that the Trojan made to the registry:
Because the Trojan modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension and then run that file. To make a copy of the Registry Editor:
1. Do one of the following, depending on which version of Windows you are running:
Windows 95/98: Click Start, point to Programs, and click MS-DOS Prompt. A DOS window opens at the C:\Windows prompt. Proceed to step 2 of this section.
Windows Me: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt. A DOS window opens at the C:\Windows prompt. Proceed to step 2 of this section.
Windows NT/2000:
a. Click Start, and click Run.
b. Type the following, and then press Enter:
command
A DOS window opens.
c. Type the following, and then press Enter:
cd \winnt
d. Go on to step 2 of this section.
Windows XP:
a. Click Start, and click Run.
b. Type the following, and then press Enter:
command
A DOS window opens.
c. Type the following, and then press Enter after typing each one:
cd\
cd \windows
d. Proceed to step 2 of this section.
2. Type the following, and then press Enter:
copy regedit.exe regedit.com
3. Type the following, and then press Enter:
start regedit.com
The Registry Editor opens in front of the DOS window. After you finish editing the registry, exit the Registry Editor, and then exit the DOS window.
1. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the \command subkey.
Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey that is shown in the following figure:
4. Delete all text (on the shell=Explorer.exe line only) that is to the right of Explorer.exe. When you have finished, the line should read:
shell=Explorer.exe
5. Click File, click Exit, and then click Yes when you are prompted to save the changes.
6. Click Start, and click Run.
7. Type the following and then click OK:
edit c:\windows\win.ini
The MS-DOS Editor opens.
NOTE: If Windows is installed in a different location, make the appropriate path substitution.
8. In the [windows] section of the file, look for an entry similar to the following:
run=
9. Delete all text (on the run= line only) that is to the right of run=. When you have finished, the line should read:
run=
10. Click File, click Exit, and then click Yes when you are prompted to save the changes.

I have blisters on me fingers! There yugo, RNM (I really hope this helps you out, ouch!)
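The removal steps above end with three persistence points to clean by hand: the shell= line in System.ini, the run= line in Win.ini, and the exefile\shell\open\command registry value. As an added example (not code from this thread or from Symantec's write-up), this read-only audit takes the text of those three locations and reports anything that still needs restoring; the sample inputs are constructed to mimic the infected state described, and the hijacked registry value is an assumption about how the Trojan chained itself in.

```python
# Added example, not from the thread or the Symantec write-up: a read-only
# audit of the three persistence points the removal steps above touch.
# It works on pasted text, so it runs on any platform.

# Value of HKLM\Software\Classes\exefile\shell\open\command on a clean
# Windows install: launch the .exe itself ("%1") with its arguments (%*).
CLEAN_EXEFILE_COMMAND = '"%1" %*'

def check_ini_line(ini_text, section, key, expected):
    """Locate `key=` inside `[section]`; anything beyond `expected` is extra."""
    in_section = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == section.lower()
            continue
        if in_section and line.lower().startswith(key.lower() + "="):
            value = line.split("=", 1)[1].strip()
            if value.lower().startswith(expected.lower()):
                extra = value[len(expected):].strip()  # program(s) appended
            else:
                extra = value                          # expected value replaced
            return {"found": True, "value": value, "extra": extra,
                    "suspicious": bool(extra), "fixed": f"{key}={expected}"}
    return {"found": False, "value": None, "extra": "", "suspicious": False,
            "fixed": f"{key}={expected}"}

def check_exefile_command(value):
    """Any deviation from the default means every .exe launch is intercepted."""
    return {"value": value, "suspicious": value.strip() != CLEAN_EXEFILE_COMMAND,
            "fixed": CLEAN_EXEFILE_COMMAND}

def audit(system_ini, win_ini, exefile_command):
    """Return (location, current value, value to restore) for each dirty spot."""
    checks = (
        ("System.ini [boot] shell=", check_ini_line(system_ini, "boot", "shell", "Explorer.exe")),
        ("Win.ini [windows] run=", check_ini_line(win_ini, "windows", "run", "")),
        ("exefile\\shell\\open\\command", check_exefile_command(exefile_command)),
    )
    return [(name, r["value"], r["fixed"]) for name, r in checks if r["suspicious"]]

# Constructed samples mimicking the infected state the write-up describes;
# the hijacked registry command is an assumption, not a value from the page.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\Win32loader.exe\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\Win32loader.exe\n"
SAMPLE_EXEFILE_CMD = 'C:\\WINDOWS\\Win32loader.exe "%1" %*'

if __name__ == "__main__":
    for location, current, fixed in audit(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI, SAMPLE_EXEFILE_CMD):
        print(f"{location}: found {current!r}; restore to {fixed!r}")
```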
