I am running win2k server with the service pack 2 installed. I installed all the latest patches. The server however was infected by Nimda virus before the patches were installed (2 months back). I cleaned up everything, applied the latest patches and have been updating the anti-virus software regularly since then. However, there is a trojan still left in the machine. Norton detects it as backdoor.trojan found in c:\winnt\system32\rpcmon\rpcmon.exe. The problem is the file is undeletable. I have ownership permissions but whenever I try to delete the file I get a message saying "source is in use". Any suggestions on how to get rid of it. Thanks, Ram.

http://www.moosoft.com Download "The Cleaner" or boot into DOS and delete it from within DOS.

right after the computer beeps on bootup hit the f8 key or When you see the white loading bar before the 2k splash screen this will bring up a menu one of the opptions is a command prompt others include safe mode and vga mode select comand prompt and if needed use the attrib command to see it it is a marked as hidden or a system file and change its properties if you can not properly acces theese options because of damage to the system go (using someoneelses computer) to bootdisk.com and download a win 98 boot disk pop it in and after boot up just coppy the attrib comand off the disk to your hard drive if you typpe just attrib - c:\attrib it will list all files hidden or otherwise and their attributes... for instance if the file has an h its hidden nonsense example.... file is lisete like below h a s test.exe h means hiden a archive s system to alter the properties you would type c:\attrib test.exe -h this would unhide it to hide it you use the + symbol

Hi, I had the same problem on my W2K server after the virus attack. I contacted Microsoft for support and they had me put the system in safe mode with no networking and delete the file. If you use Fat32 then you could delete using DOS but if you use NTFS as I do then you need to use safe mode.

Is rpcmon.exe a file that this trojan creates? I have sucessfully removed the file.