Re: IRC Packets being generated. Don't know where from...

From: Lawrence Abrams (grinler-AT=bleepingcomputer.com)
Date: 04/29/05


Date: Fri, 29 Apr 2005 13:23:07 -0400

It's probably a new rbot or sdbot loading as the service:

Remote Administrator Service

Explorer.exe is always in the %WinDir% and not %System%. Can you submit
C:\WINNT\system32\explorer.exe for analysis at
http://www.bleepingcomputer.com/submit-malware.php? I am
pretty sure it is that file though.

Also for future use, those automated HJT scanners are not wise to use. They
give too many false positives.

-- 
Lawrence Abrams
MS MVP Windows-Security
http://www.bleepingcomputer.com
"Scooter" <scott@serra.com> wrote in message 
news:1114553266.496005.284330@g14g2000cwa.googlegroups.com...
> I have a PC that is generating IRC Query packets on our network.
> I've turned off all the services it will let me and it's still there.
> If I boot into Safe mode it does not send the packets.
> I've included a copy of the Packet and a HiJackThis Log...
>
> HELP!
>
> <snip>
> Thanks!
> Remote Administrator Service: "C:\WINNT\system32\explorer.exe" /service
> (autostart)
> <snip>
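
The location check described in the reply, as an added example that is not part of the original thread: it parses service entries in the format quoted above and flags a well-known Windows binary name whose image path is outside its expected directory. The function names, the system32 entries in the table and all sample lines except the first are assumptions added here.

```python
import ntpath
import re

# Expected directory of each binary, relative to the Windows directory.
# explorer.exe is the case from the thread; the system32 entries are added here.
EXPECTED_SUBDIR = {
    "explorer.exe": "",
    "svchost.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "winlogon.exe": "system32",
}

# Display Name: "C:\path\file.exe" args   or   Display Name: C:\path\file.exe args
# (an unquoted path containing spaces is not handled)
SERVICE_LINE = re.compile(r'^(?P<name>[^:]+):\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')
ENV_VAR = re.compile(r"%(?:systemroot|windir)%", re.IGNORECASE)

def check_service_line(line, windir=r"C:\WINNT"):
    """Return (service, image path, expected dir) for a misplaced image, else None."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    path = m.group("quoted") or m.group("bare")
    path = ntpath.normpath(ENV_VAR.sub(lambda _: windir, path))
    exe = ntpath.basename(path).lower()
    if exe not in EXPECTED_SUBDIR:
        return None  # not a name this table knows about
    expected = ntpath.normpath(ntpath.join(windir, EXPECTED_SUBDIR[exe]))
    if ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(expected):
        return None
    return (m.group("name").strip(), path, expected)

def scan(lines, windir=r"C:\WINNT"):
    """Check every service line and return the findings."""
    return [hit for hit in (check_service_line(l, windir) for l in lines) if hit]

# First line is the entry quoted in the thread; the rest are constructed samples.
SAMPLE = [
    r'Remote Administrator Service: "C:\WINNT\system32\explorer.exe" /service',
    r'Constructed Host A: %SystemRoot%\system32\svchost.exe -k netsvcs',
    r'Constructed Spooler: C:\WINNT\system32\spoolsv.exe',
    r'Constructed Host B: "C:\WINNT\svchost.exe"',
]

if __name__ == "__main__":
    for name, path, expected in scan(SAMPLE):
        print(f"SUSPICIOUS {name!r}: {path} (expected in {expected})")
```

A name-and-path match only shows the file is where it belongs; it says nothing about whether the file itself has been replaced, so a clean result here is not a verdict on the binary.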