Re: 2 files titled Systray.exe? Worm maybe?

From: Meg (megarts@hotmail.com)
Date: 08/28/02


Thanks for the advice. You mentioned three programs I
haven't tried so I will work on that later today. The
Cleaner, Pest Patrol, Norton (online, only) and Swat It!
all came up with different files that were infected. The
installed version of Norton didn't find any infected files.

I installed a firewall over the weekend and there have been
attempts to hack my system since then. So I hope Norton's
firewall is up to the task. From what I can tell the
hacking just went on for a few days.

Reinstalling Windows sounds way above my skill level. If I
have removed all of the backdoors (That's a big if, I
know.) and if I keep a firewall enabled at all times, am I
still at risk?

Again, thanks for your help.

Meg

>-----Original Message-----
>I'm not sure I would just delete it without trying to understand what trojan
>it is, what it does, what other files might be there and how it got there.
>If you just delete the file without taking other action, you could be hacked
>again later. Try running a trojan scanner like www.pestpatrol.com or
>www.sunbelt-software.com / www.gfi.com [free trial I believe] to scan it.
>Pestpatrol.com has a free mini-scanner that looks for common port numbers of
>some trojans, and fport from foundstone.com is also useful in this way. You
>could try submitting it to your favorite antivirus or anti-trojan vendor;
>there is a way to submit it probably within Norton antivirus or by
>downloading a tool from www.symantec.com. You might also download and run
>Startup Cop [try searching www.google.com, www.download.com, etc. to find
>it] to see some other places where suspicious files could be launching at
>startup. If IIS web services are running on your computer, you could open
>and read your IIS logs. You could also download and install the free Sygate
>firewall to see if any trojans are sending out traffic to the internet.
>
>[A search of coldlife on google indicates it could be an IRC backdoor.]
>
>If a hacker compromised your computer and put this file there, he or she
>might have put other back doors on your system. If this is what happened,
>you can't be sure you've removed all the back doors that allow future entry
>to your computer unless you format the system and reinstall Windows and
>everything. [If the trojan came from an email attachment or is not really a
>trojan, then this may not be necessary to do.]
>
>Either way, you want to be sure to secure your system by installing all
>patches and using secure settings by following the checklists to harden
>Windows and IIS [if installed] which are all at www.microsoft.com/security
>
>"Meg" <megarts@hotmail.com> wrote in message
>news:625901c24e47$d9cc88e0$9de62ecf@tkmsftngxs01...
>While scouring my system of Trojans, I found systray in two
>places in WINNT. WINNT\system\Systray.exe and
>WINNT\system32\systray.exe. The former looks like a worm
>with a bogus copyright, Copyright © 2002-2003
>Liv[e]viL/icmp & w4nk-h3r. The other has a Microsoft
>copyright. Can I delete the first one or will I lose
>valuable data? Is there something else I should do besides
>that? It does load a blank page when I boot the system with
>a faint tracing of Coldlife 5 on it. Scans with Norton
>Virus, Personal firewall and various other programs did not
>produce this file as a threat.
>
>TIA!
>
>Meg