Re: Solution to mIRC and Secedit Virus Networking Problems

From: aladin (aladin168@hotmail.com)
Date: 09/25/02


From: aladin168@hotmail.com (aladin)
Date: 25 Sep 2002 08:35:11 -0700


Alison,
I had a follow-up posting regarding ocxdll.exe a couple of weeks ago.
You can follow the additional suggestions in that posting. Make sure
you use some Anti-Trojan software to detect and clean up your system.
Anti-Virus software does not pick up many IRC related trojans.

I like the free Anti-Trojan software, SWAT-IT, by Lockdown Corp
(www.lockdowncorp.com). Try it out. It should help you a lot in
terms of fighting trojans.

In terms of removing trojans, I definitely think you should rename the
suspected trojan file, and remove the registry entry "Adobea".

If possible, can you please send me the adobes.exe at kyle@kylelai.com
for analysis? Thanks!

Good luck!
/Kyle

Kyle Lai, CISSP, CISA, MCSE
Information Security Consultant
Kyle Lai Consulting
508-380-2022
kyle@kylelai.com

alison_taylor@canada.com (Alison Taylor) wrote in message news:<3c990e53.0209231129.45295f35@posting.google.com>...
> Many thanks to both Edward and Kyle for information on this virus. I
> have attempted to carry out all your suggestions since my computer was
> infected several days ago.
>
> I have some lingering problems and am wondering if anyone else has
> seen these and can suggest fixes. The most notable problem is that my
> computer reboots during bootup. The Win2000 login prompt comes up ok
> and I log in to my account (which has administrator privileges, don't
> know if that is relevant). Then the programs with icons in the
> taskbar launch. During the launching of these programs, or
> immediately after, the computer then reboots.
>
> Another thing I noted was in the registry. Under
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run there
> is an entry "Adobea" which was pointing to
> C:\winnt\system32\adobes.exe, which Norton AntiVirus had identified as
> an IRC Trojan. There does exist a file called Adobea.exe in the
> system32 directory, but I don't know whether it is also a
> trojan-created file or whether it needs to be there. I currently have
> the adobea entry pointing to a non-existent file till I have this
> sorted out.
>
> I am not familiar enough with all the services to know which should be
> disabled and which should be enabled. I am guessing that during my
> attempts to rollback the changes made by the virus I have messed up my
> services and registry settings, causing the crash on startup. I don't
> need to allow anyone to log in remotely or provide any services to
> remote users. Can anyone out there suggest a minimal list of services
> to run?
>
> Thanks for any replies,
>
> Alison
>
>
>
> aladin168@hotmail.com (aladin) wrote in message news:<bf0f8e77.0209050049.24860609@posting.google.com>...
> > Hi Edward Alfert,
> > I referenced the steps you wrote in my document. They are nice steps
> > and, most importantly, they were tested and worked for many people. Great
> > job!
> >
> > Here is my analysis:
> >
> > Sorry guys if this is a repeat. I kind of need to make a correction
> > on the steps to restore security templates, and I just referenced
> > Edward Alfert's instructions:
> >
> > More Analysis on ocxdll.exe virus: v. 1.1
> >
> > Kyle Lai, CISSP, CISA
> > aladin168@hotmail.com
> >
> >
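The thread turns on one concrete artifact: a value under HKLM\...\CurrentVersion\Run ("Adobea") that launches an unsigned binary out of system32, which Alison first pointed at a non-existent file and Kyle advises removing outright. The script below is an added example written for this archive page; it is not code from the thread, from Kyle Lai, or from the SWAT-IT tool, and it assumes a modern Windows host with PowerShell 5 or later rather than the Windows 2000 box in the post. It lists every Run/RunOnce value for the machine and the current user, resolves the executable each command launches, and flags exactly the two conditions the posts describe: a target that no longer exists, and a target that lives in system32 but carries no valid Authenticode signature. Removal is a separate function that exports the key to a .reg file first so the change can be reversed with `reg import`.

```powershell
# Added example (not from the thread). Audits autostart "Run" entries and flags
# the pattern described in the posts: a Run value whose target is missing or is
# an unsigned binary sitting in system32. Reporting is read-only; Remove-RunEntry
# is the explicit, backed-up removal step and must be run from an elevated shell.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Quoted form:   "C:\Program Files\App\app.exe" /arg
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\winnt\system32\adobes.exe /arg
    # (an unquoted path that itself contains spaces cannot be split reliably;
    #  the first whitespace-delimited token is taken and the row will show as
    #  TARGET MISSING, which is still worth a human look)
    if ($Command -match '^\s*(\S+)') { return $Matches[1] }
    return $null
}

function Get-RunEntryReport {
    $report = foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; they are not Run values.
            if ($p.Name -like 'PS*') { continue }
            $cmd    = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $exe    = Get-ExecutableFromCommand $cmd
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'n/a' }

            $flags = @()
            if (-not $exists) {
                $flags += 'TARGET MISSING'          # e.g. an entry re-pointed at a deleted file
            } elseif ($sig -ne 'Valid') {
                $flags += "UNSIGNED($sig)"
                if ($exe -match '\\system32\\') { $flags += 'UNSIGNED IN SYSTEM32' }
            }

            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Target  = $exe
                Flags   = ($flags -join ', ')
            }
        }
    }
    return $report
}

function Remove-RunEntry {
    param(
        [Parameter(Mandatory)][string]$Key,   # PowerShell drive form, e.g. HKLM:\...\Run
        [Parameter(Mandatory)][string]$Name   # the value name, e.g. Adobea
    )
    # Export the whole key first so the removal can be undone with: reg import <file>
    $backup  = Join-Path $env:TEMP ('run-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    $regPath = $Key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    reg export $regPath $backup /y | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name
    Write-Host "Removed '$Name' from $Key (backup written to $backup)"
}

# Usage: print the audit table; rows with anything in Flags deserve attention.
Get-RunEntryReport | Format-Table -AutoSize

# To act on a flagged entry such as the one in the thread (elevated shell):
# Remove-RunEntry -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Adobea'
```

The signature check is what separates the two cases Alison could not tell apart: a legitimate vendor binary in system32 normally carries a valid Authenticode signature, while a dropped IRC trojan will not, so an unsigned system32 target is the row to rename and quarantine before the Run value is deleted. Pointing the value at a non-existent file, as Alison did, shows up as TARGET MISSING; that is a reasonable interim step, but the value should still be removed once the file has been collected for analysis, which is the order Kyle recommends.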