
KFGH and MIRC

Status
Not open for further replies.

Caldi

IS-IT--Management
Jun 11, 2003
1
GB
HELP! I have recently discovered that my NT server has been taken over by an unscrupulous hacker, and has become an FTP server for them. I have deleted lots of exes, such as KFGH and Dameware, and a couple of DLLs seem to be affected. I have also removed all occurrences of KFGH, IRC and MIRC from the registry. The problem is that it keeps replicating itself when I restart the server, freezing upon login and is very slow. Can anyone assist in cleaning up the server or recommend a virus removal tool?

many thanks
 
If you're having that many problems getting rid of the virus, you've probably got one of the trojans on the market and they can be a pain to get rid of. Check out the link to SDBOT. It's only one variation but they are all very similar.

Essentially, these viruses hide from Windows. They can only be found and deleted by looking manually in DOS mode. Normally they hide under the winnt/system32 directory and the client (FTP server or mIRC) is installed in the winnt/fonts directory. Check your fonts directory and look for .exe's. Check your registry to find out what's loading and go to a cmd prompt and find it.

Check Symantec's website if you find the virus name; they may have a special tool designed to find it.

Good luck.

~ The day I think I know it all, I'm changing careers ~
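
The two checks suggested in the reply above (program files in the fonts directory, and what the registry loads at startup) can be scripted on a current Windows host. This is an added example, not code from either poster; it assumes PowerShell 3.0 or later, an elevated prompt, and the standard Run/RunOnce key locations, and it also lists auto-start services, which goes beyond the registry check the reply mentions.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ and an elevated prompt.
$fonts   = Join-Path $env:SystemRoot 'Fonts'
$progExt = '.exe', '.dll', '.com', '.scr', '.bat', '.cmd'

# 1. Program files sitting in the Fonts directory.
#    -Force includes files carrying the hidden or system attribute.
Get-ChildItem -LiteralPath $fonts -File -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $progExt -contains $_.Extension.ToLower() } |
    Select-Object FullName, Length, LastWriteTime, Attributes |
    Format-Table -AutoSize

# 2. What loads at boot or logon: Run/RunOnce values plus auto-start services.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

$autoruns = @(
    foreach ($key in $runKeys) {
        if (Test-Path -LiteralPath $key) {
            $k = Get-Item -LiteralPath $key
            foreach ($name in $k.GetValueNames()) {
                [pscustomobject]@{
                    Source  = $key
                    Name    = $name
                    Command = [string]$k.GetValue($name)
                }
            }
        }
    }
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Service'
                Name    = $_.Name
                Command = [string]$_.PathName
            }
        }
)

# 3. Flag any startup entry whose command line points into the Fonts directory,
#    and show flagged entries first.
$pattern = [regex]::Escape($fonts)
$autoruns |
    Select-Object Source, Name, Command,
        @{ Name = 'InFonts'; Expression = { $_.Command -match $pattern } } |
    Sort-Object InFonts -Descending |
    Format-Table -AutoSize -Wrap
```

Entries with `InFonts` set to `True` tie a startup item to a file in the fonts directory, which is the combination the reply describes; the remaining rows still need a manual review for unfamiliar names.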
 