First time security issue.

From: benat_private
Date: Mon Jul 21 2003 - 10:47:38 PDT

Sorry if this post seems remedial, but I'm pretty new to security.

Last week our NT4 PDC detected a virus (Pinfi.a) and put it in quarantine
as it should. While cleaning up the files, I noticed a new folder in the
WINNT/System32 directory: rmtcfg. It was filled with several .exe and
batch scripts.

Evidently, someone got in (with admin privileges) and tried to set up an
IRC server using an IRC.Flood variant. Luckily, the virus protection
kicked in before he could finish setting up the server.

I ran handle.exe, listdlls.exe, pslist.exe, fport.exe, and netstat as
directed in "Detecting and Removing Trojans and Malicious Code from
Win2K."

My question is, since the system was compromised and system files and the
registry have been replaced/added to, am I just better off formatting
the system partition and restoring from a good backup?

Thanks,
    This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 08:32:45 PDT