Trojan called msrr !!

Guest
Archived from groups: microsoft.public.win2000.setup

Hi,

Recently one of our servers was infected with some sort of Trojan
after our firewall collapsed. We installed the anti Trojan program
Trojan Hunter and after we ran this we started to get an unusual
dialogue message whenever someone logs on to the server, the message
we get is:

Could not execute the following command
c:\windows\system32\msrr\msrr.exe

Trojan Hunter seems to have renamed this file to msrr.exe.tcf to
prevent it from being executed I assume. My question is how do I stop
this message from popping up and should I just delete the files in the
msrr folder? I assume I have to edit or delete a registry entry?

Please could someone help, this is really irritating.

Any help would be greatly appreciated.

Rabi
 
Guest
Archived from groups: microsoft.public.win2000.setup

Natively you can; Start\Settings\Control Panel\Administrative Tools\Computer
Management(Local)\System Information\Software Environment\Startup
Programs|View|Advanced, then in the "Location" column, you'll find the path
to the "Startup" location either in the "Startup" directories or from the
registry's "Run" keys. (note that this window is read-only so you must
manually navigate to the location below to edit or otherwise delete)

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.

or copy msconfig from Windows XP to the "windows" directory


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"rabi" wrote:
| Hi,
|
| Recently one of our servers was infected with some sort of Trojan
| after our firewall collapsed. We installed the anti Trojan program
| Trojan Hunter and after we ran this we started to get an unusual
| dialogue message whenever someone logs on to the server, the message
| we get is:
|
| Could not execute the following command
| c:\windows\system32\msrr\msrr.exe
|
| Trojan Hunter seems to have renamed this file to msrr.exe.tcf to
| prevent it from being executed I assume. My question is how do I stop
| this message from popping up and should I just delete the files in the
| msrr folder? I assume I have to edit or delete a registry entry?
|
| Please could someone help, this is really irritating.
|
| Any help would be greatly appreciated.
|
| Rabi
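
An added example, not part of the original thread: a read-only PowerShell audit of the four startup locations listed in the answer above, flagging any entry whose target file no longer exists (the situation after Trojan Hunter renamed msrr.exe). It assumes a system where PowerShell is available; the function names are hypothetical and the folder paths are the ones given in the answer, so a folder that does not exist on the machine is skipped.

```powershell
# Added example (not from the thread): audit the autorun locations named in
# the answer and flag entries whose target file is missing. Nothing is modified.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$startupDirs = (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup'),
               (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup')

function Get-CommandTarget([string]$Command) {
    # Return the executable part of an autorun command line (hypothetical helper).
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }          # quoted path
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]                                  # fallback: first token
}

function Get-TargetStatus([string]$Target) {
    # Classify a target path (hypothetical helper).
    if (-not $Target) { return 'EMPTY' }
    if ($Target -notmatch '^([A-Za-z]:\\|\\\\)') { return 'BARE NAME (found via PATH)' }
    if (Test-Path -LiteralPath $Target -PathType Leaf) { return 'present' }
    return 'MISSING'
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        $target = Get-CommandTarget ([string]$reg.GetValue($name))
        $entries += New-Object PSObject -Property @{
            Location = $key; Name = $name; Target = $target
            Status   = (Get-TargetStatus $target) }
    }
}

$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        $entries += New-Object PSObject -Property @{
            Location = $dir; Name = $lnk.Name; Target = $target
            Status   = (Get-TargetStatus $target) }
    }
}

# MISSING rows are the entries that produce a "Could not execute" style error at logon.
$entries | Sort-Object Status | Format-Table Status, Location, Name, Target -AutoSize
```

The HKCU key and the %USERPROFILE% folder are per-user, so run it as the account that sees the dialog as well as an administrator.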
 
Guest
Archived from groups: microsoft.public.win2000.setup

Thanks for your help Patrick, really appreciated, learnt something new!

"Dave Patrick" <mail@Nospam.DSPatrick.com> wrote in message news:<eT2AYhs1EHA.304@TK2MSFTNGP11.phx.gbl>...
> Natively you can; Start\Settings\Control Panel\Administrative Tools\Computer
> Management(Local)\System Information\Software Environment\Startup
> Programs|View|Advanced, then in the "Location" column, you'll find the path
> to the "Startup" location either in the "Startup" directories or from the
> registry's "Run" keys. (note that this window is read-only so you must
> manually navigate to the location below to edit or otherwise delete)
>
> %ALLUSERSPROFILE%\Start Menu\Programs\Startup
> %USERPROFILE%\Start Menu\Programs\Startup
>
> You can delete the shortcuts that you no longer want to run.
>
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run
> HKCU\Software\Microsoft\Windows\CurrentVersion\Run
>
> You can delete the string value for the program you no longer want to run.
>
> or copy msconfig from Windows XP to the "windows" directory
>
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "rabi" wrote:
> | Hi,
> |
> | Recently one of our servers was infected with some sort of Trojan
> | after our firewall collapsed. We installed the anti Trojan program
> | Trojan Hunter and after we ran this we started to get an unusual
> | dialogue message whenever someone logs on to the server, the message
> | we get is:
> |
> | Could not execute the following command
> | c:\windows\system32\msrr\msrr.exe
> |
> | Trojan Hunter seems to have renamed this file to msrr.exe.tcf to
> | prevent it from being executed I assume. My question is how do I stop
> | this message from popping up and should I just delete the files in the
> | msrr folder? I assume I have to edit or delete a registry entry?
> |
> | Please could someone help, this is really irritating.
> |
> | Any help would be greatly appreciated.
> |
> | Rabi