Doonz,
They are usually located in the \\PDC\netlogon share, which shares the c:\winnt\system32\repl\import\scripts directory.
Going back to your previous post: you've listed a file on there called tftp879.exe... Backdoornthack actually "phones home" to a host and downloads components, so I think that might be a part of it... Microsoft's explanation is that the virus downloads the file called Dl.exe, runs an install routine and installs a folder in a hidden folder in the C:\Winnt\System32\Os2\ folder... You can also look in your process list for processes listed in ALL CAPS. I would also recommend changing the admin pwd, because it's most likely they are stolen by now and ready to ship out...
I will keep up with this thread and keep an eye on new things for ya...
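An added example, not part of the original post: a small triage pass that turns the checks mentioned above (tftp879.exe, Dl.exe, a hidden folder under C:\Winnt\System32\Os2\, process names in ALL CAPS) into leads for review. The sample listings are constructed, and the `tftp<digits>.exe` pattern and the function names are assumptions.

```python
import re
from ntpath import basename, splitext, normcase

# File names the post mentions. The tftp<digits>.exe pattern generalizes
# tftp879.exe and is an assumption, not something the thread states.
NAMED = re.compile(r"^(dl|tftp\d+)\.exe$", re.IGNORECASE)
OS2_DIR = normcase("C:\\Winnt\\System32\\Os2\\")

def all_caps(image):
    """True when the image name contains letters and all are upper case."""
    stem = splitext(image)[0]
    return any(c.isalpha() for c in stem) and image == image.upper()

def triage(processes, files):
    """Return sorted (reason, item) leads; these are hints, not verdicts.

    processes: iterable of process image names
    files: iterable of (path, is_dir, is_hidden) tuples
    """
    leads = set()
    for image in processes:
        if all_caps(image):
            leads.add(("all-caps process", image))
        if NAMED.match(image):
            leads.add(("named file running", image))
    for path, is_dir, is_hidden in files:
        if NAMED.match(basename(path)):
            leads.add(("named file on disk", path))
        if is_dir and is_hidden and normcase(path).startswith(OS2_DIR):
            leads.add(("hidden folder under Os2", path))
    return sorted(leads)

# Constructed sample data, not taken from the thread.
SAMPLE_PROCESSES = ["smss.exe", "explorer.exe", "SAMPLE1.EXE", "tftp879.exe"]
SAMPLE_FILES = [
    ("C:\\Winnt\\System32\\Os2\\dll", True, False),
    ("C:\\Winnt\\System32\\Os2\\new", True, True),
    ("C:\\Winnt\\System32\\Dl.exe", False, False),
    ("C:\\Winnt\\System32\\tftp.exe", False, False),
]

if __name__ == "__main__":
    for reason, item in triage(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(f"{reason}: {item}")
```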