Posted 16 November 2006 - 12:08 PM
I am the administrator for a network with a Windows Server 2003 and Windows XP workstations, all on private IPs behind a router/firewall. A couple days ago we were stricken by a virus or trojan which AVG Antivirus calls Trojan Proxy.25.D, and many other of its variants, all recognized as "Trojan Proxy.xx.letter" where "xx" is a number and "letter" an alphabet letter. The infected files are detected and eliminated by the antivirus and they can also be eliminated manually, but the files reappear soon after, over and over again.

This trojan also spreads to all shares on all computers on the network. It drops a couple of files to all shares on the network; these files are "setup.exe" (38kb) and "autorun.inf" (1kb). On the server itself there are some other .exe files created in the currently logged-on user's temp folder, along with text files containing a domain list, first name list, and last name list. At some point there is a srvhosts process that kicks in and takes up almost all the CPU time, considerably slowing down the server. It seems like an attempt to use my server as a relay.

Other than AVG Antivirus, I have run HijackThis, Microsoft's Malicious Software Removal Tool, and Spybot S&D without finding anything that could be causing this to reinstall. Can anybody tell me how to get rid of this for good?

Your help is appreciated...
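
A read-only sweep for the two files the post describes at share roots, added here as an example and not part of the original post. The size tolerance, the check that autorun.inf launches setup.exe, and the share paths passed on the command line are assumptions.

```python
import os

# Indicators as reported in the post; the size tolerance is an assumption.
DROPPED_EXE, AUTORUN = "setup.exe", "autorun.inf"
EXE_SIZE_KB, SIZE_TOLERANCE_KB = 38, 2

def autorun_targets(path):
    """Return the values of open= / shellexecute= lines in an autorun.inf."""
    with open(path, "rb") as fh:
        # Drop NUL bytes so UTF-16 files parse like ANSI ones.
        text = fh.read().replace(b"\x00", b"").decode("latin-1")
    targets = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("open", "shellexecute"):
            targets.append(value.strip().lower())
    return targets

def check_share(root):
    """Return a finding if both dropped files sit at the share root, else None."""
    names = {n.lower(): n for n in os.listdir(root)}  # Windows names are case-insensitive
    if AUTORUN not in names or DROPPED_EXE not in names:
        return None
    exe = os.path.join(root, names[DROPPED_EXE])
    inf = os.path.join(root, names[AUTORUN])
    size_kb = os.path.getsize(exe) / 1024
    return {
        "share": root,
        "exe_size_kb": round(size_kb, 1),
        "size_matches": abs(size_kb - EXE_SIZE_KB) <= SIZE_TOLERANCE_KB,
        # Assumption: the autorun.inf is what starts the dropped setup.exe.
        "autorun_launches_exe": any(DROPPED_EXE in t for t in autorun_targets(inf)),
    }

def sweep(share_roots):
    """Check every share root; unreachable shares are reported, not skipped silently."""
    findings = []
    for root in share_roots:
        try:
            hit = check_share(root)
        except OSError as exc:
            findings.append({"share": root, "error": str(exc)})
            continue
        if hit:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    import sys
    for finding in sweep(sys.argv[1:]):  # e.g. UNC paths of the shares to inspect
        print(finding)
```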