[mrBob]

winmgnt.exe usually is the hacked serv-u ftp server
so actually he has full control over your pc cuz he can upload/download and execute ANY file
and /ctcp [nick] PING means that you we're requesting a file from that nickname..

[SLiM577]

yea wingmt.exe is most likely serv-u dude

[mrBob]

btw, also found a servudaemon.ini in there?
and servustartuplog.txt

[UnDeRTaKeR]

As my friend said mrBob

Quote

btw, also found a servudaemon.ini in there?
and servustartuplog.txt

i wondered if he could execute the file..

[SlippyG]

First of all I'd like to thank the original poster for not referring to the Internet
Relay Chat service as 'mIRC' - Nice to know that some people still recognise
that IRC is an open protocol that predates the popular windows app. I still
shudder everytime someone asks about 'mIRC servers' ;)

mrBob, on Dec 6 2003, 07:08 PM, said:

winmgnt.exe usually is the hacked serv-u ftp server
so actually he has full control over your pc cuz he can upload/download and execute ANY file
and /ctcp [nick] PING means that you we're requesting a file from that nickname..

I'm not sure what you're trying to say here. The common command
/CTCP {nickname} PING|FINGER|VERSION|TIME|USERINFO|CLIENTINFO
is a well known IRC command despite not being documented in RFC1459.

I suggest you read the CTCP (Client to Client Protocol) specification which
will help clarify what these /CTCP messages mean, and how they are used.

To send these CTCP messages we (Or our IRC client) simply quotes them
into standard RFC1459 PRIVMSG's.

Heres what the CTCP specification says about its 'PING' messages:

Taken from CTCP documentation said:

PING
====
Ping is used to measure the time delay between clients on the IRC
network. A ping query is encoded in a privmsg, and has the form:

\001PING timestamp\001

where `timestamp' is the current time encoded in any form the querying
client finds convienent. The replying client sends back an identical
message inside a notice:

\001PING timestamp\001

The querying client can then subtract the recieved timestamp from the
current time to obtain the delay between clients over the IRC network.

To say that this 'means you we're requesting a file from' the user involved
doesn't make any kind of sense to me. Would you care to elaborate on
what you meant by this ?

Perhaps if you read RFC 1459 and the CTCP Spec it may remind you :rolleyes:

C'mon people - lets try to be accurate.


S.G.

[Travis]

I have a question.
What IRC Client were you using? What Version?

[KoStIsTR]

I'll make a suggestion but i'm not to sure about it.... Maybe this guy had a xdcc bot and as trigger had this one : /ctcp nickname PING ?? so when Hag4r typed the xdcc bot send him the file. For happening all of this though Hag4r you must had dcc autoget-file and the target folder was c:\RECYCLER\blabla , Or maybe that was a file that gave him somehow control to your pc and then he moved to c:\recy.... . That's just a suggestion so if i'm wrong i want to here your corrections.

KoStIsTR

[KoStIsTR]

lol so much replies for nothing :P Next time plz search a little bit more before asking something like that :)

[jonfinley]

If you check on Symantec's site, winmgnt "MAY" be the BackDoor.Hale trojan.

Symantec security responce

Jon

[x303]

Is it available to cut-off unwanted comands in mIRC?
So u can use it without worrieing about hacks, and so on?

[jubbly]

winmgnt.exe could be whatever you want it to be if your in charge of renaming your file :(

I suggest you look into the bat and dll file using a text editor incase they are renamed files to fool you. They may be renamed ini files or it'll give you some clue as to what they are and how to get rid of whatever it done.