PC Review
Re: Unable to Remove IRC\Backdoor.Flood HELP!!!!!!!!!
#1 Guest
"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message news:<oprq43kv0ozpegei@nntp>...
> On 20 Jun 2003 07:59:36 -0700, Skipper <horac@excite.com> wrote:
>
> > When AVG finds 3 infected files, it asks if I want to heal them. I
> > click okay and then get a report saying that there are still viruses on
> > my system. When I run it again it always comes back to the same
> > message as before.
>
> Have you tried running it in safe mode?
>
> Regards, Dave Hodgins.

I'll try that next. I did try to scan each folder individually and AVG
found a virus called TCPSVS.EXE in the WINNT\SYSTEM32\DDLCACHE32. The
problem is that it doesn't exist! When I ran a search for the file I
found nothing. The closest file that matches is the
WINNT\SYSTEM32\DDLCACHE\DDLCACHE33, but I scanned it and found
nothing. I'll see what happens in safe mode.

Thanks again,
Rich

#2 Guest
On 22 Jun 2003 09:11:20 -0700, Skipper <horac@excite.com> wrote:
> "David W. Hodgins" <dhodgin1661@rogers.com> wrote in message news:<oprq43kv0ozpegei@nntp>...
> > Have you tried running it in safe mode?
>
> I'll try that next. I did try to scan each folder individually and AVG
> found a virus called TCPSVS.EXE in the WINNT\SYSTEM32\DDLCACHE32. The
> problem is that it doesn't exist! When I ran a search for the file I
> found nothing. The closest file that matches is the
> WINNT\SYSTEM32\DDLCACHE\DDLCACHE33, but I scanned it and found
> nothing. I'll see what happens in safe mode.

If you're talking about the Start/Find/Files search, this is not unusual.
It will not find any files inside of a directory with the system
attribute set.

Regards, Dave Hodgins

#3 Guest
"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message news:<oprq6mmug8zpegei@nntp>...
> On 22 Jun 2003 09:11:20 -0700, Skipper <horac@excite.com> wrote:
>
> > "David W. Hodgins" <dhodgin1661@rogers.com> wrote in message news:<oprq43kv0ozpegei@nntp>...
> > > Have you tried running it in safe mode?
> >
> > I'll try that next. I did try to scan each folder individually and AVG
> > found a virus called TCPSVS.EXE in the WINNT\SYSTEM32\DDLCACHE32. The
> > problem is that it doesn't exist! When I ran a search for the file I
> > found nothing. The closest file that matches is the
> > WINNT\SYSTEM32\DDLCACHE\DDLCACHE33, but I scanned it and found
> > nothing. I'll see what happens in safe mode.
>
> If you're talking about the Start/Find/Files search, this is not unusual.
> It will not find any files inside of a directory with the system
> attribute set.
>
> Regards, Dave Hodgins

Dave,

I have tried to remove this by going into Safe Mode and running the
AVG, but it didn't find anything. When I went back into normal mode it
is still seeing the infection. I have been able to identify that I
have the abc.exe and abc.dat worm cloners. I can see them, but can't
remove them.

Regards,
Rich

#4 Guest
On 26 Jun 2003 08:32:16 -0700, Skipper <horac@excite.com> wrote:
> I have tried to remove this by going into Safe Mode and running the
> AVG, but it didn't find anything. When I went back into normal mode it
> is still seeing the infection. I have been able to identify that I
> have the abc.exe and abc.dat worm cloners. I can see them, but can't
> remove them.

We need more information.

Run a full online scan, and see if it can come up with a
name for the worm, not just a file name.

I like http://www.ravantivirus.com/index.php
To scan your entire PC, you have to use Internet Explorer,
with ActiveX etc. turned on. From the page shown above,
select Online scan in the menu on the left, then scan without registering...

Regards, Dave Hodgins.

#5 Guest
"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message news:<oprrd11vcszpegei@nntp>...
> On 26 Jun 2003 08:32:16 -0700, Skipper <horac@excite.com> wrote:
>
> > I have tried to remove this by going into Safe Mode and running the
> > AVG, but it didn't find anything. When I went back into normal mode it
> > is still seeing the infection. I have been able to identify that I
> > have the abc.exe and abc.dat worm cloners. I can see them, but can't
> > remove them.
>
> We need more information.
>
> Run a full online scan, and see if it can come up with a
> name for the worm, not just a file name.
>
> I like http://www.ravantivirus.com/index.php
> To scan your entire PC, you have to use Internet Explorer,
> with ActiveX etc. turned on. From the page shown above,
> select Online scan in the menu on the left, then scan without registering...
>
> Regards, Dave Hodgins.

Dave,

Here is the report:

Scan started at 6/26/2003 10:43:33 PM
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\mIRC\wgremote.mrc - IRC/Generic* -> Suspicious
C:\My Documents\CCNA CHEATS\Download A\nt50.exe - Joke:Stript -> Infected
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->secure.bat - Backdoor:BAT/ServU-based* -> Infected
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abc.exe - Backdoor:IRC/Flood.BQ -> Infected
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abc2.dll - Backdoor:IRC/Cloner.O* -> Infected
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abcd.jpg - Backdoor:IRC/Bnc.H* -> Infected
C:\WINNT\system32\dllcache\DLLCACHE33\abc2.dll - Backdoor:IRC/Cloner.O* -> Infected
C:\WINNT\system32\dllcache\DLLCACHE33\secure.bat - Backdoor:BAT/ServU-based* -> Infected
C:\WINNT\system32\dllcache\DLLCACHE33\temp - Trojan:IRC/Bounce* -> Infected
C:\Zips\1stpage2.zip->setup.exe->(CABSfx)->\data1.cab->[ishld.445]->(SCRIPT0000) - JS/Loop* -> Infected

Scanned
============================
Files: 69179
Directories: 4071
Archives: 6628
Size(Kb): 868231
Infected files: 9

Found
============================
Viruses found: 7
Suspicious files: 1
Disinfected files: 0
Mail files: 764

Is there a removal tool for these?

Rich

#6 Guest
"David W. Hodgins" <dhodgin1661@rogers.com> wrote in message news:<oprres7ouuzpegei@nntp>...
> On 26 Jun 2003 20:42:44 -0700, Skipper <horac@excite.com> wrote:
>
> > Here is the report:
>
> > C:\mIRC\wgremote.mrc - IRC/Generic* -> Suspicious
>
> This appears to be used for auto playing of mp3 or wave files within
> mIRC. Although not a really good idea, not a definite problem.
>
> > C:\My Documents\CCNA CHEATS\Download A\nt50.exe - Joke:Stript ->
> > Infected
>
> Available from http://www.pms.no/fun/
> appears to be harmless.
>
> > C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->secure.bat -
> > Backdoor:BAT/ServU-based* -> Infected
>
> dllcache33.exe is a file compressed with the PaquetBuilder utility.
> The only info I can find on it is in Chinese (on a Taiwan website).
>
> In safe mode, you should be able to rename dllcache33.exe to
> something like dllcache33.old. Delete it once you've confirmed
> your system is working ok without it.
>
> > C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abc.exe -
> > Backdoor:IRC/Flood.BQ -> Infected
> > C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abc2.dll -
> > Backdoor:IRC/Cloner.O* -> Infected
> > C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abcd.jpg -
> > Backdoor:IRC/Bnc.H* -> Infected
>
> The above three files are also stored in the dllcache33.exe file.
>
> > C:\WINNT\system32\dllcache\DLLCACHE33\abc2.dll -
> > Backdoor:IRC/Cloner.O* -> Infected
> > C:\WINNT\system32\dllcache\DLLCACHE33\secure.bat -
> > Backdoor:BAT/ServU-based* -> Infected
> > C:\WINNT\system32\dllcache\DLLCACHE33\temp - Trojan:IRC/Bounce* ->
> > Infected
> > C:\Zips\1stpage2.zip->setup.exe->(CABSfx)->\data1.cab->[ishld.445]->(SCRIPT0000)
> > - JS/Loop* -> Infected
>
> You should be able to rename these four files in safe mode.
>
> These appear to all be trojans that are spread via file sharing
> and/or weak/missing administrator account passwords.
>
> Just rename the files in safe mode, and once you've confirmed
> that everything's ok without them, delete them.
>
> You must change the administrator account(s) passwords, and/or
> tighten up which directories are available for file sharing.
>
> See http://www.claymania.com/safe-hex.html
> for more info. If there's anything there you don't find
> clear, ask again here. I'm not that familiar with w2k or xp,
> so the help I can give on improving security on those platforms
> is somewhat limited.
>
> Regards, Dave Hodgins

Dave,

I just wanted to thank you for all of your help. All instances of the
IRC\Backdoor.Flood worm and its clones are gone. I have now put in
Zone Alarm Fire Wall for added protection as well as new passwords for
the administrator account.

Thanks again,
Rich Ackerman
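Dave's walk-through above groups the scanner's hits by the file that actually sits on disk (the packed dllcache33.exe, the files under DLLCACHE33, the zip), because that is the thing to rename or delete. The Python below is an added example, not code from the thread or from the scanner's vendor; it assumes the `<path> - <detection> -> <status>` line shape seen in the posted report, parses such lines, and builds that rename/delete worklist automatically from a constructed subset of the report.

```python
"""Parse a RAV-style scan report into a cleanup worklist (added example).
Assumed line shape, from the report in the thread: "<path> - <detection>
-> <status>"; <path> may chain nested containers with "->", and only its
first element is a file on disk (the thing to rename or delete)."""
from collections import defaultdict

# Constructed sample: a subset of the lines from the report posted above.
SAMPLE_REPORT = """\
Scan started at 6/26/2003 10:43:33 PM
C:\\mIRC\\wgremote.mrc - IRC/Generic* -> Suspicious
C:\\WINNT\\system32\\dllcache33.exe->(PaquetBuilder)->secure.bat - Backdoor:BAT/ServU-based* -> Infected
C:\\WINNT\\system32\\dllcache33.exe->(PaquetBuilder)->abc.exe - Backdoor:IRC/Flood.BQ -> Infected
C:\\WINNT\\system32\\dllcache33.exe->(PaquetBuilder)->abc2.dll - Backdoor:IRC/Cloner.O* -> Infected
C:\\WINNT\\system32\\dllcache\\DLLCACHE33\\abc2.dll - Backdoor:IRC/Cloner.O* -> Infected
C:\\WINNT\\system32\\dllcache\\DLLCACHE33\\secure.bat - Backdoor:BAT/ServU-based* -> Infected
C:\\Zips\\1stpage2.zip->setup.exe->(CABSfx)->\\data1.cab->[ishld.445]->(SCRIPT0000) - JS/Loop* -> Infected
Infected files: 9
"""

STATUSES = ("Infected", "Suspicious")

def parse_line(line):
    """Return (disk_file, member_chain, detection, status), or None for
    progress/summary lines that carry no detection."""
    if " -> " not in line:
        return None
    head, status = line.rsplit(" -> ", 1)
    status = status.strip()
    if status not in STATUSES or " - " not in head:
        return None
    path, detection = head.rsplit(" - ", 1)
    chain = path.split("->")  # chain[0] exists on disk; the rest are members
    return chain[0], chain[1:], detection.strip(), status

def worklist(report):
    """Group hits under the on-disk file they live in, so one packed
    dropper with several members shows up once (as Dave's reply does by hand)."""
    found = defaultdict(list)
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed:
            disk_file, members, detection, status = parsed
            found[disk_file].append((members[-1] if members else None,
                                     detection, status))
    return dict(found)

def files_to_quarantine(report):
    """Sorted on-disk paths with at least one Infected hit: the rename list."""
    return sorted(f for f, hits in worklist(report).items()
                  if any(s == "Infected" for _, _, s in hits))
```

Suspicious-only hits (like the mIRC script) stay in the worklist for review but are left out of the quarantine list, matching how the reply treats them.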