irc connected and downloading from me

William Smith

I noticed my DSL was very active even when I was not using it.

I looked at my LAN connection and saw I was sending data out,
so I opened a DOS command box and checked netstat. I am connected to the
few usual connections, plus I noticed a connection to
irc2.si.ualg.pt:6667, although I noticed that this IRC connection
changes after a few reboots.

I believe that is the IRC. I don't have any IRC clients installed and
have never been on the IRC.

I have run my antivirus program and a couple of different trojan
programs but they find nothing. I can't find anything running
on my computer that looks suspect, but I am sure sending data
somewhere.

Anyone know anything that can help me? I am thinking of just
formatting and reinstalling Windows. This really bothers me.

thanks
William Smith
 
William Smith

and you don't have any kids?

Yes, but he has his own gaming computer, which is all he does on it,
and doesn't use the IRC either; he is only 12. And my wife also has
her own computer. Even with theirs turned off, there is still activity
on mine to the IRC.

This is my personal/work computer. We all connect to DSL through a
network, but only this computer has the connection to the IRC.
 
Tom

Well, how do you have an IRC service running then? Do you have dual accounts
on your PC? IRC is not just a service built into Windows, IRC is a program
installed on your PC. IRC also doesn't just sign on; you have to manually
connect to an IRC server, so something is fishy there.

12 years old is not young. Kids are resourceful and smart and actually can
use a PC a lot better than you think.

If you press CTRL ALT DEL, you should be able to see the IRC process
running.

Tom
 
wojo

If I can help you I will.
If you can help me thanks.
(e-mail address removed)
TO Email: Remove "SPAM" without the quotes
And you should also be able to uninstall it in Add/Remove Programs after you
shut it down in processes as Tom said.

Useful Links
AdAware:
www.lavasoftusa.com/software/adaware/
Spybot S & D:
www.safer-networking.org/
Check for Parasites/Worms:
www.gemal.dk/browserspy/parasites.html
Blaster Security Patch:
http://www.microsoft.com/security/incident/blast.asp
TweakUI and other PowerToys:
www.microsoft.com/windowsxp/pro/downloads/powertoys.asp
 
Steve Nielsen

There are viruses, worms and trojans that connect to an irc server. What
a/v product did you scan with? Also scan in safe mode as some of these
creeps can hide from an a/v scan.

Steve
 
Helaman

I have turned all startup items off and turned them back on
one at a time. I have found the item that starts sending out.
It's a file called iExplore.exe located in c:\windows\system32.

This is not to be confused with iexplore.exe

I don't see a copy of iExplore.exe on any of my other computers.
I am now trying to see if this is a trojan of some sort.

It looks like it is starting from the registry but I can't find it in
there where the msconfig says it should be.
 
Steve Nielsen

http://securityresponse.symantec.com/avcenter/vinfodb.html

returns 32 hits for iExplore.exe

You've got some sort of trojan that uses irc to allow the attacker to
control your computer. Do the search, read the articles, one of them
will probably match your condition. Most trojans don't hit you
automatically, you have to do something like open an attachment in an
email. You and your family need to go over safe computing practices.

Steve
 
dglock

You also need a good firewall! Not the nearly useless
firewall built into XP.
don
 
William Smith

I used AVG7 to scan my system.

However, since I deleted iExplore.exe and removed the reference from
my registry everything seems OK now.

BTW, here was the reg. ref.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Emigration Drivers 3.1"="iExplore.exe"

Looks legit but none of my other computers have anything like this in
their registry and I can't google anything on it.

What is a windows emigration driver?

thanks
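
A triage sketch for the two observations in this thread, an established session to port 6667 in netstat and a RunServices value launching iExplore.exe; it is an added example, not code posted by anyone in the thread. The netstat output, the ExampleTray value, the IRC port list and the function names are constructed assumptions; the RunServices entry is the one quoted above.

```python
import ntpath
import re

# Constructed sample data modelled on the thread; addresses are documentation ranges.
NETSTAT = """\
  Proto  Local Address      Foreign Address     State        PID
  TCP    192.168.1.10:1045  203.0.113.7:6667    ESTABLISHED  1188
  TCP    192.168.1.10:1050  198.51.100.20:80    ESTABLISHED  940
  TCP    0.0.0.0:135        0.0.0.0:0           LISTENING    820
"""
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Emigration Drivers 3.1"="iExplore.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe /startup"
'''
IRC_PORTS = set(range(6660, 6670)) | {6697}  # conventional IRC ports (assumption)
AUTORUN_KEYS = ("\\run", "\\runonce", "\\runservices")
EXPECTED_HOME = {"iexplore.exe": "\\internet explorer\\"}  # usual folder, lower case

def irc_connections(netstat_text):
    """Return (remote endpoint, pid) for established TCP sessions to IRC ports."""
    hits = []
    for fields in (line.split() for line in netstat_text.splitlines()):
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "ESTABLISHED":
            port = fields[2].rsplit(":", 1)[-1]
            if port.isdigit() and int(port) in IRC_PORTS:
                hits.append((fields[2], fields[4] if len(fields) > 4 else None))
    return hits

def suspicious_autoruns(reg_text):
    """Return (key, value name, reasons) for autorun values that need a manual look."""
    findings, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        entry = re.match(r'"(.+?)"="(.*)"$', line)
        if not entry or not key.lower().endswith(AUTORUN_KEYS):
            continue
        command = entry.group(2).replace("\\\\", "\\")  # .reg files double backslashes
        image = re.match(r'"?(.+?\.exe)', command, re.I)
        image = image.group(1) if image else command
        reasons = []
        if not ntpath.dirname(image):
            reasons.append("bare file name, resolved through the search path")
        home = EXPECTED_HOME.get(ntpath.basename(image).lower())
        if home and home not in image.lower():
            reasons.append("image name normally lives under " + home)
        if reasons:
            findings.append((key.rsplit("\\", 1)[-1], entry.group(1), reasons))
    return findings
```

On the sample data, `irc_connections(NETSTAT)` reports the 6667 session with its PID and `suspicious_autoruns(REG_EXPORT)` flags only the RunServices value, for both reasons.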
 
Steve Nielsen

Agreed

Steve
 
Steve Nielsen

I have no idea what windows emigration driver is. Could be totally bogus
made up by the trojan writer to make it look legit.

So, are we to understand that your problem is now resolved? If so, great!

Steve

 
William Smith

Ya

I am good to go now.

Thanks for all the help.


 
