Backdoor.irc.bot

Manish Dewan

My computer is infested with this Backdoor.irc.bot virus.
Although I could download the Virus definitions and run a
Symantec Scan, I am unable to remove the virus. The
message I get is that the WindowsSystem32.XXX file is
infested and the permissions are denied.

Also, as of yesterday, the Symantec website does not get
loaded and it takes me to some vague sites.

How can I remove this virus and clean my system?

Thanks
Manish
 
Jose Francisco

Greetings,

You can try removing it with Trojan Remover, a program used to remove
trojans and viruses from your computer easily.

http://www.simplysup.com/

If the above doesn't work, try removing the virus with a spyware remover
program:

Try these programs to check for any spyware that may be on your system:

Ad-Aware - www.lavasoftusa.com
Spybot - http://www.safer-networking.org/
CWShredder - http://www.spywareinfo.com/~merijn/downloads.html

Try SpyWareBlaster to stop intrusions:

http://www.javacoolsoftware.com/spywareblaster.html

Also see the following links:

http://mvps.org/winhelp2002/unwanted.htm
http://www.microsoft.com/security/articles/spyware.asp



[Originally posted by an MVP]



Thanks and good luck!
 
Manish

Dear Jose,

Thanks for your reply. Due to the virus, I am unable to
get connected to any/most of the antivirus websites. I am
even unable to go to microsoft.com, hoping there would be
some patches.

The connecting process starts but gets terminated and
takes me to a vague website. After a few sessions I get
bombarded with porn site pop-ups (1 pop-up every 3
seconds).

Regards

Manish


 
Jose Francisco

Hey Manish,

*Hmm* that seems to be the problem. You'll need to download security patches,
fixes, updates or any spy-removal software to do the job. Have you tried
taking your PC to a local technician? They might be able to remove the virus
for you with the software they have. Otherwise, you can't do anything when
your Internet Explorer isn't functioning well.

Thanks and good luck!

--
----------------------------------------------------
Jose Francisco
Owner of BetaConnect - Providing you a new way in technology
----------------------------------------------------
Still got problems? Email me!
chicofar at onvol dot com

 
Malke

You can check your hosts files, as follows:

1. In XP's Search preferences, set the files and folders handling to
Advanced, and then check the box that will make Search look in hidden
files/folders.
2. Now enter the search term "hosts" without the quotes.
3. You will get several hosts and lmhosts files. Double-click each one
to open it. When you do this, you'll get a Windows dialog box saying
that Windows cannot open this file, do you want to use the web or
select from a list to find the proper program. Choose "select from a
list" and highlight Notepad. Make sure the box to always use this
program to open this type of file is not checked.
4. Now carefully examine the file. Lines that begin with a # are
comments and don't count. Leave them alone. Unless you know you use a
proxy server to get to the Internet or you added entries yourself, the
only uncommented entry that should be there is:

127.0.0.1 localhost

If you see any other entries, delete them and Save the file. Make sure
you scroll all the way down to the bottom of the window if there is a
scrollbar. Do this for each file you found. Now you should be able to
get to antivirus and spyware-fighting websites.

If this doesn't solve the problem, then take your machine to the shop
and have them fix it for you. Then make sure you get a good antivirus
installed and keep it updated.

Malke
 
Chuck

Manish,

Sounds like you may have multiple infections, including a browser or DNS hijack.

The hijack apparently interferes with your ability to access websites. You may
have to resolve the IP addresses manually to get the tools to find and remove
the infection.

All-NetTools and DNSStuff websites both help you resolve (lookup) addresses.

<http://www.all-nettools.com/toolbox> (Use NSLookup)
<http://216.92.207.177/toolbox>
<http://www.dnsstuff.com/> (Use Ping)
<http://69.2.200.183/>

Install and run Stinger.
<http://us.mcafee.com/virusInfo/default.asp?id=stinger>

Search your entire system drive, including hidden and system folders, for file
"hosts". There is one legit copy, in C:\WINDOWS\system32\drivers\etc\. The
others are possibly bogus, and part (but just part) of the problem. Examine the
contents of each copy found, using Notepad. (HINT: Scroll to the end of each
Hosts file, by hitting Ctrl-End, then back up to the top, page by page, before
deciding that the file is empty. Look out for blank lines at the beginning and
end of the file, after localhost, placed there by an exploit!)

Try one or more of these free online virus scans, which should complement NAV:
<http://www.bitdefender.com/scan/license.php>
<http://www.pandasoftware.com/activescan>
<http://www.ravantivirus.com/scan/>
<http://security.symantec.com/ssc/home.asp>
<http://housecall.trendmicro.com/housecall/start_corp.asp>

Now check for, and learn to defend against, additional problems. Have you
downloaded these programs before? Download them again, as the latest version
may be needed to keep up with the current level of malware being attempted
constantly - get the absolutely most current version of each product listed.
They're all free - and most pretty small, so they download quickly enough.

Start by downloading each of the following free tools:
AdAware <http://www.lavasoftusa.com/>
CWShredder <http://www.majorgeeks.com/download4086.html>
CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval
<http://www.majorgeeks.com/download4113.html>
HijackThis <http://www.majorgeeks.com/download.php?det=3155>
LSP-Fix and WinsockLSPFix <http://www.cexx.org/lspfix.htm>
Spybot S&D <http://www.safer-networking.org/index.php?page=download>

Create a separate folder for HijackThis, such as C:\HijackThis - copy the
downloaded file there. Spybot S&D has an install routine - run it. The other
downloaded programs can be copied into, and run from, any convenient folder.

Start by closing all Internet Explorer and Outlook windows, and running
CoolWebSearchSmartKillerMiniRemoval, then CWShredder. Have the latter fix all.

Next, run AdAware. First update it ("Check for updates now"), configure for
full scan (<http://www.lavahelp.com/howto/fullscan/>), then scan ("Start" - "Use
custom scanning options" - "Next"). When scanning finishes, select everything,
and hit Next again.

Next, run Spybot S&D. First update it ("Search for updates"), then run a scan
("Check for problems"). Trust Spybot, and delete everything ("Fix Problems")
that is displayed in Red.

Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
HJT Log.
<http://forums.spywareinfo.com/index.php?showtopic=227>

Finally, have your HJT log interpreted by experts at one or more of the
following security forums (and post it, or a link to your forum posts, here):
Aumha: <http://forum.aumha.org/index.php>
Net-Integration: <http://forums.net-integration.net/>
Spyware Info: <http://forums.spywareinfo.com/>
Spyware Warrior: <http://spywarewarrior.com/index.php>
Tom Coyote: <http://forums.tomcoyote.org/>
Wilders Security: <http://www.wilderssecurity.com/>

If removal of any spyware affects your ability to access the internet (some
spyware builds itself into the network software, and its removal may damage your
network), run LSP-Fix and / or WinsockXPFix.

And Manish, please don't contribute to the spread and success of email address
mining viruses. Learn to munge your email address properly, to keep yourself a
bit safer when posting to open forums. Protect yourself and the rest of the
internet - read this article.
http://www.mailmsg.com/SPAM_munging.htm

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
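
The hosts-file check that Malke's steps and Chuck's search-and-examine paragraph describe can be scripted. This is an added example, not code from any poster in the thread: the function names, the `BLANK_RUN` threshold, and the `10.0.0.66` / `.example` sample entries are constructed assumptions.

```python
import os

# The only active entry the posts above expect on a machine with no proxy
# and no hand-added entries.
ALLOWED = {("127.0.0.1", "localhost")}
BLANK_RUN = 5  # assumed threshold for "padding" that pushes entries out of view

def find_hosts_files(root):
    """Yield every file named hosts or lmhosts (any extension) under root."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[0].lower() in ("hosts", "lmhosts"):
                yield os.path.join(folder, name)

def audit_hosts(text, allowed=ALLOWED):
    """Return (line_no, ip, hostname, note) for each active entry to review."""
    findings, blank_run, padded = [], 0, False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # lines starting with # are comments
        if not line:
            blank_run += 1
            padded = padded or blank_run >= BLANK_RUN
            continue
        blank_run = 0
        ip, *names = line.split()
        if not names:
            findings.append((line_no, ip, "", "malformed line"))
        note = "hidden after blank-line padding" if padded else "unexpected entry"
        for name in names:
            if (ip, name.lower()) not in allowed:
                findings.append((line_no, ip, name.lower(), note))
    return findings

# Constructed sample: one legitimate entry, 40 blank lines, then redirects.
SAMPLE = (
    "# constructed sample hosts file\n"
    "127.0.0.1 localhost\n"
    + "\n" * 40
    + "10.0.0.66 av-vendor.example www.av-vendor.example\n"
    + "10.0.0.66 updates.example\n"
)

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

Feed each path from `find_hosts_files` to `audit_hosts` and review the findings before deleting anything; a copy outside `C:\WINDOWS\system32\drivers\etc\` is worth a look even when it audits clean.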
 
