BAT.Ircflood virus

Hello there,

If you have NAV you could try that out. Also what you might want to do is download the following programs to remove the virus.

Hijackthis - http://www.download.com/HijackThis/3000-8022_4-10379544.html?tag=lst-0-1
Adaware SE - http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1
Spybot S&D - http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

Get those 3 programs and run them on your computer. When you run hijackthis copy the results and post them here www.hijackthis.de and then press "analyse".

You should also turn off system restore before you run the programs. here is how you do it.

Right Click my computer
Properties
System Restore Tab
Put a check box in the "Turn Off System restore"

Hope this helps

when you are done everything and have gotten rid of the virus turn system restore back on.

I will give that a try. My question is -- is this a virus or spyware?
--Bert

It's a backdoor trojan:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453090191

And Ewido should take care of that:

http://www.ewido.net/en/download/

Download, install and update.

Turn OFF System Restore (also explained above):

http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

And restart in Safe Mode:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&ExpandSection=3#_Section3

Start Ewido and click the "Scanner" button. Run a Complete System Scan and delete everything the scanner finds.

When finished restart in Normal Mode, turn ON System Restore and test.

Good luck,

Zee

I've tried all of the above, and I still have the problem.

I ran PestPatrol spyware, which specifically stated it would find and remove them. Their website also mentioned finding and removing the following files:

e7f7e8e76b5c2210706d21d13420911b.exe
exec.bat
ftp.bat
gg.bat
hack.bat
mmsql32.bat
set.bat

None of these files were on my PC. I wonder if I even have these two trojans. I ran Trojan Hunter and nothing was found. I ran SpySweeper and nothing. PestPatrol and nothing. The only thing I have left would be Symantec NAV. The only one that finds them is ZoneAlarm.

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

"The only one that finds them is ZoneAlarm"

Does ZoneAlarm tell you which file is trying to access the network?

I would have a go with the Panda online scanner and if negative...

Maybe ZoneAlarm is finding a false positive?

Zee

I will try all of the above. Actually ZoneAlarm isn't catching it from the standpoint of a firewall popup notifying me of a trojan trying to get out. I have ZoneAlarm with spyware and antivirus, and it is the one saying I have them -- during the antivirus run.

FYI: I have ZoneAlarm Pro as a firealarm on my PC (software) and we have a Cisco PIX-501 for a hardware firewall. I am thinking it would have a hard time getting out. Am I wrong?

Bert

Bert,

Again that points, IMO, to a false positive...

Zee

Here is the URL for Hijack:

http://www.hijackthis.de/logfiles/8343d5c57faadd08d3c9174c6828809e.html

I hope you are right blue_zee. What I may do later is run NAV either from my PC or from our corporate edition on the server.

Nothing very bad in the HJT log. I am assuming you're running Copernic because you want to?

It may help if ZoneAlarm tells you which is the suspect file....

Yes, I am running Copernic. It does tell me the files. It is running again. As soon as it finds the second, I will post the file. Should I post the path as well?

And why do certain malware programs not find it? I have had good luck in the past with TrojanHunter and PestPatrol (which I don't generally use) said it would find it but didn't.

bluezee,

Dumb question. Should I try to run more than one web scan at once or just settle for one at a time? Panda is running now.

Yes, name and folder location can both help, thanks.

I guess the answer to your question is that these trojans/malware keep mutating into new variants, not unlike spam email, so what was caught yesterday may be missed today :(

OK, very strange. But, good maybe? I ran ZoneAlarm again after doing several things. And, it can only find one virus now. But, if something worked, I don't know which one.

C:\Documents and Settings\My name\Local Settings\Temp\2x7mafly.exe>sup.bat

which when I brose to does show the file "malfy.exe" with an email icon next to it.

Can I just delete it or has it modified some registry files?

Spec01, blue_zee and r-k

Thanks for the help. I think I got it. Not sure, yet, but I will run ZoneAlarm overnight and see what turns up. When I went to the actual file and right-clicked and scanned it with NAV and Trojan Hunter it didn't do anything. But, a right-click and scan with ZoneAlarm, and whammo -- a virus. Maybe blue_zee is right, and it is a false positive. But, maybe it just seems to be more sensitive. I know I have run it for a while, and it has found zero viruses. Plus, I do remember doing something fairly stupid yesterday which would account for it. Live and learn.

Anyway, I think everyone helped. Hard to pinpoint the exact thing. r-k just happened to tell me to delete the dumb thing. Who knows. I hope the distribution of points was fair. I tried to make it that way.

I love Experts-Exchange, though, so I want to keep the experts happy.

BTW, the file did look very much like a virus. It felt good to delete the damn thing!

Thank you, and good luck!

Thanks, glad we managed helping you to some extent.
;-)

Zee

yw...kind of funny that I never thought of using System Restore to go one day. The files were dated less than 24 hours old.