Bert2005
asked on
BAT.Ircflood virus
This is embarrassing, but somehow I have two copies of BAT.Ircflood on my PC. I actually remember how I probably got them, which is embarrassing as well.
I have looked online for a removal tool or manual instructions since my AV software can't remove them. The other thing is it was discovered by ZoneAlarm. Do you think NAV would have a better chance of automatically removing them?
When you are done with everything and have gotten rid of the virus, turn System Restore back on.
ASKER
I will give that a try. My question is -- is this a virus or spyware?
--Bert
It's a backdoor trojan:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453090191
And Ewido should take care of that:
http://www.ewido.net/en/download/
Download, install and update.
Turn OFF System Restore (also explained above):
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
And restart in Safe Mode:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&ExpandSection=3#_Section3
Start Ewido and click the "Scanner" button. Run a Complete System Scan and delete everything the scanner finds.
When finished restart in Normal Mode, turn ON System Restore and test.
Good luck,
Zee
ASKER
I've tried all of the above, and I still have the problem.
ASKER
I ran PestPatrol spyware, which specifically stated it would find and remove them. Their website also mentioned finding and removing the following files:
e7f7e8e76b5c2210706d21d134 20911b.exe
exec.bat
ftp.bat
gg.bat
hack.bat
mmsql32.bat
set.bat
None of these files were on my PC. I wonder if I even have these two trojans. I ran Trojan Hunter and nothing was found. I ran SpySweeper and nothing. PestPatrol and nothing. The only thing I have left would be Symantec NAV. The only one that finds them is ZoneAlarm.
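Added triage helper, not from the thread or from any of the tools named in it: it walks a folder (the user Temp directory is the one this thread later points at), lists executables and batch files modified in the last 24 hours, flags any whose name matches the PestPatrol list above (the hex-named .exe is matched by its prefix because the page truncates it), and prints a SHA-256 for each so the file can be checked against a scanner instead of guessing. Paths, thresholds and the sample files in the test are constructed for illustration.

```python
import hashlib
import os
import time
from pathlib import Path

# Filenames PestPatrol listed for BAT.Ircflood, copied from the post above.
# The hex-named .exe is cut off on the page, so it is matched by prefix only.
KNOWN_NAMES = {"exec.bat", "ftp.bat", "gg.bat", "hack.bat", "mmsql32.bat", "set.bat"}
KNOWN_PREFIXES = ("e7f7e8e76b5c2210706d21d134",)
# Extensions worth looking at in a Temp folder (assumed set, not from the page).
SUSPECT_SUFFIXES = {".bat", ".exe", ".cmd", ".com", ".scr", ".pif"}


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large droppers do not load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_name(name: str) -> bool:
    lower = name.lower()
    return lower in KNOWN_NAMES or lower.startswith(KNOWN_PREFIXES)


def triage(root, max_age_hours=24.0, now=None):
    """Return findings for scripts/executables under root that were modified
    within max_age_hours, or whose name matches the known list regardless of age.
    Known names sort first, then newest files first."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        mtime = path.stat().st_mtime
        known = is_known_name(path.name)
        if mtime >= cutoff or known:
            findings.append({"path": str(path), "sha256": sha256_of(path),
                             "age_hours": round((now - mtime) / 3600, 1),
                             "known_name": known})
    findings.sort(key=lambda f: (not f["known_name"], f["age_hours"]))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", "/tmp")
    for f in triage(target):
        flag = "KNOWN-NAME" if f["known_name"] else "recent"
        print(f"{flag:10} {f['age_hours']:6.1f}h {f['sha256'][:16]}... {f['path']}")
```

Run it against `%TEMP%` (or any folder) and feed the hashes to the scanners mentioned in the thread; an old, known-named file and a brand-new unknown .exe both show up, while ordinary documents are ignored.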
Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.
"The only one that finds them is ZoneAlarm"
Does ZoneAlarm tell you which file is trying to access the network?
I would have a go with the Panda online scanner and if negative...
Maybe ZoneAlarm is finding a false positive?
Zee
ASKER
I will try all of the above. Actually ZoneAlarm isn't catching it from the standpoint of a firewall popup notifying me of a trojan trying to get out. I have ZoneAlarm with spyware and antivirus, and it is the one saying I have them -- during the antivirus run.
FYI: I have ZoneAlarm Pro as a firewall on my PC (software) and we have a Cisco PIX-501 for a hardware firewall. I am thinking it would have a hard time getting out. Am I wrong?
Bert
Bert,
Again that points, IMO, to a false positive...
Zee
ASKER
I hope you are right blue_zee. What I may do later is run NAV either from my PC or from our corporate edition on the server.
Nothing very bad in the HJT log. I am assuming you're running Copernic because you want to?
It may help if ZoneAlarm tells you which is the suspect file....
ASKER
Yes, I am running Copernic. It does tell me the files. It is running again. As soon as it finds the second, I will post the file. Should I post the path as well?
ASKER
And why do certain malware programs not find it? I have had good luck in the past with TrojanHunter and PestPatrol (which I don't generally use) said it would find it but didn't.
ASKER
bluezee,
Dumb question. Should I try to run more than one web scan at once or just settle for one at a time? Panda is running now.
Yes, name and folder location can both help, thanks.
I guess the answer to your question is that these trojans/malware keep mutating into new variants, not unlike spam email, so what was caught yesterday may be missed today :(
ASKER
OK, very strange. But, good maybe? I ran ZoneAlarm again after doing several things. And, it can only find one virus now. But, if something worked, I don't know which one.
C:\Documents and Settings\My name\Local Settings\Temp\2x7mafly.exe >sup.bat
which, when I browse to it, does show the file "malfy.exe" with an email icon next to it.
ASKER
Can I just delete it or has it modified some registry files?
ASKER
Spec01, blue_zee and r-k
Thanks for the help. I think I got it. Not sure, yet, but I will run ZoneAlarm overnight and see what turns up. When I went to the actual file and right-clicked and scanned it with NAV and Trojan Hunter it didn't do anything. But, a right-click and scan with ZoneAlarm, and whammo -- a virus. Maybe blue_zee is right, and it is a false positive. But, maybe it just seems to be more sensitive. I know I have run it for a while, and it has found zero viruses. Plus, I do remember doing something fairly stupid yesterday which would account for it. Live and learn.
Anyway, I think everyone helped. Hard to pinpoint the exact thing. r-k just happened to tell me to delete the dumb thing. Who knows. I hope the distribution of points was fair. I tried to make it that way.
I love Experts-Exchange, though, so I want to keep the experts happy.
BTW, the file did look very much like a virus. It felt good to delete the damn thing!
Thank you, and good luck!
Thanks, glad we managed helping you to some extent.
;-)
Zee
ASKER
yw...kind of funny that I never thought of using System Restore to go one day. The files were dated less than 24 hours old.
If you have NAV you could try that out. Also, what you might want to do is download the following programs to remove the virus:
HijackThis - http://www.download.com/HijackThis/3000-8022_4-10379544.html?tag=lst-0-1
Ad-Aware SE - http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1
Spybot S&D - http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1
Get those 3 programs and run them on your computer. When you run HijackThis, copy the results, post them at www.hijackthis.de and then press "Analyse".
You should also turn off System Restore before you run the programs. Here is how you do it:
1. Right-click My Computer
2. Properties
3. System Restore tab
4. Put a check in the "Turn off System Restore" box
Hope this helps