  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 537

BAT.Ircflood virus

This is embarrassing, but somehow I have two copies of BAT.Ircflood on my PC. I actually remember how I probably got them, which is embarrassing as well.

I have looked online for a removal tool or manual instructions since my AV software can't remove them. The other thing is it was discovered by ZoneAlarm. Do you think NAV would have a better chance of automatically removing them?
Asked: Bert2005
Will Szymkowski (Senior Solution Architect) commented:
Hello there,

If you have NAV you could try that out. Also what you might want to do is download the following programs to remove the virus.

Hijackthis - http://www.download.com/HijackThis/3000-8022_4-10379544.html?tag=lst-0-1
Adaware SE - http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1
Spybot S&D - http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

Get those 3 programs and run them on your computer. When you run HijackThis, copy the results, post them at www.hijackthis.de, and then press "analyse".

You should also turn off System Restore before you run the programs. Here is how you do it.

Right Click my computer
Properties
System Restore Tab
Put a check box in the "Turn Off System restore"

Hope this helps
Will Szymkowski (Senior Solution Architect) commented:
When you are done with everything and have gotten rid of the virus, turn System Restore back on.
Bert2005 (Author) commented:
I will give that a try. My question is -- is this a virus or spyware?
--Bert
Will Szymkowski (Senior Solution Architect) commented:
From what I have read about it, it seems to be a type of spyware trojan. So definitely download those programs and they should get rid of it for you.
blue_zee commented:

It's a backdoor trojan:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453090191

And Ewido should take care of that:

http://www.ewido.net/en/download/

Download, install and update.

Turn OFF System Restore (also explained above):

http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

And restart in Safe Mode:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&ExpandSection=3#_Section3

Start Ewido and click the "Scanner" button. Run a Complete System Scan and delete everything the scanner finds.

When finished restart in Normal Mode, turn ON System Restore and test.

Good luck,

Zee
Bert2005 (Author) commented:
I've tried all of the above, and I still have the problem.
Bert2005 (Author) commented:
I ran PestPatrol spyware, which specifically stated it would find and remove them. Their website also mentioned finding and removing the following files:

e7f7e8e76b5c2210706d21d13420911b.exe
exec.bat
ftp.bat
gg.bat
hack.bat
mmsql32.bat
set.bat

None of these files were on my PC. I wonder if I even have these two trojans. I ran Trojan Hunter and nothing was found. I ran SpySweeper and nothing. PestPatrol and nothing. The only thing I have left would be Symantec NAV. The only one that finds them is ZoneAlarm.
blue_zee commented:

Have you tried an online virus scanner (run at least 2 of them)?

Panda ActiveScan
http://www.pandasoftware.com/activescan 

Bitdefender
http://www.bitdefender.com/scan/Msie/index.php 

McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp 

Symantec Security Check
http://security.symantec.com/sscv6/ 

Pc-Cillin (Trend Micro Housecall)
http://housecall.antivirus.com/housecall/start_pcc.asp 

PcPitstop
http://pcpitstop.com/antivirus/default.asp 

RAV
http://www.ravantivirus.com/scan/ 

Start with Panda; it also targets that trojan and hopefully will clean it.

This version of SpySweeper may also help:

http://www.spywaredb.com/ssf-snr-a-setup3601.exe

Zee
r-k commented:
Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.
r-k commented:
"The only one that finds them is ZoneAlarm"

Does ZoneAlarm tell you which file is trying to access the network?
blue_zee commented:

I would have a go with the Panda online scanner and if negative...

Maybe ZoneAlarm is finding a false positive?

Zee
Bert2005 (Author) commented:
I will try all of the above. Actually ZoneAlarm isn't catching it from the standpoint of a firewall popup notifying me of a trojan trying to get out. I have ZoneAlarm with spyware and antivirus, and it is the one saying I have them -- during the antivirus run.

FYI: I have ZoneAlarm Pro as a firewall on my PC (software) and we have a Cisco PIX-501 for a hardware firewall. I am thinking it would have a hard time getting out. Am I wrong?

Bert
blue_zee commented:

Bert,

Again that points, IMO, to a false positive...

Zee
Bert2005 (Author) commented:
I hope you are right blue_zee. What I may do later is run NAV either from my PC or from our corporate edition on the server.
r-k commented:
Nothing very bad in the HJT log. I am assuming you're running Copernic because you want to?

It may help if ZoneAlarm tells you which is the suspect file....
Bert2005 (Author) commented:
Yes, I am running Copernic. It does tell me the files. It is running again. As soon as it finds the second, I will post the file. Should I post the path as well?
Bert2005 (Author) commented:
And why do certain malware programs not find it? I have had good luck in the past with TrojanHunter, and PestPatrol (which I don't generally use) said it would find it but didn't.
Bert2005 (Author) commented:
bluezee,

Dumb question. Should I try to run more than one web scan at once or just settle for one at a time? Panda is running now.
r-k commented:
Yes, name and folder location can both help, thanks.

I guess the answer to your question is that these trojans/malware keep mutating into new variants, not unlike spam email, so what was caught yesterday may be missed today :(
Bert2005 (Author) commented:
OK, very strange. But, good maybe? I ran ZoneAlarm again after doing several things. And, it can only find one virus now. But, if something worked, I don't know which one.

C:\Documents and Settings\My name\Local Settings\Temp\2x7mafly.exe>sup.bat

which, when I browse to it, does show the file "malfy.exe" with an email icon next to it.

Bert2005 (Author) commented:
Can I just delete it or has it modified some registry files?
r-k commented:
Yes, I would just delete it. If future scans come up clean I think you can feel safe.

The HJT log does not indicate anything malicious in the Registry.

If you want to try one more thing, you can try Autoruns:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"

(4) This will give you a shorter, more meaningful list.

You can check that list for anything that doesn't belong. Post any suspicious items here, but I think you won't find anything bad.

Bert2005 (Author) commented:
Spec01, blue_zee and r-k

Thanks for the help. I think I got it. Not sure, yet, but I will run ZoneAlarm overnight and see what turns up. When I went to the actual file and right-clicked and scanned it with NAV and Trojan Hunter it didn't do anything. But, a right-click and scan with ZoneAlarm, and whammo -- a virus. Maybe blue_zee is right, and it is a false positive. But, maybe it just seems to be more sensitive. I know I have run it for a while, and it has found zero viruses. Plus, I do remember doing something fairly stupid yesterday which would account for it. Live and learn.

Anyway, I think everyone helped. Hard to pinpoint the exact thing. r-k just happened to tell me to delete the dumb thing. Who knows. I hope the distribution of points was fair. I tried to make it that way.

I love Experts-Exchange, though, so I want to keep the experts happy.

BTW, the file did look very much like a virus. It felt good to delete the damn thing!
r-k commented:
Thank you, and good luck!
blue_zee commented:

Thanks, glad we managed helping you to some extent.
;-)

Zee
Bert2005 (Author) commented:
yw... kind of funny that I never thought of using System Restore to go back one day. The files were dated less than 24 hours old.