Re: Unable to Remove IRC\Backdoor.Flood HELP!!!!!!!!!

Skipper

David W. Hodgins said:
Have you tried running it in safe mode?

Regards, Dave Hodgins.

I'll try that next. I did try to scan each folder individually and AVG
found a virus called TCPSVS.EXE in the WINNT\SYSTEM32\DDLCACHE32. The
problem is that doesn't exist! When I ran a search for the file I
found nothing. The closest file that matches is the
WINNT\SYSTEM32\DDLCACHE\DDLCACHE33, but I scanned it and found
nothing. I'll see what happens in safe mode.

Thanks again

Rich

David W. Hodgins

I'll try that next. I did try to scan each folder individually and AVG
found a virus called TCPSVS.EXE in the WINNT\SYSTEM32\DDLCACHE32. The
problem is that doesn't exist! When I ran a search for the file I
found nothing. The closest file that matches is the
WINNT\SYSTEM32\DDLCACHE\DDLCACHE33, but I scanned it and found
nothing. I'll see what happens in safe mode.

If you're talking about the start/find/files, this is not unusual.
It will not find any files inside of a directory with the system
attribute set.

Regards, Dave Hodgins

Skipper

David W. Hodgins said:
If you're talking about the start/find/files, this is not unusual.
It will not find any files inside of a directory with the system
attribute set.

Regards, Dave Hodgins

Dave,

I have tried to remove this by going into Safe Mode and running the
AVG, but it didn't find anything. When I went back into normal mode it
is still seeing the infection. I have been able to identify that I
have the abc.exe and abc.dat worm cloners. I can see them, but can't
remove them :(

Regards, Rich

David W. Hodgins

I have tried to remove this by going into Safe Mode and running the
AVG, but it didn't find anything. When I went back into normal mode it
is still seeing the infection. I have been able to identify that I
have the abc.exe and abc.dat worm cloners. I can see them, but can't
remove them :(

We need more information.

Run a full online scan, and see if it can come up with a
name for the worm, not just a file name.

I like http://www.ravantivirus.com/index.php
To scan your entire PC, you have to use Internet Explorer,
with ActiveX etc. turned on. From the page shown above,
select Online scan in the menu on the left, then scan without registering...

Regards, Dave Hodgins.

Skipper

David W. Hodgins said:
We need more information.

Run a full online scan, and see if it can come up with a
name for the worm, not just a file name.

I like http://www.ravantivirus.com/index.php
To scan your entire PC, you have to use Internet Explorer,
with ActiveX etc. turned on. From the page shown above,
select Online scan in the menu on the left, then scan without registering...

Regards, Dave Hodgins.

Dave,

Here is the report:

Scan started at 6/26/2003 10:43:33 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\mIRC\wgremote.mrc - IRC/Generic* -> Suspicious
C:\My Documents\CCNA CHEATS\Download A\nt50.exe - Joke:Stript -> Infected
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->secure.bat - Backdoor:BAT/ServU-based* -> Infected
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abc.exe - Backdoor:IRC/Flood.BQ -> Infected
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abc2.dll - Backdoor:IRC/Cloner.O* -> Infected
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abcd.jpg - Backdoor:IRC/Bnc.H* -> Infected
C:\WINNT\system32\dllcache\DLLCACHE33\abc2.dll - Backdoor:IRC/Cloner.O* -> Infected
C:\WINNT\system32\dllcache\DLLCACHE33\secure.bat - Backdoor:BAT/ServU-based* -> Infected
C:\WINNT\system32\dllcache\DLLCACHE33\temp - Trojan:IRC/Bounce* -> Infected
C:\Zips\1stpage2.zip->setup.exe->(CABSfx)->\data1.cab->[ishld.445]->(SCRIPT0000) - JS/Loop* -> Infected

Scanned
============================
Files: 69179
Directories: 4071
Archives: 6628
Size(Kb): 868231
Infected files: 9

Found
============================
Viruses found: 7
Suspicious files: 1
Disinfected files: 0
Mail files: 764

Is there a removal tool for these?

Rich

Skipper

David W. Hodgins said:
Here is the report:
C:\mIRC\wgremote.mrc - IRC/Generic* -> Suspicious

This appears to be used for auto playing of mp3 or wave files within mIRC. Although not a really good idea, not a definite problem.
C:\My Documents\CCNA CHEATS\Download A\nt50.exe - Joke:Stript -> Infected

Available from http://www.pms.no/fun/
appears to be harmless.
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->secure.bat - Backdoor:BAT/ServU-based* -> Infected

dllcache33.exe is a file compressed with the PaquetBuilder utility.
The only info I can find on it is in Chinese (on a Taiwan website).

In safe mode, you should be able to rename dllcache33.exe to
something like dllcache33.old. Delete it once you've confirmed
your system is working ok without it.
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abc.exe - Backdoor:IRC/Flood.BQ -> Infected
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abc2.dll - Backdoor:IRC/Cloner.O* -> Infected
C:\WINNT\system32\dllcache33.exe->(PaquetBuilder)->abcd.jpg - Backdoor:IRC/Bnc.H* -> Infected

The above three files are also stored in the dllcache33.exe file.
C:\WINNT\system32\dllcache\DLLCACHE33\abc2.dll - Backdoor:IRC/Cloner.O* -> Infected
C:\WINNT\system32\dllcache\DLLCACHE33\secure.bat - Backdoor:BAT/ServU-based* -> Infected
C:\WINNT\system32\dllcache\DLLCACHE33\temp - Trojan:IRC/Bounce* -> Infected
C:\Zips\1stpage2.zip->setup.exe->(CABSfx)->\data1.cab->[ishld.445]->(SCRIPT0000) - JS/Loop* -> Infected

You should be able to rename these four files in safe mode.

These appear to all be trojans that are spread via file sharing
and/or weak/missing administrator account passwords.

Just rename the files in safe mode, and once you've confirmed
that everything's ok without them, delete them.

You must change the administrator account(s) passwords, and/or
tighten up which directories are available for file sharing.

See http://www.claymania.com/safe-hex.html
for more info. If there's anything there you don't find
clear, ask again here. I'm not that familiar with W2K or XP,
so the help I can give on improving security on those platforms
is somewhat limited.

Regards, Dave Hodgins

Dave,

I just wanted to thank you for all of your help. All instances of the
IRC\Backdoor.Flood worm and its clones are gone. I have now put in
Zone Alarm Fire Wall for added protection as well as new passwords for
the administrator account.

Thanks again,

Rich Ackerman
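One way to do the two checks Dave describes above (listing files inside System-attribute directories, which Find skips, and renaming rather than deleting), as an added example that is not from this thread or from any of the tools it mentions. It assumes Windows PowerShell 5.1 or later in an elevated session; the $Root default, the ".old" suffix and the function names are my choices.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1+
# and an elevated session; $Root and the ".old" suffix are assumptions.

# Windows Find skips directories carrying the System attribute, so walk the
# tree with -Force and report every file that lives under such a directory.
function Get-FilesInSystemDirs {
    param([string]$Root = "$env:SystemRoot\system32", [int]$Depth = 3)
    Get-ChildItem -LiteralPath $Root -Directory -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::System) -ne 0 } |
        ForEach-Object {
            $dir = $_
            Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Path       = $_.FullName
                        Attributes = $_.Attributes
                        SizeKB     = [math]::Round($_.Length / 1KB, 1)
                        Modified   = $_.LastWriteTime
                        SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
        }
}

# Rename rather than delete, as Dave advises: append ".old" so the file can
# be put back if something legitimate stops working. Supports -WhatIf.
function Rename-ToOld {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Path)
    process {
        if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Not found: $Path"; return }
        $newName = "$(Split-Path -Leaf $Path).old"
        if ($PSCmdlet.ShouldProcess($Path, "Rename to $newName")) {
            # A file that is still running is locked and throws here; that is
            # the cue to repeat this step from safe mode instead.
            Rename-Item -LiteralPath $Path -NewName $newName -ErrorAction Stop
        }
    }
}

# Triage first: newest files under System-attribute directories at the top.
Get-FilesInSystemDirs | Sort-Object Modified -Descending | Format-Table -AutoSize

# Then, once the suspicious files are identified, rename them (dry run shown):
# Get-FilesInSystemDirs | Where-Object Path -like '*\DLLCACHE33\*' | Rename-ToOld -WhatIf
```

Record the SHA256 column before renaming anything; it is what lets a scanner vendor or a later scan name the family, which is the "name for the worm, not just a file name" Dave asked for.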