MIRC?IRCFlood - Help!!!



EFFIGY
08-07-2007, 05:26 PM
It had to happen, my first ever virus! This one got through, mail guardian & E Trust, and I was dumb enough to think it was a genuine client.
I have checked on removals for it and can only find manual methods listing dlls to unregister and files to remove, but when I try using regsvr /u ... it cant find the library, and search cant find the files. I'm stumped! if I can't find them how can I remove them? Suggestions appreciated
I'm looking for the following.
dev.dll
flood.dll
timedinterp.dll
flood.ini
winconf.mrc

Speedy Gonzales
08-07-2007, 05:33 PM
Get trojan remover in my sig.

Download / install / update it. Then click on scan.

Then select all options under the utilities menu.

I think these files belong to Zapchast, which is an IRC trojan.

If youre in IRC now, get out of it.

EFFIGY
08-07-2007, 05:42 PM
I think these files belong to Zapchast, which is an IRC trojan.

If youre in IRC now, get out of it.

I would if I knew what IRC was...?

Speedy Gonzales
08-07-2007, 05:55 PM
I would if I knew what IRC was...?

Oh ok then. Dont worry about that bit then.

Just download trojan remover. Its in my sig below.

EFFIGY
08-07-2007, 08:07 PM
Just download trojan remover. Its in my sig below.

Did that - it didn't even find it! Wouldnt put too much faith in that one.
I have the directories from the various virus scans I have done, but when I follow them the files aren't visible.

Speedy Gonzales
08-07-2007, 08:23 PM
The first post u posted, when u went to unregister them did u type Regsvr or Regsvr32?? Its Regsvr32

Did u turn system restore OFF first, then:

Did u type:

regsvr32 /u dev.dll
regsvr32 /u flood.dll
regsvr32 /u timedinterp.dll

Then find and delete these files?

dev.dll
flood.dll
flood.ini
timedinterp.dll
winconf.mrc

EFFIGY
08-07-2007, 08:41 PM
Yep did all that, cant find the library. And I'm running in safe mode.

Speedy Gonzales
08-07-2007, 08:49 PM
Yep did all that, cant find the library. And I'm running in safe mode.

Umm, so if you go to start/search and type in the names of those dlls they dont appear??

Is show all files and folders selected?? (under tools/folder options / view tab).

In My computer?

Altho, I dont think it matters if its on dont show or show.

EFFIGY
08-07-2007, 09:21 PM
:waughh: Yes - no, nothing, and I checked show and don't show. However I'm now getting the strongest sense that this thing prevents downloads of anything that might want to hurt it. I cant access Trend site, E-trust PestPatrol downloaded but wont work, and several others either wont download or wont work. How can I manually search the registry?

Speedy Gonzales
08-07-2007, 09:30 PM
Ok what we'll try is get hijackthis in my sig below if u can.

Put it in its own folder. Run it click on scan and save a log. Copy and paste the log here.

We'll see whats in it.

EFFIGY
08-07-2007, 10:14 PM
Seems that it has the power to remove the accept conditions buttons from install agreements, preventing one from downloading.

Speedy Gonzales
08-07-2007, 10:25 PM
We'll fix that.

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HiJackThis.exe)

Put it in its own folder then run it then click on do a system scan and save a logfile.

Then copy and paste the log here.

If it doesnt work in normal windows, boot into safe mode then run and do the above.

EFFIGY
08-07-2007, 10:45 PM
Gah! Licence agreement, no accept button

Speedy Gonzales
08-07-2007, 10:50 PM
Gah! Licence agreement, no accept button

What? That should get the file directly. Did it download,or is that the prob??

I'll have to check this tomorrow. I'm off to bed.

EFFIGY
08-07-2007, 10:52 PM
It downloaded - thats the prob and yes I knackered too.

EFFIGY
08-07-2007, 10:52 PM
And many thanks, nite nite

beeswax34
09-07-2007, 12:00 AM
Tried getting and running HJT in safe mode?

kjaada
09-07-2007, 06:35 AM
If Speedy does not come up with a solution get a linux bootable CD and run it you then should be able to find and delete the files.I will watch with interest as this one seems very cunning.
Good luck

EFFIGY
09-07-2007, 10:32 AM
Morning All
Am presently running a new e-Trust deep scan to double check paths and directories.
So far looks like I need to deal with - <script.ini> <sup.bat> <sup.reg> in my Cache; and Postcard.jpg[1].exe <mirc.ini> <script.ini> <sup.bat> <sup.reg> in Content.IE5
More detail as i unearth it

Speedy Gonzales
09-07-2007, 10:39 AM
Well if u can get ccleaner (http://www.ccleaner.com)

It should remove the cache and temp files etc on your hdd.

If Effigy could get HJT to run Kjaada, that would most probably solve this prob.

At least it'll tell us whats on this system.

I dont know where this licence agreement is, because the link I gave, is the direct link to HJT.

There is no licence agreement in the download, or when you run hijackthis.

If hijackthis wont run in normal windows boot into safe mode. And run it then do a scan and then save the log, then reboot, then copy and paste the log here.

EFFIGY
09-07-2007, 10:41 AM
Found this Googling sup.bat
http://lists.sans.org/pipermail/list/2005-November/022934.html
getting out of my depth here but may help someone with more knowledge

Speedy Gonzales
09-07-2007, 11:05 AM
Ok, well the next thing to try is.

Get Stinger (http://download.nai.com/products/mcafee-avert/stinger.exe)

Download this and run it. See if it picks anything up.

If this doesnt work then:

Turn system restore off (if u have XP).

Then boot into safe mode.

Find these files (if they exist) and delete them in safe mode.

aliases.ini
away.txt
fullinfo.bat
fullinfo.lnk
fullinfo2.bat
fullinfo2.lnk
fullname.txt
hidewndw.exe
ident.txt
ipconf.bat
ipconf.lnk
memorat.txt
mirc.ini
netinfo.bat
netinfo.lnk
nicks.txt
postcards.jpg
procese.bat
procese.lnk
procese.txt
remote.ini
script.ini
servers.ini
servers2.ini
setup.lnk
sup.bat
sup.reg
sup2.bat
sup2.lnk
users.ini
winspector.exe
winspector.lnk

It looks like it puts these in the registry

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Winspector_s
<System>\drivers\shellz\sup2.lnk <-- This needs to be deleted

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Winspector
<System>\drivers\shellz\winspector.lnk <-- The bolded text needs to be deleted.

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\
HKCU\Software\Microsoft\Microsoft Agent\
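The two removal posts above (the regsvr32 /u steps for the three DLLs, and the longer file and Run-key list) are easy to get wrong by hand, because Explorer search skips hidden and system files and a mistyped regsvr32 silently does nothing. This is an added PowerShell example, not something posted in the thread: it audits a machine for exactly the file names and registry entries the posts list, reports what it finds, and then does a -WhatIf dry run of the delete and unregister steps so nothing changes until the listing has been reviewed. The <System>\drivers\shellz path and the value names come from the post; the extra search roots (TEMP, Temporary Internet Files) and the $dryRun switch are assumptions of mine. Run it from an elevated prompt.

```powershell
# Added example, not from the thread. Audit for the files and Run-key entries the
# removal posts list, then dry-run the removal. Requires an elevated PowerShell.
$dryRun = $true   # set to $false only after reviewing the listing (assumption: my own switch)

$suspectFiles = @(
    'dev.dll','flood.dll','timedinterp.dll','flood.ini','winconf.mrc',
    'aliases.ini','away.txt','fullinfo.bat','fullinfo.lnk','fullinfo2.bat','fullinfo2.lnk',
    'fullname.txt','hidewndw.exe','ident.txt','ipconf.bat','ipconf.lnk','memorat.txt',
    'mirc.ini','netinfo.bat','netinfo.lnk','nicks.txt','postcards.jpg','procese.bat',
    'procese.lnk','procese.txt','remote.ini','script.ini','servers.ini','servers2.ini',
    'setup.lnk','sup.bat','sup.reg','sup2.bat','sup2.lnk','users.ini',
    'winspector.exe','winspector.lnk'
)

# The post names <System>\drivers\shellz; the other roots are assumed drop points.
$searchRoots = @(
    (Join-Path $env:SystemRoot 'system32\drivers\shellz'),
    $env:SystemRoot,
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files')
)

function Find-SuspectFiles {
    foreach ($root in $searchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden and system files, which Explorer's search can miss
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and ($suspectFiles -contains $_.Name) }
    }
}

function Get-RunEntries {
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's PSPath/PSParentPath noise
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.Name
                Command = $_.Value
                # value names and paths quoted in the post
                Suspect = ($_.Name -like 'Winspector*') -or ("$($_.Value)" -match 'shellz|sup2\.lnk|winspector\.lnk')
            }
        }
}

$files = @(Find-SuspectFiles)
"Files matching the list: $($files.Count)"
$files | Select-Object FullName, Length, LastWriteTime, Attributes | Format-Table -AutoSize

"Run-key entries (Suspect = matches names/paths from the post):"
Get-RunEntries | Format-Table -AutoSize

# Other keys the post says get created. Presence alone proves nothing: mIRC is a legitimate client.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC',
               'HKCU:\Software\Microsoft\Microsoft Agent') {
    '{0,-70} present: {1}' -f $k, (Test-Path -Path $k)
}

# Removal steps: unregister DLLs first (as the post advises), then delete files and Run values.
foreach ($f in $files) {
    if ($f.Extension -eq '.dll') {
        if ($dryRun) { "Would run: regsvr32 /u /s $($f.FullName)" }
        else         { & regsvr32.exe /u /s $f.FullName }
    }
    Remove-Item -LiteralPath $f.FullName -Force -WhatIf:$dryRun
}
Get-RunEntries | Where-Object { $_.Suspect } | ForEach-Object {
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name $_.Name -WhatIf:$dryRun
}
```

Do the audit in safe mode with System Restore off, as the post says, otherwise the files can be locked or reinstated from a restore point. The script deliberately reports before it removes: a file called script.ini or mirc.ini is normal on a machine with a real mIRC install, so match the full paths against the scanner's report before flipping $dryRun.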

EFFIGY
09-07-2007, 11:15 AM
Yay! I've found a file in Firefox\Profiles\default.m5v\Cache\1025B224d01
doesn't have the <script.ini> <sup.bat> <sup.reg> but according to the scan path its there.
I'm in safe mode. should I delete it?

EFFIGY
09-07-2007, 11:16 AM
BTW Deep scan still running, dont dare do anything 'til it's finished

Speedy Gonzales
09-07-2007, 11:22 AM
Get ccleaner (http://www.filehippo.com/download/9838386a743262a2d7aaedfb3b432ae2/download/)

This is a direct link to ccleaner.

This will delete whats in the cache and temp files etc.

You'll have to close all browser/s, before u click on run ccleaner.

Untick the toolbar option, you dont need it.

Speedy Gonzales
09-07-2007, 11:34 AM
If Trojan remover is still installed.

open My computer, click on local disk (C: ) right mouse and select scan with trojan remover as well.

Bantu
09-07-2007, 04:29 PM
EFFIGY Run a CMD window and type in netstat -a
this will show what/who is connected to your computer. IF it is an IRC trojan on your PC others can control your PC to flood others and do other various things without your knowledge. Netstat might show up one or more sites connected.

EFFIGY
09-07-2007, 07:23 PM
EFFIGY Run a CMD window and type in netstat -a
this will show what/who is connected to your computer. IF it is an IRC trojan on your PC others can control your PC to flood others and do other various things without your knowledge. Netstat might show up one or more sites connected.

Hey thanks, Maxnet have sent me notice that I'm approaching datacap, not something that usually happens, but I have done a few downloads too.. worth a check.

Trojan Remover in its 3rd hour of scanning - is that normal?

EFFIGY
09-07-2007, 07:27 PM
EFFIGY Run a CMD window and type in netstat -a
this will show what/who is connected to your computer. IF it is an IRC trojan on your PC others can control your PC to flood others and do other various things without your knowledge. Netstat might show up one or more sites connected.

Not showing anyone @ the moment..
but I'm hoping I've fixed it ...awaiting scan results

Speedy Gonzales
09-07-2007, 07:28 PM
Trojan Remover in its 3rd hour of scanning - is that normal?

3rd hour? No it isnt normal!

And did u do a scan in normal windows or in safe mode?

Your hdd is either 1/2 dead, or it needs to be defragged,or your system is like 1 mhz!

EFFIGY
09-07-2007, 08:17 PM
Now its showing:
TCP - 9 look fine
then there are these (Ive used #for my real name)
UDP ####:microsoft-ds *:*
UDP ####:isakmp *:*
UDP ####:1043 *:*
UDP ####:1063 *:*
UDP ####:1064 *:*
UDP ####:1095 *:*
UDP ####:4500 *:*
UDP ####:ntp *:*
UDP ####:netbios-ns *:*
UDP ####:netbiosdgm *:*
UDP ####:router *:*
UDP ####:1900 *:*
UDP ####:ntp *:*
UDP ####:1348 *:*
UDP ####:1900 *:*

Now since this means nothing at all to me beyond stuff I might need to learn, they may or may not be harmless.

Its the *:* bit under the foreign address column that bothers me - the first nine are quite specific, these are not.
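On the question raised in the posts above about the `*:*` rows: netstat prints `*:*` as the foreign address for every UDP socket because UDP has no connection state, so those rows are local listeners (NetBIOS, NTP, SSDP on 1900, IPsec on isakmp/4500), not remote parties connected to the machine. What a bot would show up as is a TCP session in ESTABLISHED state to an outside address, which is the part worth reading, and `netstat -ano` adds the owning process ID so the session can be tied to a program. This is an added PowerShell example, not part of the thread, that parses `netstat -ano` into objects, maps each established session to its process, and marks remote ports in the conventional IRC range; that 6660-6669/7000 range is my assumption, not something stated in the thread.

```powershell
# Added example, not from the thread. Turn `netstat -ano` into objects, separate the
# stateless UDP *:* rows from real TCP sessions, and name the process behind each one.
$ircPorts = @(6660..6669) + 7000   # conventional IRC ports (assumption, not from the thread)

function Get-NetstatRows {
    param([string[]]$Text = (netstat -ano))
    foreach ($line in $Text) {
        $f = $line.Trim() -split '\s+'
        switch ($f[0]) {
            # TCP rows: Proto Local Foreign State PID
            'TCP' { [pscustomobject]@{ Proto = 'TCP'; Local = $f[1]; Remote = $f[2]; State = $f[3];        PID = [int]$f[4] } }
            # UDP rows have no State column: Proto Local Foreign PID, and Foreign is always *:*
            'UDP' { [pscustomobject]@{ Proto = 'UDP'; Local = $f[1]; Remote = $f[2]; State = '(stateless)'; PID = [int]$f[3] } }
        }
    }
}

function Get-RemotePort([string]$Endpoint) {
    # works for 1.2.3.4:6667 and [::1]:6667 alike, since the port follows the last colon
    if ($Endpoint -match ':(\d+)$') { [int]$Matches[1] } else { $null }
}

function Get-ProcessLabel([int]$ProcessId) {
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($p) { $p.ProcessName } else { '?' }
}

$rows = @(Get-NetstatRows)

"Established TCP sessions (these have a real remote peer):"
$rows | Where-Object { $_.Proto -eq 'TCP' -and $_.State -eq 'ESTABLISHED' } | ForEach-Object {
    $port = Get-RemotePort $_.Remote
    [pscustomobject]@{
        Local   = $_.Local
        Remote  = $_.Remote
        PID     = $_.PID
        Process = Get-ProcessLabel $_.PID
        Note    = if ($ircPorts -contains $port) { 'remote port in IRC range' } else { '' }
    }
} | Format-Table -AutoSize

"UDP listeners (the *:* rows; no remote peer by definition):"
$rows | Where-Object { $_.Proto -eq 'UDP' } | ForEach-Object {
    [pscustomobject]@{ Local = $_.Local; PID = $_.PID; Process = Get-ProcessLabel $_.PID }
} | Format-Table -AutoSize
```

A bot usually holds its IRC session open only while it is online, so run this in normal Windows with the network up, not in safe mode, and run it more than once. Port matching is only a hint: a session from an unfamiliar process name to any outside address on any port deserves the same look.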

EFFIGY
09-07-2007, 08:26 PM
3rd hour? No it isnt normal!

And did u do a scan in normal windows or in safe mode?

Safe Mode didnt show anything, so I thought I would try normal, Windows defender is off, but not firewall or av.

Your hdd is either 1/2 dead, or it needs to be defragged,or your system is like 1 mhz!

I could be quite offended there! But I have the hide of a rhino. Whilst not state of the art its adequate and, until this, thoroughly capable & reliable. I defragged 2 weeks ago. I normally only do it every couple of months, its not used for gaming.
Pentium 4, 256ram, 40g hd

EFFIGY
09-07-2007, 08:56 PM
Here's something - Some of the virus directories lead to the recycler, now i am not allowed to delete
S-1-5-21-776561741-854245398-1060284298-1003 - It is being used by another person or programme? Its NOT write protected

Speedy Gonzales
09-07-2007, 08:59 PM
I could be quite offended there! But I have the hide of a rhino. Whilst not state of the art its adequate and, until this, thoroughly capable & reliable. I defragged 2 weeks ago. I normally only do it every couple of months, its not used for gaming. Pentium 4, 256ram, 40g hd

Sorry bout that :) Umm, is Trojan remover still scanning now, or has it finished?

Did it find anything?

Did u get ccleaner and run it?? By the sounds of it, it sounds like there's a lot of temp files etc on your system. Why it took so long to scan..

Ccleaner may remove some of those files in the temp/cache folder.

I would install an AV program like Avast or AVG. They may do a better job of removing whatever you've got.

Speedy Gonzales
09-07-2007, 09:09 PM
Here's something - Some of the virus directories lead to the recycler, now i am not allowed to delete
S-1-5-21-776561741-854245398-1060284298-1003 - It is being used by another person or programme? Its NOT write protected

Those I think belong to system restore. Did u turn system restore off??

You cant normally get into these folder until u turn system restore off.

If you think this trojan is in the system restore folder/s you'll have to disable system restore.

And you may have to boot into safe mode, add yourself to the System Volume Information folder/s, before u can see whats in them and delete whats in them.

EFFIGY
09-07-2007, 09:49 PM
Well I think its gone!!!
As to Hdd 1/2 dead - you might be right. I should get it seen to... but it is raining, and the steps are slippery, I could easily slip taking it to the repair shop. Does insurance cover that?
I'll sleep on it. Goodnight, and thx again

Speedy Gonzales
09-07-2007, 09:54 PM
Does insurance cover a dead hard drive you mean?? How old is the hard drive??

It maybe under warranty.

What makes u think the hdd is 1/2 dead?? Is it making strange noises,or something?? Too slow?

Where r u ?? in NZ? somewhere else in the world??

EFFIGY
09-07-2007, 10:00 PM
NZ silly

EFFIGY
10-07-2007, 05:17 PM
IT'S FIXED!!!!!!:D

Speedy Gonzales
10-07-2007, 05:22 PM
Good to hear :thumbs: