mIRC Home    About    Download    Register    News    Help

Print Thread
Page 4 of 6 1 2 3 4 5 6
Re: malware.Bkdr_Ircflood.X #76450
13/04/04 08:54 PM
13/04/04 08:54 PM
Joined: Nov 2003
Posts: 2,327
T
tidy_trax Offline
Hoopy frood
tidy_trax  Offline
Hoopy frood
T

Joined: Nov 2003
Posts: 2,327
Trendmicro finds nothing on my computer, which is why i guessed it might not be a false positive.
why would it report detection on some computers if it's a false positive, i would say that it would detect it on all if it was.


New username: hixxy
Re: malware.Bkdr_Ircflood.X #76451
15/04/04 08:21 PM
15/04/04 08:21 PM
Joined: Apr 2004
Posts: 1
O
Ottergame Offline
Mostly harmless
Ottergame  Offline
Mostly harmless
O

Joined: Apr 2004
Posts: 1
Whenever I connect to MIRC, I find this virus as well when I run the online scanner. However, I also get about 50 connection attempts from 69.50.181.165 hitting different ports, wanna.see.a.massdeop.us, MAIL.ATRIVO.COM . If you open tha secondt website address, there's a bunch of pictures and a video of some sort of party... I don't know if the two are related, however for me they did appear around the same time.

Re: malware.Bkdr_Ircflood.X #76452
16/04/04 12:53 PM
16/04/04 12:53 PM
Joined: Apr 2004
Posts: 4
K
kbaumgar Offline
Self-satisified door
kbaumgar  Offline
Self-satisified door
K

Joined: Apr 2004
Posts: 4
i am also having this problem, been looking for a couple days now and there are still no answers but i have sound some links on the mirc website that could help.

http://forums.mirc.com/showflat.php?Cat=...amp;amp;fpart=1

this page has several links that seem like they could be pretty helpful. i would try them but im on a public computer right now, so someone tell me if anything worked or not...

Re: malware.Bkdr_Ircflood.X #76453
18/04/04 04:16 PM
18/04/04 04:16 PM
Joined: Apr 2004
Posts: 4
K
kbaumgar Offline
Self-satisified door
kbaumgar  Offline
Self-satisified door
K

Joined: Apr 2004
Posts: 4
IS TRENDMICRO EVEN TRYING TO FIGURE THIS OUT?!

Re: malware.Bkdr_Ircflood.X #76454
18/04/04 04:22 PM
18/04/04 04:22 PM
Joined: Jun 2003
Posts: 5,024
London, England
M
Mentality Offline
Hoopy frood
Mentality  Offline
Hoopy frood
M

Joined: Jun 2003
Posts: 5,024
London, England
Please read this post, it says just about everything that can be said at least from what I have seen.

There is however, no point in using caps (which is considered "shouting" on the Internet in general, including the IRC community) - Shouting at us is rude and uncalled for, no matter how frustrating something is smile - Especially when the answer lies in this very thread.

It was reported that Trendmicro's 'virus doctors' are looking into the matter - they may or may not have found an answer yet, these things can take time. There is little *WE* can do about the issue.

Happy chattin'.

Regards,


Mentality/Chris
Re: malware.Bkdr_Ircflood.X #76455
18/04/04 05:45 PM
18/04/04 05:45 PM
Joined: Apr 2003
Posts: 210
S
saxon Offline
Fjord artisan
saxon  Offline
Fjord artisan
S

Joined: Apr 2003
Posts: 210
Like other people i get this error. For instance, When mirc is not open it will detect and clean the virus (whilst "scanning system files"). Then with any further virus scans the virus will not be found. However if I open mIRC and then close it again, And then re-scan it finds the same virus, Very odd, I can't think what mIRC could be adding to my "system files" even if it is a false pos. ?

After the virus is cleaned it isn't detect again until mIRC has been re-opened. So if mIRC is still open after a clean, the virus is not detected by further scans. So It seems mIRC creates some kind of file when it opens which housecall doesn't like.

I also tried this on a copy of 6.03 which i have stored in a different folder (which excludes the possibility of that 1 copy of mIRC being genuinly infected on my system?), Same results.

Note: When I say virus scan I am ofcourse talking about TM's Housecall.


Last edited by saxon; 18/04/04 05:59 PM.
Re: malware.Bkdr_Ircflood.X #76456
18/04/04 09:37 PM
18/04/04 09:37 PM
Joined: Apr 2004
Posts: 1
S
spamla Offline
Mostly harmless
spamla  Offline
Mostly harmless
S

Joined: Apr 2004
Posts: 1
I too am one of those people unable to find IEEXEC.EXE and everything else Trend Micro lists to remove from the registry, etc., etc., but enough about that.

Maybe this was a coincidence (I'm not sure if wabbyyy was referring to the same thing) but prior to the first scan I ran, I had rebooted after installing the monthly Windows updates and my computer was painfully slow - it took about 30 minutes to get to my desktop. In task manager, my cpu load was at 98-100% before I had even run any programs. 24 hours later or so, it started running normally just like that. Anyone else have this problem? I found one other incident like this on Google but I'm not sure if it's related to BKDR_IRCFLOOD.X or just a mere coincidence.

Re: malware.Bkdr_Ircflood.X #76457
19/04/04 08:49 AM
19/04/04 08:49 AM
Joined: Apr 2004
Posts: 1
M
mudyfox Offline
Mostly harmless
mudyfox  Offline
Mostly harmless
M

Joined: Apr 2004
Posts: 1
I have the same problem like others that run mIRC. The "malware.BKDR_IRCFLOOD.X" is detected only with Trendmicro's software. Neither Norton, McAfee nor BitDefender found any traces of it. My mIRC client is currently version 6.14.

I have a question in regards to the "IEExec.exe" file. Is this file associated with Microsoft's .NET Framework?. These entries below are found along with the path pointing to the ieexec.exe file. These entries were found on two machines I have mIRC installed on. Seems like it does not like to be deleted. The file is copied back over as soon as it is deleted. Is it a windows protected system file? I assume booting into the recovery console to delete the file would work? Can someone confirm that "IEExec.exe" is a legitimate Microsoft .NET Framework file or not.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExec.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ieexec.exe.config.orig
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll

Re: malware.Bkdr_Ircflood.X #76458
19/04/04 06:37 PM
19/04/04 06:37 PM
Joined: Apr 2004
Posts: 1
A
Aurion Offline
Mostly harmless
Aurion  Offline
Mostly harmless
A

Joined: Apr 2004
Posts: 1
Well, I read through all the posts in this topic, and I decided to check something. Now, I'd first noticed this on my own computer sometime after I came back from spring break last month, and only Housecall was detecting (neither NAV nor BitDefender registered anything). Very confusing, since I tend to be fairly paranoid about what I do with my computer, and I'd never had it before. Thing was, I couldn't remember whether this was pre- or post-upgrade to 6.14. So, I just tested this on my office computer, which I know was clean before I tried. I had mIRC v6.12 on my office computer, checked it with Housecall, nothing. I then upgraded it to v6.14, checked it with Housecall again, I got a hit. To me, this suggests that there's some change in these two versions that is being mistakenly identified as malware by Housecall. Anyone else clean with 6.12 want to try this to see if this also occurs? I can't imagine that there would have been a drastic code change that would have created this, but I'm not that savvy when it comes to code.

Last edited by Aurion; 19/04/04 06:39 PM.
Re: malware.Bkdr_Ircflood.X #76459
19/04/04 08:35 PM
19/04/04 08:35 PM
Joined: Oct 2003
Posts: 51
istanbul, turkey
Z
zfr Offline
Babel fish
zfr  Offline
Babel fish
Z

Joined: Oct 2003
Posts: 51
istanbul, turkey
Please don't delete any files or registry entries.

This is simply a bug in housecall.

If none of the other antivirus programs detects it, then you are not infected.

Housecall pops up the same message to me. But it does that way before it started scanning. And at the and of the scan it doesn't detect any infected files. Normally, it displays a list of infected files and suggestion on how to deal with them.

Re: malware.Bkdr_Ircflood.X #76460
20/04/04 03:26 PM
20/04/04 03:26 PM
Joined: Apr 2004
Posts: 1
F
FaRgo Offline
Mostly harmless
FaRgo  Offline
Mostly harmless
F

Joined: Apr 2004
Posts: 1
norton found nothing and housecall did and for me its not just a bug.
I got a pm from a mate who had the ircflood and I clicked.
The same week I to started to pm people on my irc channels.
I searched al the google pages on malware.Bkdr_Ircflood.X and
Did not found the solution that fixt the problem.
I to have the IEExec.exe the config and the dll file thay always come back.
I hope virus directors are working on the ircflood and find a solution, now I cant use irc no more. confused



Re: malware.Bkdr_Ircflood.X #76461
20/04/04 03:39 PM
20/04/04 03:39 PM
Joined: Jun 2003
Posts: 384
D
DekuHaze Offline
Fjord artisan
DekuHaze  Offline
Fjord artisan
D

Joined: Jun 2003
Posts: 384
Quote:
...now I cant use irc no more.


Why not use another IRC client in the mean time? smile

Re: malware.Bkdr_Ircflood.X #76462
20/04/04 05:28 PM
20/04/04 05:28 PM
Joined: Apr 2004
Posts: 1
Germany
T
Togi24 Offline
Mostly harmless
Togi24  Offline
Mostly harmless
T

Joined: Apr 2004
Posts: 1
Germany
hi guys,

i´m new to this forum, i came here with the hope to find any solution for the BKDR_IRCFLOOD.X i caught up myself. Now i see u guys have either no solution. to me it happens the same way like to many of other guys in here as well. housecall found the trojan, i dont have IEEXEC.EXE nor any registry entries of it on my system. so the housecall "get rid" suggestions wont work for me. thats why i did some investigations on it

let me explain what i discovered so far. all started when i got pmed by a mate from a chan with a link inside what i clicked... dumbass me smile a couple of days later i wondered why i got scanned many times a day for Sokets de Trois v1, more then 20 times a day. my Norton Personal Firewall blocked them away, hopefully... by chance i found that housecall virus scan thingy and for pure curiosity i ran that scan and... BINGO, infected.
as i said above housecalls suggestions dont work for me so i started to investigate. i read several boards and such and found on that way this one here.
at first i noticed the Notepad.exe in my system32 folder which i dumped. after that i ran a registry cleaner which found 46!!! links related to notepad.exe in the system32 folder. i removed all of them and the system runs still solid. now i havent been scanned for Sokets de Trois v1 anymore. then i got HijackThis for informations on what is going on on my system. it detects anything what has been executed on the system. there were no suspects. probably u guys may be helped by it.
then i got Process Explorer which gives u infos on what is loaded. unfortunatly it wasnt any help for me but probably for u guys.

because i´m either not that trojan hunter crack, this is my first one, i thought why not to compare the HijackThis scans and probably we together are able to find that shitty thing.

this is my scan after starting mirc without doing the housecall clean up

Logfile of HijackThis v1.97.7
Scan saved at 19:26:41, on 20.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\Internet Security\Tmntsrv.exe
C:\Programme\Trend Micro\Internet Security\tmproxy.exe
C:\Programme\Norton Personal Firewall\NISSERV.EXE
C:\Programme\DU Meter\DUMeter.exe
C:\Programme\D-Tools\daemon.exe
C:\Programme\Norton Personal Firewall\IAMAPP.EXE
C:\Programme\Trend Micro\Internet Security\pccguide.exe
C:\Programme\Trend Micro\Internet Security\PCClient.exe
C:\Programme\Trend Micro\Internet Security\TMOAgent.exe
C:\Programme\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\WebWasher\wwasher.exe
C:\Programme\TuneUp Utilities\MemOptimizer.exe
C:\Programme\STK007\STK007M.exe
C:\Programme\ISDN Monitor\ISDNMO32.EXE
C:\Programme\Topdesk\TDeskDEU.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Winamp\winamp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\mIRC\mirc.exe
C:\Programme\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freenet.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DU Meter] C:\Programme\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iamapp] C:\Programme\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Programme\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Programme\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WebWasher] C:\Programme\WebWasher\wwasher.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] C:\Programme\TuneUp Utilities\MemOptimizer.exe autostart
O4 - Startup: ISDN Monitor 32.lnk = C:\Programme\ISDN Monitor\ISDNMO32.EXE
O4 - Startup: TDeskDEU.lnk = C:\Programme\Topdesk\TDeskDEU.exe
O4 - Startup: Windows-Explorer.lnk = C:\WINDOWS\explorer.exe
O4 - Global Startup: STK007 PNP Monitor.lnk = ?
O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/software/expressview/webinstall/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.6180902778
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/de/techsupp/activedata/ActiveData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F49DA492-7B88-463F-B389-CA9A02F6DA76} - http://www.seagate.com/support/disc/asp/tools/de/bin/npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EB636CB-9E81-4A9E-8E36-3769378FD4E5}: NameServer = 213.148.129.10 213.148.130.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{261BF471-5B25-4DE2-90B9-562280EE3F6B}: NameServer = 192.168.120.252,192.168.120.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4DB604B-581A-43A1-B664-34252880D5D4}: NameServer = 192.168.1.1


Togi

Last edited by Togi24; 20/04/04 05:50 PM.
Re: malware.Bkdr_Ircflood.X #76463
20/04/04 05:52 PM
20/04/04 05:52 PM
Joined: Dec 2002
Posts: 1,527
state of confusion
L
landonsandor Offline
Hoopy frood
landonsandor  Offline
Hoopy frood
L

Joined: Dec 2002
Posts: 1,527
state of confusion
Ok, I dont know how much of this will apply, but according to microsoft, THIS LINK says Win2k does this on install (2 copies of notepad.exe). Im not saying anybody is or is not affected by the all the viruses, just shedding more light on to the situation is all.

FYI, just replied to the LAST post so this is a general FYI smile


Those who fail history are doomed to repeat it
Re: malware.Bkdr_Ircflood.X #76464
21/04/04 12:28 AM
21/04/04 12:28 AM
Joined: Apr 2004
Posts: 4
K
kbaumgar Offline
Self-satisified door
kbaumgar  Offline
Self-satisified door
K

Joined: Apr 2004
Posts: 4
this is not just a bug in housecall, i am a paying customer of pccillin internet security as well as mcafee and pccillin continues to find this problem. it also continues to "clean" it and it is becoming very aggravating

i have emailed trendmicro about this and hopefully they will get back to me soon

Re: malware.Bkdr_Ircflood.X #76465
21/04/04 07:17 AM
21/04/04 07:17 AM
Joined: Jun 2003
Posts: 5,024
London, England
M
Mentality Offline
Hoopy frood
Mentality  Offline
Hoopy frood
M

Joined: Jun 2003
Posts: 5,024
London, England
I should imagine the general scanning process in Housecall and PCCillin are the same as they are both produced by Trendmicro.

Trendmicro have already been contacted, and as has been said before, they have said their 'virus doctors' are looking into it - if they haven't cured it by now, they probably won't do, but these things do take time.

-Generally speaking-

Sorry, but I have to wonder why people keep posting - everything that can be said has been said, and if people would just take a little time to browse this entire thread, every question possible related to this topic is answered. Grateful as I/we are for contributing technical details of the scan, to be blunt, it is of little use to us. Send it off to Trendmicro and let them analyse it. We cannot speak on behalf of Trendmicro. They must be contacted themselves, and we cannot come up with a cure for it!

Regards,


Mentality/Chris
Re: malware.Bkdr_Ircflood.X #76466
22/04/04 01:29 AM
22/04/04 01:29 AM
Joined: Apr 2004
Posts: 4
K
koei Offline
Self-satisified door
koei  Offline
Self-satisified door
K

Joined: Apr 2004
Posts: 4
i ran the trendmicro scanner and it said it found and cleaned it. It didn't do anything else. however whenever i try to open mirc i fail and when i run trendmicro again it finds the same virus.

Re: malware.Bkdr_Ircflood.X #76467
22/04/04 03:23 AM
22/04/04 03:23 AM
Joined: Dec 2002
Posts: 3,127
BratLand
P
ParaBrat Offline
Hoopy frood
ParaBrat  Offline
Hoopy frood
P

Joined: Dec 2002
Posts: 3,127
BratLand
Several ppl have reported it showing up again on trendmicro scans after opening mIRC. Regarding that, all we know is what is already said several times in this thread.

If your question was about why you "try to open mirc i fail", we need a bit more info. Do you mean you cant bring mIRC up when you click on the shortcut, or cant connect to a server or what? If you can tell us exactly what happens and any error msgs, we might be able to help.


ParaBrat @#mIRCAide DALnet
Re: malware.Bkdr_Ircflood.X #76468
22/04/04 04:12 AM
22/04/04 04:12 AM
Joined: Apr 2004
Posts: 4
K
koei Offline
Self-satisified door
koei  Offline
Self-satisified door
K

Joined: Apr 2004
Posts: 4
Ok here's what i get. I open up mirc. I don't connect to any servers. I run trendmicro and i get a msg saying it found and cleaned malware.bkdr_ircflood.x. Now i close mirc and i run trendmicro again and it doesn't find anything. Then i open mirc again and i don't connect to any servers. I run trendmicro and i get the msg that it found and cleaned malware.bkdr_ircflood.x. So everytime i open up mirc the virus comes back

Re: malware.Bkdr_Ircflood.X #76469
22/04/04 04:19 AM
22/04/04 04:19 AM
Joined: Jun 2003
Posts: 5,024
London, England
M
Mentality Offline
Hoopy frood
Mentality  Offline
Hoopy frood
M

Joined: Jun 2003
Posts: 5,024
London, England
In that case, read what ParaBrat said wink

"Several ppl have reported it showing up again on trendmicro scans after opening mIRC. Regarding that, all we know is what is already said several times in this thread."

Now, read my post a few of posts up from this one under the General part of it...we really can't say much more. There is not much use telling us Trendmicro has found the virus we can't do anything about it, and we already know there is an issue (as there over 70 replies in this thread).

Also, and I don't want to sound arrogant/big-headed, but I did attempt to ask 90% of questions possible by gathering information from the other posts in this thread - see this post earlier on. Since then, I have only seen 2-3 reasonable replies.

To be honest, it seems people are posting now just because it's a big thread, for no particular reason, and making no effort to get past the first few posts.

Regards,


Mentality/Chris
Page 4 of 6 1 2 3 4 5 6