#76410 01/04/04 02:55 PM
Joined: Oct 2003
Posts: 16
Pikka bird
"Good day!
I apologize for the inconvenience we are causing you. Please place the mIRC executable in the exception list to avoid the false detection:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=17323
In the meantime, we will inform our virus doctors regarding this problem so that they can analyze it.
Thank you for using Trend Micro for your computer protection software. Please do not hesitate to let us know if you have further inquiries. Other means of reaching our office are indicated below.
Regards,
Trend Micro, Inc.
John Lolin
Consumer Support Team"

well ... ok? confused dslreports


"ytytyt = a lamers' version of asdf"
#76411 01/04/04 06:32 PM
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
thanks for the info, just saw it today myself. hopefully someone will keep us updated with what TrendMicro's further analysis comes up with.

Word of caution: it's always best to thoroughly check for the items that are listed as being part of this or any virus to be on the safe side. Don't just assume anything found is a false positive until you are sure.


ParaBrat @#mIRCAide DALnet
#76412 02/04/04 08:21 AM
Joined: Sep 2003
Posts: 1
R
Mostly harmless
the solution was great but only intended for trend 2004...i have an updated trend 2002 and still i get a series of dos attacks whenever i log on to mirc so i have to reboot again. i tried looking for the exception folder myself and found it and included the mirc folder but still after a few minutes logging in it..same result..dos attacks..then reboot. thanks for the info and i apologize for asking...i must accept i'm a newbie to pc security. good day! smile

#76413 03/04/04 03:10 AM
Joined: Apr 2004
Posts: 3
T
Self-satisified door
If you are re-installing mIRC from an executable that you have stored on a CD somewhere, then maybe that executable is infected - probably downloaded from a site other than those specified at www.mirc.com.

If those 3 files keep reappearing even after a re-install, then I'd redownload the mIRC installation program from a reputable source!

#76414 03/04/04 07:13 PM
Joined: Apr 2004
Posts: 1
S
Mostly harmless
wow there is still no fix for this? confused

#76415 04/04/04 08:00 PM
Joined: Apr 2004
Posts: 1
S
Mostly harmless
Yes there is. After just a quick look, I believe that this is a false positive. At least I hope.

The solution to this "virus" appears to be to install version 5.7.

Something in the registry I think that was added in version 5.8 and above, or something appears to trigger the Trend Micro alarm. I'm not sure what this could be, perhaps it is the registry keys indicated in the previous post.

#76416 05/04/04 03:59 AM
Joined: Apr 2004
Posts: 4
J
Self-satisified door
I have this, too.

And I just got this yesterday night when I clicked on a link in a channel. It was from a person I know so, I didn't think it was fishy. Also, once you are infected w/ this, you advertise that link at certain intervals and only other ppl can see that link and not you, so you don't know about it.

I never had anything of this sort before so I _don't_ think this is a false positive.

I have also come to the following conclusion (like some before):

-it's a mirc backdoor.
-it doesn't self-re-install after booting your comp.
-it does that only after mirc.exe is executed.
-so far, only trend micro has picked this up.

*********************************

I went to this site for help, http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_IRCFLOOD.X (someone here posted it).

But, I am having some problems w/ their manual removal.

Quote:
Go to the directory where the file IEEXEC.EXE is located.
Open a command prompt in this location.
Type the following:
C:\ieexec.exe – uninstall
Press Enter to remove the application.


I can't find a file named "ieexec.exe."

Quote:
Open Registry Editor. Click Start>Run, type Regedit then hit Enter.
In the left panel, double click the following:
HKEY_CLASSES_ROOT>irc>Shell>open>command
In the right panel, locate the following entry:
(Default) = <current directory>\IEEXEC.EXE


Again, I didn't have an ieexec.exe key in there. Although, my key had " -no connect" at the end. Does anyone know what that means? I removed it. mIRC seems to be working fine so far.

Quote:
In the left panel, double-click the following: HKEY_CLASSES_ROOT>ChatFile>Shell>Open>Command


I don't have a key named "chatfile."

And similar problems w/ the rest of their solution.

I am actively seeking a resolution to this and will post when I find something new.

*sigh* frown

#76417 05/04/04 08:43 AM
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
as i said in an earlier post, that trojan does exist in the wild, so it's always possible some users are actually infected. It's only been happening recently with trendmicro's housecall that some ppl are being told they are infected with it but when they check, they don't have any of the files or registry changes noted as being dropped by that trojan. Trendmicro has said their virus doctors are investigating to see if there is something triggering a false positive. Until someone gets a response from them with the results of their analysis, we can only speculate.


ParaBrat @#mIRCAide DALnet
#76418 05/04/04 10:17 AM
Joined: Apr 2004
Posts: 1
O
Mostly harmless
Hi. I'm brand new to this board, but I've been on mIRC a good six years now. I know better than to accept files ppl send to me without my having asked for them. I know better than to click on url's posted by just anyone in a channel. I know better than to type whatever someone may say to type. I too am having the BKDR_IRCFLOOD.X problem with trend micro. This time though, I watched carefully (for once) and the message just said HouseCall had found a malware.BKDR_IRCFLOOD.X and had cleaned it. It didn't say where it was found or which file it was found in. So, I went back to mIRC, and connected to my favorite server, then disconnected, and sure enough, it happened again. So, again, I reconnected to mIRC and disconnected. Then I went through the regedit procedure, and lo and behold none of the items mentioned by Trend Micro (or HouseCall whichever they prefer to call themselves) were listed in the regedit area. Therefore, my conclusion is, yes it, in my case at least, is a false alarm. (I used to run PC-cillin II years ago, back in the days when puters wore animal skins, and it gave a false positive on an animated card a friend of mine sent to about six of us. Everyone else was running Norton or McAfee, but me, and their a/v proggies did not hit on that card as being a virus. It was the title that set it off for me (apparently PC-cillin was super sensitive back then?) I spent something like four hours online with a friend that night trying to figure out if I had been infected or not (I was a true newbie in those days).) I have to wonder if all of us who are having this problem are using the same version of mIRC? I'm running 6.12. I d/l mine from the official website too. Perhaps we're the only ones affected and therefore it's some sort of a benign glitch in the mIRC program itself??? Any thoughts (after all, I may have been around the block a few times on mIRC, but I'm no puter pro for sure).
I've been hit with so many things, and luckily my e_trust program has pulled my fat out of the fire each time. Anyway, I've rambled on enough for the new kid on the block. And thanks to whoever it was that posted those links for other sites offering free online scans. I ran one of the spy bot checkers (whatever the tecchie term is), and I am free and clean of ickies like that too...thanks again!
ouizee grin

#76419 05/04/04 02:35 PM
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
it's only been happening recently, and reports from users say it's happening on more than one version of mIRC. I use housecall regularly and checked for all the files and registry entries before using it this time. (last time i had no probs) None present. Had the same thing happen that you and others report using Housecall. Opened mIRC (didn't even bother to connect), checked again, ran the scan again. Same thing. While i am inclined to agree it is indeed a false positive for many ppl (especially since no one is more neurotic about avoiding potential for trojans than i am) until Trendmicro's virus docs figure out what's going on we're making educated guesses. Check it out, run a couple other things to be sure, and wait for them to let us know their findings. I'm sure if it is a false positive they will make the necessary tweaks.


ParaBrat @#mIRCAide DALnet
#76420 05/04/04 11:50 PM
Joined: Apr 2004
Posts: 1
7
Mostly harmless
I'm having the exact same problem as johnbull. I've run every free AV program I can get my hands on. I've also run Spybot and Ad-Aware, yet only trendmicro finds it, and my typical trendmicro run ends up with the same results as john's.

For the most part, I believe it is a false positive, yet for some reason I've been mysteriously k-lined from a server I very rarely join on plus the servers I idle on frequently, I tend to get nickserv killed and I get more software connection aborts. Before I noticed I had this malware.bkdr_ircflood.x on my computer, I hardly ever had any of these problems. Now they happen 1-2 times an hour.

I'm starting to get worried, because I have no clue where this trojan is at, if I do, in fact, have one. I hope someone finds an answer quick. frown

#76421 06/04/04 02:45 AM
Joined: Apr 2004
Posts: 4
J
Self-satisified door
I wouldn't mind at all if this was a false positive but, the thing is "Why now?"

I've been scanning my comp w/ trend micro for a long time and did a couple of days before micro caught it.

And another thing, right now, there are so many of these links running around rampant on mirc. I've never seen so many infected ppl (ppl advertising, which they can't see).

Now, if I am not infected w/ anything then why was I advertising the infection borne link?

My guess is that this is opening a port (obviously). It's only a matter of time when he installs a trojan through that port. So, what I do is this; scan after I connect to mirc (don't have to scan the whole hd just till MT removes this thing.)

#76422 06/04/04 05:22 AM
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
AV constantly add things, i didn't have any problem a couple days before either. It's always possible someone is actually infected, but when none of the files or registry changes are present, ppl can't help but wonder if it's a false positive. they do happen


ParaBrat @#mIRCAide DALnet
#76423 06/04/04 06:57 AM
Joined: Apr 2004
Posts: 2
P
Bowl of petunias
Let me begin by saying I've read every post here and still am not sure what to believe

One thing you might find interesting is if I run a trendmicro scan while running mirc I get a different virus alert

the virus is worm_thrax.a

http://de.trendmicro-europe.com/enterpri...amp;amp;VSect=T is where more information of this can be found. When I run trendmicro when IRC is not running it detects Bkdr_Ircflood.X.


I'd really like any information about this.

Thank you for reading.

#76424 06/04/04 03:50 PM
Joined: Apr 2004
Posts: 4
J
Self-satisified door
Read this thread, http://www.esreality.com/?a=post&id=647799 , too.

Some of these guys ARE infected with a "wsz32.exe."

Again, I found nothing of the sort.

#76425 06/04/04 05:16 PM
Joined: Apr 2004
Posts: 1
V
Mostly harmless
similar but would like to add:
using xp pro

when i found that there was no 'chatfile' key in my registry, i did a system restore to a point before i had the virus and the chatfile key was there. kinda made me doubt that this is a false positive.... I then un-did the system restore and did the following.

a registry search [start-run-regedit-click edit-find-then type in the file name] for the IEEXEC.EXE file and found it along with BKDR_IRCFLOOD* and malware.BKDR_IRCFLOOD.* Next i removed those 'entries' from my registry, just deleted the info and left the field blank.

Today i did the same registry search and the IEEXEC.EXE file is back but the other two files were not present.

During all of this i continued to scan using trendmicro and the 'malware cleaned' pop up would occur every time even though i had removed the files from my registry.

if this is a false positive, it sure is an active one!!!


#76426 06/04/04 11:39 PM
Joined: Apr 2004
Posts: 1
S
Mostly harmless
I really do think this is a false positive for some. For those like me, (where during the "system file" search, which is prior to searching any files, it says "found and cleaned malware.Bkdr_Ircflood.X", but does not list any files, and then the check runs through all files on the hard drive and finds nothing). I checked on the page given earlier "http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=BKDR_IRCFLOOD.X" which lists details about the virus. Under my registry entry, the default points to mirc.exe like it should, and not ieexec.exe like the page says it does. Also, I think I know why every time you restart mIRC it will re-find the virus and clean it again. On that same page it talks about many registry locations of "chatfile...". Well apparently, when you start up mIRC, all these entries are created. I checked them, and they all pointed to mirc.exe and not ieexec.exe, however, I believe that the trendmicro scanner is seeing these entries and assuming that it is the virus, and deletes those entries. Because after I run the virus scan and it says it cleaned it, I can no longer find any entries of "chatfile...". However, again if I close mIRC and restart it, those entries are back. I think this is where the false positives are coming from. Just a guess. Anyone care to comment on this? Please let me know, if you are like me, and have the same thing, with those reg entries reappearing every time you start mIRC, but with them pointing to your mirc.exe and not an ieexec.exe. Thanks.

PS. This is not directed to any one person. Just to those that are having a similar situation where NO FILES are listed as infected, just during the "system file" scan at the beginning.

One final thing, just so someone can verify this for me. I have mIRC version 6.14 downloaded from mirc.com and installed. My mirc.exe has a MD5 Sum of: 31F010FCF0B67737B04F3B8F2C2639F5
If someone else who does NOT have this problem can check theirs and see if it matches mine, that would be great. Thanks.
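
The check described in the post above (whether the `irc` and `ChatFile` handler commands point to mirc.exe or to IEEXEC.EXE, and what the launched binary hashes to) can be scripted. This is an added example, not part of any poster's message or of Trend Micro's instructions; it assumes PowerShell 4 or later, and the function names are hypothetical.

```powershell
# Added example. The two key paths and the file names mirc.exe / IEEXEC.EXE
# are the ones quoted in this thread; everything else is an assumption.
$handlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\irc\Shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\ChatFile\Shell\Open\Command'
)

function Get-HandlerTarget {
    param([string]$CommandLine)
    # Handles both  "C:\dir\app.exe" args  and  C:\dir\app.exe args
    if ($CommandLine -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Get-HandlerReport {
    foreach ($key in $handlerKeys) {
        $command = $null; $target = $null; $md5 = $null; $leaf = ''
        if (Test-Path -LiteralPath $key) {
            # GetValue('') reads the key's (Default) value
            $command = (Get-Item -LiteralPath $key).GetValue('')
            $target  = Get-HandlerTarget -CommandLine $command
        }
        if ($target) { $leaf = [System.IO.Path]::GetFileName($target) }
        if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
            # MD5 only because the post compares MD5 sums between users
            $md5 = (Get-FileHash -LiteralPath $target -Algorithm MD5).Hash
        }
        $verdict = 'other target, review by hand'
        if ($leaf -ieq 'mirc.exe')   { $verdict = 'points to mirc.exe' }
        if ($leaf -ieq 'ieexec.exe') { $verdict = 'points to IEEXEC.EXE, as in the write-up' }
        if (-not $command)           { $verdict = 'key or default value absent' }
        [pscustomobject]@{
            Key = $key; Command = $command; Target = $target
            MD5 = $md5; Verdict = $verdict
        }
    }
}

Get-HandlerReport | Format-List
```

Running it once right after starting mIRC and once after a scan shows whether the `ChatFile` entries were present and then removed, which is the behaviour the post describes.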

#76427 07/04/04 01:03 AM
Joined: Apr 2004
Posts: 1
T
Mostly harmless
This is starting to really annoy me.. I've done everything I can to get rid of this. I've found nothing that housecall says I should find. No viruses, trojans, worms, nothing. Yet I still get this msg when I scan.. So is this something we can ignore?

#76428 07/04/04 01:04 AM
Joined: Dec 2002
Posts: 1,541
L
Hoopy frood
I'd say (after all this time) if trend still finds issue BUT when you follow their advice you see none of the harmful things (files/entries) that you should keep it in mind, but not worry about it as much as it (to me) SOUNDS like a false positive. I figure they'll figure this out soon and then we can be done with this once and for all lol


Those who fail history are doomed to repeat it
#76429 07/04/04 07:33 AM
Joined: Apr 2004
Posts: 1
B
Mostly harmless
I'm not too sure about this as i have had this detected on my system, like everyone else i ran norton and it found nothing related to this virus but trend picked it up. the problem I'm having is that i found a file called NOTEPAD.exe so i deleted it, i also found loads of registry entries relating to it. And also found a funny entry in startup. the problem I'm having is that i can't get rid of it either but mine seems to be doing something, it won't let me speak to anyone on irc they can't hear me and i can't see any txt other than joins/quits in every channel, this is really annoying anyone else had this problem from the virus ???
