Re: malware.Bkdr_Ircflood.X #76470 22/04/04 04:25 AM
ParaBrat (Hoopy frood)
Joined: Dec 2002
Posts: 3,127
Your being unable to connect to a server may not have anything to do with this issue with Trend. What message are you getting when you try to connect? Unable to connect? G-line/K-line? Are you sure that server is linked and working? (Check the network's website for a list of servers to try.)

In your main mIRC window, type (don't forget the /):
/server b0rk.uk.quakenet.org

If it doesn't connect, then try:
/server 213.221.165.248

If you can't connect, tell us the exact message you see, please.


ParaBrat @#mIRCAide DALnet
Re: malware.Bkdr_Ircflood.X #76471 22/04/04 04:40 AM
koei (Self-satisified door)
Joined: Apr 2004
Posts: 4
I can connect to every server except for GameSurge. I was initially G-lined for having the virus. Since then it's been removed. Now here's what I'm doing: I open mIRC, I try to connect to GameSurge, and this is what I get:

* Connecting to irc.gamesurge.net (6667)
-
-irc.gamesurge.net- *** Looking up your hostname
-
-irc.gamesurge.net- *** Checking Ident
-
-irc.gamesurge.net- *** Couldn't look up your hostname
-
-irc.gamesurge.net- *** No ident response
-
Ping? Pong!
-
bots/clones #rofl.gov.
-
Closing Link: rtuyu by Geneva.CH.EU.GameSurge.net (G-lined)
-
* Disconnected

I've checked the GameSurge website and I currently have no G-line. I've also tried all of their servers and I get the same message. I've posted on GameSurge's message boards and the admins say they removed my G-line. But it still says I'm G-lined.

Any ideas?

Re: malware.Bkdr_Ircflood.X #76472 22/04/04 04:45 AM
Mentality (Hoopy frood)
Joined: Jun 2003
Posts: 5,024
That's down to GameSurge's administration I'm afraid - they must have missed the g-line, or they have checked an incorrect IP address. If you browse the web through a proxy that would produce an incorrect IP/hostname. There's nothing we can do I'm afraid, you'll have to walk through the process with them.

The reason you get it on all servers is because a g-line is a global ban - set on all servers.

Best of luck.

Regards,


Mentality/Chris
Re: malware.Bkdr_Ircflood.X #76473 22/04/04 11:18 AM
Wiggy (Self-satisified door)
Joined: Apr 2004
Posts: 3
"By opening that link (clanbase hacked, blablabla..), your browser gets redirected to sh0ut3tb34ts,tk. This URL points your browser to a page containing some malicious code. Using the security holes of some browsers, the worm will then download another file. After being executed automatically, this file will install a hidden mIRC-client on your PC. This client automatically connects to a certain IRC server and joins a certain channel. By typing some commands in this channel, that guy could get full control over your PC. For example, he could see any file on your computer. The script even contains a special command which reads your CD-Keys for Half-Life, Battlefield 1942 + Vietnam, UT 2004 and Quake 3 from your registry and sends them directly to him."

That's what I've heard about this virus; does anyone know if it's true? I have also been infected and can't remove it. Every time I start nnscript (mIRC) it somehow comes back.

Tried to delete the extra notepad.exe and all that... makes no difference though.

Re: malware.Bkdr_Ircflood.X #76474 22/04/04 11:57 AM
Sat (Hoopy frood)
Joined: Apr 2004
Posts: 841
The shoutedbeats-tk trojan is only one of the many versions of mIRC-based trojans going around at the moment.

If you've been infected with that specific trojan, you could try this remover program (warning: use at your own risk!). However, please note that if you have been infected, the attacker has had full control over your system, so this remover tool is only the first step - you should definitely use recently updated anti-virus software as well (and that's always a good idea anyway, you might already have other infections on your system).


Saturn, QuakeNet staff
Re: malware.Bkdr_Ircflood.X #76475 22/04/04 01:00 PM
Wiggy (Self-satisified door)
Joined: Apr 2004
Posts: 3
I tried that Q-fix, it said I'm all clear... still HouseCall finds that virus every time I restart mIRC; Panda and Norton Antivirus 2004 can't find anything though... don't know which one of them to trust.

Re: malware.Bkdr_Ircflood.X #76476 22/04/04 01:07 PM
Sat (Hoopy frood)
Joined: Apr 2004
Posts: 841
Please make sure you have read the previous posts in this thread...


Saturn, QuakeNet staff
Re: malware.Bkdr_Ircflood.X #76477 22/04/04 01:38 PM
Wiggy (Self-satisified door)
Joined: Apr 2004
Posts: 3
I have... not helping me much since no one really knows how to remove the virus, at least not yet... I'll just have to wait I guess... or maybe it's time for a format c:

Re: malware.Bkdr_Ircflood.X #76478 22/04/04 03:17 PM
koei (Self-satisified door)
Joined: Apr 2004
Posts: 4
Has anyone else tried formatting or going back to a system restore point from before the virus? I know a few people have and said that it didn't work.

Re: malware.Bkdr_Ircflood.X #76479 22/04/04 03:28 PM
saxon (Fjord artisan)
Joined: Apr 2003
Posts: 210
No, it doesn't work... You'll notice that HouseCall cleans the virus, until you open mIRC again and it's reinstated.

HouseCall detects it whilst scanning system files. Whatever mIRC is adding there I don't know, as HouseCall doesn't inform you what or where the infected object is.

Re: malware.Bkdr_Ircflood.X #76480 22/04/04 04:28 PM
Mentality (Hoopy frood)
Joined: Jun 2003
Posts: 5,024
Quote:

not helping me much since no one really knows how to remove the virus, at least not yet...


As I have said in previous posts as have others, this is an mIRC help board - we're not virus experts (specifically) and the people to handle it must be the people who are qualified to. We're simply volunteer helpers who know little more than you do - everything "we" do know is explained in this thread.

Information and manual removal information is posted around the Internet, look through this thread and you'll find a link that explains Trendmicro's method of removal - if you've followed those steps and don't find what it suggests or do actually follow the instructions and remove said files, then the chances are you're not infected anymore.

If your issue is not with malware.Bkdr_Ircflood.X then it does not relate to this thread. You will need to use 2-3 virus scanners, as you have done, and if one is finding an infection and 2 are not, use another 2 virus scanners. If neither of them find it either, the chances are you are not infected.

Fact is, we have no/little chance of being able to directly help you, we don't know your computer setup, or know about every single virus (there are hundreds/thousands). All we can do is to provide you with a link that explains the infection and how to remove it. You can find that yourself though using Google.

This thread isn't here to help with viruses in general, it was started to report a possible false positive in Trendmicro. Trendmicro have said their virus doctors are looking into it, we cannot say anymore because we don't actually know anymore!

Good luck.

Regards,


Mentality/Chris
Re: malware.Bkdr_Ircflood.X #76481 23/04/04 11:53 PM
Emma261 (Mostly harmless)
Joined: Apr 2004
Posts: 1
I have the BKDR_IRCFLOOD.X malware on my computer too and am unable to connect to DALnet... I get akilled with the following message:
[1:38am] * Connecting to powertech.no.eu.dal.net (7000)
-
[1:38am] Local host: homebase (198.77.157.106)
-
[1:38am] ••• You are banned from connecting to this server ("You have been autokilled.")
-
[1:38am] -powertech.no.eu.dal.net- *** You are not welcome on this network.
-
[1:38am] -powertech.no.eu.dal.net- *** autokilled for [AKILL ID:1082727678K-a] [exp/os] Due to abuse from this host, you are no longer welcome on DALnet. See http://kline.dal.net/exploits/akills.htm#os for more information. (2004/04/23 16.49)
-
[1:38am] -powertech.no.eu.dal.net- *** Your IP is 62.243.15.65
-
[1:38am] -powertech.no.eu.dal.net- *** For assistance, please email kline@dal.net and include everything shown here.
-
[1:38am] ••• Error: Closing Link: 0.0.0.0 ([AKILL ID:1082727678K-a] [exp/os] Due to abuse from this host, you are no longer welcome on DALnet. See http://kline.dal.net/exploits/akills.htm#os for more information. (2004/04/23 16.49))
-
[1:38am] * Disconnected

I know that BKDR_IRCFLOOD.X is a dropper program that creates a folder (which I can't find) and creates an autorun registry entry that allows it to execute on every system startup.
It probably comes with mIRC 6.14 somehow and I have no idea how to get rid of it except go to HouseCall, which finds that particular file but not the rest of the files it drops. So every time I reboot, I have the same problem.

The files it drops are BKDR_IRCFLOOD.X .. BAT_IRCFLOOD.X and IRC_IRCFLOOD.X

It supposedly creates this folder (which I don't have)
C:\%Windows%\Microsoft.NET\Microsoft:NET\Framework\v1.0.3705\

When I do a search for BAT_IRCFLOOD.X the search comes up with 2 files: lpt$vpn.867 and vptnfile.867. Both are in C:\WINNT.

I run Windows 2000 server and have no idea what to do.

Re: malware.Bkdr_Ircflood.X #76482 24/04/04 12:03 PM
Iori (Hoopy frood)
Joined: Aug 2003
Posts: 1,831
"C:\%Windows%\Microsoft.NET\Microsoft:NET\Framework\v1.0.3705\" I think should be "C:\%Windows%\Microsoft.NET\Framework\v1.0.3705\" - "Microsoft:NET" is invalid in a path. On a Win 2000 system, that will expand to C:\WinNT\Microsoft.NET\Framework\v1.0.3705\ (Assuming windows is installed on C drive and uses the default 'winnt' directory)

lpt$vpn.867: According to http://security.uwo.ca/antivirus/patches.html this is a pattern file for detection/removal of WORM_MSBLAST.A & VARIANTS.

The URL "http://kline.dal.net/exploits/akills.htm#os" does not mention any particular trojan. There are many, many such worms out there.

I suggest you download a couple of the trojan removers listed in this post, update them and scan. The shareware versions will mostly give you thirty days of full usage to try them out.

Re: malware.Bkdr_Ircflood.X #76483 27/04/04 09:42 PM
kbaumgar (Self-satisified door)
Joined: Apr 2004
Posts: 4
I may have found a solution for some of us:

My circumstances were the so-called "sleeper" trojan. I emailed Trend Micro about it, and this is what I was told to do; I have not had any problems since:

1. Create a temporary folder in a location that you're familiar with (i.e. Desktop, C:\, My Documents etc.). To create a folder, right click on your target location and select New > Folder. Rename the folder 'system cleaner'.

2. Download sysclean.com here: http://www.trendmicro.com/ftp/products/tsc/sysclean.com
** Make sure to save sysclean.com to the 'system cleaner' folder created earlier, otherwise the scanning will not work.

3. You'll also need to download the latest pattern file. Sysclean.com will use the algorithms in this file to detect and clean viruses. Please download the latest virus pattern here: http://www.trendmicro.com/download/pattern.asp
** Once again, make sure to save the LPTxxx.zip file to the 'system cleaner' folder created earlier.

4. Once the virus pattern file download has been completed, you'll need to extract its contents to the 'system cleaner' folder. You'll need WinZip to extract the contents of the file. Please visit our knowledgebase for the instructions.

5. Check the 'system cleaner' folder for the following files: sysclean.com & lpt$vpn.xxx. Once the files are present, please restart your computer and access Windows SAFE MODE:
   a. Restart your computer.
   b. After the memory test and BEFORE the Windows loading screen appears, press F8 repeatedly.
   c. If successfully performed, a menu will be displayed. Choose 'Start Windows in Safe Mode' or 'Safe Mode'.

6. Once in Safe Mode, simply double left click on sysclean.com. It should start the scanning process and wipe out/clean viruses detected.

Worked for me... if it doesn't work for anyone else, then I don't know. Just try it.

Re: malware.Bkdr_Ircflood.X #76484 30/04/04 09:20 PM
R1pl3y (Ameglian cow)
Joined: Dec 2002
Posts: 23
OK, here is my problem with the whole situation: it's been about 27 days since ytytyt first received an email response from Trend. To not have any real answers on this subject almost a month later really irritates me (with Trend).
Does Khaled/mIRC not feel any obligation to hasten communications with Trend? I know if it were my program that was in this situation I would be communicating with them every day and informing people of any real information/answers that come out. Maybe he already has and nothing relevant can be posted publicly yet.
For it to take this long seems to me that nothing is being done (by Trend) because they probably think it's a false positive. Then again I may be quite wrong, as I don't know any history with other viruses and how long new and/or possibly troublesome, difficult viruses take to be resolved and fixes found for.
*wonders if ytytyt has yet received any response from Trend...*
Can anyone tell me a tool to use to see when/if a malicious mIRC is being operated from my computer and the traffic it would produce?
Sorry, but it really makes me MAD when someone/something prevents me from using mIRC to connect to IRC for almost 30 days!

(I have since formatted and am back on mIRC)


Re: malware.Bkdr_Ircflood.X #76485 30/04/04 09:38 PM
Mentality (Hoopy frood)
Joined: Jun 2003
Posts: 5,024
"Does Khaled/mIRC not feel any obligation to hasten communications with Trend? I know if it were my program that was in this situation I would be communicating with them every day and informing people of any real information/answers that come out."

Whilst Khaled is a famous guy on IRC, in the grand scheme of things he's not an A-list superstar. Him emailing Trend Micro may hold a little more salt with them, as they've no doubt heard of mIRC due to its use in infecting other people, but they probably won't feel hastened to answer him any more than you or me emailing them.
Plus, me, you, or anyone here don't know whether Khaled actually has contacted them about the issue or not. Who knows what Trend Micro are doing...

By the way, Khaled's life is made a little more hectic due to what I can only assume is the thousands of emails he receives per day, and that's with all the junk mail excluded - and real life too, plus Arnie takes a lot of his time up.

"Can anyone tell me a tool to use to see when/if a malicious mIRC is being operated from my computer and the traffic it would produce?"

This page has some good ideas on what to do and as you may have heard already (as it has been mentioned several times in this thread) - this post has many resources to get yourself uninfected.

Best of luck.

Regards,


Mentality/Chris
Re: malware.Bkdr_Ircflood.X #76486 30/04/04 11:31 PM
shy_and_quiet (Ameglian cow)
Joined: Aug 2003
Posts: 27
I'm really sorry to be another person adding to this thread, but I am really at a loss as to what to do, and I have been experiencing things that, after reading through all 5 pages of posts, no one else seems to have touched upon.

- I run AVG antivirus on my computer, which scans daily for me, and is updated weekly. A few days ago I started getting this message in relation to my AVG program:

Quote:
avgcc32.exe - Application Error
The Instruction at "0s5f4012a1" referenced memory at "0x00000004". The memory could not be "read".
Click on OK to terminate the program


So, I would click OK, and my AVG would shut down. When I restarted AVG I would
a) get that same message again, and it would immediately shut down - THEN
b) I would manually launch AVG, get that same message again, and it did not shut down AVG, but when AVG launched, it showed the "Control Center" as not being active and functional. Attempting to activate it sometimes worked, and sometimes caused AVG to shut down again.

- In an attempt to find out what was wrong, i tried to go to AVG's website at www.grisoft.com but always got the "this page could not be found" message.

- I tried other common/major antivirus websites, but was unable to access those as well, although all other websites loaded fine.

- I thought my problem was with AVG, so I uninstalled it, had a friend download the install file for me (as I was unable to access the website) and send me the install file. After reinstalling AVG, I was still getting the same error message.

- I then called a tech friend of mine, who suggested this:
a) deactivate System Restore
b) use Trend Micro's online scanner to check for viruses.

I discovered I was unable to access Trend Micro's homepage, but was able to access the HouseCall scanner page.

- I ran a scan using TM's House scan, and as it was doing the initial system scan, got the following message:

Quote:
Houseware has found and cleaned a malware.BKDR_IRCFLOOD.x


So, I clicked okay, and it then scanned my computer and found the following file:

Virus: DOS AGOBOT.HM
Scan result: Non Cleanable
File: c:\windows\system32\drivers\etc\hosts

Since it was not cleanable, I deleted the file.

- I then used TM's HouseCall scan once again, and it found nothing in the initial system scan and no viruses detected.

- After doing this, I found I was then able to access antivirus websites once again, including the ones at Trend Micro and Grisoft that I had previously not been able to access.

- I thought I had solved my problem, so I reactivated System Restore, and rebooted my computer.

- After my computer rebooted AVG tried to launch, and I got the same error message again. I was able to open it manually and then manually activate the "Control Center".

- I then launched all the programs I typically run on my computer, including two instances of mIRC (one for me, one for my bot), and several instant messaging programs.

- I found I was once again NOT able to access anti virus website. I was not able to access Grisoft nor Trend Micro's homepage.

- I once again found my way to Trend Micro's HouseCall scanner, and used it to scan my computer. I found:
a) on the initial system scan "malware.BKDR_IRCFLOOD.x" was there once again
b) it once again found "DOS AGOBOT.HM" in the same location as before.

- I then found my way here and read through all 5 pages of posts, and found that no one else seemed to have experienced the same things as I have.

I'm not a very technical person, and I don't understand things about "registries" or "keys", and I can't really understand all the things you all have said to look for and try.

Has anyone else found these same problems? Does anyone have any suggestion that can be made simple for someone who is a technical dummy?

Thank you, and I apologize once again for adding to this already long thread.

shy


~~~

I'm a Scripting Newbie, please forgive my questions, and have patience with me. Thanks!
Re: malware.Bkdr_Ircflood.X #76487 30/04/04 11:47 PM
tidy_trax (Hoopy frood)
Joined: Nov 2003
Posts: 2,327
At least I can help one person in this thread.

The virus found in:
c:\windows\system32\drivers\etc\hosts
is most likely the reason why you cannot access those websites; the hosts file can be used to change where URLs point to.
Find:
c:\windows\system32\drivers\etc\hosts
and edit it so only the following is in it:

127.0.0.1 localhost

The lines that start with a '#' are actually comments, so they are not important; you don't need to delete those lines.

Hope this helps a little bit.

Edit: I'm guessing that AGOBOT (aka GAOBOT) will just change the hosts file back, but it's a temporary solution.

Last edited by tidy_trax; 30/04/04 11:49 PM.

New username: hixxy
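A defender-side check for the hosts-file tampering described in the post above, added here as an example; it is not code from the thread, from mIRC or from any of the tools mentioned. The watched domain list and the sample hosts file are constructed for the demonstration.

```python
import ipaddress

# Domains the thread says became unreachable; the list itself is an assumption
# made for this example, extend it with whatever vendors you rely on.
WATCHED_DOMAINS = frozenset({"grisoft.com", "trendmicro.com"})


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping in a hosts file.

    Lines starting with '#' and anything after a '#' are comments and are
    skipped, matching the point above that comment lines carry no mappings.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield line_no, fields[0], name.lower()


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return suspicious mappings as (line_no, ip, hostname, reason) tuples.

    Flags any watched domain (or subdomain of one) mapped anywhere at all,
    and any name other than localhost pinned to a loopback or 0.0.0.0 address.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((line_no, ip, name, "watched domain remapped"))
        elif (addr.is_loopback or addr.is_unspecified) and name != "localhost":
            findings.append((line_no, ip, name, "name pinned to loopback"))
    return findings


def clean_hosts(text):
    """Return the file with every flagged line dropped; comments and the
    localhost line are kept, the end state recommended in the post above.

    A line is removed whole if any name on it was flagged.
    """
    flagged = {f[0] for f in find_hijacks(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), 1) if i not in flagged]
    return "\n".join(kept) + "\n"


# Constructed sample of a tampered hosts file (not captured from a real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.grisoft.com grisoft.com
127.0.0.1       housecall.trendmicro.com
0.0.0.0         www.trendmicro.com
192.168.0.10    fileserver.lan
"""

if __name__ == "__main__":
    for line_no, ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {name} ({reason})")
```

As the post's edit notes, a bot that rewrites the hosts file will undo the cleanup on its next run, so re-running the check after each reboot shows whether the infection is still active.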
Re: malware.Bkdr_Ircflood.X #76488 01/05/04 01:06 AM
Iori (Hoopy frood)
Joined: Aug 2003
Posts: 1,831
You should use a dedicated trojan cleaning program such as PestPatrol and/or TrojanRemover (or one of the others listed in this post) to get rid of Agobot.

Re: malware.Bkdr_Ircflood.X #76489 01/05/04 06:55 AM
landonsandor (Hoopy frood)
Joined: Dec 2002
Posts: 1,527
FWIW, kbaumgar's post (about 7 or 8 above this one in the thread) worked for me with the virus in the title of the thread. It ALSO worked for a friend of mine with other viruses she had, so maybe give that a try (for those who have NOT yet done so AND are experiencing problems or getting trojan message alerts).


Those who fail history are doomed to repeat it