Re: Backdoor.irc.bot
From: Manish (anonymous_at_discussions.microsoft.com)
Date: 07/05/04
- Previous message: Manish: "Re: Backdoor.irc.bot"
- In reply to: Chuck: "Re: Backdoor.irc.bot"
Date: Mon, 5 Jul 2004 09:13:39 -0700
Chuck,
I will try this out.
Thanks
>-----Original Message-----
>On Mon, 5 Jul 2004 06:26:49 -0700, "Manish Dewan"
><dewanmanish@yahoo.com> wrote:
>
>>My pc is infested with this backdoor.irc.bot.
>>I am unable to get connected to Symantec website.
>>This is for Windows XP home System.
>>The infested file is WindowsSystem32.*** file. Hence
>>the Symantec Antivirus is denied permission.
>>
>>How can I remove this virus?
>>
>>Thanks
>>
>>Manish
>
>Manish,
>
>Sounds like you may have multiple infections, including a browser or dns
>hijack.
>
>The hijack apparently interferes with your ability to access websites. You may
>have to resolve the ip addresses manually to get the tools to find and remove
>the infection.
>
>All-NetTools and DNSStuff websites both help you resolve (lookup) addresses.
>
><http://www.all-nettools.com/toolbox> (Use NSLookup)
><http://216.92.207.177/toolbox>
><http://www.dnsstuff.com/> (Use Ping)
><http://69.2.200.183/>
>
>Install and run Stinger.
><http://us.mcafee.com/virusInfo/default.asp?id=stinger>
>
>Search your entire system drive, including hidden and system folders, for file
>"hosts". There is one legit copy, in C:\WINDOWS\system32\drivers\etc\. The
>others are possibly bogus, and part (but just part) of the problem. Examine the
>contents of each copy found, using Notepad. (HINT: Scroll to the end of each
>Hosts file, by hitting Ctrl-End, then back up to the top, page by page, before
>deciding that the file is empty. Look out for blank lines at the beginning and
>end of the file, after localhost, placed there by an exploit!)
>
>Try one or more of these free online virus scans, which should complement NAV:
><http://www.bitdefender.com/scan/license.php>
><http://www.pandasoftware.com/activescan>
><http://www.ravantivirus.com/scan/>
><http://security.symantec.com/ssc/home.asp>
><http://housecall.trendmicro.com/housecall/start_corp.asp>
>
>Now check for, and learn to defend against, additional problems. Have you
>downloaded these programs before? Download them again, as the latest version
>may be needed to keep up with the current level of malware being attempted
>constantly - get the absolutely most current version of each product listed.
>They're all free - and most pretty small, so they download quickly enough.
>
>Start by downloading each of the following free tools:
>AdAware <http://www.lavasoftusa.com/>
>CWShredder <http://www.majorgeeks.com/download4086.html>
>CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval
><http://www.majorgeeks.com/download4113.html>
>HijackThis <http://www.majorgeeks.com/download.php?det=3155>
>LSP-Fix and WinsockLSPFix <http://www.cexx.org/lspfix.htm>
>Spybot S&D <http://www.safer-networking.org/index.php?page=download>
>
>Create a separate folder for HijackThis, such as C:\HijackThis - copy the
>downloaded file there. Spybot S&D has an install routine - run it. The other
>downloaded programs can be copied into, and run from, any convenient folder.
>
>Start by closing all Internet Explorer and Outlook windows, and running
>CoolWebSearchSmartKillerMiniRemoval, then CWShredder. Have the latter fix all.
>
>Next, run AdAware. First update it ("Check for updates now"), configure for
>full scan (<http://www.lavahelp.com/howto/fullscan/>), then scan ("Start" - "Use
>custom scanning options" - "Next"). When scanning finishes, select everything,
>and hit Next again.
>
>Next, run Spybot S&D. First update it ("Search for updates"), then run a scan
>("Check for problems"). Trust Spybot, and delete everything ("Fix Problems")
>that is displayed in Red.
>
>Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the
>HJT Log.
><http://forums.spywareinfo.com/index.php?showtopic=227>
>
>Finally, have your HJT log interpreted by experts at one or more of the
>following security forums (and post it, or a link to your forum posts, here):
>Aumha: <http://forum.aumha.org/index.php>
>Net-Integration: <http://forums.net-integration.net/>
>Spyware Info: <http://forums.spywareinfo.com/>
>Spyware Warrior: <http://spywarewarrior.com/index.php>
>Tom Coyote: <http://forums.tomcoyote.org/>
>Wilders Security: <http://www.wilderssecurity.com/>
>
>If removal of any spyware affects your ability to access the internet (some
>spyware builds itself into the network software, and its removal may damage your
>network), run LSP-Fix and / or WinsockXPFIx.
>
>And Manish, please don't contribute to the spread and success of email address
>mining viruses. Learn to munge your email address properly, to keep yourself a
>bit safer when posting to open forums. Protect yourself and the rest of the
>internet - read this article.
>http://www.mailmsg.com/SPAM_munging.htm
>
>BTW, please read this article about Cross-Posting vs Multi-Posting:
>http://www.uwasa.fi/~ts/http/crospost.html
>
>Cheers,
>Chuck
>Paranoia comes from experience - and is not necessarily a bad thing.
>.
>
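
Added example, not part of either poster's message: a small Python check for the hosts-file inspection described in the quoted reply, reporting entries other than localhost and marking those that sit behind a run of blank lines. The watch list, the padding threshold and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: watch list built from vendor domains linked in the thread above.
WATCHED = ("symantec.com", "mcafee.com", "trendmicro.com", "bitdefender.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
PADDING = 5  # consecutive blank lines treated as deliberate padding


def audit_hosts(text):
    """Return (line_no, name, reason, after_padding) for each suspect entry."""
    findings, blank_run = [], 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            blank_run += 1
            continue
        entry = raw.split("#", 1)[0].split()
        if not entry:  # comment-only line: neither an entry nor padding
            continue
        after_padding, blank_run = blank_run >= PADDING, 0
        try:
            ipaddress.ip_address(entry[0])
        except ValueError:
            findings.append((line_no, entry[0], "bad-address", after_padding))
            continue
        for name in (n.lower().rstrip(".") for n in entry[1:]):
            if name in LOCAL_NAMES:
                continue
            watched = any(name == d or name.endswith("." + d) for d in WATCHED)
            reason = "vendor-override" if watched else "extra-entry"
            findings.append((line_no, name, reason, after_padding))
    return findings


# Constructed sample: a localhost line, 40 blank lines, then injected entries.
SAMPLE = (
    "# sample hosts file (constructed)\n"
    "127.0.0.1       localhost\n"
    + "\n" * 40
    + "127.0.0.1       security.symantec.com\n"
    "127.0.0.1       us.mcafee.com\n"
    "203.0.113.10    update.example.test\n"
)

if __name__ == "__main__":
    for line_no, name, reason, hidden in audit_hosts(SAMPLE):
        print(f"line {line_no}: {name} [{reason}]" + (" (after padding)" if hidden else ""))
```

Run it against the text of every "hosts" copy found on the drive; a clean file containing only the localhost line yields no findings.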