Re: Backdoor.irc.bot

From: Manish (anonymous_at_discussions.microsoft.com)
Date: 07/05/04

Date: Mon, 5 Jul 2004 09:13:39 -0700

Chuck,

I will try this out.

Thanks

>-----Original Message-----
>On Mon, 5 Jul 2004 06:26:49 -0700, "Manish Dewan" <dewanmanish@yahoo.com> wrote:
>
>>My pc is infested with this backdoor.irc.bot.
>>I am unable to get connected to Symantec website.
>>This is for Windows XP home System.
>>The infested file is WindowsSystem32.*** file. Hence
>>the Symantec Antivirus is denied permission.
>>
>>How can I remove this virus?
>>
>>Thanks
>>
>>Manish
>
>Manish,
>
>Sounds like you may have multiple infections, including a browser or dns hijack.
>
>The hijack apparently interferes with your ability to access websites. You may have to resolve the ip addresses manually to get the tools to find and remove the infection.
>
>All-NetTools and DNSStuff websites both help you resolve (lookup) addresses.
>
><http://www.all-nettools.com/toolbox> (Use NSLookup)
><http://216.92.207.177/toolbox>
><http://www.dnsstuff.com/> (Use Ping)
><http://69.2.200.183/>
>
>Install and run Stinger.
><http://us.mcafee.com/virusInfo/default.asp?id=stinger>
>
>Search your entire system drive, including hidden and system folders, for file "hosts". There is one legit copy, in C:\WINDOWS\system32\drivers\etc\. The others are possibly bogus, and part (but just part) of the problem. Examine the contents of each copy found, using Notepad. (HINT: Scroll to the end of each Hosts file, by hitting Ctrl-End, then back up to the top, page by page, before deciding that the file is empty. Look out for blank lines at the beginning and end of the file, after localhost, placed there by an exploit!)
>
>Try one or more of these free online virus scans, which should complement NAV:
><http://www.bitdefender.com/scan/license.php>
><http://www.pandasoftware.com/activescan>
><http://www.ravantivirus.com/scan/>
><http://security.symantec.com/ssc/home.asp>
><http://housecall.trendmicro.com/housecall/start_corp.asp>
>
>Now check for, and learn to defend against, additional problems. Have you downloaded these programs before? Download them again, as the latest version may be needed to keep up with the current level of malware being attempted constantly - get the absolutely most current version of each product listed. They're all free - and most pretty small, so they download quickly enough.
>
>Start by downloading each of the following free tools:
>AdAware <http://www.lavasoftusa.com/>
>CWShredder <http://www.majorgeeks.com/download4086.html>
>CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval <http://www.majorgeeks.com/download4113.html>
>HijackThis <http://www.majorgeeks.com/download.php?det=3155>
>LSP-Fix and WinsockLSPFix <http://www.cexx.org/lspfix.htm>
>Spybot S&D <http://www.safer-networking.org/index.php?page=download>
>
>Create a separate folder for HijackThis, such as C:\HijackThis - copy the downloaded file there. Spybot S&D has an install routine - run it. The other downloaded programs can be copied into, and run from, any convenient folder.
>
>Start by closing all Internet Explorer and Outlook windows, and running CoolWebSearchSmartKillerMiniRemoval, then CWShredder. Have the latter fix all.
>
>Next, run AdAware. First update it ("Check for updates now"), configure for full scan (<http://www.lavahelp.com/howto/fullscan/>), then scan ("Start" - "Use custom scanning options" - "Next"). When scanning finishes, select everything, and hit Next again.
>
>Next, run Spybot S&D. First update it ("Search for updates"), then run a scan ("Check for problems"). Trust Spybot, and delete everything ("Fix Problems") that is displayed in Red.
>
>Then, run HijackThis ("Scan"). Do NOT make any changes immediately. Save the HJT Log.
><http://forums.spywareinfo.com/index.php?showtopic=227>
>
>Finally, have your HJT log interpreted by experts at one or more of the following security forums (and post it, or a link to your forum posts, here):
>Aumha: <http://forum.aumha.org/index.php>
>Net-Integration: <http://forums.net-integration.net/>
>Spyware Info: <http://forums.spywareinfo.com/>
>Spyware Warrior: <http://spywarewarrior.com/index.php>
>Tom Coyote: <http://forums.tomcoyote.org/>
>Wilders Security: <http://www.wilderssecurity.com/>
>
>If removal of any spyware affects your ability to access the internet (some spyware builds itself into the network software, and its removal may damage your network), run LSP-Fix and / or WinsockXPFix.
>
>And Manish, please don't contribute to the spread and success of email address mining viruses. Learn to munge your email address properly, to keep yourself a bit safer when posting to open forums. Protect yourself and the rest of the internet - read this article.
>http://www.mailmsg.com/SPAM_munging.htm
>
>BTW, please read this article about Cross-Posting vs Multi-Posting:
>http://www.uwasa.fi/~ts/http/crospost.html
>
>Cheers,
>Chuck
>Paranoia comes from experience - and is not necessarily a bad thing.
>.
>
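The hosts-file check Chuck describes (vendor sites sinkholed or redirected, entries pushed off-screen behind blank lines after localhost), as an added example that is not part of the original thread. The vendor name fragments and the sample hosts content are constructed for this example.

```python
import ipaddress
import re

# Assumed vendor name fragments for this example; the thread's motivating
# case is the victim being unable to reach the Symantec website.
VENDOR_FRAGMENTS = ("symantec", "mcafee", "trendmicro", "pandasoftware",
                    "bitdefender", "lavasoft", "safer-networking")


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every mapping line in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an "ip hostname" line
        yield line_no, ip, [h.lower() for h in fields[1:]]


def suspicious_entries(text):
    """Flag mappings for security-vendor hostnames and how deep they are buried."""
    lines = text.splitlines()
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        hijacked = [h for h in hosts if any(v in h for v in VENDOR_FRAGMENTS)]
        if not hijacked:
            continue
        # Count the run of blank lines directly above this entry: the post warns
        # that exploits pad the file so the entry sits off-screen in Notepad.
        padding, i = 0, line_no - 2
        while i >= 0 and not lines[i].strip():
            padding, i = padding + 1, i - 1
        findings.append({
            "line": line_no, "ip": str(ip), "hosts": hijacked,
            "blank_lines_before": padding,
            # loopback sinkholes the site; any other address is a redirect
            "kind": "block" if ip.is_loopback else "redirect",
        })
    return findings


# Constructed sample: a normal header, 40 blank lines, then hidden entries.
SAMPLE_HOSTS = ("# Copyright (c) 1993-1999 Microsoft Corp.\n"
                "127.0.0.1       localhost\n" + "\n" * 40 +
                "127.0.0.1 www.symantec.com\n"
                "127.0.0.1 securityresponse.symantec.com\n"
                "192.0.2.10 us.mcafee.com\n")
```

Run `suspicious_entries` over every copy of "hosts" found on the drive; any finding with a large `blank_lines_before` value is exactly the padding trick the post tells you to scroll past.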

