backdoor flood

Discussion in 'malware problems & news' started by T Boy, Nov 5, 2002.

Thread Status:
Not open for further replies.
  1. T Boy

    T Boy Registered Member

    Joined:
    Nov 5, 2002
    Posts:
    3
    Location:
    Vancouver BC
    I have a backdoor flood virus with the file "WHVLXD". I delete it and it's back on startup. Any ideas? o_O
     
  2. cnm

    cnm Spyware Expert

    Joined:
    Oct 18, 2002
    Posts:
    39
    Location:
    Sunnyvale, CA
    What antivirus and antitrojan programs do you have? Won't either of them remove it?
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
  4. controler

    controler Guest

    Are you using an OS like Windows ME or XP with restore turned on?
    The file may appear to the OS to be a system file and therefore
    is restored on boot. If it is really a trojan and not a system file, try turning off restore.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi controler,

    Excuse my butting in like this, but I'm not sure what you mean. I was under the impression System Restore files only became active when the user chooses to go back to an older system state. This can be compared to re-installing a registry backup.
    Did you mean another kind of restore or are there other ways to initiate System Restore that I'm not aware of?

    Regards,

    Pieter
     
  6. Ghost

    Ghost Guest

  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Ahaaa, I see.

    Primrose found a link about disabling System Restore for XP with naked pictures and all (j/k about the naked part)
    http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

    Regards,

    Pieter
     
  8. T Boy

    T Boy Registered Member

    Joined:
    Nov 5, 2002
    Posts:
    3
    Location:
    Vancouver BC
    Norton 2002 on XP, but it does not want to fix or quarantine it.
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    T Boy,

    Can you look at the Symantec link I posted above and see if you have any of the files noted there? Also, can you check to see if the file that NAV identified is running on your system (look in the process list of the Task Manager by doing a Ctrl - Alt - Del and look for the named file).

    If that file is running, NAV might not be able to delete it. You can do an End Process on it from the Task Manager and then run a full scan as noted in the Symantec link.

    As for System Restore, a safe way to clean that would be to disable it, reboot, re-enable System Restore and reboot. This should wipe all contents of the System Restore folders.

    Are you comfortable using Regedit to scan for any Run or RunServices keys related to this trojan?
     
  10. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    What a great System Restore tip, I never knew about that!!
     
  11. T Boy

    T Boy Registered Member

    Joined:
    Nov 5, 2002
    Posts:
    3
    Location:
    Vancouver BC
    Yep, ............... I don't mind being in the registry
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Well then, at the very least, go into the registry and find out if any auto startup keys were set in the various Run keys and remove them; that's a big step forward in killing off the malware. Reboot and recheck for the keys (see if they came back). If not, make sure NAV defs are up to date and run a FULL scan again and see what it does.
     
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    It ought to start up from the HKLM run key, and it can usually just be unchecked on Msconfig's Startup tab.

    But do this, and we'll have a look:

    Go to http://www.spywareinfoforum.com/downloads.html , and download 'Startuplist' (in the "Startup Program Management" section).

    Unzip, double-click it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and please post the contents here.
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Take a look in the folder where this trojan file was found - there should be a bunch of other files related to it. There should be lots of INI and TXT files, and at least 2 or 3 EXE files. Common names for these files are:

    mirc.ini
    mirc2.ini
    mirc3.ini
    mirc4.ini
    remote.ini
    gates.txt
    27374.txt
    temp.exe (with the mIRC icon)
    temp2.exe
    temp.scr
    temp2.scr

    Usually the whole folder is created with the files in it. If the files are installed somewhere like the Windows folder, or you are unsure about the contents of files, you can email me at gavin@diamondcs.com.au and I will let you know what is safe to delete.
     
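The two checks the thread walks through (LowWaterMark's "look in the various Run keys, reboot, and recheck whether the entries came back" and Gavin's "look in the trojan's folder for its INI/TXT/EXE companions") can be done with one script. The following PowerShell is an added example for this page, not something posted in the thread or shipped by any of the tools mentioned. It assumes an elevated PowerShell prompt, uses the thread's file name "WHVLXD" only as a placeholder for `$SuspectName`, and copies the companion-file names from Gavin's post; the snapshot file path under `$env:TEMP` is my own choice.

```powershell
# Added example (not from the thread). Enumerates the auto-start Run keys,
# flags entries referencing a suspect file name, lists companion files in that
# file's folder, and snapshots the keys so they can be compared after a reboot.
param(
    [string]$SuspectName = 'WHVLXD'   # placeholder: file name the antivirus reported
)

# Auto-start locations discussed in the thread, both HKLM and HKCU variants.
# RunServices only exists on Windows 9x/ME; missing keys are skipped below.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

# Companion file names copied from Gavin's post (mIRC-based flood kits).
$companionNames = @('mirc.ini', 'mirc2.ini', 'mirc3.ini', 'mirc4.ini', 'remote.ini',
                    'gates.txt', '27374.txt', 'temp.exe', 'temp2.exe', 'temp.scr', 'temp2.scr')

$snapshotPath = Join-Path $env:TEMP 'runkeys-snapshot.csv'   # assumed location

function Get-AutoStartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

# Pull the executable path out of a Run-key command, quoted or unquoted.
function Get-CommandPath([string]$command) {
    if ($command -match '^"([^"]+)"') { return $Matches[1] }
    return ($command -split ' ')[0]
}

$entries = @(Get-AutoStartEntries)
Write-Host "Auto-start entries found: $($entries.Count)"
$entries | Format-Table -AutoSize

# LowWaterMark's recheck: compare with the snapshot taken before the reboot, if any
if (Test-Path $snapshotPath) {
    $previous = @(Import-Csv -Path $snapshotPath)
    $diff = Compare-Object -ReferenceObject $previous -DifferenceObject $entries `
                           -Property Key, Name, Command
    if ($diff) {
        Write-Host "`nChanges since last snapshot ('=>' new, '<=' removed):" -ForegroundColor Yellow
        $diff | Format-Table -AutoSize
    } else {
        Write-Host "`nNo auto-start changes since last snapshot."
    }
}

$suspects = @($entries | Where-Object { $_.Command -like "*$SuspectName*" })
foreach ($s in $suspects) {
    Write-Host "`n[!] Auto-start entry references $SuspectName :" -ForegroundColor Yellow
    Write-Host "    $($s.Key)\$($s.Name) = $($s.Command)"

    $exe = Get-CommandPath $s.Command
    $folder = Split-Path -Parent $exe
    if ($folder -and (Test-Path $folder)) {
        # Gavin's check: the trojan's folder usually holds INI/TXT/EXE companions
        $found = @(Get-ChildItem -Path $folder -File |
                   Where-Object { $companionNames -contains $_.Name.ToLower() })
        Write-Host "    Companion files in $folder : $($found.Count)"
        foreach ($f in $found) {
            Write-Host "      $($f.Name)  $($f.Length) bytes  $($f.LastWriteTime)"
        }
    }
}

# Save the current state so the next run (after reboot) can show what came back
$entries | Export-Csv -Path $snapshotPath -NoTypeInformation
Write-Host "`nSnapshot written to $snapshotPath; reboot and re-run to see if entries return."
```

Run it once before removing the entries and rebooting, then again afterwards: the `Compare-Object` section shows which auto-start values reappeared, which is the signal the thread uses to decide whether the infection is still re-creating itself. Only the HKLM/HKCU Run, RunOnce and RunServices keys are covered here, so a loader that starts from a service or a Winlogon value would not show up in this listing.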
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    You might want to take a look at these threads for your situation.

    irc.trojan virus found!!!

    IRC Flood>>>>
    http://www.dslreports.com/forum/remark,4893805~root=security,1~mode=flat

    IRC virus, how to find the registry keys
    http://www.dslreports.com/forum/remark,4920694~root=security,1~mode=flat

    Why Norton AntiVirus cannot repair files that are infected by a Trojan or a worm
    http://www.dslreports.com/forum/remark,4944303~root=security,1~mode=flat

    For it seems like you have the same or similar exploit. :(
     