I have a backdoor flood virus with the file "WHVLXD". I delete it and it's back on startup. Any ideas?
Yes, please tell us what program you are using that told you that you have "backdoor flood". The right package should be able to help you with this problem. Can you give us additional information on your particular situation? You can read about "Backdoor.IRC.Flood" at Symantec: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.flood.html
Are you using an OS like Windows ME or XP with restore turned on? The file may appear to the OS to be a system file and therefore is restored on boot. If it is really a trojan and not a system file, try turning off restore.
Hi controler, Excuse my butting in like this, but I'm not sure what you mean. I was under the impression System Restore files only became active when the user chooses to go back to an older system state. This can be compared to re-installing a registry backup. Did you mean another kind of restore or are there other ways to initiate System Restore that I'm not aware of? Regards, Pieter
I think they mean that the detection re-occurs during a full scan when you've got System Restore active - not that the files "became active" again. See http://service1.symantec.com/SUPPORT/ent-security.nsf/3d2a1f71c5a003348525680f006426be/365d4251002f832085256b4300675d39?OpenDocument
Ahaaa, I see. Primrose found a link about disabling System Restore for XP with naked pictures and all (j/k about the naked part) http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml Regards, Pieter
T Boy, Can you look at the Symantec link I posted above and see if you have any of the files noted there? Also, can you check to see if the file that NAV identified is running on your system (look in the process list of the Task Manager by doing a Ctrl - Alt - Del and look for the named file). If that file is running, NAV might not be able to delete it. You can do an End Process on it from the Task Manager and then run a full scan as noted in the Symantec link. As for System Restore, a safe way to clean that would be to disable it, reboot, re-enable System Restore and reboot. This should wipe all contents of the System Restore folders. Are you comfortable using Regedit to scan for any Run or RunServices keys related to this trojan?
Well then, at the very least, go into the registry and find out if any auto startup keys were set in the various Run keys and remove them; that's a big step forward in killing off the malware. Reboot and recheck for the keys (see if they came back). If not, make sure NAV defs are up to date, run a FULL scan again and see what it does.
It ought to start up from the HKLM Run key, and it can usually just be unchecked on Msconfig's Startup tab. But do this, and we'll have a look: Go to http://www.spywareinfoforum.com/downloads.html , and download 'Startuplist' (in the "Startup Program Management" section). Unzip it, double-click it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more. Go to Edit > Select All, copy it and please post the contents here.
Take a look in the folder where this trojan file was found. There should be a bunch of other files related to it: lots of INI and TXT files, and at least 2 or 3 EXE files. Common names for these files are mirc.ini, mirc2.ini, mirc3.ini, mirc4.ini, remote.ini, gates.txt, 27374.txt, temp.exe (with the mIRC icon), temp2.exe, temp.scr and temp2.scr. Usually the whole folder is created with the files in it. If the files are installed somewhere like the Windows folder, or you are unsure about the contents of files, you can email me, gavin@diamondcs.com.au, and I will let you know what is safe to delete.
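The checks the posters above describe (is the reported file running, is it referenced from a Run/RunServices key, and does its folder hold the mIRC companion files listed in the previous post) can be done read-only from a script. The following is an added example and is not code from this thread or from any of the posters; it assumes a PowerShell host (which the Windows ME/XP machines being discussed did not ship with), uses the file name "WHVLXD" from the original post as a placeholder for whatever name your AV reports, and assumes the Windows folder as the place the file was found. It only reports; it does not end processes or delete anything.

```powershell
# Added example, not from the thread: read-only triage for an IRC-flood style auto-start.
# $SuspectName and $SuspectFolder are placeholders; substitute what your AV reported.
param(
    [string]$SuspectName   = 'WHVLXD',          # name from the original post; treat as a placeholder
    [string]$SuspectFolder = $env:SystemRoot    # assumption: folder where the AV found the file
)

# Auto-start locations named in the thread. RunServices only exists on Windows 9x/ME,
# so Test-Path is used below to skip keys that are absent on a given host.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Companion file names listed in the previous post.
$CompanionNames = @('mirc.ini','mirc2.ini','mirc3.ini','mirc4.ini','remote.ini',
                    'gates.txt','27374.txt','temp.exe','temp2.exe','temp.scr','temp2.scr')

# Properties Get-ItemProperty adds for its own bookkeeping; these are not registry values.
$ProviderProps = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')

function Get-SuspectProcess {
    # Step 1 (Task Manager check): any running process whose name contains the suspect name.
    param([string]$Name)
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -like "*$Name*" } |
        Select-Object Id, ProcessName
}

function Get-SuspectAutostart {
    # Step 2 (Run-key check): every value under the Run keys whose data mentions the suspect name.
    param([string]$Name, [string[]]$Keys)
    $pattern = [regex]::Escape($Name)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            if ("$($p.Value)" -match $pattern) {
                [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = $p.Value }
            }
        }
    }
}

function Get-CompanionFiles {
    # Step 3 (folder check): which of the mIRC-style companion files sit beside the suspect file.
    param([string]$Folder, [string[]]$Names)
    foreach ($n in $Names) {
        $path = Join-Path -Path $Folder -ChildPath $n
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

Write-Output "== Processes matching '$SuspectName' =="
Get-SuspectProcess -Name $SuspectName | Format-Table -AutoSize

Write-Output "== Run-key values referencing '$SuspectName' =="
Get-SuspectAutostart -Name $SuspectName -Keys $RunKeys | Format-Table -AutoSize

Write-Output "== Companion files present in '$SuspectFolder' =="
Get-CompanionFiles -Folder $SuspectFolder -Names $CompanionNames | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so HKLM is readable; HKCU is only checked for the account running the script. Once you have confirmed an entry is the trojan's (compare it with the Symantec write-up linked above), the removal the posters describe is `Remove-ItemProperty -Path <Key> -Name <ValueName>` for the Run value and ending the process from Task Manager, followed by the full scan; keep a `reg export` of the key first so the change can be reversed if the entry turns out to be legitimate.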
You might want to take a look at these threads for your situation.
irc.trojan virus found!!! IRC Flood>>>> http://www.dslreports.com/forum/remark,4893805~root=security,1~mode=flat
IRC virus, how to find the registry keys http://www.dslreports.com/forum/remark,4920694~root=security,1~mode=flat
Why Norton AntiVirus cannot repair files that are infected by a Trojan or a worm http://www.dslreports.com/forum/remark,4944303~root=security,1~mode=flat
For it seems like you have the same or similar exploit.