bkdr_ircflood.x

Discussion in 'adware, spyware & hijack cleaning' started by Sella, May 9, 2004.

Thread Status:
Not open for further replies.
  1. Sella

    Sella Guest

    Hi. I'm not sure if this is something you guys can help me with (although I REALLY hope so because I have no idea where else to get any help. :S). It takes me 20 minutes to get any server to work for irc (whether I'm using mIRC or Trillian), and when I get on I can only stay on for a couple minutes and then I get disconnected again. I don't understand. Anyway... my firewall just found a trojan/backdoor called 'bkdr_ircflood.x' and I found out more about it and it's a file called IEExece.exe or something. I deleted it and did my best to get rid of it but I have no idea if it's still on my pc.

    Do any of you know anything about this? Any help is greatly appreciated, thanks.

    -Sella
     
  2. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Hi, since we don't really know much about your system, start by doing this:

    Take a free Online Virus scan at http://housecall.trendmicro.com or http://www3.ca.com/virusinfo/virusscan.aspx.

    The 'bkdr_ircflood.x' does affect irc and it may allow outside access to your system. I would change all passwords and if you ave any financial data on your computer, I would alert your bank and/or credit card companies that your information may have been stolen.
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_IRCFLOOD.x


    Then follow the steps listed here: https://www.wilderssecurity.com/showthread.php?t=15913 there may well be other pests on your sytem.
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    with any IRC backdoor I would always run a specialised anti trojan who are better at detecting such pests than a standard antivirus

    run the online antiviruses first but check afterwards with an antitrojan


    lists of such applications here
    http://www.wilders.org/anti_trojans.htm

    the antitrojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

    sit back with a cup of coffee and watch what it finds

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt
     
  4. Sella

    Sella Guest

    Thank you! I tried scanning my pc with my firewall (pc-cillin) and the online scan at Symatec.. ( forgot the spelling ). Both found nothing. I deleted the files EEXEC.exe and the files that seemed to be associated with it.. It seems as if it's not on my pc anymore but I still am not able to connect to IRC (using Trillian). I don't understand why it does this.

    I am able to connect to a server for the first time fairly quickly, then after a few minutes that I'm online I am disconnected. I try another server and same thing, then when I've used up all the servers for "the first time" - I am unable to reconnect unless I wait 10-15 minutes before trying again. It's really frustrating.

    Since the virus is called ircflood I am assuming that maybe it is flooding the irc servers - which is why I can't reconnect immediately.

    I am getting so sick and tired of all these trojans n spyware >=(
     
  5. Sella

    Sella Guest

    This is what TDS 3 found:

    Scan Control Dumped @ 23:07:52 09-05-04
    Suspicious Filename: Dual extensions
    File: c:\documents and settings\rosanna\my documents\programs\trillian-v0.74h.exe



    What's dual extensions?
     
  6. Sella

    Sella Guest

    Ah... now I see. like "bla.jpg.exe" ... well other than that it didn't find anything else. Any suggestions/ideas/comments? :S
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    You can safely ignore that entry it's legit

    let's have a hjt log so we can see what else might be running

    go to http://www.thespykiller.co.uk and download 'Hijack This!'.
    make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  8. Sella

    Sella Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 12:04:19 AM, on 5/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.1\System32\smss.exe
    C:\WINDOWS.1\system32\winlogon.exe
    C:\WINDOWS.1\system32\services.exe
    C:\WINDOWS.1\system32\lsass.exe
    C:\WINDOWS.1\system32\svchost.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\system32\spoolsv.exe
    C:\WINDOWS.1\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\PROGRA~1\PHILIP~1\VProperty.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Trillian\trillian.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Rosanna\Desktop\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = "x"
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.1\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS.1\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - Startup: Trillian.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38097.6685648148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This has been turning up in afew logs recently and I don't know what it is
    C:\PROGRA~1\PHILIP~1\VProperty.exe

    I think it's something to do with a Philips digicam or similar, but I can't find out for definite

    so please find that file , right click it and see what it's properties tab says please.

    Have you installed a camera or scanner or whatever recently ?
     
  10. Sella

    Sella Guest

    No not recently, but yes it's a program that comes in the cd with my webcam
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  12. Sella

    Sella Guest

    Thanks I think I got rid of it...

    Take a look here:


    Logfile of HijackThis v1.97.7
    Scan saved at 8:23:17 PM, on 5/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.1\System32\smss.exe
    C:\WINDOWS.1\system32\winlogon.exe
    C:\WINDOWS.1\system32\services.exe
    C:\WINDOWS.1\system32\lsass.exe
    C:\WINDOWS.1\system32\svchost.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\WINDOWS.1\system32\spoolsv.exe
    C:\WINDOWS.1\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\WINDOWS.1\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\PROGRA~1\PHILIP~1\VProperty.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Documents and Settings\Rosanna\Desktop\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = "x"
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.1\System32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS.1\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - Startup: Trillian.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38097.6685648148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com


    What are those ?
    I'm afraid to go to www.dcsresearch.com ....
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The first entry is Sun Java which is nothing to worry about

    www.dcsresearch.com is an old site of ours, TDS-3 sets a HOSTS entry to redirect you to our NEW forum site :) Nothing to worry about either, as long as you leave that entry in place.

    Your log looks clean, are you still having the problems ? If you are, you can email me, gavin@diamondcs.com.au and I'll try to help
     
Thread Status:
Not open for further replies.