bkdr_ircflood.x

Sella · May 9, 2004

Hi. I'm not sure if this is something you guys can help me with (although I REALLY hope so because I have no idea where else to get any help. :S). It takes me 20 minutes to get any server to work for irc (whether I'm using mIRC or Trillian), and when I get on I can only stay on for a couple minutes and then I get disconnected again. I don't understand. Anyway... my firewall just found a trojan/backdoor called 'bkdr_ircflood.x' and I found out more about it and it's a file called IEExece.exe or something. I deleted it and did my best to get rid of it but I have no idea if it's still on my pc.

Do any of you know anything about this? Any help is greatly appreciated, thanks.

-Sella

Nick · May 9, 2004

Hi, since we don't really know much about your system, start by doing this:

Take a free Online Virus scan at http://housecall.trendmicro.com or http://www3.ca.com/virusinfo/virusscan.aspx.

The 'bkdr_ircflood.x' does affect irc and it may allow outside access to your system. I would change all passwords and if you ave any financial data on your computer, I would alert your bank and/or credit card companies that your information may have been stolen.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_IRCFLOOD.x

Then follow the steps listed here: https://www.wilderssecurity.com/showthread.php?t=15913 there may well be other pests on your sytem.

dvk01 · May 9, 2004

with any IRC backdoor I would always run a specialised anti trojan who are better at detecting such pests than a standard antivirus

run the online antiviruses first but check afterwards with an antitrojan

lists of such applications here
http://www.wilders.org/anti_trojans.htm

the antitrojan that I use for dealing with them is

TDS3 from http://tds.diamondcs.com.au/

download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

sit back with a cup of coffee and watch what it finds

NOTE:

Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

post back with the tds log after running please, just copy & paste the entries from the scandump.txt

Sella · May 10, 2004

Thank you! I tried scanning my pc with my firewall (pc-cillin) and the online scan at Symatec.. ( forgot the spelling ). Both found nothing. I deleted the files EEXEC.exe and the files that seemed to be associated with it.. It seems as if it's not on my pc anymore but I still am not able to connect to IRC (using Trillian). I don't understand why it does this.

I am able to connect to a server for the first time fairly quickly, then after a few minutes that I'm online I am disconnected. I try another server and same thing, then when I've used up all the servers for "the first time" - I am unable to reconnect unless I wait 10-15 minutes before trying again. It's really frustrating.

Since the virus is called ircflood I am assuming that maybe it is flooding the irc servers - which is why I can't reconnect immediately.

I am getting so sick and tired of all these trojans n spyware >=(

Sella · May 10, 2004

This is what TDS 3 found:

Scan Control Dumped @ 23:07:52 09-05-04
Suspicious Filename: Dual extensions
File: c:\documents and settings\rosanna\my documents\programs\trillian-v0.74h.exe

What's dual extensions?

Sella · May 10, 2004

Ah... now I see. like "bla.jpg.exe" ... well other than that it didn't find anything else. Any suggestions/ideas/comments? :S

dvk01 · May 10, 2004

You can safely ignore that entry it's legit

let's have a hjt log so we can see what else might be running

go to http://www.thespykiller.co.uk and download 'Hijack This!'.
make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

Sella · May 10, 2004

Logfile of HijackThis v1.97.7
Scan saved at 12:04:19 AM, on 5/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\PHILIP~1\VProperty.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rosanna\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = "x"
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.1\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS.1\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - Startup: Trillian.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38097.6685648148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

dvk01 · May 10, 2004

This has been turning up in afew logs recently and I don't know what it is
C:\PROGRA~1\PHILIP~1\VProperty.exe

I think it's something to do with a Philips digicam or similar, but I can't find out for definite

so please find that file , right click it and see what it's properties tab says please.

Have you installed a camera or scanner or whatever recently ?

Sella · May 10, 2004

No not recently, but yes it's a program that comes in the cd with my webcam

dvk01 · May 10, 2004

only other thing left to fix is this entry that HJT is unable to fix
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
the fix is here
https://www.wilderssecurity.com/showthread.php?t=30668

Sella · May 10, 2004

Thanks I think I got rid of it...

Take a look here:

Logfile of HijackThis v1.97.7
Scan saved at 8:23:17 PM, on 5/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\PHILIP~1\VProperty.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\Rosanna\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = "x"
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.1\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS.1\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - Startup: Trillian.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38097.6685648148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com

What are those ?
I'm afraid to go to www.dcsresearch.com ....

Gavin - DiamondCS · May 10, 2004

Sella said:

Thanks I think I got rid of it...

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com

What are those ?
I'm afraid to go to www.dcsresearch.com ....
Click to expand...

The first entry is Sun Java which is nothing to worry about

www.dcsresearch.com is an old site of ours, TDS-3 sets a HOSTS entry to redirect you to our NEW forum site Nothing to worry about either, as long as you leave that entry in place.

Your log looks clean, are you still having the problems ? If you are, you can email me, gavin@diamondcs.com.au and I'll try to help

Log in or Sign up

bkdr_ircflood.x

Sella Guest

Nick Registered Member

dvk01 Global Moderator

Sella Guest

Sella Guest

Sella Guest

dvk01 Global Moderator

Sella Guest

dvk01 Global Moderator

Sella Guest

dvk01 Global Moderator

Sella Guest

Gavin - DiamondCS Former DCS Moderator

Log in or Sign up

bkdr_ircflood.x

Sella Guest

Nick Registered Member

dvk01 Global Moderator

Sella Guest

Sella Guest

Sella Guest

dvk01 Global Moderator

Sella Guest

dvk01 Global Moderator

Sella Guest

dvk01 Global Moderator

Sella Guest

Gavin - DiamondCS Former DCS Moderator

Useful Searches