Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Win32/IRCbot.8275

Status
Not open for further replies.
rsunra

rsunra

IS-IT--Management
Sep 30, 2003
53
AU
G'day

I'm having a problem with a Win2000 machine.

I keep getting an popup from my real time virus scan that says
G'day

I'm having a problem with a Win2000 machine.

I keep getting an popup from my real time virus scan that says

The Win32/IRCbot.8275!Worn virus was detected in C:\windows\system32\.exe.

The Virus scanner than deletes the file.

I ran scans with adware and the virus software (eTrust InoculateIT) with the latest updates and every 20 - 30 min I get the warning message.

What can I try?


Logfile of HijackThis v1.99.1
Scan saved at 1:29:18 PM, on 30/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\LVComS.exe
S:\transfer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cucrh.uwa.edu.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C349520-FD84-43C0-8627-E3CDA80BCE70}: Domain = uwa.edu.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uwa.edu.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uwa.edu.au
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
 
Sort by date Sort by votes
Delete the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

Also, go to the following:

housecall.trendmicro.com/ and run this...

Also, download Ewido:


Update it and run it...

Let us know.

Erik
 
Upvote 0 Downvote
Also, if it's not actually deleting them, try running the tools in Safe Mode (hit the F8 key repeatadly while powering on the system).
Run the tools from within there and it should clean it up.

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

javierdlm001
  • Locked
  • Question
"Win32.Downloader.gen" found as Malware by Spybot
Replies
3
Views
167
2ffat
2ffat
crackoo
  • Locked
  • Question
Encrypted files by Win32.Mabezat.A
Replies
2
Views
134
crackoo
crackoo
reporting
  • Locked
  • Question
fhexj6825097.exe Trojan Masquerades as Win32.Netsky.Q 1
Replies
10
Views
115
stormsurge
stormsurge
dvk1
  • Locked
  • Question
Win32/Heur Trojan --- How do I get rid of this thing?
Replies
3
Views
71
cmeagan656
cmeagan656
aastratech
  • Locked
  • Question
WIN32/PePatch virus
Replies
2
Views
75
aastratech
aastratech

Part and Inventory Search

Sponsor

Back
Top