
Trojan/Virus W32/IRCBot-xx Keeps Coming Back

Discussion in 'Virus & Other Malware Removal' started by 3 Shoes, Sep 20, 2007.

Thread Status:
Not open for further replies.
  1. 3 Shoes

    3 Shoes Thread Starter

    Joined:
    Sep 20, 2007
    Messages:
    5
    Hello I am new to your forum, computers and the internet so please bear with me

    Here is my problem, the other day while I was on msn messenger live I had clicked on to a link that was actually some sort of trojan/virus that was hidden in a file.

    My Msn box started to dance all around my screen, and to my surprise, this trojan/virus started to send out the same file to others that were my contacts and had their Msn Live messenger box on at the same time I had, posing itself off as me sending it

    Next I did a full scan with my Norton IS 2007 and it picked something up called serviser.exe & [email protected] being as a virus, then it proceeded to clean it out of my system

    I then used my Spysweeper and it came up stating I was Infected with W32/IRCBot-xx, I Quarantine such, cleaned out my Quarantine and then proceeded to do more scans however after each additional Spysweeper scan was done, this W32/IRCBot-xx would show back up again

    Now thereafter seeing that, I was more than a little upset, so I made a few phone calls to my Grandson's friends, who are more knowledgeable with computers than I am, they all suggested to me that I should do such scans in safe mode so I did

    That did not help either because this darn W32/IRCBot-xx keeps coming back and showing up In my Spysweeper

    I would like to know if someone here can give an Old Man a tad of a little guidance please with regard to my problem

    I have done many scans and cleaning with Norton IS 2007, Spy Sweeper, Bit Defender and the "FREE" CA Trust, Trend Micro and so on, being new to the computer I have thrown everything that I can think of at it, but this damn W32/IRCBot-XX just keeps showing back up in my comp, the fricking thing is like a Timex watch, It takes a beating and still keeps on ticking lol

    Anyway, some help from any one of the computer wizards here would be much appreciated by me

    I will give you a log that I just did :

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:38:50 PM, on 9/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "khg"
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/ca/en/securityadvisor/pestscan/pestscan.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188256354828
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/ca/en/securityadvisor/virusinfo/webscan.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 7029 bytes


    Thank you
     
  2. 3 Shoes

    3 Shoes Thread Starter

    I read that someone other than me may have the same problem so I just downloaded combofix.exe from http://forums.techguy.org/malware-removal-hijackthis-logs/600851-help-win32-ircbot-trojan.html

    Here is the log of it :

    ComboFix 07-09-20.1 - "khg" 2007-09-20 16:51:13.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.799 [GMT -5:00]
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-20 to 2007-09-20 )))))))))))))))))))))))))))))))
    .

    2007-09-20 16:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-20 14:52 <DIR> d-------- C:\WORK 1
    2007-09-20 11:45 <DIR> d-------- C:\WINDOWS\system32\xircom
    2007-09-20 01:01 <DIR> d-------- C:\Program Files\CCleaner
    2007-09-18 21:23 51,200 -r-hs---- C:\WINDOWS\system32\servicer.exe
    2007-09-18 14:43 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
    2007-09-18 14:43 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
    2007-09-18 14:43 278,576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
    2007-09-12 19:16 <DIR> d-------- C:\DOCUME~1\khg\Contacts
    2007-08-31 19:28 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
    2007-08-31 16:28 <DIR> d-------- C:\Program Files\Norton Internet Security
    2007-08-31 16:27 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-08-31 16:27 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-08-31 16:26 <DIR> d-------- C:\Program Files\Symantec
    2007-08-31 16:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
    2007-08-20 08:20 172 --a------ C:\WINDOWS\system32\status_giveio.bat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-20 12:56 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-09-20 12:56 10676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-09-20 12:29 --------- d-------- C:\Program Files\Common Files\Symantec Shared
    2007-09-19 09:33 --------- d-------- C:\Program Files\Windows Live Safety Center
    2007-09-18 14:44 1430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
    2007-09-18 14:44 1421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
    2007-09-18 14:44 1415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
    2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
    2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
    2007-09-18 14:44 10658 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
    2007-09-18 05:45 --------- d-------- C:\Program Files\PokerStars.NET
    2007-09-14 21:45 --------- d-------- C:\Program Files\TuneUp Utilities 2007
    2007-09-12 19:16 --------- d-------- C:\Program Files\MSN Messenger
    2007-09-08 12:54 --------- d-------- C:\Program Files\Common Files\Webroot Shared
    2007-09-08 12:54 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-09-05 15:43 69960 --a------ C:\WINDOWS\Unwash6.exe
    2007-08-21 16:40 --------- d-------- C:\Program Files\Winamp
    2007-08-12 23:31 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-08-12 23:16 --------- d-------- C:\DOCUME~1\khg\APPLIC~1\EAST Technologies
    2007-08-07 19:30 --------- d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-08-07 16:44 --------- d-------- C:\Program Files\ABBYY FineReader 6.0
    2007-08-07 16:44 --------- d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
    2007-08-07 16:43 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-07 16:43 --------- d-------- C:\Program Files\FaxTools
    2007-08-07 16:43 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
    2007-08-07 10:24 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-08-07 10:23 --------- d-------- C:\Program Files\Webroot
    2007-08-07 10:18 --------- d-------- C:\DOCUME~1\khg\APPLIC~1\Webroot
    2007-08-07 01:25 --------- d-------- C:\Program Files\Abexo
    2007-08-07 01:25 --------- d-------- C:\DOCUME~1\khg\APPLIC~1\Abexo
    2007-08-07 00:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-04 23:56 --------- d-------- C:\Program Files\Trend Micro
    2007-07-31 02:02 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-30 20:21 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
    2007-07-19 22:54 1521464 --a------ C:\WINDOWS\WRSetup.dll
    2007-07-19 22:42 23864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-07-19 22:42 21816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-07-19 22:42 20280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2007-07-19 22:42 163128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-06-26 21:25 69689 --a------ C:\WINDOWS\UNZIP.DLL
    2007-06-26 21:25 208896 --a------ C:\WINDOWS\PATCH.EXE
    2007-06-26 21:25 1142784 --a------ C:\WINDOWS\TMUPDATE.DLL
    2007-02-21 16:59 476752 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\pswi_preloaded.exe
    2007-02-21 21:39:28 8 --sh--r C:\WINDOWS\system32\BED0B1F426.sys
    2007-02-21 21:58:30 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logitech Utility"="Logi_MwX.Exe" [2002-11-08 04:50 C:\WINDOWS\LOGI_MWX.EXE]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-14 22:10]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 02:11]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "WUAppSetup"=C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"=0 (0x0)

    R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
    R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
    R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
    R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe
    R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
    R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
    S3 ATITUNEP;ATI WDM TV Tuner (Microsoft Corporation);C:\WINDOWS\system32\DRIVERS\atintuxx.sys
    S3 ativraxx;ATI WDM Rage Theater Audio (Microsoft Corporation);C:\WINDOWS\system32\DRIVERS\atinraxx.sys
    S3 ATIXSAudio;ATI WDM TV Audio (Microsoft Corporation) Crossbar (Microsoft Corporation);C:\WINDOWS\system32\DRIVERS\atinxsxx.sys

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-14 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
    "2007-09-20 21:56:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    "2007-09-18 07:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - khg.job"
    - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-20 16:56:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-20 16:59:14 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-20 16:58
    .
    --- E O F ---

    I will now wait for some 1 to reply back in this thread to help me out if possible

    I Kindly thank you In advance

    3 Shoes
     
  3. 3 Shoes

    3 Shoes Thread Starter

    I have also downloaded Superantispyware (SAS) free home version that being a few minutes ago, and I then followed these Instructions given by another member here on your forum to someone else :

    Install it and double-click the icon on your desktop to run it.

    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.

    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:

    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others as they were.
    o Click the Close button to leave the control center screen.

    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.

    · After the scan is complete a summary box will appear. Click OK.

    · Make sure everything in the white box has a check next to it, then click Next.

    · It will quarantine what it found and if it asks if you want to reboot, click Yes.

    · To retrieve the removal information for me please do the following:

    o After reboot, double-click the SUPERAntispyware icon on your desktop.

    o Click Preferences. Click the Statistics/Logs tab.

    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.

    · Click close and close again to exit the program.

    Here Is my Superantispyware (SAS) Scan Log as per Instructions given above :

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/20/2007 at 06:08 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3310
    Trace Rules Database Version: 1314

    Scan type : Complete Scan
    Total Scan Time : 00:39:51

    Memory items scanned : 463
    Memory threats detected : 0
    Registry items scanned : 6791
    Registry threats detected : 0
    File items scanned : 42250
    File threats detected : 1

    Unclassified.Unknown Origin/System
    C:\WINDOWS\SYSTEM32\SERVICER.EXE

    Thereafter the above noted scan was finished & that being prior to my comp rebooting, my SpySweeper Alert came back on to notify me that It too had found the W32/IRCBot-XX back In my system as well placing It In Quarantine

    I then proceeded again to rescan using SpySweeper, and the results after doing so are : VIRUS FOUND W32/IRCBot-XX to which I have now DELETED AGAIN from my SpySweeper Quarantine

    Here's My SpySweeper Log :

    6:55 PM: Removal process completed. Elapsed time 00:00:04
    6:55 PM: Informational: Virus infected file c:\documents and settings\khg\application data\superantispyware.com\superantispyware\quarantine\quarantine - 09-20-2007 - 18-10-12\{1dc78cbd-065b-4cf9-bc65-89994b2495cf} not cleaned.
    6:55 PM: Quarantining All Traces: W32/IRCBot-XX
    6:55 PM: Removal process initiated
    6:55 PM: Traces Found: 1
    6:55 PM: Full Sweep has completed. Elapsed time 00:37:43
    6:55 PM: File Sweep Complete, Elapsed Time: 00:34:21
    6:51 PM: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
    6:51 PM: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
    6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsb6c592fd-1d05-4f7a-a033-4bacb286a588.tmp]
    6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms99e5ff3d-8773-475c-b612-cd36c2d1129d.tmp]
    6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7c33a92d-d010-4f1e-915b-c03e1cd8c7ff.tmp]
    6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3fa022e0-4b4e-4a4b-8533-6865fd0f5830.tmp]
    6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms054e2ecb-642d-41db-b1d9-dda47df0041e.tmp]
    6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms09869d76-279f-4783-a2e1-24c92183ed1e.tmp]
    6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms52a2cbd9-e5f8-469e-8563-eeaf06b14030.tmp]
    6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4c13524d-7766-48f5-b4da-6a55453c528a.tmp]
    6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsb6c592fd-1d05-4f7a-a033-4bacb286a588.tmp". The operation completed successfully
    6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms99e5ff3d-8773-475c-b612-cd36c2d1129d.tmp". The operation completed successfully
    6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7c33a92d-d010-4f1e-915b-c03e1cd8c7ff.tmp". The operation completed successfully
    6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3fa022e0-4b4e-4a4b-8533-6865fd0f5830.tmp". The operation completed successfully
    6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms054e2ecb-642d-41db-b1d9-dda47df0041e.tmp". The operation completed successfully
    6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms09869d76-279f-4783-a2e1-24c92183ed1e.tmp". The operation completed successfully
    6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms52a2cbd9-e5f8-469e-8563-eeaf06b14030.tmp". The operation completed successfully
    6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4c13524d-7766-48f5-b4da-6a55453c528a.tmp". The operation completed successfully
    6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5f566d40-2867-4e31-aad6-b6684e059dcd.tmp]
    6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms9e3c93ed-871e-4dfe-8bd7-f11c7874f3b8.tmp]
    6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5f566d40-2867-4e31-aad6-b6684e059dcd.tmp". The operation completed successfully
    6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms9e3c93ed-871e-4dfe-8bd7-f11c7874f3b8.tmp". The operation completed successfully
    6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms6309fba1-05ce-4983-b93d-afdc9bf1ea73.tmp]
    6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\networkservice\ntuser.dat]
    6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\default]
    6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\pagefile.sys]
    6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\software]
    6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4d16c4d3-a03b-4752-b368-1150b0f229c3.tmp]
    6:47 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse1413e7c-d9b0-4d79-a770-3e0f824296b5.tmp]
    6:47 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\system]
    6:46 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsabc94ed4-c107-4b95-b52b-a854755268ee.tmp]
    6:45 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms355a1cbc-d288-4e61-8c3c-f6ae1ed58733.tmp]
    6:45 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsdb0b59d4-6cf0-49ed-a982-90ce35f1d02f.tmp]
    6:45 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse55a60fd-7b49-41f5-a3a7-c35d42d669d1.tmp]
    6:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\ntuser.dat]
    6:40 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms301d2d51-9d40-4897-a131-5a05565a2424.tmp]
    6:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\khg\ntuser.dat]
    6:38 PM: ApplicationMinimized - EXIT
    6:38 PM: ApplicationMinimized - ENTER
    6:35 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsb1ac944b-c248-4038-8ff3-c91644dd5504.tmp]
    6:29 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5c7e5051-70c2-4885-ab81-9b81b753001f.tmp]
    6:27 PM: ApplicationMinimized - EXIT
    6:27 PM: ApplicationMinimized - ENTER
    6:24 PM: ApplicationMinimized - EXIT
    6:24 PM: ApplicationMinimized - ENTER
    6:21 PM: C:\Documents and Settings\khg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 09-20-2007 - 18-10-12\{1DC78CBD-065B-4CF9-BC65-89994B2495CF} (ID = 0)
    6:21 PM: Found W32/IRCBot-XX: W32/IRCBot-XX
    6:20 PM: Starting File Sweep
    6:20 PM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
    6:20 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    6:20 PM: Starting Cookie Sweep
    6:20 PM: Registry Sweep Complete, Elapsed Time:00:00:06
    6:20 PM: Starting Registry Sweep
    6:20 PM: Memory Sweep Complete, Elapsed Time: 00:03:05
    6:17 PM: ApplicationMinimized - EXIT
    6:17 PM: ApplicationMinimized - ENTER
    6:17 PM: Starting Memory Sweep
    6:17 PM: Start Full Sweep
    6:17 PM: Sweep initiated using definitions version 993
    Keylogger: On
    E-mail Attachment: On
    6:14 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
    6:14 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites: On
    Hosts File Shield: On
    Internet Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    File System Shield: On
    Execution Shield: On
    System Services Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: On
    6:14 PM: Shield States
    6:14 PM: License Check Status (0): Success
    6:14 PM: Spyware Definitions: 993
    6:14 PM: Informational: Loaded AntiVirus Engine: 2.49.1; SDK Version: 4.21E; Virus Definitions: 9/20/2007 5:22:48 PM (GMT)
    6:13 PM: Spy Sweeper 5.5.7.48 started
    6:13 PM: Spy Sweeper 5.5.7.48 started
    6:13 PM: | Start of Session, Thursday, September 20, 2007 |
    ***************

    Thank you

    3 Shoes
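
An added example, not part of the original posts: in the Spy Sweeper log above, the path logged with `Found W32/IRCBot-XX` lies inside SUPERAntiSpyware's quarantine folder. The sketch below separates such quarantined copies from detections at live paths; the line format is inferred from this one log, the `Quarantine` folder-name test is a heuristic assumption, and the second sample log is constructed.

```python
import re
from typing import List, NamedTuple

# Line shapes inferred from the Spy Sweeper log in the post (an assumption,
# not a documented format). The log is written newest-first, so the path of a
# trace appears on the line above its "Found <name>:" line.
TIMED = re.compile(r"^\s*\d{1,2}:\d{2} [AP]M: (?P<msg>.*)$")
TRACE_PATH = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+\(ID = \d+\)$")
FOUND = re.compile(r"^Found (?P<threat>.+?): ")


class Detection(NamedTuple):
    threat: str
    path: str
    kind: str  # "quarantine-copy" or "live-file"


def classify(path: str) -> str:
    """Heuristic: a folder literally named 'Quarantine' in the path means the
    scanner hit another tool's stored copy, not a file in a live location."""
    folders = [part.lower() for part in path.split("\\")[:-1]]
    return "quarantine-copy" if "quarantine" in folders else "live-file"


def detections(log_text: str) -> List[Detection]:
    """Pair each 'Found' line with the trace paths logged just above it."""
    results: List[Detection] = []
    pending_paths: List[str] = []
    for line in log_text.splitlines():
        timed = TIMED.match(line)
        if not timed:
            continue  # shield-state lines and separators carry no timestamp
        msg = timed.group("msg").strip()
        trace = TRACE_PATH.match(msg)
        if trace:
            pending_paths.append(trace.group("path"))
            continue
        found = FOUND.match(msg)
        if found:
            threat = found.group("threat")
            results.extend(Detection(threat, p, classify(p)) for p in pending_paths)
            pending_paths = []
    return results


def live_detections(log_text: str) -> List[Detection]:
    """Detections that are not just another scanner's quarantined copy."""
    return [d for d in detections(log_text) if d.kind == "live-file"]


# Three lines copied from the Spy Sweeper log in the post.
POSTED_LOG = r"""
6:21 PM: C:\Documents and Settings\khg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 09-20-2007 - 18-10-12\{1DC78CBD-065B-4CF9-BC65-89994B2495CF} (ID = 0)
6:21 PM: Found W32/IRCBot-XX: W32/IRCBot-XX
6:20 PM: Starting File Sweep
"""

# Constructed sample (not from the post): a detection at a live path.
CONSTRUCTED_LOG = r"""
6:21 PM: C:\WINDOWS\system32\example.exe (ID = 0)
6:21 PM: Found Example/Threat: Example/Threat
"""

if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("constructed", CONSTRUCTED_LOG)):
        for d in detections(log):
            print(f"{name}: {d.threat} [{d.kind}] {d.path}")
```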
     
  4. 3 Shoes

    3 Shoes Thread Starter

    Ok I have now used :

    Norton IS 2007
    Webroot SpySweeper
    Super Anti Spy Ware
    ComboFix
    MsnCleaner
    Vundo Fix
    CwShredder
    About Buster

    And this darn W32/IRCBot-XX Is still coming back, It's starting to really tick me off

    So can someone here PLEASE tune In on this thread of mine with a reply and a little HELP !!!

    I would appreciate a tad bit of guidance as to why I have not solved the problem as of yet

    Thank you

    3 Shoes
     
  5. 3 Shoes

    3 Shoes Thread Starter

    Ok you can add to the above list :

    AVG Anti Spy
    &
    Bit Defender

    This W32/IRCBot-xx likes to spread and replicate itself, and I must say it ticked me off to no end

    However I have now managed to clean the darn thing out my computer with no recurrence of W32/IRCBot-xx or any variant of such !!!

    My next question Is, why has NOT 1 person replied back In this thread at all outside of me??? :mad:
     
Short URL to this thread: https://techguy.org/626740
