Trojan/Virus W32/IRCBot-xx Keeps Coming Back


3 Shoes

Thread Starter
Joined
Sep 20, 2007
Messages
5
Hello I am new to your forum, computers and the internet so please bear with me

Here is my problem, the other day while I was on msn messenger live I had clicked on to a link that was actually some sort of trojan/virus that was hidden in a file.

My Msn box started to dance all around my screen, and to my surprise, this trojan/virus started to send out the same file to others that were my contacts and had their Msn Live messenger box on at the same time I had, posing itself off as me sending it

Next I did a full scan with my Norton IS 2007 and it picked something up called serviser.exe & [email protected] being as a virus, then it proceeded to clean it out of my system

I then used my Spysweeper and it came up stating I was Infected with W32/IRCBot-xx, I Quarantine such, cleaned out my Quarantine and then proceeded to do more scans however after each additional Spysweeper scan was done, this W32/IRCBot-xx would show back up again

Now there after seeing that, I was more than a little upset, so I made a few phone calls to my Grandson's friends, who are more knowledgeable with computers than I am, they all suggested to me that I should do such scans in safe mode so I did

That did not help either because this darn W32/IRCBot-xx keeps coming back and showing up In my Spysweeper

I would like to know if someone here can give an Old Man a tad of a little guidance please with regard to my problem

I have done many scans and cleaning with Norton IS 2007, Spy Sweeper, Bit Defender and the "FREE" CA Trust, Trend Micro and so on, being new to the computer I have thrown everything that I can think of at it, but this damn W32/IRCBot-XX just keeps showing back up in my comp, the fricking thing is like a Timex watch, It takes a beating and still keeps on ticking lol

Anyway, some help from any one of the computer wizards here would be much appreciated by me

I will give you a log that I just did :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:50 PM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "khg"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/ca/en/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188256354828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/ca/en/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7029 bytes


Thank you
 

3 Shoes

Thread Starter
Joined
Sep 20, 2007
Messages
5
I read that someone other than me may have the same problem so I just downloaded combofix.exe from http://forums.techguy.org/malware-removal-hijackthis-logs/600851-help-win32-ircbot-trojan.html

Here is the log of it :

ComboFix 07-09-20.1 - "khg" 2007-09-20 16:51:13.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.799 [GMT -5:00]
.

((((((((((((((((((((((((( Files Created from 2007-08-20 to 2007-09-20 )))))))))))))))))))))))))))))))
.

2007-09-20 16:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-20 14:52 <DIR> d-------- C:\WORK 1
2007-09-20 11:45 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-09-20 01:01 <DIR> d-------- C:\Program Files\CCleaner
2007-09-18 21:23 51,200 -r-hs---- C:\WINDOWS\system32\servicer.exe
2007-09-18 14:43 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 14:43 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 14:43 278,576 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-12 19:16 <DIR> d-------- C:\DOCUME~1\khg\Contacts
2007-08-31 19:28 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-08-31 16:28 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-08-31 16:27 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-08-31 16:27 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-31 16:26 <DIR> d-------- C:\Program Files\Symantec
2007-08-31 16:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-20 08:20 172 --a------ C:\WINDOWS\system32\status_giveio.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-20 12:56 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-20 12:56 10676 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-20 12:29 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-19 09:33 --------- d-------- C:\Program Files\Windows Live Safety Center
2007-09-18 14:44 1430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 14:44 1421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 14:44 1415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 14:44 10662 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 14:44 10658 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 05:45 --------- d-------- C:\Program Files\PokerStars.NET
2007-09-14 21:45 --------- d-------- C:\Program Files\TuneUp Utilities 2007
2007-09-12 19:16 --------- d-------- C:\Program Files\MSN Messenger
2007-09-08 12:54 --------- d-------- C:\Program Files\Common Files\Webroot Shared
2007-09-08 12:54 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-09-05 15:43 69960 --a------ C:\WINDOWS\Unwash6.exe
2007-08-21 16:40 --------- d-------- C:\Program Files\Winamp
2007-08-12 23:31 --------- d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-12 23:16 --------- d-------- C:\DOCUME~1\khg\APPLIC~1\EAST Technologies
2007-08-07 19:30 --------- d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-08-07 16:44 --------- d-------- C:\Program Files\ABBYY FineReader 6.0
2007-08-07 16:44 --------- d-------- C:\Program Files\ABBYY FineReader 5.0 Sprint
2007-08-07 16:43 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-07 16:43 --------- d-------- C:\Program Files\FaxTools
2007-08-07 16:43 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software
2007-08-07 10:24 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-08-07 10:23 --------- d-------- C:\Program Files\Webroot
2007-08-07 10:18 --------- d-------- C:\DOCUME~1\khg\APPLIC~1\Webroot
2007-08-07 01:25 --------- d-------- C:\Program Files\Abexo
2007-08-07 01:25 --------- d-------- C:\DOCUME~1\khg\APPLIC~1\Abexo
2007-08-07 00:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-04 23:56 --------- d-------- C:\Program Files\Trend Micro
2007-07-31 02:02 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-30 20:21 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Talkback
2007-07-19 22:54 1521464 --a------ C:\WINDOWS\WRSetup.dll
2007-07-19 22:42 23864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-07-19 22:42 21816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-07-19 22:42 20280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-07-19 22:42 163128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-06-26 21:25 69689 --a------ C:\WINDOWS\UNZIP.DLL
2007-06-26 21:25 208896 --a------ C:\WINDOWS\PATCH.EXE
2007-06-26 21:25 1142784 --a------ C:\WINDOWS\TMUPDATE.DLL
2007-02-21 16:59 476752 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\pswi_preloaded.exe
2007-02-21 21:39:28 8 --sh--r C:\WINDOWS\system32\BED0B1F426.sys
2007-02-21 21:58:30 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 04:50 C:\WINDOWS\LOGI_MWX.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-03-14 22:10]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 02:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 22:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"WUAppSetup"=C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe
R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys
S3 ATITUNEP;ATI WDM TV Tuner (Microsoft Corporation);C:\WINDOWS\system32\DRIVERS\atintuxx.sys
S3 ativraxx;ATI WDM Rage Theater Audio (Microsoft Corporation);C:\WINDOWS\system32\DRIVERS\atinraxx.sys
S3 ATIXSAudio;ATI WDM TV Audio (Microsoft Corporation) Crossbar (Microsoft Corporation);C:\WINDOWS\system32\DRIVERS\atinxsxx.sys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 22:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-09-20 21:56:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-09-18 07:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - khg.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 16:56:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-20 16:59:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-20 16:58
.
--- E O F ---

I will now wait for someone to reply back in this thread to help me out if possible

I Kindly thank you In advance

3 Shoes
 

3 Shoes

Thread Starter
Joined
Sep 20, 2007
Messages
5
I have also downloaded Superantispyware (SAS) free home version that being a few minutes ago, and I then followed these Instructions given by another member here on your forum to someone else :

Install it and double-click the icon on your desktop to run it.

· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.

· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:

o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others as they were.
o Click the Close button to leave the control center screen.

· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.

· After the scan is complete a summary box will appear. Click OK.

· Make sure everything in the white box has a check next to it, then click Next.

· It will quarantine what it found and if it asks if you want to reboot, click Yes.

· To retrieve the removal information for me please do the following:

o After reboot, double-click the SUPERAntispyware icon on your desktop.

o Click Preferences. Click the Statistics/Logs tab.

o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.

· Click close and close again to exit the program.

Here Is my Superantispyware (SAS) Scan Log as per Instructions given above :

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/20/2007 at 06:08 PM

Application Version : 3.9.1008

Core Rules Database Version : 3310
Trace Rules Database Version: 1314

Scan type : Complete Scan
Total Scan Time : 00:39:51

Memory items scanned : 463
Memory threats detected : 0
Registry items scanned : 6791
Registry threats detected : 0
File items scanned : 42250
File threats detected : 1

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\SERVICER.EXE

There after the above noted scan was finished & that being prior to my comp rebooting, my SpySweeper Alert came back on to notify me that It too had found the W32/IRCBot-XX back In my system as well placing It In Quarantine

I then proceeded again to rescan using SpySweeper, and the results after doing so are : VIRUS FOUND W32/IRCBot-XX to which I have now DELETED AGAIN from my SpySweeper Quarantine

Here's My SpySweeper Log :

6:55 PM: Removal process completed. Elapsed time 00:00:04
6:55 PM: Informational: Virus infected file c:\documents and settings\khg\application data\superantispyware.com\superantispyware\quarantine\quarantine - 09-20-2007 - 18-10-12\{1dc78cbd-065b-4cf9-bc65-89994b2495cf} not cleaned.
6:55 PM: Quarantining All Traces: W32/IRCBot-XX
6:55 PM: Removal process initiated
6:55 PM: Traces Found: 1
6:55 PM: Full Sweep has completed. Elapsed time 00:37:43
6:55 PM: File Sweep Complete, Elapsed Time: 00:34:21
6:51 PM: Warning: SweepDirectories: Cannot find directory "f:". This directory was not added to the list of paths to be scanned.
6:51 PM: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsb6c592fd-1d05-4f7a-a033-4bacb286a588.tmp]
6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms99e5ff3d-8773-475c-b612-cd36c2d1129d.tmp]
6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7c33a92d-d010-4f1e-915b-c03e1cd8c7ff.tmp]
6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3fa022e0-4b4e-4a4b-8533-6865fd0f5830.tmp]
6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms054e2ecb-642d-41db-b1d9-dda47df0041e.tmp]
6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms09869d76-279f-4783-a2e1-24c92183ed1e.tmp]
6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms52a2cbd9-e5f8-469e-8563-eeaf06b14030.tmp]
6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4c13524d-7766-48f5-b4da-6a55453c528a.tmp]
6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsb6c592fd-1d05-4f7a-a033-4bacb286a588.tmp". The operation completed successfully
6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms99e5ff3d-8773-475c-b612-cd36c2d1129d.tmp". The operation completed successfully
6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms7c33a92d-d010-4f1e-915b-c03e1cd8c7ff.tmp". The operation completed successfully
6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3fa022e0-4b4e-4a4b-8533-6865fd0f5830.tmp". The operation completed successfully
6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms054e2ecb-642d-41db-b1d9-dda47df0041e.tmp". The operation completed successfully
6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms09869d76-279f-4783-a2e1-24c92183ed1e.tmp". The operation completed successfully
6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms52a2cbd9-e5f8-469e-8563-eeaf06b14030.tmp". The operation completed successfully
6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4c13524d-7766-48f5-b4da-6a55453c528a.tmp". The operation completed successfully
6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5f566d40-2867-4e31-aad6-b6684e059dcd.tmp]
6:51 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms9e3c93ed-871e-4dfe-8bd7-f11c7874f3b8.tmp]
6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5f566d40-2867-4e31-aad6-b6684e059dcd.tmp". The operation completed successfully
6:51 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms9e3c93ed-871e-4dfe-8bd7-f11c7874f3b8.tmp". The operation completed successfully
6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms6309fba1-05ce-4983-b93d-afdc9bf1ea73.tmp]
6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\networkservice\ntuser.dat]
6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\default]
6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\pagefile.sys]
6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\software]
6:50 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms4d16c4d3-a03b-4752-b368-1150b0f229c3.tmp]
6:47 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse1413e7c-d9b0-4d79-a770-3e0f824296b5.tmp]
6:47 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\windows\system32\config\system]
6:46 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsabc94ed4-c107-4b95-b52b-a854755268ee.tmp]
6:45 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms355a1cbc-d288-4e61-8c3c-f6ae1ed58733.tmp]
6:45 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsdb0b59d4-6cf0-49ed-a982-90ce35f1d02f.tmp]
6:45 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmse55a60fd-7b49-41f5-a3a7-c35d42d669d1.tmp]
6:44 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\ntuser.dat]
6:40 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms301d2d51-9d40-4897-a131-5a05565a2424.tmp]
6:38 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\khg\ntuser.dat]
6:38 PM: ApplicationMinimized - EXIT
6:38 PM: ApplicationMinimized - ENTER
6:35 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsb1ac944b-c248-4038-8ff3-c91644dd5504.tmp]
6:29 PM: Warning: AntiVirus engine for IFO returned [Access Denied] on [c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms5c7e5051-70c2-4885-ab81-9b81b753001f.tmp]
6:27 PM: ApplicationMinimized - EXIT
6:27 PM: ApplicationMinimized - ENTER
6:24 PM: ApplicationMinimized - EXIT
6:24 PM: ApplicationMinimized - ENTER
6:21 PM: C:\Documents and Settings\khg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 09-20-2007 - 18-10-12\{1DC78CBD-065B-4CF9-BC65-89994B2495CF} (ID = 0)
6:21 PM: Found W32/IRCBot-XX: W32/IRCBot-XX
6:20 PM: Starting File Sweep
6:20 PM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
6:20 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:20 PM: Starting Cookie Sweep
6:20 PM: Registry Sweep Complete, Elapsed Time:00:00:06
6:20 PM: Starting Registry Sweep
6:20 PM: Memory Sweep Complete, Elapsed Time: 00:03:05
6:17 PM: ApplicationMinimized - EXIT
6:17 PM: ApplicationMinimized - ENTER
6:17 PM: Starting Memory Sweep
6:17 PM: Start Full Sweep
6:17 PM: Sweep initiated using definitions version 993
Keylogger: On
E-mail Attachment: On
6:14 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
6:14 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
6:14 PM: Shield States
6:14 PM: License Check Status (0): Success
6:14 PM: Spyware Definitions: 993
6:14 PM: Informational: Loaded AntiVirus Engine: 2.49.1; SDK Version: 4.21E; Virus Definitions: 9/20/2007 5:22:48 PM (GMT)
6:13 PM: Spy Sweeper 5.5.7.48 started
6:13 PM: Spy Sweeper 5.5.7.48 started
6:13 PM: | Start of Session, Thursday, September 20, 2007 |
***************

Thank you

3 Shoes
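
Added example (not part of the original posts, and not code from any of the tools mentioned): the Spy Sweeper log above reports its one W32/IRCBot-XX trace at a path inside SUPERAntiSpyware's quarantine folder, so this Python script reads a Spy Sweeper session log and separates detections that point into another scanner's quarantine store from detections elsewhere on disk. The marker table, the function names and the 6:22 PM sample entry are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in Spy Sweeper's newest-first layout. The two 6:21 PM
# lines are copied from the log above; the 6:22 PM pair is a made-up
# contrast case showing a detection outside any quarantine folder.
SAMPLE_LOG = r"""
6:55 PM: Quarantining All Traces: W32/IRCBot-XX
6:55 PM: Traces Found: 2
6:22 PM: C:\WINDOWS\system32\example-live.exe (ID = 0)
6:22 PM: Found Example/Trace: Example/Trace
6:21 PM: C:\Documents and Settings\khg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 09-20-2007 - 18-10-12\{1DC78CBD-065B-4CF9-BC65-89994B2495CF} (ID = 0)
6:21 PM: Found W32/IRCBot-XX: W32/IRCBot-XX
6:20 PM: Starting File Sweep
"""

ENTRY = re.compile(r"^(\d{1,2}:\d{2} [AP]M): (.*)$")
FOUND = re.compile(r"^Found (?P<name>.+?): ")
TRACE = re.compile(r"^(?P<path>[A-Za-z]:\\.+) \(ID = \d+\)$")

# Assumption: lowercase path fragments identifying another scanner's
# quarantine store. Only the SUPERAntiSpyware one is taken from the log above.
KNOWN_QUARANTINES = {
    "\\superantispyware\\quarantine\\": "SUPERAntiSpyware",
}


@dataclass
class Detection:
    time: str
    name: str
    path: str
    holder: Optional[str]  # tool whose quarantine holds the file, or None


def quarantine_holder(path: str) -> Optional[str]:
    """Return the tool whose quarantine folder contains `path`, if any."""
    lowered = path.lower()
    for marker, tool in KNOWN_QUARANTINES.items():
        if marker in lowered:
            return tool
    # Fallback: any directory literally named "quarantine" in the path.
    if "quarantine" in lowered.split("\\")[:-1]:
        return "unidentified tool"
    return None


def parse_detections(log_text: str) -> list:
    """Pair each 'Found <name>' entry with the trace paths logged after it."""
    detections, current = [], None
    # The log is newest-first, so walk it bottom-up to get event order.
    for raw in reversed(log_text.splitlines()):
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue  # shield-state lines carry no timestamp
        when, message = entry.groups()
        found = FOUND.match(message)
        trace = TRACE.match(message)
        if found:
            current = found.group("name")
        elif trace and current:
            path = trace.group("path")
            detections.append(
                Detection(when, current, path, quarantine_holder(path)))
        else:
            current = None  # any other event ends the current trace list
    return detections


def triage(log_text: str) -> dict:
    """Split detections into quarantined copies and files found elsewhere."""
    result = {"quarantined_copy": [], "live": []}
    for det in parse_detections(log_text):
        key = "quarantined_copy" if det.holder else "live"
        result[key].append(det)
    return result


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        for det in items:
            where = f" (held by {det.holder})" if det.holder else ""
            print(f"{bucket}: {det.time} {det.name} -> {det.path}{where}")
```
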
 

3 Shoes

Thread Starter
Joined
Sep 20, 2007
Messages
5
Ok I have now used :

Norton IS 2007
Webroot SpySweeper
Super Anti Spy Ware
ComboFix
MsnCleaner
Vundo Fix
CwShredder
About Buster

And this darn W32/IRCBot-XX Is still coming back, It's starting to really tick me off

So can some one here PLEASE tune In on this thread of mine with a reply and a little HELP !!!

I would appreciate a tad bit of guidance as to why I have not solved the problem as of yet

Thank you

3 Shoes
 

3 Shoes

Thread Starter
Joined
Sep 20, 2007
Messages
5
Ok you can add to the above list :

AVG Anti Spy
&
Bit Defender

This W32/IRCBot-xx likes to spread and replicate itself, and I must say it ticked me off to no end

However I have now managed to clean the darn thing out of my computer with no recurrence of W32/IRCBot-xx or any variant of such !!!

My next question Is, why has NOT 1 person replied back In this thread at all outside of me??? :mad:
 