How to kill "Backdoor.IRCBot.nw"

hi,

According to my Ewido report there is a “Backdoor.IRCBot.nw” that won’t let itself be kicked out.
Has anyone had this problem before, and does a tool exist for it?
thanks


ewido anti-malware - Scan report

  • Created on: 9:36:49 PM, 3/8/2006

  • Report-Checksum: 8166B930

  • Scan result:

    [1024] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [1272] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [1900] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [2316] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [2380] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [2772] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [2784] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [3460] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    C:\WINDOWS\system32\__delete_on_reboot__netf.dll → Backdoor.IRCBot.nw : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@adtech[2].txt → TrackingCookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt → TrackingCookie.Doubleclick : Cleaned with backup

::Report End

Hi estyl,

Looks like maybe Ewido cleaned it on a reboot.

Try scanning again and see if it still turns up.

Scanning in safe mode may help, if it’s still there.
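As an added illustration (not code from the thread, from Ewido or from any poster), a small Python parser for scan-report lines in the layout quoted above: it groups per-process hits by file, so a DLL reported under many PIDs with "Error during cleaning" stands out as loaded into running processes (and therefore locked on disk), and checks whether a matching __delete_on_reboot__ entry shows the file was queued for removal at restart, which is the situation Frank's reply describes. The sample lines are constructed from the report above.

```python
import re
from collections import defaultdict

# Constructed sample in the Ewido report layout quoted in the thread
# (paths, detection names and PIDs copied from the report above).
SAMPLE_REPORT = r"""
[1024] C:\WINDOWS\system32\netf.dll -> Backdoor.IRCBot.nw : Error during cleaning
[1272] C:\WINDOWS\system32\netf.dll -> Backdoor.IRCBot.nw : Error during cleaning
[3460] C:\WINDOWS\system32\netf.dll -> Backdoor.IRCBot.nw : Error during cleaning
C:\WINDOWS\system32\__delete_on_reboot__netf.dll -> Backdoor.IRCBot.nw : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
"""

# "[pid] path -> DetectionName : status"; the [pid] prefix only appears when
# the hit was found inside a running process rather than on disk.
LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<path>.+?)\s*(?:->|→)\s*"
    r"(?P<name>\S+)\s*:\s*(?P<status>.+?)\s*$"
)
REBOOT_RE = re.compile(r"__delete_on_reboot__(.+)$", re.IGNORECASE)


def parse_report(text):
    """Return one dict per result line; lines in another layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"]) if d["pid"] else None
            entries.append(d)
    return entries


def triage(entries):
    """Per file: processes it was loaded in, whether cleaning failed, and
    whether the scanner queued the file for deletion at the next reboot."""
    by_file = defaultdict(lambda: {"name": None, "pids": set(), "failed": False})
    pending = set()  # basenames queued via a __delete_on_reboot__ entry
    for e in entries:
        m = REBOOT_RE.search(e["path"])
        if m and e["status"].startswith("Cleaned"):
            pending.add(m.group(1).lower())
            continue
        if e["pid"] is not None:  # in-memory hit: file is locked by a process
            rec = by_file[e["path"]]
            rec["name"] = e["name"]
            rec["pids"].add(e["pid"])
            rec["failed"] |= e["status"].startswith("Error")
    return [{"path": p, "name": r["name"], "processes": len(r["pids"]),
             "cleaning_failed": r["failed"],
             "delete_on_reboot_pending": p.rsplit("\\", 1)[-1].lower() in pending}
            for p, r in by_file.items()]
```

A file that shows up as both "cleaning failed" and "delete on reboot pending" should simply be rescanned after a restart, as suggested above, before assuming the cleaner failed.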

Hi Frank,

I did it already many times and I always get the same report; will try it in safe mode.
thanks

This may be a HackTool.Rootkit infection, in which case scanning in safe mode won’t help.

You could try Trend Micro Sysclean:

If you are not a Trend Micro customer, please download the following file.

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

For the TSC package to be effective, you must download and use the latest pattern file. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

I wish I had seen this thread before responding to your other thread about the same thing.

Programs which claim to remove rootkits are:

UnHackMe: http://www.greatis.com/unhackme/

and

BlackLight http://www.f-secure.com/blacklight/

Please post the report file if you do run Sysclean: this may give more clues about the rootkit.

hi

During the installation of Sysclean, Avast found a virus called “sysclean.exezz” and declared it a Virus/Worm malware type. Should I continue and/or change the extensions (because all Sysclean files’ extensions end with a “z”) or stop the installation?

It’s just a false positive.

Run Sysclean in safe mode and you won’t have this problem.

(Tap F8 while rebooting.)

:slight_smile: Hi Estyl:

To "investigate" the possibility that you may have a rootkit, it seems best to start by using the FREE "RootkitRevealer" from www.sysinternals.com/Utilities/rootkitrevealer.html. You will need to unzip it before running it AND cleaning ALL Temporary Internet Files. This program CANNOT get rid of any found rootkit, but will give a name, which you could then do a Google search on to find "Removal Tool(s)" or use one of Frank's recommendations. The "UnHackMe" costs & the BlackLight is a "beta" (use at your own risk).

UnHackMe has a free working trial. :wink:

First of all I would like to thank you all for the support.

I did most of the things that you asked me to do and I think that I’m better now.
As you can see in the following reports, “Backdoor.IRCBot.nw” doesn’t appear in the reports anymore, and my emailer bot (which was the origin of this thread) seems not to be active anymore (ZA’s report doesn’t mention any 49exmodulap.exe file trying to connect to the internet; check here http://forum.avast.com/index.php?PHPSESSID=f4e7334c36adb56aa9bb9029617902e7&topic=19798.0).

My new problem is that my email is now blocked for spamming and I get this message every time I try to send any email:

551 Mail from your IP address is currently blocked based on RBL listing

My ISP advises me to wait a few days and I will be unblocked. I checked my IP (84.115.153.146) on www.openrbl.org and … I’m listed???


ewido anti-malware - Scan report

  • Created on: 1:01:53 PM, 3/10/2006

  • Report-Checksum: EC54CE74

  • Scan result:

    C:\WINDOWS\system32\AdCache → Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_0_0_445900.htm → Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_0_0_446000.htm → Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_1_0_448500.gif → Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_1_0_448600.gif → Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_2_0_814200.htm → Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_2_0_815600.htm → Adware.Cydoor : Cleaned with backup
    C:\WINDOWS\system32\AdCache\B_434_2_0_815900.htm → Adware.Cydoor : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt → TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt → TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt → TrackingCookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@microsofteup.112.2o7[1].txt → TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt → TrackingCookie.Zedo : Cleaned with backup

::Report End


RootkitRevealer

HKLM\S-1-5-21-682003330-1078145449-725345543-1003\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath 12/17/2005 9:43 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 3/10/2006 12:27 PM 0 bytes Hidden from Windows API.


UnHackMe

No trojan has been found


Spybot

Congratulation
No immediate threat was found

Hi estyl,

Glad to hear your computer is better.

I’m sure your ISP will unblock you soon as your computer is not sending out spam emails anymore.

Can you confirm you have DaemonTools on your computer? This is probably responsible for the hidden entry in Rootkit Revealer.

Two of the most popular CD emulation utilities are Alcohol and Daemon Tools and they both use rootkits.

http://www.sysinternals.com/blog/2006/02/using-rootkits-to-defeat-digital.html

Yes Frank, you’re right, I have it (damn… man, you’re good!)

:wink:

Estyl

I just Googled the name of the service detected by Rootkit Revealer and some info came up pretty easily.

As you are using DaemonTools, the presence of the hidden registry key is normal, as Mark’s Sysinternals Blog mentions.

Hope everything is still running smoothly,

FwF