Win32.mIRC.62 need help :(

Hi I am using Avast home 4.7 and some days ago I had a problem with a virus.
After fixing the problem I run a check with Kaspersky Online Scanner and it found this - C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 .
I ignored it because it sais it is not a virus but today when I ran a new check I got this - C:\System Volume Information_restore{0C465918-B52E-4BCA-8911-EBDFCE22B207}\RP385\A0502340.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 .
Why is it multiplying, what should I do ???

If a virus is replicant (coming and coming again), you should disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again.

It won’t hurt if you run an avast boot time scanning too.

Welcome to avast forums 8)

You don’t say what detected it in the C:\System Volume Information folder, but I assume not avast as it didn’t detect anything in the C:\Program Files\mIRC\mirc.exe, assuming that this is one and the same file.

There is a possiblilty that it was a fasle positive detection by Kaspersky.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. I don’t believe you will be able to test the one in the restore point as that will be protected (or should) by windows.

Once you have done that post the results here.

I assume you have this mIRC program ?

I don’t think it is multiplying, if something is deleted (and I know you say you ignored it) from the system folders and system restore is enabled it will create a restore point to allow for restoration. This is done by the system restore function and not malware creating a fake restore point in a windows protected area.

I detected it with Kaspersky online scanner.

Sunday, April 08, 2007 4:15:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/04/2007
Kaspersky Anti-Virus database records: 292519

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Statistics
Total number of scanned objects 56026
Number of viruses found 1
Number of infected objects 2 / 0
Number of suspicious objects 0
Duration of the scan process 00:24:55

C:\System Volume Information_restore{0C465918-B52E-4BCA-8911-EBDFCE22B207}\RP385\A0502340.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped

C:\System Volume Information_restore{0C465918-B52E-4BCA-8911-EBDFCE22B207}\RP390\A0502749.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped

Is it a virus or not ???

Btw I uninstalled Mirc two hours ago.

Is it a virus or not ???

The only way to tell is by confirmation (using a multi-engined scan) and that is going to be almost impossible since you have uninstalled it before you even posted here.

Unless you reinstalled it or uploaded the installation file to virustotal, etc. to be scanned I doubt we will ever know.

However, the not-a-virus: prefix in the malware name (not-a-virus:Client-IRC.Win32.mIRC.62) could indicate that it is a tool which could be used for alternative purposes and Kaspersky is saying it is riskware, if you installed it then the purpose is less of a risk.

A google search for not-a-virus:Client-IRC.Win32.mIRC.62 returns many hits

The results of virus total on the installation file:
AhnLab-V3 2007.4.7.0 04.06.2007 no virus found
AntiVir 7.3.1.48 04.08.2007 no virus found
Authentium 4.93.8 04.06.2007 no virus found
Avast 4.7.936.0 04.06.2007 no virus found
AVG 7.5.0.447 04.08.2007 no virus found
BitDefender 7.2 04.08.2007 no virus found
CAT-QuickHeal 9.00 04.06.2007 no virus found
ClamAV devel-20070312 04.08.2007 no virus found
DrWeb 4.33 04.08.2007 no virus found
eSafe 7.0.15.0 04.07.2007 no virus found
eTrust-Vet 30.7.3549 04.06.2007 no virus found
Ewido 4.0 04.08.2007 no virus found
FileAdvisor 1 04.08.2007 Not analyzed yet
Fortinet 2.85.0.0 04.08.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 no virus found
F-Secure 6.70.13030.0 04.08.2007 no virus found
Ikarus T3.1.1.3 04.08.2007 not-a-virus:Client-IRC.Win32.mIRC.62
Kaspersky 4.0.2.24 04.08.2007 not-a-virus:Client-IRC.Win32.mIRC.62
McAfee 5003 04.06.2007 no virus found
Microsoft 1.2405 04.08.2007 no virus found
NOD32v2 2173 04.07.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.08.2007 no virus found
Prevx1 V2 04.08.2007 no virus found
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.08.2007 no virus found
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.07.2007 no virus found
VirusBuster 4.3.7:9 04.07.2007 no virus found
Webwasher-Gateway 6.0.1 04.08.2007 no virus found

Btw yesterday Kaspersky Online Scanner found this - C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\45UVSPEZ\mc2[1].js Infected: Trojan.JS.Agent.b .
Today it does not find it anymore ;D
I’m begining to doubt the relyability of Kaspersky :slight_smile:

On contrary, they could have corrected a false positive.
They worked correctly and fast. It tells in favor of Kaspersky, not in contrary.

On contrary, they could have corrected a false positive. They worked correctly and fast. It tells in favor of Kaspersky, not in contrary.

Yeah, I couldn’t rest all night thinking I have a virus that is not detected by Avast and suddenly the next day it “magicly” disappears ;D
I used Kaspersky once but when I uninstalled it I found 3 trojans with Avast :o
So Avast rules as always 8)

Btw after disabling system restore I get no more detections from Kaspersky about Client-IRC.Win32.mIRC.62 :smiley:

Thanx alot guys :slight_smile:

That’s exactly it.

mIRC can be installed and used by trojans to open a backdoor so if you hadn’t installed it yourself it would need further investigation.

I doubt that detection rates of Kaspersky are lower than avast… maybe I can’t get biased on this point: avast does not have the best detection rates in the antivirus market.

I installed mIRC myself.
But I was planing to uninstall it anyway until I got this weird results from kaspersky :-\

Btw could the files of Avast get infected themselves?

Themselves… well, avast files could be infected as any other, but, of course, avast does not infect its own files by itself…

I don’t mean to infect itself, I suffered heavily some days ago by a trojan infestation so I found that the file ashavast was infected and a bak folder appeared in the avast directory ???
I just wondered if the antivirus can become a virus itself?

No problem glad we could help, welcome to the forums.

Disabling system restore and rebooting clears ALL restore points infected or otherwise, so nothing to detect. Re-enabling system restore will create a current restore point.

Re avast getting infected, yes that is possible,avast has an integrity check which should I would hope detect the changes and hopefully the infection and it may well be possible using the repair function to cecover from that. avast 5 is I believe going to include a self protection capability.

That could be an indication of an AWF infection.

Download [url=http://noahdfear.geekstogo.com/FindAWF.exe]FindAWF, save it and run it.

Then post the log it creates.

I have a computer for a 9 months now so I’m a bit uneducated about PC stuff :wink:
So thanks for all the help :smiley:

Btw avast sometimes after scan tels me that some files are damaged and cannot be scaned.
Can they be infected?

That could be an indication of an AWF infection.

Download FindAWF, save it and run it.

Then post the log it creates.

I reinstalled avast since then, so do I still have to check it?

Find AWF report by noahdfear ©2006

bak folders found



Directory of C:\PROGRA~1\DAEMON~1\BAK

09.11.2005 Ј.  01:00           128я920 daemon.exe
             1 File(s)        128я920 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

04.08.2004 Ј.  03:56            15я360 ctfmon.exe
             1 File(s)         15я360 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

16.02.2005 Ј.  17:15            81я920 issch.exe
16.06.2004 Ј.  07:03           221я184 isuspm.exe
             2 File(s)        303я104 bytes

Directory of D:\CLONECD\BAK

28.09.2006 Ј.  22:21            57я344 CloneCDTray.exe
             1 File(s)         57я344 bytes


Duplicate files of bak directory contents
128920 Nov  9 2005 "C:\Program Files\DAEMON Tools\bak\daemon.exe"
157592 Sep 14 2006 "D:\DAEMON Tools\daemon.exe"
 15360 Aug  4 2004 "C:\WINDOWS\system32\ctfmon.exe"
 15360 Aug  4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
 81920 Feb 16 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
221184 Jun 16 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
 57344 Sep 28 2006 "D:\CloneCD\bak\CloneCDTray.exe"

end of report

Generally not. These files that can’t be scanned could have some packing trouble (or are packed in a different way), or are being used, or are password protected by their program themselves, etc.

What do you mean with ‘check it’?

I suggest you send all bak folders and files to avast Chest during avast scanning…

Why ???
I think they are clean.