Cleaning out a W32.IRCBot


Hi Dawg,

 

Just to be sure, you followed the steps detailed below, right?

 

http://www.symantec.com/security_response/writeup.jsp?docid=2002-070818-0630-99&tabid=3

 

What was the result? 

I did.  I've got Live Update on Automatic.  And there is no "\Winapii" file in the registry anywhere.

 

I also deleted all the Temporary files from both browsers. 

 

The report after the system scan indicates this is located in an unsupported file, that the attempt to remove it failed, and the only option given to me is "Review".  There's no location information and no option to quarantine.

 

Any ideas?

I don’t think we need to worry about it.

Can you manually find the file?


No, and that’s the problem.  Of course, it occurs to me that I might be searching for the wrong thing.  I’m open to suggestion.

Please download Malwarebytes

update

run scan

It appears that may have done it.  It found 2 and removed 2.

 

I'm going to run a full system scan with my Norton and see in the morning if it finds anything.

 

Thanks very much!

 

 

You're welcome.

Just let us know how things are going now 

OK - I'm feeling a little frustrated.  The Malwarebytes software found and deleted the two files; I found the duplicates on my backup drive and deleted those.  Malwarebytes now says I'm clean.

 

Norton says they're still there.  I get the identical report I've been getting for a couple of weeks.

 

Yes, I ran the update on Malwarebytes before I ran the last scan.

 

Any other ideas? 

 

I do appreciate the help. 

 

 

How are you scanning with your Norton product? Are you given any removal options? After removal, when you scan again, it shows that the same two files are on your system? Are you scanning in Safe Mode? I apologize for the additional questions, I just want to make sure I understand the problem completely. Thanks!

Tony, I'm just doing what I always do, once a week.  I run LiveUpdate on automatic, and a full system scan overnight every Friday night.  I've manually run a full system scan on a daily basis lately, though.

 

I'm not in Safe Mode, either.

 

I've been getting the same report for the last couple of weeks.  It names the trojan as located in an "unsupported file", twice.  It also notes that automatic removal failed.  The only option I'm given is "Review"; there is no other removal/fix/ignore option given.

 

Based on the recommendation here, I ran the Malwarebytes scan, and it found two instances of a "virus agent".  It says it successfully quarantined and removed it.  I physically went looking and the identified files are no longer on my drives.  A Malwarebytes scan then came back clean, no hits.

 

But when I run a Norton system scan, I still get the same report as before.

 

And no need to apologize - I really do appreciate the help!

 

 

It might be a good idea to run the Full Scan in Safe Mode. You might also want to try Norton AntiBot. Below is a link to a free trial:

 

http://shop.symantecstore.com/store/symnahho/en_US/ContentTheme/ThemeID.106300/pbPage.Trialware_en_US

 

Thanks! 

Usually when a detected file cannot be removed because it is inside another file, it is usually inside a compressed file. This also most often means that you do not have any registry values to delete nor any running processes to kill.

 

What you need to try and find out are the details about the threat. You should get the window with details if you click on the name of the threat after the scan has found it. Otherwise you can go into the history (located on the left side of the main window if you have a 2008 product) and check if you can find the threat listed in the recent history. If it is not there, check under "unsolved". It will take three clicks to get the info you want once you find the threat in the list. More details > Show riskdetails > Details.

 

These places should show the location of the file unless there is something wrong with the installation of your product.

Thanks, jAW.

 

Can you tell me what it means when it says "[Restricted item (permission required)]" in that final detail? 

Tony, I've downloaded the AntiBot software, but it apparently doesn't see the existing issue.

 

And, frankly, I'm beginning to wonder if there is an existing issue.  The only thing seeing a problem is the Norton anti-virus, and it can't identify where it is. 

Did you try an alternative online scan from another vendor? And see if that sees something?

Actually, Stu, I did.  Twice.

 

The first time was the Malwarebytes product recommended in this thread and noted above.  It found two "Trojan Agent" threats and eliminated them.  Norton still came back with the same report.


Today I also had one of the Symantec long-distance techs come in and check out my system.  He examined the Malwarebytes report, deleted temp files, and started the system scan, saying that the threats had been removed and the final report should be clear.   However, according to my Norton anti-virus, I've still got the threats.

 

Tonight I downloaded the beta version of PC Tools Spyware Doctor - and it found tons of tracking cookies and adware Norton apparently can't see. It did not, however, find the W32.IRCBot or other "Trojan Agents".

 

To say I'm feeling less than happy right now would be fairly accurate.  I discover Norton - a product I've trusted for years - isn't telling me about a bunch of stuff I've got on my machine I don't want, and may very well be telling me I've got a problem I don't have, all at the same time.

 

I've got to get this resolved.  Do any of you Norton gurus have any more ideas for me? 

Please try this scan. http://www.bitdefender.com/scan8/ie.html

 

If this can't find it then it must be gone.

Stu:

 

Thank you.  Another product which finds things apparently invisible to Norton.

 

Uncle Dawg is not a happy camper, boys and girls, and the more time I have to spend on this issue the less happy I'm getting.  Money was paid and a promise was made - to keep my computer as threat-free as possible - yet it does not report such minor things as tracking cookies, and cannot keep its own files clean (yes, there were several hidden trojans in the Symantec files).

 

After spending several days on this project (days I can't really afford to spend), I am now fairly confident that my computer is relatively clean - no thanks to Norton Anti-Virus (and I rather suspect I've still got some lurkers tucked away in some corner or other).  Still, just for fun, I'm going to run another system scan to see if this particular bot still shows up.

 

I'll let you know about that.

 

My sincere thanks to you, Stu, for providing me with both of those sites.  If you have any other suggestions, I would welcome them.