Cleaning out a W32.IRCBot

Good to hear things went well for you.

That another vendor finds something doesn't mean that they are better than Symantec.  It works the other way round as well. Symantec will find things others can't.


That's just the hard plain truth. What we can do is contribute to make Symantec even better than it is.

That can be done by the community like this and of course by submitting all the malware samples we can find.

I have to laugh, Stu.  Norton still says I have this bot in 2 files.


But it did find a tracking cookie this time.


I no longer know what to think.  Do I actually have it, or is the report just parroting something it couldn't resolve before?


Now, there's a question - can I reset my system scan to make it start from scratch?  I'll have to look at that.

Hi Dawg,

Sorry to hear that you are having problems removing this threat. I went over the writeup for this Trojan and it looks like it is a nasty one. Some variants can be spread via network shares. If you have a variant that can be spread that way, then it is possible that you are being reinforced after each scan. Also, since it is a Trojan horse with backdoor access, there is no way to tell what has happened on your system if the system has actually been hacked.


Because of this, it is important that you follow these steps.  (I am assuming that you have the 2008 version of the product. If not, let me know your version, since the steps will be a bit different for a different version.)

1. Download the latest virus definitions via the Symantec Web site (these definitions are the most current).

Title: 'How to update virus definition files for Norton 2008 product using Intelligent Updater'
Document ID: 2007090100014179
Web URL: http://service1.symantec.com/SUPPORT/norton2008.nsf/docid/2007090100014179

2. Start your Norton program.
3. On the Norton product tab, click Settings.
4. Under Basic Security, click AutoProtect and then click Configure.
5. Check Load Auto-Protect during system startup.
6. Click Apply.
7. In the left pane, click Exclusions.
8. In the left pane, click Low Risk Exclusions.
9. Under "How to respond when a low security risk is found", click Automatically remove low-risk items.
10. Click Apply and then click OK.
11. Unplug your network cable or your wireless modem. You should not be connected to the Web during this process, to avoid re-infection via network shares.
12. Restart in Safe mode and run a Full System Scan (not a Quick Scan!).
13. Restart in Normal mode. AP will scan on startup.
14. Open your Norton program and run one more Full System Scan. If the program detects an infected file, this is usually an indicator that this may be a new variant. Locate and quarantine the file and submit the file to Symantec via https://submit.symantec.com/websubmit/retail.cgi
15. If nothing is detected, plug your network cable back in or start your wireless modem.


This is the full meal deal of scans. If nothing is detected at this point, then you can be confident that all is well. If something continues to be detected then it is very important that the detected files be submitted for review.


Thanks,

RichC

Sorry for my misspelling... I meant "Some variants can be spread via network shares. If you have a variant that can be spread that way, then it is possible that you are being re-infected after each scan."

Rich, thank you.  I followed your directions.


The full system scan under the safe mode came out clean.  When I rebooted and ran it in normal mode, the bot showed up again.  Once again, though, there was nothing identifying the file it was in or any way to find it.


So I sat staring at my monitor for a half hour or so as the scan continued into my backup drive - I figured I was getting two hits because one was on my C drive and the other on the backup - and I was right.  I paused the scan when the second hit popped up.  I wasn't able to identify the individual file, but I was able to identify the folder it was in.  So I went into that folder on both drives and just deleted everything I wasn't sure of (or needed to keep).  I ran another full system scan overnight, and it came out clean.


I rather suspect the bot was in a patch for an ftp program I'd downloaded several months ago that I couldn't get to work.  But I'm not going to sound the all-clear until my regularly scheduled full-system scan runs tomorrow (Friday) night and it comes back clean.


But this is the most promising point I've been at in weeks.  Thanks for your help, and I'll let you know Saturday if the issue really is resolved.


Thanks again.

Rich:


The problem has been resolved.  The full-system scan comes out clean.


As I said, I do not know for absolutely certain which file contained the bot.  I suspect it was in that ftp program patch, but I downloaded it several months ago, long before the Norton report started showing the infection.


Anyway, thanks very much for the help.


Dawg