Tech Support banner

Status
Not open for further replies.
1 - 5 of 5 Posts

·
Registered
Joined
·
1,481 Posts
Discussion Starter #1
I upgraded my sis-in-laws IBM notebook from 98 to 2000 using a clean copy of W2K (leagle)...the install went smooth...short of a perfomance issues which will be handeled by memory...make a long story short...about a month later -after getting road runner cable accesse...when she boots mIRC come up and tries to connect to a host ( the troubleshooting is over the phone I will not have the system in front of me till the holidays). There is no mIRC in add remove programs and it would be to hard to handel registery editing over the phone...there are no OBVious folders...I found advice on installing the newer version of mIRC and it will then appear in the Add & Remove...which it did but after uninstalling it and rebooting its (mIRC) is back...A Norton scan with updated pattern ...says the system is clean...but we know otherwise -a clean system will not install rouge programs-- I had her install Zonealarm and she says that Zonealarm is telling her ....that her task manager is trying to go to the internet...and calling itself...mIRC...she has me lost there but she had the right folder for taskmanager so I am not sure how they are connected...any advice on what comprmised the machine and on how to uncomprimise it???
 

·
Premium Member
Joined
·
1,611 Posts
Doonz, sorry I didnt catch this post sooner, had some time off work , LOL :)

well, my first concern would be her cable service. Always on an if she doesnt have a firewall of some sort (did she have zone alarm from the beginning ? ), its an open invitation, but Im sure you know the ropes... how does she know its mIRC ?
If she didnt install it herself, it might be something else posing as mIRC...as you might know, IRC works on a client-server basis. Nothing better to copy and mask as mIRC, which one of the most popular IRC chat clients. It can be also used to fool some firewalls showing itself as a legitimate service. If the task manager is being called up, it might be whoever is connecting to her machine might be trying to see if the firewall is running and possibly shut it down. It might even not be someone connecting...Some trojans have capability to rifle through the system, call up the task manager and hunt down the firewall or antivirus that might be running. its Nprotect or Zapro in the task list for norton and zone alarm btw. If you can, post more details or if you find some interesting reg. entries post back....
 

·
Registered
Joined
·
1,481 Posts
Discussion Starter #3
Thanks...

First thanks for the reply....

Second...You dont have to add the as you knows...I have my strong points and I have my weak points...but I am always willing to learn something new....even if I knew it..sometimes its nce to hear it form a diffrent angel...and not that I am patronizing you but I thought I knew my virus stuff till you got on the board...

enough of this mushy stuff:winkgrin:

How do I know Its mIRC....If she maximizes the bar on the task bar she gets a white screen with blue lettering saying attmemting to contact host on port XX failed and this goes on with difrent port numbers...she can close it at that time or go to the about option and the splash screen calls itself an out dated Version od mIRC with a picture of some ugly white guy:angry2:

Zone Alarm...No I pulled one of my many brain farts and forgot to install Zone Alarm till ater the fact....was too busy getting W2K to play nice...so it was open for a while..:no: ...dumb dumb dumb..... It appears that nortons is running fine, has not been tamered with and not flagging anything suspicous....

Items running in Task Manager....She has the free download for zonealarm ...will ZApro still be what it is called...Nprotect should be running...the reson I think it is with out checking is I can open system works, run live update and scan the system....

Are the reg files in W2K the same as W98 were it come to start up ...What Trojan dector or bug remover do you suggest?? Seeing that I have time before I get the system in my hands....what other advice do you have for beting this bugger??

I might have some screen shot form an old email at home so Ill post them if I didnt delete them yet...
 

·
Premium Member
Joined
·
1,611 Posts
its nce to hear it form a diffrent angel
HEY !!! you're calling me an angel ? what kind of mushy stuff are you getting into, Doonz ? you're going soft on me dude ... LOL j/k of course.... :tongue2: :tongue2: :tongue2: ....yeah, Im always willing to learn too...cant get enough of it.

anyways, here is something I found on IRC and security. Might help.

http://www.irchelp.org/irchelp/security/irc-backdoor.txt
http://www.theregus.com/content/4/26226.html
http://worms.help.quakenet.org/list.php?worm_id=15
http://securityresponse.symantec.com/avcenter/venc/data/trojan.nullbot.html
http://www.megasecurity.org/Scanners.html
http://www.blackcode.com/trojans/details.php?id=810
http://www.blackcode.com/trojans/details.php?id=809


what she might of seen is something like this :

http://www.teamos2.org.pl/odin/jpegs/mirc.jpg

[edit] and of course, forgot to put in my 2 cents.

my problem with mIRC is its script based. Prog. itself can be used as a malicious tool. You can use so called "bots" to try to connect different servers and do whatever they're programmed to do. For example, they can call up the list of the IP's stored on the machine (gates.txt) for ex. and connect to hackers remote. The problem is, they can use a legitimate list to "hide" the bot from detection. You said she saw it trying to connect to different ports ? it might of been a bot trying to connect to diferrent legitimate IRC servers and trying to flood the regular channels with junk so the legitimate users get booted off.
as for the cleaners, not sure what to recommend really, because we're not even sure this is what we think it is, but, since these things usually try to go through some UDP ports, you can try
http://www.hackerwacker.com
http://www.twc-hvc.com/freestuff/cleaners.html
 

·
Registered
Joined
·
1,481 Posts
Discussion Starter #5
By goerge Angel ...I mean Wizard you come thourgh again...

the last link is it to a tee....I think it is even the same ugly white guy...Does the trojan have a name....??? So it can point me in the right direction...

Do you trust Black code as a reputable website or a hacker haven...??

Ill try the removal features tonight over the phone and see how it works out...thanks for your help and feel free to add anything else...
 
1 - 5 of 5 Posts
Status
Not open for further replies.
Top