W32.IRCBot Trojan detected

powerMarkymark

Platinum Member
Jan 29, 2002
I have Nod32 and I get a warning that "Event occured on a new file created by C:\program Files\Internet Explorer\iexplore.exe. The file was moved to quarantine. You may close this window."

Basically I get this warning every time I open Internet Explorer, which is seldom as I use Firefox.

How can I rid myself of this trojan, as Nod32 doesn't seem to get rid of it?

TIA

M@rc
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Have you run an exhaustive full scan of the computer recently? If not, update NOD32 and configure it for maximum detection (using heuristics, scanning inside archives & compressed files). Then reboot into Safe Mode, and run a full scan. Simultaneous pizza consumption optional :D
 

powerMarkymark

Platinum Member
Jan 29, 2002
Originally posted by: mechBgon
Have you run an exhaustive full scan of the computer recently? If not, update NOD32 and configure it for maximum detection (using heuristics, scanning inside archives & compressed files). Then reboot into Safe Mode, and run a full scan. Simultaneous pizza consumption optional :D

Yeah, I did the full scan after a Nod32 update, but not in safe mode.

Is that why it did not catch it?


M@rc
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Originally posted by: powerMarkymark
Originally posted by: mechBgon
Have you run an exhaustive full scan of the computer recently? If not, update NOD32 and configure it for maximum detection (using heuristics, scanning inside archives & compressed files). Then reboot into Safe Mode, and run a full scan. Simultaneous pizza consumption optional :D

Yeah, I did the full scan after a Nod32 update, but not in safe mode.

Is that why it did not catch it?


M@rc
I don't know. Does NOD32 give any specifics about the exact file, and where it is located? It could be that NOD32 is treating the symptoms, but not the disease. Another idea is to try a bunch of online virus scanners to see if one of them can find the root of the problem. Here are some, if you want to try that. Use IE since they're ActiveX-based:

F-Secure online scanner
Microsoft online scanner
TrendMicro online scanner
Panda online scanner

You might want to disable System Restore too, in case some of this is hiding in your SR files. And it might help to run CCleaner: download CCleaner.
 

powerMarkymark

Platinum Member
Jan 29, 2002
Well none of those online scanners worked!

So I purchased XoftspySE and after a scan and clean, no more trojan.

Cool, I was just about to reformat and reinstall, so it saved me the trouble.

Cheers.

M@rc
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
I'd ask John for recommendations on good antispyware software, since he removes spyware for a living. Here's his spyware-removal guide, which will probably tip you off to what he'll recommend: http://www.elitekiller.com/malware.htm

For spyware prevention, I personally use the built-in capabilities of Windows XP Pro: a Limited account, combined with a disallowed-by-default Software Restriction Policy. This combo, combined with routine patching, is very powerful prevention AS LONG AS the user doesn't abandon his common sense, bypass his own security measures, and start installing questionable junk that he shouldn't be touching with a ten-foot pole. :evil:

My approach assumes you start with a clean system and NEVAR break the chain of trust. So if you wanted to use my approach, the first thing you'd do would be to back up your important data, then burn your Windows installation to the ground, reinstall from authentic Microsoft media, and keep your new Windows installation 100% squeaky-clean.

Most people don't want to do that, so whatever. But it works great.
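An added example, not from the thread or from any of its posters: a PowerShell audit that checks whether a machine matches the setup mechBgon describes above, that is, a Software Restriction Policy with a Disallowed default level and a non-administrator account for day-to-day use. It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; the level subkey names and value names used below are an assumption about that layout.

```powershell
# Added example: audit for "Limited account + disallowed-by-default SRP".
# Assumes the SRP policy lives under the Safer\CodeIdentifiers key (assumption).
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel DWORD values SRP uses for the three security levels.
$levels = @{
    0x00000 = 'Disallowed'
    0x10000 = 'Basic User'
    0x40000 = 'Unrestricted'
}

function Get-SrpDefaultLevel {
    # Returns the default level name, or $null when no SRP policy is defined.
    if (-not (Test-Path $srp)) { return $null }
    $v = (Get-ItemProperty -Path $srp -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $v) { return $null }
    if ($levels.ContainsKey([int]$v)) { return $levels[[int]$v] }
    return ('Unknown (0x{0:X})' -f $v)
}

function Test-IsAdmin {
    # True when the current token is in the local Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$level = Get-SrpDefaultLevel
if ($level -eq 'Disallowed') { 'SRP default level: Disallowed (deny-by-default, as described)' }
elseif ($null -eq $level)    { 'SRP: no policy configured' }
else                         { "SRP default level: $level (not deny-by-default)" }

# Path rules are stored under a subkey per level; 262144 (0x40000) holds the
# Unrestricted (allow) rules. With a Disallowed default, these are the only
# locations code may run from, so they deserve a look (key layout assumed).
$allow = Join-Path $srp '262144\Paths'
if (Test-Path $allow) {
    Get-ChildItem $allow | ForEach-Object {
        $rule = Get-ItemProperty $_.PSPath
        "Allowed path rule: $($rule.ItemData)"
    }
}

if (Test-IsAdmin) { 'Running as an administrator; daily use should be from a Limited account' }
else              { 'Running as a non-administrator (Limited) account' }
```

Run it from the account used for everyday browsing, since the admin check reports on the current token, not on the accounts that exist on the machine.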
 

John

Moderator Emeritus / Elite Member
Oct 9, 1999
powerMarkymark, by any chance did you download NOD32 from somewhere other than NOD32's website? I have seen that exact file come up after installation on several occasions. If that's not the case we'll chalk it up as a coincidence. :p