Win32-IRCBot-CNE[Trj]

Hi,

I have SATA X64.

I picked up a trojan, Win32-IRCBot-CNE[Trj]. I've run Avast, Trend Micro Housecall, Panda Software Antivirus ActiveScan, Spybot - Search & Destroy, and SUPERAntiSpyware Professional. None of the programs could get rid of it.

Can I just delete the file?

 

These are the last 3 screenshots.

 

LOL Chaslang . . . thanks. Just what I need . . . Hahahahaaa

Avenger gave me a message that said that it's only used for Windows 2000, XP and Vista.

I tried using some of the tools in the Read Me one other time but most of them didn't support X64.

I formatted my pc about 2 months ago because of a few things that kept bothering me, nothing serious, so if there were any virus, trojans or anything else at the time, they were wiped out.

My pc has been running fine since then but not really properly. None of the instructions that I had said that risers were to be placed under the motherboard and I installed it without them, which caused all of the problems. Everything except the hard drive, the motherboard and the case are new. I just bought a new mobo and video card and I'm sure it'll fix the speed problem but I won't be installing it until next week. I won't turn on any of my ext hdds until I rid my pc of the trojan. If worse comes to worse, I'll have to format it again.

Not sure what you meant by

This program came from a trustworthy person. I don't think he knows that it contains a trojan. It's a slippery and strong trojan if Avast couldn't get rid of it or even put it in the chest.

 

I didn't try running it. As soon as I downloaded it, Avast picked it up as a trojan.

It might show twice because the first time I tried to put it in the chest and when that didn't work, I tried to delete it, but that didn't work either.

I messed up with the screenshots. The first screenshot isn't there that showed the path. I somehow put the second screenshot up 2 times. The full path was to my incoming folder, D:\WDownloads. D is a partition on my internal hdd.

Keymaker was inside the .rar file. Avast detected it as soon as I downloaded it so I never opened the .rar file.

I've never seen anything called "Recovery Console." I went into Safe Mode and ran Avast again, hoping that because it was in Safe Mode, it would be able to delete the trojan but it couldn't. I ran the other programs while I was in Safe Mode also.

When none of them found anything, I went into Safe Mode with Networking. Trend Micro Housecall installed its program but it couldn't run it, probably because it can run on a x64 os. The same thing happened with Panda.

X64 really needs more programs written/adapted for it. There are some but they're slow in coming.

I decided that the best thing to do with the .rar file was to delete it. Hopefully, since it was never opened, the trojan didn't get into my system. I'll find out in time.

 

I was writing when you were writing so I didn't address the items that you brought up in your edit but I think that I answered all your questions. I didn't delete the .rar file in Safe Mode . . . I didn't think of it. I deleted in normal mode and rebooted. I haven't noticed any abnormalities yet, so hopefully they'll be none.

 

Sure, I'll give GRK64.bat a try.

I'm going to also run another Avast scan . . . thanks for the suggestion.

I guess x64 was one of Microsoft's bombs.

I still have my Windows 2000XP Pro disk. Will it work with the rest of the components in my pc? Dual core cpu, SATA hdd, etc?

It's time for my head to hit the pillow now. I'll catch up with you tomorrow.

 

I just performed several Avast scans. The first one was in Regular Mode and the scan found 2 trojans. The first one was similar to the trojan that it found yesterday. Instead of putting it in my chest, I deleted it, which I should have done. I can't remember the name of the second trojan. I decided to go into in Safe Mode and delete it. It's hard for me to get into Safe Mode because my pc freezes up and it can 3 or 4 tries to get into Safe Mod. By the time I got into Safe Mode, I forgot the name of the file that I was going to delete so I performed another scan. There were no results. I disconnected my pc from the telephone line and opened hidden files and system files. I performed another test and it found nothing. I came back into regular mode, performed another scan with hidden files and system files unchecked. The scan found nothing.

 

I decided to repair Windows. I went into setup and made the DVD ROM drive the first in startup sequence. I put the disk in the drive, booted, and a screen came up, asking me if I wanted to Install Windows or Repair Windows. I chose R for Repair. It loaded a lot of files and another screen came up and basically asked me the same question, but Enter for exit and 1 for Repair. I chose 1 and I was asked for my Administrators password which gave me another C prompt. There were no instructions or options. The C prompt remained. I typed exit and it restarted and I tried it again, making sure that I didn't read anything the wrong way. The same thing happened so I can't Repair Windows. When I get the new motherboard installed, I'll do a complete format.

 

The trojan came back again. I spent the day running all the virus scan programs that I have and I downloaded AVG and it was just finished running when Avast popped up with the alert that the trojan was found. AVG didn't find anything, nor did the other programs that I ran.

Before I could try to put it in the chest or delete it, the warning closed when AVG closed.

I'm attaching a copy of the Avast warning. I searched in hidden and protected folders for the trojan by its name and I looked for it with hidden and protected folders turned off but the file wasn't there. The path stops at \$7 . . .

Okay! :hyper . . . I caught the little bugger . . . check out the screenshot . . . I'm gooood, uh-huh . . . uh-huh!

 

I only have Avast running. I have AVG set on demand. It doesn't run in the background. I stopped it in Services and put it on Manual.

So this little bugger is still running around in my pc? Is that what you're saying?

Just a couple of months ago, I had the x64 disk in my DVD ROM drive. I was in the middle of a format when there was a loud snap and everything stopped. I opened the DVD ROM drive and the x64 Windows disk was broken into multiple pieces. I checked out my brand new BenQ and saw that a nib that keeps DVD's in place had broken off. So I bought a new DVD ROM drive and a new x64 disk. Everybody that I had spoken with told me that x64 was around to stay and that Vista was just a stepping stone to x64, so I bought it again.

I don't have two os in my pc, just x64, but I still have my old 2000 XP Pro disk that I used on my old pc. I was thinking of formatting my pc with my 2000 XP Pro disk when I install the new motherboard. Right now, everything I purchased for this pc was geared for x64 and SATA. Would 2000 XP Pro be compatible with the x64 and SATA parts?

You burst my bubble . . . Is that trojan still in my pc as far as you can tell?
.

 

Isn't having it just sitting in my pc until I want to use it to scan my pc the same as having SpyBot or AdAware? All of its features are stopped and on manual in Services so it shouldn't do anything until I call it up. I trust your judgment but I always like to know the hows and whys of things, so my questions aren't meant to challenge your advice, just to understand and learn more.

No, I had meant the trojan but you said that it's gone from my pc so I'm just as happy.


I have a Windows XP Pro disk that I installed in my old pc. I'll check with the software and hardware forums about installing it in my new pc.


I haven't forgotten about running that program. I spent almost all day yesterday making sure that the trojan wasn't in my pc. I also had a terrible 3 hour dentist appt on Thursday with a dentist who must've gotten his license from a CrackerJack box.


I bought x64, as I said, because everyone told me it was the up and coming os. They said that Vista was going to fade out after more advances are made to make more x64 more compatible with hardware and software. I'm used to it and the only time I'm bothered by it is when I can't find an x64 program for my needs, which isn't very often. At this point, I don't see any other difference working with x64 that I did working with Windows XP Pro, but I'm disappointed that a lot of forums have a topic for Vista but none for x64.
.

 

ok, I'll uninstall AVG. I didn't think of registry conflicts. The more I learn, the more I see that I have more to learn. I don't know how the average Joe can know all this and it's no wonder that they have problems with their computers, me included, but I know enough to ask questions.

Don't you think that the "non-existant" trojan was a trojan at one time since it's in my temp folder? I thought that only things that existed and/or was in use showed up in the temp folder. It could've been there because I followed the path and deleted it. But it no longer matters since it's gone. I want to learn so much about computers . . . if I had some bucks, I'd take a few courses.

When my first disk broke in the brand new BenQ (and broked the BenQ while it was at it, or the other way around), I thought long and hard about switching to Vista, but the advice I got that said that Vista was basically just a stepping stone made me decide to buy another x64 version.

Ok, I gabbed long enuf and I know you guys and gals help a lot of people here so your time is needed elsewhere too.

AVG will be out and GRK64 within a few days.

Thanks for all your help Chaslang.
.

 

That was what I meant. The point that I was trying to make was, that since the trojan was in my temp file, it had to have existed in my pc at one time. So that's cleared up for me, thanks.


I ran GRK64. I received 2 reports. I have the Get Run Key report and a report that has a black background with white printing, like DOS, but there was no way to save the file, so I took some screenshots. Most of the report is there, beginning, middle and end. If you want more of that report, I'll make sure that I get a screenshot of the entire report.

 

The 3 parts of the second report.

 

The trojan was there before I downloaded and installed AVG. The only reason that I installed AVG was to see if it could delete it because Avast couldn't delete it.


I'll run GRK64 again.


It's now named H:\DownloadedFiles. Thanks for the tip )

 

I'm doing some processing which should end tomorrow night at the latest and I'll run the program according to the directions. I missed that part of what you asked me to do the first time around.

 

Hi,

I read the ReadMe and used the short method. I went into msconfig and checked Normal Startup. In Control Panel > Folder Options, I unchecked the boxes to hide system and hidden folders. I ran Advanced Windows Care and Disk Cleanup. CCleaner removes files that x64 needs so I didn't install and run it. I also ran AdAware and cleaned out some cookies.

I then created a folder C:\MGTools. I downloaded MGTools and placed it in the MGTools folder. I downloaded GRK64 and placed it in the MGTools folder. I ran MGTools to extract its contents and I then ran GRK64.

 

Ya know? Those instructions in the readme needs to be much more clear. You understand what they're asking for but they befuddle most non-technical minds. You told me to read the readme. I read the readme and followed its directions. grrrrrrrrrr. . . . Wording needs to be very clear

How does one save MGtools.exe to C:MGtools.exe? Did you mean MGTools folder? You see, I'm a MajorGeek (don't know why) but I've gone thru that readme a couple of times before and it really is confusing at times, to me, at least.

Okie-Dokie . . . the MGlobs.zip is attached. However, I didn't tell it where to put the file; no option for me to tell it where to put it. It wasn't placed in the MGTools folder. It was placed in the root C: drive. I've attached it. If it's no good, I'll try again.

 

I don't want conflicting interpretations beating this to death. I'll try to give you what you ask for. I named a folder MGTools, as requested and placed MGTools.exe in it.

I attached the GRK64.zip file.

I also got this report but I couldn't make a file of it so I copied and pasted it here: If you want anything else or need me to give you more info, feel free to ask.

******************************************************************************
* GetLogs.Bat - (c) 10/02/2006 By Chaslang *
* This version supports Win2K, XP and Vista *
* This small batch file is just used to automatically run GetUnKey.bat, *
* analyes.exe (HijackThis), GetRunKey.bat, ShowNew.bat and processDLL.exe. *
* It is automatically run by MGtools.exe during installation and can be run *
* at anytime there after to create a full set of logs. *
* 12/15/2007 Version 2.08 Put version info into history.txt *
******************************************************************************

Microsoft Windows [Version 5.2.3790]
updating: GetUnKey.txt (188 bytes security) (deflated 84%)
The image file C:\MGTools\ltime.exe is valid, but is for a machine type other th
an the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
NOTE: Ignore any error messages about not finding registry keys!
Just wait for the program to finish running!!
C:\MGTools\temp\xtmpsysccs.txt
C:\MGTools\temp\xtmpsyscs1.txt
C:\MGTools\temp\xtmpsyscs2.txt
1 file(s) copied.

C:\MGTools\temp\xrkey01.txt



C:\MGTools\temp\xrkey02.txt



C:\MGTools\temp\xrkey03.txt



C:\MGTools\temp\xrkey05.txt



C:\MGTools\temp\xrkey06.txt



C:\MGTools\temp\xrkey07.txt



C:\MGTools\temp\xrkey09.txt



C:\MGTools\temp\xrkey10.txt



C:\MGTools\temp\xrkey11.txt



C:\MGTools\temp\xrkey12.txt


updating: runkeys.txt (188 bytes security) (deflated 82%)
The image file C:\MGTools\ltime.exe is valid, but is for a machine type other th
an the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
Scanning please Wait.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
The image file C:\MGtools\locate.com is valid, but is for a machine type other t
han the current machine.
============= Finding copies of beep.sys ================= Please be patient
The system cannot find the file specified.
File Not Found
============= Finding copies of ctfmon.exe =============== Please be patient
The system cannot find the file specified.
============= Finding copies of explorer.exe ============= Please be patient
The system cannot find the file specified.
============= Finding copies of svchost.exe ============== Please be patient
The system cannot find the file specified.
============= Finding copies of ip6fw.sys ================ Please be patient
File Not Found
============= Finding copies of ndis.sys ================= Please be patient
File Not Found
============= Finding copies of winlogon.exe ============= Please be patient
The system cannot find the file specified.
File Not Found
============= Finding copies of ws2_32.dll ============== Please be patient

Checking for .COM files to Delete. They will only print if deleted!
Looking for new Vundo type infection. Be patient while scan runs!!

The image file C:\MGTools\ltime.exe is valid, but is for a machine type other than the current machine.
updating: newfiles.txt (188 bytes security) (deflated 83%)

The C:\MGTools\temp\GRKflag.txt exists. Deleting it!
Zipping hijackthis.log
updating: hijackthis.log (188 bytes security) (deflated 66%)
lsass
iexplore
wmiprvse
aswUpdSv
jusched
svchost
services
svchost
rundll32
alg
explorer
aawservice
ashMaiSv
nvsvc64
svchost
cmd
svchost
spoolsv
MGtools
ashWebSv
ProcessDll
ctfmon
smss
wmiprvse
winlogon
UnlockerAssistant
ashDisp
Webshots.scr
csrss
LSSrvc
svchost
ashServ
svchost
ctfmon
System
soundman
BitComet
Idle
1 file(s) copied.
Zipping procdll.txt
updating: procdll.txt (188 bytes security) (deflated 90%)


*** Scanning complete - Your log file is C:\MGlogs.zip ***


Hitting any key will close this command prompt window
Press any key to continue . . .

 

ok, put GRK64 in root drive C. It generated these reports.

 

1. I download the current version of MGtools.exe to my C drive and ran it (D drive is a partition of the drive)
2. I ran MGtools.exe
3. I downloaded GRK64.zip to my root drive and extracted it to MGTools folder
4. I double-clicked on the GRK64.bat file
5. It created a runkeys.txt log
6. Other logs in the MGTools folder are: GetUnKey.txt, history.txt, newfiles.txt and procdll.txt
7. I have been attaching the file MGlogs.zip to my posts but it seems that you're not getting them. I didn't attach GRK64 to the last couple of posts.

I'm attaching MGlogs.zip and runkeys.txt. If you want me to attach any of the other files in the MGTools folder, please let me know.

 

I'm happy to hear that you got the info you needed. I'll be all to happy to help for all the help I was given at MajorGeeks. I'm also happy that no malware was found in my pc, so I got something in return too

 

Hi Chaslang,

Would you compare this MGlogs.zip file with the one that I gave you earlier, especially the hijackthis log. I had Avast blowing its whistles and ringing it's bells a couple of hours ago and it couldn't fix one of the trojans that is said had come into my pc. My pc has been crawling along ever since.

 

Hi Chaslang,

Thanks for the info.

Avast found 3 within a minute's time. They all started with Win32. Avast was able to delete the first 2 but it couldn't delete the last one or put it in the chest. I shut off all my external hdds, hoping that it didn't move to one of them.

Right now, I'm on my daughter's computer. I'm installing the new motherboard (with risers), and then I'm going to format it again. If the trojan is on the C drive, it'll be deleted. I should be finished with it by this tomorrow (dentist today) and I'll let you know how it goes.

 

Edit to last post . . .

 

I got the pc back together again and it's up and running with no problems. I'm going to reformat it because if that trojan is on my hard drive, I want to get rid of it. I couldn't follow the path because the path was too long and it said something like C:\Programs \... Win32(name), or something like that. Avast really is an excellent anti-virus/trojan program. I get updates almost every day, sometimes twice a day.

So I'll be available to help you with the SN64.bat version of ShowNew.bat if you need it.

Thanks for letting me know that I should remove J2SE Runtime Environment 5.0 Update 3 and Java(TM) 6 Update 3.