Tom's Guide | Tom's Hardware | Tom's Games
HELP! Downloaded a file from Kazaa, yes, should have known this one would come back to bite me in the rear.
Since I rarely have these annoying incidents, obviously it was a self-extracting file; it said the file so-and-so in the Kazaa Lite My Shared Folder, called CERT, was infected with the IRC Trojan. The problem: my dat files are very much up to date, so Norton should have quarantined this file, and I am puzzled as to why it didn't! Instead it gave me the red box and shut everything off. When I caught it (I was in the other room watching TV at the time), the red box was on the screen and the internet was disconnected, but the red box stated the file was infected with the IRC Trojan.
I immediately pulled the plugs (phone wires), did a Norton scan of the folder and voila, it caught it and I manually quarantined it.
Please help as to what this is, being IRC (I am not fond of the sound of this), how much info the culprits got, etc., and what registry steps and files to delete; Norton said it could not be repaired.
Should I delete it after quarantine, and what is the payload/what are the steps to remedy it?
Thanks.

DO NOT DELETE ANY FILES until you write down the names of the files that Norton identified and where they are. The removal instructions for this are very detailed, so you really need to go to the Symantec website and use the virus definitions area to find them. Hopefully you caught it before any significant damage happened. Kazaa gets so many unwary people in trouble. You will have earned an A+ after this experience. Get a firewall to check any outgoing traffic, and scan every file or program download without exception. Take care and all the best!

The only place it was was the quarantine area.
I looked for the following info (see below for removal instructions) and no sign of same was found.
Symantec's online scan was totally normal, as was a subsequent scan offline with Norton. My dat files are updated daily!
The file has been submitted to SARC. I do believe this file was self-extracting on download but didn't get past Norton's extremely good protection on installation/the opening of files.
Here is the antidote, although my machine didn't show a trace of same!
IRC Trojan is a general detection that is used by Norton AntiVirus when detecting Trojans that target systems that have Internet Relay Chat (IRC) installed. In these cases, a general detection is used because it provides protection against many IRC Trojans that share certain characteristics.
Threats that are detected as IRC Trojan will try to get access to your system through an IRC server. They will typically attempt to open a hidden connection from your computer to an IRC server. Once this happens, the hacker can send commands to the hidden IRC connection to steal system information or any other information that they program the IRC Trojan to obtain. They can also do things that other Trojan Horse programs do, such as delete a file, open the CD-ROM drive tray, shut down the system, and so on.
Removal instructions
To remove IRC Trojan you need to do the following:
Run LiveUpdate to make sure that you have the most recent definitions.
Run a full system scan, making sure that Norton AntiVirus (NAV) is set to scan all files. Delete any files infected with IRC Trojan.
Remove any references to the infected files that have been added to the Windows registry.
Remove any references to the infected files that have been added to the Win.ini and System.ini files (Windows 95/98/Me).
For detailed instructions, see the sections that follow.
NOTE: The procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.
To run LiveUpdate:
1. Start Norton AntiVirus.
2. Click LiveUpdate, and follow the prompts. For detailed instructions, see the document How to run LiveUpdate.
To scan with NAV
1. Start NAV and run a full system scan, making sure that NAV is set to scan all files. For detailed instructions, see the document What to do if you suspect that your computer is infected with a virus, worm, or Trojan.
2. If NAV detects any files as IRC Trojan, write down the name and location of the file before you allow NAV to delete it. You will need this information in the sections that follow.
NOTE: As an alternative, you can print a copy of the Norton AntiVirus Activity log; the log contains information on what was detected, the location of the file, and what was done to it. To do this:
1. With NAV still open, click Reports.
2. Double-click "View the log of Norton AntiVirus activities."
3. Click Print.
To edit the registry:
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. Refer to the list of infected files that you created while following the instructions in the previous section. In the right pane, look at the entries in the Name and Data columns.
5. If you find an entry that refers to a file that was detected as infected, select the entry, press Delete, and then click Yes to confirm.
6. Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
7. Refer to the list of infected files that you created while following the instructions in the previous section. In the right pane, look at the entries in the Name and Data columns.
8. If you find an entry that refers to a file that was detected as infected, select the entry, press Delete, and then click Yes to confirm.
9. Exit the Registry Editor.
Edit Windows startup files
NOTES:
The instructions in this section apply only to Windows 95/98/Me. It is not necessary to do this if you are running Windows NT/2000/XP.
(For Windows Me users only) Due to the file-protection process in Windows Me, there is a backup copy of the file you are about to edit in the C:\Windows\Recent folder. We recommend that you delete this file before you continue with the steps in this section. To do so using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.
1. Click Start, and click Run.
2. Type the following, and then click OK.
edit c:\windows\win.ini
The MS-DOS Editor opens.
NOTE: If Windows is installed in a different location, make the appropriate path substitution.
CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. The Trojan can add lines such as load=c:\windows\temp\pkg2350.exe or run=hpfsched msrexe.exe. (In this example, hpfsched is a legitimate program, but msrexe.exe is part of the Trojan.)
If you are sure that the text contained in these lines is for programs that you normally use, then we suggest that you do not remove it. If you are not sure, but the text does not refer to the file names that you wrote down earlier, then you can prevent the lines from loading by placing a semicolon in the first character position of the line. For example:
3. Locate the load= line within the [windows] section of the Win.ini file; it is usually located near the top of the file.
4. Position the cursor immediately to the right of the equal (=) sign.
5. Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
6. Repeat steps 3 to 5 for the run= line, which is usually beneath the load= line.
7. Click File, click Exit, and then click Yes when you are prompted to save the changes.
8. Click Start, and click Run.
9. Type the following, and then click OK.
edit c:\windows\system.ini
The MS-DOS Editor opens.
NOTE: If Windows is installed in a different location, make the appropriate substitution.
10. Locate the shell=explorer.exe line within the [boot] section of the System.ini file; it is usually located near the top of the file.
11. Position the cursor immediately to the right of explorer.exe.
12. Press Shift+End to select all of the text to the right of explorer.exe and then press Delete.
NOTE: Some computers may have an entry other than explorer.exe after shell=. If this is the case, and you are running an alternate Windows shell, then change this line to shell=explorer.exe for now. You can change it back to your alternate shell after you have finished this procedure.
13. Click File, click Exit, and then click Yes when you are prompted to save the changes.
This completes the removal part of the process. Even though you did so previously, start NAV and run another full system scan. Delete any files found to be infected with IRC Trojan. When finished, restart the computer.
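The removal steps above amount to a manual audit of four startup locations (the Run and RunServices registry keys, the win.ini load= and run= lines, the system.ini shell= line) against the list of file names the scanner reported. As an added example that is not part of the Symantec document or anything a poster wrote, the Python script below performs the same audit over text: the registry keys are supplied as a regedit export (File > Export), the .ini files as strings, so it runs offline on any platform. The sample export, sample .ini contents and the suspect file names (msrexe.exe and pkg2350.exe, taken from the document's own run=/load= example) are constructed for the demonstration. Like the document's caveat about `run=hpfsched msrexe.exe`, it matches per token, so a legitimate program sharing a line with the Trojan is not flagged.

```python
"""Audit Windows startup locations against scanner-reported file names.

Added example, not part of the Symantec removal document. Inputs are plain
text so the check runs offline: a regedit .reg export for the registry keys
and the raw contents of win.ini / system.ini."""
import re
from typing import Dict, List, Tuple

# Constructed sample inputs (assumed to mimic a regedit export and the two
# .ini files of an infected Windows 9x machine).
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"msrexe"="C:\\WINDOWS\\SYSTEM\\msrexe.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"""

SAMPLE_WIN_INI = r"""[windows]
load=c:\windows\temp\pkg2350.exe
run=hpfsched msrexe.exe
NullPort=None
"""

SAMPLE_SYSTEM_INI = r"""[boot]
shell=explorer.exe msrexe.exe
"""

# The names the scanner reported; the document tells you to write these down
# before deleting anything. Constructed for the example.
SUSPECT_FILES = {"msrexe.exe", "pkg2350.exe"}


def _basename(path: str) -> str:
    """Last path component, lower-cased, for matching against SUSPECT_FILES."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def _mentions_suspect(value: str, suspects) -> List[str]:
    """Suspect file names appearing as whitespace-separated tokens of a
    command line, so 'hpfsched msrexe.exe' flags only msrexe.exe."""
    return [_basename(tok) for tok in value.split() if _basename(tok) in suspects]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] in a regedit export to its value-name -> string data."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            # .reg files escape every backslash in string data as \\
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def parse_ini_section(text: str, section: str) -> Dict[str, str]:
    """key -> value for one [section] of a win.ini-style file (';' = comment)."""
    values: Dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == section.lower()
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def audit_startup(reg_export: str, win_ini: str, system_ini: str,
                  suspects=SUSPECT_FILES) -> List[Tuple[str, str, List[str]]]:
    """Return (location, entry, matched_files) for every startup entry that
    references a suspect file, in the order the removal document checks them."""
    findings = []
    keys = parse_reg_export(reg_export)
    base = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
    for sub in ("Run", "RunServices"):
        for name, data in keys.get(base + "\\" + sub, {}).items():
            hits = _mentions_suspect(data, suspects)
            if hits:
                findings.append((f"HKLM\\...\\{sub}", f"{name}={data}", hits))
    win = parse_ini_section(win_ini, "windows")
    for key in ("load", "run"):
        hits = _mentions_suspect(win.get(key, ""), suspects)
        if hits:
            findings.append(("win.ini [windows]", f"{key}={win[key]}", hits))
    shell = parse_ini_section(system_ini, "boot").get("shell", "explorer.exe")
    # Anything after the shell executable on shell= is suspicious by itself,
    # so report it even when the name is not on the list.
    extra = shell.split()[1:]
    if extra:
        findings.append(("system.ini [boot]", f"shell={shell}",
                         _mentions_suspect(" ".join(extra), suspects) or extra))
    return findings


if __name__ == "__main__":
    for where, entry, hits in audit_startup(SAMPLE_REG_EXPORT, SAMPLE_WIN_INI,
                                            SAMPLE_SYSTEM_INI):
        print(f"{where}: {entry}  -> {', '.join(hits)}")
```

On the sample data the script reports the msrexe value under Run, both win.ini lines (flagging only msrexe.exe on the run= line, not hpfsched) and the trailing msrexe.exe on shell=, while the legitimate ScanRegistry, SystemTray and LoadPowerProfile entries pass. It only reports; deleting the matching entries is still the manual step the document describes.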

I hope you did NOT think up-to-date NAV would protect against KAZAA or KAZAA LITE or any other file sharing crap.
I guess after you solve this problem, you're back on Kazaa having fun.

Did not know the general feel of the public, and have heard talk on this forum now and then from passers-by about file sharing. I only started about a month ago.
Thought most people were into MP3s, and thought, since the closing of one major file-sharing place (but I understand it is reopening for a fee), that most people were akin to it.
I would gladly pay a fee and cannot understand why they are not shut down or reopened with a fee, as they are far more intense than the one that closed a couple of years ago.
Didn't mean to offend anyone, and I would gladly pay a fee for use if they get shut down and reopened.
File sharing has been around for a long time and I cannot solve the world's problems, and do get caught up within the trends of people far worse than myself.

Xena, if you use the search feature above for Kazaa in the security area you will see all the problems that users have experienced using it. I know it is by far the most popular peer-to-peer program. The company provides what I consider no security filters or support to its users. It has worms and trojans that are specific to Kazaa, because the program is so easy to abuse. If they at least issued warnings and offered their users a list of steps to take to be safe, and emphasized how important those steps were, my opinion might change. Bottom line: you can use it, but you have to be very careful. You are the only trusted friend you have on the internet. Take care and all the best!

Thanks, I do believe my antivirus caught this file in the opening/file-extraction stage, as no registry or other stated files were found.
I do use the utmost in firewalls and antivirus, and the dat files were up to date and are on a daily basis.
Thanks.

I recently used Kazaa Lite and I knew I would be downloading at my own risk. I didn't have an antivirus installed, which was even worse; one of the first 3 files I downloaded had a couple of backdoor trojans and viruses in it. I didn't check till a friend of mine said Norton had opened up an infected file which I had sent him. I then installed an AV; it found a few infected files. Then I tried another AV, which found more; then I tried Norton AV 2003, which seemed to work pretty well. I installed ZAPro and was getting a lot of alerts, so I thought I may still be infected; I ran Ad-Aware and SpyCop etc. looking for stuff. I ended up formatting anyway, since I didn't like the idea of people snooping around on my comp. Anyway, after that I started reading more on security/hacking pages etc., and it kinda makes you more paranoid. Software firewalls are overrated, and your average home computer users are easy targets, never knowing anyone's been on their system. I used to never really worry about whether someone was on my system; I didn't really have any info or anything to steal on it, and I still don't. I figure if they really want in they will get in somehow.
Since I reinstalled my firewall, attack alerts have dropped. I still get some, but I assume that's normal because I imagine there are a lot of people scanning ports all the time. If you use any port monitors, test them out at places that run scans, because some actually open ports on your system, such as NukeNabber does. TCPView and IP-Tools have a monitor and they don't seem to open ports. TCPView is basically a netstat command for Windows.
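The Symantec text earlier in the thread says an IRC Trojan opens a hidden connection from the victim to an IRC server, and the post above recommends a netstat-style monitor (TCPView) for spotting connections and open ports. As an added example that is not part of the thread or of any of the tools it names, the script below parses `netstat -an` output in the Windows layout and flags two things: an ESTABLISHED connection to a port in the conventional IRC range (6660-6669, 6697, 7000) and a LISTENING port not on an allow-list of expected listeners. The sample netstat lines and the allow-list are constructed for the demonstration. The port list is a heuristic only: a Trojan can use any port, so a clean report is not proof of a clean machine, and a connection to an IRC port is only suspicious when you are not running an IRC client yourself.

```python
"""Flag IRC-style connections and unexpected listeners in netstat output.

Added example, not from the original thread. Parses constructed Windows
'netstat -an' lines; run the real command and feed its output to parse_netstat
to use it on a live host."""
import re
from typing import List, Tuple

# Conventional IRC server ports (assumption: a Trojan may use any port).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Listening ports this sample host is expected to have (assumed; adjust per host).
EXPECTED_LISTENERS = {135, 139, 445}

# Constructed sample output in the Windows 'netstat -an' layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       192.0.2.10:6667        ESTABLISHED
  TCP    192.168.1.5:1052       203.0.113.7:80         ESTABLISHED
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# proto, local addr:port, foreign addr:port, optional state (UDP rows have none)
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[dict]:
    """One dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "laddr": laddr, "lport": None if lport == "*" else int(lport),
            "faddr": faddr, "fport": None if fport == "*" else int(fport),
            "state": state or "",
        })
    return rows


def find_suspicious(rows: List[dict],
                    expected_listeners=EXPECTED_LISTENERS) -> List[Tuple[str, str]]:
    """Return (reason, 'local -> foreign') for each row worth a second look."""
    findings = []
    for r in rows:
        peer = f"{r['laddr']}:{r['lport']} -> {r['faddr']}:{r['fport']}"
        if r["state"] == "ESTABLISHED" and r["fport"] in IRC_PORTS:
            findings.append(("irc-connection", peer))
        elif r["state"] == "LISTENING" and r["lport"] not in expected_listeners:
            findings.append(("unexpected-listener", peer))
    return findings


if __name__ == "__main__":
    for reason, peer in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{reason}: {peer}")
```

On the sample it reports the outbound connection to 192.0.2.10:6667 and the listener on port 31337, and passes the RPC listener on 135 and the web connection to port 80. On a live machine, run it repeatedly; a Trojan that reconnects periodically may not be connected at the moment of a single snapshot.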

Thanks, did a Panda scan and had suspicious files. Ended up doing the equivalent of a format, as I reloaded Ghost images to my hard drive from bootable CDs, which took about 10 minutes.
But, as I understand it guys, we have to do the Windows updates, and that is probably what happened: the "hidden holes" due to lack of maintenance on our part.
My suspicious file was from a very popular download site and the name was, don't laugh, "fruity loops", which was supposed to be a MIDI player.
One of the most critical is the MIME header email fix, in which a virus is allowed to extract itself, equivalent to an attachment just opening itself, all because updates were not done!
Shame on me.
Thanks guys, sorry so late in posting a thanks.
