
Trojan horse IRC/BackDoor.Flood


Original Message
Name: JonnyD
Date: October 8, 2002 at 00:46:19 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
OS: win 2000 pro
CPU/Ram: compaq 1700T/128mb
Comment:

I am running AVG and it detected two infected files, both infected with the same virus, Trojan horse IRC/BackDoor.Flood. It only, however, healed one of the files and left the other one infected, and I cannot figure out how to make AVG fix it. The name of the app is ocxdll.exe and I found it in C:\winnt\system32. That's basically all the info I have and it's making me very nervous, so if anyone can tell me the best way to deal with it, it'd be much appreciated.




Response Number 1
Name: tb525
Date: October 8, 2002 at 01:36:00 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
Reply:

Click Start > Run > type msconfig and click OK
Click the startup tab. Locate the entry for ocxdll.exe and uncheck it.
Reboot.

Do a find files for ocxdll.exe and delete it.



Response Number 2
Name: Leigh Fairclough
Date: October 8, 2002 at 03:05:33 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
Reply:

You might want to try this:

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry:

"LASS"="%current directory%\LASS.exe"


Still in the registry editor, in the left panel, double-click the following:

HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Uninstall\mIRC

In the right panel, locate the entry:

"UninstallString","" %current directory%\lexplore.exe" -uninstall"

NOTE: If you have not installed the mIRC application prior to infection, delete this entry.
Modify the above entry to this, if you have installed mIRC prior to infection:

"UninstallString",""c:\mirc\mirc32.exe" -uninstall"

Close Registry Editor.



Response Number 3
Name: greg stemler
Date: October 15, 2002 at 23:41:13 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
Reply:

I have found this virus on my computer in the exact circumstance as the initial message described. The infected file is identified as C:\WINNT\SYSTEM32\ocxdll.exe:\winhp32.exe
While I do OK with understanding my operating system and navigating through it, the previous two responses are way over my head. Could someone e-mail me to explain what these two methods of dealing with this are doing?

And another question: what if I just delete the file C:\WINNT\SYSTEM32\ocxdll (an application file that was "created" about 22 days ago, when I first started seeing this virus)? Will this not work? Also, is there any risk of triggering the virus if I open or otherwise mess with this file?

Your input is much appreciated.



Response Number 4
Name: greg stemler
Date: October 15, 2002 at 23:52:40 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
Reply:

Me again. I could not get "msconfig" to run (from response 1), nor could I locate "LASS"="%current directory%\LASS.exe" or "Uninstall\mIRC" in HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion> (from response 2).




Response Number 5
Name: Trevor
Date: October 16, 2002 at 13:35:03 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
Reply:

All you need to do is delete the OCXDLL.exe file. This will get rid of it until you install better protection on your machine. If you can't delete it in normal operating mode then delete it in safe mode.

Then you can scan your machine with virus software and verify it is gone.




Response Number 6
Name: Lee
Date: November 4, 2002 at 08:15:39 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
Reply:

I found the same virus 20 days ago, but in the file c:\winnt\system32\mdm.exe. I don't know what this file is for. Can I delete this file? Thanks in advance for any reply.



Response Number 7
Name: Steve
Date: November 6, 2002 at 19:32:07 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
Reply:

I have the exact same Trojan Horse, only the file is named botsetups.exe

The full filepath is:
C:\WINNT\system32\botsetups.exe

Any ideas for this one?



Response Number 8
Name: eva
Date: November 14, 2002 at 23:40:17 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
Reply:

Hi, I have updated the AVG Antivirus on my Win2000 system, but every time I run the antivirus, the IRC/BackDoor.flood virus is detected but it's unable to be cleaned. Please assist me, it's very frustrating. I happen to be running Morpheus for downloading music and I suspect this virus originated from it.



Response Number 9
Name: greg stemler
Date: November 18, 2002 at 10:55:48 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
Reply:


I have gone through a few rounds now, but I don't seem to have had any damage done to my computer. Here is a summary of what I've learned based on my experience of dealing with this virus. Note that I'm no computer pro, just a guy that hates that virus message as much as everyone else:

I run AVG to scan and fix viruses. Twice now I've had this virus. I suspect that my computer contracted it through file sharing, which I do for music (via WinMX). AVG first detects two corrupt files, then heals one but not the other. After the first time AVG deals with the virus, it will always tell you you have 1 infected file, but not remove it to the vault, nor heal it. If you run AVG while in Windows Explorer you can more accurately identify the infected file. Typically the file is in c:\winnt\system32.
Right-click on this folder and select Scan with AVG. Identify, then find the infected file. Scan the specific file you hunt down so that you're sure you've got it. Then delete that file. This can be scary if, like me, you don't have any idea what any of the files in this folder do, but I've done this twice now and have had no system problems. I suspect that the virus installs this file in this folder. Further, I think that the file AVG did heal was an important file for this virus, and that it doesn't work so well as only one file. (Again, I don't really know what I'm talking about; this is just a feeling based on what I've observed.)
Anyway, run AVG again after deleting this file to see if it's gone. This has worked for me twice. Good luck and happy downloading.
Since dealing with this, I've set up all my file sharing to use the My Received Files folder, and I scan it before I move any files out of it. So far so good. It's a crazy world full of crazy people.



Response Number 10
Name: Kyle Lai
Date: November 23, 2002 at 23:12:23 Pacific
Subject: Trojan horse IRC/BackDoor.Flood
Reply:

OCXDLL.EXE, TASKMNGR.EXE, TASK32.EXE, MDM.EXE, these are all indications of a mIRC trojan.

I wrote two parts of analysis on a Google discussion group back in late Aug. and early Sept.; you can find the links at www.kylelai.com/mIRC_Virus_Analysis.htm.

Astalavista.com has published my trojan analysis in a nice format at:
http://www.astalavista.com/trojans/library/trojans/analysis/mirc_trojan_analysis.shtml

You can also find an article talking about where trojans can reside inside your computer. http://webpages.charter.net/klai168//trojan_paper.htm

A discussion group I am still helping out is at newbie.org under the topic "taskmngr.exe." http://www.newbie.org/help/messages/2553.html

Based on the discussion at newbie.org, many people are still suffering from this trojan, and it has spread several times. People who have been infected more than once should change their administrator passwords right away to something hard to guess!

Good Luck,
/Kyle
Kyle Lai Consulting
kyle@kylelai.com
www.kylelai.com
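As an added example that is not from the thread or from any of the posters: a read-only PowerShell check for the indicators the replies describe, the file names from Responses 1, 6, 7 and 10 and the registry entries from Response 2. It assumes a current Windows with PowerShell 3 or later (so not the Windows 2000 machines in the thread) and that the files sit under %SystemRoot%\system32 as the posters report; the combined `$suspectFiles` list is my own assembly of the names quoted above.

```powershell
# Added example, not from the thread: read-only check for the indicators the
# replies describe. Requires PowerShell 3+ (Get-Item -Stream); run elevated.
$system32 = Join-Path $env:SystemRoot 'system32'

# File names the posters and Response 10 associate with this mIRC trojan.
# mdm.exe is also the name of Microsoft's Machine Debug Manager, so a hit is
# a lead to scan, not a verdict; the thread itself says to confirm with AVG.
$suspectFiles = @('ocxdll.exe', 'taskmngr.exe', 'task32.exe', 'mdm.exe',
                  'botsetups.exe', 'lass.exe', 'lexplore.exe')

$findings = @()

foreach ($name in $suspectFiles) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path
    $findings += [pscustomobject]@{
        Indicator = 'file'
        Detail    = "$path (created $($item.CreationTime), $($item.Length) bytes)"
    }
    # Response 3 saw the hit reported as ocxdll.exe:\winhp32.exe, i.e. a named
    # NTFS alternate data stream; list any stream other than the default one.
    $streams = Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        $findings += [pscustomobject]@{
            Indicator = 'stream'
            Detail    = "${path}:$($s.Stream) ($($s.Length) bytes)"
        }
    }
}

# Response 2: autorun value named LASS under HKLM\...\CurrentVersion\Run
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties.Name -contains 'LASS') {
    $findings += [pscustomobject]@{ Indicator = 'registry'; Detail = "$runKey\LASS = $($run.LASS)" }
}

# Response 2: a bogus mIRC uninstall entry whose UninstallString runs lexplore.exe
$uninstKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC'
$uninst = Get-ItemProperty -Path $uninstKey -ErrorAction SilentlyContinue
if ($uninst -and $uninst.UninstallString -match 'lexplore\.exe') {
    $findings += [pscustomobject]@{ Indicator = 'registry'; Detail = "$uninstKey\UninstallString = $($uninst.UninstallString)" }
}

if ($findings.Count -eq 0) { 'None of the indicators from this thread were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The script only reports; as Responses 5 and 9 say, confirm with an up-to-date scanner before deleting anything it lists.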







