Heeeeeeeeelp ! :/

Jika

Fledgling Freddie
Joined
Jan 24, 2004
Messages
1,040
Okay, thing is ... I know it's the wrong place but ..
I am n00b about PCs and shit .. so
2 days ago I clicked to some link on irc and it opened some new server and DL'd some shit ><
Now after I rebooted, some mirc.exe DLL shit started to spam :x only way out was reboot .. Then I deleted irc etc and chked, if it was about it .. but noo .. if I try to open any .txt document it creates mirc.exe, mirc.dll and some other files to c: .. also I can't open F-secure, but F-secure keeps spamming that some QQ file found mirc.exe and is renamed to mirc.0xe
Now I DL'd Norton trialware and scanning with it - found nothing, did 1 online scan also (Trend Micro) and it found 5 infected files .. system sound ... smth and 1 in mirc.exe .. all were same TROJ NATALIA :x so I clicked to DELETE and it deleted ze files, but still every time I open .txt document it creates mirc.exe and mirc.dll again :x .. Can't log in to irc also, caus it tries to connect to some QQ server and crashes all the time ..
and as I said I am fucking noob ..
WHAT TO DO ?!? :/

and I also want to apologize in front of Fame and his grp that I left his grp like that 2 days ago, I just wasn't able to log in to irc or ingame , sorry
 

Jika

Fledgling Freddie
Joined
Jan 24, 2004
Messages
1,040
the one that Sheph gave found 0, so as Norton and F-secure ..
Only antivirus that finds anything is Trend Micro PC-cillin ..
and again found 3 files TROJ NATALI.A in
C:\System Volume Information\_restore(a lot of numbers and letters here).exe .. deleted the files, but I think its still there, caus I deleted same files last time also :x

and cleared temp also

chked google for that virus troj natali.a and trojan natali.a .. only found some nas nas pages or italian ones ;) about that virus ;p
 

Jika

Fledgling Freddie
Joined
Jan 24, 2004
Messages
1,040
also I read on forums that this irc trojan is easily removable, but no1 say how or so ;x .. and also a lot say that no AV companies know anything about it, I think that's why none of them found anything, except 1
 

Kalid

Fledgling Freddie
Joined
Jan 26, 2004
Messages
147
It's an "application" called wsz32.exe that causes the problem.
At the moment (last I heard) the trojan is not detected by Norton, PC-cillin, McAfee, Panda, etc.. Kaspersky does detect it.

http://www.kaspersky.com/

Easy fix:

1) Close mIRC NOW!

2) Do [CTRL]-[SHIFT]-[ESC] and 'End Task' the process "wsz32.exe"

3) Go into your windows system folder (C:\windows\system, c:\windows\system32) and delete the "wsz32.exe" file.

If you don't find it this way you can go to Start, Search and search for "wsz32.exe" and delete it.

4a) Open your registry editor.

4b) Make a backup of your registry first. - File, Export, name it, choose "All", hit [Save]

4c) Search and delete the 'wsz32' keys. - Edit, Find, type in 'wsz32' and press [Find], delete the key.

4d) Keep searching. - Edit, Find Next.. or you can press [F3]

5) Once all the keys are removed, reboot the PC.

This should take care of your problem.



So what have we learned today? NEVER EVER click unknown links on irc. ;)
 

Kalid

Fledgling Freddie
Joined
Jan 26, 2004
Messages
147
Taken from another site:

New IE exploit (notepad.exe/mirc.exe trojan)
Yesterday on IRC, myself and a number of other people had our systems infected with a trojan after clicking on a URL disguised as a jpg. (If only I hadn't clicked so fast I would've seen the "DON'T CLICK VIRUS" warning!) I was using Internet Explorer.

This is what it did:

1. Uploaded new notepad.exe (about 220KB) into c:\windows\system32 directory (under WinXP).

2. Extracted the notepad.exe file (which was a WinRAR exe) and put the following files into c:\windows\temp directory: lol.bat, lol.lnk, mirc.exe

3. The lol.bat file executed mirc.exe, a backdoor IRC client which connected to IRC and then attempted to spread itself on channels by posting the fake jpg link.

4. It activates itself when notepad.exe is accessed. I don't think you have to even load notepad though. Even right clicking on file associated with notepad will activate it. (I think.)

However, I'm not sure if it worked properly on my machine as I kept getting windows popping up saying that mirc.exe could not load due to an error. I do not use MIRC as my IRC client so I don't know if it also needs a fully installed MIRC. Or it might be because I've disabled a lot of unnecessary processes, one or more of which the trojan may have required. When I brought up task manager there were dozens of instances of "mirc.exe" - it kept filling up, slowing down my computer so I had to reset.

I ran multiple virus scanners and nothing was detected.

* How to clean up (AS FAR AS I KNOW) *

1. Delete the fake notepad.exe (220KB) from c:\windows\system32 directory. Just to be safe I searched for all notepad.exe files and erased them all. (You'll have to grab a good copy from your WinXP disk or get one from a friend/web site.) The original one in the Windows directory seems ok though.

2. Go into c:\windows\temp and delete lol.bat, lol.lnk and mirc.exe files

That should remove the trojan. It doesn't appear to be malicious as far as I can tell - just annoying. But who knows? Hope to find out more information later. The only other mention I've found of it is on Usenet:

»groups.google.ca/groups?selm=406c3945...

Play safe! Be careful clicking on IRC links! I've switched over to FireFox since I hear it doesn't have this exploit.
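A triage check for the file indicators named in the two posts above (wsz32.exe in the system folders, the files dropped in windows\temp, and a system32 notepad.exe that is really a WinRAR self-extractor), written as an added example that is not part of the original posts. It scans a volume root such as a mounted disk image; the RAR signature test, the 200-240 KB size window and the names `resolve`, `scan` and `demo` are assumptions of this example, and the registry keys from step 4 are out of its scope.

```python
import os
import tempfile

RAR_MARKER = b"Rar!\x1a\x07\x00"  # RAR 4.x-and-earlier signature, found in WinRAR self-extractors
# File names and folders taken from the posts above (matched case-insensitively).
DROPPED = {"windows/system": ["wsz32.exe"], "windows/system32": ["wsz32.exe"],
           "windows/temp": ["lol.bat", "lol.lnk", "mirc.exe"]}
FAKE_KB = range(200, 241)  # assumption: window around the "about 220KB" fake notepad.exe

def resolve(root, relpath):
    """Follow relpath below root one component at a time, ignoring case; None if absent."""
    path = root
    for part in relpath.split("/"):
        try:
            match = [e for e in os.listdir(path) if e.lower() == part.lower()]
        except OSError:
            return None
        if not match:
            return None
        path = os.path.join(path, match[0])
    return path

def scan(root):
    """Return sorted (indicator, relative path) findings for a Windows volume at root."""
    hits = []
    for folder, names in DROPPED.items():
        for name in names:
            path = resolve(root, folder + "/" + name)
            if path and os.path.isfile(path):
                hits.append(("dropped-file", os.path.relpath(path, root)))
    notepad = resolve(root, "windows/system32/notepad.exe")
    if notepad and os.path.isfile(notepad):
        with open(notepad, "rb") as fh:
            body = fh.read(4 << 20)  # fake is ~220 KB, so 4 MiB is ample
        if RAR_MARKER in body:  # a self-extracting archive posing as notepad.exe
            hits.append(("notepad-embeds-rar", os.path.relpath(notepad, root)))
        elif os.path.getsize(notepad) // 1024 in FAKE_KB:
            hits.append(("notepad-size-match", os.path.relpath(notepad, root)))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree (harmless placeholder files) and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS", "system32"))
        os.makedirs(os.path.join(root, "WINDOWS", "Temp"))
        with open(os.path.join(root, "WINDOWS", "system32", "notepad.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\0" * 100 + RAR_MARKER)
        open(os.path.join(root, "WINDOWS", "Temp", "lol.bat"), "wb").close()
        return scan(root)
```

A hit only says where to look; confirm against a known-good notepad.exe before deleting anything.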
 

Kalid

Fledgling Freddie
Joined
Jan 26, 2004
Messages
147
Arggggh having a hangover ain't good for thinking...

You said it was found also in "C:\System Volume Information\_restore".
You can't have AV software modifying it without turning off system restore.

On Windows XP you can do this by right clicking on "My Computer" icon then choose Properties, System Restore and check the box: "Turn off System Restore on all drives", hit apply, restart the system and then scan/remove the infected files.
 

Jika

Fledgling Freddie
Joined
Jan 24, 2004
Messages
1,040
I had it under system volume information\_restore ..
but I managed to remove it from there etc and PC-cillin was the only1 that found it .. BUT
I still got the prob that I can't open .txt files (notepad, caus I don't have word etc ;p)
 

Jika

Fledgling Freddie
Joined
Jan 24, 2004
Messages
1,040
Kalid said:
Taken from another site:

New IE exploit (notepad.exe/mirc.exe trojan)
Yesterday on IRC, myself and a number of other people had our systems infected with a trojan after clicking on a URL disguised as a jpg. (If only I hadn't clicked so fast I would've seen the "DON'T CLICK VIRUS" warning!) I was using Internet Explorer.

This is what it did:

1. Uploaded new notepad.exe (about 220KB) into c:\windows\system32 directory (under WinXP).

2. Extracted the notepad.exe file (which was a WinRAR exe) and put the following files into c:\windows\temp directory: lol.bat, lol.lnk, mirc.exe

3. The lol.bat file executed mirc.exe, a backdoor IRC client which connected to IRC and then attempted to spread itself on channels by posting the fake jpg link.

4. It activates itself when notepad.exe is accessed. I don't think you have to even load notepad though. Even right clicking on file associated with notepad will activate it. (I think.)

However, I'm not sure if it worked properly on my machine as I kept getting windows popping up saying that mirc.exe could not load due to an error. I do not use MIRC as my IRC client so I don't know if it also needs a fully installed MIRC. Or it might be because I've disabled a lot of unnecessary processes, one or more of which the trojan may have required. When I brought up task manager there were dozens of instances of "mirc.exe" - it kept filling up, slowing down my computer so I had to reset.

I ran multiple virus scanners and nothing was detected.

* How to clean up (AS FAR AS I KNOW) *

1. Delete the fake notepad.exe (220KB) from c:\windows\system32 directory. Just to be safe I searched for all notepad.exe files and erased them all. (You'll have to grab a good copy from your WinXP disk or get one from a friend/web site.) The original one in the Windows directory seems ok though.

2. Go into c:\windows\temp and delete lol.bat, lol.lnk and mirc.exe files

That should remove the trojan. It doesn't appear to be malicious as far as I can tell - just annoying. But who knows? Hope to find out more information later. The only other mention I've found of it is on Usenet:

»groups.google.ca/groups?selm=406c3945...

Play safe! Be careful clicking on IRC links! I've switched over to FireFox since I hear it doesn't have this exploit.


and tnx a lot m8, I think that was it, not tested yet, but PC aint lagging anymore ;D
 
