The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    IRC.Botnet

    Discussion in 'Networking and Wireless' started by flamehawk, Aug 5, 2007.

  1. flamehawk

    flamehawk Notebook Enthusiast

    Last week I was blocked by Rogers High Speed (ISP here in Toronto) because of some sorta 'Denial of Service' attack. I ran a Symantec antivirus scan and found some trojans, and I thought that was the end of the matter.

    But two days later, I was blocked at the University also, which displayed the error message stating that I was blocked because of an "IRC.botnet". I tried another antivirus program (AVG) and found a couple more and again just thought that maybe the first antivirus wasn't good enough. But sure enough, 2/3 days after that I got blocked from Rogers again, so this time I just brought it to the technicians at school. They scanned all my ports, looked through my computer and insisted that everything was fine and even reconnected me to the school's network. Given the assurance from these guys, I got my internet with Rogers restored with the warning that if it was to happen again, I'd be banned for days or a week or be fined.

    But earlier today with only 3 web browser windows open (Facebook, Digg, and some soccer forum) sent packets once again started rising really quickly while received stayed consistent (every time I get blocked, sent is really high compared to received) so I shut off my internet quickly ... looks like I still have some sort of problem. Do you guys have any idea what the problem could be? I really don't want to reformat.
     
  2. masterchef341

    masterchef341 The guy from The Notebook

    you will need to reformat. you obviously have a virus that has embedded itself into your system and will be almost impossible to remove.

    things like avg and symantec are generally good at protecting you from viruses in the first place, but if they miss one, it's almost impossible for them to get rid of it after the fact. the idea is that they will detect the virus before it embeds itself in your computer and prevent it from doing so.

    the problem with every lock is that a person is holding the key. a lock can be infinitely strong, but eventually the person holding the key becomes the limiting factor in lock strength.

    if you run an executable file, it doesn't matter how much virus protection you have; you are giving that exe access to your system. if you don't know exactly where it came from or what it does, you could get a virus.

    similarly, using internet explorer and browsing around the web is dangerous. opening a website that you aren't familiar with can open your system to that website enough that it could conceivably take advantage of a hole in internet explorer and implant a file on your system.

    use firefox to remedy that problem.
     
  3. flamehawk

    flamehawk Notebook Enthusiast

    Well yea, I am using firefox.

    Well, sounds like I am going to have to reformat. My friend keeps telling me to use Linux instead; maybe I'll try it out.
     
  4. blue68f100

    blue68f100 Notebook Virtuoso

    Rootkits are very very very hard to get rid of. They are embedded so deep in the OS files and are designed to prevent detection. And they reinstall themselves when they are removed. It's highly possible that it has over 10 installers scattered on your HD.

    Knowing the name of the rootkit helps. You may try running Hijackthis from merijn.org or http://www.castlecops.com/t165203-IceSword_Instructions_in_English_Illustrated.html.

    Delete all temp files, cache, cookies before running scanners. Sometimes it's better to boot into safe mode, but some removal tools will not run under safe mode.

    But you will find it a lot easier to back up your data. And do a clean install (doing a full format), install your AV and malware detection programs. Scan your data files with everything you can get your hands on, before copying back to your HD. Otherwise you will be doing it again.
     
  5. flamehawk

    flamehawk Notebook Enthusiast

    Oh and btw the people at the University scanned all the ports and didn't find anything either. Does that mean anything or no?
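
Added example, not part of any poster's message: an IRC bot connects outward to its controller, so a scan of the machine's listening ports can come back clean while the outbound connection table still shows the problem. This Python sketch parses `netstat -ano` output and flags processes with outbound IRC sessions or bursts of half-open connections; the sample rows, the port list and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.20:1042      203.0.113.7:6667       ESTABLISHED     1337
  TCP    192.168.1.20:1050      198.51.100.4:80        ESTABLISHED     2204
  TCP    192.168.1.20:1061      192.0.2.10:445         SYN_SENT        1337
  TCP    192.168.1.20:1062      192.0.2.11:445         SYN_SENT        1337
  TCP    192.168.1.20:1063      192.0.2.12:445         SYN_SENT        1337
"""

# Conventional IRC ports; a bot may use others, so treat this list as an assumption.
IRC_PORTS = set(range(6660, 6670)) | {7000}
# Assumed threshold: this many half-open outbound connects from one PID is unusual.
SYN_SENT_THRESHOLD = 3

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def suspicious_pids(netstat_text):
    """Return {pid: [reasons]} for PIDs with outbound IRC or many half-open connects."""
    findings = {}
    syn_sent = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _, _, raddr, rport, state, pid = m.groups()
        rport, pid = int(rport), int(pid)
        if state == "ESTABLISHED" and rport in IRC_PORTS:
            findings.setdefault(pid, []).append(
                f"outbound IRC session to {raddr}:{rport}")
        elif state == "SYN_SENT":
            syn_sent[pid] += 1
    for pid, count in syn_sent.items():
        if count >= SYN_SENT_THRESHOLD:
            findings.setdefault(pid, []).append(
                f"{count} half-open outbound connections")
    return findings


if __name__ == "__main__":
    for pid, reasons in suspicious_pids(SAMPLE_NETSTAT).items():
        print(pid, reasons)
```

A rootkit can hide its connections from `netstat` on the infected machine, so the same check is more trustworthy when run against traffic seen at the router or gateway.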
     
  6. Greg

    Greg Notebook Nobel Laureate

    That just means the virus/rootkit is smarter than they are.

    I'd reformat, to tell you the truth, and change your browsing habits and not go to sites of dubious quality/origins.
     
  7. knp

    knp Notebook Evangelist

    Rootkits can be revealed, although they are usually hidden very well. Use F-Secure Blacklight to scan for rootkits.

    I don't recommend using HijackThis because you probably won't know what to do even if HijackThis reveals running processes and so forth. AV programs are usually rendered useless once your computer has been infected by a decently created virus, so those will not really help at this time. Like the others mentioned, just reformat. It'll save you a lot of work.
     
  8. andyasselin

    andyasselin Notebook Deity

    Also try Spybot S&D to see if it finds anything.

    Also, if you do use HijackThis, post the log file to the forum, or a screenshot of what it finds, and we can tell you what to get rid of or if there are any bad entries.