
Spy Sweeper: 2 "infections" (???) found [Spy Sweeper Log]

Discussion in 'Malware and Virus Removal Archive' started by mailman, 2006/06/20.

  1. 2006/06/20 mailman (Geek Member, Thread Starter)
    I scanned my computer this morning with Spy Sweeper [version 4.5.9 (Build 709), latest definitions: v 702] and Spy Sweeper reported as follows:

    10:20 AM: | Start of Session, Tuesday, June 20, 2006 |
    10:20 AM: Spy Sweeper started
    10:20 AM: Sweep initiated using definitions version 702
    10:20 AM: Starting Memory Sweep
    10:25 AM: Starting Registry Sweep
    10:25 AM: Memory Sweep Complete, Elapsed Time: 00:00:00
    10:25 AM: Found Trojan Horse: trojan-backdoor-flood.mirc
    10:25 AM: HKCR\chatfile\ (15 subtraces) (ID = 1505519)
    10:25 AM: HKCR\irc\defaulticon\ (1 subtraces) (ID = 1505536)
    10:25 AM: HKCR\irc\shell\open\command\ (1 subtraces) (ID = 1505540)
    10:25 AM: HKLM\software\classes\chatfile\defaulticon\ (1 subtraces) (ID = 1505553)
    10:25 AM: HKLM\software\classes\irc\defaulticon\ (1 subtraces) (ID = 1505564)
    10:25 AM: HKLM\software\classes\irc\shell\ (11 subtraces) (ID = 1505566)

    10:25 AM: Registry Sweep Complete, Elapsed Time:00:04:33
    10:25 AM: Starting Cookie Sweep
    10:25 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    10:25 AM: Starting File Sweep
    10:57 AM: Found System Monitor: potentially rootkit-masked files
    10:57 AM: gen.dll (ID = 0)
    10:57 AM: liveupdate.exe (ID = 0)
    10:57 AM: g20060322_0800.trf (ID = 0)
    10:57 AM: g20060331_0444.trf (ID = 0)
    10:57 AM: g20060409_1917.trf (ID = 0)
    10:57 AM: g20060417_1740.trf (ID = 0)
    10:57 AM: g20060422_1609.trf (ID = 0)
    10:57 AM: g20060429_0134.trf (ID = 0)
    10:57 AM: g20060504_0530.trf (ID = 0)
    10:57 AM: g20060510_1522.trf (ID = 0)
    10:57 AM: g20060520_0846.trf (ID = 0)
    10:57 AM: g20060528_2029.trf (ID = 0)
    10:57 AM: g20060606_0904.trf (ID = 0)
    10:57 AM: cumulative20060322.trf (ID = 0)
    10:57 AM: g20060612_2002.trf (ID = 0)
    10:57 AM: settings.ini (ID = 0)
    10:57 AM: liveupdate.ini (ID = 0)
    10:57 AM: m20060322_0800.trf (ID = 0)
    10:57 AM: updatelist.txt (ID = 0)
    10:57 AM: Warning: Unhandled Archive Type
    10:57 AM: Warning: Unhandled Archive Type
    10:57 AM: Warning: Unhandled Archive Type
    10:57 AM: Warning: Unhandled Archive Type
    10:57 AM: Warning: Unhandled Archive Type
    10:57 AM: Warning: Unhandled Archive Type
    10:57 AM: Warning: Unhandled Archive Type
    10:57 AM: Warning: Unhandled Archive Type
    10:59 AM: Warning: Unhandled Archive Type
    10:59 AM: Warning: Unhandled Archive Type
    10:59 AM: Warning: Unhandled Archive Type
    10:59 AM: Warning: Unhandled Archive Type
    10:59 AM: Warning: Unhandled Archive Type
    10:59 AM: Warning: Unhandled Archive Type
    10:59 AM: liveupdate.lnk (ID = 0)

    10:59 AM: File Sweep Complete, Elapsed Time: 00:33:54
    10:59 AM: Full Sweep has completed. Elapsed time 00:38:28
    10:59 AM: Traces Found: 56
    11:32 AM: Removal process initiated
    11:32 AM: Quarantining All Traces: trojan-backdoor-flood.mirc
    11:32 AM: Removal process completed. Elapsed time 00:00:00

    I added the bold/color to my Spy Sweeper log.

    Before I allowed Spy Sweeper to quarantine the "trojan horse" registry keys, I viewed the keys and they all appeared normal mIRC stuff as far as I can tell. (I have mIRC version 6.16 installed.)

    Some of the registry keys were as follows:

    HKCR\irc\defaulticon\ "C:\Program Files\mIRC\mirc.exe "
    HKCR\irc\shell\open\command\ "C:\Program Files\mIRC\mirc.exe" -noconnect
    HKLM\software\classes\chatfile\defaulticon\ "C:\Program Files\mIRC\mirc.exe "
    HKLM\software\classes\irc\defaulticon\ "C:\Program Files\mIRC\mirc.exe "
    HKLM\software\classes\irc\shell\open\
    • command\ "C:\Program Files\mIRC\mirc.exe" -noconnect
    • ddeexec\ REG_SZ %1
      • Application mIRC
      • ifexec REG_SZ %1
      • Topic REG_SZ Connect

    The ddeexec subkey info shown above is the same as the subkey info in the HKCR\irc\shell\open key.

    I Googled "trojan-backdoor-flood.mirc" and came up with only 2 related forum threads (one in German, which I translated to English via Google). Neither of those resources was very helpful.

    Do other users here who have mIRC and Spy Sweeper installed get the same results when you scan your system with Spy Sweeper?

    Is this "Found Trojan Horse: trojan-backdoor-flood.mirc" a false positive?


    The 2nd "infection" references files located in my C:\Program Files\Trojan Hunter 4.5\ directory/subdirectories and Spy Sweeper says these files are hidden from Windows. I suspect that is also a false-positive as I have Trojan Hunter 4.5 installed. I'm guessing Trojan Hunter intentionally "hides itself from Windows" as a defense against malware (although I can view the C:\Program Files\Trojan Hunter 4.5\ directory and subdirectories in Windows Explorer).

    Do other users here with Trojan Hunter 4.5 and Spy Sweeper installed get the same results as mine?

    Is this "Found System Monitor: potentially rootkit-masked files" a false positive?
     
    Last edited: 2006/06/20
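    As an added example (not code from this thread, from Webroot or from mIRC), here is a small Python parser for the Spy Sweeper 4.5 log format quoted above, with a triage pass that flags the two patterns the post asks about before anything is quarantined: a detection whose traces are only file-type/protocol handler registry keys, and a detection whose traces all carry ID = 0. The sample log lines are constructed from the entries in the post; reading ID = 0 as "no signature id behind this trace" is an assumption, not documented Spy Sweeper behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the Spy Sweeper 4.5 log quoted above.
SAMPLE_LOG = r"""10:25 AM: Found Trojan Horse: trojan-backdoor-flood.mirc
10:25 AM: HKCR\chatfile\ (15 subtraces) (ID = 1505519)
10:25 AM: HKCR\irc\shell\open\command\ (1 subtraces) (ID = 1505540)
10:25 AM: Registry Sweep Complete, Elapsed Time:00:04:33
10:57 AM: Found System Monitor: potentially rootkit-masked files
10:57 AM: gen.dll (ID = 0)
10:57 AM: liveupdate.exe (ID = 0)
10:57 AM: Warning: Unhandled Archive Type
10:59 AM: File Sweep Complete, Elapsed Time: 00:33:54
"""

TIME = r"^\d{1,2}:\d{2} [AP]M: "
FOUND_RE = re.compile(TIME + r"Found (.+?): (.+)$")
TRACE_RE = re.compile(TIME + r"(.+?)(?: \((\d+) subtraces\))? \(ID = (\d+)\)$")

@dataclass
class Detection:
    category: str            # e.g. "Trojan Horse", "System Monitor"
    name: str                # e.g. "trojan-backdoor-flood.mirc"
    traces: list = field(default_factory=list)  # (trace, subtraces, id)

def parse_log(text):
    """Group each 'Found ...' header with the trace lines that follow it."""
    detections, current = [], None
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            current = Detection(m.group(1), m.group(2))
            detections.append(current)
        elif (m := TRACE_RE.match(line)) and current is not None:
            current.traces.append((m.group(1), int(m.group(2) or 0), int(m.group(3))))
        elif "Sweep Complete" in line:   # phase boundary ends the current block
            current = None
    return detections

def triage(detections):
    """Flag the patterns from the thread; treating ID = 0 as 'no signature' is an assumption."""
    notes = []
    for d in detections:
        if d.traces and all(sig == 0 for _, _, sig in d.traces):
            notes.append((d.name, "heuristic: every trace has ID = 0; confirm with an independent rootkit scanner"))
        elif d.traces and all(t.startswith(("HKCR\\", "HKLM\\software\\classes\\")) for t, _, _ in d.traces):
            notes.append((d.name, "registry-only: handler keys; compare their command values with the installed program before quarantining"))
    return notes
```

    Run over the full log from the post, the same two detections come out, and the registry-only note is the cue to open each key and check what its command value actually launches, which is what the post did by hand.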
  2. 2006/06/20 mailman (Geek Member, Thread Starter)
    Whoever moved this thread, thanks. I apologize for apparently posting in the wrong forum. :eek: I'll remember to always post anything with a log in the Removing Spyware & Viruses forum. :)

    I did some poking around and found some info related to Spy Sweeper's "Found System Monitor: potentially rootkit-masked files" stuff. I searched The Trojan Hunter forums for "Spy Sweeper" and ran across a thread that indicates it is likely a false-positive.

    I haven't downloaded the workaround that Magnus posted in that thread. I may just be patient and wait for the next official TH build release.

    =====

    The mIRC-related stuff in my Spy Sweeper log so far remains puzzling for me. Using Google to search for "chatfile" I ran across a Sophos page that has me wondering.

    I haven't used mIRC for a few months so I may just go ahead and uninstall it. However, before I do, I'll wait for comments from others who may have mIRC v6.16 installed.

    I noticed when I ran mIRC earlier today (after my Spy Sweeper scan), the suspect registry keys were recreated...and subsequently redetected in another Spy Sweeper scan.

    Here are a couple hash values for my mirc.exe in case anyone else here wants to compare my hash values with their copy of mIRC v6.16.

    Karen's Hasher v2.2.1
    http://www.karenware.com

    Date: 6/20/2006 11:11:20 PM
    Files Hashed: 1

    File Name: C:\Program Files\mIRC\mirc.exe
    MD5 Hash: 0471108D25398E9F200FD7C580082A8E
    SHA-1 Hash: 12C7E3B5F76035E57AA73226263EE19A92766476

    My next step in this investigation seems to be to check for hash values at an official mIRC site. If I can't find any, I may try uninstalling my current mIRC and then downloading/installing mIRC v6.17 (new version) from an official mIRC site.

    (I thought the copy of mirc.exe I have was from an official mIRC site but I suppose some malware could have modified it.)
     
    Last edited: 2006/06/20


  4. 2006/06/20 Geri (Inactive Alumni)
    Hi mailman
    You could download and run rootkitrevealer and see what comes up.
    If anything is found you could post it here for someone to look at.
    Geri

    I have spy sweeper but not the other programs :cool:
    Geri
     
  5. 2006/06/21 mailman (Geek Member, Thread Starter)
    Thanks, Geri.

    I ran SysInternals' RootkitRevealer v1.7 and the scan didn't turn up anything that concerns me. I also ran F-Secure's Blacklight Beta (latest release) and that turned up negative. Therefore, I'm no longer concerned about the Trojan Hunter LiveUpdate-related part of my Spy Sweeper scan.

    I'll still wait a bit for someone to pipe up about the mIRC-related registry key alerts and/or hash value for their mirc.exe v6.16 file. Since the deleted keys stay away (unless I run mIRC), I might experiment a bit with mIRC in the meantime. :)

    Might be interesting to see if those keys get created with a clean install of version 6.17 (or even the version 6.16 install file I already have).
     
  6. 2006/07/03 madelen24
    HI Mailman
    I got Mirc v6.17 and spysweeper v4.5.9 build ( 709 ) installed,
    spy definition v711 , and have exactly the same problem as you have !

    madelen24
     
    Last edited: 2006/07/03
  7. 2006/07/07 madelen24
    trojan-backdoor-flood.mirc ... problem is solved!

    hi

    Problem: "When scanning with Spysweeper V 4.5.9 (Build 709), the following spy: trojan-backdoor-flood.mirc, is detected when using Mirc v6.16 or 6.17"

    Solution :

    Your problem is actually related to a bug with Spy Sweeper's new method for updating the definitions -- the items being detected by the program aren't actually present on your computer.

    This problem has a pretty easy fix. All you need to do is open Spy Sweeper, click the Home button, then hold down the Ctrl and Alt keys on your keyboard while double-clicking the Spy Sweeper icon. Doing so will bring up a small menu of additional support buttons. One of these buttons is labeled Download Full definitions. Click this button and let the definitions fully download. After doing this, you should be able to successfully sweep your system again.
     
    Last edited: 2006/07/07
  8. 2006/07/12 mailman (Geek Member, Thread Starter)
    Thanks, madelen24.

    I wasn't aware of such a Ctrl-Alt-doubleclick feature in Spy Sweeper (which indeed does bring up the support buttons you mentioned).

    Where did you find that solution/fix described?
     
  9. 2006/07/13 madelen24
    Hi mailman

    The solution came from Brian R of Webroot (spysweeper).

    He gave me this solution after looking at a set of files I sent to him
    to fix my problem.
    Hope it helps you too !

    madelen24

    P.S : Sorry for my English , i am more familiar with French !
     
  10. 2006/07/13 mailman (Geek Member, Thread Starter)
    Thanks again, madelen24.

    Actually, I didn't apply the fix since I downloaded and installed Spy Sweeper version 5.0.5.1286 last night (and I haven't run mIRC yet since I deleted those registry keys). I will keep the fix in mind the next time I run mIRC.

    However, I'm curious about what the other support buttons actually do. I tried the "Reset Application" button and that removed my registration code information from Spy Sweeper. I had to re-enter my registration code to get Spy Sweeper working normally again. :)

    For people who are curious about the buttons, they are named as follows:

    • Reset KS List
    • Reset Application
    • Reset Settings
    • Reset 'Don't Show' Setting
    • Download Full Definitions
    • Turn SPS Off

    I Googled the phrase "Reset KS List" and didn't come up with anything. Likewise for "Reset 'Don't Show' Setting ". The "Turn SPS Off" phrase produced two results but they were unrelated to Spy Sweeper.

    Apparently, those support buttons are not very well understood or discussed outside of the Webroot/Spy Sweeper staff.
     
  11. 2006/08/09 mailman (Geek Member, Thread Starter)
    Here is a Private Message (PM) someone recently sent me that I thought I'd share so all may benefit.

    Here is my obfuscated reply.

    Thanks for your suggestion, ******. I have been going without Spy Sweeper the last few weeks (even though I recently purchased 2 years worth of updates eligibility because SpySweeper continues to score well in anti-spyware tests...including test results reported in either the August or September 2006 issue of Consumer Reports magazine).

    I have become somewhat disenchanted with Spy Sweeper. SpySweeper has had troubles dealing with large HOSTS files for a looooong time and the apparent software conflicts that produced the incessant popup windows was the straw that broke the camel's back, as far as I'm concerned. If I can't use SpySweeper with all options enabled, I'll continue using other realtime anti-spyware apps. :)

    Thanks again for your tip. I'll keep your PM to refer to if/when I feel like playing with SpySweeper again. I can at least use the SPS button to enable me to kill the process and perhaps use it as an on-demand scanner only.

    It may be a month or two before I give Spy Sweeper another shot. Perhaps, by then, they'll have an update that addresses its issues. :rolleyes:
     
  12. 2006/08/10 TeMerc (Inactive Alumni)
    The latest version of SS is indeed a huge improvement and I don't think there have been any complaints with it.

    Give it a shot, it's version 5.0.7 build 1605
     
  13. 2006/08/10 mailman (Geek Member, Thread Starter)
    Wow! Thanks, TeMerc!

    Did they fix the large HOSTS file issue too???

    Ya got my hopes up! I'm about to download it and give it a try in the near future. :)
     
  14. 2006/08/10 TeMerc (Inactive Alumni)
    Hosts file issue is still not addressed. It is limited to 600 entries, just disable both shields and you're good to go.
     
