Author Topic: Win32.mIRC.62 need help :(  (Read 53100 times)

0 Members and 1 Guest are viewing this topic.

bug_master

  • Guest
Win32.mIRC.62 need help :(
« on: April 08, 2007, 02:46:07 PM »
Hi I am using Avast home 4.7 and some days ago I had a problem with a virus.
After fixing the problem I run a check with Kaspersky Online Scanner and it found this - C:\Program Files\mIRC\mirc.exe  Infected: not-a-virus:Client-IRC.Win32.mIRC.62 .
I ignored it because it sais it is not a virus but today when I ran a new check I got this - C:\System Volume Information\_restore{0C465918-B52E-4BCA-8911-EBDFCE22B207}\RP385\A0502340.exe  Infected: not-a-virus:Client-IRC.Win32.mIRC.62 .
Why is it multiplying, what should I do  ???

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67203
Re: Win32.mIRC.62 need help :(
« Reply #1 on: April 08, 2007, 02:55:28 PM »
If a virus is replicant (coming and coming again), you should disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again.

It won't hurt if you run an avast boot time scanning too.

Welcome to avast forums 8)
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87647
  • No support PMs thanks
Re: Win32.mIRC.62 need help :(
« Reply #2 on: April 08, 2007, 03:11:46 PM »
You don't say what detected it in the C:\System Volume Information folder, but I assume not avast as it didn't detect anything in the C:\Program Files\mIRC\mirc.exe, assuming that this is one and the same file.

There is a possiblilty that it was a fasle positive detection by Kaspersky.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. I don't believe you will be able to test the one in the restore point as that will be protected (or should) by windows.

Once you have done that post the results here.

I assume you have this mIRC program ?

I don't think it is multiplying, if something is deleted (and I know you say you ignored it) from the system folders and system restore is enabled it will create a restore point to allow for restoration. This is done by the system restore function and not malware creating a fake restore point in a windows protected area.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.4.6062 (build 23.4.8118.762) UI 1.0.762/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #3 on: April 08, 2007, 03:16:23 PM »
I detected it with Kaspersky online scanner.

Sunday, April 08, 2007 4:15:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/04/2007
Kaspersky Anti-Virus database records: 292519

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Statistics
Total number of scanned objects 56026
Number of viruses found 1
Number of infected objects 2 / 0
Number of suspicious objects 0
Duration of the scan process 00:24:55

C:\System Volume Information\_restore{0C465918-B52E-4BCA-8911-EBDFCE22B207}\RP385\A0502340.exe  Infected: not-a-virus:Client-IRC.Win32.mIRC.62  skipped 
 
C:\System Volume Information\_restore{0C465918-B52E-4BCA-8911-EBDFCE22B207}\RP390\A0502749.exe  Infected: not-a-virus:Client-IRC.Win32.mIRC.62  skipped 

Is it a virus or not ???

Btw I uninstalled Mirc two hours ago.
« Last Edit: April 08, 2007, 03:18:26 PM by bug_master »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87647
  • No support PMs thanks
Re: Win32.mIRC.62 need help :(
« Reply #4 on: April 08, 2007, 03:35:15 PM »
Quote
Is it a virus or not ???

The only way to tell is by confirmation (using a multi-engined scan) and that is going to be almost impossible since you have uninstalled it before you even posted here.

Unless you reinstalled it or uploaded the installation file to virustotal, etc. to be scanned I doubt we will ever know.

However, the not-a-virus: prefix in the malware name (not-a-virus:Client-IRC.Win32.mIRC.62) could indicate that it is a tool which could be used for alternative purposes and Kaspersky is saying it is riskware, if you installed it then the purpose is less of a risk.

A google search for not-a-virus:Client-IRC.Win32.mIRC.62 returns many hits
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.4.6062 (build 23.4.8118.762) UI 1.0.762/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #5 on: April 08, 2007, 03:52:37 PM »
The results of virus total on the installation file:
AhnLab-V3 2007.4.7.0 04.06.2007  no virus found
AntiVir 7.3.1.48 04.08.2007  no virus found
Authentium 4.93.8 04.06.2007  no virus found
Avast 4.7.936.0 04.06.2007  no virus found
AVG 7.5.0.447 04.08.2007  no virus found
BitDefender 7.2 04.08.2007  no virus found
CAT-QuickHeal 9.00 04.06.2007  no virus found
ClamAV devel-20070312 04.08.2007  no virus found
DrWeb 4.33 04.08.2007  no virus found
eSafe 7.0.15.0 04.07.2007  no virus found
eTrust-Vet 30.7.3549 04.06.2007  no virus found
Ewido 4.0 04.08.2007  no virus found
FileAdvisor 1 04.08.2007  Not analyzed yet
Fortinet 2.85.0.0 04.08.2007  no virus found
F-Prot 4.3.1.45 04.04.2007  no virus found
F-Secure 6.70.13030.0 04.08.2007  no virus found
Ikarus T3.1.1.3 04.08.2007 not-a-virus:Client-IRC.Win32.mIRC.62
Kaspersky 4.0.2.24 04.08.2007 not-a-virus:Client-IRC.Win32.mIRC.62
McAfee 5003 04.06.2007  no virus found
Microsoft 1.2405 04.08.2007  no virus found
NOD32v2 2173 04.07.2007  no virus found
Norman 5.80.02 04.05.2007  no virus found
Panda 9.0.0.4 04.08.2007  no virus found
Prevx1 V2 04.08.2007  no virus found
Sophos 4.16.0 04.06.2007  no virus found
Sunbelt 2.2.907.0 04.07.2007  no virus found
Symantec 10 04.08.2007  no virus found
TheHacker 6.1.6.085 04.04.2007  no virus found
VBA32 3.11.3 04.07.2007  no virus found
VirusBuster 4.3.7:9 04.07.2007  no virus found
Webwasher-Gateway 6.0.1 04.08.2007 no virus found


Btw yesterday Kaspersky Online Scanner found this - C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\45UVSPEZ\mc2[1].js  Infected: Trojan.JS.Agent.b .
Today it does not find it anymore  ;D
I'm begining to doubt the relyability of Kaspersky  :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67203
Re: Win32.mIRC.62 need help :(
« Reply #6 on: April 08, 2007, 04:02:30 PM »
Today it does not find it anymore  ;D
I'm begining to doubt the relyability of Kaspersky  :)
On contrary, they could have corrected a false positive.
They worked correctly and fast. It tells in favor of Kaspersky, not in contrary.
The best things in life are free.

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #7 on: April 08, 2007, 04:11:03 PM »
Quote
On contrary, they could have corrected a false positive.
They worked correctly and fast. It tells in favor of Kaspersky, not in contrary.

Yeah, I couldn't rest all night thinking I have a virus that is not detected by Avast and suddenly the next day it "magicly" disappears  ;D
I used Kaspersky once but when I uninstalled it I found 3 trojans with Avast  :o
So Avast rules as always  8)

Btw after disabling system restore I get no more detections from Kaspersky about Client-IRC.Win32.mIRC.62  :D

Thanx alot guys  :)

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #8 on: April 08, 2007, 04:22:45 PM »
However, the not-a-virus: prefix in the malware name (not-a-virus:Client-IRC.Win32.mIRC.62) could indicate that it is a tool which could be used for alternative purposes and Kaspersky is saying it is riskware, if you installed it then the purpose is less of a risk.
That's exactly it.

mIRC can be installed and used by trojans to open a backdoor so if you hadn't installed it yourself it would need further investigation.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67203
Re: Win32.mIRC.62 need help :(
« Reply #9 on: April 08, 2007, 04:26:08 PM »
I used Kaspersky once but when I uninstalled it I found 3 trojans with Avast  :o
So Avast rules as always  8)
I doubt that detection rates of Kaspersky are lower than avast... maybe I can't get biased on this point: avast does not have the best detection rates in the antivirus market.
The best things in life are free.

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #10 on: April 08, 2007, 04:28:12 PM »
I installed mIRC myself.
But I was planing to uninstall it anyway until I got this weird results from kaspersky  :-\

Btw could the files of Avast get infected themselves?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67203
Re: Win32.mIRC.62 need help :(
« Reply #11 on: April 08, 2007, 04:30:44 PM »
Btw could the files of Avast get infected themselves?
Themselves... well, avast files could be infected as any other, but, of course, avast does not infect its own files by itself...
The best things in life are free.

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #12 on: April 08, 2007, 04:35:28 PM »
Themselves... well, avast files could be infected as any other, but, of course, avast does not infect its own files by itself...

I don't mean to infect itself, I suffered heavily some days ago by a trojan infestation so I found that the file ashavast was infected and a bak folder appeared in the avast directory  ???
I just wondered if the antivirus can become a virus itself?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87647
  • No support PMs thanks
Re: Win32.mIRC.62 need help :(
« Reply #13 on: April 08, 2007, 04:37:09 PM »
No problem glad we could help, welcome to the forums.

Disabling system restore and rebooting clears ALL restore points infected or otherwise, so nothing to detect. Re-enabling system restore will create a current restore point.

Re avast getting infected, yes that is possible,avast has an integrity check which should I would hope detect the changes and hopefully the infection and it may well be possible using the repair function to cecover from that. avast 5 is I believe going to include a self protection capability.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.4.6062 (build 23.4.8118.762) UI 1.0.762/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #14 on: April 08, 2007, 04:41:21 PM »
I don't mean to infect itself, I suffered heavily some days ago by a trojan infestation so I found that the file ashavast was infected and a bak folder appeared in the avast directory  ???
That could be an indication of an AWF infection. 

Download FindAWF, save it and run it.

Then post the log it creates.