Well, I guess I got duped pretty good.
Dunno where I got it from, but, something is trying to use an mIRC client to either download from an FTP or upload some data from my comp.
I don’t know the limitations of mIRC and its scripting language, but from the files that keep regenerating in a folder in my fonts folder, and what I can understand of what’s coded in them is that I have a script that is attempting to contact and outside host for data transfer purposes.
It’s very annoying. Not only in that it’s there, but it tries to run every time I open a program that can use the internet. Thankfully, Zonealarm has stopped all attempts for the program to contact the outside world, at least, I think it has.
So, I come to you, my brethren, and ask for assistance. I will give what meager details I have found in my half-hour to an hour of trying to get this virus out of my system.
So, what I know:
-It regenerates from a source that I cannot locate.
-It has with it a program that can view all background programs and make them visible (“Power Meter” “Magnify Feature” “Multimedia Keyboard”). It’s labeled Temp2.exe and has a window title of “HideWindow”.
-There is a file that while not responsible for the regeneration, at least I think not, is always executed whenever I open an internet related program. “undelete.exe” It is a self-extracting zip made by SFX Maker.
-mIRC script coded into a file labeled tight.txt I understand none of it other than the fact that it wants to communicate outside of my system and I beleive it is attempting to retrieve the status of my ports.
-The directory contains a “temp.scr” that I am not going to open.
-Directory also contains “shiver.exe”. Run from Dos prompt it appears to be some type of attack or some such. To quote “usage: /WINDOWS/FONTS/TBA1/SHIVER.EXE <victem> <size>” Also has a link to: http://www.nuclearwinter.com
-File “servers.txt” invludes one line (edited for content):
fckmein.myftp.org 6667
-File “script.ini” includes the lines (edited for content):
n4=%uplocation http://192.41.43.73/chicks/Sys32.exe
n5=%connect.server fckmein.myftp.org 6667
and
n7=%connect.chan #tba1
n8=%max.load 3
n9=%connect.count 1
n10=%script.pass fearme
n11=%xyz fckmein.myftp.org #tba1
and
n14=%finalbtch fuckmein.myftp.org-6667-#tba1
-File “mirc.ini” contains general information about my system, such as location of browser and email client executables as well as a process to extract server variable from the main mIRC client.
-Also contained in directory are the files “gu.exe” and “cygwin1.dll”. An attempt to extract both files is made when opening a program that can connect to the internet.
So, as you can see, I don’t really know that much. That’s why I came here, and posted here. I hope that one of you has the knowledge that can rid my computer of this evil. Please, oh please help me!
(and geez, it’s 3AM already, I should be asleep, not trying to solicite the help that might be found in the great collective wisdom here at the SDMB.)