Stubborn Rbot Trojan

#1 NakatomiVeteran (New Member, 5 posts)

I noticed a suspicious task running, the infamous p2pnetworking.exe. I googled it, checked a thread here, followed therock247uk's steps for removing it, and to my dismay, it was still there on reboot. After googling some more, I learned that this Rbot variant is IRC-controlled, creates phoney regedit.com, cmd.com, etc. files in C:\WINDOWS\system32\, and leaves two registry keys. I uploaded C:\xz.exe to the Kaspersky online virus scanner, and as I thought, it was p2pnetworking.exe's puppeteer. So I killed the registry keys, deleted the phoney .com files, and deleted xz.exe and p2pnetworking.exe. The task didn't resurface, so I thought I'd won. But I didn't. It was, again, there on reboot. I download Kaspersky's trial AV, and it detects two keyloggers and our favorite backdoor trojan couple right off the bat. It can't delete p2pnetworking.exe or xz.exe, so it eventually decides to try and delete them both on startup the next time I boot, but it CAN get rid of the keyloggers. At least I'm not being keylogged.

What tipped me off to the virus first was getting kicked off of various programs and being dragged back to viewing the desktop. It was getting annoying, which prompted me to start digging. I even downloaded Pocket Killbot and deleted everything through it, and it still regenerated. iSafer detects occasional attempts to use IE, and considering I only use Firefox, this is more than a little suspicious to me. I've forbidden access to the IP it was trying to contact, and I hope that impedes its progress.

I disobeyed the prime directive and downloaded both Kaspersky's AV and ClamWIN AV, and since ClamWIN didn't detect either the trojan pair or the keyloggers, I think I'll stick with Kaspersky's. Spybot and Ad-Aware didn't detect a thing. Help!

Update: The phoney .com files regenerate too. Grand.

Edited by NakatomiVeteran, 03 August 2005 - 10:48 PM.

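The persistence trick described in the post above (decoy cmd.com and regedit.com dropped beside the genuine .exe files) works because Windows tries the extensions listed in PATHEXT in order, and .COM comes before .EXE by default, so typing a bare "cmd" launches the decoy rather than cmd.exe. The Python script below is an added example, not code from this thread or from any of the tools it names; it flags .com files that shadow an .exe of the same base name. The directory listing it runs over is constructed for illustration, and the real-directory helper assumes it is pointed at a directory on a Windows host.

```python
import os

# Constructed listing standing in for a directory on the Windows search path
# (not a real capture): genuine tools plus the decoy .com files the post describes.
SAMPLE_LISTING = [
    "cmd.exe", "regedit.exe", "notepad.exe", "taskmgr.exe", "kernel32.dll",
    "cmd.com", "regedit.com",   # decoys: same base name as a real .exe
    "win.com",                  # a lone .com with no .exe twin, so not a shadow
    "p2pnetworking.exe",        # the process the post noticed; not a shadow either
]

# Default Windows PATHEXT order: .COM is tried before .EXE, which is why a decoy
# cmd.com in the same directory is what runs when someone types "cmd".
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"


def resolves_before(ext_a, ext_b, pathext=DEFAULT_PATHEXT):
    """True if the command resolver tries ext_a before ext_b for a bare command name.
    An extension missing from PATHEXT is never tried, so it sorts last."""
    order = [e.lower() for e in pathext.split(";") if e]

    def pos(ext):
        ext = ext.lower()
        return order.index(ext) if ext in order else len(order)

    return pos(ext_a) < pos(ext_b)


def find_shadowing_com_files(listing, pathext=DEFAULT_PATHEXT):
    """Return the .com files in `listing` that share a base name with an .exe
    in the same listing and would be resolved first under `pathext`.
    Names are compared case-insensitively, as Windows does."""
    exts_by_stem = {}
    for name in listing:
        stem, ext = os.path.splitext(name.lower())
        exts_by_stem.setdefault(stem, set()).add(ext)
    hits = []
    for stem, exts in exts_by_stem.items():
        if {".com", ".exe"} <= exts and resolves_before(".com", ".exe", pathext):
            hits.append(stem + ".com")
    return sorted(hits)


def scan_directory(path, pathext=None):
    """Run the check against a real directory (e.g. C:\\Windows\\system32 on a
    Windows host). Uses the live PATHEXT when set; returns [] if unreadable."""
    pathext = pathext or os.environ.get("PATHEXT", DEFAULT_PATHEXT)
    try:
        return find_shadowing_com_files(os.listdir(path), pathext)
    except OSError:
        return []


if __name__ == "__main__":
    for hit in find_shadowing_com_files(SAMPLE_LISTING):
        print("suspect shadow file:", hit)
    # On a Windows box, point it at a real search-path directory:
    # print(scan_directory(r"C:\Windows\system32"))
```

A hit only tells you that a .com file would win the name lookup; confirm it by checking the file's timestamp, size and hash against what you expect for the genuine tool before deleting anything, and run the check across every directory in PATH, since the resolver walks them in order.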
#2 darth_ash (Member 1K, 1,382 posts)

Please go to the malware forum and follow the instructions at the top... Especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty -- and you may not be -- then post a HijackThis log in THAT forum.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this thread.