I noticed a suspicious task running, the infamous p2pnetworking.exe. I googled it, checked a thread here, followed therock247uk's steps for removing it, and to my dismay, it was still there on reboot. After googling some more, I learned that this Rbot variant is IRC-controlled, creates phoney regedit.com, cmd.com, etc. files in C:\WINDOWS\system32\, and leaves two registry keys. I uploaded C:\xz.exe to the Kaspersky online virus scanner, and as I thought, it was p2pnetworking.exe's puppeteer. So I killed the registry keys, deleted the phoney .com files, and deleted xz.exe and p2pnetworking.exe. The task didn't resurface, so I thought I'd won. But I hadn't. It was, again, there on reboot. I downloaded Kaspersky's trial AV, and it detected two keyloggers and our favorite backdoor trojan couple right off the bat. It can't delete p2pnetworking.exe or xz.exe, so it eventually decided to try to delete them both on startup the next time I boot, but it CAN get rid of the keyloggers. At least I'm not being keylogged.
What tipped me off to the virus first was getting kicked off of various programs and being dragged back to viewing the desktop. It was getting annoying, which prompted me to start digging. I even downloaded Pocket Killbot and deleted everything through it, and it still regenerated. iSafer detects occasional attempts to use IE, and considering I only use Firefox, this is more than a little suspicious to me. I've forbidden access to the IP it was trying to contact, and I hope that impedes its progress.
I disobeyed the prime directive and downloaded both Kaspersky's AV and ClamWIN AV, and since ClamWIN didn't detect either the trojan pair or the keyloggers, I think I'll stick with Kaspersky's. Spybot and Ad-Aware didn't detect a thing. Help!
Update: The phoney .com files regenerate too. Grand.
Edited by NakatomiVeteran, 03 August 2005 - 10:48 PM.
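The phoney regedit.com and cmd.com files the post describes work because of how Windows resolves a bare command name: the shell tries each extension in PATHEXT in order, and .COM comes before .EXE, so a dropped cmd.com runs whenever someone types "cmd". The script below is an added example, not code from the poster or from any removal guide, that models that resolution and lists every name in a directory where a higher-precedence extension shadows a lower one. It assumes the stock PATHEXT order (check `echo %PATHEXT%` on the real host) and builds a throwaway directory with made-up bytes standing in for system32, so it runs offline on any OS.

```python
import hashlib
import os
import tempfile

# Default Windows PATHEXT order (assumption: stock value; verify with
# `echo %PATHEXT%` on the host). For a bare command name the shell tries each
# extension in this order, so cmd.COM is found before cmd.EXE.
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH", ".MSC")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_command(name, directory, pathext=DEFAULT_PATHEXT):
    """Mimic the shell's extension search for a bare command name within one
    directory: the first PATHEXT extension that exists on disk is what runs."""
    lookup = {f.lower(): f for f in os.listdir(directory)}
    for ext in pathext:
        candidate = (name + ext).lower()
        if candidate in lookup:
            return os.path.join(directory, lookup[candidate])
    return None


def find_shadowing_pairs(directory, pathext=DEFAULT_PATHEXT):
    """List every base name present with two or more PATHEXT extensions.

    The file with the higher-precedence extension hijacks the bare command
    name; the shadowed file(s) are what the user expected to run. Returns a
    list of dicts (name, runs, shadowed, sha256) sorted by name.
    """
    order = {ext.lower(): i for i, ext in enumerate(pathext)}
    groups = {}
    for fname in os.listdir(directory):
        stem, ext = os.path.splitext(fname)
        full = os.path.join(directory, fname)
        if ext.lower() in order and os.path.isfile(full):
            groups.setdefault(stem.lower(), []).append(fname)
    findings = []
    for stem, files in groups.items():
        if len(files) < 2:
            continue
        files.sort(key=lambda f: order[os.path.splitext(f)[1].lower()])
        winner = files[0]
        findings.append({
            "name": stem,
            "runs": winner,
            "shadowed": files[1:],
            "sha256": sha256_of(os.path.join(directory, winner)),
        })
    findings.sort(key=lambda d: d["name"])
    return findings


def build_demo_dir():
    """Construct a throwaway directory imitating the infected system32 from the
    post: legitimate .exe names plus dropped .com files of the same names.
    Contents are constructed placeholder bytes, not real binaries."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    files = {
        "cmd.exe": b"MZ legit cmd",
        "regedit.exe": b"MZ legit regedit",
        "notepad.exe": b"MZ legit notepad",
        "cmd.com": b"MZ dropper",       # same bytes: one dropper copied twice
        "regedit.com": b"MZ dropper",
    }
    for fname, data in files.items():
        with open(os.path.join(d, fname), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    print("typing 'cmd' would run:", resolve_command("cmd", demo))
    for hit in find_shadowing_pairs(demo):
        print(f"{hit['name']}: {hit['runs']} shadows {hit['shadowed']} "
              f"(sha256 {hit['sha256'][:16]}...)")
```

Pointing `find_shadowing_pairs` at a real C:\WINDOWS\system32 (from a clean boot environment, since the post shows the files regenerate while the bot is running) gives a quick list of hijacked names, and the hash column shows when several dropped files are the same payload; a legitimate .com beside a same-named .exe is rare enough in system32 that every hit deserves a look.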