does avast kill W32/Cuebot-I aka Backdoor.Win32.IRCBot.es aka WORM_IRCBOT.CM ?

hi,

my laptop seems to be infected by the worm
W32/Cuebot-I aka Backdoor.Win32.IRCBot.es aka WORM_IRCBOT.CM.

i guess that because hijackthis shows a registry entry that wants to install the file
c:\windows\system32\rpcsvc.exe
that file itself is missing (seems to be a result of running several virus scanners), but the registry entry is restored as soon as i remove it via hijackthis! >:(
moreover the windows xp firewall cannot be activated (options are grey), so there must be an active component of that worm still left alive -
can avast (or anyone else) help here??

regards
joerg

Info here:

http://www.sophos.com/virusinfo/analyses/w32cueboti.html

This malware is installed as a service which you would need to disable and deregister, and there are indeed registry entries which disable Windows firewall.

I’d recommend you run a scanner which checks for malware entries in the registry- such a scanner should remove the worm for you. You could try Trend Micro Sysclean:

If you are not a Trend Micro customer please download the following file.

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

For the TSC package to be effective, you must download and use the latest pattern file. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

Also Ewido anti-Trojan:

http://www.ewido.net/en/

You will also need to update your operating system to prevent futher infection. Go to the Window’s update site and download all critical updates.

Since there is no standardisation in virus naming that can be hard to say for sure, but a search of the avast database for IRCBOT returns 309 hits so I believe it should, see image.

Windows firewall is only half a firewall as it doesn’t provide outbound protection, I suggest you get Zone A larm free, there are others.

thx very much for your help !!!

the worm was killed using these programs.
however, the windows firewall still could not be activated because the evel registry entries were not removed / corrected. i did that manually by comparing the reg folders mentioned on the sophos website with the infected PC’s registry.
now the windows firewall could be activated!
i know it is not the optimum but i did not want to leave the pc in a state where the WFW could not be activated because it is not MINE but a buddy’s pc ;o)

of course i updated XP (was still SP1!) and installed avast as permanent virus protection. hope that will do for a while… ;o)
moreover i disabled all services that are not needed so that new worms cannot get in via port scans.

regards
joerg

The windows firewall under normal circumstances is good at stealthing your system against inbound attack. The problem comes when something gets on to the system, it can easily connect to the internet with your personal data and download more of the same. Recommend to your buddy that they download and install a full software firewall as an urgent priority.

Welcome to the forums.