I am looking for a new antivirus software since my hubby contracted Qakbot / _qbot.dll during perfectly ordinary web surfing and well-used sites. My AV did not detect it. Seems many AVs do not detect this (by searching virus databases). The WebGuard and Network watching features, not to mention the script blocker, may be just what I need for him as I cannot convince him to switch to Firefox with NoScript.
However, I was dismayed that this was not listed on Avast’s Virus removal tool page, nor could I find any mention in the database. The only mention I found on avast.com was an OLD forum post where oldtimer helped someone infected with this. However, it is possible my search was somehow incomplete.
So, I’m asking - does Avast include detection for Qakbot / _qbothome / PinkSlipBot / qbotinj.exe ?
If not, please add it at once! It is very nasty, though apparently limited in occurrences.
I would additionally be very grateful if it was added to your Removal tool!
The problem with quoting malware names, is that there is no common naming standard so the malware name may be different from one AV to another, called an alias. The same is true of a file name, AVs don’t detect based on the file name as it could contain anything. Those two malware names aren’t in the database but as I said that doesn’t really mean much.
The latest threat of sites being hacked and redirected to run malicious scripts, the avast web shield is very hot on these and of all of these that I have check on the viruses and worms forum, all have proved to be good detections
Well, yes, I do have a sample of the file(s). However, I am still waiting for more help at malwareremoval.com and so far no one has advised me how to SAFELY transfer a copy of these files to USB and then to my clean laptop (which I am using now) and then how to upload them. Would you care to tell me?
A google search for _qbot* will find several references, though most are ‘incomplete’. I gave the folder name, the dll name, and the executable name, as well as the only 2 names I found that other AV companies have called this.
If you are personally interested in this issue, a google search for PRG and _qbot should find my posts on a few forums with explanations and links to resources I have found.
I am personally appalled that so few AV’s list this as it has been around for years, and it is NASTY.
You can send the files to the Avast chest, and from there select them to be emailed to Avast.
To do this, open the chest via starting the program, select “user files”, right click in the chest, select “add”, and navigate to where the file/s are. After that is done, select “email to Avast”. This will occur with the next database update.
Thanks for the suggestion, tarq. Unfortunately, the AV installed on the infected laptop is not Avast, so that won’t work. I’m sure those files will be deleted before I install Avast (as I am 95% sure I will end up choosing).
However, you look to be being well looked after in the malwareremoval.com topic you posted as it appears that this backdoor to be backed up by a rootkit. The avast anti-virus includes an anti-rootkit module which interestingly is based on the GMER anti-rootkit (I believe Alwil bought it out) mentioned in your last post at malwareremoval.com.
It would only confuse issues for all concerned (flipping between forums, etc.) to try and give advice when you are being actively helped in that forum, so I would suggest sticking with that certainly for now.
Send the sample/s to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible undetected malware (as we don’t know if avast does actually detect them) in the subject.
Yes, I agree that flipping back and forth would not be helpful. My main goal here on this forum was to try and find out if Avast has _qbot in their database, and if not, to advise them to add it. Avast’s features look to me as if I can relax without convincing my hubby to give up IE (a nearly impossible task).
I have only had one other malware, and that was Klez several years ago. The fact that it could morph and hide with each removal done by tools specifically designed to remove it makes me very “respectful” of malware. I had to remove it myself and it took quite a while before I was lucky enough to “catch” it while it was loading using Ctl-Alt-Del during boot-up. So… I’m not entirely certain what these programs might be able to do or not do - the “rules” I learned long ago about you have to run a program before it can run seem to not quite apply, as somehow programs are executed “behind the scenes” without the user having any control.
So, in sum - it is safe to zip up a folder full of files, and password protect the zip file, and transfer it on USB and via email? They have not yet discovered a way to transfer an infection if one does that? Even using WinZip (you know, a Windows program)? Just right click and choose “add to zip”? I don’t recall if/when there is an option to password protect. Is there a “standard” password to choose?
I would like to send this to Avast, just in case they don’t have it. Reports of its incidence seem to be very low, but that might be due to lack of detection… maybe…
It should be ‘reasonably’ safe to zip password protect and transfer to USB. Notice the word reasonably as infected system are always at risk and in the case of a trojan backdoor it could have downloaded more malware. This could try to infect the USB stick (autorun.inf infections) this could then possibly cross contaminate the clean system.
If the clean system is fully op to date with MS Security Updates it should be less vulnerable to these autorun.inf infections.
You can check the infected system looking for autorun.inf files in the root folder of hard disk partitions. These are most likely to be hidden and marked as system files to stop you seeing them, you can however, change the folder settings to see these. If none of these autorun.inf files aren’t present then you are less likely to have the USB stick infected.
Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.
It is possible to password protect winzip files, but I’m not familiar with that program, I do know that it isn’t an intuitive interface to make it easy to password protect archives. I use 7zip and it is one of the options in the initial creation of the archive (real easy)
AhA! I think I now understand why the USBnoRisk.exe looked for autorun.inf… So, do you know if it was clever or useless of me to try and protect my USB drive by creating a blank text file, renaming it autorun.inf and marking it read only on by USB drive? I have since deleted it as it may have been why my laptop wouldn’t let me browse the USB drive. I was guessing, based on SpywareBlaster principles, and the tiny bits of info about USB infections I ran across, that that might be a “pre-emptive strike”.
Thanks for talking to me, BTW - it’s helping my anxiety and curiosity and need to do SOMETHING quite a bit, but feel free to say “bug-off” if I’m taking too much of your time. I’m not used to waiting so long to fix something.
Clever and useless (in a small way), clever in that if it finds the file on hard disk partitions it is an indication of infection (this file should only legitimately appear on removable media, CD/DVD, etc), useless in simply creating a blank file and marking read only, isn’t very effective (as it would be no great issue to change it from read only or simply delete it and replace it).
There is a better tool, which creates a folder of the same name and by convention windows won’t let you create a file with the same name and if it did allow that, the folder would take precedence (like in trumps).
Flash Drive Disinfector
Information and Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
[*] Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.[*] The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.[*] Wait until it has finished scanning and then exit the program.[*] Reboot your computer when done. Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder…it will help protect your drives from future infection.
Ah - the same “pre-emptive strike” thinking, but one step better. Is there anything special about the folder this creates, or could I effectively do the same thing myself? And what about the malware deleting the folder?
Yes, it is a little special as it can’t easily be deleted as it is also protected (I don’t believe you could protect it from deletion in the same way).
Thank you very much for that USB protection tip - now I feel I can breathe a bit easier using the USB to transfer logs. When Avast is done (60% after about 3 hours), then that will download, and I can see about sending those virus files, as you suggested. Maybe Avast will add it to their removal tool PDQ
Update - I uploaded the _qbothome folder (zipped) to VirusTotal as suggested.
Most detected this infection, though I can’t tell WHEN they started. My anti-virus that did NOT protect us at the time of infection identified it via VirusTotal - perhaps they have added it since 27 April 09, or perhaps their detection routine is lacking in some way. Needless to say, I am still annoyed to have been infected by a 2+ year old thing with no alert from my AV. Note, I was not using Avast!
The annoying thing is that the AV companies call it various things. Avast calls it Win32:Trojan-gen (Other) and provides no link to any further information when I search Avast on that name. The other annoying thing is that most AV companies don’t seem to provide a useful knowledge base for what malware is observed to do, such as registry keys or file names - the kind of things a person might search for. The companies that seem to provide info are the ones I think very little of otherwise. If I go to my AV company’s site and search for the specific name they give it, it still brings up nothing from their virus encyclopaedia. So… I can’t find out when they added this to their definition files.
No wonder the malware removal forums have grown so - there is very little publicly searchable information for people to be able to help themselves - even those with the skills to do so.
Uploading the zipped folder to virustotal will only find one detected file as that can’t report on multiple files, so there is no certainty which of the files was detected.
However, the results would tend to indicate that this group would be detected, but the only way to be truly sure is to upload individual files, a pain, yes, but the only way to know 100%.
That is the problem there is no common naming convention and there are likely to be many aliases, the other issue is you don’t know which file within the zip was detected by what AV, so there is an added level of confusion.
The other thing some AVs use generic signatures for some detections so you will see a generic rather than specific malware name. The avast Win32:Trojan-gen is generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected. So there will be no specific information for the detection.
VirusTotal just provides a scanning service to basically confirm or deny a detection, it doesn’t give links to further information.
I’m a wee bit afraid to take a file out of the zip. There logically shouldn’t be any way that an exe or a dll can do anything just from being copied though, right?
Nevertheless, I got the answer I was seeking, I think - Avast can detect this infection, and hasn’t been “sleeping” for 2+ years.
My reference to links to further information was from searching for the specific detection names on the specific AV vendor sites. Symantec provides a pretty complete description of this malware (files, folder, some actions), but I still suspect a trigger file located elsewhere than the main folder, and as yet unidentified.
I am not utterly happy with what malwareremoval asked me to do
If there is something that you aren’t happy about say so and ask for more advice/information about what you aren’t happy about or don’t do it.
Whilst I have no formal malware removal training, I felt they were a little quick to initially decide you needed to format, to me and many others that is a measure of last resort, which seems to have passed.
I’m mostly unhappy about rebooting without removing the identified malware and registry entry that I pointed out in my initial post. I thought the delay might have been because Combofix was being updated to remove this, so I downloaded a fresh copy and ran it. I really very badly want to run the identifying/scanning tools to see if we can ID the “trigger file” I suspect must exist. I worry that it has probably now moved. My assumptions and worries are based on my battle with Klez, and so may not apply. However, I noted a new file noted near the bottom of the new HJT which also says it’s missing now.
My experience with Klez was that with each removal and each reboot it moved and renamed itself. There was also a random file that loaded with each boot, and could not be located by any means until/unless I “caught” it loading (with Ctl-Alt-Del during boot) and terminated it (and its siblings) successfully. That’s why I think it might have been what they call a root kit now. No removal tool fixed it despite claiming to, it just changed from -d to -e to -g, etc. The removal tools didn’t find the “trigger”.
I don’t really want to get involved in on-going clean-up in another forum for obvious reasons.
However, since a file is missing the registry entry is effectively inert, but should the file get restored the registry entry would be valid. Though whatever could restore it could also recreate the registry entry, but it won’t hurt to fix it, now.
Presumably this is the one you are on about ?
O23 - Service: ZCBF - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\ZCBF.exe (file missing)
Whilst I found nothing on that file name at systemlookup.com as I did with your previous post, I also found no meaningful info on the file name and I’m always suspicious of files running from the Temp folder/s.
This one also looks suspect to me and a google search on it shows other forums saying it should be fixed:
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}