Can anyone tell me how to get rid of this trojan? It originally appeared as C:\WINDOWS\system32\winlog.exe, then as C:\System Volume Information\_Restore{lots of numbers}.exe, and now in the C:\Program Files\winsupdater\winsupdater.exe file. I moved it to the chest yesterday, but after a scan it is now back again in the winsupdater.exe file.
I use Windows XP with avast and Zone Alarm.
marie
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select archives for scanning.
Boot.
Besides this, disable System Restore and then enable it again to clean it.
Start > Control Panel > System > System restore > Disable
Click Apply
Enable it again
Click Ok
If a boot time scan fails, try this disinfector:
http://www.sophos.com/support/disinfection/rbotek.html
Do you have a good firewall? Download a good free one like Zone Alarm if you haven’t. Install it after you have cleaned the infection.
And then go straight to the Microsoft Update site and download all the critical updates, or you will easily be infected again.
You may have other malware on your computer!? Do you use an antiSPYWARE program and, if yes, what do its "Full" scan results show? You should also consider using the good & FREE Ewido from www.ewido.net/en; this program "specializes" in detecting and removing trojans, worms, dialers, etc. "Winsupdater" sounds like a spyware I have seen "dealt" with on various antispyware forums!?
AVAST can remove it, but you need to update your Windows.
Win32:Rbot-ANG [Trj]
Only just logged on again, so I have not yet done a boot-time scan. We use Ad-Aware, Spybot Search and Destroy and Trend Micro Anti-Spyware; Internet Explorer is up to date on updates and so is Zone Alarm. Nothing has picked this up on a scan, only avast.
I will do a boot-time scan and let you know.
marie
Anyway, it does not seem to be a false positive but a real infection…
After scanning with avast (archive option checked), try online spyware scanning at http://www.spywareguide.com/txt_onlinescan.html
and one of the online virus scanning at http://www.security-ops.tk/
You can submit the files to Jotti and let us know the results, i.e., if it is or not a false positive.
If you are getting a virus warning that you believe is a false positive, then, if you can, zip and password protect ('virus' will do) the suspect file and send it to virus (at) avast.com.
Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see About avast: right click avast icon) will also help.
Hello marieandgordon,
There is a whole array of Rbot viruses and worms, all used by hackers or industrial hackers to prey on innocent users. They were built to add more functionality to these worms. Some can even look into the bedroom (so turn your webcam off or patch your OS).
For removal instructions, I second FwF; look here:
http://www.sophos.com/support/disinfection/rbotek.html
Get this worm from your machine soon, lots of success, and welcome to the web forum,
polonus
Right, I have run Spybot, Ad-Aware, Ewido, Trend Micro and avast antivirus. I have done a boot scan and done the disinfection thing on Sophos, and nothing showed up. Does this mean it has gone, or is it lurking somewhere?
All my Windows updates are up to date, I checked, and Zone Alarm is up to date.
Marie
Did you try Autoruns to see if there are other programs that load on startup?
Sorry, what is Autoruns? How do I do that? I know it is probably something very simple…
Autoruns is a program to check what runs on start-up. You can check this in Windows, though: Start, Run, type msconfig and press Enter. Then check the Startup tab and see what is in there.
If I'm not wrong, check www.sysinternals.com 8)
Marie:
Since you have Ad-Aware, I would suggest you ask the Ad-Aware experts on the forums at www.landzdown.com for help!? They know of "special instructions" to be used with Ad-Aware to get rid of serious spyware, etc.
Can you post a HijackThis! log please?
Hello Mr. Babis,
If you recommend Autoruns, why don't you recommend Silent Runners as well? See: http://www.silentrunners.org .
This is a script that actually does a very, very deep scan of what's running. Worth mentioning as well. Did you have experience with it as well? StartupList is also a very welcome analyzing tool, as is StartDreck. I always check with these once in a while and keep the scanning results in my log for comparison.
There are various stones to kill the bird,
greetings,
polonus
What does it do?
Why is it downloaded as a txt file and not a vbs?
Hi Tech,
What it does you can find here:
http://www.silentrunners.org/sr_thescript.html.
You can use it for a very deep inspection of all start-up items.
It is a VBS script. Do you have VBS scripting disabled?
greets,
polonus
How deep? What can I achieve with msconfig.exe, Startup Delayer, or the startup item in Control Panel (.cpl)?
How can I know?
I use AnalogX Script blocker and avast! Script Blocker (Pro version).
freewheelinfrank, here is my log. Sorry, I don't know what the other posts are talking about!
Logfile of HijackThis v1.99.1
Scan saved at 20:05:42, on 01/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM..\Run: [HPHUPD05] c:\Program Files\HP{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\pchbutton.exe
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129922076046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by14fd.bay14.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip..{06040C5F-4E0E-4491-926C-F9E6DBD2A4A2}: NameServer = 80.225.252.178 80.225.252.186
O17 - HKLM\System\CS2\Services\Tcpip..{06040C5F-4E0E-4491-926C-F9E6DBD2A4A2}: NameServer = 80.225.252.178 80.225.252.186
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
On the O17 entries, I don't know whose ISP that is, but I keep deleting them and they keep coming back. Any ideas?
marie
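As an added example (not code from the thread, from avast or from the HijackThis project), here is a small Python checker for a log in the HijackThis 1.99 format posted above. It does the two things the helpers are asking for by hand: it looks through the "Running processes" list and the O4 autostart entries for the file names reported as the infection in this thread (winsupdater.exe and winlog.exe, plus anything launched from a System Volume Information restore folder), and it pulls the DNS servers out of the O17 lines so they can be compared against the servers the ISP is supposed to hand out. The sample log is constructed for the example: the winsupdater entries are made up using the file name from the thread, the other lines mirror entries in the posted log, and the "expected DNS" set is something the user supplies from their ISP's documentation.

```python
import re

# File names reported as the infection in this thread (a constructed denylist for
# the example; a real one would come from the AV vendor's write-up).
REPORTED_BAD_NAMES = {"winsupdater.exe", "winlog.exe"}

# Constructed sample in HijackThis 1.99 format. The winsupdater lines are made up
# from the name reported in the thread; the rest mirror the posted log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\winsupdater\winsupdater.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{06040C5F-4E0E-4491-926C-F9E6DBD2A4A2}: NameServer = 80.225.252.178 80.225.252.186
"""

# O4 lines come in two shapes: "[name] command" for Run keys and "x.lnk = path"
# for the Startup folder. The hive part tolerates both "HKLM\..\Run" and the
# backslash-stripped "HKLM..\Run" seen in copied logs.
O4_RE = re.compile(
    r"^O4 - (?P<where>HK\w+[\\.]*Run|Global Startup): "
    r"(?:\[(?P<name>[^\]]+)\] |(?P<lnk>[^=]+) = )(?P<cmd>.*)$"
)
# First executable-looking token of a command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|bat))', re.IGNORECASE)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d. ,]+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def executable_of(command):
    """Return the executable path at the front of an O4 command, or None."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_path(path):
    """True for the names reported in the thread, or anything run from a restore point."""
    if basename(path) in REPORTED_BAD_NAMES:
        return True
    # Nothing legitimate starts from a System Volume Information restore folder.
    return "system volume information" in path.lower()


def scan_log(text, expected_dns):
    """Collect suspicious processes, suspicious autostarts and unexpected DNS servers."""
    findings = {"autostart": [], "processes": [], "nameservers": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and PROC_RE.match(line):
            if is_suspicious_path(line):
                findings["processes"].append(line)
            continue
        in_processes = False  # first non-path line ends the process list
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if exe and is_suspicious_path(exe):
                label = m.group("name") or m.group("lnk").strip()
                findings["autostart"].append((label, exe))
            continue
        m = O17_RE.match(line)
        if m:
            for ip in IPV4_RE.findall(m.group("servers")):
                if ip not in expected_dns and ip not in findings["nameservers"]:
                    findings["nameservers"].append(ip)
    return findings


if __name__ == "__main__":
    # Assumed: the ISP documents only the first server, so the second is reported.
    for section, items in scan_log(SAMPLE_LOG, {"80.225.252.178"}).items():
        print(section, items)
```

The O17 check only reports what differs from the set you give it; if the ISP's published DNS servers match the log, the entry is not a hijack and deleting it is what keeps the network settings "coming back". If they do not match, that is the entry worth asking about.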