Win32.Wootbot Help

Hi. I'm using Avast 4.5 Home Edition (4.5.523) with virus database 0448-0 (dated 23-11-2004). I was stupid enough to run the computer with the firewall (Sygate Personal) off and was infected by this virus/worm.

Now the suspicious file is a 76 KB file named iexplore.exe in the Windows\System32 folder (on my Windows XP SP1a). It starts automatically every time Windows starts, remains in the background and tries to connect to an address “ilovebitch3z.no-ip.org”. There is no version tab in its properties either to show whether it is a real Microsoft file or not.

Trouble is, Avast is not recognising it even with the ‘Thorough scan’ and ‘scan within archives’ options enabled. So I sent this file to a virus submission site (uh…does this forum allow naming other virus software?) which reported it as a Win32.Wootbot variant.

Now what do I do with this file? Can I simply delete it? How do I detect if any more files are infected or damaged?

Click on the link in my signature and start cleaning your system from malware in a proper way.

:slight_smile: I did run AdAware and Spybot S&D scans but they found nothing :-\

The webpage I referred you to isn’t only telling you to run Spybot S&D or Ad-aware. Have you followed everything there?

Hi Firefox,

I would highly recommend doing what Eddy says in his signature.

Just for interest, go to http://virusscan.jotti.dhs.org/ (which is an online multiple AV scanner), put the suspect file through the scanner and post back if any other AV software detects the file.

Cheers

Jlo

Imho there’s no need to test it; there is NO legit iexplore.exe in the SYSTEM32-folder (unless you intentionally copied the IE-App. there)

  1. Read the link “VirusRemoval” below for Links, info & howto’s
  2. Disable system RESTORE
  3. Restart the PC in SafeMode (F8-Boot)
  4. MOVE the file to a password-protected archive (ZIP, RAR …)
  5. Remove the file’s startup entry via msconfig or HijackThis or manual Registry editing (back up the Registry first)
  6. Reboot normally
  7. Please submit the file to virus (at) avast.com with archive password & short description

If not successful, post a HijackThis log here…

:wink:

P.S.:
Google is your friend
Wootbot-Info

Apply ALL Windows updates (also for IE); get the full installer of SP2 from a friend & install it OFFLINE
or first apply (OFFLINE) the most urgent updates against Blaster, Sasser, Agobot, DCOM/RPC/LSASS exploits: see the Microsoft site or “VirusInfo” below

& change all passwords, PINs, sensitive data etc. ever entered on the PC

Read BACKDOOR-Section of “VirusRemoval”-Link

:wink:
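The location check argued in the thread (an iexplore.exe autostarting from System32 is not the real browser) can be run mechanically over the O4 autostart lines of a HijackThis log. The script below is an added example, not something posted by any participant; the expected-directory table assumes a default Windows XP layout on drive C:, and the sample log lines and the value name `example-entry` are constructed.

```python
import ntpath
import re

# Assumption: default Windows XP install paths on drive C:.
EXPECTED_DIRS = {
    "iexplore.exe": {r"c:\program files\internet explorer"},
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32"},
}

# HijackThis autostart line: O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

def image_path(cmd):
    """Return the executable path from a quoted or unquoted command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)\b", cmd)  # unquoted: up to first ".exe"
    return m.group(1) if m else cmd.split()[0]

def find_masquerades(log_text):
    """List (hive, value name, path) for known names in unexpected folders."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = image_path(m.group("cmd"))
        directory, exe = ntpath.split(ntpath.normpath(path))
        expected = EXPECTED_DIRS.get(exe.lower())
        # Bare file names (no directory) cannot be judged and are skipped.
        if expected and directory and directory.lower() not in expected:
            findings.append((m.group("hive"), m.group("name"), path))
    return findings

# Constructed sample log lines, not taken from the poster's machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [example-entry] C:\WINDOWS\System32\iexplore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunServices: [example-entry] "C:\WINDOWS\System32\iexplore.exe" -q
"""

if __name__ == "__main__":
    for hive, name, path in find_masquerades(SAMPLE_LOG):
        print(f"{hive} [{name}] -> {path}")
```

A hit only says the file name and folder do not match; the entry still has to be removed and the file quarantined as in the numbered steps above.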