Re: Infected w-svhost / worm_rbot.ffx



Thanks David & Bear,

David -- I got the virus-checking batch files and DLed and ran the virus
checkers. I ran them in NORMAL mode because I could not boot into safe
mode.

Sophos: all clean
Trend: found and cleaned WORM_RBOT.FFX
Kaspersky: ran all the way; all clean; no logfile found

Rebooted. The file svhost.exe is no longer on my system.

Could not run http://secunia.com/software_inspector because the program
would not load. I got the java applet okay, but nothing showed up on the
page; it just sat there. I haven't applied any updates to Windows or MS
files since January. I use Adobe Acrobat 5. I also use Thunderbird,
Firefox, OE6 for these newsgroups, occasionally IE 6, Newsbin and
occasionally Forte Agent. I keep FF & Tbird up to date. I don't let other
applications go online. None of my games go online.

Tried 3x to boot into safe mode. I've done this before. Use f8 key. The
list of files loading ran, but stopped at drivers\mup.xxx. It sat there for
15 minutes the first time. It sat there the second time, I don't know how long.
So I finally booted back into Normal.

I will update and run Hijack This and report back. I will try again
tomorrow to get into Safe Mode. In the meantime, if you have any
suggestions for me on that, I'll be glad to give them a try.

BTW, I've had computers since 1991. This is the first time I've ever had an
infection. I use Zone Alarm and AVG and keep AVG up to date.

What damage might the worm have done? Do I need to check any file
integrities, or change passwords, or notify others online?

--

*rain*drops*




"*rain*drops*" <rain@xxxxxxxxxx> wrote in message
news:%23$RTPw%23lHHA.960@xxxxxxxxxxxxxxxxxxxxxxx
I did an online scan using TrendMicro. It found "worm_rbot.ffx" in the
system32 folder. I let it clean. I have not rebooted yet. I googled and
most entries say svhost.exe is a bogus file with a worm in it. Some posts
said it was a valid process that causes problems after an MS update. I'm
confused.

I found the file svhost.exe and checked properties -- no version or
manufacturer. Its creation date was 2/15/2006 and modification date was
8/10/2004. My computer software was first loaded on 2/15/2006.

I use MCE 2005 / XP SP2 with updates.


Questions:
1. Is it a worm or a valid MS component?
2. Am I safe to reboot?
3. What other security measures should I take?

Thank you for your assistance.

--

*rain*drops*





