Re: Windows XP "RBOT" virus infection



From: "Salahuddin" <Salahuddin@xxxxxxxxxxxxxxxxxxxxxxxxx>

| I seem to have a problem with what I believe to be an "RBOT" infection on my
| Windows x64 Professional Edition as mentioned in the article below:
|
| http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39437
|
| The reason is because in msconfig and hijackthis, I had the following item
| starting up: adobereaderpro = directx.exe
|
| This was similar to the startup items listed here:
| http://www.sysinfo.org/startuplist.php?filter=adobereaderpro
|
| The only difference is that I can't seem to find any mention of
| adobereaderpro and directx.exe on the Internet anywhere. I am assuming
| though, it is a variant of the same trojan virus.
|
| In any case, my system was doing fine, until I installed the latest updates
| on February 14th. Since then, my Internet slowed to a crawl. My Event
| Viewer showed repeated errors of "Event ID 4226" which stated that all my
| TCP/IP connections were used up. I tried using the EventID patcher, to edit
| tcpip.sys and increase the number of connections from 10 to 100, but even
| then the error continued. Only when I increased the number of connections to
| 1000 did my internet connection return to normal and the EventID 4226 no
| longer occurred.
|
| So basically, I believe this trojan is using my TCP connections (as
| mentioned in the initial link) and I can't seem to get rid of it. I cannot
| find any direct.exe file on my hard drive, and even after I delete all the
| registry keys involving adobereaderpro, the problem persists. I ran SpyBot
| v1.4 and Windows Defender, both turned up nothing. I am running Trend Micro
| HouseCall 6.5 and eTrust AntiVirus Web scanners at the moment.
|
| But I was just wondering if anyone has any idea on how to fix this problem.
|
| BTW, I've also noticed that either the Windows Updates or the Trojan has
| edited my Windows Firewall settings such that they are controlled by a group
| policy (i.e. I can't change the settings because they are greyed out). I
| also think it is closing some of my services periodically for no reason (like
| Windows Firewall/Internet Connection Sharing).
|
| Any advice would be much appreciated.

There are anti-virus newsgroups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

Since you indicated you already have a Trend Micro AV solution installed, use the McAfee,
Sophos and/or Kaspersky modules in the below tool.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE to go through your
firewall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
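Added triage script for the symptoms described in this thread (a Run entry named "adobereaderpro" pointing at "directx.exe", Windows Firewall settings greyed out as "controlled by Group Policy", and repeated Tcpip event 4226). It is not part of the original posts or of the Multi_AV tool; it only collects evidence and changes nothing. The Run/RunOnce and Windows Firewall policy registry paths are the standard ones; the value name and file name are taken from the post, and the function names are my own. Run it from an elevated Windows PowerShell prompt so HKLM and the System log are readable.

```powershell
# Evidence collection for the RBOT-style symptoms in this thread. Assumes Windows
# PowerShell on the affected machine; nothing here deletes or modifies anything.
$suspectName = 'adobereaderpro'   # Run value name reported in the post
$suspectFile = 'directx.exe'      # executable that value pointed at (per the post)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit view on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Startup entries: where does each command's executable actually resolve to,
#    and does the entry match what the post saw (name, file, or a missing target)?
function Get-StartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }            # skip PSPath, PSParentPath, ...
            $cmd = [string]$prop.Value
            # First token is the program: quoted path, bare path, or a bare file name
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
            $resolved = $null
            if ($exe) {
                if (Test-Path $exe) {
                    $resolved = (Resolve-Path $exe).Path
                } else {
                    $app = Get-Command $exe -ErrorAction SilentlyContinue  # PATH lookup, as the shell does
                    if ($app) { $resolved = $app.Definition }
                }
            }
            $suspect = ($prop.Name -eq $suspectName) -or
                       ([IO.Path]::GetFileName($exe) -eq $suspectFile) -or
                       ($null -eq $resolved)    # Run entry whose target cannot be found
            New-Object PSObject -Property @{
                Key = $key; Name = $prop.Name; Command = $cmd; Resolved = $resolved; Suspect = $suspect
            }
        }
    }
}

# 2. Windows Firewall policy keys. When these exist the Firewall control panel greys
#    out its settings ("controlled by Group Policy"). On a machine that is not
#    domain-joined, whatever wrote them needs explaining.
function Get-FirewallPolicy {
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        $key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile"
        $present = Test-Path $key
        $enable = $null
        if ($present) { $enable = (Get-ItemProperty -Path $key).EnableFirewall }  # 0 = policy turns it off
        New-Object PSObject -Property @{ Profile = $fwProfile; PolicyPresent = $present; EnableFirewall = $enable }
    }
}

# 3. Tcpip event 4226: how often the half-open connection limit was hit recently.
function Get-TcpipLimitEvents {
    Get-EventLog -LogName System -Source Tcpip -Newest 1000 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 4226 } |
        Select-Object TimeGenerated, EventID, Message
}

# 4. Which process owns the half-open connections. Raising the limit in tcpip.sys
#    (as the post did) hides the symptom; the SYN_SENT owner is the cause.
function Get-SynSentByProcess {
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        # TCP lines are: Proto LocalAddress ForeignAddress State PID
        if ($f.Length -eq 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'SYN_SENT') { $f[4] }
    } | Group-Object | Sort-Object Count -Descending | ForEach-Object {
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        $name = '(exited)'
        if ($proc) { $name = $proc.ProcessName }
        New-Object PSObject -Property @{ PID = $_.Name; Process = $name; SynSent = $_.Count }
    }
}

Write-Host '== Startup entries (Suspect = name/file from the post, or target not found) =='
Get-StartupEntries | Format-Table Suspect, Name, Command, Resolved -AutoSize
Write-Host '== Windows Firewall policy keys =='
Get-FirewallPolicy | Format-Table Profile, PolicyPresent, EnableFirewall -AutoSize
Write-Host '== Tcpip event 4226 in the last 1000 System events =='
Get-TcpipLimitEvents | Format-Table TimeGenerated, EventID -AutoSize
Write-Host '== Processes with half-open (SYN_SENT) connections =='
Get-SynSentByProcess | Format-Table SynSent, PID, Process -AutoSize
```

A Run entry whose target the script cannot locate matches what the post describes (the file could not be found on disk) and is a reason to run the scanners from Safe Mode as suggested above, not a reason to delete the key by hand. A process repeatedly appearing with many SYN_SENT connections is the one to hand to the scanners and to block at the firewall once the policy keys have been dealt with; on a machine joined to a domain, those policy keys may legitimately come from the domain's Group Policy, so check with the administrator before treating them as tampering.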

