DDos.rat.rbot

Discussion in 'Trojan Defence Suite' started by DGeorge, Jul 10, 2004.

Thread Status:
Not open for further replies.
  1. DGeorge

    DGeorge Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    36
    Hi all,

    According to TDS-3, It appears the above rat is on one of my pc's. It appears as a registry entry but when I select to delete it and reboot, it still shows up when I rescan.

    Any suggestions on how to remove this permanently are appreciated.

    Thanks,

    David
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello David and welcome,
    yeah that's one of those spybots people spit around on internet, among others through port 17300.

    Anyway:
    after deleting thje thing, disable the system restore if you're on XP,
    reboot, enable again the system restore and make manually a new restore point.
    If you scan again, is it gone now? System restore has the habit to put back what you just deleted.

    Post back if this solved it please?
     
  3. DGeorge

    DGeorge Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    36
    Thanks Jooske,

    I figured out that one of my antispyware programs was protecting against changes to the startup files so once I disabled that, it was permanently removed.

    There is still on strage thing occuring. My pc has a single NIC which usually gets an ip assigned by my ISP. I dont have a router but once I enable my internet connection, my firewall log shows an incoming ICMP with local 192.168.100.2 and remote 192.168.100.1, both on port 3. I set up my fire wall to block this so my XP system logs shows an entry RE dhcp saying "unable to renew address from dhcp server" and then "lost least to ip address 192.168.100.2"


    Does the creation of these local ip's sound fishy? I can post a log or whatever else you may need.

    Thanks for your help
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    >I figured out that one of my antispyware programs was protecting against changes to the startup files so once I disabled that, it was permanently removed.<

    If this happened, so how was the startup protection when infection took place? Should have protected against the infection in the first place.
    Was that SpybotS&D or another one?
     
  5. DGeorge

    DGeorge Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    36
    The start up infection protection was from Spysweeper, which I installed after the infection, to try and detect spyware.

    As a side note, of all the antispy stuff I installed to try and track the infection down, the only ones which seemed to do more than detect cookies were Spysweeper, Pest Patrol and TDS-3.
    Spysweeper found a key logger and TDS-3 found the rbot entry.

    What about the local dhcp server which seems to be set up when I connect to the net? Any thoughts on that?

    Thanks again
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If the startup entry doesnt delete, run the Autostart Explorer - press CTRL-A or go to System Analysis > Autostart Explorer

    You should be able to see the startup entry there as specified by the alarm in TDS, then right-click and delete. Whatever file is being run will be listed, can you reboot then send us that file please ? submit@diamondcs.com.au
     
  7. DGeorge

    DGeorge Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    36
    There was no actual file. Just a registry entry which I deleted.

    Thanks for the help
     
  8. meyer

    meyer Guest

    same here.

    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Microsoft Update Machine=iexplorer.exe]
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.