Hi all, according to TDS-3, it appears the above RAT is on one of my PCs. It appears as a registry entry, but when I select to delete it and reboot, it still shows up when I rescan. Any suggestions on how to remove this permanently are appreciated. Thanks, David
Hello David and welcome, yeah, that's one of those spybots people spit around on the internet, among others through port 17300. Anyway: after deleting the thing, disable System Restore if you're on XP, reboot, enable System Restore again and manually make a new restore point. If you scan again, is it gone now? System Restore has the habit of putting back what you just deleted. Post back if this solved it, please?
Thanks Jooske, I figured out that one of my antispyware programs was protecting against changes to the startup files, so once I disabled that, it was permanently removed. There is still one strange thing occurring. My PC has a single NIC which usually gets an IP assigned by my ISP. I don't have a router, but once I enable my internet connection, my firewall log shows an incoming ICMP with local 192.168.100.2 and remote 192.168.100.1, both on port 3. I set up my firewall to block this, so my XP system log shows an entry RE dhcp saying "unable to renew address from dhcp server" and then "lost lease to ip address 192.168.100.2". Does the creation of these local IPs sound fishy? I can post a log or whatever else you may need. Thanks for your help
>I figured out that one of my antispyware programs was protecting against changes to the startup files so once I disabled that, it was permanently removed.< If this happened, so how was the startup protection when infection took place? Should have protected against the infection in the first place. Was that SpybotS&D or another one?
The start up infection protection was from Spysweeper, which I installed after the infection, to try and detect spyware. As a side note, of all the antispy stuff I installed to try and track the infection down, the only ones which seemed to do more than detect cookies were Spysweeper, Pest Patrol and TDS-3. Spysweeper found a key logger and TDS-3 found the rbot entry. What about the local dhcp server which seems to be set up when I connect to the net? Any thoughts on that? Thanks again
If the startup entry doesn't delete, run the Autostart Explorer: press CTRL-A or go to System Analysis > Autostart Explorer. You should be able to see the startup entry there as specified by the alarm in TDS, then right-click and delete. Whatever file is being run will be listed. Can you reboot, then send us that file please? submit@diamondcs.com.au
Same here.
RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE File: Software\Microsoft\Windows\CurrentVersion\RunServices [Microsoft Update Machine=iexplorer.exe]
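Added example, not part of the thread and not code from TDS-3 or any poster: the RunServices value in the alarm above runs `iexplorer.exe`, a name one character away from the genuine `iexplore.exe` and `explorer.exe`. The sketch below flags autostart values whose image name is a near miss of a known Windows binary; the sample entries (apart from the RunServices row), the allow-list and all function names are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample of autostart values as (key, value name, command).
# Only the RunServices row is taken from the TDS-3 alarm quoted in the thread.
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTORUNS = [
    (RUN + "Services", "Microsoft Update Machine", "iexplorer.exe"),
    (RUN, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (RUN, "ExampleTray", r'"C:\Program Files\Example\tray.exe" /background'),
]

# Assumed allow-list of genuine Windows image names to compare against.
KNOWN_BINARIES = {"iexplore.exe", "explorer.exe", "svchost.exe",
                  "ctfmon.exe", "rundll32.exe"}

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def image_name(command):
    """Return the lower-cased executable file name from an autostart command."""
    m = re.match(r'\s*"?(.+?\.exe)', command, re.IGNORECASE)
    path = m.group(1) if m else (command.split() or [""])[0]
    return ntpath.basename(path).lower()

def flag_lookalikes(entries, max_distance=1):
    """Flag entries whose image name nearly matches, but is not, a known binary."""
    findings = []
    for key, name, command in entries:
        image = image_name(command)
        if image in KNOWN_BINARIES:
            continue  # exact name; verifying its path is a separate check
        near = sorted(k for k in KNOWN_BINARIES
                      if edit_distance(image, k) <= max_distance)
        if near:
            findings.append((key, name, image, near))
    return findings

if __name__ == "__main__":
    for key, name, image, near in flag_lookalikes(SAMPLE_AUTORUNS):
        print(f"{key} [{name}={image}] resembles {', '.join(near)}")
```

A name-only check like this misses a malicious file that uses a genuine name from the wrong directory, so it complements rather than replaces a scanner's alarm.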