New instances of "Qbot" abuse?

Discussion in 'malware problems & news' started by XweAponX, Apr 25, 2009.

Thread Status:
Not open for further replies.
  1. XweAponX

    XweAponX Registered Member

    Sep 18, 2008
    I am working on a computer I built for a client. He says, "I was trying to upload pictures to Craigs List when I got kicked offline and I could no longer get on the internet."

    I didn't know what he meant until I tried to open IE. Nothing happened, and checking TaskMan, I saw about 100 instances of the IE crash detection tool.

    Because this PC had XP SP3, I could do no troubleshooting because of the nature of the changes they applied to the IE crash detection program. I had to remove SP3, and I found this:

    -A program called KDWNY.EXE was in MSCONFIG, but there was no actual file called that. The MSCONFIG entry could be disabled, but it would re-enable itself.

    -KDWNY would allow me to remove reg entries related to it, but they would magically reappear.

    I finally was able to run Ad-Aware Pro SE, and it directed me to some malware that had been installed, which in turn directed me to a folder in "All Users" called "_qbothome".

    I moved the folder to my desktop and it helped.

    But there is still a part of the hack I can't get out.

    I am posting here, because of this thread:

    Which was posted 3 years ago. Well, this is similar to the problems discussed in that thread, but there is also something else.

    I still cannot remove the reg entries to the "KWDNY.exe" and the MSCONFIG entry always reappears.

    I dealt with a related issue, where the reg entries had something that caused them to be rewritten, but I can't remember how I dealt with that.

    Putting HijackThis and other helper apps on it is difficult because this PC will not connect.

    Finally, the RPCSS service keeps shutting off in regular mode, causing symptoms similar to the Blaster virus.

    Anyone got any ideas what this is?

    I'll be back later with some more details once I can get HijackThis onto the machine.
  2. axial

    axial Registered Member

    Jun 27, 2007
    XweAponX, because you mentioned HijackThis, just a quick preemptive note that the Wilders forums no longer do HijackThis fixes, but there are several who do, listed in this thread:

    Please let us know how your troubleshooting goes -- best of luck.
  3. JRViejo

    JRViejo Global Moderator

    Jul 9, 2008
    XweAponX, first, welcome to Wilders! According to that old thread, SUPERAntiSpyware stated that its program could remove the Qbot infection and perhaps Malwarebytes' Anti-Malware free trial version could do so as well. You should try them both.
  4. PRG

    PRG Registered Member

    May 23, 2009
    I, too, just caught this a few days ago, and I am glad that old thread was there, as there is very little information about _qbothome, _qbotinj.exe and _qbot.dll available on the internet. AVG Anti-Virus, which was installed at the time, did not catch it, and does not detect it even when pointed directly at the folder to scan it. It was apparently caught by surfing one of just a few regularly visited and perfectly harmless websites. I wish I could find a good way to discover which one is infected so that I can tell them.

    I plan to try SUPERAntiSpyware, but I found the lack of response to the poster who talked about finding a _cognitas folder later on to be alarming. I know from personal experience with Klez how a nastie can morph and mutate and hide again every time an anti-virus tool is used to remove it. That one I had to take down by myself, and I could not have done it without Ctrl-Alt-Del, which used to stop everything dead in its tracks. Not having that full-system-stop capability anymore is making me very nervous about trying to handle this...

    I am a bit alarmed that even over 2 years later, most of the AV companies had little to no information on a backdoor, password-stealing bit of nastiness.
  5. SUPERAntiSpy

    SUPERAntiSpy Developer

    Mar 21, 2006
    SUPERAntiSpyware has been very successful in removing the QBot components and items dropped and protected by QBot and its variants.

    If you have a specific infection/variant that we can't remove, we would be happy to run our custom diagnostic tools to analyze the system and remove the infection.