This little parasite somehow made it onto one of my systems 2 days ago. I found it this morning when one of its programs crashed as I closed an Internet Explorer window. It installed itself into Documents and Settings\All Users\_qbothome. Contents of the directory were:

8/10/2005   0:47    1,505  R__A________  cert.pem
11/29/2006 22:39      728  R__A________  crontab.cb
11/30/2006 21:10   34,304  R__A________  msadvapi32.dll
11/30/2006 21:10    3,410  R__A________  ps_dump_xyz
11/30/2006 21:10    3,412  R__A________  ps_dump_xyz.cb
11/30/2006 21:10   28,160  R__A________  q1.32585
12/01/2006  9:13    1,184  R__A________  seclog.cb
12/01/2006  8:42    1,184  R__A________  seclog.txt
11/30/2006 21:10      376  R__A________  si.cb
11/30/2006 21:10      373  R__A________  si.txt
11/29/2006 22:39      432  R__A________  updates.cb
11/30/2006 21:10      160  R__A________  updates1.cb
11/30/2006 21:10      596  R__A________  _qbot.cb
11/29/2006 21:09   48,640  R__A________  _qbot.dll
11/23/2006  5:09    6,656  R__A________  _qbotinj.exe
12/01/2006 10:34   43,520  R__A________  _qbotinj.opt
11/30/2006 21:10   20,480  R__A________  _qbotnti.exe
11/30/2006 21:10        0  R__A________  _qbot_installed

There was a rootkit involved (I'm guessing _qbotnti.exe), as I could not see any of the _* files or directories while the system was up, though they showed up just fine with a Knoppix boot CD.

The _qbotinj.exe was the program that crashed, letting me know something was up. I think its primary purpose is to sniff passwords typed into Internet Explorer. The _qbotinj.opt is from Visual Studio when I hit debug when it crashed; saving the project workspace is what finally let me know where the heck it was, since nothing else could find a _qbotinj.exe anywhere on the system.

qbot.dll, once un-UPXed, has a bunch of strings that seemed to indicate it was a remote control trojan of some sort, maybe via IRC.

ps_dump_xyz contained account info and passwords that I think were extracted from Outlook Express. I quickly changed them, from another computer, along with every other important password that came to mind. What a pain.

seclog.txt had various search strings I had typed into Internet Explorer. I do most of my browsing with Firefox, so it wasn't nearly as bad as it could've been.

si.txt had system info: computer name, user name, external IP, internal IP, etc.

I'm assuming the contents of those 3 files all got sent off somewhere.

Searching on Google for the various filenames and strings didn't turn up anything allowing me to identify it.

I don't know how it got installed. I'm guessing an exploit in IE, or possibly Firefox or Thunderbird, since those are the 3 main programs I use on that PC that access the net.

Other notes of interest: The Sysinternals Rootkit Revealer could not find it at all, but F-Secure's BlackLight managed to find all the files. Both were run while the system was up, with the Ethernet cable pulled. Once I knew the _qbothome directory existed, I could cd into it at a command prompt and list/view all the files except the ones that started with an underscore.

Has anyone seen this before? I restored the PC from a backup, but I still have a copy of the files. Is there a good place to send them off to if this is new?
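
The offline-versus-live comparison this post describes (files visible from a Knoppix boot CD but missing from a listing taken while Windows was running), as an added example that is not part of the original post. It parses an offline listing in the row format shown above and reports entries absent from the live view; the function names are hypothetical, the offline rows are a subset copied from the post, and the live view is constructed from the post's remark that underscore-prefixed files did not list.

```python
import re

# One row of the offline listing format quoted in the post:
# date, time, size (with thousands separators), attribute flags, file name.
ROW = re.compile(
    r"^\s*(\d{1,2}/\d{1,2}/\d{4})\s+(\d{1,2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(\S.*?)\s*$"
)

# Subset of the post's listing, as seen from the boot CD.
OFFLINE_SAMPLE = """\
8/10/2005   0:47    1,505  R__A________  cert.pem
12/01/2006  8:42    1,184  R__A________  seclog.txt
11/29/2006 21:09   48,640  R__A________  _qbot.dll
11/23/2006  5:09    6,656  R__A________  _qbotinj.exe
11/30/2006 21:10        0  R__A________  _qbot_installed
"""

# Constructed live view: what a directory listing on the running system returned.
LIVE_SAMPLE = ["cert.pem", "seclog.txt"]


def parse_offline_listing(text):
    """Return {lowercased name: (size, date, time)} for every parsable row."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip headers, blank lines, anything not a file row
        date, time, size, _attrs, name = m.groups()
        entries[name.lower()] = (int(size.replace(",", "")), date, time)
    return entries


def hidden_entries(offline_text, live_names):
    """Files present in the offline view but absent from the live view."""
    offline = parse_offline_listing(offline_text)
    live = {n.lower() for n in live_names}  # Windows file names are case-insensitive
    return sorted((name, meta[0]) for name, meta in offline.items() if name not in live)


if __name__ == "__main__":
    for name, size in hidden_entries(OFFLINE_SAMPLE, LIVE_SAMPLE):
        print(f"hidden from live view: {name} ({size} bytes)")
```

Any name reported here exists on disk but is being filtered from the running system's directory enumeration, which is the discrepancy that exposed the _qbot files.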