Help with Win32 Rbot Trojan

Discussion in 'malware problems & news' started by Albinoni, Mar 8, 2006.

Thread Status:
Not open for further replies.
  1. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    I think I have a Win32 Rbot Trojan on my PC. I accidentally downloaded a corrupt file or whatever, and NOD32 popped up ASAP and said something like Win32 Rbot Trojan.

    Also my Limewire Pro and Shareaza started to just start automatically even after I closed them both down. They would keep restarting.

    How can I remove this nasty trojan once and for all?
     
  2. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Which file is NOD saying has this trojan?
     
  3. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    C:\WINNT\b.exe
     
  4. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    It was partly my fault. NOD32 did catch it ASAP, but a few secs after my FW popped up and asked if I want to allow something like SVCHost etc, and I said yes.

    After this my Shareaza and Limewire Pro went a bit mad and started to just load themselves.
     
  5. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Please email the file b.exe to me at magnus@misec.net and I'll have a look at it and get back to you with removal instructions.
     
  6. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    Now I downloaded a tool called Rbot GUI from Sophos and did a full scan using it and it did not pick up anything at all. Like I said, NOD32 did catch it ASAP.

    But it's just a few secs after that my ZA firewall and my MS Antispyware popped up asking me if I want to allow svchost etc to access something something at startup, and when I applied OK, that is where both my Shareaza and Limewire started to go a bit crazy.

    I also tried to look for this b.exe file in Winnt but cannot seem to locate it. What's the best way to search for this file?

    This is where my confusion is: is my PC affected with this Trojan?
     
  7. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    If you got alerts from ZoneAlarm then yes, the trojan did probably get installed.
     
  8. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    Have a look over here.
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I don't think so - else how did it get installed and start popping things up at you? Probably NOD caught something else and let this one through. However you can check NOD's logs.
    Am I to take it that svchost.exe has been entered as a 'startup'? You should be able to see from the startup section of MS-AS or looking at msconfig. The real svchost.exe should be running from the System32 folder, and it does not need to create an autostart for itself.

    ZAP possibly could have stopped this, but of course you do have to decline the pop-up it gives you. Unfortunately it is all too easy to click these things through without realising the consequences.

    Edit - Panther beat me to the post, but that looks possible, perhaps you can check whether the entries apply in your case?
     
  10. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    NOD32 did catch it because when I refer back to its Log File it has Win32Rbot Trojan listed. And also when NOD popped up, yes, it did say the same thing.

    Am I to take it that svchost.exe has been entered as a 'startup'?
    Yes, correct, this is what both ZA and MS AS come up with and I allowed.

    You should be able to see from the startup section of MS-AS or looking at msconfig. The real svchost.exe should be running from the System32 folder, and it does not need to create an autostart for itself.

    And how do I go about doing this?
     
  11. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    Just a Q here: why do I need to use Sophos, hasn't NOD32 got a removal tool for this?

    Also I did run an rbotgui tool from Sophos but nothing was found.
     
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Are any scans finding anything?

    Have you got changes to your list of autostarts in msconfig?
     
  13. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    No, so far scans are clean. I ran a scan with Ewido and it cleaned three trojans or whatever, but not the Rbot ones.

    How do I check for changes in my list for MSCONFIG?
     
  14. Wolfe

    Wolfe Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    160
    No one stated you do need Sophos - just pointing to possibly needed info.

    Thanks for the info.
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It is beginning to sound like a false alarm, but you can look at the startup tab in msconfig by clicking Start/Run and entering 'msconfig'; also you can check in MS-AS's 'Startup' section. You should look for something that should not be there, such as a reference to b.exe or scvhost.exe etc.

    Also you can confirm what the ZAP pop-ups were about by looking at the ZA's log section - just enter 'OS Firewall' in the drop-down box, after that look at the entries for 'Programs'.

    Similarly, you can check the MS-AS alerts by looking at the log section for viewing active protection events.

    In this way you can find out whether there is anything to worry about or not.
     
  16. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    It is beginning to sound like a false alarm, but you can look at the startup tab in msconfig by clicking Start/Run and entering 'msconfig'; also you can check in MS-AS's 'Startup' section. You should look for something that should not be there, such as a reference to b.exe or scvhost.exe etc.

    Win 2000 does not support MSCONFIG. But if I go to Start, Settings, Taskbar & Start Menu, then the Advanced tab, in there I get a Remove button which will allow me to see what comes on at Start Up.

    Also you can confirm what the ZAP pop-ups were about by looking at the ZA's log section - just enter 'OS Firewall' in the drop-down box, after that look at the entries for 'Programs'.

    Is this under Program Control, Programs Tab?

    Similarly, you can check the MS-AS alerts by looking at the log section for viewing active protection events.

    I cannot seem to find the alert logs. How do I get to it?
     
  17. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Sorry, I didn't realise you were on W2K. But you should find all the info in MS-AS. Look in the Advanced Tools section.
    No, go to ZA's alerts and Logs section and click the Log Viewer tab. Changing the entry in the 'Alert Type' drop-down box will provide the info you require (I believe your pop-up would have come from the OS Firewall component). You just click the relevant entry to select it and then get the info from the 'entry detail' panel below.
    Currently I am not using MS-AS, so I cannot be precise, but I'm sure if you look in the realtime protection section you will find a way to view logs of alerts issued. Perhaps you could try 'options' on the toolbar menu? I certainly used to be able to do it when I ran Giant and I doubt they would have done away with the log viewing facility!
     
  18. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    I didn't realise you were on W2K. But you should find all the info in MS-AS. Look in the Advanced Tools section.

    Not a problem, yep, I love my W2K Pro with SP4 :D
    Now I did go into the Startup Prog of MS AS and all looks clear, apart from one thing in there called iconra.exe. I don't want to delete this as yet as I'm not 100% sure if it's a part of any of my progs. But apart from that all looks well.

    No, go to ZA's alerts and Logs section and click the Log Viewer tab. Changing the entry in the 'Alert Type' drop-down box will provide the info you require (I believe your pop-up would have come from the OS Firewall component). You just click the relevant entry to select it and then get the info from the 'entry detail' panel below.

    I did do this and Yes I got two logs in the OS FW section. This is what I got:

    Rating: High
    Date/Time: 2006/03/09
    Type: Process
    Subtype: Spawn Process
    Data: C/Progfiles/Limwire
    Prog: C/Internet Downloads
    Action: Allowed

    The above also applies to Shareaza.

    Now the other thing is with the log above the time says 05:28 for Limewire and 05:17 for Shareaza. But when I got this problem it was way before that, around 02:15. I did end up uninstalling both LW and Shareaza and did re-install them at a later time which was around past the 05:00 mark.

    Apart from those two there was no other log files listed in ZA and all looks clear.

    The good news now is that my computer seems to be running fine and not having both Shareaza and LW popping up every 15 secs.

    Like I said perhaps this had nothing to do with the Rbot Trojan because NOD did grab it quickly and the only option I had in the NOD window was to close it as NOD had already terminated it.

    Also I have re installed both Limewire and Shareaza and both are working very well.

    Many thanks for your help, appreciated.
     
  19. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    IconRA.exe should be O.K., but you can check its credentials by finding it in Explorer (probably in your C:\Windows folder) and right clicking it and selecting properties; that will give the company name etc and you can Google for further info if in doubt.

    NOD would have picked the trojan up as soon as it was written to HD, so there is no chance that it could have done any damage at all. It's just that you initially gave the impression something might have slipped by and got installed, but that does not seem to be the case; so it looks like you are good to go! ;)
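The checks TopperID describes in posts 15 and 19 (look through the autostart locations for anything that should not be there, such as b.exe or a look-alike of svchost.exe; remember that the real svchost.exe runs from System32 and never needs an autostart entry of its own; and check a doubtful file's Properties for its company name) can be scripted on a modern Windows box. The script below is an added example written for this thread, not a tool from the thread or from any of the products mentioned. It assumes Windows with PowerShell 5 or later (the thread's Windows 2000 machine predates PowerShell, where the same checks are done by hand in MS-AS), and the suspect names list is taken from the thread, not from any vendor signature.

```powershell
# Added example (not from the thread): list the common Windows autostart
# locations and flag entries that match the warning signs discussed above.
# Assumes PowerShell 5+ on a modern Windows host.

# Names the thread calls out as not belonging in an autostart entry.
# 'scvhost.exe' is a look-alike of the genuine 'svchost.exe'.
$SuspectNames = @('b.exe', 'scvhost.exe')

$System32 = Join-Path $env:SystemRoot 'System32'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    # Registry Run / RunOnce values (the equivalent of msconfig's startup tab).
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    # Per-user and all-users Startup folders.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -File | ForEach-Object {
            [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-ExecutablePath([string]$Command) {
    # Pull the executable out of a command line: a quoted path or the first token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-AutostartEntry($Entry) {
    $reasons = @()
    $exe = Get-ExecutablePath $Entry.Command
    if ([string]::IsNullOrWhiteSpace($exe)) {
        return [pscustomobject]@{ Source = $Entry.Source; Name = $Entry.Name; Path = ''; Company = $null; Flags = 'empty command' }
    }
    $leaf = Split-Path -Leaf $exe
    if ($SuspectNames -contains $leaf.ToLower()) { $reasons += "name '$leaf' is on the suspect list" }

    # The genuine svchost.exe lives in System32 and never needs an autostart entry.
    if ($leaf -ieq 'svchost.exe') {
        $reasons += 'svchost.exe should not appear in any autostart location'
        if (-not ((Split-Path -Parent $exe) -ieq $System32)) { $reasons += "svchost.exe outside $System32" }
    }

    # Bare file names are resolved through PATH, as the loader would do.
    if (-not (Test-Path -LiteralPath $exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Path) { $exe = $cmd.Path }
    }

    # Publisher details: the same check as right-click > Properties on IconRA.exe.
    $company = $null
    if (Test-Path -LiteralPath $exe) {
        $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
        if ([string]::IsNullOrWhiteSpace($company)) { $reasons += 'no company name in version info' }
    } else {
        $reasons += 'referenced file not found on disk'
    }

    [pscustomobject]@{
        Source  = $Entry.Source
        Name    = $Entry.Name
        Path    = $exe
        Company = $company
        Flags   = ($reasons -join '; ')
    }
}

# Flagged entries are listed first; an empty Flags column means nothing stood out.
Get-AutostartEntries | ForEach-Object { Test-AutostartEntry $_ } |
    Sort-Object { $_.Flags -eq '' } |
    Format-Table -AutoSize
```

An empty Flags column is not a clean bill of health, only the absence of the specific warning signs from this thread; a missing company name is a prompt to look the file up, as TopperID suggests, not proof of anything on its own.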
     
  20. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    Just like to thank those here who helped me out here, greatly appreciated.
     