New instances of "Qbot" abuse?

I am working on a computer I built for a client. He says "I was trying to upload pictures to Craigs List when I got kicked offline and I could no longer get on the internet"

I didn't know what he meant until tried to open IE, Nothing happened, and checking TaskMan, I saw about 100 instances of the IE crash detection tool.

Because this PC had XP SP3, I could do no troubleshooting because of the nature of the changes they applied to the IE crash detection program- I had to remove SP3 and I found this:

-A Program called KDWNY.EXE was in MSCONFIG but there was no actual file called that- the MSCONFIG entry could be disabled but it would reenable itself.

-KDWNY would allow me to remove reg entries related to it, but they would magically reappear.

I finally was able to run Ad Aware Pro SE and it directed me to some malware that had been installed, which in turn directed me to a folder in "All Users" called "_qbothome"

I moved the folder to my desktop and it helped,

But there is still a part of the hack I can't get out.

I am posting here, because of this thread:

https://www.wilderssecurity.com/showthread.php?t=156461

WHich was posted 3 years ago, well, this is similar to the problems discussed in that thread, but there is also something else.

I still cannot remove the reg entries to the "KWDNY.exe" and the MSCONFIG entry always reappears.

I dealt with a related issue, where the reg entries had something that caused them to be rewritten, but I can't remember how I dealt with that.

Putting Hijackthis and other helper apps is difficult because this PC will nto connect.

Finally, the RCPSS service keeps shutting off in regular mode, causing symptoms similar to the Blaster virus.

Anyone got any ideas what this is?

I'll be back later with some more details once I can get hijackthis into the machine.

 

XweAponX, because you mentioned Hijackthis, just a quick preemptive note that the Wilders forums no longer do Hijackthis fixes, but there are several who do, listed in this thread:
https://www.wilderssecurity.com/showthread.php?t=42148

Please let us know how your troubleshooting goes -- best of luck.

 

I, too, just caught this a few days ago, and I am glad that old thread was there as there is very little information about _qbothome and _qbotinj.exe and _qbot.dll available on the internet. AVG Anti-virus which was installed at the time did not catch it, and does not detect it, even when pointed directly at the folder to scan it. It was apparently caught by surfing one of just a few regularly visited and perfectly harmless websites. I wish I could find a good way to discover which one is infected so that I can tell them.

I plan to try the SuperAntiSpyware, but I found the lack of response to the poster that talked about finding a _cognitas folder later on to be alarming. I know from personal experience with Klez how a nastie can morph and mutate and hide again every time an anti-virus tool is used to remove it. That one I had to take down by myself, and I could not have done it without Ctl-Alt-Del which used to stop everything dead in its tracks. Not having that full-system-stop capability anymore is making me very nervous about trying to handle this...

I am a bit alarmed that even over 2 years later, most of the AV companies had little to no information on a backdoor, password stealing, bit of nastiness.

 

SUPERAntiSpyware has been very successful in removing the QBot components and items dropped and protected by QBot and its variants.

If you have a specific infection/variant that we can't remove, we would be happy to run our custom diagnostic tools to analyze the system and remove the infection.