Author Topic: WIN32.poebot-C and B and D  (Read 6888 times)

jimminy

  • Guest
WIN32.poebot-C and B and D
« on: December 09, 2005, 04:10:09 PM »
Help, my computer keeps on downloading a virus every time I connect to the internet. I move the Poebot virus to the avast virus chest as recommended, then when I disconnect, a shutdown timer occurs saying my RPC was broken and the computer will shut down in 1 minute.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: WIN32.poebot-C and B and D
« Reply #1 on: December 09, 2005, 05:22:54 PM »
Can you open the avast Chest and see the name and the path of the infected file?
Can you schedule a boot-time scan and see what else is infected on your computer?
The best things in life are free.

jimminy

  • Guest
Re: WIN32.poebot-C and B and D
« Reply #2 on: December 09, 2005, 06:03:47 PM »
They mostly go to the C:\WINDOWS\system32 directory and have different names for themselves, but they are all either win32.poebot's - B, C, or D.

another virus is in the directory,

C:\system volume information\_restore{8D7B10E3-6472-4F04-AB93-DD500C5079EA}\RP3,

and there is one more that was originally in the directory,

C:\RECYCLER\S-1- SORRY BOUT THE SUDDEN END COMP SHUTTIN ITSELF AUTOMATICALLY RPC THING

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: WIN32.poebot-C and B and D
« Reply #3 on: December 09, 2005, 06:59:11 PM »
> C:\WINDOWS\system32 directory and have different names for themselves, but they are all either win32.poebot's - B, C, or D.

You need to run a boot-time scan or, at least, boot in Safe Mode (press F8 while booting) and scan from there.

> another virus is in the directory,
> C:\system volume information\_restore{8D7B10E3-6472-4F04-AB93-DD500C5079EA}\RP3,

If you find a virus keeps coming back after you delete it, it has most probably infected the System Restore folder. The best way to solve this is to disable System Restore, reboot your machine and then enable it again. After that, run a full avast! scan. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k.

Enable/Disable System restore on Windows ME: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887
Enable/Disable System restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

Windows attempts to protect files that are deleted from the system folders (just in case it was an accident), so they can be restored if required.
The problem is that many malware writers are wise to that and put their files in the system folders; this is also done to confuse you into thinking you could be deleting an important system file. Disable System Restore, reboot, scan and, if clean, enable System Restore again.

> and there is one more that was originally in the directory,
> C:\RECYCLER\S-1- SORRY BOUT THE SUDDEN END COMP SHUTTIN ITSELF AUTOMATICALLY RPC THING

Can you empty your Recycle Bin and delete your temporary Internet files?
To do this, go to Internet Explorer > Tools > Internet Options > Delete Files > click "Delete all offline content" (just to be sure) > click OK.
It might take some time to delete them.
The best things in life are free.

jimminy

  • Guest
Re: WIN32.poebot-C and B and D
« Reply #4 on: December 10, 2005, 04:25:57 PM »
Right, did what you said: deleted all of the temp internet files, shut down System Restore, then restarted the computer into Safe Mode and started to scan the hard drive for viruses there, and it found none. (Note, the last one came and I moved it to the chest, where I deleted them all.)

I then set Avast to scan on boot-up, and it found nothing again... but, as soon as I went online to visit this forum again, a new threat appeared, win32.Zlob-af. This also originally appeared in C:\windows\system32, but ONLY when I went online. I'm not sure if this is connected, because I mostly receive (and still do as I type) the poebot trojan, which almost behaves as if it is being downloaded as soon as I go on the web.

I've also noticed since yesterday that in the virus chest there are 3 system files in there as well, all from C:\windows\system32: Kernal32.dll, winsock.dll and winsock32.dll.

As mentioned very briefly in my last post, when I disconnect, a warning box appears saying my Remote Procedure Call (RPC) was canceled and the system was shutting down in 1 minute. This made me think that it was a blaster or sasser virus.


any ideas how or what this is???


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: WIN32.poebot-C and B and D
« Reply #5 on: December 10, 2005, 05:14:48 PM »
Have you got a firewall? What OS have you got? Is your system up to date?

This thing exploits known OS vulnerabilities: if you don't update, you will fall victim again.

If you don't have a good firewall, please download a good free one: Zone Alarm free is probably your best choice at the moment.

Also download Ewido and a-Squared anti-Trojan scanners. (Ewido won't work on older systems but a-Squared will.)

Check avast! is up to date, install and update the two programs above.

Go offline and do a scan with avast! A boot time scan if possible. Scan with Ewido and a-squared. Install the firewall if you didn't have one.

Go back online and visit the MS update site:

http://office.microsoft.com/en-us/officeupdate/default.aspx

Download every critical update. Reboot if asked to. Visit the site  again. Repeat until there are no more critical updates.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: WIN32.poebot-C and B and D
« Reply #6 on: December 10, 2005, 10:29:04 PM »
> Note, the last one came and i moved it to the chest, where i deleted them all

Leave the file in the Chest for further analysis. It's safe there, can't do harm, and allows you to understand what happened.

> i've also noticed since yesterday that in the virus chest there are 3 system files in there aswell, all from
> C:\windows\system32\Kernal32.dll, winsock.dll and winsock32.dll.

These files, as has been posted many times, are there for backup purposes.
See that they are in the System files folder and NOT in the infected folder.
The best things in life are free.

jimminy

  • Guest
Re: WIN32.poebot-C and B and D
« Reply #7 on: December 11, 2005, 06:34:54 PM »
Right, cheers, me thinks??? Cos the virus has stopped being downloaded, just had to get the second service pack for XP installed (HA). Downloaded that ewido, like you said. Is it better than Spybot, or is it just a case of the more scanners you have, the better chance you have of gettin rid of pesky trojans and such?

And also, any good freeware firewalls I could be downloadin, cos me thinks that the XP one could do with some upgrading. And anything else that might be helpful (and free ;))


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: WIN32.poebot-C and B and D
« Reply #8 on: December 11, 2005, 07:53:34 PM »
Yes jimminy,

When you have upgraded your XP with the SP2, you have one good resident AV (remember only one), like AVAST, you also need one good Software Firewall (only one), like ZoneAlarm or Kerio.
That is a good start,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: WIN32.poebot-C and B and D
« Reply #9 on: December 11, 2005, 10:43:29 PM »
> And also, any good freeware firewalls

Kerio, ZoneAlarm, Outpost, Sygate, Jetico, Comodo... All of them have free versions.
You need just ONE of them to be protected in your outbound connections.
I suggest ZA or Kerio.
The best things in life are free.

jimminy

  • Guest
Re: WIN32.poebot-C and B and D
« Reply #10 on: December 12, 2005, 04:44:05 PM »
Right, cheers, I downloaded that Zone Alarm and it seems to be alright. It has conflicts with avast about the web shield or something, but I don't think that it's that important.

once again thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89224
  • No support PMs thanks
Re: WIN32.poebot-C and B and D
« Reply #11 on: December 12, 2005, 05:21:49 PM »
The conflict only occurs in the ZA Pro Privacy Control settings; you should have no problem with the free version, as that doesn't have that function.

See this for more information: http://www.avast.com/eng/webshield_issues.html

AVAST Web Shield compatibility dialogue - Install/Update Question - YES or NO

If you are using ZoneAlarm Free you should click NO, because privacy features are not present in ZoneAlarm Free; this will not turn off WebShield transparent mode proxy.
Use a text editor and edit the avast4.ini file, the default installation location is C:\Program Files\Alwil Software\Avast4\DATA\avast4.ini (I would advise you copy avast4.ini before editing it, just in case).
Locate the line containing ZoneAlarmCompatibility= and delete that line.  Save the edited avast4.ini file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
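
The avast4.ini edit described in the post above (copy the file first, then delete the ZoneAlarmCompatibility= line), as an added Python example that is not part of the original thread or of avast!. The sample file contents, its section name and the `.bak` backup naming are constructed assumptions.

```python
import os
import re
import shutil
import tempfile

# Constructed sample; section and neighbouring keys are placeholders.
SAMPLE = b"[Section]\r\nSomeSetting=1\r\nZoneAlarmCompatibility=1\r\nOther=abc\r\n"


def remove_ini_key(ini_path, key="ZoneAlarmCompatibility"):
    """Delete every `key=` line, keeping a backup. Returns (removed, backup_path)."""
    # Raw bytes: encoding, comments and CRLF line endings stay untouched,
    # which a configparser round-trip would not guarantee.
    pattern = re.compile(rb"^\s*" + re.escape(key.encode("ascii")) + rb"\s*=", re.I)
    with open(ini_path, "rb") as fh:
        lines = fh.read().splitlines(keepends=True)
    kept = [ln for ln in lines if not pattern.match(ln)]
    removed = len(lines) - len(kept)
    if removed == 0:
        return 0, None  # nothing to do: no backup, file not rewritten

    # Back up first, never overwriting an earlier backup.
    backup, n = ini_path + ".bak", 1
    while os.path.exists(backup):
        backup, n = f"{ini_path}.bak{n}", n + 1
    shutil.copy2(ini_path, backup)

    # Write beside the original, then swap in, so a crash cannot leave
    # a half-written ini behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(ini_path)))
    with os.fdopen(fd, "wb") as out:
        out.writelines(kept)
    os.replace(tmp, ini_path)
    return removed, backup


def demo():
    """Run the edit on a throwaway copy of SAMPLE and report what changed."""
    with tempfile.TemporaryDirectory() as d:
        ini = os.path.join(d, "avast4.ini")
        with open(ini, "wb") as fh:
            fh.write(SAMPLE)
        removed, backup = remove_ini_key(ini)
        with open(ini, "rb") as a, open(backup, "rb") as b:
            result = (removed, a.read(), b.read())
        return result + (remove_ini_key(ini),)  # second run is a no-op


if __name__ == "__main__":
    print(demo())
```
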