Author Topic: win32:Rbot-ANG  (Read 15295 times)


marieandgordon

  • Guest
win32:Rbot-ANG
« on: October 29, 2005, 06:27:26 PM »
Can anyone tell me how to get rid of this trojan? It originally appeared in C:\WINDOWS\system32\winlog.exe and then C:SystemVolumeInformation\_Restore{lots of numbers}.exe and now in the C:\programFiles\winsupdater\winsupdater.exe file. I moved it to the chest yesterday, but after a scan it is now again in the winsupdater.exe file.
I use Windows XP with avast and Zone Alarm.
marie

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: win32:Rbot-ANG
« Reply #1 on: October 29, 2005, 06:47:30 PM »
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

Besides this, disable System Restore and then enable it again to clean it.
Start > Control Panel > System > System restore > Disable
Click Apply
Enable it again
Click Ok
The best things in life are free.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: win32:Rbot-ANG
« Reply #2 on: October 29, 2005, 07:30:09 PM »
If a boot time scan fails, try this disinfector:

http://www.sophos.com/support/disinfection/rbotek.html

Do you have a good firewall? Download a good free one like Zone Alarm if you haven't. Install it after you have cleaned the infection.

And then go straight to the Microsoft Update site and download all the critical updates, or you will easily be infected again.

http://windowsupdate.microsoft.com/
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Spiritsongs

  • Guest
Re: win32:Rbot-ANG
« Reply #3 on: October 29, 2005, 07:44:36 PM »
:) You may have other malware on your computer !? Do you use an antiSPYWARE program and if yes, what does its "Full" scan results show ? Should also consider using the good & FREE Ewido from www.ewido.net/en ; this program "specializes" in detecting and removing trojans, worms, dialers, etc. "Winsupdater" sounds like a spyware I have seen "dealt" with on various antispyware forums !?

MrBabis

  • Guest
Re: win32:Rbot-ANG
« Reply #4 on: October 29, 2005, 09:37:00 PM »
AVAST can remove it, but you need to update your Windows.

Win32:Rbot-ANG [Trj]
« Last Edit: October 29, 2005, 09:45:49 PM by MrBabis »

marieandgordon

  • Guest
Re: win32:Rbot-ANG
« Reply #5 on: October 30, 2005, 10:18:43 AM »
Only just logged on again so have not yet done a boot time scan. We use Ad-Aware, Spybot Search and Destroy, Trend Micro anti-spyware - Internet Explorer is up to date on updates and so is Zone Alarm. Nothing has picked this up on a scan, only avast.
I will do a boot time scan and let you know.
marie

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: win32:Rbot-ANG
« Reply #6 on: October 30, 2005, 12:54:40 PM »
Nothing has picked this up on a scan only avast
Anyway, it does not seem a false positive but a real infection...  :-\
After scanning with avast (archive option checked), try online spyware scanning at http://www.spywareguide.com/txt_onlinescan.html
and one of the online virus scanning at http://www.security-ops.tk/

You can submit the files to Jotti and let us know the results, i.e., if it is or not a false positive.

If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect ('virus', will do) the suspect file and send it to virus (at) avast.com.
Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see About avast: right click avast icon) will also help.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: win32:Rbot-ANG
« Reply #7 on: October 30, 2005, 02:34:09 PM »
Hello marieandgordon,

There is a whole array of Rbot viruses, worms all used to prey on innocent users by hackers or industrial hackers. They were built to put more functionality into these worms. Some can even look into the bedroom (so turn your webcam off or patch your OS).
For removal instructions, I second FwF,  look here:
http://www.sophos.com/support/disinfection/rbotek.html

Get this worm from your machine soon, lots of success, and welcome to the web forum,

polonus
« Last Edit: October 30, 2005, 02:36:07 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

marieandgordon

  • Guest
Re: win32:Rbot-ANG
« Reply #8 on: October 31, 2005, 11:36:36 PM »
Right, I have run Spybot, Ad-Aware, Ewido, Trend Micro and avast anti virus, I have done a boot scan and done the disinfection thing on Sophos, nothing showed up. Does this mean it has gone or is it lurking somewhere?
All my Windows updates are up to date, I checked, and Zone Alarm is up to date.
Marie

MrBabis

  • Guest
Re: win32:Rbot-ANG
« Reply #9 on: October 31, 2005, 11:39:46 PM »
Did you try Autoruns to see if some other programs load on startup?

marieandgordon

  • Guest
Re: win32:Rbot-ANG
« Reply #10 on: October 31, 2005, 11:41:41 PM »
Sorry, what are autoruns? How do I do that? I know it is probably something very simple...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89665
  • No support PMs thanks
Re: win32:Rbot-ANG
« Reply #11 on: October 31, 2005, 11:53:43 PM »
Autoruns is a program to check what runs on start-up. You can check this in Windows though: Start, Run, type msconfig and press Enter. Then check the Startup tab and see what is in there.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: win32:Rbot-ANG
« Reply #12 on: November 01, 2005, 12:40:44 AM »
Sorry, what are autoruns? How do I do that? I know it is probably something very simple...
If I'm not wrong, check www.sysinternals.com  8)
The best things in life are free.

Spiritsongs

  • Guest
Re: win32:Rbot-ANG
« Reply #13 on: November 01, 2005, 05:22:09 AM »
:) Marie :

Since you have Ad-Aware, I would suggest you ask the Ad-Aware Experts on the forums at www.landzdown.com for help !? They know of "special instructions" to be used with Ad-Aware to get rid of serious spyware, etc.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: win32:Rbot-ANG
« Reply #14 on: November 01, 2005, 08:57:59 AM »
Can you post a HijackThis! log please?

http://www.bleepingcomputer.com/forums/tutorial42.html
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
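
The startup check suggested in the replies above (Autoruns, msconfig, a HijackThis log), as an added example that is not part of any post: a Python sketch that reads a HijackThis-style log and reports startup entries still pointing at the file names the original poster said avast flagged. The `O4` line shape is assumed from typical HijackThis output, and the sample log, its entry names and the `ExampleApp` path are constructed.

```python
import ntpath
import re

# File names the original poster reported avast flagging (taken from the thread).
REPORTED_NAMES = {"winlog.exe", "winsupdater.exe"}

# Assumed HijackThis startup-line shape: O4 - <key>: [<entry name>] <command line>
O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample log; entry names and the ExampleApp path are made up.
SAMPLE_LOG = r'''
Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe" -tray
O4 - HKLM\..\Run: [Windows Logon] C:\WINDOWS\system32\winlog.exe
O4 - HKCU\..\Run: [updater] C:\Program Files\winsupdater\winsupdater.exe /start
O4 - HKLM\..\Run: [Logon helper] C:\WINDOWS\system32\winlogon.exe
'''


def executable(cmd):
    """Return the executable path from a command line, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted: cut after the first ".exe" so paths containing spaces survive.
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def flag_startup_entries(log_text):
    """List (key, entry name, path) for startup entries whose file name was reported."""
    hits = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue  # not a startup (O4) line
        path = executable(m.group("cmd"))
        # Compare the whole file name, case-insensitively, so the genuine
        # winlogon.exe is not confused with the reported winlog.exe.
        if ntpath.basename(path).lower() in REPORTED_NAMES:
            hits.append((m.group("key"), m.group("name"), path))
    return hits


if __name__ == "__main__":
    for key, name, path in flag_startup_entries(SAMPLE_LOG):
        print(f"still registered to start: {key} [{name}] -> {path}")
```

An empty result only covers the registry Run-style entries that appear as `O4` lines; it says nothing about services or other start-up locations, which is why the replies also ask for a full log.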