worm R Bot.gen

  • Thread starter Thread starter Brian
  • Start date Start date
B

Brian

Getting this message from my PC Cillin, have search for it
to delete it, what PC Cillin says in a box that comes up,
but not found, i have run spybot,spyware blaster. it says
C:\WINDOWS\system32\msie.exe is infected with worm R Bot.gen
 
Hey Brian

Id like to see a Hijack This log to be safe as it will
also have run commands if its the RBot worm, You can
download that from here if needed :

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Save to Desktop or c:drive and run, Choose system scan
and save logfile then post that back

What Im interested in is the 04 run entries in the log
and if any display "Microsoft Ansti Update" "Microsoft
Features" or "Microsoft upnp Update" and then the
msie.exe file as this would confirm your system is
infected with Rbot (It would look like this)

O4 - HKLM\..\Run: [Microsoft Ansti Update] msie.exe
O4 - HKLM\..\RunServices: [Microsoft Ansti Update]
msie.exe
O4 - HKCU\..\Run: [Microsoft Ansti Update] msie.exe

Note it will usually add itself to all 3 area's as shown
above to make sure that it runs everytime the pc starts,
But if you use Hijack This post the full log so I can
check for other problems.


If you do not need to use Hiajck This and just want to
delete the file then make sure you do not delete these
msieftp.dll or msiexec.exe as they are not connected to
this Worm

First enable hidden files and folders :

Go to Start then search > goto tools on the top bar> then
click Folder Options-> then goto the View tab .

make sure that 'Show hidden files and folders' is
enabled. 'Display the contents of system folders' is
checked & 'Hide extentions for known file types ' is not
checked then press apply

You can set this back later by opening the same page and
pressing 'restore defaults' then pressing apply,

Windows XP's search feature is a little different. When
searching you click on 'All files and folders' on the
left pane, click on the 'More advanced options' at the
bottom. Make sure that Search system folders, Search
hidden files and folders, and Search subfolders are
checked.

Search for the file or check system32 for the file and
delete it if found,

If you search and delete the file then also run an
Antivirus scan to make sure there is no other problems

http://housecall.antivirus.com/
http://www.pandasoftware.com/activescan/
http://us.mcafee.com/root/mfs/default.asp?cid=8433
http://www.kaspersky.com/virusscanner

And visit Microsoft Updates to make sure all your
securirty patches are up to date

http://windowsupdate.microsoft.com/


Let us know if you need more help with this

Regards

Andy
 
Hi Andy
Went last night to Trend site and did a house call free
scan, and it was virus free when it finished.i will do a
hijackthis, will i copy the file and paste it hear or
send it to hijackthis.

Brian
 
Just done a search ,i have XP Pro,search for sysem32, and
Rbot.Gen it found nothing,

-----Original Message-----
Hi Andy
Went last night to Trend site and did a house call free
scan, and it was virus free when it finished.i will do a
hijackthis, will i copy the file and paste it hear or
send it to hijackthis.

Brian
-----Original Message-----

Hey Brian

Id like to see a Hijack This log to be safe as it will
also have run commands if its the RBot worm, You can
download that from here if needed :

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Save to Desktop or c:drive and run, Choose system scan
and save logfile then post that back

What Im interested in is the 04 run entries in the log
and if any display "Microsoft Ansti Update" "Microsoft
Features" or "Microsoft upnp Update" and then the
msie.exe file as this would confirm your system is
infected with Rbot (It would look like this)

O4 - HKLM\..\Run: [Microsoft Ansti Update] msie.exe
O4 - HKLM\..\RunServices: [Microsoft Ansti Update]
msie.exe
O4 - HKCU\..\Run: [Microsoft Ansti Update] msie.exe

Note it will usually add itself to all 3 area's as shown
above to make sure that it runs everytime the pc starts,
But if you use Hijack This post the full log so I can
check for other problems.


If you do not need to use Hiajck This and just want to
delete the file then make sure you do not delete these
msieftp.dll or msiexec.exe as they are not connected to
this Worm

First enable hidden files and folders :

Go to Start then search > goto tools on the top bar> then
click Folder Options-> then goto the View tab .

make sure that 'Show hidden files and folders' is
enabled. 'Display the contents of system folders' is
checked & 'Hide extentions for known file types ' is not
checked then press apply

You can set this back later by opening the same page and
pressing 'restore defaults' then pressing apply,

Windows XP's search feature is a little different. When
searching you click on 'All files and folders' on the
left pane, click on the 'More advanced options' at the
bottom. Make sure that Search system folders, Search
hidden files and folders, and Search subfolders are
checked.

Search for the file or check system32 for the file and
delete it if found,

If you search and delete the file then also run an
Antivirus scan to make sure there is no other problems

http://housecall.antivirus.com/
http://www.pandasoftware.com/activescan/
http://us.mcafee.com/root/mfs/default.asp?cid=8433
http://www.kaspersky.com/virusscanner

And visit Microsoft Updates to make sure all your
securirty patches are up to date

http://windowsupdate.microsoft.com/


Let us know if you need more help with this

Regards

Andy
.
Click to expand...
.
Click to expand...
 
Andy
When i run my PC-Cillin 2005. it finds the worm but the 3
buttons to delete, quarantine, save is grayed out do you
think my PC-Cillin is faulty
Brian
 
Hi Brian

Sorry for the delay, Im in the UK so there's a big time
difference, Ive just got in from work as its 7.30pm
here :)

Its good your system is showing clean, This entry is used
by RBot so I dont think PC-Cillin is faulty, The problem
with worms is that they can start off as one name like
msie.exe then create a new file and delete its original
entries, One variant of RBot starts as msie.exe then
creates a file called explorer.exe in a folder called
system in the system32 folder then deletes the msie.exe
entry, You shouldnt delete explorer.exe though as its a
essential windows file but it should only be in the
windows folder/prefetch folder or service pack files
folder if you have one in system32 inside a folder called
system let us know but it may be a different variant that
was detected here, as Plun said there is alot of
different variants of this.

If the scans are showing clean then it may of been a
false alert but Hijack This would show if there is any
problems on the pc, There is auto analysis sites for
Hijack This but I wouldnt recommend using them as the
results cannot be trusted and could cause alot of
problems if people follow them(The main reason for this
is that most malware uses genuine names but in the wrong
area so the auto analysis sites can say something is
nasty and it may be clean and say something is clean
which may be nasty). If you need advise on a Hijack Log
feel free to post it on here and I will check it out or
use a Hijack This support forums like TomCoyote,
SpywareInfo etc..

Regards Andy
 
Hi Andy
Done a search for systems, 8 came up,3rd one down
C:documents and settings\brian. there was a folder called
system, in it was a folder called mui, then hhctrl.ocx,
itlrcl.dll,itss.dll

Brian
 
Hi Again

These are genuine files, itlrcl.dll would be "itircl.dll"
and again is genuine. You may not have any problems on
your system now if Virus scans are showing clean but
Hijack This would show if there is any malware, the 04
run entries especially would be important to look at if
you have the same named entry being called from more than
one position even this "explorer.exe" from the system
folder would show in the 04 area if it was present on the
system so it starts with windows, the genuine
explorer.exe will not be listed under the 04 entries in
hijack this so it would be easy to spot.

I do not think these will be there if Virus scans are now
showing clear but it was just for an example of how these
worms can change the original name, If you want to post
the hijack log I will let you know if there is any
problems, It will take me about a hour to review the log
but for the worm to run it would be listed under the 04
area and can be spotted as it will have more than one
entry for the same named file,

If you feel the system is clean then Hijack This may not
be needed and maybe the PC-Cillin detection was a false
alert, Its hard for me to comment without seeing the log
but maybe if it was present PC-Cillin was able to delete
the file and the run keys without problems.

Andy
 
Hi Andy
I have done a hijackthis and i have saved the file how do
i send it you, do i copy and paste it to this page, there
are 22 showing 04

Brian
 
Hi Brian

Yes Please Copy & Paste the full Hijack this log on here
or send it as a email to me

Thanks

Andy
 
Hi Brian

It looks like the worm is still active on your system and
is running or was running when you made that Hijack This
log but the rest of your log is clean so it looks like we
only have to remove this one file,

With you not being able to find the file lets use Killbox
to make sure it goes first time

Copy this to notepad and save it to your desktop as we
will need to reboot abit later

Download Killbox to your desktop

http://www.downloads.subratam.org/KillBox.zip

Extract the files (Unzip)

Then Use Hijack This again

Run Hijack This Again and choose to do a system scan

Place a check next to these entries


O4 - HKLM\..\Run: [msie] msie.exe

O4 - HKLM\..\RunServices: [msie] msie.exe


Close all open browser windows except Hijack This and
press "Fix Checked"

Exit Hijack This

Reboot the machine

When its restarted run Killbox

Place a checkmark (Tick) next to "Delete On Reboot"

Also place a checkmark (Tick) next to "End Explorer Shell
While Killing File"

You will see an area at the top of killbox called "Full
Path Of File To Delete"

copy & paste this into that area

C:\WINDOWS\system32\msie.exe

After you paste it into Killbox you should then see it
written below in Blue

Next press the red circle with a white X which is delete
(Press yes on both prompts and let it reboot)

That's then fully removed , The 04 's are the registry
run commands so it starts with windows, we remove them
and reboot so that when it reboots the worm isnt
running , then use killbox to remove the file,

Let us know if you need more help with this

Regards

Andy
 
Back
Top