ClamWin Free Antivirus Support and Discussion Forums
Please help a clueless user with Borobot-B & Win32:Salit
Karl_v_B
Earlier this week when I started my computer, Winpooch alerted me to a couple of processes that were trying to run:

C:\Documents and Settings\Karl\lat.exe

and

C:\WINDOWS\System32\mssecure.exe

Naturally I rejected the processes and set the filters to reject any actions from the above-mentioned files.

I did a quick scan with Avast and discovered a trojan, "Win32:Sality-W", on my computer. I quarantined it in the virus chest and removed it from my system. I then did another scan with ClamWin and also Avast, and they both found nothing.

I then restarted my PC, only to find that the same two processes mentioned above were once again trying to run.

I did a Google search on mssecure.exe and found that it is associated with Troj/Borobot-B,

aka

* Backdoor.Win32.Robobot.w
* DDoS-Boxed
* BKDR_ROBOBOT.GEN

which apparently

"When first run, Troj/Borobot-B copies itself to <Windows>\mssecure.exe and creates a registry entry to run mssecure.exe on startup."

I then followed the instructions provided by Sophos:

"At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
.mssecure
"<Windows>\mssecure.exe"

and delete it if it exists."

The mssecure.exe entry wasn't where Sophos said it would be, but I found it eventually and deleted it.

Did another scan with both ClamWin and Avast, and both found nothing.

Things were fine for a couple of days until this morning, when I started up and guess who was back?

C:\Documents and Settings\Karl\lat.exe

and

C:\WINDOWS\System32\mssecure.exe

I once again set the filters on Winpooch to reject all actions from these two, as I had changed the filters back to default.

That seems to have worked in the sense that they can't run, but the biggest problem is that I can't seem to find the registry entries they made. What concerns me even more is that neither ClamWin nor Avast has found anything on my C:\ despite repeated scans.

I looked for the mssecure.exe entry in my registry and can't find it. Has it not made the changes to the registry yet? I also had a hell of a time finding LAT.EXE, as it is not in C:\Documents and Settings\Karl\lat.exe. In fact, the only file that I eventually found that I think could be it is in C:\WINDOWS\Prefetch.

So now my questions are:

1.) Why is neither ClamWin nor Avast picking up anything? Is it because I stopped it from running and it is just sitting in the Prefetch folder, or is there another reason?
2.) How in the hell do I keep on picking up the same bloody trojan? Is there some patch that I don't have, and it's repeatedly exploiting the same vulnerability?

and finally

3.) How do I get rid of it once and for all?

Should I just delete the LAT.EXE file from the Prefetch folder?

Any and all help will be greatly appreciated.

Karl
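As an added example (not from this thread, from Sophos, or from any of the products mentioned), here is the registry check in the Sophos excerpt and the Prefetch search described in the post above, scripted in PowerShell so it can be repeated after each reboot. It assumes a current Windows PowerShell; the key paths and the Prefetch location are the standard ones, the two file names come from the post, and everything else is illustrative. It goes a little beyond the Sophos text by also looking in the HKCU hive and the RunOnce keys, since an entry written under the logged-on user rather than under HKLM is one reason a value may not be found where a write-up says it is. It only reads; it deletes nothing.

```powershell
# Added example, not from the original thread. Lists autorun registry values
# and Prefetch traces that reference the two file names named in the post.
# Run from an elevated PowerShell prompt. Read-only: it deletes nothing.

# File names taken from the post (assumption: nothing else is involved).
$SuspectNames = @('mssecure.exe', 'lat.exe')

# The Sophos text only names the HKLM Run key. A per-user infection lands in
# HKCU instead, and RunOnce is a common alternative, so check all four.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunHits {
    param([string[]]$Keys, [string[]]$Names)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties
        foreach ($p in $props) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip it.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            foreach ($n in $Names) {
                # Match on the file name anywhere in the command line, so a
                # value like "C:\WINDOWS\mssecure.exe /start" is still found.
                if ($cmd -match [regex]::Escape($n)) {
                    [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = $cmd }
                }
            }
        }
    }
}

function Get-PrefetchHits {
    # A Prefetch file such as LAT.EXE-1A2B3C4D.pf is written by Windows when
    # a program runs. It records that the program ran; it is not the program.
    param(
        [string[]]$Names,
        [string]$PrefetchDir = (Join-Path $env:SystemRoot 'Prefetch')
    )
    if (-not (Test-Path -Path $PrefetchDir)) { return }
    Get-ChildItem -Path $PrefetchDir -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_.Name
            @($Names | Where-Object { $pf -like "${_}-*" }).Count -gt 0
        } |
        Select-Object Name, LastWriteTime, Length
}

$autorun  = @(Get-AutorunHits -Keys $RunKeys -Names $SuspectNames)
$prefetch = @(Get-PrefetchHits -Names $SuspectNames)

if ($autorun.Count -eq 0) { 'No autorun values reference the suspect names.' }
else { $autorun | Format-Table -AutoSize }

if ($prefetch.Count -eq 0) { 'No Prefetch traces for the suspect names.' }
else { $prefetch | Format-Table -AutoSize }
```

The Prefetch listing answers the "is it just sitting in the Prefetch folder?" question in the sense that a .pf file is evidence the executable ran at some point, with LastWriteTime giving the last run; the executable itself has to be elsewhere (or already gone). A Run value that still names the file is worth noting even when the file is missing, because it shows where the sample expected to live and will be recreated if the dropper runs again.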
Problem solved... I hope
Karl_v_B

I installed a program from a UK company called PREVX last night, and it found what I hope was the last of the malware.

http://www.prevx.com/

I am a little concerned, though, that ClamWin and Avast missed some of these programs.

Any insights into why this may have happened?

Thanks

K
Help From The Also Clueless
GuitarBob

I understand that Prevx is one of those behavior blockers that doesn't depend upon a virus database. It sounds like you had a "persistent" virus, and perhaps there was a double payload. Check the databases for ClamWin and Avast to see if those viruses are in their databases. If they aren't, contact them both after a day or so and inform them.

Continue to scan with Avast and ClamWin. I also suggest that you do a free online scan with a couple of other commercial antivirus vendors, say Kaspersky and F-Secure. If nothing shows up, then you've probably gotten rid of it. Also make sure you have all Microsoft "patches" for your operating system.

ClamWin only uses a virus database to check for viruses, but I think that after it's been around in a real-time version for a while, they will add some other techniques for checking as well.

Regards,