Please help a clueless user with Borobot-B & Win32:Salit
Karl_v_B
Joined: 15 Jul 2006
Posts: 0
Posted: Sat Jul 15, 2006 10:31 pm
Earlier this week when I started my computer, Winpooch alerted me to a couple of processes that were trying to run:
C:\Documents and Settings\Karl\lat.exe
and
C:\WINDOWS\System32\mssecure.exe
Naturally I rejected the processes and set the filters to reject any actions from the files mentioned above.
I did a quick scan with Avast and discovered a trojan, "Win32:Sality-W", on my computer. I quarantined it in the virus chest and removed it from my system. I then did another scan with ClamWin and also Avast, and they both found nothing.
I then restarted my PC only to find that the same two processes mentioned above were once again trying to run.
I did a Google search on mssecure.exe and found that it is associated with Troj/Borobot-B, aka
* Backdoor.Win32.Robobot.w
* DDoS-Boxed
* BKDR_ROBOBOT.GEN
which apparently
"When first run, Troj/Borobot-B copies itself to <Windows>\mssecure.exe and creates a registry entry to run mssecure.exe on startup."
I then followed the instructions provided by Sophos:
"At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
.mssecure
"<Windows>\mssecure.exe"
and delete it if it exists."
The mssecure.exe entry wasn't where Sophos said it would be, but I found it eventually and deleted it.
Did another scan with both ClamWin and Avast, and both found nothing.
Things were fine for a couple of days until this morning when I started up and guess who was back?
C:\Documents and Settings\Karl\lat.exe
and
C:\WINDOWS\System32\mssecure.exe
I once again set the filters on Winpooch to reject all actions from these two, as I had changed the filters back to default.
That seems to have worked in the sense that they can't run, but the biggest problem is that I can't seem to find the registry entries they made. What concerns me even more is that neither ClamWin nor Avast has found anything on my C:\ despite repeated scans.
I looked for the mssecure.exe entry in my registry and can't find it. Has it not made the changes to the registry yet? I also had a hell of a time finding LAT.EXE, as it is not in C:\Documents and Settings\Karl\lat.exe. In fact, the only file that I eventually found that I think could be it is in C:\WINDOWS\Prefetch.
So now my questions are:
1.) Why is neither ClamWin nor Avast picking up anything? Is it because I stopped it from running and it is just sitting in the Prefetch folder? Or is there another reason?
2.) How in the hell do I keep on picking up the same bloody trojan? Is there some patch that I don't have, and it is repeatedly exploiting the same vulnerability?
and finally
3.) How do I get rid of it once and for all?
Should I just delete the LAT.EXE file from the Prefetch folder?
Any and all help will be greatly appreciated.
Karl
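An added example, not part of the thread: the Sophos steps quoted above have the user export the whole registry to Backup.reg before editing, and that export is enough to check every common autostart location offline instead of hunting through regedit for one key. The Python below parses the regedit 5.00 export format and reports any value under an autostart key whose data mentions a given executable name. Only the HKLM Run key is named on the page; the other keys in the list, and the sample export with its placement of mssecure.exe and lat.exe, are assumptions constructed for illustration and say nothing about where Borobot-B actually persists. One caveat on the Prefetch question raised in the post: a file like LAT.EXE-<hash>.pf under C:\WINDOWS\Prefetch is a trace Windows writes when a program runs, not the program itself, so deleting it removes evidence of execution rather than the malware.

```python
"""
Added example (not from the forum thread): search a regedit 5.00 export
for autostart values that reference a given executable name.

Assumptions: the key list below extends the single HKLM Run key named on
the page with other well-known autostart locations; the sample export is
constructed for this example and does not describe any real infection.
"""
import re

# Autostart locations to inspect. Only the first one is named in the thread
# (via the Sophos instructions); the rest are assumed additional locations.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)

# A value line: the default value (@) or a quoted name, '=', then the data
# (a quoted string, or dword:/hex: data kept as-is).
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape_reg_string(s):
    """Undo regedit's string escaping (doubled backslash, escaped quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse a regedit 5.00 export into {key_path: {value_name: data}}.
    REG_SZ data is unescaped; dword:/hex: data is kept as the raw
    right-hand side and the indented continuation lines of multi-line
    hex values are ignored."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # continuation line of a hex: value
        name = "" if m.group(1) == "@" else unescape_reg_string(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape_reg_string(data[1:-1])
        keys[current][name] = data
    return keys


def load_reg_export(path):
    """Read a .reg file as regedit writes it (UTF-16 LE with BOM)."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


def find_autostart_references(keys, needles):
    """Return [(key, value_name, data)] for every value under an autostart
    key whose data mentions one of the executable names (case-insensitive)."""
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    lowered = [n.lower() for n in needles]
    hits = []
    for key, values in keys.items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            if any(n in data.lower() for n in lowered):
                hits.append((key, name, data))
    return hits


# Constructed sample export. Where the two names sit here is for
# illustration only; the page only says mssecure.exe had a Run entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mssecure"="C:\\WINDOWS\\system32\\mssecure.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\Karl\\lat.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Some Vendor\App]
"InstallPath"="C:\\Program Files\\lat.exe"
'''

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_EXPORT)
    for key, name, data in find_autostart_references(keys, ["mssecure.exe", "lat.exe"]):
        print(f"{key}\n    {name!r} = {data}")
```

Against a real export, call load_reg_export(r"C:\Backup.reg") (it opens the file as UTF-16, which is how regedit writes it) and pass every name Winpooch flags in the needles list. The last key in the sample mentions lat.exe but is not an autostart location, so it is deliberately not reported; that is the point of restricting the search to the key list rather than grepping the whole file.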
Problem solved... I hope...
Karl_v_B
Joined: 15 Jul 2006
Posts: 0
Posted: Sun Jul 16, 2006 12:02 pm
I installed a program from a UK company called PREVX last night, and it found what I hope was the last of the malware.
https://www.prevx.com/
I am a little concerned, though, that ClamWin and Avast missed some of these programs.
Any insights into why this may have happened?
Thanks
K
Help From The Also Clueless
GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Jul 16, 2006 5:56 pm
I understand that Prevx is one of those behavior blockers that doesn't depend upon a virus database. It sounds like you had a "persistent" virus, and perhaps there was a double payload. Check the databases for ClamWin and Avast to see if those viruses are in their databases. If they aren't, contact them both after a day or so and inform them.
Continue to scan with Avast and ClamWin. I also suggest that you do a free online scan with a couple of other commercial antivirus vendors, say Kaspersky and F-Secure. If nothing shows up, then you've probably gotten rid of it. Also make sure you have all Microsoft "patches" for your operating system.
ClamWin only uses a virus database to check for viruses, but I think that after it's been around in a real-time version for a while, they will add some other techniques for checking as well.
Regards,
Powered by phpBB © phpBB Group. Content © ClamWin Free Antivirus.