PoeBot.explorer

fabricater

MS AntiSpyware detects it, stops it from installing. The
problem is that I keep losing my ntldr file upon boot.
When I explore my c/root and try to open autoexec.bat,
PoeBot is detected as trying to install. A web search for
PoeBot.explorer returns 5 hits, all for one company. Tire
co. throwing nails in the road? How do I rectify this and/or
remove this trojan? MS AntiSpyware has no info.
Hopefully, thanks ahead of time (e-mail address removed)
 
Steve Wechsler [MVP]

fabricater said:
MS AntiSpyware detects it, stops it from installing. The
problem is that I keep losing my ntldr file upon boot.
When I explore my c/root and try to open autoexec.bat,
PoeBot is detected as trying to install. A web search for
PoeBot.explorer returns 5 hits, all for one company. Tire
co. throwing nails in the road? How do I rectify this and/or
remove this trojan? MS AntiSpyware has no info.
Hopefully, thanks ahead of time (e-mail address removed)

http://www.sophos.com/virusinfo/analyses/w32poebotk.html
Click the Recovery tab:

"In Windows NT/2000/XP/2003 you will also need to edit the following
registry entry. The removal of this entry is optional in Windows
95/98/Me. Please read the warning about editing the registry.
http://www.sophos.com/support/knowledgebase/article/388.html
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The
registry editor opens.

Before you edit the registry, you should make a backup. On the
'Registry' menu, click 'Export Registry File'. In the 'Export range'
panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Winamp Agent
<Windows system folder>\winamp.exe

and delete it if it exists.

Close the registry editor."

See if you can determine if the worm is running as a process via Task
Manager. End Process first if possible, then do the reg edit.

Does MSAS identify the infecting file?

Steve Wechsler (akaMowGreen)
MS-MVP 2004-2005

............. In memory of our dear friend, MVP Alex Nichol .............
........................ 1935-2005 ............................
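
The order given in the reply above (back up, end the process, then delete the Run value), as an added PowerShell example that is not part of the original post or the Sophos page. It assumes an elevated prompt, that `<Windows system folder>` means the directory returned by `[Environment]::SystemDirectory`, and a backup location chosen here for illustration:

```powershell
# Added example, not from the thread. The value name and file name come from
# the Sophos text quoted above; the backup path is an assumption.
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Winamp Agent'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup    = Join-Path $env:TEMP "Run-backup-$stamp.reg"   # assumed location

# 1. Back up the Run key before changing anything.
reg.exe export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' $backup | Out-Null
Write-Output "Run key exported to $backup"

# 2. Look for the autostart value named in the advisory.
$entry = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if (-not $entry) {
    Write-Output "No '$valueName' value under the Run key; nothing to remove."
    return
}
$target = [Environment]::ExpandEnvironmentVariables($entry.$valueName).Trim('"')
Write-Output "Found '$valueName' -> $target"

# 3. Act only if it points at winamp.exe in the Windows system folder.
#    A real Winamp install lives elsewhere and should be left alone.
$expected = Join-Path ([Environment]::SystemDirectory) 'winamp.exe'
if ($target -ne $expected) {
    Write-Output "Value does not point at $expected; leaving it for manual review."
    return
}

# 4. End the process first, matching on full path rather than name alone.
Get-Process -Name 'winamp' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -eq $expected } |
    Stop-Process -Force

# 5. Delete the Run value so the file is not started at the next logon.
Remove-ItemProperty -Path $runKey -Name $valueName
Write-Output "Removed '$valueName' from the Run key."
```

If the value is absent, as the later replies in this thread report, the script stops after step 2 and changes nothing.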
 
Michael

I have the same trouble but I don't have the winamp in my
registry, or on my PC for that matter. I still can't get
rid of the warning. I now have four poebots in my
quarantine folder. Any help? Michael
 
Paul

I have the same problem. I have three computers and I am
able to replicate the problem exactly on all three.

It occurs when I right click on start and browse to the
startup folder. It seems to happen when I reach the
Programs folder. If I clean it then I get
the "Mediatickets CDT" spyware on scan. If I don't
remove "poebot" I get nothing on scan. I cannot detect
any damage caused by this problem. My antivirus program
did not detect anything.
 
Guest

Only one of the three PCs has IE-SPYAD 2. I added a
fourth PC and was able to get the same thing to happen on
it. All four PCs use Windows XP SP2. Two of the four
PCs have the MVPS hosts file with the SBotS&D hosts file. None
of the PCs has the regular IE-SPYAD.
 
Bill Sanderson

Thanks - I don't understand what is going on here. IE-SPYAD2 appears to
cause a false positive for MediaTicketsCDT.

The PoeBot.Explorer detection seems to be triggered by an empty .bat file.
You can demonstrate this by right-clicking the desktop, choosing New, Text
file, renaming the created empty file test.bat, and then double-clicking
on it.

Autoexec.bat is often such an empty batch file on an XP system--but I
haven't been able to demonstrate this detection with scans, only via the
real-time protection.

So my sense of what you are seeing is that both detections are false
positives of some sort. When MediaTickets is detected--what are the details
of the findings? How many items, and what sort of item--can you post an
example?
 
