RBot Worm removal

David K

Microsoft Antispyware always finds RBot Worm; I select the remove option but
it is found again the next time Antispyware is run. I am using XP with Service
Pack 2 and all updates have been automatically installed. Various MS
security bulletins advise of downloads to fix the problem, but as I am
supposedly up to date in protection they will not run for me. What can I try
next?
David
 
David H. Lipman

From: "David K" <[email protected]>

| Microsoft Antispyware always finds RBot Worm; I select the remove option but
| it is found again the next time Antispyware is run. I am using XP with Service
| Pack 2 and all updates have been automatically installed. Various MS
| security bulletins advise of downloads to fix the problem, but as I am
| supposedly up to date in protection they will not run for me. What can I try
| next?
| David
|

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla Firefox cache { if you use Firefox }
Tools --> Options --> Privacy --> Cache --> Clear

Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. If you are using Windows XP, you may have to disable the Windows XP Firewall to
allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, Firefox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

* * * Please report back your results * * *
 
David K

Thank you, I will do that, but why did Norton 2005 not find this worm and
deal with it?
David.
 
David H. Lipman

From: "David K" <[email protected]>

| Thank you, I will do that, but why did Norton 2005 not find this worm and
| deal with it?
| David.

Don't know. It could be a False Positive. MS Anti Spyware is not an AV package. The term
RBot is extremely generic and maybe Symantec doesn't have a signature for what was found.

Is there a particular file that was flagged to have this RBot detection?
 
David K

David H. Lipman said:
| Is there a particular file that was flagged to have this RBot detection?
The reference is to:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run system
uptime sysentry.exe
David.
 
David H. Lipman

From: "David K" <[email protected]>


| The reference is to:
| HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run system
| uptime sysentry.exe
| David.
|

A little research indicated McAfee "may" call this "W32/Sdbot.worm.gen.x",
and McAfee DAT v4494 and above should handle it, with today's DAT being v4496.

The instructions I previously provided you should remove this SDbot variant.

To be sure, you can submit "sysentry.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendors' scanners.

Please post back the EXACT results.

 
David K

When double clicking 'getfiles link' from within Windows, the error message
"Failed to find open script" comes up.
David
 
David H. Lipman

From: "David K" <[email protected]>

| When double clicking 'getfiles link' from within Windows, the error message
| "Failed to find open script" comes up.
| David

When you execute CLEAN.EXE ( the self-extracting ZIP file ) you must go with the default of
c:\mcafee. The scripts and processes are hard-coded for that folder, c:\mcafee.

Execute CLEAN.EXE again and make sure the files extract to c:\mcafee.
 
Peter Seiler

David K - 21.05.2005 01:03 :
When double clicking 'getfiles link' from within Windows, the error message
"Failed to find open script" comes up.
David

please do NOT always unnecessarily quote ~130 lines (in this
case) only to say a few words. THX for your kind understanding.
 
David K

David H. Lipman said:
| Execute CLEAN.EXE again and make sure the files extract to c:\mcafee
Still the same error message. I have two HDs and the problem is on the
second one, Drive D, so that is where I have put the mcafee directory. I also
tried the Trend Micro free online scanner. It found Worm_rbot.lk and said that
it had deleted it, but it was still there on a repeated scan and again when
using MS Antispyware.
David.
 
David H. Lipman

From: "David K" <[email protected]>


| Still the same error message. I have two HDs and the problem is on the
| second one, Drive D, so that is where I have put the mcafee directory. I also
| tried the Trend Micro free online scanner. It found Worm_rbot.lk and said that
| it had deleted it, but it was still there on a repeated scan and again when
| using MS Antispyware.
| David.
|

Like I said, it is hard-coded for C:\mcafee and will work nowhere else!

The utility will scan all fixed hard disks, so if it is installed in c:\mcafee it will scan
"C:", "D:", etc. Just not removable media (yet).
 
David K

David H. Lipman said:
| Like I said, it is hard coded for C:\mcafee and will work nowhere else!
O.K. I ran it from C in Safe Mode and from within Windows; it found a few
bits unconnected with this problem. I ran it another four times and it found
nothing else. Antispyware and the free Trend scan still find the worm and
say that it will be deleted, but it is not.
On the Trend site I found advice on deleting sysentry.exe (see below) and
tried the registry deletions apart from the final one, which did not show.
That has not cured the problem either, as the entries returned.
David.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from
executing at startup.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
   System Uptime Server = "<dropped_file>"
4. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry:
   System Uptime Server = "<dropped_file>"
6. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>OLE
7. In the right panel, locate and delete the entry:
   System Uptime Server = "<dropped_file>"
8. Close Registry Editor.
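The Trend Micro registry steps above, together with the earlier suggestion to submit sysentry.exe to VirusTotal, as one added PowerShell example. This is not code from the thread, Trend Micro or McAfee; it assumes PowerShell 5.1 or later on an elevated prompt, which the 2005 XP machine in the thread would not have had. The value name "System Uptime Server", the file name sysentry.exe and the three registry keys come from the posts; the per-user Run key, the function names, and the ".vir" rename used as a quarantine are assumptions of mine. The order is the point for the symptom reported in the thread (the entries come back): the running process is stopped before the file is renamed and the value deleted, and the script re-checks a few seconds later so a surviving loader shows up as a warning rather than a silent re-infection.

```powershell
# Added example (not code from the thread, Trend Micro or McAfee). Assumes
# PowerShell 5.1+ on an elevated prompt. Value name and file name come from
# the thread and are parameters so they can be changed for another variant.

# Autostart locations from the Trend write-up quoted above, plus the per-user
# Run key, which is an assumption (the write-up does not list it).
$AutostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\OLE'
)

function Resolve-DroppedFile {
    # Turn Run-value data into a file path: take the quoted or first token,
    # expand %VARS%, and fall back to the Windows and System32 folders when
    # the value holds only a bare file name (Windows searches those for it).
    param([string]$Data, [string]$FileName)
    $first = $Data -replace '^\s*"([^"]+)".*$', '$1'
    if ($first -eq $Data) { $first = ($Data -split '\s+')[0] }
    $candidates = @([Environment]::ExpandEnvironmentVariables($first),
                    (Join-Path $env:SystemRoot $FileName),
                    (Join-Path $env:SystemRoot "System32\$FileName"))
    foreach ($p in $candidates) {
        if ($p -and (Test-Path -LiteralPath $p -PathType Leaf)) { return $p }
    }
    return $null
}

function Find-AutostartEntry {
    # Every value under $AutostartKeys whose name is $ValueName or whose data
    # mentions $FileName. Returns objects with Key, Name, Data and Path.
    param([string]$FileName = 'sysentry.exe',
          [string]$ValueName = 'System Uptime Server')
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($name -ieq $ValueName -or $data -imatch [regex]::Escape($FileName)) {
                [pscustomobject]@{
                    Key  = $key; Name = $name; Data = $data
                    Path = Resolve-DroppedFile -Data $data -FileName $FileName
                }
            }
        }
    }
}

function Remove-AutostartEntry {
    # Stop the running copy first (a live bot re-creates the value), quarantine
    # the file by renaming it, delete the value, then re-check after a pause.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$FileName = 'sysentry.exe')
    $hits = @(Find-AutostartEntry -FileName $FileName)
    if ($hits.Count -eq 0) { Write-Host "No matching autostart entries."; return }

    foreach ($h in $hits) {
        Write-Host "Autostart: $($h.Key)\$($h.Name) = $($h.Data)"
        if ($h.Path) {   # hash before touching it, for a VirusTotal lookup
            $sha = (Get-FileHash -LiteralPath $h.Path -Algorithm SHA256).Hash
            Write-Host "  file: $($h.Path)  SHA256: $sha"
        }
    }

    $procName = [IO.Path]::GetFileNameWithoutExtension($FileName)
    foreach ($p in @(Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.Id))", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    foreach ($h in $hits) {
        if ($h.Path -and (Test-Path -LiteralPath $h.Path) -and
            $PSCmdlet.ShouldProcess($h.Path, 'Rename to .vir')) {
            Move-Item -LiteralPath $h.Path -Destination "$($h.Path).vir" -Force
        }
        if ($PSCmdlet.ShouldProcess("$($h.Key)\$($h.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -LiteralPath $h.Key -Name $h.Name -Force
        }
    }

    # A service launching the same file would survive everything above.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -imatch [regex]::Escape($FileName) } |
        ForEach-Object { Write-Warning "Service '$($_.Name)' also runs $($_.PathName)" }

    Start-Sleep -Seconds 5
    if (@(Find-AutostartEntry -FileName $FileName).Count -gt 0) {
        Write-Warning "Entry re-created: another loader is still alive; rescan from Safe Mode."
    }
}

# Usage:  Find-AutostartEntry            # list only
#         Remove-AutostartEntry -WhatIf  # preview every action
#         Remove-AutostartEntry          # do it
```

Run Find-AutostartEntry first to see what would be touched, then Remove-AutostartEntry -WhatIf; the SHA-256 printed for the file is what to look up on VirusTotal before the file is renamed. If the closing warning fires, the value was written back by something the script did not stop, which is the case for the Safe Mode scan the thread recommends.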
 
David H. Lipman

From: "David K" <[email protected]>


| O.K. I ran it from C in Safe Mode and from within Windows; it found a few
| bits unconnected with this problem. I ran it another four times and it found
| nothing else. Antispyware and the free Trend scan still find the worm and
| say that it will be deleted, but it is not.
| On the Trend site I found advice on deleting sysentry.exe (see below) and
| tried the registry deletions apart from the final one, which did not show.
| That has not cured the problem either, as the entries returned.
| David.

David:

If you ran the McAfee scan in Safe Mode it wouldn't be running and it should have been
removed.

Let's try Trend Micro Sysclean. It'll run locally instead of through a web page and it will
create the log file SYSCLEAN.LOG.

Follow the below instructions and after you run Sysclean in Safe Mode, copy and paste the
contents of the SYSCLEAN.LOG file in your reply to this post.

1) Download the TrendMicro Sysclean Front End

Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe

2) Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close

Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
When you get to the menu choose [1] so you can boot into Safe Mode.

3) Reboot your PC into Safe Mode and shutdown as many applications as possible.

4) Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.

5) Copy and paste the contents of the SYSCLEAN.LOG file in your reply to this post.
 
David K

I get an error message when double clicking sysclean_fe.exe: "Trend pattern
file was not found. Computer shutting down to allow Sysclean.fe to obtain
the pattern file."
David.
 
David H. Lipman

From: "David K" <[email protected]>

|
| I get an error message when double clicking sysclean_fe.exe: "Trend pattern
| file was not found. Computer shutting down to allow Sysclean.fe to obtain
| the pattern file."
| David.
|

Just like the other utility, this is hard coded to use c:\sysclean only.
 
David K

David H. Lipman said:
| Just like the other utility, this is hard coded to use c:\sysclean only.
I put it there.
David
 
David H. Lipman

From: "David K" <[email protected]>


| I put it there.
| David
|

You ran SYSCLEAN_FE.EXE. It extracted to c:\sysclean.

You then ran; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }

At that point it should download SYSCLEAN.COM and the Pattern File.

What happens?

If there are error messages, post the EXACT error messages and what happens when you run;
c:\sysclean\SYSCLEAN_FE.BAT
 
David K

David H. Lipman said:
| If error messages, post the EXACT error messages and what happens when you run;
| c:\sysclean\SYSCLEAN_FE.BAT
As I said, a box with the error message:

"Trend pattern file was not found. Computer shutting down to allow Sysclean.fe to
obtain the pattern file."
The computer then reboots back to Windows.
David.
 
 
