Windows XP "RBOT" virus infection


Guest

I seem to have a problem with what I believe to be an "RBOT" infection on my
Windows x64 Professional Edition as mentioned in the article below:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39437

The reason is that in msconfig and HijackThis, I had the following item
starting up: adobereaderpro = directx.exe

This was similar to the startup items listed here:
http://www.sysinfo.org/startuplist.php?filter=adobereaderpro

The only difference is that I can't seem to find any mention of
adobereaderpro and directx.exe on the Internet anywhere. I am assuming
though, it is a variant of the same trojan virus.


In any case, my system was doing fine, until I installed the latest updates
on February 14th. Since then, my Internet slowed to a crawl. My Event
Viewer showed repeated errors of "Event ID 4226" which stated that all my
TCP/IP connections were used up. I tried using the EventID patcher, to edit
tcpip.sys and increase the number of connections from 10 to 100, but even
then the error continued. Only when I increased the number of connections to
1000 did my internet connection return to normal and the EventID 4226 no
longer occur.

So basically, I believe this trojan is using my TCP connections (as
mentioned in the initial link) and I can't seem to get rid of it. I cannot
find any directx.exe file on my hard drive, and even after I delete all the
registry keys involving adobereaderpro, the problem persists. I ran SpyBot
v1.4 and Windows Defender, both turned up nothing. I am running Trend Micro
HouseCall 6.5 and eTrust AntiVirus Web scanners at the moment.

But I was just wondering if anyone has any idea on how to fix this problem.

BTW, I've also noticed that either the Windows Updates or the Trojan has
edited my Windows Firewall settings such that they are controlled by a group
policy (i.e. I can't change the settings because they are greyed out). I
also think it is closing some of my services periodically for no reason (like
Windows Firewall/Internet Connection Sharing).

Any advice would be much appreciated.
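Event ID 4226 is logged when more than ten outbound TCP connection attempts are pending (SYN_SENT) at the same time; that limit was added in XP SP2 as a throttle against scanning worms, so raising it with a patched tcpip.sys removes the throttle and hides the symptom rather than the cause. The script below is an added triage example, not code from the thread or from any AV vendor: it lists autorun entries and auto-start services with their resolved image, existence and Authenticode status, and attributes SYN_SENT connections to processes. It assumes Windows PowerShell 2.0 or later, netstat.exe on the PATH and an elevated prompt; the only identifiers taken from the thread are "adobereaderpro" = directx.exe and msrundll32.exe.

```powershell
# Added triage example; not code from the thread or from any AV vendor.
# Assumes Windows PowerShell 2.0 or later, netstat.exe on the PATH and an
# elevated prompt. The only identifiers taken from the thread are the autorun
# pair "adobereaderpro" = directx.exe and the service image msrundll32.exe.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # On x64 Windows, writes by 32-bit code are redirected to Wow6432Node; a
    # 32-bit tool such as HijackThis sees that view as the plain ...\Run key.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-ImagePath {
    param([string]$Command)
    # Executable part of '"C:\p q\app.exe" /arg' or 'C:\path\app.exe /arg'.
    # (Unquoted paths containing spaces are truncated at the first space.)
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    if ($exe -eq '' -or [System.IO.Path]::IsPathRooted($exe)) { return $exe }
    # A bare name like directx.exe is found through the PATH search order, so the
    # Run value alone does not say which directory the binary actually lives in.
    $cmd = Get-Command $exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Path } else { return $exe }
}

function Test-ValidSignature([string]$Path) {
    # Heuristic only: XP-era Microsoft binaries are catalog-signed and report
    # NotSigned here, so $false means "look closer", not "malicious".
    ($Path -ne '') -and (Test-Path -LiteralPath $Path -PathType Leaf) -and
        ((Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid')
}

function Get-AutorunReport {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $image = Resolve-ImagePath $prop.Value
            $base  = [System.IO.Path]::GetFileNameWithoutExtension($image)
            New-Object PSObject -Property @{
                Key          = $key
                Name         = $prop.Name
                Image        = $image
                Exists       = ($image -ne '') -and (Test-Path -LiteralPath $image -PathType Leaf)
                Signed       = Test-ValidSignature $image
                # "adobereaderpro" launching directx.exe is this pattern; some
                # legitimate entries trip it too, so it ranks, not decides.
                NameMismatch = ($base -ne '') -and ($prop.Name -notmatch [regex]::Escape($base))
            }
        }
    }
}

function Get-ServiceReport {
    # Auto-start services whose image is missing or not validly signed; the
    # poster's msrundll32.exe was installed as exactly such a service.
    Get-WmiObject Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        $image = Resolve-ImagePath $_.PathName
        if (-not (Test-ValidSignature $image)) {
            New-Object PSObject -Property @{
                Service = $_.Name; Display = $_.DisplayName; Image = $image; State = $_.State
            }
        }
    }
}

function Get-HalfOpenByProcess {
    # Event ID 4226 is logged when more than ten outbound connection attempts are
    # pending (SYN_SENT) at once. A bot spraying connections shows up here as a
    # single PID holding most of them, which a bumped tcpip.sys limit only hides.
    netstat -ano |
        Where-Object { $_ -match '^\s*TCP\s' } |
        ForEach-Object {
            $f = $_.Trim() -split '\s+'
            New-Object PSObject -Property @{ Remote = $f[2]; State = $f[3]; ProcessId = $f[4] }
        } |
        Where-Object { $_.State -eq 'SYN_SENT' } |
        Group-Object ProcessId | Sort-Object Count -Descending |
        ForEach-Object {
            $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '(exited)' }
            New-Object PSObject -Property @{
                ProcessId = $_.Name
                Process   = $name
                HalfOpen  = $_.Count
                Targets   = ($_.Group | ForEach-Object { $_.Remote }) -join ' '
            }
        }
}

Get-AutorunReport     | Format-Table Name, Image, Exists, Signed, NameMismatch -AutoSize
Get-ServiceReport     | Format-Table Service, Display, Image, State -AutoSize
Get-HalfOpenByProcess | Format-Table ProcessId, Process, HalfOpen, Targets -AutoSize
```

Run it while the slowdown is happening: the third table names the process holding the SYN_SENT entries, which is what to kill and then trace back through the first two tables. Treat Signed=False as a prompt to check the file's origin, not as a verdict, since most XP system files report NotSigned to Get-AuthenticodeSignature.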
 

David H. Lipman

From: "Salahuddin" <[email protected]>

| I seem to have a problem with what I believe to be an "RBOT" infection on my
| Windows x64 Professional Edition as mentioned in the article below:
|
| http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39437
|
| The reason is that in msconfig and HijackThis, I had the following item
| starting up: adobereaderpro = directx.exe
|
| This was similar to the startup items listed here:
| http://www.sysinfo.org/startuplist.php?filter=adobereaderpro
|
| The only difference is that I can't seem to find any mention of
| adobereaderpro and directx.exe on the Internet anywhere. I am assuming
| though, it is a variant of the same trojan virus.
|
| In any case, my system was doing fine, until I installed the latest updates
| on February 14th. Since then, my Internet slowed to a crawl. My Event
| Viewer showed repeated errors of "Event ID 4226" which stated that all my
| TCP/IP connections were used up. I tried using the EventID patcher, to edit
| tcpip.sys and increase the number of connections from 10 to 100, but even
| then the error continued. Only when I increased the number of connections to
| 1000 did my internet connection return to normal and the EventID 4226 no
| longer occur.
|
| So basically, I believe this trojan is using my TCP connections (as
| mentioned in the initial link) and I can't seem to get rid of it. I cannot
| find any directx.exe file on my hard drive, and even after I delete all the
| registry keys involving adobereaderpro, the problem persists. I ran SpyBot
| v1.4 and Windows Defender, both turned up nothing. I am running Trend Micro
| HouseCall 6.5 and eTrust AntiVirus Web scanners at the moment.
|
| But I was just wondering if anyone has any idea on how to fix this problem.
|
| BTW, I've also noticed that either the Windows Updates or the Trojan has
| edited my Windows Firewall settings such that they are controlled by a group
| policy (i.e. I can't change the settings because they are greyed out). I
| also think it is closing some of my services periodically for no reason (like
| Windows Firewall/Internet Connection Sharing).
|
| Any advice would be much appreciated.

There are anti-virus newsgroups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

Since you indicated you already have a Trend Micro AV solution installed, use the McAfee,
Sophos and/or Kaspersky modules in the below tool.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 

Guest

Thanks a lot. I didn't know about the virus-specific newsgroups... my
apologies. Your suggestions were much appreciated. I'll be sure to check
them out.
 

Guest

I ran that program you mentioned, Multi_AV.exe. Apparently it doesn't work
with Windows x64.

I found some program running called msrundll32.exe. Apparently it's a
virus of some sort. So I deleted it and tried deleting any registry keys
associated with it. Going to see if that works.
 

Guest

Well, I think I fixed the main problem. Apparently msrundll32.exe was
somehow installed as a service that would load up automatically as windows
started. This would tie up my TCP ports and close my Windows Firewall... and
perhaps other things I'm not sure of yet.

I ended the process in task manager, deleted all the registry keys
associated with adobereaderpro, msrundll32.exe and directx.exe. That seems
to have given me my internet connection back. I reset my tcpip.sys back to
10 maximum connections and everything is running smoothly.

I still have the problem of my Windows Firewall being controlled by a group
policy... but I imagine that will be easy to fix once I search around.
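The greyed-out firewall settings ("some settings are controlled by Group Policy") appear whenever the XP SP2 firewall finds policy values under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall. A machine that is not joined to a domain receives no firewall policy from a domain controller, so any values there were written locally, by an administrator through gpedit.msc or by software running as administrator. The script below is an added example, not code from the thread: it lists those policy values, shows the state of the SharedAccess service (Windows Firewall/Internet Connection Sharing), and, only when told to, removes the override and turns the firewall back on. It assumes Windows PowerShell 2.0 or later, run elevated on a standalone XP SP2 or XP x64 machine.

```powershell
# Added example; not code from the thread. Assumes Windows PowerShell 2.0 or
# later, run elevated on a standalone (non-domain) XP SP2 / XP x64 machine.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-FirewallPolicyOverrides {
    # Every value under the policy root and its DomainProfile/StandardProfile
    # subkeys. On a workgroup machine, EnableFirewall = 0 under StandardProfile
    # is what switches the firewall off and greys out the Control Panel UI.
    if (-not (Test-Path $policyRoot)) { return }
    $keys = @(Get-Item $policyRoot) + @(Get-ChildItem $policyRoot -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            New-Object PSObject -Property @{
                Key   = $k.Name
                Value = $name
                Data  = $k.GetValue($name)
            }
        }
    }
}

function Get-FirewallServiceState {
    # SharedAccess is "Windows Firewall/Internet Connection Sharing (ICS)". It
    # should be StartMode Auto and State Running; the poster saw it being stopped.
    Get-WmiObject Win32_Service -Filter "Name='SharedAccess'" |
        Select-Object Name, DisplayName, StartMode, State
}

function Restore-LocalFirewallControl {
    param([switch]$Apply)
    # Removes the policy override so the Control Panel settings apply again,
    # then makes sure the service runs and the firewall is on. Dry run by
    # default; pass -Apply after the persistence mechanism has been removed,
    # otherwise the bot simply writes the values back on the next start.
    if (-not $Apply) {
        Write-Host "Would delete $policyRoot, set SharedAccess to Automatic and start it."
        return
    }
    if (Test-Path $policyRoot) { Remove-Item -Path $policyRoot -Recurse -Force }
    Set-Service -Name SharedAccess -StartupType Automatic
    Start-Service -Name SharedAccess
    netsh firewall set opmode mode=ENABLE   # XP SP2 syntax; Vista+ uses 'netsh advfirewall'
}

Get-FirewallPolicyOverrides | Format-Table Key, Value, Data -AutoSize
Get-FirewallServiceState    | Format-Table -AutoSize
Restore-LocalFirewallControl            # add -Apply once the values are confirmed unwanted
```

Deleting the policy root also discards any firewall policy an administrator set locally with gpedit.msc, since that tool writes to the same key; on a home machine that was never configured that way, everything listed by the first function is an override to remove.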
 

David H. Lipman

From: "Salahuddin" <[email protected]>

| I ran that program you mentioned, Multi_AV.exe. Apparently it doesn't work
| with Windows x64.
|
| I found some program running called msrundll32.exe. Apparently it's a
| virus of some sort. So I deleted it and tried deleting any registry keys
| associated with it. Going to see if that works.

There is more than one infector using that name:
http://www.sophos.com/virusinfo/analyses/w32lilea.html
http://www.sophos.com/virusinfo/analyses/w32vbsp.html

How come you couldn't mention you were using WinXP/64 in the first place! Do you think
that is an important fact?

The Multi AV Scanning Tool has NOT been tested on WinXP/64. I am curious as to where it
failed.

Please examine the registry key...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

What is "CurrentVersion" equal to ?

Could you please include any other information about what happened and where the MULTI AV
tool failed when you ran it.
 

Robert Moir

David said:
How come you couldn't mention you were using WinXP/64 in the first
place ! Do you think that is an important fact ?

To be fair David, he did. Check 2nd line of original post.
 

David H. Lipman

From: "Robert Moir" <[email protected]>

| David H. Lipman wrote:
||
| To be fair David, he did. Check 2nd line of original post.
|

D'oh!

You have me there Robert. Thanx for the correction.

My Apologies Salahuddin.

BTW: Since I have 'ya here... Your picture in the a.c.v gallery on Laura's web site no
longer works. I just thought I'd mention it. I was there recently to see if the site was
updated for Norman DeForest. Norman is now in an "in memoriam" section. RIP Norman!
 
