I did an online scan using TrendMicro. It found "worm_rbot.ffx" in the
system32 folder. I let it clean. I have not rebooted yet. I googled and
most entries say svhost.exe is a bogus file with a worm in it. Some posts
said it was a valid process that causes problems after an MS update. I'm
confused.

I found the file svhost.exe and checked properties -- no version or
manufacturer. Its creation date was 2/15/2006 and modification date was
8/10/2004. My computer software was first loaded on 2/15/2006.

I use MCE 2005 / XP SP2 with updates.


Questions:
1. Is it a worm or a valid MS component?
2. Am I safe to reboot?
3. What other security measures should I take?

Thank you for your assistance.

--

*rain*drops*
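The properties check described in the post above (an executable in system32 whose name is one letter away from the real svchost.exe and whose Version tab is empty) can be written down as a small triage script. This is an added example, not code from the thread or from any of the tools mentioned in it; the list of legitimate binary names and the sample inventory are constructed for illustration, and on a live machine the records would be filled in from Explorer's Version tab or a file-version query.

```python
from dataclasses import dataclass
from typing import List, Optional

# Legitimate Windows binaries that malware commonly imitates by dropping or
# swapping a letter. Assumption: a short illustrative list, not a catalogue.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "explorer.exe", "services.exe", "smss.exe", "spoolsv.exe",
}


@dataclass
class FileRecord:
    name: str                 # file name as shown in Explorer
    directory: str            # folder the file sits in
    company: Optional[str]    # "Company" field of the Version tab, None if absent
    version: Optional[str]    # "File version" field, None if absent


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute ca -> cb
        prev = cur
    return prev[-1]


def lookalike_of(name: str, max_distance: int = 2) -> Optional[str]:
    """Return the legitimate name this file name imitates, or None when the
    name is an exact match or not close to any known binary."""
    lower = name.lower()
    if lower in KNOWN_SYSTEM_BINARIES:
        return None
    best = None
    for legit in KNOWN_SYSTEM_BINARIES:
        d = edit_distance(lower, legit)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, legit)
    return best[1] if best else None


def assess(record: FileRecord) -> List[str]:
    """Reasons the file deserves a closer look; an empty list means none found."""
    reasons = []
    legit = lookalike_of(record.name)
    if legit:
        reasons.append(f"name resembles system binary {legit}")
    if record.company is None and record.version is None:
        reasons.append("no company or version information in file properties")
    if reasons and record.directory.lower().endswith("system32"):
        reasons.append("sits in system32 among the genuine binaries it imitates")
    return reasons


def suspicious_files(inventory: List[FileRecord]) -> dict:
    """Map each flagged file name to its list of reasons."""
    return {rec.name: assess(rec) for rec in inventory if assess(rec)}


# Constructed sample inventory (not real scan output): the svhost.exe case from
# the thread next to the genuine svchost.exe. Version strings are placeholders.
SAMPLE_INVENTORY = [
    FileRecord("svchost.exe", r"C:\WINDOWS\system32", "Microsoft Corporation", "5.1.2600.0"),
    FileRecord("svhost.exe", r"C:\WINDOWS\system32", None, None),
    FileRecord("notepad.exe", r"C:\WINDOWS\system32", "Microsoft Corporation", "5.1.2600.0"),
]

if __name__ == "__main__":
    for name, reasons in suspicious_files(SAMPLE_INVENTORY).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Running it flags only svhost.exe, with all three reasons. One caveat on the dates the post mentions: on NTFS a copied file keeps the source's last-modified time but gets a new creation time, so "modified before created" is normal for anything an installer dropped and is not evidence on its own; the empty Version tab and the near-miss name are the stronger signals, and a scan by a current AV engine is still what decides it.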

Re: Infected w-svhost / worm_rbot.ffx by David

David
Wed May 16 15:29:17 CDT 2007

From: "*rain*drops*" <rain@oregon.net>

| I did an online scan using TrendMicro. It found "worm_rbot.ffx" in the
| system32 folder. I let it clean. I have not rebooted yet. I googled and
| most entries say svhost.exe is a bogus file with a worm in it. Some posts
| said it was a valid process that causes problems after an MS update. I'm
| confused.
|
| I found the file svhost.exe and checked properties -- no version or
| manufacturer. Its creation date was 2/15/2006 and modification date was
| 8/10/2004. My computer software was first loaded on 2/15/2006.
|
| I use MCE 2005 / XP SP2 with updates.
|
| Questions:
| 1. Is it a worm or a valid MS component?
| 2. Am I safe to reboot?
| 3. What other security measures should I take?
|
| Thank you for your assistance.
|

Reboot, "svhost.exe" is NOT valid.

Check to make sure ALL vulnerabilities have been mitigated...
http://secunia.com/software_inspector


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Infected w-svhost / worm_rbot.ffx by PA

PA
Wed May 16 16:10:51 CDT 2007

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin; DTS-L.org

*rain*drops* wrote:
> I did an online scan using TrendMicro. It found "worm_rbot.ffx" in the
> system32 folder. I let it clean. I have not rebooted yet. I googled and
> most entries say svhost.exe is a bogus file with a worm in it. Some posts
> said it was a valid process that causes problems after an MS update. I'm
> confused.
>
> I found the file svhost.exe and checked properties -- no version or
> manufacturer. Its creation date was 2/15/2006 and modification date was
> 8/10/2004. My computer software was first loaded on 2/15/2006.
>
> I use MCE 2005 / XP SP2 with updates.
>
>
> Questions:
> 1. Is it a worm or a valid MS component?
> 2. Am I safe to reboot?
> 3. What other security measures should I take?
>
> Thank you for your assistance.


Re: Infected w-svhost / worm_rbot.ffx by *rain*drops*

*rain*drops*
Wed May 16 20:54:04 CDT 2007

Thanks David & Bear,

David -- I got the virus-checking batch files and DLed and ran the virus
checkers. I ran them in NORMAL mode because I could not boot into safe
mode.

Sophos: all clean
Trend: found and cleaned WORM_RBOT.FFX
Kaspersky: ran all the way; all clean; no logfile found

Rebooted. The file svhost.exe is no longer on my system.

Could not run http://secunia.com/software_inspector because the program
would not load. I got the java applet okay, but nothing showed up on the
page; it just sat there. I haven't applied any updates to Windows or MS
files since January. I use Adobe Acrobat 5. I also use Thunderbird,
Firefox, OE6 for these newsgroups, occasionally IE 6, Newsbin and
occasionally Forte Agent. I keep FF & Tbird up to date. I don't let other
applications go online. None of my games go online.

Tried 3x to boot into safe mode. I've done this before. Use f8 key. The
list of files loading ran, but stopped at drivers\mup.xxx. It sat there for
15 minutes the first time. It sat there the second time I don't know how long.
So I finally booted back into Normal.

I will update and run Hijack This and report back. I will try again
tomorrow to get into Safe Mode. In the meantime, if you have any
suggestions for me on that, I'll be glad to give them a try.

BTW, I've had computers since 1991. This is the first time I've ever had an
infection. I use Zone Alarm and AVG and keep AVG up to date.

What damage might the worm have done? Do I need to check any file
integrities, or change passwords, or notify others online?

--

*rain*drops*




"*rain*drops*" <rain@oregon.net> wrote in message
news:%23$RTPw%23lHHA.960@TK2MSFTNGP03.phx.gbl...
>I did an online scan using TrendMicro. It found "worm_rbot.ffx" in the
>system32 folder. I let it clean. I have not rebooted yet. I googled and
>most entries say svhost.exe is a bogus file with a worm in it. Some posts
>said it was a valid process that causes problems after an MS update. I'm
>confused.
>
> I found the file svhost.exe and checked properties -- no version or
> manufacturer. Its creation date was 2/15/2006 and modification date was
> 8/10/2004. My computer software was first loaded on 2/15/2006.
>
> I use MCE 2005 / XP SP2 with updates.
>
>
> Questions:
> 1. Is it a worm or a valid MS component?
> 2. Am I safe to reboot?
> 3. What other security measures should I take?
>
> Thank you for your assistance.
>
> --
>
> *rain*drops*
>
>
>
>



Re: Infected w-svhost / worm_rbot.ffx by Alex

Alex
Thu May 17 13:50:40 CDT 2007

yes, Rbot has a lot of variants and is pretty common

> BTW, I've had computers since 1991. This is the first time I've ever had
> an infection.

...that you know of....

> What damage might the worm have done? Do I need to check any file
> integrities, or change passwords, or notify others online?

to be honest, anything and everything.

The general rule (for me, YMMV) is that once something is detected, pretty
much no matter what, I flatten and rebuild. I do data-backups to CD/DVD
semi-regularly to keep the pain of this process to a minimum, and try to
minimize keeping anything particularly interesting (financial data, blah
blah blah) on my machine