
Can't seem to find this pesky qbot virus ....

Created: 25 Sep 2009 • Updated: 21 May 2010 | 2 comments

Does anyone want to help me with a few ideas on how to track down how this virus is coming in, or the PC it is coming in through?

Running SEP 11

I can't seem to find the origin of it, and it keeps hitting some PCs daily now. Driving me nuts!


P_K_:

On the clients, what components are installed?
If Proactive Threat Protection is installed, the Threat Log will help us to track the virus.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

SuperAVremover:

QBOT virus is a pain, but once you understand it, it takes 5-10 minutes to get it off of an infected machine and is easily prevented from coming back.

It is a rootkit that creates files hidden from the operating system. Its main folder (in XP/2000) is C:\Documents and Settings\All Users\_qbothome. Type it in the Run prompt if you can't see it directly and it will take you to the folder (it will not show up even if you "Show hidden files and folders" in Windows).

Inside that folder are text files where the keystrokes are gathered, and the main API dll (msadvapi32.dll) that allows it to hide from the OS.

TO REMOVE, DO THE FOLLOWING:

1) Open Task Manager and kill any _qbotxxxx processes.

2) Open the Registry, search for "qbot" and delete any associated keys (you may have to reset permissions to delete certain keys).

3) Do a Windows search for "qbot" and delete any files you can. Some files may be in use and can't be deleted at the moment.

4) Go to C:\Documents and Settings\All Users\_qbothome and delete everything you can. The only thing you won't be able to delete is a file called "msadvapi32.dll", but you can rename it. Rename it to something random. This will break the rootkit.

5) Reboot. Once the computer is back up, open Task Manager again; you will see more _qbotxxx processes, in particular _qbotinj.exe. Kill them.

6) Do another Windows and Registry search for "qbot". Since the rootkit is now broken, all the files will now be visible to the OS and you will see all the real crap. Delete everything, and at this point you will be able to delete the C:\Documents and Settings\All Users\_qbothome folder (which will now be visible to the OS).

7) It may have installed a Scheduled Task; if so, there will be a file C:\Windows\System32\icsmgr.js which needs to be deleted in addition to the Scheduled Task.

8) The computer will now be clean; however, if there are multiple computers on the network, one more step will prevent it from spreading back to the computer you just cleaned. Go to C:\Documents and Settings\All Users\ and create the _qbothome folder (we are going to create a spoof folder). Inside _qbothome, create a file called msadvapi32.dll (on desktop OSes, you will need to ensure that the "Hide extensions for known file types" option is disabled in Folder Options -> View so it doesn't really create a text file). Once that is done, set security on the folder to deny access to everyone. This will prevent reinfection while other computers are cleaned.
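The eight steps above as an added PowerShell script, written for this page and not part of SuperAVremover's post or of any Symantec tool. It assumes the XP-style paths the post gives, a local Administrator session, schtasks.exe on the box (Windows XP or later), and it narrows the post's whole-registry search to the usual Run/RunOnce keys; the file name, the function names and the -Phase parameter are this example's own choices.

```powershell
# Added example, not from the original thread: the eight manual steps above
# as one script, run as local Administrator in two passes:
#   .\Clean-Qbot.ps1 -Phase PreReboot     # steps 1-4, then reboot
#   .\Clean-Qbot.ps1 -Phase PostReboot    # steps 5-8
# Add -WhatIf to either call for a dry run. Assumptions: XP-style paths as in
# the post, schtasks.exe present (XP or later), and the autostart keys below
# standing in for the post's full "search the registry for qbot".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][ValidateSet('PreReboot', 'PostReboot')]
    [string]$Phase,
    [string]$QbotHome = (Join-Path $env:ALLUSERSPROFILE '_qbothome'),
    [string]$Marker   = 'qbot'
)

function Stop-QbotProcesses {
    # Steps 1 and 5: kill _qbot* processes (e.g. _qbotinj.exe).
    Get-Process | Where-Object { $_.ProcessName -like '_qbot*' } | ForEach-Object {
        Write-Host "Killing $($_.ProcessName) (PID $($_.Id))"
        Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
    }
}

function Remove-QbotAutostart {
    # Steps 2 and 6: values whose name or data mention "qbot" in the usual
    # Run keys (assumption). If a key's ACL was locked down, reset it first.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Get-Item -LiteralPath $root
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -match $Marker -or $data -match $Marker) {
                Write-Host "Removing $root\$name = $data"
                Remove-ItemProperty -LiteralPath $root -Name $name
            }
        }
    }
}

function Remove-QbotFiles {
    # Steps 3 and 6: anything named *qbot* on the system drive. While the
    # rootkit DLL is loaded these are hidden, so expect more hits after reboot.
    Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Filter "*$Marker*" -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host "Deleting $($_.FullName)"
            Remove-Item -LiteralPath $_.FullName -Recurse -Force -ErrorAction SilentlyContinue
        }
}

function Disable-QbotRootkit {
    # Step 4: empty _qbothome; the in-use msadvapi32.dll cannot be deleted
    # but can be renamed, so nothing loads it after the reboot.
    Get-ChildItem -LiteralPath $QbotHome -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'msadvapi32.dll' } |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    $dll = Join-Path $QbotHome 'msadvapi32.dll'
    if (Test-Path -LiteralPath $dll) {
        Rename-Item -LiteralPath $dll -NewName "$([guid]::NewGuid()).broken"
    }
}

function Remove-QbotTask {
    # Step 7: the icsmgr.js script and any scheduled task that runs it.
    $js = Join-Path $env:windir 'System32\icsmgr.js'
    if (Test-Path -LiteralPath $js) { Remove-Item -LiteralPath $js -Force }
    schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match 'icsmgr|_qbot' } |
        ForEach-Object {
            Write-Host "Deleting scheduled task $($_.TaskName)"
            if (-not $WhatIfPreference) { schtasks.exe /Delete /TN $_.TaskName /F | Out-Null }
        }
}

function New-QbotSpoofFolder {
    # Step 8: occupy the path with a deny-everyone folder so a still-infected
    # peer cannot recreate it. New-Item avoids the Explorer "hide extensions"
    # pitfall the post warns about. S-1-1-0 is Everyone, locale-independent.
    New-Item -ItemType Directory -Path $QbotHome -Force | Out-Null
    New-Item -ItemType File -Path (Join-Path $QbotHome 'msadvapi32.dll') -Force | Out-Null
    $acl = Get-Acl -Path $QbotHome
    $acl.SetAccessRuleProtection($true, $false)        # drop inherited ACEs
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $everyone, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $QbotHome -AclObject $acl
}

switch ($Phase) {
    'PreReboot'  { Stop-QbotProcesses; Remove-QbotAutostart; Remove-QbotFiles; Disable-QbotRootkit
                   Write-Host 'Reboot now, then rerun with -Phase PostReboot.' }
    'PostReboot' { Stop-QbotProcesses; Remove-QbotAutostart; Remove-QbotFiles
                   Remove-QbotTask; New-QbotSpoofFolder }
}
```

The two-pass split mirrors the post: before the reboot the hooking DLL is still loaded, so the file and registry sweeps will miss whatever it hides, and the rename is what actually disarms it; the PostReboot pass repeats the sweeps once everything is visible and only then plants the locked spoof folder, so the sweep does not delete the decoy it is about to create. This cleans one host; it does not answer the original question of which machine is reinfecting the others.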