
Help!! TROJ_LOWZONES and WORM_RBOT.GEN

pikk67 (IS-IT--Management), Nov 10, 2004
I recently got hit on my network by these two bad boys and have tried all day unsuccessfully to remove them. I imagine they're running off my network somewhere, as the same 5 PCs were re-infected shortly after I cleaned all of them and put them back online.

The same files always show up in my processes on these PCs. They are welcome.exe, photos.exe, winmsn.exe and taskmanger.exe.

Can anyone offer any suggestions on getting rid of them? I've tried all the usual steps... boot Safe Mode, clean registry, delete malware, reboot... etc., etc.

TIA,

Pikk
 
ya,

welcome.exe appears to be a legit file.

Download the Pocket Killbox.

Download HijackThis from the link below. Please do this. Click here:

to download HijackThis. Click Scan and save a logfile, then post it here so
we can take a look at it for you. Don't click Fix on anything in HijackThis,
as most of the files are legitimate.

Do a Ctrl/Alt/Del and in Task Manager stop these processes if running:

photos.exe
winmsn.exe
taskmanger.exe

Run HijackThis and fix the above if they show up in the log.

Double-click on Killbox.exe to run it. Now put a tick by "Delete on Reboot". In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click Yes to reboot after you have entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

These should be something like

C:\windows\system32\photos.exe or

C:\windows\photos.exe

You need to tell Killbox the path to these pests so it can delete them!

photos.exe
winmsn.exe
taskmanger.exe

Post a HijackThis log, there could be more!
 
I would also suggest you get a copy of Ewido and run it...

Disable Restore, boot into Safe Mode, clear TEMP and Internet temp files first, then scan with Ewido... then run HJT, do a log, paste it here for analysis... and hope the buggers get caught...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Thanks for the tips. I'll give these programs a try.

BTW: these processes will not end even when you select End Process Tree. I had to boot these PCs in Safe Mode and remove the files and reg entries manually. In fact, when you try to delete the reg entries while running in normal mode, the entries just reappear.

I'll let you know how I fare.

P'
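The steps the two replies above describe by hand (stop the process, find the file's real path, remove the autostart value, queue a locked file for deletion at next boot, which is what Killbox's "Delete on Reboot" does via MoveFileEx) as one script, with the fallback for the unkillable processes and reappearing registry values pikk67 reports. This is an added example, not code from any poster or tool in the thread. It assumes Windows PowerShell 5.1 run from an elevated prompt; the three file names are the ones reported in the thread, the two candidate directories are the ones the first reply suggests, and the Run/RunOnce keys are an assumption about where the autostart lives (HijackThis checks more locations than these). It does not find the network host that keeps re-infecting the PCs.

```powershell
# Added example (not from the thread). Run elevated. -DryRun only reports what it would do.
param([switch]$DryRun)

$Suspects = 'photos.exe', 'winmsn.exe', 'taskmanger.exe'   # names reported in the thread
$RunKeys  = @(                                              # assumed autostart locations
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (0x4) is the mechanism behind "delete on reboot":
# the path is queued in PendingFileRenameOperations and removed before anything can lock it.
$Kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

# 1. Running copies, and the path each was loaded from (the delete step needs the full path).
$found = @{}
Get-CimInstance Win32_Process |
    Where-Object { $Suspects -contains $_.Name.ToLower() } |
    ForEach-Object {
        Write-Host ("running: {0} pid={1} path={2}" -f $_.Name, $_.ProcessId, $_.ExecutablePath)
        if ($_.ExecutablePath) { $found[$_.ExecutablePath.ToLower()] = $true }
        if (-not $DryRun) { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
    }

# 2. The two directories the first reply names, in case nothing is running at the moment.
foreach ($dir in "$env:SystemRoot\system32", $env:SystemRoot) {
    foreach ($name in $Suspects) {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { $found[$p.ToLower()] = $true }
    }
}

# 3. Autostart values that reference any of the names; without this they come back at logon.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($v in $props.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }            # PowerShell provider metadata, not a value
        if ($Suspects | Where-Object { "$($v.Value)" -like "*$_*" }) {
            Write-Host ("autostart: {0}\{1} = {2}" -f $key, $v.Name, $v.Value)
            if (-not $DryRun) { Remove-ItemProperty -Path $key -Name $v.Name }
        }
    }
}

# 4. Delete now if possible; if the file is still locked, queue it for deletion at next boot.
foreach ($path in $found.Keys) {
    if ($DryRun) { Write-Host "would delete: $path"; continue }
    try {
        Remove-Item -LiteralPath $path -Force -ErrorAction Stop
        Write-Host "deleted: $path"
    } catch {
        $ok = $Kernel32::MoveFileEx($path, $null, 4)   # 4 = MOVEFILE_DELAY_UNTIL_REBOOT
        Write-Host ("queued for delete on reboot: {0} (ok={1})" -f $path, $ok)
    }
}
```

Run it once with -DryRun to see the paths and values it found, then without, reboot, and run it again: if a Run value reappeared while the process was still alive, the second pass removes it after the file itself is gone. As the thread notes, cleaning one host is not enough when another machine on the network is re-infecting it, so the source still has to be found.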
 