Results 1 to 6 of 6

Thread: Trojan (Win32Rbot.byt) in System Restore: how to rid

  1. #1
    lipmanson Guest

    Default Trojan (Win32Rbot.byt) in System Restore: how to rid

    I picked up a Trojan and managed to get rid of it via several tools. However, ZA SS continues to detect it realtime in my c:\System Restore, shortly after each boot. ZA quarantines it before it can do any damage, but how can I get rid of it in System Restore.

    I cannot get into the SR directory with Explorer even when I try to remove the h,r,s,a attributes. Even though I am the Administrator it appears that I don't have the privileges to look at what's in the SR directory.

    Will this problem eventually disappear through attrition as I accumulate more Restore points? I tried turning off SR and then turning it on again. It appeared to get rid of the restore points, but eventually ZA started picking up the trojan again. (I did not reboot after turning SR off and on.) I do delete it from the virus log, but this appears to get rid of it only in the log.

    I've run RootkitRevealer and Hijaak, poured through all my startup settings and autoruns, and can see nothing obvious.

    Any suggestions? Again the Trojan is the Win32Rbot.byt.

    Thanks in advance

    Running ZA SS 7.0.337.0

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Nov 2004
    Location
    localhost
    Posts
    17,292

    Default Re: Trojan (Win32Rbot.byt) in System Restore: how to rid

    Hi!try to reduce the size of system restore to 0 (zero) and reboot. Turn OFF system restore and reboot.Turn ON system restoreThis should finallywipe out any system restore datain your system.Cheers,Fax

    Click here for ZA Support
    Monday-Saturday 6am to 10pm Central time
    Closed Sundays and Holidays

  3. #3
    lipmanson Guest

    Default Re: Trojan (Win32Rbot.byt) in System Restore: how to rid

    Fax:

    Yes, I was saving that as a last resort. Hate to reboot w/o any safety zone, although I'll probably do that tomorrow morning after my initial boot with system restore. If everything comes up fine then, I'll feel safe rebooting immediately without a restore point.

    There appears to be some controversy about the danger of a Trojan in System Restore. Some gurus say it's inactive and other say it's potentially dangerous even if you don't restore that point. Better to get rid of it.


    Thanks.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Trojan (Win32Rbot.byt) in System Restore: how to rid

    More details:

    Disable the systems restore [start > right click My computer > open Properties > select the System Restore tab > check the box with "turn off system restore on all drives > Apply and OK > turn off the PC.

    Start the PC in the safe Mode. To get into the XP Safe mode, as the computer is booting ( the manufactures or "BIOS" screen appears) just press and hold your "F8 Key" ( or just keep tapping the F8 key) which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.
    Select Safe Mode with no networking. When the windows appears for the system restore option, do not use and the windows will then go straight to the safe mode desktop.

    Now open the ZA. The firewall will be off . There is no internet connection when the no networking mode is selected so no danger is present.
    Open the antivirus scanner and do a full scan of all disks and harddrives.
    The scanner will now detect and be able to remove the file in the system volume directory. After this just reboot or restart The scan should be repeated again in the normal mode.
    ----------------------------------------------------------------------------

    Yes if the system restore is ever used again, then the troyan will be restored as well and become active once again. So yes please remove it.

    Oldsod
    Best regards.
    oldsod

  5. #5
    lipmanson Guest

    Default Re: Trojan (Win32Rbot.byt) in System Restore: how to rid

    Oldsod:

    Want to give you the outcome of my problem. Thanks to you, it is gone, and has been gone for more than 24 hrs of running.

    I inadvertently found another method that seemed to do the job too, although I ran yours afterward just to be sure. Thought I'd let you know what that is.

    Before turning off System Restore and booting into safe mode, I downloaded Microsoft's Malicious Software removal tool. Ran it once at default values and it found nothing. Ran it again using only the Custom option and pointed the program at System Information directory. MMSR appears to be able to access all of the system restore files and evaluate them. I had to run the program this way 8 times, each with a reboot between. Each run it went a little further into the system restore files. Concurrently, as MMSR examined each infected file, ZA was triggered, and this time gave me the option of deleting the Trojan on boot, which I selected. Hence all the boots I had to do. After each deletion I found that one restore point was gone. I finally ended up with no restore points, even though System Restore was turned on, and clean scans by ZA and the MMSR. At that point I turned off System Restore, rebooted once, then rebooted into Safe Mode per your instructions. Ran ZA and it came up clean.

    Brought my system up normally and ran it for 1 day with System Restore turned off. Made sure not to make any changes to the system during this period. Saw no evidence of any Trojan or virus activity. Turned on System Restore again and ran another day, clean as a whistle. Reran both scanners, ZA and MMSR, and again it came up clean.

    So, it appears that the System Restore area is not as innocuous and inactive as I thought, even when nothing is restored.
    What surprises me is that when the Microsoft malicious software removal tool examined the system restore area it did not register as having found a virus or trojan. ZA seems to have detected the troublemaker springing into action first and took it out before the MS tool could do anything. The MS tool was handy, however, for accessing and examining that usually untouchable area without going into Safe Mode.

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Trojan (Win32Rbot.byt) in System Restore: how to rid

    Hi lipmanson

    That is very interesting. It is nice to know the MMSR will remove the restore points as it cleans. Seems to be complete for what it does.

    Glad to hear it is gone and cleaned up.

    Cheers,

    Oldsod
    Best regards.
    oldsod

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •