Nov 18, 2009

Mal/Qbot-B is a virus that can lead to intrusions, disruptions and damage on infected computers. Mal/Qbot-B is a generic detection used to identify malicious files with these characteristics, warn computer users and prevent execution.
QBOT Removal Procedures

It is a rootkit that creates files hidden from the operating system. Its main folder (in XP/2000) is C:\Documents and Settings\All Users\_qbothome. If you can’t see the folder directly, type the path into the Run prompt and it will take you there (the folder will not show up even if you enable “Show Hidden Files and Folders” in Windows).

Inside that folder are the text files where the keystrokes are gathered, and the main API DLL (msadvapi32.dll) that allows it to hide from the OS.

1) Open Task Manager and kill any _qbotxxxx processes.

2) Open the Registry, search for “qbot” and delete any associated keys (you may have to reset permissions to delete certain keys).

3) Do a Windows search for “qbot” and delete any files you can. Some files may be in use and can’t be deleted at the moment.

4) Go to C:\Documents and Settings\All Users\_qbothome and delete everything you can. The only thing you won’t be able to delete is a file called “msadvapi32.dll”, but you can rename it. Rename it to something random. This will break the rootkit.

5) Reboot. Once the computer is back up, open Task Manager again. You will see more _qbotxxx processes, in particular _qbotinj.exe. Kill them.

6) Do another Windows and Registry search for “qbot”. Since the rootkit is now broken, all the files will be visible to the OS and you will see all the real crap. Delete everything; at this point you will be able to delete the C:\Documents and Settings\All Users\_qbothome folder (which will now be visible to the OS).

7) It may have installed a Scheduled Task. If so, there will be a file C:\Windows\System32\icsmgr.js, which needs to be deleted in addition to the Scheduled Task.

8) The computer will now be clean. However, if there are multiple computers on the network, one more step will prevent it from spreading back to the computer you just cleaned. Go to C:\Documents and Settings\All Users\ and create the _qbothome folder (we are going to create a spoof folder). Inside _qbothome, create a file called msadvapi32.dll (on desktop OSes, you will need to ensure that the “Hide extensions for known file types” option is disabled in Folder Options->View so that you don’t actually create a text file). Once that is done, set security on the folder to deny access to everyone. This will prevent reinfection while the other computers are cleaned.
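
To confirm that steps 1 to 7 left nothing behind, the following PowerShell check looks for each artefact named above. It is an added example, not part of the original guide; it assumes PowerShell is installed on the machine, and limiting the registry search to key names under the two `Software` hives is an assumption made to keep the run short. Once the spoof folder from step 8 exists, the folder check reports it by design.

```powershell
# Added example: read-only check for the Qbot artefacts named in the steps above.
# Default paths are the XP/2000 ones from the guide; override them if needed.
param(
    [string]$QbotHome   = 'C:\Documents and Settings\All Users\_qbothome',
    [string]$TaskScript = 'C:\Windows\System32\icsmgr.js'
)

$findings = @()

# Steps 1 and 5: processes named _qbot* (for example _qbotinj.exe).
Get-Process -Name '_qbot*' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: $($_.ProcessName) (PID $($_.Id))"
}

# Steps 4 and 6: test the folder by its full path, because the rootkit
# hides it from directory listings while msadvapi32.dll is loaded.
if (Test-Path -LiteralPath $QbotHome) {
    $findings += "Folder present: $QbotHome"
    $dll = Join-Path $QbotHome 'msadvapi32.dll'
    if (Test-Path -LiteralPath $dll -ErrorAction SilentlyContinue) {
        $findings += "DLL present: $dll"
    }
}

# Step 7: the script file and any scheduled task that refers to it.
if (Test-Path -LiteralPath $TaskScript) {
    $findings += "Script present: $TaskScript"
}
$taskHits = schtasks.exe /query /fo LIST /v 2>$null |
    Select-String -SimpleMatch 'icsmgr.js'
foreach ($hit in $taskHits) {
    $findings += "Scheduled task reference: $($hit.Line.Trim())"
}

# Steps 2 and 6: registry keys whose name contains "qbot".
# Assumption: only key names under HKLM\Software and HKCU\Software are searched.
foreach ($root in 'HKLM:\Software', 'HKCU:\Software') {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'qbot' } |
        ForEach-Object { $findings += "Registry key: $($_.Name)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Qbot artefacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    exit 1
}
```

Run it from an administrator prompt after the reboot in step 5 and again after step 7; a non-zero exit code means at least one artefact is still present.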

  One Response to “How to Remove Mal/Qbot-B Virus”

  1. I’m afraid to say this guide didn’t quite work for you – I got to step 5 but presumably the rootkit hadn’t been killed because I couldn’t see all the Qbot crap and I was still having problems! Fortunately, the new MalwareBytes upgrade seems to have it fixed though – so all users who do step 4 and reboot but don’t have it fixed, get the latest MalwareBytes!
