QBOT Removal Procedures
QBOT is a rootkit: it hides its own files from the operating system. Its main folder (on XP/2000) is C:\Documents and Settings\All Users\_qbothome. If you cannot see that folder in Explorer, type the path into the Run prompt and it will open anyway; the folder will not appear in directory listings even with "Show hidden files and folders" turned on.
Inside that folder are the text files where captured keystrokes are gathered, along with the DLL that does the hiding (msadvapi32.dll).
1) Open Task Manager and kill every process whose name starts with _qbot.
2) Open the Registry Editor, search for "qbot" and delete any associated keys (you may have to reset permissions on some keys before they will delete).
3) Do a Windows search for "qbot" and delete any files you can. Some will be in use and cannot be deleted yet.
4) Go to C:\Documents and Settings\All Users\_qbothome and delete everything you can. The only thing you will not be able to delete is msadvapi32.dll, but you can rename it. Rename it to something random; once the DLL can no longer be found under its expected name, the rootkit is broken on the next boot.
5) Reboot. Once the computer is back up, open Task Manager again: you will see more _qbot processes, in particular _qbotinj.exe. Kill them.
6) Do another Windows and Registry search for "qbot". With the rootkit broken, all of its files are now visible to the OS and you will see everything it actually installed. Delete it all; at this point you can also delete the C:\Documents and Settings\All Users\_qbothome folder itself, which is now visible.
7) It may also have installed a Scheduled Task. If so, there will be a file C:\Windows\System32\icsmgr.js, which must be deleted along with the Scheduled Task.
8) The computer is now clean. If there are other computers on the network, one more step keeps it from spreading back to the machine you just cleaned. Go to C:\Documents and Settings\All Users\ and create a spoof _qbothome folder. Inside it, create an empty file named msadvapi32.dll (on a desktop OS, first disable "Hide extensions for known file types" in Folder Options -> View, otherwise Explorer will silently create msadvapi32.dll.txt instead). Then set the security on the folder to deny access to Everyone. This prevents reinfection while the other computers are cleaned. Note that a Deny entry for Everyone also blocks Administrators; the account that created the folder remains its owner and can still change the permissions later, so create it from the account you will use to undo it.
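The manual steps above can be scripted. The following batch file is an added example, not part of the original procedure, and it assumes a Windows XP Professional command prompt run as Administrator (taskkill.exe, reg.exe, schtasks.exe and cacls.exe present; on Windows 2000 or XP Home use Task Manager, the Scheduled Tasks folder and Explorer for those steps instead). The page does not give the Scheduled Task's name, so the script only lists tasks for you to review; the rename suffix and the temporary .reg export paths are arbitrary choices of this example. Run it once, reboot, then run it again with the argument spoof to do the second pass and create the spoof folder.

```batch
@echo off
rem qbot_clean.cmd - added example script for the QBOT removal steps above.
rem Pass 1: qbot_clean.cmd            (steps 1-4 and 7, then reboot)
rem Pass 2: qbot_clean.cmd spoof      (steps 5-8: the rootkit is broken, so
rem                                    the hidden files are now visible)
setlocal
set "QHOME=C:\Documents and Settings\All Users\_qbothome"

rem Steps 1 and 5: kill every running _qbot* process (wildcard is accepted by /IM).
taskkill /F /IM _qbot* >nul 2>&1

rem Steps 2 and 6 (registry): XP's reg.exe has no "query /f", so export each hive
rem and search the export. "type" converts the UTF-16 .reg file so findstr can read it.
echo === Registry entries mentioning qbot (review, then remove with reg delete) ===
for %%H in (HKLM HKCU) do (
    if exist "%TEMP%\%%H.reg" del /f /q "%TEMP%\%%H.reg"
    reg export %%H "%TEMP%\%%H.reg" >nul 2>&1
    type "%TEMP%\%%H.reg" | findstr /i qbot
    del /f /q "%TEMP%\%%H.reg"
)

rem Steps 3 and 6 (files): delete every visible file whose name contains qbot.
rem In-use files fail silently here; they go on the second pass after the reboot.
echo === Deleting visible qbot files on C: ===
for /f "delims=" %%F in ('dir /s /b /a "C:\*qbot*" 2^>nul') do del /f /q "%%F" 2>nul

rem Step 4: break the rootkit by renaming its hiding DLL to a random name.
if exist "%QHOME%\msadvapi32.dll" ren "%QHOME%\msadvapi32.dll" msadvapi32.dll.%RANDOM%.broken

rem Step 6: the folder itself can only be removed once the rootkit is broken.
rd /s /q "%QHOME%" 2>nul

rem Step 7: remove the dropped script and list scheduled tasks for manual review,
rem since the task name is not known. Delete the matching one with:
rem   schtasks /delete /f /tn "NAME"
if exist "%SystemRoot%\System32\icsmgr.js" del /f /q "%SystemRoot%\System32\icsmgr.js"
echo === Scheduled tasks referencing icsmgr.js (delete with schtasks /delete /tn NAME) ===
schtasks /query /fo LIST /v 2>nul | findstr /i "TaskName icsmgr"

rem Step 8 (second pass only): recreate _qbothome as a spoof with an empty
rem msadvapi32.dll and deny Everyone access so the worm cannot drop itself here.
if /i "%~1"=="spoof" (
    mkdir "%QHOME%"
    type nul > "%QHOME%\msadvapi32.dll"
    cacls "%QHOME%" /E /D Everyone
    echo Spoof folder created and locked: %QHOME%
)
endlocal
```

Because the account running the script becomes the owner of the spoof folder, it can later lift the block with cacls "%QHOME%" /E /R Everyone even though the Deny entry applies to Administrators too.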