Resolve for Esbot and Rootkit-AA description
A tool that removes Esbot and Rootkit-AA trojan
Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
W32/Esbot-B is a network worm and IRC backdoor Trojan for the Windows platform.
W32/Esbot-B will connect to an IRC channel and wait for instructions.
When first run, W32/Esbot-B copies itself to services32.exe.
The file services32.exe is registered as a new system driver service named “Content List Management Sub System”, with a display name of “services32” and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Content List Management Sub System
The following registry entry is set:
Troj/Rootkit-AA is a kernel-mode driver that is capable of hiding processes by directly manipulating kernel structures.
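The following PowerShell check is an added example, not part of Sophos' Resolve tools or the page's own material: it looks for the persistence artifacts described above (the service registry key, a service displayed as "services32", the dropped services32.exe and a matching process) and only reports what it finds. It assumes the dropped file sits somewhere under the Windows directory, which the page does not state.

```powershell
# Added example (not Sophos code). Read-only triage for W32/Esbot-B persistence.
# Service name, display name and file name are taken from the description above;
# the search location for the dropped file is an assumption.
$ServiceName = 'Content List Management Sub System'
$RegPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$findings    = @()

# 1. Service key created under HKLM\SYSTEM\CurrentControlSet\Services
if (Test-Path -LiteralPath $RegPath) {
    $key = Get-ItemProperty -LiteralPath $RegPath
    $findings += [pscustomobject]@{
        Indicator = 'ServiceRegistryKey'
        Detail    = "ImagePath=$($key.ImagePath); Start=$($key.Start); DisplayName=$($key.DisplayName)"
    }
}

# 2. Service as registered with the Service Control Manager (display name "services32")
$services = Get-Service -ErrorAction SilentlyContinue | Where-Object {
    $_.Name -eq $ServiceName -or $_.DisplayName -eq 'services32'
}
foreach ($s in $services) {
    $findings += [pscustomobject]@{
        Indicator = 'ServiceObject'
        Detail    = "Name=$($s.Name); DisplayName=$($s.DisplayName); Status=$($s.Status)"
    }
}

# 3. Dropped copy of the worm (assumed to live under the Windows directory)
$files = Get-ChildItem -Path $env:SystemRoot -Filter 'services32.exe' -Recurse -File -ErrorAction SilentlyContinue
foreach ($f in $files) {
    $findings += [pscustomobject]@{
        Indicator = 'DroppedFile'
        Detail    = "$($f.FullName) ($($f.Length) bytes, modified $($f.LastWriteTime))"
    }
}

# 4. Running process. Troj/Rootkit-AA hides processes by manipulating kernel
#    structures, so an empty result here does not prove the worm is not running.
foreach ($p in (Get-Process -Name 'services32' -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{
        Indicator = 'Process'
        Detail    = "PID=$($p.Id); Path=$($p.Path)"
    }
}

if ($findings.Count -eq 0) {
    'No W32/Esbot-B persistence artifacts found (a rootkit may still be hiding the process).'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the service key and process paths are readable; a positive result is a reason to run the Resolve disinfector below, not a substitute for it.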
W32/Esbot and Troj/Rootkit-AA can be removed from Windows computers automatically with the following Resolve tools:
ESBOTGUI is a disinfector for standalone Windows computers. To use it, do the following:
· Open the ESBOTGUI.com file from your desktop after downloading it.
· Click the Start Scan button.
· Wait for the process to complete.
· After removing the worm, install the Microsoft security patches described in the W32/Esbot removal tool Readme.
Command line disinfector
ESBOTSFX.EXE is a self-extracting archive containing ESBOTCLI, a Resolve command line disinfector for use by system administrators on Windows networks.