rbot worm?

Ok, this should be easy for most of you and worth 300 points, but I cannot figure this one out. I have about 30 users that IT will not let on the network because of ARP storms. The platforms are NT4, W2K, and XP. These machines were not security patched but are running McAfee 7.1. Now all are security patched and have the latest DAT and engine. McAfee does not detect a virus, but in the reg there are entries "start upping" and "iexplorerupdt.exe". This happened at another location last week and I manually had to delete all of the references in the reg, spyware, and files in system32; systems were clean. Now it doesn't work at this location across town. What would cause these machines to broadcast so much? We are talking ARP traffic and it is about 9000b in half a min.....
txtr8rAsked:

SheharyaarSaahilCommented:
Hello txtr8r =)

Trend Micro should detect it if it's present on the machines >> http://uk.trendmicro-europe.com/consumer/security_info/ve_detail.php?Vname=WORM_RBOT.ABQ
run this online virus scan to verify it >> http://housecall.trendmicro.com/
0
stevenlewisCommented:
0
txtr8rAuthor Commented:
yes thank you and have tried trend micro and it does detect and deletes some but not all even in safe mode.....even if i do get it deleted in one instance i had to change the nic brd.......and for dos attacks....that is more along the lines of what i was thinking beings this is the same company....is there an easy way to prove/clean the arp cache?    IT needs proof.....i am just a low desktop support person......
0
SheharyaarSaahilCommented:
>> it does detect and deletes some but not all
why..... does it thrwo any error ??
0
SheharyaarSaahilCommented:
>> thrwo
throw*
0
txtr8rAuthor Commented:
cannot delete in use therefore i go into safe mode no network connection
0
txtr8rAuthor Commented:
am i looking at too many variables with 3 diff platforms?
0
txtr8rAuthor Commented:
oh one more thing last week at the other local it was start upping w/ taksmgr.exe........why would the file name change is this what the rbot does????
0
SheharyaarSaahilCommented:
Ok then try this,

F-Bot
The F-Bot utility disinfects computers infected with certain variants
of Agobot, Wootbot, SdBot, RBot, SpyBot, ForBot, IRCBot. Please see
the readme.txt file for more information.
  Download: http://www.f-secure.com/tools/f-bot.zip
  Download: ftp://ftp.f-secure.com/anti-virus/tools/f-bot.zip

ref >> http://www.f-secure.com/download-purchase/tools.shtml

get this tool, disconnect the machine from network, boot in Safemode(only) and then run that tool to eliminate the virus from the system!
0

SheharyaarSaahilCommented:
Start Upping is also related to Worm Rbot !!
0
txtr8rAuthor Commented:
i started those scanning before i left tonight on one machine will check it tomorrow.......do you have any info on the dos attacks how to detect?  should I give it a mac addy to IT can they check it or is this the wrong ave.....reason why i ask is the network admin was just removed.......
0
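
Added example, not part of the original thread: one way to turn a packet capture into the per-machine evidence asked about above is to tally ARP requests by sender MAC and count how many different IP addresses each machine asked for. The capture bytes, MAC and IP addresses, and the threshold of 20 are constructed for illustration; the parser assumes a classic pcap file with untagged Ethernet frames.

```python
import struct
from collections import defaultdict

def arp_requests_by_mac(pcap: bytes) -> dict:
    """Map sender MAC -> set of target IPs for ARP requests in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (non-pcapng) capture file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    targets, off = defaultdict(set), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Untagged Ethernet only: EtherType 0x0806 at 12, ARP opcode at 20 (1 = request).
        if len(frame) < 42 or frame[12:14] != b"\x08\x06" or frame[20:22] != b"\x00\x01":
            continue
        sender_mac = frame[22:28].hex(":")                         # sender hardware address
        targets[sender_mac].add(".".join(map(str, frame[38:42])))  # target protocol address
    return targets

def suspects(targets: dict, min_targets: int = 20) -> list:
    """Hosts asking for many different IPs, busiest first. Threshold is an assumption."""
    hits = [(mac, len(ips)) for mac, ips in targets.items() if len(ips) >= min_targets]
    return sorted(hits, key=lambda h: -h[1])

def _arp_request(mac: bytes, src_ip: bytes, dst_ip: bytes) -> bytes:
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + src_ip + b"\x00" * 6 + dst_ip
    return eth + arp

def build_sample() -> bytes:
    """Constructed capture: one host sweeping 60 addresses, one asking for its gateway."""
    noisy, quiet = bytes.fromhex("020000000a01"), bytes.fromhex("020000000a02")
    frames = [_arp_request(noisy, bytes([10, 0, 0, 200]), bytes([10, 0, 0, i]))
              for i in range(1, 61)]
    frames += [_arp_request(quiet, bytes([10, 0, 0, 201]), bytes([10, 0, 0, 254]))] * 3
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames]
    return header + b"".join(records)

if __name__ == "__main__":
    for mac, count in suspects(arp_requests_by_mac(build_sample())):
        print(f"{mac} sent ARP requests for {count} different addresses")
```

A machine that repeatedly asks for one or two addresses (its gateway, a file server) stays off the list; one that walks through the subnet shows up with its MAC, which can then be matched to a switch port.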
txtr8rAuthor Commented:
none worked.....back to the old search and delete works on some machines and not on others......last time i had a question cisco came out with a known issue a week later maybe so will mcafee or some other security company thanks and i would like to give you each 100 pts for trying but how would i go about that?
0
SheharyaarSaahilCommented:
Sorry to hear that....... you can ask in the Support area for the refund for this question :)
good luck :)
0
Question has a verified solution.