
Need help on home network with recovery from rbot.gen virus

Subject Author Date
Need help on home network with recovery from rbot.gen virus denzel 01-15-2008
Posted by Leonard Agoado on January 21, 2008, 5:53 pm

| Hi David, After reading your answer to this post I went to Task Manager
| and found five (5) svchost.exe services running - 3 Network Services,
| and 2 System. Now after seeing your answer and checking
| Process Library and finding out this svchost.exe could be used by a
| Trojan, how can I find out the paths of these services in Task Manager
| like in your example? Thanks Ron (Defender)
|

It is common to have multiple SVCHOST.EXE processes running. Each load
specifcommunication
capabilities of the OS.

Like I said, it is not the name of the file that is important, it is the Fully
Qualified Name and Path to that file.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
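The point Dave makes above, that only the fully qualified path tells you whether an svchost.exe is the real one, is easy to check from the command line rather than by eye in Task Manager. The following is an added example written for this thread, not code posted by Dave or any other participant; it assumes a current Windows PowerShell and that it is run from an elevated prompt so that the path of every process is readable. For each running svchost.exe it shows the path on disk, the service group from the `-k` argument, the services it hosts, the Authenticode status of the image, and flags any instance that is not the System32 binary or hosts no service at all.

```powershell
# Added example, not from the thread: list every running svchost.exe with its
# fully qualified path, the service group it was started for, the services it
# hosts, and whether the image is the genuine, signed copy in System32.
# Run from an elevated prompt so ExecutablePath is readable for all processes.
$genuine = Join-Path $env:SystemRoot 'System32\svchost.exe'

Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $proc = $_

    # Service names hosted by this particular svchost instance
    $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.ProcessId)" |
              Select-Object -ExpandProperty Name

    # The -k argument names the service group (e.g. netsvcs); a copy started
    # without one is not hosting services the normal way
    $group = if ($proc.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '' }

    # Signature status of the image actually on disk; 'Unknown' when the path
    # could not be read (usually a non-elevated prompt)
    $sig = if ($proc.ExecutablePath) {
        (Get-AuthenticodeSignature -FilePath $proc.ExecutablePath).Status
    } else { 'Unknown' }

    [pscustomobject]@{
        PID       = $proc.ProcessId
        ParentPID = $proc.ParentProcessId
        Path      = $proc.ExecutablePath
        Group     = $group
        Services  = ($hosted -join ', ')
        Signature = $sig
        # Flag for review: not the System32 binary, or hosting no service at all
        Suspect   = (-not ($proc.ExecutablePath -ieq $genuine)) -or (@($hosted).Count -eq 0)
    }
} | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

A genuine instance shows `Path` equal to `%SystemRoot%\System32\svchost.exe`, `Signature` of `Valid`, and at least one hosted service. On an older machine without this PowerShell, the built-in `tasklist /svc` shows which services each PID hosts, and `wmic process where "name='svchost.exe'" get ProcessId,ExecutablePath,CommandLine` shows the full path of each copy, which is the information Ron asked for.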



Posted by denzel on January 24, 2008, 1:15 pm
> Denzel,
>
> If you have the original file, upload it to http://www.virustotal.com
> and report the results back here.
>
> Regards,
>
> Leonard Agoado
> agoado@msn.com
>

http://www.virustotal.com/analisis/eb1fcb79ea86a866a31ca76bcc285695



Antivirus          Version  Last Update  Result
AhnLab-V3          -        -            -
AntiVir            -        -            BAT/RBot.94038
Authentium         -        -            -
Avast              -        -            Win32:Rbot-CYW
AVG                -        -            IRC/BackDoor.SdBot3.XGI
BitDefender        -        -            GenPack:Generic.Sdbot.4502EEEF
CAT-QuickHeal      -        -            Backdoor.Rbot.fwe
ClamAV             -        -            -
DrWeb              -        -            Win32.HLLW.MyBot.based
eSafe              -        -            suspicious Trojan/Worm
eTrust-Vet         -        -            Win32/Rbot!generic
Ewido              -        -            -
FileAdvisor        -        -            -
Fortinet           -        -            -
F-Prot             -        -            -
F-Secure           -        -            Backdoor.Win32.Rbot.fwe
Ikarus             -        -            Backdoor.Win32.Rbot.aeu
Kaspersky          -        -            Backdoor.Win32.Rbot.fwe
McAfee             -        -            -
Microsoft          -        -            Backdoor:Win32/Rbot.gen
NOD32v2            -        -            a variant of Win32/Rbot
Norman             -        -            W32/Spybot.CKSQ
Panda              -        -            W32/Sdbot.LMD.worm
Prevx1             -        -            Backdoor.IRCBot.gen
Rising             -        -            Backdoor.Win32.Rbot.GEN
Sophos             -        -            Mal/Generic-A
Sunbelt            -        -            Backdoor.SDBot
Symantec           -        -            -
TheHacker          -        -            -
VBA32              -        -            Win32.HLLW.MyBot.based
VirusBuster        -        -            -
Webwasher-Gateway  -        -            Worm.Rbot.210944

Additional information

MD5:    fc216d7b5859115a618d3adc83359349
SHA1:   18a8897baa1b1ded75e221be47cd0841d305eb6f
SHA256: 73a3f914ca5f0c2ce76186288f4c8919ea73dbc0f4c5e13fc38806ec721cc6df
SHA512: 915653b73f83b657f9ed19806d3fdcbfd3857837245d5c18836972fd32002dfea6362bf50a7b335ed0f03d85b371cbcd28b0a18e681a24100145610b9c0ef567





Posted by AyeKantSpeylGud on February 9, 2008, 4:03 am
Hi Denzel,

I have to admit that I can totally understand your frustration with this. I
came to this page looking for the exact same thing - I had a virus, a BUNCH
of them, as well as spyware and other garbage that had done a number of
things to make it next to impossible to get rid of them. One of the things it
did was to turn off the ability to go straight to Windows Update. (It'd also
turned off Control Panel, disabled Regedit, all saying that it'd been blocked
by the system administrator, even though I AM the System Administrator!)

If I am personally understanding you correctly, you are simply asking for
where in the registry you can turn it back on - now that you HAVE gotten rid
of the virus! I am currently stuck in the same situation. If I find the
answer, I will try to post it back here for you. Who knows though, it's been
a few days, perhaps you've already found the answer!

Take care and best of luck!

Heather


Posted by AyeKantSpeylGud on February 9, 2008, 4:25 am
I think I found it! I tried it and it just worked for me. :-D

Go here: http://windowsxp.mvps.org/aupolicy.htm

Basically...

Open Regedit.
Go to HKLM\Software\Policies\Windows\WindowsUpdate\AU
Delete or change any value that implies disabling Windows Update (See
website). I did not have any values in this key.

Also check:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
Delete or change any value indicating that Windows Update will be disabled.
I did not have the values that the website mentions but the virus had entered
a "NoWindowsUpdate" and had that value ON.

In that same exact area was a different option for no control panel! I knew
I should've changed that, I thought it was weird when I first saw that but I
didn't bother. Oh well. Hope that helps you as much as it did me!

Take care & Best Luck!!!
Heather


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate

In the right pane, delete the value DisableWindowsUpdateAccess
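The manual Regedit walk Heather describes can be done in one pass from PowerShell, which also works when Regedit itself has been disabled by policy, since the `DisableRegistryTools` restriction applies to regedit.exe and not to the PowerShell registry provider or reg.exe. The following is an added example written for this thread, not code from Heather or from the linked page; it assumes a current Windows PowerShell, is run as the affected user for the HKCU keys and elevated for the HKLM key. The HKCU `Policies\WindowsUpdate` key and the `NoWindowsUpdate` and `DisableWindowsUpdateAccess` value names are the ones mentioned in the thread; the `Policies\Explorer` and `Policies\System` keys and the `NoControlPanel`, `DisableRegistryTools` and `NoAutoUpdate` values are the standard Windows policy values behind the Control Panel and Regedit lockouts the thread also describes, and the HKLM path used is the documented `Policies\Microsoft\Windows\WindowsUpdate\AU` key.

```powershell
# Added example, not from the thread: audit the policy keys that an infection
# commonly sets to lock the user out of Windows Update, Control Panel and
# Regedit, report every such value that is present, and optionally delete it.
function Get-LockoutPolicyValue {
    param([switch]$Remove)   # -Remove deletes what is found instead of only listing it

    # Key -> value names that restrict a feature when present (normally set to 1).
    # The HKCU WindowsUpdate key and the NoWindowsUpdate / DisableWindowsUpdateAccess
    # names are from the thread; the rest are standard Windows policy values.
    $checks = [ordered]@{
        'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'             = @('NoAutoUpdate')
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate' = @('DisableWindowsUpdateAccess', 'NoWindowsUpdate')
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'      = @('NoWindowsUpdate', 'NoControlPanel')
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'        = @('DisableRegistryTools')
    }

    foreach ($key in $checks.Keys) {
        # A missing key means no policy is applied there, which is the normal state
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $checks[$key]) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }   # value not present, nothing to do
            [pscustomobject]@{ Key = $key; Name = $name; Value = $prop.Value }
            if ($Remove) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }
}

# List first; re-run with -Remove once the findings match what the thread describes
Get-LockoutPolicyValue | Format-Table -AutoSize
```

The `Explorer` restrictions (`NoControlPanel`, `NoWindowsUpdate`) take effect only after Explorer restarts or the user logs off and on again, so a value that was just deleted can still appear to be active until then. Where PowerShell is not available, `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate` lists the same values from a plain command prompt.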





