Backdoor.Win32.Rbot.gay Options

[nenolovesopera]

Trojan Program Backdoor.Win32.Rbot.gay (Yesterday my Kaspersky found it,and it's deleted as I can see...Today-again!My computer was turned on, I was in the other room...And when I came again in my room where the computer is: WARNING! TROJAN PROGRAM BACKDOOR.WIN32.RBOT.GAY...what is this?I deleted it!And it's deleted, but why is it here again...I had it yesterday for 1st time! Please helppppp me, I am very panic-man!) And, what's ,,gay'' ?

What is this?
Could any1 help me, please?I am really desperate!!! I am really afraid from all the viruses...I hate it!I don't like to hava a computer because of the viruses:(

Also, help me with this: Detected: Riskware Trojan.generic
What is this and how can I delete it? It's in my C:\WINDOWS\System32\z.exe AND I am afraid! I don't know what is going to be with my WINDOWS if I delete it!

[aroon7651]

name='nenolovesopera' date='3.01.2008 03:14' post='515931']
Trojan Program Backdoor.Win32.Rbot.gay (Yesterday my Kaspersky found it,and it's deleted as I can see...Today-again!My computer was turned on, I was in the other room...And when I came again in my room where the computer is: WARNING! TROJAN PROGRAM BACKDOOR.WIN32.RBOT.GAY...what is this?I deleted it!And it's deleted, but why is it here again...I had it yesterday for 1st time! Please helppppp me, I am very panic-man!) And, what's ,,gay'' ?

What is this?
Could any1 help me, please?I am really desperate!!! I am really afraid from all the viruses...I hate it!I don't like to hava a computer because of the viruses:(

Hello nenolovesopera welcome to the kaspersky forum .. first please calmdown .. then do folowin steps
...............................................
1 first turn off system restore
............................................
Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
.....................................................
then restart your pc on Safe Mode
F8 - By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it, you will be brought to a menu where you can choose to boot into safe mode. If it does not work on the first try, reboot and try again as you have to be quick when you press it. I have found that during boot up right after the computer shows you all the equipment , memory, etc installed on your computer, if you start lightly tapping the F8 key you will usually be able to get to the desired menu.
......................................................
on safe mode please run a full system scan with kaspersky when the scan done just restart your pc on Normal Mode then just go and Turn system restore back On
........................................................
Steps to turn on System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
4. Click OK.
after you have done everything please let us know if you still having problem s with that infection ....

Also, help me with this: Detected: Riskware Trojan.generic
What is this and how can I delete it? It's in my C:\WINDOWS\System32\z.exe AND I am afraid! I don't know what is going to be with my WINDOWS if I delete it!

Trojan.generic is one of the common popups that you will experience, you will mostly recieve it at installations.
This behavioural detection is very simple. If a program creates a copy of itself somewhere and then registers that copy as an autostart object you can found detailed info about this alert HERE credits to Lucian Bara:

This post has been edited by aroon7651: 3.01.2008 09:25

[dawgg]

Please submit C:\WINDOWS\System32\z.exe to Kaspersky's VirusLab. Instructions shown here: http://forum.kaspersky.com/index.php?showtopic=13881

Where was Backdoor.Win32.Rbot.gay found... what file/directory?

Also, Download and run ComboFix. (Allow any warnings Kaspersky gives about it). Attach the log file it creates to your next post.

This post has been edited by dawgg: 3.01.2008 15:22

[nenolovesopera]

HERE:[/b]deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\System Volume Information\_restore{B3529652-8DA3-47B0-8F27-17110D48F545}\RP270\A0069489.exe

HERE:deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\WINDOWS\system32\z.exe


AND HERE: deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\WINDOWS\system\smscg.exe

I think that they are all deleted!Currently, I am doing a scaning of the LOCAL DISC C and my antivirus found again the same virus (the third one in system\smscg.exe ... I am so afraid!!! I am really afraid... What's this ,,gay'' ? I didn't visit some sex pages!!! How did I catchet it? It's 50% scaning and it goes soooo easy...not at all:)))

And, why do I have to do the ,,System Restore'' ?

[Lucian Bara]

hi.
no "gay" is simply a 3 letter variant designation (starts at a, b,c, then aa and so on, now it's at ggx). unfortunatly gay is a 3 letter word, that's why: http://www.kaspersky.com/viruswatchlite?se...amp;x=0&y=0

disabling system restore will clear the : C:\System Volume Information\ folder and remove any malware that might be in there.

do the combofix step suggested by dawgg: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
execute, follow the steps and when it's done it will create a c:\combofix.txt file. attach it to your post.

This post has been edited by Lucian Bara: 3.01.2008 23:20

[nenolovesopera]

Also, I want to say: THANK YOU to aroon7651
I hope that he'll help me in this problem!
I am sooo scared!
I am a biiig panic-boy!
Hey...my scaning...55%...

Is it possible to not recognise the virus ? And is it possible to this virus to copy itself after the scanning and deleting all the viruses in my computer?Is it possible to alive again ?

[dawgg]

Is it possible to not recognise the virus ? And is it possible to this virus to copy itself after the scanning and deleting all the viruses in my computer?Is it possible to alive again ?

Its recognized the trojan. Because the file reappeared again supposedly (as you mentioned in your first post), there may be something which is causing it to reappear (which is why we are requesting the log). Or it may be that you had several of the same trojan on your computer and yesterday it detected one of them, and today its finding the others.

After your scan is completed, post the results here and attatch the combofix log which was requested in the post.
Restart your computer and see if the trojan and files mentioned below reappear.
C:\WINDOWS\system32\z.exe
C:\WINDOWS\system\smscg.exe
Post back informing us whether they reappear or not.

This post has been edited by dawgg: 4.01.2008 00:49

[nenolovesopera]

Yeah, I think that I had few of them in 4 locations.
1.deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\System Volume Information\_restore{B3529652-8DA3-47B0-8F27-17110D48F545}\RP270\A0069489.exe
2.deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\System Volume Information\_restore{B3529652-8DA3-47B0-8F27-17110D48F545}\RP270\A0069502.exe
3.deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\WINDOWS\system32\z.exe
4.deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\WINDOWS\system\smscg.exe

So I had 4 other places infected with the same virus.

And, the scanning is 74% and it's staying like this for about 15 minutes or something...I am so afraid!
Tomorrow, after this night's scanning, I am going to scan the computer again (just THE C: local disc, and I'll tell u about the viruses!

So, I am thinking that my KASPERSKY deleted all the viruses!

[dawgg]

Do not scan the computer yet again tomorrow. Just restart and see if the files re-appear. Maybe scan C:\WINDOWS\ but scanning the whole c: drive is a waste of time.

[nenolovesopera]

Hey hey...I am feeling soooo happy!
I have finished the scanning of my computer and there is nothing more...
...and, I restarted my computer, and I saw: There was nothing re-appeared.Is it all?

So...I am checking MY COMPUTER LOCAL DISC C every minute!
There are not those files were before here!
So, in Local Disc C (system and system 32) the files were hidden before I opened them to see are there again the virus-folders and I checked that they are not, so how can I re-do those files to come back into a hidden files like they were before?

Oh my God...thank you to all of you!!! I was so desperated, but now I am free and more free:))

This post has been edited by Lucian Bara: 4.01.2008 03:17

[nenolovesopera]

Can you tell me is it all that I have to do?

[dawgg]

Yes, that should be all. You do not need to do anything else.

"how can I re-do those files to come back into a hidden files like they were before?"... sorry, I do not understand

[nenolovesopera]

Well...my english is not good:)))
I just wanted to say that before I opened the C:WINDOWS-SYSTEM32 and SYSTEM files, they were hidden and I choose that I want to unhide them!So, they are now unhidden:)
I want to know how can I make them hidden again or they will stay like this forever?

So, about the TROJAN PROGRAM BACKDOOR.WIN32.RBOT.GAY virus, I found that this is a virus controled by mIRC servers or something like this.
So-I have to stop using the mIRC or...?

[Don Pelotas]

Open Explorer then in the menu choose "Tools", next "Folder options" and "View", you can "unhide" there in the list. Using mIRC is up to you, i would not consider using it, but that does not mean it isn't safe as long as you use it with caution.

[dawgg]

"unhide" there in the list.

or hide ... "Hidden Files and Folders" > "Do not show hidden files and folders"

[nenolovesopera]

So...THE SAME PROBLEM AGAIN:(((( I am feeling so nervous:(((
The same virus is founded by Kaspersky (with no scaning it found it when I was writting some messages on my MSN), my Kaspersky rangs and told me that the same virus is founded...Here it is?


deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\WINDOWS\system32\2k3.exe

So...what is this?
I am so nervous Oh My God...Please help me!!!

[dawgg]

Do as Lucian posted regarding Combofix (Post #5)

[nenolovesopera]

And what's ,,Combofix'' ?

[Don Pelotas]

And what's ,,Combofix'' ?

Read post #5.

[nenolovesopera]

Today, my KASPERSKY founded 2 viruses again (The same virus was find).

So, they were founded when my computer was turned on with internet connection turned on, but I wasn't working on, I was in the other room.

I spenden about 2 hours, when I came back to my room, and I saw that there is the same virus.
I deleted it.

I turned back into the other room, and I came back in the room where the computer is, so I founded again that Another virus is founded, so I deleted it!

In what's the problem?

Is it possible for this virus to be sent by some hacker or something, becasue I am not opening web-pages in the moments when the virus cames in the computer???

Please tell me what should I do, I am afraid and confused!

I hate it !