11.01.2008 22:51
Post
#21
True legend | Group: Moderators | Posts: 52487 | Joined: 28.01.2006 | From: Timisoara, Romania
read post 5 please. it's probably autodownloaded by something undetected on your pc.
This post has been edited by Lucian Bara: 11.01.2008 22:51

12.01.2008 01:51
Post
#22
Forum Elite | Group: Moderators | Posts: 6828 | Joined: 6.04.2006 | From: London
jeeeezzzzzzz!

12.02.2008 16:51
Post
#23
Member | Group: Members | Posts: 15 | Joined: 3.01.2008
I am so desperate.
After, maybe 1 month, the virus came back into my laptop. I am worried. I don't know how to do this from the post 5 ??? Please help me! And why the virus is called: .gay ?

12.02.2008 16:54
Post
#24
True legend | Group: Moderators | Posts: 52487 | Joined: 28.01.2006 | From: Timisoara, Romania
i already explained why it's .gay, in post 5.
QUOTE
no "gay" is simply a 3 letter variant designation (starts at a, b, c, then aa and so on, now it's at ggx). unfortunately gay is a 3 letter word, that's why: http://www.kaspersky.com/viruswatchlite?se...amp;x=0&y=0

how to do it.
1 you download and save it to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2 you execute it
3 you follow the steps, it should be straightforward.
4 when it's done it will probably want to reboot, after the reboot you will find a file called c:\combofix.txt, open it with notepad, copy the contents and post it here.

14.02.2008 17:22
Post
#25
Member | Group: Members | Posts: 15 | Joined: 3.01.2008
and so what should I expect from this?
what will be the results?

14.02.2008 18:13
Post
#26
Global Moderator | Group: Global moderators | Posts: 25602 | Joined: 7.04.2005
QUOTE
and so what should I expect from this? what will be the results?

I think this is where you ask yourself if you really want any help, you don't have to do what is suggested, but on the other hand if you don't then most will probably just ignore after a while.

27.02.2008 06:35
Post
#27
Member | Group: Members | Posts: 10 | Joined: 9.02.2008
Hey.. i need help on this.. i realized i got this problem yesterday!! and kaspersky can't seem to delete it or something else is playing tricks!!
anyway.. i ran ComboFix and I attached the file here.. hope someone can help check if I still need to do anything else to get rid of this stupid rbot.gay!! thanks!!!
Attached File(s)

27.02.2008 13:24
Post
#28
Member | Group: Members | Posts: 10 | Joined: 9.02.2008
QUOTE
Hey.. i need help on this.. i realized i got this problem yesterday!! and kaspersky can't seem to delete it or something else is playing tricks!! anyway.. i ran ComboFix and I attached the file here.. hope someone can help check if I still need to do anything else to get rid of this stupid rbot.gay!! thanks!!!

looks like nobody's interested to help... but anyway.. i scanned my laptop using CounterSpy and managed to detect Bifrost http://research.sunbelt-software.com/threa...;threatid=29428 and deleted the problem already.. hopefully it's related and my laptop is trojan free!!!

27.02.2008 13:58
Post
#29
Wrestling Champion | Group: Moderators | Posts: 8026 | Joined: 9.03.2007 | From: London
Posted by mr_goh Today, 03:35
Unfortunately, we do not read posts at 3AM local time. Remember that we are in different timezones and we also have other responsibilities so it may take a while for a reply. Be patient
This post has been edited by MAPKOBKA^^: 27.02.2008 13:59
Kind Regards,
Baz (Volunteer Moderator aka I don't work for Kaspersky ;))

28.02.2008 09:21
Post
#30
Member | Group: Members | Posts: 10 | Joined: 9.02.2008
QUOTE
Posted by mr_goh Today, 03:35
Unfortunately, we do not read posts at 3AM local time. Remember that we are in different timezones and we also have other responsibilities so it may take a while for a reply. Be patient

oh.. hahaha.. sorrie then.. i was expecting people from somewhere.. anywhere that can give me an answer.. thanks for the reminder though.. anyway.. looks like the CounterSpy didn't solve the problem!! sigh... the trojan is still around ...
This post has been edited by mr_goh: 28.02.2008 09:22

28.02.2008 13:25
Post
#31
Forum Elite | Group: Moderators | Posts: 6828 | Joined: 6.04.2006 | From: London
Where does Kaspersky detect the backdoor?... where is it located and what is its file name?
Where did CounterSpy detect Bifrost?... location and file name...
Please submit the Bifrost which CounterSpy detected to Kaspersky's VirusLab... instructions shown here: http://forum.kaspersky.com/index.php?showtopic=13881
Click Start>Run>regedit ... navigate to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\ and delete that key/folder
Click Start>Search>File&Folder>AllFilesAndFolders... where it says "all or part of the filename", search for autoregistry.exe and autorun.exe. Submit them to Kaspersky's VirusLab
Also submit the following files to Kaspersky's VirusLab
C:\QooBox\Quarantine\C\WINDOWS\system32\nsprs.dll
C:\QooBox\Quarantine\C\WINDOWS\system32\prsgrc.dll
C:\QooBox\Quarantine\C\WINDOWS\system32\prsrvk.dll
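
The MountPoints2 step in the post above, as an added PowerShell example that is not part of the original post: it lists any command lines cached under the key, flags the two file names the moderator mentions, and backs the key up before the deletion. It assumes AutoRun handlers are stored in subkeys named `command`; the function names and the backup path are hypothetical.

```powershell
# Added example (not from the thread): review MountPoints2 before deleting it.
# Assumption: cached AutoRun handlers sit in subkeys named "command" whose
# default value is the command line Explorer runs for that volume.
$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
# File names the moderator asks the user to search for in the post above.
$Suspect = 'autoregistry\.exe|autorun\.exe'

function Get-MountPointCommand {
    param([string]$Path = $Root)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object {
            $cmd = [string]$_.GetValue('')          # default value of the key
            [pscustomobject]@{
                Key     = $_.Name
                Command = $cmd
                Flagged = ($cmd -match $Suspect)    # -match is case-insensitive
            }
        }
}

function Remove-MountPointCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$BackupFile = "$env:TEMP\mountpoints2-backup.reg")
    # Keep a copy so the command lines can still be examined or submitted later.
    & reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2' $BackupFile /y | Out-Null
    if ($PSCmdlet.ShouldProcess($Root, 'Delete key and all subkeys')) {
        Remove-Item -LiteralPath $Root -Recurse -Force
    }
}

# 1. Show what is registered; flagged rows name the files from the thread.
Get-MountPointCommand | Sort-Object Flagged -Descending | Format-List
# 2. Dry run of the deletion the moderator describes; drop -WhatIf to apply.
Remove-MountPointCache -WhatIf
```

Any path shown in a flagged `Command` value is the file to locate and submit, since the key only points at the executable and does not contain it.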
29.02.2008 04:36
Post
#32
Member | Group: Members | Posts: 10 | Joined: 9.02.2008
QUOTE
Where does Kaspersky detect the backdoor?... where is it located and what is its file name?
Where did CounterSpy detect Bifrost?... location and file name...
Please submit the Bifrost which CounterSpy detected to Kaspersky's VirusLab... instructions shown here: http://forum.kaspersky.com/index.php?showtopic=13881
Click Start>Run>regedit ... navigate to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\ and delete that key/folder
Click Start>Search>File&Folder>AllFilesAndFolders... where it says "all or part of the filename", search for autoregistry.exe and autorun.exe. Submit them to Kaspersky's VirusLab
Also submit the following files to Kaspersky's VirusLab
C:\QooBox\Quarantine\C\WINDOWS\system32\nsprs.dll
C:\QooBox\Quarantine\C\WINDOWS\system32\prsgrc.dll
C:\QooBox\Quarantine\C\WINDOWS\system32\prsrvk.dll

Hi, I had already deleted the registry but once in a while i still get the prompt for the trojan. I searched for autoregistry.exe and autorun.exe and found 2, but i'm quite sure they are not the problem because 1 of them actually fires SQL2000 install menu and the other fires my USB Camera's driver. I'm using Kaspersky 6.0 and i do not have the "send" option. So how do i submit the files? thanks for your prompt reply though..
copied from CounterSpy, sorrie.. i can't find the log file...
QUOTE
Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Deleted
Registry entries detected
HKEY_USERS\S-1-5-21-4079698638-1517994909-2720848000-500\SOFTWARE\WGET

29.02.2008 12:42
Post
#33
Forum Elite | Group: Moderators | Posts: 6828 | Joined: 6.04.2006 | From: London
Don't worry about sending it if you're sure it's clean.
Send the files using instructions shown here: http://forum.kaspersky.com/index.php?showtopic=13881
CounterSpy just found a registry entry, not a malicious file... (nothing to do with something which Kaspersky would have detected)
Open Kaspersky, click "computer protection status" and then the "detected" tab. Please post a screenshot of that. (Make sure we can see everything in the "Object" column; full directory and filename)

3.03.2008 04:17
Post
#34
Member | Group: Members | Posts: 10 | Joined: 9.02.2008
QUOTE
Don't worry about sending it if you're sure it's clean.
Send the files using instructions shown here: http://forum.kaspersky.com/index.php?showtopic=13881
CounterSpy just found a registry entry, not a malicious file... (nothing to do with something which Kaspersky would have detected)
Open Kaspersky, click "computer protection status" and then the "detected" tab. Please post a screenshot of that. (Make sure we can see everything in the "Object" column; full directory and filename)

hi there... i'd emailed the suspected virus files already... hope you guys got it.. the screen shot you requested is as follows... thanks!
This post has been edited by mr_goh: 3.03.2008 04:19

3.03.2008 14:40
Post
#35
Forum Elite | Group: Moderators | Posts: 6828 | Joined: 6.04.2006 | From: London

4.03.2008 11:44
Post
#36
Member | Group: Members | Posts: 10 | Joined: 9.02.2008
QUOTE
Has this happened recently again?... If it has, what trojan was it and where was it located?

hi... i sent another 2 files to the kaspersky team, 2k3.exe and eq currently.. yes... i still have the problem.. kaspersky still prompts the message every once in a while...
if you notice.. the list is getting longer... i'm not sure if the trojan-downloaded.bat.ftp.ab virus is downloading the files.. for your info, the files renamed as *.vir are done by me... i was compiling the virus to be sent to kaspersky for investigation... anyway.. i deleted all the *.vir files already..
This post has been edited by mr_goh: 4.03.2008 11:51

4.03.2008 12:44
Post
#37
Forum Elite | Group: Moderators | Posts: 6828 | Joined: 6.04.2006 | From: London
Can you please post another Combofix log.
Also post a link to your PC's GSI Parser here. Instructions shown here: http://gsi.kaspersky.fr/
Scroll down and read the following links on the page for instructions
"How to create a GetSystemInfo report file using GetSystemInfo utility"
"Video : How to create and upload a GetSystemInfo report?"