Full Version: Backdoor.Win32.Rbot.gay
Kaspersky Lab Forum > English User Forum > Virus-related issues
nenolovesopera
Trojan program Backdoor.Win32.Rbot.gay (Yesterday my Kaspersky found it, and as far as I can see it was deleted... Today, again! My computer was turned on and I was in the other room... And when I came back into my room, where the computer is: WARNING! TROJAN PROGRAM BACKDOOR.WIN32.RBOT.GAY... What is this? I deleted it! And it is deleted, but why is it here again? I had it yesterday for the first time! Please help me, I am a very panicky man!) And what does "gay" mean?

What is this?
Could anyone help me, please? I am really desperate!!! I am really afraid of all the viruses... I hate it! I don't like having a computer because of the viruses :(

Also, help me with this: Detected: Riskware Trojan.generic
What is this and how can I delete it? It's in my C:\WINDOWS\System32\z.exe AND I am afraid! I don't know what is going to happen to my WINDOWS if I delete it!
aroon7651
QUOTE(nenolovesopera @ 3.01.2008 03:14)

Hello nenolovesopera, welcome to the Kaspersky forum. First, please calm down. Then do the following steps:
...............................................
1. First turn off System Restore
............................................
Steps to turn off System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
.....................................................
Then restart your PC in Safe Mode.
F8 - By pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it, you will be brought to a menu where you can choose to boot into Safe Mode. If it does not work on the first try, reboot and try again, as you have to be quick when you press it. I have found that during boot-up, right after the computer shows you all the equipment, memory, etc. installed on your computer, if you start lightly tapping the F8 key you will usually be able to get to the desired menu.
......................................................
In Safe Mode, please run a full system scan with Kaspersky. When the scan is done, just restart your PC in Normal Mode, then go and turn System Restore back on.
........................................................
Steps to turn on System Restore
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to clear the Turn off System Restore check box. Or, click to clear the Turn off System Restore on all drives check box.
4. Click OK.
After you have done everything, please let us know if you are still having problems with that infection.

QUOTE(nenolovesopera)
Also, help me with this: Detected: Riskware Trojan.generic

Trojan.generic is one of the common pop-ups that you will experience; you will mostly receive it during installations.
This behavioural detection is very simple: it fires if a program creates a copy of itself somewhere and then registers that copy as an autostart object. You can find detailed info about this alert HERE (credits to Lucian Bara):
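The "copies itself, then registers the copy for autostart" pattern aroon7651 describes, written out as detection logic. This is an added example, not Kaspersky's detector and not code from the thread: the event schema (process start, file write, registry set, each carrying a hash) is an assumption, the events are constructed, and only the z.exe path comes from this thread. It flags a process that drops a byte-identical copy of its own image and points an autostart value at it, and leaves alone an installer that drops a different binary, which is the distinction the heuristic draws.

```python
"""Added example: correlate 'process writes a copy of itself, then registers
that copy for autostart' over constructed process/file/registry events.
This is not Kaspersky's detector; the event schema is an assumption."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Real Windows autostart locations (matched as case-insensitive substrings of
# the registry key path). Not exhaustive.
AUTOSTART_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\windows nt\currentversion\winlogon",
    r"system\currentcontrolset\services",
)


@dataclass(frozen=True)
class Event:
    kind: str           # "process_start" | "file_write" | "reg_set"
    pid: int
    image: str = ""     # executable of the acting process
    path: str = ""      # file written (file_write)
    sha256: str = ""    # hash of the process image, or of the written file
    key: str = ""       # registry key (reg_set)
    data: str = ""      # registry value data (reg_set)


def _norm(p: str) -> str:
    """Lower-case, strip quotes, unify separators so paths compare equal."""
    return p.strip().strip('"').lower().replace("/", "\\")


def is_autostart_key(key: str) -> bool:
    k = key.lower()
    return any(marker in k for marker in AUTOSTART_KEYS)


def find_self_copy_autostart(events: Iterable[Event]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, image, copy_path, key) for each process that wrote a
    byte-identical copy of its own image (same hash) and then pointed an
    autostart value at that copy. A process that drops a *different*
    binary and registers it is not flagged."""
    image_hash = {}    # pid -> sha256 of the running image
    self_copies = {}   # pid -> normalised paths of self-copies it wrote
    hits = []
    for ev in events:
        if ev.kind == "process_start":
            image_hash[ev.pid] = ev.sha256
        elif ev.kind == "file_write":
            if ev.sha256 and ev.sha256 == image_hash.get(ev.pid):
                self_copies.setdefault(ev.pid, set()).add(_norm(ev.path))
        elif ev.kind == "reg_set" and is_autostart_key(ev.key):
            data = _norm(ev.data)
            for copy in self_copies.get(ev.pid, ()):
                if copy in data:
                    hits.append((ev.pid, ev.image, copy, ev.key))
    return hits


# Constructed sample events. pid 100 copies itself to the path reported in
# this thread and registers the copy under Run; pid 200 behaves like an
# installer, dropping a different binary and registering that.
SETUP = r"C:\Documents and Settings\user\Local Settings\Temp\setup.exe"
SAMPLE_EVENTS = [
    Event("process_start", 100, image=SETUP, sha256="a" * 64),
    Event("file_write", 100, image=SETUP, path=r"C:\WINDOWS\system32\z.exe", sha256="a" * 64),
    Event("reg_set", 100, image=SETUP,
          key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
          data=r'"C:\WINDOWS\system32\z.exe"'),
    Event("process_start", 200, image=r"D:\installer.exe", sha256="b" * 64),
    Event("file_write", 200, image=r"D:\installer.exe",
          path=r"C:\Program Files\App\app.exe", sha256="c" * 64),
    Event("reg_set", 200, image=r"D:\installer.exe",
          key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
          data=r"C:\Program Files\App\app.exe"),
]

if __name__ == "__main__":
    for hit in find_self_copy_autostart(SAMPLE_EVENTS):
        print("self-copy registered for autostart:", hit)
```

The hash comparison is what keeps the rule from firing on every installer: a setup program that drops its payload and registers it writes a different file than its own image, so only a true self-copy matches.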
dawgg
Please submit C:\WINDOWS\System32\z.exe to Kaspersky's VirusLab. Instructions shown here: http://forum.kaspersky.com/index.php?showtopic=13881

Where was Backdoor.Win32.Rbot.gay found... in what file/directory?

Also, Download and run ComboFix. (Allow any warnings Kaspersky gives about it). Attach the log file it creates to your next post.
nenolovesopera
HERE: deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\System Volume Information\_restore{B3529652-8DA3-47B0-8F27-17110D48F545}\RP270\A0069489.exe

HERE:deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\WINDOWS\system32\z.exe


AND HERE: deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\WINDOWS\system\smscg.exe

I think that they are all deleted! Currently, I am doing a scan of LOCAL DISC C and my antivirus found the same virus again (the third one, in system\smscg.exe)... I am so afraid!!! I am really afraid... What is this "gay"? I didn't visit any sex pages!!! How did I catch it? It's 50% scanned and it's going so easy... not at all :)))

And why do I have to do the "System Restore" thing?

Lucian Bara
Hi.
No, "gay" is simply a 3-letter variant designation (it starts at a, b, c, then aa and so on; now it's at ggx). Unfortunately "gay" is a 3-letter word, that's why: http://www.kaspersky.com/viruswatchlite?se...amp;x=0&y=0

Disabling System Restore will clear the C:\System Volume Information\ folder and remove any malware that might be in there.

Do the ComboFix step suggested by dawgg: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Execute it, follow the steps, and when it's done it will create a c:\combofix.txt file. Attach it to your post.
nenolovesopera
Also, I want to say THANK YOU to aroon7651.
I hope that he'll help me with this problem!
I am so scared!
I am a big panic-boy!
Hey... my scan... 55%...

Is it possible that it doesn't recognise the virus? And is it possible for this virus to copy itself after scanning and deleting all the viruses on my computer? Is it possible for it to come alive again?
dawgg
QUOTE(nenolovesopera @ 3.01.2008 20:19) *
Is it possible that it doesn't recognise the virus? And is it possible for this virus to copy itself after scanning and deleting all the viruses on my computer? Is it possible for it to come alive again?

It recognized the trojan. Because the file supposedly reappeared (as you mentioned in your first post), there may be something which is causing it to reappear (which is why we are requesting the log). Or it may be that you had several copies of the same trojan on your computer, and yesterday it detected one of them, and today it's finding the others.

After your scan is completed, post the results here and attach the ComboFix log which was requested in the post.
Restart your computer and see if the trojan and files mentioned below reappear.
C:\WINDOWS\system32\z.exe
C:\WINDOWS\system\smscg.exe
Post back informing us whether they reappear or not.
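dawgg's "restart and see if they reappear" check, made repeatable. This is an added example, not part of the thread and not a Kaspersky tool: it snapshots the two paths named above (hash, or None if absent) before the reboot and again after, then classifies each path. A path that goes from absent to present means something still on the machine is re-dropping the file, which is exactly the case dawgg wants the ComboFix log for; a "changed" hash means a different binary landed at the same name. The demo() scenario runs in a temporary directory with constructed files, so it works on any OS.

```python
"""Added example: record which deleted files come back after a reboot, and
whether what came back is the same binary. Generic file-hash snapshot/diff,
not part of Kaspersky or of the original post."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# The two paths named in this thread. A real run takes the paths from your
# own Kaspersky report instead.
WATCHED = [
    r"C:\WINDOWS\system32\z.exe",
    r"C:\WINDOWS\system\smscg.exe",
]


def sha256_of(path: str):
    """SHA-256 of a file, or None if it does not exist."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Map each watched path to its hash (None = absent)."""
    return {p: sha256_of(p) for p in paths}


def compare(before: dict, after: dict) -> dict:
    """Classify each path as reappeared / still_absent / removed / unchanged / changed."""
    report = {}
    for p, b in before.items():
        a = after.get(p)
        if b is None and a is None:
            report[p] = "still_absent"
        elif b is None:
            report[p] = "reappeared"      # deleted earlier, now back: something re-dropped it
        elif a is None:
            report[p] = "removed"
        elif a == b:
            report[p] = "unchanged"
        else:
            report[p] = "changed"         # present both times, but a different binary
    return report


def save(snap: dict, file: str) -> None:
    Path(file).write_text(json.dumps(snap, indent=1))


def load(file: str) -> dict:
    return json.loads(Path(file).read_text())


def demo() -> dict:
    """Constructed scenario in a temp dir: z.exe is absent at baseline and
    present afterwards; notepad.exe is present and unchanged both times."""
    with tempfile.TemporaryDirectory() as d:
        z = os.path.join(d, "z.exe")
        legit = os.path.join(d, "notepad.exe")
        Path(legit).write_bytes(b"legit")
        before = snapshot([z, legit])
        Path(z).write_bytes(b"MZ...")   # stands in for the file being re-dropped
        after = snapshot([z, legit])
        return compare(before, after)


if __name__ == "__main__":
    # Real use: run once right after the detections are deleted, reboot, run again:
    #   save(snapshot(WATCHED), "before.json")   ...reboot...
    #   print(compare(load("before.json"), snapshot(WATCHED)))
    print(demo())
```

Hashing rather than just checking existence matters for the later posts in this thread, where the same detection name comes back under new file names: a "reappeared" or "changed" result at a watched path is the signal to stop deleting and start looking for the dropper.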
nenolovesopera
Yeah, I think that I had a few of them in 4 locations.
1.deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\System Volume Information\_restore{B3529652-8DA3-47B0-8F27-17110D48F545}\RP270\A0069489.exe
2.deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\System Volume Information\_restore{B3529652-8DA3-47B0-8F27-17110D48F545}\RP270\A0069502.exe
3.deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\WINDOWS\system32\z.exe
4.deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\WINDOWS\system\smscg.exe

So I had 4 other places infected with the same virus.

And the scan is at 74% and it's been staying like this for about 15 minutes or something... I am so afraid!
Tomorrow, after tonight's scan, I am going to scan the computer again (just THE C: local disc), and I'll tell you about the viruses!

So, I am thinking that my KASPERSKY deleted all the viruses!
dawgg
Do not scan the computer again tomorrow. Just restart and see if the files reappear. Maybe scan C:\WINDOWS\, but scanning the whole C: drive is a waste of time.
nenolovesopera
Hey hey... I am feeling so happy!
I have finished scanning my computer and there is nothing more...
...and I restarted my computer, and I saw: nothing reappeared. Is that all?

So... I am checking MY COMPUTER LOCAL DISC C every minute!
The files that were here before are not here anymore!
So, in Local Disc C (system and system32) the files were hidden before I opened them to see whether the virus folders were there again, and I checked that they are not, so how can I make those files hidden again like they were before?

Oh my God... thank you to all of you!!! I was so desperate, but now I am free and more free :))
nenolovesopera
Can you tell me, is that all that I have to do?
dawgg
Yes, that should be all. You do not need to do anything else.

"how can I make those files hidden again like they were before?"... sorry, I do not understand.
nenolovesopera
Well... my English is not good :)))
I just wanted to say that before I opened the C:\WINDOWS\SYSTEM32 and SYSTEM folders, they were hidden and I chose to unhide them! So, they are now unhidden :)
I want to know how I can make them hidden again, or will they stay like this forever?

So, about the TROJAN PROGRAM BACKDOOR.WIN32.RBOT.GAY virus, I found that this is a virus controlled by mIRC servers or something like this.
So, do I have to stop using mIRC or...?
Don Pelotas
Open Explorer, then in the menu choose "Tools", next "Folder Options" and "View"; you can "unhide" there in the list. Using mIRC is up to you; I would not consider using it, but that does not mean it isn't safe as long as you use it with caution.
dawgg
QUOTE(Don Pelotas @ 5.01.2008 11:50) *
"unhide" there in the list.

or hide... "Hidden Files and Folders" > "Do not show hidden files and folders"
nenolovesopera
So... THE SAME PROBLEM AGAIN :(((( I am feeling so nervous :(((
The same virus was found by Kaspersky (with no scanning; it found it when I was writing some messages on MSN). My Kaspersky rang and told me that the same virus was found... Here it is:


deleted: Trojan program Backdoor.Win32.Rbot.gay File: C:\WINDOWS\system32\2k3.exe

So... what is this?
I am so nervous, oh my God... Please help me!!!
dawgg
Do as Lucian posted regarding ComboFix (post #5).
nenolovesopera
And what's "ComboFix"?
Don Pelotas
QUOTE(nenolovesopera @ 6.01.2008 01:57) *
And what's "ComboFix"?

Read post #5.
nenolovesopera
Today, my KASPERSKY found 2 viruses again (the same virus was found).

So, they were found when my computer was turned on with the internet connection on, but I wasn't working on it; I was in the other room.

I spent about 2 hours there, and when I came back to my room I saw that the same virus was there.
I deleted it.

I went back to the other room, and when I came back to the room where the computer is, I found that another virus had been found, so I deleted it!

So what's the problem?

Is it possible for this virus to be sent by some hacker or something, because I am not opening web pages at the moments when the virus comes onto the computer???

Please tell me what I should do; I am afraid and confused!

I hate it!
Lucian Bara
Read post 5 please. It's probably auto-downloaded by something undetected on your PC.
dawgg
Jeeeezzzzzzz!
nenolovesopera
I am so desperate.
After maybe 1 month, the virus came back onto my laptop :(
I am worried.
I don't know how to do the thing from post 5???
Please help me!

And why is the virus called .gay?
Lucian Bara
I already explained why it's .gay, in post 5.

QUOTE
No, "gay" is simply a 3-letter variant designation (it starts at a, b, c, then aa and so on; now it's at ggx). Unfortunately "gay" is a 3-letter word, that's why: http://www.kaspersky.com/viruswatchlite?se...amp;x=0&y=0


How to do it:
1. Download it and save it to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Execute it.
3. Follow the steps; it should be straightforward.
4. When it's done it will probably want to reboot. After the reboot you will find a file called c:\combofix.txt; open it with Notepad, copy the contents and post it here.
nenolovesopera
And so what should I expect from this?
What will the results be?
Don Pelotas
QUOTE(nenolovesopera @ 14.02.2008 15:22) *
And so what should I expect from this?
What will the results be?

I think this is where you ask yourself if you really want any help. You don't have to do what is suggested, but on the other hand, if you don't, then most will probably just ignore you after a while.
mr_goh
Hey... I need help with this... I realized I got this problem yesterday!! And Kaspersky can't seem to delete it, or something else is playing tricks!!

Anyway... I ran ComboFix and I attached the file here... Hope someone can help check if I still need to do anything else to get rid of this stupid Rbot.gay!!

Thanks!!!
mr_goh
QUOTE(mr_goh @ 27.02.2008 11:35) *


Looks like nobody's interested in helping...

But anyway... I scanned my laptop using CounterSpy and managed to detect Bifrost
http://research.sunbelt-software.com/threa...;threatid=29428

and deleted the problem already... Hopefully it's related and my laptop is trojan-free!!!
Baz^^
Posted by mr_goh Today, 03:35

Unfortunately, we do not read posts at 3 AM local time. Remember that we are in different time zones and we also have other responsibilities, so it may take a while for a reply. Be patient.
mr_goh
QUOTE(MAPKOBKA^^ @ 27.02.2008 18:58) *


Oh... hahaha... sorry then... I was expecting people from somewhere... anywhere that can give me an answer... Thanks for the reminder though.

Anyway... looks like CounterSpy didn't solve the problem!! Sigh... the trojan is still around...
dawgg
Where does Kaspersky detect the backdoor?... Where is it located and what is its file name?
Where did CounterSpy detect Bifrost?... Location and file name...
Please submit the Bifrost which CounterSpy detected to Kaspersky's VirusLab... instructions shown here: http://forum.kaspersky.com/index.php?showtopic=13881


Click Start > Run > regedit
... navigate to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\ and delete that key/folder

Click Start > Search > Files & Folders > All Files and Folders... where it says "all or part of the file name", search for autoregistry.exe and autorun.exe. Submit them to Kaspersky's VirusLab.

Also submit the following files to Kaspersky's VirusLab:
C:\QooBox\Quarantine\C\WINDOWS\system32\nsprs.dll
C:\QooBox\Quarantine\C\WINDOWS\system32\prsgrc.dll
C:\QooBox\Quarantine\C\WINDOWS\system32\prsrvk.dll
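Why dawgg pairs "delete MountPoints2" with "search for autorun.exe": Explorer caches each removable volume's Autorun handlers under that key, and an autorun.inf on a USB stick or shared drive can make double-clicking the drive run an executable instead of opening the folder. The parser below is an added example, not code from the thread or from Kaspersky, that reads an autorun.inf and lists every hook that launches something, so you can see what the drive would run before you trust it. The autorun.inf text is constructed; the autorun.exe name is the one the post searches for.

```python
"""Added example: parse an autorun.inf and show which launch hooks it sets.
Explorer caches each volume's Autorun handlers under the MountPoints2 key
that dawgg asks to delete; this parser is ours, not Kaspersky's."""
import re
from typing import Dict, List

LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command overrides what Explorer runs for that context-menu verb
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.I)


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return {hook: command} for every [autorun] entry that launches something:
    open=, shellexecute=, and shell\\<verb>\\command=. Other keys (icon, label,
    action) only affect presentation and are skipped."""
    launches = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() in LAUNCH_KEYS:
            launches[key.lower()] = value
        else:
            m = SHELL_CMD.match(key)
            if m:
                launches["shell\\" + m.group(1).lower()] = value
    return launches


def hijacked_verbs(launches: Dict[str, str]) -> List[str]:
    """Verbs whose default Explorer action has been replaced. Overriding
    'open' or 'explore' means double-clicking the drive in My Computer runs
    the referenced file instead of opening the folder: the removable-media
    trick the autorun.exe search in this thread is aimed at."""
    return sorted(k.split("\\", 1)[1] for k in launches if k.startswith("shell\\"))


# Constructed sample, not taken from the thread.
SAMPLE_INF = """; constructed autorun.inf
[autorun]
open=autorun.exe
shellexecute=autorun.exe
shell\\open\\Command=autorun.exe
shell\\explore\\command=autorun.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    hooks = parse_autorun_inf(SAMPLE_INF)
    for hook, cmd in hooks.items():
        print(f"{hook:16} -> {cmd}")
    print("hijacked verbs:", hijacked_verbs(hooks))
```

The "action=Open folder to view files" line in the sample is the part a user sees in the AutoPlay dialog; the parser ignores it on purpose, because the text shown and the command run are independent fields, which is what makes the disguise work. Deleting MountPoints2, as dawgg suggests, only clears the cached handlers; the autorun.inf and its target on the media are what need removing.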
mr_goh
QUOTE(dawgg @ 28.02.2008 18:25) *


Hi, I had already deleted the registry key, but once in a while I still get the prompt for the trojan.
I searched for autoregistry.exe and autorun.exe and found 2, but I'm quite sure they are not the problem, because one of them actually fires the SQL 2000 install menu and the other fires my USB camera's driver.

I'm using Kaspersky 6.0 and I do not have the "send" option. So how do I submit the files?

Thanks for your prompt reply though.

Copied from CounterSpy; sorry... I can't find the log file...
QUOTE
Bifrost Backdoor more information...
Details: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-4079698638-1517994909-2720848000-500\SOFTWARE\WGET
dawgg
Don't worry about sending it if you're sure it's clean.

Send the files using the instructions shown here: http://forum.kaspersky.com/index.php?showtopic=13881

CounterSpy just found a registry entry, not a malicious file... (nothing to do with something which Kaspersky would have detected)


Open Kaspersky, click "Computer protection status" and then the "Detected" tab. Please post a screenshot of that. (Make sure we can see everything in the "Object" column: full directory and file name.)
mr_goh
QUOTE(dawgg @ 29.02.2008 17:42) *


Hi there... I'd emailed the suspected virus files already... Hope you guys got them.

The screenshot you requested is as follows... Thanks!

dawgg
QUOTE(mr_goh @ 29.02.2008 01:36) *
Hi, I had already deleted the registry key, but once in a while I still get the prompt for the trojan.

Has this happened recently again?... If it has, what trojan was it and where was it located?
mr_goh
QUOTE(dawgg @ 3.03.2008 19:40) *
Has this happened recently again?... If it has, what trojan was it and where was it located?


Hi... I sent another 2 files to the Kaspersky team:
2k3.exe and eq

Currently... yes... I still have the problem... Kaspersky still prompts the message every once in a while...



If you notice... the list is getting longer... I'm not sure if the
Trojan-Downloader.BAT.Ftp.ab virus is downloading the files...

For your info, the files renamed as *.vir were done by me... I was collecting the viruses to be sent to Kaspersky for investigation... Anyway... I deleted all the *.vir files already...
dawgg
Can you please post another ComboFix log.

Also post a link to your PC's GSI Parser report here.
Instructions shown here: http://gsi.kaspersky.fr/
Scroll down and read the following links on the page for instructions:
"How to create a GetSystemInfo report file using GetSystemInfo utility"
"Video: How to create and upload a GetSystemInfo report?"