Need help on home network with recovery from rbot.gen virus

[denzel]

I've tried this question on
miscrosoft.public.windows.vista.networking_sharing and haven't gotten any
help. Hopefully someone here will have more experience with this.

Skipping the stupid part of having the virus in the first place, I need help
in fixing my home network. Virus (rbot.gen) was removed and the file that
was containing the virus was deleted. I've run a couple of anti-virus
programs (and spyware programs) and it is definitely gone.

One of the things this did was kept my two computers (one XP and one Vista -
the one with the virus) from seeing each other on the home network. A
couple of the clues were that Windows Update kept being turned off and I
could no longer print from the XP computer to the printer attached to the
Vista computer. So I know that the bot would turn off the Windows Update
service, but I don't know what it did to the home networking.

Can anyone give me some directions to help?

Both computers (wired) and 2 TIVOs (1 wired, 1 wireless) can access the
internet just fine through my Linksys WRT54G router and could do this even
with the bot running. XP computer has also been scanned for any viruses
(and spyware) and is clean. I've deleted and re-established home networking
on both computers with the same workgroup name on both computers. Windows
firewall is not running on either computer (no other firewall for anti-virus
programs are running to interfere with the network). I've changed all the
network settings on the Vista computer to one way, then back. Hey, it's
worked before just fine but stopped working when the Vista computer was
infected. I've looked through the Services to reset back to automatic those
services that looked network related that were set to disabled.

I'm guessing that the bot turned off a service that I need or changed a
registry value that isn't resetting by removing and re-establishing a home
network (I've tried changing workgroup names also). Does anyone know
exactly what this bot did to me? Or can you point me to specific directions
I need to walk through? (I've looked through and followed what I could from
http://nitecruzr.blogspot.com/2005/05/troubleshooting-network-neighborhood.html#AskingForHelp
but maybe someone could point me directly to what I need to follow here.
Cabling, pinging the internet, etc. works, but no seeing the other computers
on the network.).

I've seen that an anonymoususer setting in the registry can get changed by
this virus, but I haven't seen anything that tells me what the setting
should be changed back to. Has anyone got any experience in recovering from
this virus?

Thanks for taking the time to help.

 

[David H. Lipman]

From: "denzel" <denzel@nothere.com>

| I've tried this question on
| miscrosoft.public.windows.vista.networking_sharing and haven't gotten any
| help. Hopefully someone here will have more experience with this.
|
| Skipping the stupid part of having the virus in the first place, I need help
| in fixing my home network. Virus (rbot.gen) was removed and the file that
| was containing the virus was deleted. I've run a couple of anti-virus
| programs (and spyware programs) and it is definitely gone.
|
| One of the things this did was kept my two computers (one XP and one Vista -
| the one with the virus) from seeing each other on the home network. A
| couple of the clues were that Windows Update kept being turned off and I
| could no longer print from the XP computer to the printer attached to the
| Vista computer. So I know that the bot would turn off the Windows Update
| service, but I don't know what it did to the home networking.
|
| Can anyone give me some directions to help?
|
| Both computers (wired) and 2 TIVOs (1 wired, 1 wireless) can access the
| internet just fine through my Linksys WRT54G router and could do this even
| with the bot running. XP computer has also been scanned for any viruses
| (and spyware) and is clean. I've deleted and re-established home networking
| on both computers with the same workgroup name on both computers. Windows
| firewall is not running on either computer (no other firewall for anti-virus
| programs are running to interfere with the network). I've changed all the
| network settings on the Vista computer to one way, then back. Hey, it's
| worked before just fine but stopped working when the Vista computer was
| infected. I've looked through the Services to reset back to automatic those
| services that looked network related that were set to disabled.
|
| I'm guessing that the bot turned off a service that I need or changed a
| registry value that isn't resetting by removing and re-establishing a home
| network (I've tried changing workgroup names also). Does anyone know
| exactly what this bot did to me? Or can you point me to specific directions
| I need to walk through? (I've looked through and followed what I could from
| http://nitecruzr.blogspot.com/2005/05/troubleshooting-network-neighborhood.html#AskingForHelp
| but maybe someone could point me directly to what I need to follow here.
| Cabling, pinging the internet, etc. works, but no seeing the other computers
| on the network.).
|
| I've seen that an anonymoususer setting in the registry can get changed by
| this virus, but I haven't seen anything that tells me what the setting
| should be changed back to. Has anyone got any experience in recovering from
| this virus?
|
| Thanks for taking the time to help.
|


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose Unzip
Choose Close

Execute C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 

[denzel]

Thanks....but, this is just a method of scanning for viruses with multiple
av programs, right?

I don't have the virus any more, so they won't find any and can't fix any.
I've cleaned the system from viruses, but what I need is help in fixing
whatever settings were changed for my home network.

So even if these programs could fix the changed settings if they found the
virus, they can't fix it now because I don't have the virus any longer. I
guess I could re-install the virus and see if these programs would do a
better job of recovery, but I don't like that method.

I guess I'm looking for a little higher level of expertise help from someone
that actually knows what this virus changed in my registry or services and
what I need to do to fix it back.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OmXuus7VIHA.4076@TK2MSFTNGP03.phx.gbl...
> From: "denzel" <denzel@nothere.com>
>
> | I've tried this question on
> | miscrosoft.public.windows.vista.networking_sharing and haven't gotten
> any
> | help. Hopefully someone here will have more experience with this.
> |
> | Skipping the stupid part of having the virus in the first place, I need
> help
> | in fixing my home network. Virus (rbot.gen) was removed and the file
> that
> | was containing the virus was deleted. I've run a couple of anti-virus
> | programs (and spyware programs) and it is definitely gone.
> |
> | One of the things this did was kept my two computers (one XP and one
> Vista -
> | the one with the virus) from seeing each other on the home network. A
> | couple of the clues were that Windows Update kept being turned off and I
> | could no longer print from the XP computer to the printer attached to
> the
> | Vista computer. So I know that the bot would turn off the Windows
> Update
> | service, but I don't know what it did to the home networking.
> |
> | Can anyone give me some directions to help?
> |
> | Both computers (wired) and 2 TIVOs (1 wired, 1 wireless) can access the
> | internet just fine through my Linksys WRT54G router and could do this
> even
> | with the bot running. XP computer has also been scanned for any viruses
> | (and spyware) and is clean. I've deleted and re-established home
> networking
> | on both computers with the same workgroup name on both computers.
> Windows
> | firewall is not running on either computer (no other firewall for
> anti-virus
> | programs are running to interfere with the network). I've changed all
> the
> | network settings on the Vista computer to one way, then back. Hey, it's
> | worked before just fine but stopped working when the Vista computer was
> | infected. I've looked through the Services to reset back to automatic
> those
> | services that looked network related that were set to disabled.
> |
> | I'm guessing that the bot turned off a service that I need or changed a
> | registry value that isn't resetting by removing and re-establishing a
> home
> | network (I've tried changing workgroup names also). Does anyone know
> | exactly what this bot did to me? Or can you point me to specific
> directions
> | I need to walk through? (I've looked through and followed what I could
> from
> |
> http://nitecruzr.blogspot.com/2005/05/troubleshooting-network-neighborhood.html#AskingForHelp
> | but maybe someone could point me directly to what I need to follow here.
> | Cabling, pinging the internet, etc. works, but no seeing the other
> computers
> | on the network.).
> |
> | I've seen that an anonymoususer setting in the registry can get changed
> by
> | this virus, but I haven't seen anything that tells me what the setting
> | should be changed back to. Has anyone got any experience in recovering
> from
> | this virus?
> |
> | Thanks for taking the time to help.
> |
>
>
> Download MULTI_AV.EXE from the URL --
> http://www.pctipp.ch/downloads/dl/35905.asp
>
> To use this utility, perform the following...
> Execute Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose Unzip
> Choose Close
>
> Execute C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE to
> go through your
> FireWall to allow it to download the needed AV vendor related files.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in
> Normal Mode.
> This way all the components can be downloaded from each AV vendor's web
> site.
> The choices are Sophos, Trend, McAfee, Kaspersky, Exit this menu and
> Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files
> or you can
> download the files and perform a scan in Normal Mode. Once you have
> downloaded the files
> needed for each scanner you want to use, you should reboot the PC into
> Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want
> to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal
> Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more
> comprehensive PDF help
> file.
>
> Additional Instructions:
> http://pcdid.com/Multi_AV.htm
>
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>

 

[David H. Lipman]

From: "denzel" <denzel@nothere.com>

| Thanks....but, this is just a method of scanning for viruses with multiple
| av programs, right?
|
| I don't have the virus any more, so they won't find any and can't fix any.
| I've cleaned the system from viruses, but what I need is help in fixing
| whatever settings were changed for my home network.
|
| So even if these programs could fix the changed settings if they found the
| virus, they can't fix it now because I don't have the virus any longer. I
| guess I could re-install the virus and see if these programs would do a
| better job of recovery, but I don't like that method.
|
| I guess I'm looking for a little higher level of expertise help from someone
| that actually knows what this virus changed in my registry or services and
| what I need to do to fix it back.
|

Unfortunately all we have is the name, RBot.Gen. Not even the AV application that declared
it.

By this name all we know is this is a Generic RBot worm. Specifics can NOT be provided.

There are two options if substantial alterations of the OS have been made...

Restore the OS to point prior to the RBot infection.

Wipe, reformat and re-install the OS from scratch.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 

[denzel]

I never quite know how to respond to replies like this. I don't really like
to argue in forums for some reason it never seems to help and it certainly
won't change your mind. But maybe if I keep this thread open with one more
entry, the right person will see it. But I also know that if you don't get
an answer in the first 12 hours, you're likely not going to get it.

I'm sure there are hundreds of people with the question like "My computer is
going slow I must have a virus What do I do???" And your answer is great
for them. But my original post clearly states that I've removed the virus I
had, but I need help in fixing my network. Now we can argue about whether
you think I removed it or not, but I'm not asking you to weigh in on this.
You gave me your stock answer on virus scanning. Thanks, but I don't need
that.

So I responded because I don't want anyone reading this thread to think that
you've solved my problem and I don't need any more help. But of course you
have to justify your first response. You can't help me because I didn't
give you the specific anti-virus program and specific name that the scan
found. You even yelled! ("Specifics can NOT be provided.") No soup for
you!

Obviously, there's a lot more information I can provide, down to the serial
number of my motherboard. But the original post didn't justify all that
detail. Do you know anything about this family of viruses and what setting
changes it could make to my network? Do you have information that could
help me but you are holding out because I didn't give you a specific av
scanner name? I'd be glad to provide whatever details the right
knowledgeable person would need to help me. In fact, I just need to be
pointed in the right general direction from somebody that knows something.
But you don't sound like the one. Especially since you didn't fully read
the original post and gave me a canned answer that didn't apply to me. And
you gave me such useful information. Only two options? You left out

Buy a new computer.

Do without any computers.

Spread the virus to as many other computers as you can in hopes that someone
will have the same problem and post a solution.

Do without home networking.

Track down the original virus author and get his help.

Get a degree in computer programming with a minor in viruses and fix it
yourself.

Ask someone smarter than David H. Lipman.

Yeah, I apologize now. I'm kind of bored and thought I'd just type for a
while. Really, no hard feelings. You're not required to help me and you
probably do help a lot of people. Hopefully, I haven't pissed you off. I'm
just another ranter without anything useful to say. Just trying to be funny
today. Rant back at me if you wish and I'll read it and not take it
personal and won't post a reply. Or of course you can take the higher
ground and just ignore me. Probably be the best if I had done the same. I
really appreciate all the help I do find on public boards and the internet.
Like I said at the top of this reply, I just wanted to keep this thread
alive for one more post in case someone really could help a fellow out.
Have a good day.

Dennis



"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OEdWFr8VIHA.1184@TK2MSFTNGP04.phx.gbl...
> From: "denzel" <denzel@nothere.com>
>
> | Thanks....but, this is just a method of scanning for viruses with
> multiple
> | av programs, right?
> |
> | I don't have the virus any more, so they won't find any and can't fix
> any.
> | I've cleaned the system from viruses, but what I need is help in fixing
> | whatever settings were changed for my home network.
> |
> | So even if these programs could fix the changed settings if they found
> the
> | virus, they can't fix it now because I don't have the virus any longer.
> I
> | guess I could re-install the virus and see if these programs would do a
> | better job of recovery, but I don't like that method.
> |
> | I guess I'm looking for a little higher level of expertise help from
> someone
> | that actually knows what this virus changed in my registry or services
> and
> | what I need to do to fix it back.
> |
>
> Unfortunately all we have is the name, RBot.Gen. Not even the AV
> application that declared
> it.
>
> By this name all we know is this is a Generic RBot worm. Specifics can
> NOT be provided.
>
> There are two options if substantial alterations of the OS have been
> made...
>
> Restore the OS to point prior to the RBot infection.
>
> Wipe, reformat and re-install the OS from scratch.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
>
>

 

[David H. Lipman]

From: "denzel" <denzel@nothere.com>

| I never quite know how to respond to replies like this. I don't really like
| to argue in forums for some reason it never seems to help and it certainly
| won't change your mind. But maybe if I keep this thread open with one more
| entry, the right person will see it. But I also know that if you don't get
| an answer in the first 12 hours, you're likely not going to get it.
|
| I'm sure there are hundreds of people with the question like "My computer is
| going slow I must have a virus What do I do???" And your answer is great
| for them. But my original post clearly states that I've removed the virus I
| had, but I need help in fixing my network. Now we can argue about whether
| you think I removed it or not, but I'm not asking you to weigh in on this.
| You gave me your stock answer on virus scanning. Thanks, but I don't need
| that.
|
| So I responded because I don't want anyone reading this thread to think that
| you've solved my problem and I don't need any more help. But of course you
| have to justify your first response. You can't help me because I didn't
| give you the specific anti-virus program and specific name that the scan
| found. You even yelled! ("Specifics can NOT be provided.") No soup for
| you!
|
| Obviously, there's a lot more information I can provide, down to the serial
| number of my motherboard. But the original post didn't justify all that
| detail. Do you know anything about this family of viruses and what setting
| changes it could make to my network? Do you have information that could
| help me but you are holding out because I didn't give you a specific av
| scanner name? I'd be glad to provide whatever details the right
| knowledgeable person would need to help me. In fact, I just need to be
| pointed in the right general direction from somebody that knows something.
| But you don't sound like the one. Especially since you didn't fully read
| the original post and gave me a canned answer that didn't apply to me. And
| you gave me such useful information. Only two options? You left out
|
| Buy a new computer.
|
| Do without any computers.
|
| Spread the virus to as many other computers as you can in hopes that someone
| will have the same problem and post a solution.
|
| Do without home networking.
|
| Track down the original virus author and get his help.
|
| Get a degree in computer programming with a minor in viruses and fix it
| yourself.
|
| Ask someone smarter than David H. Lipman.
|
| Yeah, I apologize now. I'm kind of bored and thought I'd just type for a
| while. Really, no hard feelings. You're not required to help me and you
| probably do help a lot of people. Hopefully, I haven't pissed you off. I'm
| just another ranter without anything useful to say. Just trying to be funny
| today. Rant back at me if you wish and I'll read it and not take it
| personal and won't post a reply. Or of course you can take the higher
| ground and just ignore me. Probably be the best if I had done the same. I
| really appreciate all the help I do find on public boards and the internet.
| Like I said at the top of this reply, I just wanted to keep this thread
| alive for one more post in case someone really could help a fellow out.
| Have a good day.
|
| Dennis
|

Dennis:

I have been studying viruses since ~1990 when I removed the Jerusalem.B virus from a Netware
v2.x network. I fully understand your problem but I have to state that are many versions of
Bot worms GAOBot, RBot, SDBot, etc. In each family of Bot worms there are *many* Bot
variants. Each variant has a varied attack vector and payload.

The problem is different anti virus vendors often name the SAME infector differently. Thus
knowing what the anti virus application (vendor) was that removed this can narrow down what
this Bot actually is. I will also reiterate that the declaration was for a Generic RBot.
Thus the decalraration is none specific and the exact modifications to the Registry and the
OS can't be provided. Knowing WHO the AV vendor is that declared this infector can at least
provide generic information on OS modifications. I do not understand your unwillingness to
provide the requested AV vendor.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 

[Leonard Agoado]

"denzel" <denzel@nothere.com> wrote in message
news:newscache$qy0ruj$ymm$1@dada.knx.tva.gov...


> I never quite know how to respond to replies like this...

That is usually a good indicator that you should hold your tongue
and proceed no further.

What David was telling you is that you were asking for a specific
course of action based on a generic description of your problem.
This would be like asking a mechanic, "How do I perform a tune-up
on my car? It's yellow." Would you really get that pissy if he
had the nerve to ask, "What make and model is it?"

Reread his response with a bit less attitude, and you'll know how
to respond.


Len Agoado
agoado@msn.com

 

[kurt wismer]

denzel wrote:
> I never quite know how to respond to replies like this. I don't really like
> to argue in forums for some reason it never seems to help and it certainly
> won't change your mind. But maybe if I keep this thread open with one more
> entry, the right person will see it. But I also know that if you don't get
> an answer in the first 12 hours, you're likely not going to get it.
>
> I'm sure there are hundreds of people with the question like "My computer is
> going slow I must have a virus What do I do???" And your answer is great
> for them. But my original post clearly states that I've removed the virus I
> had, but I need help in fixing my network. Now we can argue about whether
> you think I removed it or not, but I'm not asking you to weigh in on this.
> You gave me your stock answer on virus scanning. Thanks, but I don't need
> that.

you've misunderstood his answer... his answer is that there is too
little information provided to give you a solution to your problem and
with a {whatever}.gen declaration from an unknown scanner he is most
certainly correct... worse still for you, the actual malware is now gone
so any hopes of acquiring additional information necessary to reverse
it's specific OS changes are lost... (just one more reason to use
quarantine instead of disinfect/delete)

> So I responded because I don't want anyone reading this thread to think that
> you've solved my problem and I don't need any more help.

indeed, your problem isn't *solved* but there's little anyone else can
do to help you at this point...

> But of course you
> have to justify your first response. You can't help me because I didn't
> give you the specific anti-virus program and specific name that the scan
> found. You even yelled! ("Specifics can NOT be provided.") No soup for
> you!

he was putting emphasis on the "not"... that's not yelling... people
don't yell single words in the middle of normal sentences (unless
perhaps they have a neurological condition beyond their control)...

> Obviously, there's a lot more information I can provide, down to the serial
> number of my motherboard.

unfortunately none of it (save for the scanner that you used) will help
narrow down which piece of malware you had...

you may think that all members of a particular malware family behave
enough alike that what works for fixing one will work for others, but if
so you'd be wrong...

knowing the scanner you used *might* help (though i wouldn't hold my
breath, personally)... otherwise i think his suggestions of restoring to
a previous state or rebuilding from scratch are probably your best
options... if you really want one more then how about comparing the
networking related files/settings/registry entries from your machine
with a similar but working machine...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

 

[denzel]

Thanks for your replies.

The original virus was found and cleaned by Windows Defender. I'm not sure
of the exact syntax anymore, but it was identified as win32/rbot.gen or
winsys32/rbot.gen. And I already agree that it's not much to go on.

I have the original file also, Bit Defender recognizes it as
GenPack:Generic.Sdbot.4502EEEF. More specific, but I'm not sure that
provides me any specifc help.

With so many viruses out there, I never expected a specific solution that
fit only this specific virus. I did internet searches and AV website
searches (and newsgroup searches) first to see if there was any information
available. I believe in self-help whenever possible. You learn more that
way. The only information I found wasn't very exact although a couple of
websites did mention changing of registry values such as anonymoususer.
This information looked more XP versus Vista as the values didn't match
anything I thought was close enough to change.

The best I hoped for was someone that had seen similar problems for certain
classes of viruses that do "...whatever..." and could give me some pointers
as to what to look for. Or someone pointing me to another website or forum
that was more suited to my problem.

System recovery did not go back far enough to restore before this problem
(about a month). And I've reloaded OS's on machines before it's just time
consuming. I know it's a cure-all for a lot of things, but I thought I'd
look for an easier solution first. Right now it just affects my ability to
share files and printers with my daughter's machine.

In looking through the networking groups, I see that a lot of people are
having trouble sharing between XP and Vista machines. My concern would be
that some recent patch during the time I had the virus is the real source of
my network problem. I'd be pretty dejected if I reloaded Vista and the
updates and all my other programs...and then had the same problem.

 

[BoaterDave]

Hello Dennis

You may care to drop in here to seek advice: http://aumha.net/ (You will
have to 'register' before making a post)

I suggest you post your query in the General Discussion section and let the
Moderators decide where to move the thread should it develop. There are some
very clever people there with much knowledge! )

Dave

***************************************************
"denzel" <denzel@nothere.com> wrote in message
news:newscache$ykzzuj$czj$1@dada.knx.tva.gov...
> Thanks for your replies.
>
> The original virus was found and cleaned by Windows Defender. I'm not
> sure of the exact syntax anymore, but it was identified as win32/rbot.gen
> or winsys32/rbot.gen. And I already agree that it's not much to go on.
>
> I have the original file also, Bit Defender recognizes it as
> GenPack:Generic.Sdbot.4502EEEF. More specific, but I'm not sure that
> provides me any specifc help.
>
> With so many viruses out there, I never expected a specific solution that
> fit only this specific virus. I did internet searches and AV website
> searches (and newsgroup searches) first to see if there was any
> information available. I believe in self-help whenever possible. You
> learn more that way. The only information I found wasn't very exact
> although a couple of websites did mention changing of registry values such
> as anonymoususer. This information looked more XP versus Vista as the
> values didn't match anything I thought was close enough to change.
>
> The best I hoped for was someone that had seen similar problems for
> certain classes of viruses that do "...whatever..." and could give me some
> pointers as to what to look for. Or someone pointing me to another
> website or forum that was more suited to my problem.
>
> System recovery did not go back far enough to restore before this problem
> (about a month). And I've reloaded OS's on machines before it's just
> time consuming. I know it's a cure-all for a lot of things, but I thought
> I'd look for an easier solution first. Right now it just affects my
> ability to share files and printers with my daughter's machine.
>
> In looking through the networking groups, I see that a lot of people are
> having trouble sharing between XP and Vista machines. My concern would be
> that some recent patch during the time I had the virus is the real source
> of my network problem. I'd be pretty dejected if I reloaded Vista and the
> updates and all my other programs...and then had the same problem.
>
>

 

[Leonard Agoado]

"denzel" <denzel@nothere.com> wrote in message
news:newscache$ykzzuj$czj$1@dada.knx.tva.gov...
> Thanks for your replies.
>
> The original virus was found and cleaned by Windows Defender.
> I'm not sure of the exact syntax anymore, but it was identified
> as win32/rbot.gen or winsys32/rbot.gen. And I already agree
> that it's not much to go on.
>
> I have the original file also...



Denzel,

If you have the original file, upload it to
http://www.virustotal.com and report the results back here.

Regards,

Leonard Agoado
agoado@msn.com

 

[denzel]

> Denzel,
>
> If you have the original file, upload it to http://www.virustotal.com
> and report the results back here.
>
> Regards,
>
> Leonard Agoado
> agoado@msn.com
>

http://www.virustotal.com/analisis/eb1fcb79ea86a866a31ca76bcc285695



Antivirus Version Last Update Result

AhnLab-V3 - - -

AntiVir - - BAT/RBot.94038

Authentium - - -

Avast - - Win32:Rbot-CYW

AVG - - IRC/BackDoor.SdBot3.XGI

BitDefender - - GenPack:Generic.Sdbot.4502EEEF

CAT-QuickHeal - - Backdoor.Rbot.fwe

ClamAV - - -

DrWeb - - Win32.HLLW.MyBot.based

eSafe - - suspicious Trojan/Worm

eTrust-Vet - - Win32/Rbot!generic

Ewido - - -

FileAdvisor - - -

Fortinet - - -

F-Prot - - -

F-Secure - - Backdoor.Win32.Rbot.fwe

Ikarus - - Backdoor.Win32.Rbot.aeu

Kaspersky - - Backdoor.Win32.Rbot.fwe

McAfee - - -

Microsoft - - Backdoor:Win32/Rbot.gen

NOD32v2 - - a variant of Win32/Rbot

Norman - - W32/Spybot.CKSQ

Panda - - W32/Sdbot.LMD.worm

Prevx1 - - Backdoor.IRCBot.gen

Rising - - Backdoor.Win32.Rbot.GEN

Sophos - - Mal/Generic-A

Sunbelt - - Backdoor.SDBot

Symantec - - -

TheHacker - - -

VBA32 - - Win32.HLLW.MyBot.based

VirusBuster - - -

Webwasher-Gateway - - Worm.Rbot.210944

Additional information

MD5: fc216d7b5859115a618d3adc83359349

SHA1: 18a8897baa1b1ded75e221be47cd0841d305eb6f

SHA256: 73a3f914ca5f0c2ce76186288f4c8919ea73dbc0f4c5e13fc38806ec721cc6df

SHA512: 915653b73f83b657f9ed19806d3fdcbfd3857837245d5c18836972fd32002dfe

a6362bf50a7b335ed0f03d85b371cbcd28b0a18e681a24100145610b9c0ef567

 

[AyeKantSpeylGud]

Hi Denzel,

I have to admit that I can totally understand your frustration with this. I
came to this page looking for the exact same thing - I had a virus, a BUNCH
of them, as well as spyware and other garbage that had done a number of
things to make it next to impossible to get rid of them. One of the things it
did was to turn off the ability to go straight to Windows Update. (It'd also
turned off Control Panel, disabled Regedit, all saying that it'd been blocked
by the system administrator, even though I AM the System Administrator!)

If I am personally understanding you correctly, you are simply asking for
where in the registry you can turn it back on - now that you HAVE gotten rid
of the virus! I am currently stuck in the same situation. If I find the
answer, I will try to post it back here for you. Who knows though, it's been
a few days, perhaps you've already found the answer!

Take care and best of luck!

Heather

"denzel" wrote:

> > Denzel,
> >
> > If you have the original file, upload it to http://www.virustotal.com
> > and report the results back here.
> >
> > Regards,
> >
> > Leonard Agoado
> > agoado@msn.com
> >
>
> http://www.virustotal.com/analisis/eb1fcb79ea86a866a31ca76bcc285695
>
>
>
> Antivirus Version Last Update Result
>
> AhnLab-V3 - - -
>
> AntiVir - - BAT/RBot.94038
>
> Authentium - - -
>
> Avast - - Win32:Rbot-CYW
>
> AVG - - IRC/BackDoor.SdBot3.XGI
>
> BitDefender - - GenPack:Generic.Sdbot.4502EEEF
>
> CAT-QuickHeal - - Backdoor.Rbot.fwe
>
> ClamAV - - -
>
> DrWeb - - Win32.HLLW.MyBot.based
>
> eSafe - - suspicious Trojan/Worm
>
> eTrust-Vet - - Win32/Rbot!generic
>
> Ewido - - -
>
> FileAdvisor - - -
>
> Fortinet - - -
>
> F-Prot - - -
>
> F-Secure - - Backdoor.Win32.Rbot.fwe
>
> Ikarus - - Backdoor.Win32.Rbot.aeu
>
> Kaspersky - - Backdoor.Win32.Rbot.fwe
>
> McAfee - - -
>
> Microsoft - - Backdoor:Win32/Rbot.gen
>
> NOD32v2 - - a variant of Win32/Rbot
>
> Norman - - W32/Spybot.CKSQ
>
> Panda - - W32/Sdbot.LMD.worm
>
> Prevx1 - - Backdoor.IRCBot.gen
>
> Rising - - Backdoor.Win32.Rbot.GEN
>
> Sophos - - Mal/Generic-A
>
> Sunbelt - - Backdoor.SDBot
>
> Symantec - - -
>
> TheHacker - - -
>
> VBA32 - - Win32.HLLW.MyBot.based
>
> VirusBuster - - -
>
> Webwasher-Gateway - - Worm.Rbot.210944
>
> Additional information
>
> MD5: fc216d7b5859115a618d3adc83359349
>
> SHA1: 18a8897baa1b1ded75e221be47cd0841d305eb6f
>
> SHA256: 73a3f914ca5f0c2ce76186288f4c8919ea73dbc0f4c5e13fc38806ec721cc6df
>
> SHA512: 915653b73f83b657f9ed19806d3fdcbfd3857837245d5c18836972fd32002dfe
>
> a6362bf50a7b335ed0f03d85b371cbcd28b0a18e681a24100145610b9c0ef567
>
>
>
>
>

 

[AyeKantSpeylGud]

I think I found it! I tried it and it just worked for me. :-D

Go here: http://windowsxp.mvps.org/aupolicy.htm

Basically...

Open Regedit.
Go to HKLM\Software\Policies\Windows\WindowsUpdate\AU
Delete or change any value that implies disabling Windows Update (See
website). I did not have any values in this key.

Also check:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
Delete or change any value indicating that Windows Update will be disabled.
I did not have the values that the website mentions but the virus had entered
a "NoWindowsUpdate" and had that value ON.

In that same exact area was a different option for no control panel! I knew
I should've changed that, I thought it was weird when I first saw that but I
didn't bother. Oh well. Hope that helps you as much as it did me!

Take care & Best Luck!!!
Heather


HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \
Policies \ WindowsUpdate

In the right-pane, delete the value DisableWindowsUpdateAccess





"denzel" wrote:

> > Denzel,
> >
> > If you have the original file, upload it to http://www.virustotal.com
> > and report the results back here.
> >
> > Regards,
> >
> > Leonard Agoado
> > agoado@msn.com
> >
>
> http://www.virustotal.com/analisis/eb1fcb79ea86a866a31ca76bcc285695
>
>
>
> Antivirus Version Last Update Result
>
> AhnLab-V3 - - -
>
> AntiVir - - BAT/RBot.94038
>
> Authentium - - -
>
> Avast - - Win32:Rbot-CYW
>
> AVG - - IRC/BackDoor.SdBot3.XGI
>
> BitDefender - - GenPack:Generic.Sdbot.4502EEEF
>
> CAT-QuickHeal - - Backdoor.Rbot.fwe
>
> ClamAV - - -
>
> DrWeb - - Win32.HLLW.MyBot.based
>
> eSafe - - suspicious Trojan/Worm
>
> eTrust-Vet - - Win32/Rbot!generic
>
> Ewido - - -
>
> FileAdvisor - - -
>
> Fortinet - - -
>
> F-Prot - - -
>
> F-Secure - - Backdoor.Win32.Rbot.fwe
>
> Ikarus - - Backdoor.Win32.Rbot.aeu
>
> Kaspersky - - Backdoor.Win32.Rbot.fwe
>
> McAfee - - -
>
> Microsoft - - Backdoor:Win32/Rbot.gen
>
> NOD32v2 - - a variant of Win32/Rbot
>
> Norman - - W32/Spybot.CKSQ
>
> Panda - - W32/Sdbot.LMD.worm
>
> Prevx1 - - Backdoor.IRCBot.gen
>
> Rising - - Backdoor.Win32.Rbot.GEN
>
> Sophos - - Mal/Generic-A
>
> Sunbelt - - Backdoor.SDBot
>
> Symantec - - -
>
> TheHacker - - -
>
> VBA32 - - Win32.HLLW.MyBot.based
>
> VirusBuster - - -
>
> Webwasher-Gateway - - Worm.Rbot.210944
>
> Additional information
>
> MD5: fc216d7b5859115a618d3adc83359349
>
> SHA1: 18a8897baa1b1ded75e221be47cd0841d305eb6f
>
> SHA256: 73a3f914ca5f0c2ce76186288f4c8919ea73dbc0f4c5e13fc38806ec721cc6df
>
> SHA512: 915653b73f83b657f9ed19806d3fdcbfd3857837245d5c18836972fd32002dfe
>
> a6362bf50a7b335ed0f03d85b371cbcd28b0a18e681a24100145610b9c0ef567
>
>
>
>
>