Windows 7 - Need help on home network with recovery from rbot.gen virus
Asked By denzel
15-Jan-08 01:02 PM

I've tried this question on
microsoft.public.windows.vista.networking_sharing and haven't gotten any
help. Hopefully someone here will have more experience with this.
Skipping the stupid part of having the virus in the first place, I need help
in fixing my home network. Virus (rbot.gen) was removed and the file that
was containing the virus was deleted. I've run a couple of anti-virus
programs (and spyware programs) and it is definitely gone.
One of the things this did was kept my two computers (one XP and one Vista -
the one with the virus) from seeing each other on the home network. A
couple of the clues were that Windows Update kept being turned off and I
could no longer print from the XP computer to the printer attached to the
Vista computer. So I know that the bot would turn off the Windows Update
service, but I don't know what it did to the home networking.
Can anyone give me some directions to help?
Both computers (wired) and 2 TIVOs (1 wired, 1 wireless) can access the
internet just fine through my Linksys WRT54G router and could do this even
with the bot running. XP computer has also been scanned for any viruses
(and spyware) and is clean. I've deleted and re-established home networking
on both computers with the same workgroup name on both computers. Windows
firewall is not running on either computer (no other firewall for anti-virus
programs are running to interfere with the network). I've changed all the
network settings on the Vista computer to one way, then back. Hey, it's
worked before just fine but stopped working when the Vista computer was
infected. I've looked through the Services to reset back to automatic those
services that looked network related that were set to disabled.
I'm guessing that the bot turned off a service that I need or changed a
registry value that isn't resetting by removing and re-establishing a home
network (I've tried changing workgroup names also). Does anyone know
exactly what this bot did to me? Or can you point me to specific directions
I need to walk through? (I've looked through and followed what I could from
http://nitecruzr.blogspot.com/2005/05/troubleshooting-network-neighborhood.html#AskingForHelp
but maybe someone could point me directly to what I need to follow here.
Cabling, pinging the internet, etc. works, but no seeing the other computers
on the network.).
I've seen that an anonymoususer setting in the registry can get changed by
this virus, but I haven't seen anything that tells me what the setting
should be changed back to. Has anyone got any experience in recovering from
this virus?
Thanks for taking the time to help.
David H. Lipman replied...

From: "denzel" <denzel@nothere.com>
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
Additional Instructions:
http://pcdid.com/Multi_AV.htm
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
denzel replied...
Thanks....but, this is just a method of scanning for viruses with multiple
av programs, right?
I don't have the virus any more, so they won't find any and can't fix any.
I've cleaned the system from viruses, but what I need is help in fixing
whatever settings were changed for my home network.
So even if these programs could fix the changed settings if they found the
virus, they can't fix it now because I don't have the virus any longer. I
guess I could re-install the virus and see if these programs would do a
better job of recovery, but I don't like that method.
I guess I'm looking for a little higher level of expertise help from someone
that actually knows what this virus changed in my registry or services and
what I need to do to fix it back.
David H. Lipman replied...
From: "denzel" <denzel@nothere.com>
Unfortunately all we have is the name, RBot.Gen. Not even the AV application that declared
it.
By this name all we know is this is a Generic RBot worm. Specifics can NOT be provided.
There are two options if substantial alterations of the OS have been made...
Restore the OS to point prior to the RBot infection.
Wipe, reformat and re-install the OS from scratch.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman replied...

From: "denzel" <denzel@nothere.com>
Dennis:
I have been studying viruses since ~1990 when I removed the Jerusalem.B virus from a Netware
v2.x network. I fully understand your problem but I have to state that there are many versions of
Bot worms; GAOBot, RBot, SDBot, etc. In each family of Bot worms there are *many* Bot
variants. Each variant has a varied attack vector and payload.
The problem is different anti virus vendors often name the SAME infector differently. Thus
knowing what the anti virus application (vendor) was that removed this can narrow down what
this Bot actually is. I will also reiterate that the declaration was for a Generic RBot.
Thus the declaration is non-specific and the exact modifications to the Registry and the
OS can't be provided. Knowing WHO the AV vendor is that declared this infector can at least
provide generic information on OS modifications. I do not understand your unwillingness to
provide the requested AV vendor.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Leonard Agoado replied...
That is usually a good indicator that you should hold your tongue
and proceed no further.
What David was telling you is that you were asking for a specific
course of action based on a generic description of your problem.
This would be like asking a mechanic, "How do I perform a tune-up
on my car? It's yellow." Would you really get that pissy if he
had the nerve to ask, "What make and model is it?"
Reread his response with a bit less attitude, and you'll know how
to respond.
Len Agoado
agoado@msn.com
kurt wismer replied...

you've misunderstood his answer... his answer is that there is too
little information provided to give you a solution to your problem and
with a {whatever}.gen declaration from an unknown scanner he is most
certainly correct... worse still for you, the actual malware is now gone
so any hopes of acquiring additional information necessary to reverse
its specific OS changes are lost... (just one more reason to use
quarantine instead of disinfect/delete)
indeed, your problem isn't *solved* but there's little anyone else can
do to help you at this point...
he was putting emphasis on the "not"... that's not yelling... people
don't yell single words in the middle of normal sentences (unless
perhaps they have a neurological condition beyond their control)...
unfortunately none of it (save for the scanner that you used) will help
narrow down which piece of malware you had...
you may think that all members of a particular malware family behave
enough alike that what works for fixing one will work for others, but if
so you'd be wrong...
knowing the scanner you used *might* help (though i wouldn't hold my
breath, personally)... otherwise i think his suggestions of restoring to
a previous state or rebuilding from scratch are probably your best
options... if you really want one more then how about comparing the
networking related files/settings/registry entries from your machine
with a similar but working machine...
--
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
denzel replied...

Thanks for your replies.
The original virus was found and cleaned by Windows Defender. I'm not sure
of the exact syntax anymore, but it was identified as win32/rbot.gen or
winsys32/rbot.gen. And I already agree that it's not much to go on.
I have the original file also, Bit Defender recognizes it as
GenPack:Generic.Sdbot.4502EEEF. More specific, but I'm not sure that
provides me any specific help.
With so many viruses out there, I never expected a specific solution that
fit only this specific virus. I did internet searches and AV website
searches (and newsgroup searches) first to see if there was any information
available. I believe in self-help whenever possible. You learn more that
way. The only information I found wasn't very exact although a couple of
websites did mention changing of registry values such as anonymoususer.
This information looked more XP versus Vista as the values didn't match
anything I thought was close enough to change.
The best I hoped for was someone that had seen similar problems for certain
classes of viruses that do "...whatever..." and could give me some pointers
as to what to look for. Or someone pointing me to another website or forum
that was more suited to my problem.
System recovery did not go back far enough to restore before this problem
(about a month). And I've reloaded OS's on machines before; it's just time
consuming. I know it's a cure-all for a lot of things, but I thought I'd
look for an easier solution first. Right now it just affects my ability to
share files and printers with my daughter's machine.
In looking through the networking groups, I see that a lot of people are
having trouble sharing between XP and Vista machines. My concern would be
that some recent patch during the time I had the virus is the real source of
my network problem. I'd be pretty dejected if I reloaded Vista and the
updates and all my other programs...and then had the same problem.
Leonard Agoado replied...
Denzel,
If you have the original file, upload it to
http://www.virustotal.com and report the results back here.
Regards,
Leonard Agoado
agoado@msn.com
denzel replied...

http://www.virustotal.com/analisis/eb1fcb79ea86a866a31ca76bcc285695
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - BAT/RBot.94038
Authentium - - -
Avast - - Win32:Rbot-CYW
AVG - - IRC/BackDoor.SdBot3.XGI
BitDefender - - GenPack:Generic.Sdbot.4502EEEF
CAT-QuickHeal - - Backdoor.Rbot.fwe
ClamAV - - -
DrWeb - - Win32.HLLW.MyBot.based
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - Win32/Rbot!generic
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - Backdoor.Win32.Rbot.fwe
Ikarus - - Backdoor.Win32.Rbot.aeu
Kaspersky - - Backdoor.Win32.Rbot.fwe
McAfee - - -
Microsoft - - Backdoor:Win32/Rbot.gen
NOD32v2 - - a variant of Win32/Rbot
Norman - - W32/Spybot.CKSQ
Panda - - W32/Sdbot.LMD.worm
Prevx1 - - Backdoor.IRCBot.gen
Rising - - Backdoor.Win32.Rbot.GEN
Sophos - - Mal/Generic-A
Sunbelt - - Backdoor.SDBot
Symantec - - -
TheHacker - - -
VBA32 - - Win32.HLLW.MyBot.based
VirusBuster - - -
Webwasher-Gateway - - Worm.Rbot.210944
Additional information
MD5: fc216d7b5859115a618d3adc83359349
SHA1: 18a8897baa1b1ded75e221be47cd0841d305eb6f
SHA256: 73a3f914ca5f0c2ce76186288f4c8919ea73dbc0f4c5e13fc38806ec721cc6df
SHA512: 915653b73f83b657f9ed19806d3fdcbfd3857837245d5c18836972fd32002dfe
a6362bf50a7b335ed0f03d85b371cbcd28b0a18e681a24100145610b9c0ef567
AyeKantSpeylGu replied...
Hi Denzel,
I have to admit that I can totally understand your frustration with this. I
came to this page looking for the exact same thing - I had a virus, a BUNCH
of them, as well as spyware and other garbage that had done a number of
things to make it next to impossible to get rid of them. One of the things it
did was to turn off the ability to go straight to Windows Update. (It'd also
turned off Control Panel, disabled Regedit, all saying that it'd been blocked
by the system administrator, even though I AM the System Administrator!)
If I am personally understanding you correctly, you are simply asking for
where in the registry you can turn it back on - now that you HAVE gotten rid
of the virus! I am currently stuck in the same situation. If I find the
answer, I will try to post it back here for you. Who knows though, it's been
a few days, perhaps you've already found the answer!
Take care and best of luck!
Heather
AyeKantSpeylGu replied...

I think I found it! I tried it and it just worked for me. :-D
Go here: http://windowsxp.mvps.org/aupolicy.htm
Basically...
Open Regedit.
Go to HKLM\Software\Policies\Windows\WindowsUpdate\AU
Delete or change any value that implies disabling Windows Update (See
website). I did not have any values in this key.
Also check:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
Delete or change any value indicating that Windows Update will be disabled.
I did not have the values that the website mentions but the virus had entered
a "NoWindowsUpdate" and had that value ON.
In that same exact area was a different option for no control panel! I knew
I should've changed that, I thought it was weird when I first saw that but I
didn't bother. Oh well. Hope that helps you as much as it did me!
Take care & Best Luck!!!
Heather
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
In the right-pane, delete the value DisableWindowsUpdateAccess
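As an added illustration (not code from this thread, nor from the site Heather links), here is a PowerShell script that checks the policy locations and value names the thread mentions (DisableWindowsUpdateAccess, NoWindowsUpdate, NoControlPanel) and reports them before anything is deleted. It also lists the startup mode of the services the original poster was resetting by hand. The HKLM path used below includes "Microsoft" (the documented location for the AU policy key), the Explorer policy subkey and the NoAutoUpdate value come from Windows documentation rather than from the thread, and the service names are my assumption of the standard ones for Windows Update and file/print sharing.

```powershell
# Added example, not from the thread: audit (and optionally remove) the
# Windows Update / Control Panel lockout policy values named in this thread,
# then show the startup mode of the services a home network and Windows
# Update depend on. Run from an elevated PowerShell prompt. Without -Remove
# the script only reports, so it is safe to run first and compare against
# a known-good machine, as suggested earlier in the thread.
[CmdletBinding()]
param(
    [switch]$Remove   # delete flagged policy values instead of only reporting
)

# Value names from the thread plus the documented AU value NoAutoUpdate.
$suspectValues = @('DisableWindowsUpdateAccess', 'NoWindowsUpdate',
                   'NoAutoUpdate', 'NoControlPanel')

# Policy keys to inspect. The two WindowsUpdate keys correspond to Heather's
# post (HKLM path spelled with "Microsoft", as documented); the Explorer keys
# are where NoControlPanel normally lives (assumption from documentation).
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

$findings = @()
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }          # key absent: nothing set
    $props = Get-ItemProperty -Path $key
    foreach ($name in $suspectValues) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }            # value not present
        $findings += [pscustomobject]@{ Key = $key; Name = $name; Value = $prop.Value }
        # A value of 0 does not enforce the restriction, so only non-zero
        # entries are removed when -Remove is given.
        if ($Remove -and $prop.Value -ne 0) {
            Remove-ItemProperty -Path $key -Name $name
            Write-Host "Removed $name from $key"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Windows Update / Control Panel lockout values present.'
} else {
    Write-Host 'Policy values found (non-zero means the restriction is active):'
    $findings | Format-Table -AutoSize
}

# Services the poster mentions resetting: Windows Update itself and the
# services behind file/print sharing and network browsing. Names assumed
# to be the standard ones; StartMode "Disabled" is the symptom described.
$services = 'wuauserv', 'BITS', 'LanmanServer', 'LanmanWorkstation', 'Browser'
Get-WmiObject -Class Win32_Service |
    Where-Object { $services -contains $_.Name } |
    Select-Object Name, StartMode, State |
    Format-Table -AutoSize
```

Run it once without switches on the affected machine and once on the working XP machine; the two reports side by side show which policy values and service start modes differ, which is the comparison kurt suggests. Only after reviewing the report would you re-run with -Remove.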