W32/Rbot disinfection instructions
Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
Windows 95/98/Me and Windows NT/2000/XP/2003
W32/Rbot-I, W32/Rbot-R, W32/Rbot-AD, W32/Rbot-DT, W32/Rbot-EK, W32/Rbot-ET, W32/Rbot-FA, W32/Rbot-FH, W32/Rbot-FLP, W32/Rbot-FT, W32/Rbot-HD, W32/Rbot-HN, W32/Rbot-IC, W32/Rbot-IG, W32/Rbot-IR, W32/Rbot-IU, W32/Rbot-NA, W32/Rbot-NZ, W32/Rbot-PR, W32/Rbot-QH, W32/Rbot-QP, W32/Rbot-RD, W32/Rbot-SQ, W32/Rbot-TB, W32/Rbot-UE, W32/Rbot-XW, W32/Rbot-YA, W32/Rbot-AAY, W32/Rbot-AHT, W32/Rbot-AMN, W32/Rbot-AMP, W32/Rbot-AMT, W32/Rbot-AMU, W32/Rbot-AMY, W32/Rbot-ANG, W32/Rbot-APJ, W32/Rbot-APX, W32/Rbot-AQT, W32/Rbot-ASS, W32/Rbot-ASZ, W32/Rbot-AUF, W32/Rbot-AXJ, W32/Rbot-DOQ, W32/Rbot-FMZ and W32/Rbot-FON can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.
Note: When disinfecting variants not listed above, use the recovery instructions in the appropriate virus analysis.
Windows disinfector
RBOTGUI is a disinfector for standalone Windows computers
- open RBOTGUI
- run it
- then click GO.
If you are disinfecting several computers; download it, save it to floppy disk, write-protect the floppy disk and run it from there.
After removing the worm you should read the security bulletins and, where appropriate, install the Microsoft patches MS04-011, MS03-039, MS03-007, MS01-059, MS02-039, MS02-061, MS03-049, MS04-007, MS04-012, MS05-039 and MS06-040 or, on single computers, update with all relevant security patches from Windows update.
Note: Microsoft has documented several known issues with the MS04-011 update in Microsoft Knowledge Base Article 835732. Read this article carefully before applying the update. If any of the described problems occur after applying the update, please contact Microsoft support.
For W32/Rbot-ET, you should replace the HOSTS file from backup, or open it in Notepad and remove any of the entries listed in the virus description.
Command line disinfector
RBOTSFX.EXE is a self-extracting archive containing RBOTCLI, a Resolve command line disinfector for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.
After removing the worm you should read the security bulletins and, where appropriate, install the Microsoft patches MS04-011, MS03-039, MS03-007, MS01-059, MS02-039, MS02-061, MS03-049, MS04-007, MS04-012, MS05-039 and MS06-040 or, on single computers, update with all relevant security patches from Windows update.
Note: Microsoft has documented several known issues with the MS04-011 update in Microsoft Knowledge Base Article 835732. Read this article carefully before applying the update. If any of the described problems occur after applying the update, please contact Microsoft support.
For W32/Rbot-ET, you should replace the HOSTS file from backup, or open it in Notepad and remove any of the entries listed in the virus description.
Other platforms
To remove W32/Rbot-I, W32/Rbot-R, W32/Rbot-AD, W32/Rbot-DT, W32/Rbot-EK, W32/Rbot-ET, W32/Rbot-FA, W32/Rbot-FH, W32/Rbot-FLP, W32/Rbot-FT, W32/Rbot-HD, W32/Rbot-HN, W32/Rbot-IC, W32/Rbot-IG, W32/Rbot-IR, W32/Rbot-IU, W32/Rbot-NA, W32/Rbot-NZ, W32/Rbot-PR, W32/Rbot-QH, W32/Rbot-QP, W32/Rbot-RD, W32/Rbot-SQ, W32/Rbot-TB, W32/Rbot-UE, W32/Rbot-XW, W32/Rbot-YA, W32/Rbot-AAY, W32/Rbot-AHT, W32/Rbot-AMN, W32/Rbot-AMP, W32/Rbot-AMT, W32/Rbot-AMU, W32/Rbot-AMY, W32/Rbot-ANG, W32/Rbot-APJ, W32/Rbot-APX, W32/Rbot-AQT, W32/Rbot-ASS, W32/Rbot-ASZ of W32/Rbot-AUF, W32/Rbot-AXJ, W32/Rbot-DOQ, W32/Rbot-FMZ and W32/Rbot-FON on other platforms please follow the instructions for removing worms.
