The following instructions have been created to help you to get rid of "Win32.Rbot.bms" manually.
Use this guide at your own risk; dedicated removal software is usually better suited to removing malware, since it is able to look deeper.

Threat Details:

Categories:
  • trojan

Description:
This trojan is a backdoor program. It installs itself in the registry, deactivates firewalls and security settings, kills running antivirus software, and modifies the host list to prevent further antivirus updates. It creates autorun entries and allows others to access the computer. It starts the Microsoft Messenger software in the background and creates multiple copies of itself within the Windows system directory.

Removal Instructions:

Autorun:

Please use Spybot-S&D, RunAlyzer or msconfig.exe to remove the following autorun entries.
  • Entries named "392" and pointing to "|".
  • Entries named "Microsoft dll Host Service " and pointing to "wkssr.exe".
  • Entries named "MSN Drivers" and pointing to "msmsgers.exe".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.
  • The file at "<$WINDIR>\msmsgers.exe".
  • The file at "<$SYSDIR>\phqghum.exe".
  • The file at "<$SYSDIR>\Software\AC3-MP3 converter.exe".
  • The file at "<$SYSDIR>\Software\Adobe Acrobat Reader 5.6.exe".
  • The file at "<$SYSDIR>\Software\AdvZip Recovery.exe".
  • The file at "<$SYSDIR>\Software\Age of Empire crack.exe".
  • The file at "<$SYSDIR>\Software\Age of Mythology crack.exe".
  • The file at "<$SYSDIR>\Software\AIM Pass stealer.exe".
  • The file at "<$SYSDIR>\Software\All Editor 3.0b.exe".
  • The file at "<$SYSDIR>\Software\All Microsoft games crack.exe".
  • The file at "<$SYSDIR>\Software\American concuest crack.exe".
  • The file at "<$SYSDIR>\Software\AMI BIOS Cracker.exe".
  • The file at "<$SYSDIR>\Software\Anno 1503 Crack - No cd.exe".
  • The file at "<$SYSDIR>\Software\AOL hacker.exe".
  • The file at "<$SYSDIR>\Software\AOL password stealer.exe".
  • The file at "<$SYSDIR>\Software\Auction Sentry (new).exe".
  • The file at "<$SYSDIR>\Software\AudioLabel CD Labeler 3.0 ( crack).exe".
  • The file at "<$SYSDIR>\Software\Beach life crack nocd.exe".
  • The file at "<$SYSDIR>\Software\BearShare 5.1.1.exe".
  • The file at "<$SYSDIR>\Software\blood patch.exe".
  • The file at "<$SYSDIR>\Software\Britney spears game.exe".
  • The file at "<$SYSDIR>\Software\Bugbear remover.exe".
  • The file at "<$SYSDIR>\Software\buttman.exe".
  • The file at "<$SYSDIR>\Software\C&C Generals Pack2 (new patch).exe".
  • The file at "<$SYSDIR>\Software\crack serials.exe".
  • The file at "<$SYSDIR>\Software\Digimon.exe".
  • The file at "<$SYSDIR>\Software\DirectDVD 4.9.exe".
  • The file at "<$SYSDIR>\Software\dos and ddos ping udp syn flooder.exe".
  • The file at "<$SYSDIR>\Software\Driver 2 crack.exe".
  • The file at "<$SYSDIR>\Software\DvD Rip guide ( tools) st0rm.exe".
  • The file at "<$SYSDIR>\Software\Dvd ripper.exe".
  • The file at "<$SYSDIR>\Software\Dynamite Downloads.exe".
  • The file at "<$SYSDIR>\Software\EA games Keygen.exe".
  • The file at "<$SYSDIR>\Software\Easy CD Creator Software Update.exe".
  • The file at "<$SYSDIR>\Software\edonkey_serverlist.exe".
  • The file at "<$SYSDIR>\Software\Esafe desktop protection crack.exe".
  • The file at "<$SYSDIR>\Software\exegen.exe".
  • The file at "<$SYSDIR>\Software\FlashFXP (keygen).exe".
  • The file at "<$SYSDIR>\Software\Free ADSl.exe".
  • The file at "<$SYSDIR>\Software\FreeRip 4.30.exe".
  • The file at "<$SYSDIR>\Software\Frontpage cracker.exe".
  • The file at "<$SYSDIR>\Software\Genie Stream 3.2.4.exe".
  • The file at "<$SYSDIR>\Software\GetRight 5.5 crack.exe".
  • The file at "<$SYSDIR>\Software\Global DiVX Player 2.0.1.exe".
  • The file at "<$SYSDIR>\Software\Gothic 2 (m-patch).exe".
  • The file at "<$SYSDIR>\Software\Grokster 2.0.exe".
  • The file at "<$SYSDIR>\Software\hack tool.exe".
  • The file at "<$SYSDIR>\Software\Hacker Tutorial (by ph3Akz).exe".
  • The file at "<$SYSDIR>\Software\Highland warriors crack.exe".
  • The file at "<$SYSDIR>\Software\HL keys (working).exe".
  • The file at "<$SYSDIR>\Software\I.G.I. 2 (new crack).exe".
  • The file at "<$SYSDIR>\Software\Icon extractor v1.7 - full.exe".
  • The file at "<$SYSDIR>\Software\IIS_shellbind_exploit.exe".
  • The file at "<$SYSDIR>\Software\iMesh 4.1 beta.exe".
  • The file at "<$SYSDIR>\Software\invisible_IP.exe".
  • The file at "<$SYSDIR>\Software\iSnipeIt 5.0c.exe".
  • The file at "<$SYSDIR>\Software\Jack the ripper v1.0.exe".
  • The file at "<$SYSDIR>\Software\John the ripper v1.0.exe".
  • The file at "<$SYSDIR>\Software\KaZooM MP3 Kazaa Accelerator 2.5.exe".
  • The file at "<$SYSDIR>\Software\keylogger best keylog ever.exe".
  • The file at "<$SYSDIR>\Software\Klez fixtool.exe".
  • The file at "<$SYSDIR>\Software\kmd151_en.exe".
  • The file at "<$SYSDIR>\Software\Lord of the rings VCD.exe".
  • The file at "<$SYSDIR>\Software\Love calculator.exe".
  • The file at "<$SYSDIR>\Software\Mafia game crack noCD.exe".
  • The file at "<$SYSDIR>\Software\Mcafee virusscanner crack.exe".
  • The file at "<$SYSDIR>\Software\Medal Of Honor (Allied Assault) crack.exe".
  • The file at "<$SYSDIR>\Software\Morpheus 2.6.exe".
  • The file at "<$SYSDIR>\Software\Most important hacker tool ever!.exe".
  • The file at "<$SYSDIR>\Software\msconfig.exe".
  • The file at "<$SYSDIR>\Software\MSN 5.0 Banner remover.exe".
  • The file at "<$SYSDIR>\Software\MSN PLUS!.exe".
  • The file at "<$SYSDIR>\Software\msn_IP_finder.exe".
  • The file at "<$SYSDIR>\Software\msncracker.exe".
  • The file at "<$SYSDIR>\Software\msnhacker.exe".
  • The file at "<$SYSDIR>\Software\MXlinx 0.30 crack.exe".
  • The file at "<$SYSDIR>\Software\NeoNapster 3.92.exe".
  • The file at "<$SYSDIR>\Software\Nero Burning ROM 5.8.2.4.exe".
  • The file at "<$SYSDIR>\Software\Network Cable ADSL Speed 2.0 (beta).exe".
  • The file at "<$SYSDIR>\Software\New Nvidia (geForce) drivers (beta).exe".
  • The file at "<$SYSDIR>\Software\Nikki cox game and movie.exe".
  • The file at "<$SYSDIR>\Software\Nimo Codec Pack 9.0 (stable).exe".
  • The file at "<$SYSDIR>\Software\norton anti virus FULL VERSION.exe".
  • The file at "<$SYSDIR>\Software\Norton antivirus crack.exe".
  • The file at "<$SYSDIR>\Software\Office key Gen.exe".
  • The file at "<$SYSDIR>\Software\OfficeXP_Keygen.exe".
  • The file at "<$SYSDIR>\Software\Operation Flashpoint (bloopatch).exe".
  • The file at "<$SYSDIR>\Software\password stealer.exe".
  • The file at "<$SYSDIR>\Software\PhotoShow 3.1.exe".
  • The file at "<$SYSDIR>\Software\Pokemon.exe".
  • The file at "<$SYSDIR>\Software\Pop-Up Stopper 4.0 (beta).exe".
  • The file at "<$SYSDIR>\Software\Powerful MP3 ripper.exe".
  • The file at "<$SYSDIR>\Software\Ps2 to Pc tutorial ( tool).exe".
  • The file at "<$SYSDIR>\Software\PS2_emulator_bleem.exe".
  • The file at "<$SYSDIR>\Software\psx2 emulator FINAL WORKING FOR PLAYSTATION.exe".
  • The file at "<$SYSDIR>\Software\QuickTime 7.2 (new).exe".
  • The file at "<$SYSDIR>\Software\Raven Shield 5.32 crack.exe".
  • The file at "<$SYSDIR>\Software\RealJukebox Basic 2.8.exe".
  • The file at "<$SYSDIR>\Software\RealOne Free Player 2.8.exe".
  • The file at "<$SYSDIR>\Software\RemoteSpy 1.5.exe".
  • The file at "<$SYSDIR>\Software\shortcut to northwind.lnk.exe".
  • The file at "<$SYSDIR>\Software\Shriek DVD crack patch.exe".
  • The file at "<$SYSDIR>\Software\sms bomber WORKING.exe".
  • The file at "<$SYSDIR>\Software\Splinter Cell crack.exe".
  • The file at "<$SYSDIR>\Software\spyware remover.exe".
  • The file at "<$SYSDIR>\Software\Stop the war (intro).exe".
  • The file at "<$SYSDIR>\Software\Stronghold Crusader crack- All versions [noCD].exe".
  • The file at "<$SYSDIR>\Software\Stuart Little 2 crack game noCD.exe".
  • The file at "<$SYSDIR>\Software\Sub7_masterpwd.exe".
  • The file at "<$SYSDIR>\Software\Super 2000key keygen.exe".
  • The file at "<$SYSDIR>\Software\The Sims crack.exe".
  • The file at "<$SYSDIR>\Software\Theme park world cracker.exe".
  • The file at "<$SYSDIR>\Software\TitJiggle (flash game).exe".
  • The file at "<$SYSDIR>\Software\Trillian 0.8 plugins.exe".
  • The file at "<$SYSDIR>\Software\Tropico crack.exe".
  • The file at "<$SYSDIR>\Software\universal game NO-CD crack WORKS ON ALL GAMES.exe".
  • The file at "<$SYSDIR>\Software\UniversalFlood (4.8b).exe".
  • The file at "<$SYSDIR>\Software\Unreal2 (2.8) crack.exe".
  • The file at "<$SYSDIR>\Software\UT2003 multi-crack (new).exe".
  • The file at "<$SYSDIR>\Software\Warcraft 3 crack.exe".
  • The file at "<$SYSDIR>\Software\Warcraft3 battle.net(2.5) crack.exe".
  • The file at "<$SYSDIR>\Software\Webcracker.exe".
  • The file at "<$SYSDIR>\Software\Website hacker v1.0.exe".
  • The file at "<$SYSDIR>\Software\win2k_pass_decryptor.exe".
  • The file at "<$SYSDIR>\Software\Win2k_reboot_exploit.exe".
  • The file at "<$SYSDIR>\Software\win2k_serial.exe".
  • The file at "<$SYSDIR>\Software\Window Washer 4.8.exe".
  • The file at "<$SYSDIR>\Software\Windows Me crack.exe".
  • The file at "<$SYSDIR>\Software\windows XP 2000 98 NT keygen (allin1).exe".
  • The file at "<$SYSDIR>\Software\Windows XP license crack.exe".
  • The file at "<$SYSDIR>\Software\Windows_Keygen_allver.exe".
  • The file at "<$SYSDIR>\Software\WinMX 3.5.1.exe".
  • The file at "<$SYSDIR>\Software\WinRAR CRACKED.exe".
  • The file at "<$SYSDIR>\Software\winxp_hacker.exe".
  • The file at "<$SYSDIR>\Software\winxphack.exe".
  • The file at "<$SYSDIR>\Software\Wippit 2.1 (beta).exe".
  • The file at "<$SYSDIR>\Software\Word_Pass_Cracker.exe".
  • The file at "<$SYSDIR>\Software\WS_FTP LE 6.0.exe".
  • The file at "<$SYSDIR>\Software\xbox_emulator_beta.exe".
  • The file at "<$SYSDIR>\Software\XP DVD Plugin.exe".
  • The file at "<$SYSDIR>\Software\XP ScreenSaver.exe".
  • The file at "<$SYSDIR>\Software\XP_Box_emulator.exe".
  • The file at "<$SYSDIR>\Software\XP_keygen.exe".
  • The file at "<$SYSDIR>\Software\XViD bundle (codec tutorial).exe".
  • The file at "<$SYSDIR>\Software\Yaha Fixtool.exe".
Make sure you set your file manager to display hidden and system files. If Win32.Rbot.bms uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
  • The directory at "<$SYSDIR>\Software".
Make sure you set your file manager to display hidden and system files. If Win32.Rbot.bms uses rootkit technologies, use our RootAlyzer or our Total Commander anti-rootkit plugins.
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.
  • Remove "012345:<$SYSDIR>\Software\" from registry value "Dir0" at "HKEY_CURRENT_USER\Software\Kazaa\LocalContent\".
  • Remove "|" from registry value "392" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\".
  • Remove "|" from registry value "392" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\".
  • Remove "wkssr.exe" from registry value "Microsoft dll Host Service " at "HKEY_CURRENT_USER\Software\Microsoft\OLE\".
  • Remove "wkssr.exe" from registry value "Microsoft dll Host Service " at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\".
  • Remove "wkssr.exe" from registry value "Microsoft dll Host Service " at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\".
  • Remove "wkssr.exe" from registry value "Microsoft dll Host Service " at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Lsa\".
  • Remove "msmsgers.exe" from registry value "MSN Drivers" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\".
  • Remove "msmsgers.exe" from registry value "MSN Drivers" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa\".
  • Remove "msmsgers.exe" from registry value "MSN Drivers" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Lsa\".
If Win32.Rbot.bms uses rootkit technologies, use our RegAlyzer, RootAlyzer or our Total Commander anti-rootkit plugins.
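
A read-only PowerShell check for the registry values, the two individually named files and the folder listed above, added here as an example (it is not part of the original guide or of Spybot-S&D). The function name `Test-RbotRegistryValue` and the variable names are hypothetical, and mapping `<$SYSDIR>` and `<$WINDIR>` to the running system's directories is an assumption.

```powershell
# Read-only audit: reports which of the guide's registry values and paths exist.
# Nothing is modified or deleted.
$sysDir = [Environment]::SystemDirectory   # assumed to correspond to <$SYSDIR>
$winDir = $env:windir                      # assumed to correspond to <$WINDIR>

# Each check: registry key, value name, and the data fragment the guide names.
# The trailing space in 'Microsoft dll Host Service ' is as printed in the guide.
$checks = @(
    @{ Key='HKCU:\Software\Kazaa\LocalContent'; Name='Dir0'; Data="012345:$sysDir\Software\" }
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'; Name='392'; Data='|' }
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name='392'; Data='|' }
    @{ Key='HKCU:\Software\Microsoft\OLE'; Name='Microsoft dll Host Service '; Data='wkssr.exe' }
)
foreach ($set in 'ControlSet001','ControlSet002','ControlSet003') {
    $checks += @{ Key="HKLM:\SYSTEM\$set\Control\Lsa"; Name='Microsoft dll Host Service '; Data='wkssr.exe' }
    $checks += @{ Key="HKLM:\SYSTEM\$set\Control\Lsa"; Name='MSN Drivers'; Data='msmsgers.exe' }
}

function Test-RbotRegistryValue($Check) {
    # Missing key or missing value both count as "not present".
    $key = Get-Item -LiteralPath $Check.Key -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    $value = $key.GetValue($Check.Name)
    if ($null -eq $value) { return $false }
    # Multi-string values come back as arrays; flatten before searching.
    $text = @($value) -join "`n"
    return ($text.IndexOf($Check.Data, [StringComparison]::OrdinalIgnoreCase) -ge 0)
}

$results = @(foreach ($c in $checks) {
    [pscustomobject]@{
        Type     = 'Registry'
        Location = "$($c.Key)\$($c.Name)"
        Present  = (Test-RbotRegistryValue $c)
    }
})
$paths = "$winDir\msmsgers.exe", "$sysDir\phqghum.exe", "$sysDir\Software"
$results += @(foreach ($p in $paths) {
    [pscustomobject]@{ Type='Path'; Location=$p; Present=(Test-Path -LiteralPath $p) }
})
$results | Format-Table -AutoSize
```

A `Present` result of `True` is a lead to inspect, not proof of infection; as the guide notes, a name alone might not be enough to identify a file.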

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help:
  1. Please read these instructions before requesting assistance.
  2. Then start your own thread in the Malware Removal Forum, where a volunteer analyst will advise you as soon as one is available.