Virus Problem



danzak
05-01-2004, 12:51 PM
Hi, this may not be the right thread for this, but I'm not sure where else to post. I hope someone can help me out.
My parents' computer has been hit with a virus or worm and I can't determine which one it is so I can clean it. My mom got the virus warning from NAV and instead of cleaning etc she shut the comp down (!). So, now it's infected with something. The problem is-NAV 2004 doesn't find anything after I scan so I don't know what virus it is. I've also done a Panda search and it found 4 infected files in the email storage folders-these have been cleaned out. But the problem still occurs.

Symptoms are: NAV auto protect is disabled and can't enable it, can't connect to NAV Live Update, can't access certain websites (symantec.com etc)
When the computer is rebooted, a DOS window opens up (path leads to System32 folder) which I guess is the worm or virus starting itself up. Also, there are about 10 .exe files in the C:/ directory, all with weird names like xdcsskyt.exe

I went to Symantec site on my computer and everything they have written suggests this worm is from the W32.Gaobot family but when I check the registry keys that are supposed to be affected, the files that are supposed to be added to the keys aren't there. Also, Symantec says that a manual scan with the latest definitions should find the worm files but any scan I do comes back clean.
So, now I don't know what to do-has someone had this problem or does anyone have any idea how to identify what virus this actually is so I can start cleaning it properly.

Sorry for the long post but this has me scratching my head. Thanks kindly for any help you can give. Cheers

zapjb
05-01-2004, 01:18 PM
Maybe it's in quarantine. Disable system restore. Delete all files in quarantine.

When you are virus free reenable system restore.

danzak
05-01-2004, 02:05 PM
Thanks for the reply. Yeah, I disabled restore when I scanned with NAV yesterday. Also deleted 1 file from quarantine (in the backup items folder) that was from around the time I think the infection started. Scanned again, nothing found, but the symptoms of infection are all still there. Damn! :angry:

peat moss
05-01-2004, 05:29 PM
Did you try starting in safe mode? Then scan with your antivirus. I read that on the Norton site. :)

It's here under removal instructions.
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.yc.html

johnboy27
05-02-2004, 04:46 AM
Here is the virus removal tool for the virus you have.
http://securityresponse.symantec.com/avcenter/FxGaobot.exe

danzak
05-02-2004, 12:21 PM
Hey all, thanks for the replies. I haven't tried any of the removal tools because I can't confirm that Gaobot is the worm that I actually have. The NAV scan still shows nothing, even in Safe Mode.
Now weirder things have started happening. I was trying to help my dad over the phone yesterday and now his printer and internet connections have stopped working. And sometimes, when he goes to shut the PC down, the Shut Down button doesn't show up, just Log Off and Suspend (I think), so he has to manually shut the PC down. I'm going over there tonight to see what's going on first hand, but it sure would be nice to nail down what I'm dealing with here.

Anyone heard of HijackThis? It's supposed to show you all the processes going when your machine boots up. Any thoughts?

Thanks again for your help.

ricochet
05-02-2004, 03:59 PM
Download a copy of NOD32 and try that AV. Disable system restore and run a scan. If nothing comes up and the problems continue, I would make your mom back up your files and do a clean install of your OS.

Or charge her for you doing it... ;)

danzak
05-02-2004, 05:29 PM
OK thanks. If it all fails, should I format the C:/ before reinstalling the OS, or will doing a clean install (i.e. overwriting all the old info, can't remember what option that is under XP installation) be enough?

"Or charge her for you doing it... " LOL! by her calculations, I owe her around $500 000 for my upbringing, so I'll tell her to knock some off my tab :D

Nightwolf
05-03-2004, 04:55 PM
See if you can prevent that DOS window from opening whenever you boot. Run msconfig, click on the Startup tab and uncheck anything you don't think you need. Reboot and try scanning with NAV again.

If you can't find it with msconfig, download Regseeker and use that to remove hidden startup entries from the registry.

johnboy27
05-03-2004, 05:04 PM
Originally posted by danzak@2 May 2004 - 13:21
Hey all, thanks for the replies. I haven't tried any of the removal tools because I can't confirm that Gaobot is the worm that I actually have. The NAV scan still shows nothing, even in Safe Mode.
Now weirder things have started happening. I was trying to help my dad over the phone yesterday and now his printer and internet connections have stopped working. And sometimes, when he goes to shut the PC down, the Shut Down button doesn't show up, just Log Off and Suspend (I think), so he has to manually shut the PC down. I'm going over there tonight to see what's going on first hand, but it sure would be nice to nail down what I'm dealing with here.

Anyone heard of HijackThis? It's supposed to show you all the processes going when your machine boots up. Any thoughts?

Thanks again for your help.

Here is a quote from one of the mods on the other forum.
"C:\windows\system32\drivers\etc\hosts

edit this file and remove the added lines at the end of the file. The worm places entries in there to prevent you from accessing security related sites. Once you empty off the extra lines you will be able to access all sites."

Doing that will let you get onto some of the sites it blocks, and you may just be able to do an online scan and get rid of it.
Good luck.
There is another worm virus out there which is a variant of the Gaobot worm; it is called worm_agobot.mg. Norton does not recognize it for some reason. Because it is a variant of the Agobot worm, the removal tool I posted earlier could possibly work on it according to Trend Micro. In another forum I frequent there have been about 5-10 people that have gotten one of these two over the last week or two.
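The hosts-file tampering quoted above is easy to check for mechanically. The following Python script is an added example, not code from the thread or from any vendor: it parses a Windows hosts file, flags any line that pins a security-vendor or update domain to an address (a legitimate hosts file never needs such entries), and returns the file with those lines stripped. The vendor domain list and the sample hosts content are constructed assumptions for illustration.

```python
"""Flag and strip hosts-file entries that hijack security-vendor domains,
the symptom described in the thread (symantec.com and Live Update unreachable).
Added example; the watched-domain list and sample file are constructed."""
import re

# Domains the thread says the worm blocks, plus similar vendor/update hosts.
# This list is an assumption; extend it for the products actually in use.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "norton.com",
    "mcafee.com", "trendmicro.com", "pandasoftware.com", "windowsupdate.com",
)

LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)")

def parse_hosts(text):
    """Yield (lineno, ip, hostname) for each non-comment mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = LINE_RE.match(line)
        if m:
            yield lineno, m.group(1), m.group(2).lower()

def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_hijacks(text):
    """Return (lineno, ip, hostname) for every line that pins a watched domain.
    Any such line is suspect regardless of the address it points to."""
    return [(n, ip, h) for n, ip, h in parse_hosts(text) if is_watched(h)]

def clean_hosts(text):
    """Return the hosts file with hijack lines removed; all other lines kept verbatim."""
    bad = {n for n, _, _ in find_hijacks(text)}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"

# Constructed sample: the stock XP hosts file with worm-style lines appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.trendmicro.com
"""

if __name__ == "__main__":
    for n, ip, host in find_hijacks(SAMPLE_HOSTS):
        print(f"line {n}: {host} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a live machine, read C:\Windows\system32\drivers\etc\hosts into `text` instead of the sample; the file is plain ASCII and needs Administrator rights to write back.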

danzak
05-03-2004, 09:42 PM
Thanks for all the advice everyone, I finally put this one to bed (I hope). It looks like this was caused by a few worms (variants of the Gaobot and Sasser worms). I downloaded and ran the Symantec Gaobot removal tool; this didn't find anything, but NAV started working normally again. As soon as Auto Protect was working it started finding a bunch more infections, these with the Sasser worm, so I then had to download and run the Sasser worm removal tool. I then updated the virus definitions using their "manual" update (the .exe file, not Live Update), ran this and it found about 19 infected files and cleaned most of them; I deleted the other files.
Finally, there were a few startup processes that were still going, namely a microsoft.exe that should not be there. Once I manually deleted the bad files from the C:\Windows\System32 folder and deleted the registry keys they created, it works OK. It was a battle but I think it's finally over.
Thanks again for your help.

danzak
05-03-2004, 09:45 PM
Oh and finally, get the darn Windows security updates. Even as I was cleaning everything out and finally got online, there were files being put on my machine. NAV was catching them, but there were about 2 or 3 infected files found in the span of about a half hour. I installed the Windows patches and so far, nothing.