Virus Problem

[danzak]

Hi, this may not be the right thread for this, but I'm not sure where else to post. I hope someone can help me out.
My parents' computer has been hit with a virus or worm and I can't determine which one it is so I can clean it. My mom got the virus warning from NAV and instead of cleaning etc she shut the comp down (&#33. So, now it's infected with something. The problem is-NAV 2004 doesn't find anything after I scan so I don't know what virus it is. I've also done a Panda search and it found 4 infected files in the email storage folders-these have been cleaned out. But the problem still occurs.

Symptoms are: NAV auto protect is disabled and can't enable it, can't connect to NAV Live Update, can't access certain websites (symantec.com etc)
When the computer is rebooted, a DOS window opens up (path leads to System32 folder) which I guess is the worm or virus starting itself up. Also, there are about 10 .exe files in the C:/ directory, all with weird names like xdcsskyt.exe

I went to Symantec site on my computer and everything they have written suggests this worm is from the W32.Gaobot family but when I check the registry keys that are supposed to be affected, the files that are supposed to be added to the keys aren't there. Also, Symantec says that a manual scan with the latest definitions should find the worm files but any scan I do comes back clean.
So, now I don't know what to do-has someone had this problem or does anyone have any idea how to identify what virus this actually is so I can start cleaning it properly.

Sorry for the long post but this has me scratching my head. Thanks kindly for any help you can give. Cheers

[zapjb]

Maybe it's in quaratine. Disable system restore. Delete all files in quaratine.

When you are virus free reenable system restore.

[danzak]

thanks for the reply. yeah, i disabled restore when i scanned with NAV yesterday. Also deleted 1 file from quarrantine (in the backup items folder) that was from around the time I think the infection started. Scanned again, nothing found, but the symptoms of infection are all still there. damn!

[peat moss]

Did you try starting in safe mode? Then scan with your anti virus .I read that on the norton site.

Its here under removal instuctions.
http://securityresponse.symantec.com/avcen....gaobot.yc.html

[johnboy27]

Here is the virus removal tool for the virus you have.
http://securityresponse.symantec.com...r/FxGaobot.exe

[danzak]

Hey all, thanks for the replies. I haven't tried any of the removal tools because I can't confirm that the Goabot is the worm that I actually have. The NAV scan still shows nothing, even in Safe Mode.
Now weirder things have started happening-I'm trying to help my dad over the phone yesterday and now his printer and internet connections have stopped working. And sometimes, when he goes to shut the PC down, the Shut down button doesn't show up, just the logoff and suspend (I think) so he has to manually shut the PC down. I'm going over there tonight to see what's going on first hand, but it sure would be nice to nail down what I'm dealing with here.

Anyone heard of HijackThis? Supposed to show you all the processes going when your machine boots up. any thoughts?

Thanks again for your help.

[ricochet]

Download a copy of NOD 32 and try that A.V. Disable system restore, Run scan, If nothing comes up, and problems contune I would make your MOM backup your files and do a clean install of your os.

Or charge her for you doing it...

[danzak]

OK thanks. If it all fails, should I format the C:/ before reinstalling the OS or will doing a clean (ie-overwriting all the old info, can't remember what option that is under XP installation) be enough?

"Or charge her for you doing it... " LOL! by her calculations, I owe her around $500 000 for my upbringing, so I'll tell her to knock some off my tab

[Nightwolf]

See if you can prevent that DOS window from opening whenever you boot. Run msconfig, click on the Startup tab and uncheck anything you don't think you need. Reboot and try scanning with NAV again.

If you can't find it with msconfig, download Regseeker and use that to remove hidden startup entries from the registry.

[johnboy27]

Originally posted by danzak@2 May 2004 - 13:21
Hey all, thanks for the replies. I haven't tried any of the removal tools because I can't confirm that the Goabot is the worm that I actually have. The NAV scan still shows nothing, even in Safe Mode.
Now weirder things have started happening-I'm trying to help my dad over the phone yesterday and now his printer and internet connections have stopped working. And sometimes, when he goes to shut the PC down, the Shut down button doesn't show up, just the logoff and suspend (I think) so he has to manually shut the PC down. I'm going over there tonight to see what's going on first hand, but it sure would be nice to nail down what I'm dealing with here.

Anyone heard of HijackThis? Supposed to show you all the processes going when your machine boots up. any thoughts?

Thanks again for your help.

Here is a quote from one of the mods on the other forum.
"C:\windows\system32\drivers\etc\hosts

edit this file and remove the added lines at the end of the file. The worm places entries in there to prevent you from accessing security related sites. Once you empty off the extra lines you will be able to access all sites."

Doing that will let you get onto some of the sites it block and you may just be able to do an online scan and get rid of it.
Good luck.

There is another worm virus out there which is a variant of tha goabot worm it is called worm_agobot.mg . Norton does not recognize it for some reason.Because it is a variant of the agoabot worm the removal tool I posted earlier could possibly work on it according to trend micro. In another forum I frequent there has been about 5-10 people that have gotten one of these two over the last week or two.