Gaobot.gen 2

[jdhilljr]

I have 2 computers running windows xp home infected with this worm. I have done all manual fixes according to Norton.
1, Disabled system restore
2, Made sure all windows xp home updates are current.
3, Made sure all Norton updates we're done.
4, Checked all hosts files for 127.0.0.1 localhosts
5. Ran Norton complete scan in safe mode
6. Deleted lmss.exe infected file
7. Scanned registry according to instructions and found no problems.
Then after a restart
Ran Norton and showed no virus.
Approximately 20 minutes later the virus reaapears.

I have done these steps about 6 times.

Any help or suggestions would be appreciated.

Jim

 

[diogenes10]

1) Did you try the symantec removal tool?

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.removal.tool.html

2)McAfee has a removal tool called stinger, not sure it will work on this one, but you could try.

http://vil.nai.com/vil/stinger/

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[diogenes10]

http://www.dslreports.com/forum/remark,10157111~mode=flat?hilite=remove+gaobot

The thread above mentions a lesser know av product the poster used.

You could also try using hijackthis to look at processes running for something out of the ordinary.
This thread as an example:

http://internetcops.biz/modules.php?name=Forums&file=viewtopic&p=192906

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[jdhilljr]

Thank you for your suggestions. I had already tried the symantec removal tool which didn't locate the virus. I am currently trying the other remedies and will let you know the outcome. I disconnected these PC's from access to an intenet connection and deleted the virus file and it has not yet returned.

Thanks,
Jim

 

[Kesser]

AVG's vCleaner gets rid of all known worms, I have found it to be good....

 

[jdhilljr]

Thank you all for your very good suggestions. I have tried all and still have the virus. I even called symantec and agreed to pay for their assistance with removal. After explaining the way the virus reacts and the steps I have taken to remove it their only suggestion was a possibility of corrupted norton anti-virus. After scanning that computer with another computers Norton Antivirus and using another anti-virus software program, I can only conclude that is not the case. They even declined to charge my credit card. Are there any other suggestions or help available?

Thanks,
Jim

 

[diogenes10]

I started to do a little hunting, have been interrupted and cant finish checking.
I've not had time to compare the things below to the symantec instructions to see if they are different
Ill pass them along as is incase they're any help.

http://216.239.51.104/search?q=cach..._remove_gaobot_sy.htm+remove+gaobot.gen&hl=en

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=sol&idvirus=40759

http://216.239.51.104/search?q=cach...e/0,1761,a=128438,00.asp+remove+gaobot+&hl=en

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[jdhilljr]

Thank you for your posts. We had an expert come in last night who found the virus and deleted it. Once I find out how I will post it.

Jim

 

[diogenes10]

Glad you got it fixed, most of the things I was reading about showed either Norton's removal tool fixing it or being able to find the process with HijackThis. Will be interested to see how it was fixed on your system.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?

 

[bfralia]

Gaobot keeps changing, for awhile it's active process is soundcntrl or soundctl or something else to do with sound. A recent version of it came out that was being detected as hosts.apb. It removed the bad entries fromm the host file at boot up but didn't ever find the cause.

My cohorts and I discovered a program called soundcntrl.exe was causing the host file problem. We stopped the process, took it out of registry run and run services entries and rebooted. we then deleted the program. I sent a copy to McAfee and the next morning got an extra dat file to detect that version of the virus.

Later I found a varient that was soundctl.exe that McAfee didn't pick up.

 

[jdhilljr]

Diogenes10
I tried the Panda Software at home. The download was corrupt and disable all external devices including USB and Ethernet ports. When I went to remove it I encountered another error and the program wouldn't remove. I had run the scan during the download which I thought might have caused the error. I finally found the install file, ran install which fixed the problem with the file but still wouldn't allow external communication. I then removed the program and everything returned back to normal.
On what operating system are you using this software?

Jim

 

[diogenes10]

I've used pandasoft,trendmicro, and pestpatrol scans on my win98se system without any trouble. I'd try pandasoft myself but our company AV product was changed over the weekend and the disable feature is password protected, so I can no longer disable it and experiment with something else.

I've also used pandasoft or trendmicro on an ME system, but I dont remember which one.

There is no indication of operating system issues in smah's faq either. I dont know what happened with your situation.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?