Author Topic: GAOBOT: A POS virus that really screwed my system over!

Dark Fact

  • Hero Member
  • *****
  • Posts: 1147
GAOBOT: A POS virus that really screwed my system over!
« on: January 08, 2007, 08:50:31 AM »
Guys, I got a problem and it goes like this:

A couple weeks ago, my sister flew in from Ottawa, Canada to stay with us over the holidays for 10 days before she went off to Jamaica to attend one of her friends' weddings.  While she was here, she wanted me to install LIMEWIRE on my computer so she could download songs onto her iPod (her Christmas gift), considering that she didn't want to pay for songs from iTunes.  Anyways, I downloaded the program, got her songs, and all was hunky-dory.

However, after she left, I wanted to download an episode of Cadillacs & Dinosaurs but the file I got contained a nasty virus which after I scanned using Housecall v6.5, turned out to be the GAOBOT.DF worm.

What is this virus you ask? Like I said, it's f*cking nasty.  It saved to my System32 and Microsoft Outlook folders, COMPLETELY hid the folders where I can't access them, disabled my task manager, kept rebooting LIMEWIRE, and disabled my desktop.

Housecall couldn't eradicate the virus, and I couldn't access the desktop even in Safe Mode.  So, I went into Command Prompt, deleted the winlog.exe and Outlook folder, and got my desktop back.  I also went and deleted LIMEWIRE and the virally infected folder.

However, this is where I need your help: my task manager is still disabled and I've been getting error messages about the existence of winlog.exe.  Not to mention my System32 folder is still inaccessible.

Do you guys know where I can get a replacement winlog.exe, and more importantly, how to get rid of that GAOBOT virus for good? It's f*cking annoying! :x

Sorry, but I don't see your library card on the books of Ys.  Now, RETURN THEM TO ME!!!

rolins

  • Hero Member
  • *****
  • Posts: 1059
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #1 on: January 08, 2007, 09:31:30 AM »
Dude, forget it. There's no point in rescuing the O.S. when it's infected. Even if you quarantine or remove the virus/trojans/worms there will always be residue left over. Save any files you can to CD-R, and reformat the entire hard drive & start over.
« Last Edit: January 08, 2007, 09:34:16 AM by rolins »

Necromancer

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 21366
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #2 on: January 08, 2007, 09:43:34 AM »
I'm with Rolins, but if a fresh start isn't in the cards, try one of the Gaobot removal tools from Symantec, McAfee, etc.  You'll likely have to download them from another computer, as this virus changes the hosts file to keep you from visiting their web sites.  After using a removal tool (or two), boot from your Windows CD and repair Windows.  Hopefully this will bring everything back to normal.
U.S. Collection: 97% complete    155/159 titles

Dark Fact

  • Hero Member
  • *****
  • Posts: 1147
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #3 on: January 08, 2007, 10:52:16 AM »
I came here to be helped and now I'm being told to throw the baby out with the bathwater? WTF!

First of all, this isn't the first time my computer has been infected with viruses.  I had the infamous Sasser virus on my system before.  I used Housecall to get rid of it just fine without any lasting damage to my system, but that was after I sought technical support and reformatted my system.  The system restore caused the virus to be permanently backed up into my system files, where it remains in backup to this day.

Another thing, I have a SONY VAIO system.  This computer doesn't come with an installation disk.  It performs system restore on my C: drive from a built-in program.

I want to know if anyone here knows how to get rid of this worm and know where else to find a spare winlog.exe file.  That's all I ask.

Sorry, but I don't see your library card on the books of Ys.  Now, RETURN THEM TO ME!!!

Keranu

  • Hero Member
  • *****
  • Posts: 9054
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #4 on: January 08, 2007, 11:24:11 AM »
Ouch, stay away from LimeWire! Those programs are infested with e-AIDS and should be avoided like a hooker with jumping crabs. I agree with what everyone else said: back up any files you want to keep (assuming they are safe; better do a quick virus scan to see), format your hard drive and reinstall your OS.
Quote from: Bonknuts
Adding PCE console specific layer on top of that, makes for an interesting challenge (no, not a reference to Ys II).

Tatsujin

  • Hero Member
  • *****
  • Posts: 12311
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #5 on: January 08, 2007, 03:09:24 PM »
Dangerous world we live in nowadays  :(
www.pcedaisakusen.net
the home of your individual PC Engine collection!!
PCE Games countdown: 690/737 (47 to go or 93.6% clear)
PCE Shmups countdown: 111/111 (all clear!!)
Sega does what Nintendon't, but only NEC does better than both together!^^

rolins

  • Hero Member
  • *****
  • Posts: 1059
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #6 on: January 08, 2007, 03:11:57 PM »
Look, you do not want to replace the winlog.exe because it's part of the problem. It's a file that the worm plants into your system.

Here's a guide to actually removing GAOBOT.DF

I copied & pasted the important stuff for ya.

Quote from: Trend Micro
Removing Autostart and Added Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

   1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
   2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
      Windows>CurrentVersion>RunServices
   3. In the right panel, locate and delete the entry:
      Winlog = "winlog.exe"
   4. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
      Windows>CurrentVersion>Run
   5. In the right panel, locate and delete the entries:
      • winlog = "winlog.exe"
      • outlook = "%Program Files%\outlook\outlook.exe \auto"
      (Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)
   6. In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>OLE
   7. In the right panel, locate and delete the entry:
      Winlog = "winlog.exe"
   8. Close Registry Editor.

Deleting the Malware File

   1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
   2. In the Named input box, type:
      bszip.dll
   3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
   4. Once located, select the file then press Delete.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_GAOBOT.DF. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the patches supplied by Microsoft:

    * Microsoft Security Bulletin MS03-039
    * Microsoft Security Bulletin MS04-011

Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.

Dark Fact

  • Hero Member
  • *****
  • Posts: 1147
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #7 on: January 08, 2007, 03:17:11 PM »
Rolins, I'll try downloading the patches from Microsoft's security bulletin but for using regedit, the virus has locked me out of the registry.  I'll let you all know what comes of this.

Sorry, but I don't see your library card on the books of Ys.  Now, RETURN THEM TO ME!!!

Michael Helgeson

  • Guest
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #8 on: January 08, 2007, 07:41:41 PM »
On request you may be able to coax Sony into sending you a system restore on disc if you explain the situation. Then again they may just tell you to f*ck off for downloading music that you didn't pay for. You'll prob have to come up with a generic explanation and beg them. Or if possible take the Windows key you have, find one of the Windows All-in-One discs that has all the OEM versions (Sony, Compaq, eMachines) on it and use that and your key for a restore.

I've done this before for people and it tends to work ok now and then.

nodtveidt

  • Guest
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #9 on: January 09, 2007, 12:51:50 AM »
If it's blocked access to regedit, you could try an alternate registry editor. Also, if you can access system32 from the command prompt, you should be okay, otherwise, try something simple like deleting the hosts file from somewhere else, or even seeing if you can edit it yourself. Also, if you have access to attrib, you could probably make any permission changes yourself.
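As an added illustration (not code from Trend Micro or from anyone in this thread), a small Python checker that parses a constructed .reg export for the autostart values the Trend Micro guide above lists, and a constructed hosts file for the vendor sinkholing Necromancer and nodtveidt mention; the vendor word list is an assumption drawn from the names used in the thread.

```python
import re
# Constructed .reg export (not a real capture) with the autostart values the
# Trend Micro write-up lists, plus one legitimate value as a control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winlog"="winlog.exe"
"outlook"="C:\\Program Files\\outlook\\outlook.exe \\auto"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Winlog"="winlog.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Winlog"="winlog.exe"
'''
# Constructed hosts file showing the vendor sinkholing the thread describes.
SAMPLE_HOSTS = '''127.0.0.1 localhost
127.0.0.1 www.symantec.com   # constructed entry
127.0.0.1 housecall.trendmicro.com
'''
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE")}
BAD_DATA = ("winlog.exe", r"outlook\outlook.exe")  # value data from the guide
VENDOR_WORDS = ("symantec", "mcafee", "trendmicro")  # assumed: vendors named in thread

def find_autostart_entries(reg_text):
    """Return (key, name, data) for values under the guide's keys whose data
    names the worm's files; unescapes .reg backslashes and quotes."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key section
            continue
        m = re.match(r'"([^"]+)"="((?:[^"\\]|\\.)*)"$', line)
        if not m or key is None or key.lower() not in AUTOSTART_KEYS:
            continue
        data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
        if any(frag in data.lower() for frag in BAD_DATA):
            hits.append((key, m.group(1), data))
    return hits

def find_hosts_sinkholes(hosts_text):
    """Return vendor hostnames that the hosts file maps to loopback/null."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) > 1 and fields[0] in ("127.0.0.1", "0.0.0.0", "::1"):
            hits += [h for h in fields[1:] if any(w in h.lower() for w in VENDOR_WORDS)]
    return hits
```

Running it against a real export (`regedit /e`) and `%SystemRoot%\system32\drivers\etc\hosts` only reports the entries; removing them is still the manual step the guide describes.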

Dark Fact

  • Hero Member
  • *****
  • Posts: 1147
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #10 on: January 09, 2007, 04:52:35 AM »
Quote from: nodtveidt
If it's blocked access to regedit, you could try an alternate registry editor. Also, if you can access system32 from the command prompt, you should be okay, otherwise, try something simple like deleting the hosts file from somewhere else, or even seeing if you can edit it yourself. Also, if you have access to attrib, you could probably make any permission changes yourself.
What kind of alternate registry editor? Could you give some examples? As for system32, I can access it just fine from Command Prompt but Housecall detects that the virus has infected the winlog.exe file but winlog.exe isn't even listed in the directory! Whoever made this virus was one big son of a bitch!

I'm not too familiar with attrib...what's it like? :-s

Quote from: Michael Helgeson
On request you may be able to coax Sony into sending you a system restore on disc if you explain the situation. Then again they may just tell you to f*ck off for downloading music that you didn't pay for. You'll prob have to come up with a generic explanation and beg them. Or if possible take the Windows key you have, find one of the Windows All-in-One discs that has all the OEM versions (Sony, Compaq, eMachines) on it and use that and your key for a restore.

I've done this before for people and it tends to work ok now and then.
Ha, like I can trust those nosepickers over at SONY.  I tend to rely on people I can actually trust like you guys here. :D

As for those patches, they don't have the ones that match my system.  My system uses a Windows XP Service Pack 2 2002 edition.

Sorry, but I don't see your library card on the books of Ys.  Now, RETURN THEM TO ME!!!

nodtveidt

  • Guest
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #11 on: January 09, 2007, 11:17:02 AM »
http://www.google.com/search?q=alternative+registry+editor

"attrib" is a command-line utility that can modify file and directory attributes, if you have the correct user level. As Administrator, you should be able to modify just about everything except a few protected system-level files and directories.

FM-77

  • Hero Member
  • *****
  • Posts: 2180
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #12 on: January 09, 2007, 11:42:40 AM »
I suggest getting a pirated, illegal version of Windows and installing that instead. :wink:

Hobo Xiphas

  • Hero Member
  • *****
  • Posts: 529
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #13 on: January 09, 2007, 02:04:32 PM »
Quote from: FM-77
I suggest getting a pirated, illegal version of Windows and installing that instead. :wink:

Why bother with pirated Windows when you could use this instead?

Keranu

  • Hero Member
  • *****
  • Posts: 9054
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #14 on: January 09, 2007, 02:23:43 PM »
HURD is the greatest!
Quote from: Bonknuts
Adding PCE console specific layer on top of that, makes for an interesting challenge (no, not a reference to Ys II).