Author Topic: GAOBOT: A POS virus that really screwed my system over!  (Read 1757 times)

Dark Fact

  • Hero Member
  • *****
  • Posts: 1147
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #15 on: January 09, 2007, 04:25:44 PM »
Nodtveidt, is there an "attrib" for XP? Because the search results keep listing Windows 2000 and Windows Server 2003.

By the way, I'm NOT installing another O/S on my computer.  It'll overwrite all the pre-installed software on this computer and render it useless in the future. 

Or maybe I'll just do a complete system restore over the weekend.  This whole virus bullshit is making me sick and tired and I have university tests to study for in the coming weeks.

Sorry, but I don't see your library card on the books of Ys.  Now, RETURN THEM TO ME!!!

Hobo Xiphas

  • Hero Member
  • *****
  • Posts: 529
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #16 on: January 09, 2007, 11:57:15 PM »
Quote from: Dark Fact
Or maybe I'll just do a complete system restore over the weekend.  This whole virus bullshit is making me sick and tired and I have university tests to study for in the coming weeks.

That is seriously the best option if you don't want to do a full reinstall.

And I wasn't serious about HURD at all, you'd have to be some sort of deviant to use that piece of crap. ](*,)

FM-77

  • Hero Member
  • *****
  • Posts: 2180
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #17 on: January 10, 2007, 01:35:40 AM »
Why will it be useless? Just re-install all the software, or better yet - get better software. The stuff that comes bundled with these computers is usually crap stuff.

Dark Fact

  • Hero Member
  • *****
  • Posts: 1147
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #18 on: January 10, 2007, 03:59:29 AM »
Quote from: Seldane
Why will it be useless? Just re-install all the software, or better yet - get better software. The stuff that comes bundled with these computers is usually crap stuff.
Seldane, I can't because the software is all installed within the system.  There is no separate restore disk that contains this software.  If it's overwritten with a new O/S, it's gone forever.


Necromancer

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 21366
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #19 on: January 10, 2007, 05:13:26 AM »
Have you tried a removal tool (i.e. FxGaobot.exe from Symantec) as previously posted?  These removal tools are usually effective and foolproof.  If the tool fails, try the manual removal instructions (http://www.symantec.com/security_response/writeup.jsp?docid=2003-112112-1102-99&tabid=3).  You could also try booting from a USB thumb drive (or CD) loaded with antivirus tools.  Disabling system restore before running the antivirus tool will allow the old restore points to be cleaned.  For alternatives to regedit.exe, try Nirsoft's RegScanner or DC Software's RegEditX.  Good luck.  :pray:

P.S. - Get a virus scanner to prevent future problems.  Grisoft's AVG Anti-Virus is free & pretty good.
U.S. Collection: 97% complete    155/159 titles

nodtveidt

  • Guest
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #20 on: January 10, 2007, 09:35:03 AM »
"attrib" is a part of Windows (it's been a part of the OS since the early PC-DOS days). I'm not sure if having system32 tampered with will affect it or not, as attrib.exe is a program that resides in system32. You could also try "regedt32" instead of "regedit", few people know that regedt32 exists and is a part of XP. Again though, it's also kept in system32.

TR0N

  • Hero Member
  • *****
  • Posts: 6421
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #21 on: January 10, 2007, 04:22:28 PM »
Damn sounds like your pc is screwed.

I was talking to my father today; he's having the same problem as well.

Still, he's going the other way on the fix: he's gonna buy a Mac instead.

Pretty much he told me he's sick and tired of... Windows, period, and I don't blame him at all.
« Last Edit: January 10, 2007, 04:24:36 PM by Tron »

PSN:MrNeoGeo
Wii U:Progearspec

Dark Fact

  • Hero Member
  • *****
  • Posts: 1147
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #22 on: January 11, 2007, 04:20:14 AM »
Nodtveidt, Necromancer, thanks for the help. :D  I managed to get into regedit32 with the help from the article you guys put up and I managed to get rid of all the shitty files that disabled access to my task manager.  In addition, that stupid winlog error message that pops up every time I start windows is gone. :D

However, the virus isn't completely gone yet.  My System32 file is still disabled and housecall still detects traces in Outlook and the System32.  The files it still detects that are infected are winlog and outlook.  Both EXE files.  However, the files don't appear in Command Prompt.  Is there another path in regedit32 that I can take that can eliminate these remaining strains?


nodtveidt

  • Guest
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #23 on: January 12, 2007, 11:25:08 AM »
Do a little test...

Go to a command prompt (cmd) and type attrib \windows\system32 and hit Enter. On a normal system, you should see it give the path to the system32 directory and nothing else. If there are ANY things different (such as an R or an S to the left of the path name), then you might be able to correct that using attrib. Also, can you do this:

cd \windows\system32

without difficulty? No error messages or "Access denied" messages? If so, then it's an Explorer exploit and is easily corrected.

Dark Fact

  • Hero Member
  • *****
  • Posts: 1147
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #24 on: January 12, 2007, 01:24:52 PM »
Quote from: nodtveidt
Go to a command prompt (cmd) and type attrib \windows\system32 and hit Enter. On a normal system, you should see it give the path to the system32 directory and nothing else. If there are ANY things different (such as an R or an S to the left of the path name), then you might be able to correct that using attrib.
Got a "System cannot find the path specified" error.
Quote
Also, can you do this:

cd \windows\system32

without difficulty? No error messages or "Access denied" messages? If so, then it's an Explorer exploit and is easily corrected.
That worked fine, but the winlog file isn't in there, yet housecall still detects it in my system...strange. :?


nodtveidt

  • Guest
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #25 on: January 13, 2007, 10:11:42 AM »
Hrm...weird. That looks like a bogus message to me. attrib uses a different response when it can't find something...it would look more like this:

File not found - \windows\system32

or it will tell you "Path not found: [pathname]" if you tried running it from another drive. That specific error you wrote is highly suspect.

Go to \windows\system32 and do:

dir /a:h/p

and see if it turns up. if not, then do:

dir /a:s/p

and see if it turns up as well. If it does on EITHER one, do this:

attrib +a -s -h -r winlog*.*

to make it "accessible". If this works, you can manually delete the file with "del".

If NONE of this works, there are other ways. Remote Desktop comes to mind, if you want to try such a route. Regardless, if there's a way to break the system, there's a way to mend it as well, and I've yet to find a piece of malware that I couldn't conquer.

Dark Fact

  • Hero Member
  • *****
  • Posts: 1147
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #26 on: January 14, 2007, 07:08:49 AM »
Great news guys, with the help of this little frames site for housecall, I was finally able to get those last couple of strains off of my computer. :D I thought that housecall removed their frames page in favour of their java scanner but it still exists and the little frames scanner did the job just fine.

However, even though my system is virus free now, the System32 folder is still hidden in my WINDOWS directory and I can only access it through command prompt.  Is there a way to fix this?


rolins

  • Hero Member
  • *****
  • Posts: 1059
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #27 on: January 14, 2007, 07:39:19 AM »
Quote from: Dark Fact
Great news guys, with the help of this little frames site for housecall, I was finally able to get those last couple of strains off of my computer. :D I thought that housecall removed their frames page in favour of their java scanner but it still exists and the little frames scanner did the job just fine.

That's good news you got your PC running healthy again.

Quote
However, even though my system is virus free now, the System32 folder is still hidden in my WINDOWS directory and I can only access it through command prompt.  Is there a way to fix this?


Try this. Go to "My Computer" then

At the top, Tools --> Folder Options --> View

under "Hidden Files and Folders" select "Show hidden files and folders"

Dark Fact

  • Hero Member
  • *****
  • Posts: 1147
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #28 on: January 14, 2007, 08:16:17 AM »
Quote from: rolins
Try this. Go to "My Computer" then

At the top, Tools --> Folder Options --> View

under "Hidden Files and Folders" select "Show hidden files and folders"
I tried that already.  It didn't work.

There is also some other strange problem.  It seems that every now and then the browser windows disappear and reappear in the blink of an eye with my HD flashing like something got loaded over the network but I don't know what.  Does it also have something to do with Gaobot?


nodtveidt

  • Guest
Re: GAOBOT: A POS virus that really screwed my system over!
« Reply #29 on: January 14, 2007, 09:43:26 AM »
At the command prompt:

attrib -a -r -s -h \windows\system32

That will clear all attribute flags from that directory. If that doesn't work, try looking in \windows\system32 for autorun.* or desktop.* files. If they exist, delete them. Also, try looking in \windows for the same files. Autorun files scripted deviously can block access from Explorer, and desktop INIs can do similar evil things when scripted right. There are other methods that can be used but one of the above will likely fix the folder problem.

Realistically, there's rarely a need for a common PC user to go browsing through system32; even advanced users have little need for it. Glad you got the annoying virus removed though.

As for your other problem, no idea offhand. You might want to try running the latest copy of HijackThis.
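The attribute checks nodtveidt walks through above (attrib on the system32 directory, dir /a:h and dir /a:s for hidden or system files, and the autorun.* / desktop.* lookup) can be done in one read-only pass. The script below is an added example, not something posted in this thread; it only reports, so the attrib -a -r -s -h command from the thread is still the step that changes anything. The parameter names are assumed.

```powershell
# Added triage example: show the attribute flags on a directory and list the
# hidden/system files beneath it, without modifying anything.
param(
    [string]$Path   = "$env:SystemRoot\System32",  # directory to inspect
    [string]$Filter = "*"                           # e.g. "winlog*.*"
)

function Get-AttributeReport {
    param([string]$Target)
    # -Force is required or Get-Item refuses to return hidden/system items
    $item = Get-Item -LiteralPath $Target -Force -ErrorAction Stop
    [pscustomobject]@{
        Path       = $item.FullName
        Attributes = $item.Attributes.ToString()
        Hidden     = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        System     = [bool]($item.Attributes -band [IO.FileAttributes]::System)
        ReadOnly   = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
    }
}

# 1. The directory itself. A System32 carrying Hidden or System is abnormal
#    and explains why Explorer stops showing it.
Get-AttributeReport -Target $Path | Format-List

# 2. Files inside it with Hidden or System set: the same set dir /a:h and
#    dir /a:s would reveal, newest first so recent drops stand out.
$hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
Get-ChildItem -LiteralPath $Path -Filter $Filter -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band $hs } |
    Select-Object Name, Attributes, Length, LastWriteTime |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize

# 3. autorun.* and desktop.* in the folder and its parent, the files the
#    thread names as able to interfere with Explorer when crafted.
foreach ($dir in @($Path, (Split-Path -Parent $Path))) {
    Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'autorun.*' -or $_.Name -like 'desktop.*' } |
        Select-Object FullName, Attributes, LastWriteTime
}
```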