W32.Gaobot.SN Removal?

Discussion in 'Malware Help (A Specialist Will Reply)' started by ryansiu, Sep 7, 2005.

  1. ryansiu

    ryansiu Private E-2

    Hi people, I have a virus on my comp which Norton alerts me of every time I start my computer and am connected to the internet. The virus is W32.Gaobot.SN. Norton alerts me of the virus and then tells me it has been deleted, but it keeps coming back. It says the virus is in a file called

    C:\DOCUME~1\Ryan\LOCALS~1\Temp\ac3275.exe
    and

    C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\VNNX2Q4G\k2[1].txt

    but they are deleted every time.

    I also get an alert for viruses called W32.Randex and W32.Spybot.Worm, but these are also deleted.

    Please help!!

    Any help would be greatly appreciated

    Thanks in advance
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. ryansiu

    ryansiu Private E-2

    Thanks for your reply

    I followed that guide and had the following results,

    Bitdefender

    Deleted file - infected with Backdoor.SDBot.B7E176BD
    in C:\Program Files\Norton Antivirus\Quarantine

    Deleted file - C:\Windows\scrbmk.exe - suspected of: BehavesLike:Trojan.Downloader

    RAV Antivirus

    Suspicious file - C:\Program Files\WinRAR\Uninstall.exe - Backdoor:Win32/Poebot.E

    Stinger

    no infected files found

    CWShredder

    Removed CWS.MSConfig

    And I have also attached the HijackThis log.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you know that Messenger Plus! 3 is the cause of problems on tons of PCs? It can install (if you are not careful) a load of bad stuff including a LOP infection. I call it TrickWare, because it tries to trick you into installing bad stuff. I always recommend that software like this be uninstalled. They are not to be trusted.

    Did you want the below settings set to about:blank?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [cpds] C:\WINDOWS\cpds.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2731b8eaa97082c90f06/netzip/RdxIE601.cab

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\cpds.exe
    C:\WINDOWS\scrbmk.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to C:\Windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
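The manual steps in the post above (remove the O4 Run entry, kill the process, clear the read-only attribute, delete the dropped files, empty Prefetch) can be done from an elevated PowerShell prompt. This is an added example, not something posted in the thread or part of HijackThis; it assumes PowerShell is available on the machine and is meant to be run after booting to safe mode as the post says. The Run value name `cpds` and the two file paths are taken from the HJT log lines quoted in the post; everything else (variable names, the Prefetch wipe being unconditional) is the example's own choice.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt in safe mode.
# Persistence entry and file names are the ones quoted in the HJT log above.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'cpds'
$files    = @("$env:windir\cpds.exe", "$env:windir\scrbmk.exe")

# 1. Record what the Run key currently launches before touching anything.
Get-ItemProperty -Path $runKey | Select-Object -Property * -ExcludeProperty PS* | Format-List

# 2. Remove only the named persistence entry (what HJT's O4 "Fix" does).
$current = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($current -and ($current.PSObject.Properties.Name -contains $runValue)) {
    Remove-ItemProperty -Path $runKey -Name $runValue
    "Removed Run value '$runValue'"
}

# 3. For each dropped file: stop the process if it is still running,
#    clear the read-only attribute, then delete the file.
foreach ($f in $files) {
    $procName = [System.IO.Path]::GetFileNameWithoutExtension($f)
    Get-Process -Name $procName -ErrorAction SilentlyContinue | Stop-Process -Force

    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        if ($item.IsReadOnly) {
            # Same as unchecking "Read-only" in the file's properties dialog.
            $item.IsReadOnly = $false
        }
        Remove-Item -LiteralPath $f -Force
        "Deleted $f"
    } else {
        "Not present: $f"
    }
}

# 4. Empty Prefetch so a cached launch record of the malware is not left behind.
Remove-Item -Path "$env:windir\Prefetch\*" -Force -ErrorAction SilentlyContinue
```

Step 1 prints the full Run key first so you can compare it against the HJT log and confirm nothing unexpected is about to be removed; step 3 uses `-LiteralPath` so a file name containing brackets (like the `k2[1].txt` in the first post) is not treated as a wildcard.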
  6. ryansiu

    ryansiu Private E-2

    Yeah, I think I reset them all to blank.

    I did not know that about MSN Plus 3, I thought as long as you don't install the sponsor program then it's fine. Thanks for your help, I'll try the new steps you recommended.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's what I meant when I said "(if you are not careful)". But it is still not recommended to use stuff like this due to their sneaky tactics. But in the end, it is your decision. We removed it from our download folders as soon as we realized what was in the license agreement and what it could possibly do to unsuspecting users who do not read the license agreement.
     
  8. ryansiu

    ryansiu Private E-2

    OK, done. Thank you, everything seems to be working now.

    I noticed a file called bdoscandel.exe, in the Windows directory, is this ok?

    Also I have another problem you might be able to help me with: my computer takes a long time to start up. Do you know any way to fix this? Also it takes even longer when I do not connect to a wireless router, but it is quicker when a wireless router is available. Any ideas?

    Again thanks for your help, HijackThis log attached.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    bdoscandel.exe is from BitDefender online scan.

    Your boot-up speed may just be normal for the items you are loading at startup. And when you do not have the router it could just be spinning its wheels looking for the network interface.

    There are also items that you could consider not loading during startup but this is not really a malware topic.
     