Help, can't delete virus, can't do update

I just installed Avast 4 yesterday; when I ran it today, it found 2 viruses - it deleted one and couldn’t do anything about the other (Win 32: Gaobot -129 (wrm)). All the options don’t work because they say the file it is in is being used by other programs.

My computer has been wonky for a long time, and my other anti-virus program never detected this virus. Right now, I’m only using Avast 4, with no firewall. But I’m aghast that the comp can’t do automatic updates as well. It says that some server is down…what can I do?
I’m not a tech-savvy person, so I need real simple instructions…

Hello-
Turn off "system restore"
Reboot into "safe-mode" and then run avast.
You need to use a firewall. Check out my site for some tips.
Check your "hosts" file. WINDOWS\System32\Drivers\etc
Open with Notepad, there is info with a # sign in front.
After the info there is “127.0.0.1 localhost”
Delete any entries after that one. Those entries will stop you from updating.
See: http://vil.nai.com/vil/content/v_125006.htm
Post back with results
-max
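
Added example, not part of the thread or any poster's own code: the hosts-file check from the reply above as a Python script. It assumes, as that reply does, that a clean file holds only comments and the localhost line, and it flags every other entry wherever it sits in the file; the hostnames in the sample are constructed placeholders.

```python
# Added example: audit a hosts file for entries beyond the default localhost line.
import ipaddress

# Assumption (from the reply above): a clean hosts file holds only comments and localhost.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) tuples for entries worth reviewing."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments, inline ones too
        if not entry:
            continue
        fields = entry.split()
        ip, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names), "malformed address"))
            continue
        if not names:
            findings.append((line_no, ip, "", "no hostname"))
            continue
        for name in names:
            if (ip, name.lower()) in EXPECTED:
                continue
            if addr.is_loopback or addr.is_unspecified:
                reason = "name pointed at this machine, so connections to it fail"
            else:
                reason = "name redirected to another address"
            findings.append((line_no, ip, name, reason))
    return findings

# Constructed sample; the hostnames are placeholders, not real vendor servers.
SAMPLE = """\
10.9.8.7 download.av-vendor.example
# Sample hosts file
127.0.0.1 localhost
127.0.0.1 update.av-vendor.example   # blocks updates
0.0.0.0 windowsupdate.os-vendor.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s %s -> %s" % finding)
```
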

Hi,

Thanks for the instructions. I know this sounds stupid but I don’t know how to turn off “system restore” - I’m using Win 2000 professional. How do I go into safe mode?

I did check the “hosts” file, and did not find a “#” sign in front of the info. I deleted some weird entries that did not have the “127.0.0.1” thing, but the comp still refuses to update - those entries were actually before the legit entries, not after.

I am sorry but I don’t have much experience with Win2000.
In win98 and XP you hit F8 at boot-up and a menu comes on.
I am not sure if 2000 has "system restore" but you will find it in system properties if there is one. My web site has links to some scanners.
Also make sure windows has been updated with latest patches.
-max

It doesn’t seem to have a “system restore” function, so I rebooted in safe mode and ran Avast. It found a trojan, another Gaobot worm and a VBS: Redlof. It managed to delete them, but it still couldn’t do anything about the original one I found, which is Win 32: Gaobot-129 (wrm) in C:\WINNT\System32\svchostx.exe[PEShield]…it says “cannot access file because it is being used by another”. There is another file in that same folder but it’s an svchost.exe - is that why I can’t delete the one with the worm?

I’ve been having this svchost.exe error for over 6 mths, where the computer will disable all linking functions (like copy and paste) once I’ve been on the Internet for a while - it could be 1 minute or 20 minutes before the error message pops up. After that, I can’t use copy and paste, I can’t click on most website links (nothing happens when I click) and I can’t open Excel (it will just try to start up and then close itself).

As a result of this error, I can’t install any patches I’ve downloaded, so I stopped trying. I tried installing Service Packs also, but couldn’t. I don’t know how this error came about, but it’s probably also why I can’t receive automatic updates for anti-virus softwares. Don’t know what to do…

You should run HijackThis and see what is going on.
PE Shield is a “packer”.
What scanners have you tried?
-max

Hi,

here are some info & removal instructions for your worm:
VGREP

you might also use online scanners Trend, RAV & kav to get a more specific identification…

BUT:

  • it will always come back if you don’t do Windows updates & change your passwords…
  • with all those problems you experience, it would be better to format & rebuild.
    → Download & back up all Service Packs & Windows updates/patches before; install them BEFORE EVER going online.

Read the BACKDOOR-section in the pinned “VirusRemoval” topic on top of the virus-board here…

:wink:

What is a “packer”?

Haven’t run any scanners yet - but will soon. How do you temporarily switch off Avast so that I can run an online scanner?

I ran Avast again just now, and found that the infected files that were supposedly deleted were still there - I deleted them again, so hopefully they are really gone.

I deleted the last remaining infected file manually - went to the directory and just deleted the thing, after unchecking the “read only”. I don’t know if this would have done more harm than good…

I have no idea how to reformat the PC, but I know you’re right…with all the problems I have, I really need to.

I’ve scanned the PC with Kaspersky, Rav - couldn’t use Trend Micro for some reason - the thing downloaded for helluva long time, and then nothing happened.

Anyway, they say I have a file C:\WINNT\System32\waumgrd.exe which is infected by Backdoor.Rbot.gen. I tried looking for this under Symantec and others and couldn’t find one with the same name…can I just delete it?

It’s probably called “wuamgrd.exe”, and you can and should delete it…
if you don’t secure your system, it will come back, however, as soon as you go online…

:wink: