Help!!!!! Please, apparently I have a virus/worm.........

I was on my PC yesterday and after a few brief slowdowns and semi-freezes I got a box indicating I have to remove a virus… I'm not sure where the message was from… MBAM, Security Essentials or just Windows??..
this is the message i got:
-=Remove the W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm virus from your computer
This problem was caused by W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm, a known computer virus.
To prevent this problem from occurring again, install and run an up-to-date antivirus and antispyware program on your computer.=-
I had recently updated Adobe and have seen in the avast forums that there is a false Adobe update…??
I have Windows Vista Premium… 32-bit… Mike Murphy from MS advised me to use avast Free Edition together with MBAM back in November 2009… since then I have been quite content with both…
I have done scans with both but nothing comes up about an infection… they both report clean…
I would like help with this please, I'm not so technical… have taught myself everything on the PC…
I would like to continue using avast… I still have 4.8 on, I see through the forums there is a new edition 5… but seeing that this is apparently an old virus/worm :slight_smile: it should show some kind of trace?? or not??
thanks in advance tisha :slight_smile:

tisha,

Have you tried scheduling a boot scan with avast 4.8? That might help. Hopefully a more experienced person will be around shortly to give more in-depth advice.

I have Vista, and made the jump from 4.8 Free to 5.0 Free recently, and am glad I did. I don't recommend doing this until you've solved this worm problem though.

Saty

Thanks Saty,
not sure what a boot scan is… do you mean thorough??

Boot time Avast Antivirus Scanning
http://www.digitalred.com/avast-boot-time.php

Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
After install click UPDATE and run a quick scan, then click REMOVE SELECTED to quarantine anything found

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found, come back and post the scan logs here

Saty, I cannot schedule a scan in avast 4.8… not sure why, maybe I didn't install it correctly… but it updates and does everything else OK… I do a scan manually at a regular time once or twice a week… I do an MBAM scan twice a month and a Security Essentials scan twice a week…
???
This was advised to me by Mike Murphy at Microsoft when I had trouble with a month's trial of BitDefender AV…

W32.Gaobot Removal Tool
http://www.symantec.com/security_response/writeup.jsp?docid=2004-011316-4140-99

Hi Pondus,

Sorry for the delayed reply… it took so long to do the boot scan, more than 2 hours…
I had done an MBAM scan yesterday, the 11th of April, as I have it installed already, but it did not find anything… but just to be sure I ran it again and it still reported no malicious items found…
I installed SUPERAntiSpyware as you recommended and ran a scan… it found 47 infected entries but not the Gaobot worm…
I have tried to get the removal tool from Symantec but it keeps telling me that I am not the administrator, which is a bit absurd??? :o… I looked it up on the net and it was from 2003 and I think that it's not compatible with Vista…
So I googled the tool and Softpedia has one from Spyware Doctor… but I'm not sure as I have a few anti-spyware programs installed and I don't know how the Doctor will respond… is there anyone who can give me directions???
Thanks… and it's really great to get such efficient and fast responses…
Really impressed… great job…
tisha

Follow this guide from Essexboy and post the logs HERE, then he will have a look when he enters the forum
http://forum.avast.com/index.php?topic=53253.0

If the logs are big: bottom left corner > Additional Options > Attach

Hi Pondus,
here is the log from SUPERAntiSpyware plus the
MBAM log…
I tried to do as you suggested, downloading OTL…
but I don't know how to download it to the desktop… when I click
Run it says it has to go to the desktop and disappears… lol…
I'm not so technical, it's probably real simple… lol… but am anxious to give it a try…
Thank you all for your quick & useful responses…
tisha

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/13/2010 at 00:14 AM

Application Version : 4.35.1002

Core Rules Database Version : 4796
Trace Rules Database Version: 2608

Scan type : Quick Scan
Total Scan Time : 00:35:12

Memory items scanned : 725
Memory threats detected : 0
Registry items scanned : 600
Registry threats detected : 13
File items scanned : 32084
File threats detected : 34

Adware.IWinGames
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32#ThreadingModel
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable
HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID
HKCR\IEHlprObj.IEHlprObj.1
HKCR\IEHlprObj.IEHlprObj.1\CLSID
HKCR\IEHlprObj.IEHlprObj
HKCR\IEHlprObj.IEHlprObj\CurVer
C:\PROGRAM FILES\IWIN GAMES\IWINGAMESHOOKIE.DLL
HKU\S-1-5-21-1889172688-3994323396-1824962613-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8CA5ED52-F3FB-4414-A105-2E3491156990}

Adware.Tracking Cookie
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@weborama[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@serving-sys[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@tradedoubler[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@yieldmanager[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@ads.pointroll[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@fl01.ct2.comclick[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@adtech[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@content.yieldmanager[7].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@doubleclick[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@amlocalhost.trymedia[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@ads.creative-serving[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@thephonehouse.solution.weborama[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@content.yieldmanager[3].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@bs.serving-sys[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@pointroll[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@apmebf[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@adserver.zylom[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@bluemango.solution.weborama[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@bluestreak[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@xm.xtendmedia[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@ads.boonty[3].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@beacons.hottraffic[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@collective-media[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@nl.sitestat[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@mediaplex[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@statse.webtrendslive[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@ad.doubleclick[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@advertising[3].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@atdmt[2].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@content.yieldmanager[1].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@ad.yieldmanager[9].txt
C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@2o7[3].txt
C:\Windows\Temp\Cookies\tricia@statse.webtrendslive[2].txt

Malwarebytes’ Anti-Malware 1.45
www.malwarebytes.org

Database version: 3983

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

13/04/2010 00:35:54
mbam-log-2010-04-13 (00-35-54).txt

Scan type: Quick scan
Objects scanned: 108787
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
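Reading a SUPERAntiSpyware log like the one pasted above by hand is slow, and the headline number (47 infected entries) hides what was actually found. The following is an added example written for this thread, not code from the forum or from any tool mentioned in it. It assumes only the layout visible in the post (a detection name on its own line, one registry key or file path per line, and "threats detected" totals in the header) and uses a constructed, shortened copy of the pasted log as input. It separates tracking cookies from registry and file detections, cross-checks the header totals against the entries actually listed, and returns the entries a responder should look at.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log pasted in the thread (abbreviated:
# two registry entries, one DLL and three cookies instead of the full list).
SAMPLE_LOG = """\
SUPERAntiSpyware Scan Log
Generated 04/13/2010 at 00:14 AM

Scan type : Quick Scan

Memory items scanned : 725
Memory threats detected : 0
Registry items scanned : 600
Registry threats detected : 2
File items scanned : 32084
File threats detected : 4

Adware.IWinGames
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{8CA5ED52-F3FB-4414-A105-2E3491156990}
HKCR\\CLSID\\{8CA5ED52-F3FB-4414-A105-2E3491156990}\\InprocServer32
C:\\PROGRAM FILES\\IWIN GAMES\\IWINGAMESHOOKIE.DLL

Adware.Tracking Cookie
C:\\Users\\tricia\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\tricia@doubleclick[2].txt
C:\\Users\\tricia\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\tricia@atdmt[2].txt
C:\\Windows\\Temp\\Cookies\\tricia@statse.webtrendslive[2].txt
"""

REGISTRY_HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# A browser cookie file: ...\Cookies\<user>@<site>[n].txt
COOKIE_RE = re.compile(r"\\Cookies\\[^\\]+@[^\\]+\.txt$", re.IGNORECASE)
SUMMARY_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")


def classify(entry):
    """Label one detection line by the kind of artefact it names, or None if it is not one."""
    if entry.upper().startswith(REGISTRY_HIVES):
        return "registry"
    if COOKIE_RE.search(entry):
        return "cookie"
    if PATH_RE.match(entry):
        return "file"
    return None


def parse_log(text):
    """Group detections under their threat name and check them against the header totals."""
    reported = {}
    findings = defaultdict(list)
    counts = {"registry": 0, "file": 0, "cookie": 0}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            reported[m.group(1)] = int(m.group(2))
            continue
        kind = classify(line)
        if kind is None:
            current = line          # any non-path line starts a new detection group
            continue
        findings[current].append((kind, line))
        counts[kind] += 1
    # The tool counts cookies as file threats, so compare on that basis.
    expected = {"Registry": counts["registry"], "File": counts["file"] + counts["cookie"]}
    mismatches = [(sec, reported[sec], n) for sec, n in expected.items()
                  if sec in reported and reported[sec] != n]
    return {"reported": reported, "findings": dict(findings),
            "counts": counts, "mismatches": mismatches}


def worth_attention(result):
    """Everything except tracking cookies: the entries that actually need a decision."""
    return [(name, kind, entry)
            for name, items in result["findings"].items()
            for kind, entry in items if kind != "cookie"]


if __name__ == "__main__":
    r = parse_log(SAMPLE_LOG)
    print("counts:", r["counts"], "mismatches:", r["mismatches"])
    for name, kind, entry in worth_attention(r):
        print(f"{name:<24} {kind:<9} {entry}")
```

Run against the full log in the post, the same split gives 13 registry entries and one DLL (all under Adware.IWinGames, a browser helper object) plus 33 cookie files, which is where the 47 entries come from; none of it is a worm, which is consistent with the clean MBAM and avast results.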

You click Download > Save and then you browse to the location / desktop (bureaublad)

Hi Pondus…
Well, I got it installed on the desktop…
I'm gonna try to send them now as the first attempt failed…
hope it works this time

I had done a system restore after MBAM & avast did not find the worm on April 11th…
yesterday I deleted my daughter's LimeWire as a precaution as it needed an update and wasn't functioning…
I wanna re-install it but wanna make sure the PC is clean first…
greets tisha

Hi again, forgot to mention that in my experience with XP Pro
system restore doesn't get rid of viruses etc… they get hidden…
so I really do appreciate all your help…
tishas

Hi, is there anyone around??
been waiting to get a response…
does anyone know if I've done enough or if I still have to try to find this worm!!!
lol…
Tisha*s

Hi tisha-uk there should be a second log just called OTL could you post that and I will start to clean you up ;D

:‘( not good for limewire :’(
LimeWire is not bad, but the ability of this software to get the music you want is the cause. But avast has resolved it, by using the sandbox.

I also use LimeWire but I open it in the sandbox to avoid infections that come from the site LimeWire downloads the music from.

Never mind my post!!!

Best Regards!!!

Hi Essexboy,
I thought I sent both files…
here it is:
and hi there bong2, give me some pointers then, 'cause my daughter downloads lots of music
she needs to for the band she sings in…
lol… tisha

Hi, not a great deal there, which is curious - I feel it may be a scam

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKCU..\Run: [d1a8e7e173cc22d4acf2bb3a23339ad8] C:\Users\Public\Public Downloads\3DMahjonggSetup-dm[1].exe File not found
[2010/01/27 16:08:36 | 000,000,004 | ---- | C] () -- C:\Users\tricia\AppData\Roaming\1rq1mqcv5kerdomfscuz4235redqf8gaz7x

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Just poking my nose in here for a second to remind people about LimeWire, and P2P programs in general.

bong2x said:

Really unfortunate advice bong2x, no offence, just some need for education? Please read to the end of my post, thanks. ;D

tisha-uk :

" ... and hi there bong2 give me some pointers then cus my daughter downloads lots of music she needs to for the band she sings in.... lol.. tisha"

As essexboy is working here (please excuse!) I don't want to cloud your cleanup with extra distractions, but… essexboy may offer the same advice; I just thought it best to nip this in the bud :wink:

tisha-uk please read this very important info when time permits.
http://www.malwareremoval.com/p2pindex.php

"As prevailing opinion holds that the use of P2P software, even clean P2P software, more often than not results in infection of the computer(s) engaged in such practice, and that said P2P software has been determined to be a primary vector for the spread of malware..."

Please read the following information regarding the use of P2P filesharing programs.
http://www.malwareremoval.com/forum/viewtopic.php?p=491394#p491394

Kind Regards,

Abraxas

Hi essexboy… I've done the fix… do I have to paste anything for the quick scan by OTL??

Essexboy, I just did a quick scan with OTL; attached are the results…
after the fix scan I found 2 icons on my desktop…
desktop.ini with a gear on a page??? what is this??
I'm going further with ComboFix
be back when finished
tisha