Full Version: W32.HLLW.GAOBOT.GEN
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
littlepr
I got hit by this one after reformatting entire drive and getting ready to install all patches. It disables virus scanners and its update feature(norton). I tried going to www.symantec.com but it also blocks your access to the site which is the only one that I know has a removal tool for this bad boy. Does anybody out there already have it or know where I might be able to get it?
littlepr
I found it. Hopefully that will be it. Once I run the fxGaobot.exe I will do a HijackThis log to see what registry entries were affected. I will post it for the MVP, forum admins or helpers to look at for me.
littlepr
Didn't work! Help, anyone.

:mad:
CalamityJane
Hi littlepr,

See if you can download this free tool to remove Gaobot from McAfee:

McAfee AVERT Stinger
http://vil.nai.com/vil/stinger/

If so, download it and run the tool after booting into SAFE MODE

How to start the computer in Safe mode (all)
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

If you are not able to download it from the site I can upload it here for you
littlepr
Jane,

I already did run Stinger but the damage to Norton AntiVirus is done. LiveUpdate will not run. I also can't surf to www.symantec.com or www.mcafee.com. Can this be solved with a HijackThis log fix?

NOTE:
All patches are installed including SP1 and the firewall is on.
CalamityJane
Post your HijackThis log :)
littlepr
Jane,

Thank you for helping. I really don't want to have to Fdisk/re-install again. Here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 7:27:52 PM, on 3/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Highjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.frontiernet.net/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8062.5864930556
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
CalamityJane
littlepr,

There is no sign of Gaobot running in your log.

What is telling you that you have that infection? I need file name and exact location (full path).
littlepr
Jane, I found this on this site:

http://www.nacs.uci.edu/security/gaobot.html

Is it true?

NACS > Security > Viruses > Gaobot Virus

Summary: A new virus, Gaobot, is infecting some machines on campus causing them to become Spam relays. These machines have been blocked from UCInet. Use the tool below to remove this virus and get unblocked.


Related Information
UCInet Blocked List
Description
If you think that you may be infected with Gaobot, use the Symantec Removal Tool to clean your machine.

Note: Because this is considered a low level threat by McAfee, it is not one of the viruses that the Stinger utility detects.

Both the full versions of Norton Anti-Virus and Mcafee Anti-virus (with the latest virus definitions) detect and remove this virus, so if you have either of those programs, use that.
CalamityJane
It is possible, there are many new variants of Gaobot....but nothing harmful is running in your startups.

What is detecting Gaobot on your PC?
CalamityJane
Here are some free online scanners. Try at least two of them to see what they say (each has full signature defs, with most recent updates)

Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx

Let us know if any detect anything and make careful note of the file and its full location path.
littlepr
Stinger.exe seemed to have cleaned it out but I still can't run live update on norton products and I cannot surf to www.symantec.com or www.mcafee.com. The odd thing is that I can surf network associates web page (http://vil.nai.com/).
littlepr
I already did three of those. I have a feeling that the virus is no longer on my client but Norton products, locumserver.exe and the URLs for McAfee and Symantec are being redirected or blocked somewhere in my system. You think the hosts file might be the culprit?
CalamityJane
McAfee site has been down for this user and had him worried too, but he was OK....just a problem connecting.

http://www.dslreports.com/forum/remark,9704741~mode=flat

What is the reference to locumserver.exe?? Norton is detecting this file as infected or something? If so what is the full path and the folder it is located in.

Do you have a hosts file?

I really think you are ok if 3 of those scanners passed you as clean. There is no indication of infection in your HJT log either.
littlepr
Jane,

Here is what I found out and was able to edit the specific file mentioned.
You might want to post this for other people who might be in my same boat.

As always, I appreciate what you have done for me and this is my return.

Littlepr

#####################################################

> "Mike" <mamarti@frontiernet.net> wrote in message
> news:fbee01c40d48$53f0e880$a301280a@phx.gbl...
> > I was infected by the w32.hllw.gaobot.gen virus right
> > after fdisking and installing XP. I tried to update my
> > norton virus scanner but the liveupdate kept saying that
> > it could not connect to the server. I then tried to
> > browse mcafee to get removal tools but it kept giving me
> > this message:
> >
> > Cannot find server or DNS Error
> >
> > I also tried symantec but it reroutes to this link:
> >
> > http://search.msn.com/dnserror.aspx?
> > FORM=DNSAS&q=www.symantec.com
> >
> > Which says this:
> >
> > #####################################################


> > We can't find "www.symantec.com"
> >
> > You can try again by typing the URL in the address bar
> > above.
> > Or, search the Web:
> >
> > Go to MSN Search to see complete results
> > for "www.symantec.com".
> >
> > Download MSN Toolbar!
> >
> >
> > ----------------------------------------------------------
> > ----------------------
> > Did you intend to go to one of these similar Web
> > addresses?
> > www.symantec.com
> >
> > ----------------------------------------------------------
> > ----------------------
> > You can also visit one of these related Web sites.
> > Symantec
> > Symantec
> > Symantec - Financials
> > Symantec - Press Center
> >
> > Check availability or register the domain
> > name 'www.symantec.com'.
> > ----------------------------------------------------------
> > ----------------------
> >
> > More information about this error.
> > About Results
> >
> > #####################################################

> > I ended up uninstalling norton and installing the free
> > version of avast! 4 Home Edition. I downloaded the
> > fxgaobot.exe removal tool and ran it. I also got a hold
> > of the stinger.exe from vil.nai.com and ran it in safe
> > mode. It cleaned whatever was infected but I have a
> > feeling that the virus did something to my registry which
> > prevents me from browsing any url containing mcafee or
> > symantec in it. If anyone has or is experiencing the same
> > problem and knows how to resolve it please contact me.
> >
> > Thank you in advance.

#####################################################


Check your C:\Windows\Hosts file as per this article:
Problems Using Internet Explorer with Incorrect Hosts File
http://support.microsoft.com/default.aspx?...b;EN-US;q219843

Those viruses or other malware programs may have put entries into your Hosts
file.

Here's some more helpful info on how to protect your system to keep this
from happening again:
http://www.microsoft.com/security/protect/default.asp
And...
http://www.mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/secure.htm

--

Jon R. Kennedy
Charlotte, NC, USA
jkennedy2@carolina.rr.com

#####################################################

"Mike Burgess" <winhelp2002@spamthis.com> wrote in message
news:O9XAHEVDEHA.3392@TK2MSFTNGP11.phx.gbl...
> Mike,
> Check your HOSTS file for entries that may be preventing access
> to the desired sites .....
> [or]
> You can use a simple batch file to rename the HOSTS file "on-the-fly".
> Download: RenHosts.bat
> http://www.mvps.org/winhelp2002/hosts.htm
> ____________________________________________________________
> Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
> Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
> http://www.mvps.org/winhelp2002/hosts.htm [updated 03-15-04]
> Please post replies to this Newsgroup, email address is invalid
> --
>



#####################################################


Thank you very much guys. I knew it was something like redirecting. I knew
about the host file thing but I thought that was a kazaalite file. Good to
know that I can add/make this file without having kazaalite installed.
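The thread resolves on the HOSTS-file check suggested in the forwarded newsgroup replies: malware pins security-vendor names to an address the machine cannot reach, so LiveUpdate fails and the browser reports "Cannot find server". The script below is an added example, not code from this forum or from the quoted newsgroup posts. It parses a HOSTS file, flags any entry that statically maps a vendor domain (the watched list is an assumption built from the sites named in the thread), distinguishes blocking (loopback or 0.0.0.0) from redirection (any other address), and produces a cleaned copy with the offending lines commented out. The sample HOSTS content is constructed for the example.

```python
"""Audit a Windows HOSTS file for entries that hijack security-vendor domains.

Added example for this thread; not code from the forum or the quoted
newsgroup posts. SAMPLE_HOSTS is constructed, and WATCHED_DOMAINS is an
assumption drawn from the vendor sites the thread mentions.
"""
import ipaddress
import re
import sys

# Base domains whose presence in a HOSTS file is suspicious (assumption:
# a real audit would carry a longer list of AV/update vendor domains).
WATCHED_DOMAINS = {"symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com"}

# Addresses that make a name unreachable rather than redirecting it.
BLOCKING_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}

_COMMENT = re.compile(r"#.*$")

# Constructed sample: one legitimate loopback line, one ordinary LAN entry,
# and several vendor names pinned the way the thread describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com   liveupdate.symantec.com
0.0.0.0         www.mcafee.com
10.0.0.5        download.mcafee.com
192.168.1.10    fileserver.lan
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per name, ignoring comments and blanks.

    Each HOSTS line is '<ip> <name> [alias ...]'; aliases at the end of a
    long line get their own pair so they are not overlooked.
    """
    entries = []
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, nothing to resolve
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address, skip
        entries.extend((ip, name.lower()) for name in names)
    return entries


def _is_watched(name, watched):
    """True when name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return (name, ip, kind) for every watched name the file pins.

    kind is 'blocked' for loopback/0.0.0.0 (the 'Cannot find server'
    symptom) and 'redirected' for any other address.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if _is_watched(name, watched):
            kind = "blocked" if ip in BLOCKING_ADDRS else "redirected"
            hits.append((name, ip, kind))
    return hits


def neutralize(text, watched=WATCHED_DOMAINS):
    """Return the file with every hijacking line commented out, others intact."""
    out = []
    for raw in text.splitlines():
        if find_hijacks(raw, watched):
            out.append("# disabled by hosts audit: " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; with no path the
    # constructed sample is audited. Write the cleaned text back yourself
    # after reviewing it; the script never modifies the file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for name, ip, kind in find_hijacks(content):
        print(f"{kind:10} {name:30} -> {ip}")
    print("--- cleaned copy ---")
    print(neutralize(content), end="")
```

On Windows XP the live file is %SystemRoot%\System32\drivers\etc\hosts; run the audit as a plain read first, then replace the file only after checking the cleaned copy, which keeps the localhost line and any entries you added on purpose.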
Invision Power Board © 2001-2010 Invision Power Services, Inc.