GAOBOT: A POS virus that really screwed my system over!

[Dark Fact]

Guys, I got a problem and it goes like this:

A couple weeks ago, my sister flew in from Ottawa, Canada to stay with us over the holidays for 10 days before she went off to Jamaica to attend one of her friends' wedding.  While she was here, she wanted me to install LIMEWIRE on my computer so she can download songs onto her iPod (her Christmas gift) considering that she didn't want to pay for songs from iTunes.  Anyways, I downloaded the program, got her songs, and all was hicky-dory.

However, after she left, I wanted to download an episode of Cadillacs & Dinosaurs but the file I got contained a nasty virus which after I scanned using Housecall v6.5, turned out to be the GAOBOT.DF worm.

What is this virus you ask? Like I said, it's fucking nasty.  It saved to my System32 and Microsoft Outlook folders, COMPLETELY hid the folders where I can't access them, disabled my task manager, kept rebooting LIMEWIRE, and disabled my desktop.

Housecall couldn't eradicate the virus, and I couldn't access the desktop even in Safe Mode.  So, I went into Command Prompt, deleted the winlog.exe and Outlook folder, and got my desktop back.  I also went and deleted LIMEWIRE and the virally infected folder.

However, this is where I need your help: my task manager is still disabled and I've been getting error messages about the existence of winlog.exe.  Not to mention my System32 folder is still inaccessible.

Do you guys know where I can get a replacement winlog.exe, and more importantly, how to get rid of that GAOBOT virus for good? It's fucking annoying!

[rolins]

Dude, forget it. There's no point in rescuing the O.S. when it's infected. Even if you quarantine or remove the virus/trojans/worms there will always be residue left over. Save any files you can to CDR, and reformat the entire hard drive & start over.

[NecroPhile]

I'm with Rolins, but if a fresh start isn't in the cards - try one of the gaobot removal tools from symantec, mcafee, etc.  You'll likely have to download them from another computer, as this virus changes the hosts file to keep you from visiting their web sites.  After using a removal tool (or two), boot from your Windows CD and repair Windows.  Hopefully this will bring everything back to normal.

[Dark Fact]

I came here to be helped and now I'm being told to throw the baby out with the bathwater? WTF!

First of all, this isn't the first time my computer has been infected with viruses.  I had the infamous sasser virus on my system before.  I used Housecall to get rid of it just fine without any lasting damage to my system but that is after I seeked technical support and reformatted my system.  The system restore caused the virus to be permanently backed up into my system files where it remains in backup to this day.

Another thing, I have a SONY VAIO system.  This computer doesn't come with an installation disk.  It performs system restore on my C: drive from a built-in program.

I want to know if anyone here knows how to get rid of this worm and know where else to find a spare winlog.exe file.  That's all I ask.

[Keranu]

Ouch, stay away from Lime Wire! Those programs are infested with e-AIDS and should be avoided like a hooker with jumping crabs. I agree with what everyone else said, back up any files you want to keep (assuming they are safe, better do a quick virus scan to see), format your hard drive and reinstall your OS.

[Tatsujin]

dangerous world we live in it nowadays 

[rolins]

Look you do not want to replace the winlog.exe because it's part of the problem. It a file that the worm plants into your system.

Here's a guide to actually removing GAOBOT.DF

I copied & pasted the importants stuff for ya.

Removing Autostart and Added Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

   1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
   2. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
      Windows>CurrentVersion>RunServices
   3. In the right panel, locate and delete the entry:
      Winlog = "winlog.exe"
   4. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
      Windows>CurrentVersion>Run
   5. In the right panel, locate and delete the entries:
      • winlog = "winlog.exe"
      • outlook = "%Programs Files%\outlook\outlook.exe \auto"
      (Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)
   6. In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>OLE
   7. In the right panel, locate and delete the entry:
      Winlog = "winlog.exe"
   8. Close Registry Editor.

Deleting the Malware File

   1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
   2. In the Named input box, type:
      bszip.dll
   3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
   4. Once located, select the file then press Delete.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_GAOBOT.DF. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows. Download and install the patches supplied by Microsoft:

    * Microsoft Security Bulletin MS03-039
    * Microsoft Security Bulletin MS04-011

Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.

[Dark Fact]

Rolins, I'll try downloading the patches from Microsoft's security bulletin but for using regedit, the virus has locked me out of the registry.  I'll let you all know what comes of this.

[PCEngineHell]

At request you may be able to coax Sony into sending you a system restore on disc if you explain the situation. Then again they may just tell you to fuck off for downloading music that you didn't pay for. You'll prob have to come up with a generic explanation and beg them. Or if possible take the Windows key you have,find one of the Windows ALL in One disc that has all the OEM versions,Sony,Compaq,Emachines, on it and use that and your key for a restore.

Ive done this before for people and it tends to work ok now and then.

[OldRover]

If it's blocked access to regedit, you could try an alternate registry editor. Also, if you can access system32 from the command prompt, you should be okay, otherwise, try something simple like deleting the hosts file from somewhere else, or even seeing if you can edit it yourself. Also, if you have access to attrib, you could probably make any permission changes yourself.

[Dark Fact]

If it's blocked access to regedit, you could try an alternate registry editor. Also, if you can access system32 from the command prompt, you should be okay, otherwise, try something simple like deleting the hosts file from somewhere else, or even seeing if you can edit it yourself. Also, if you have access to attrib, you could probably make any permission changes yourself.

What kind of alternate registry editor? Could you give some examples? As for system32, I can access it just fine from Command Prompt but Housecall detects that the virus has infected the winlog.exe file but winlog.exe isn't even listed in the directory! Whoever made this virus was one big son of a bitch!

I'm not too familiar with attrib...what's it like?

At request you may be able to coax Sony into sending you a system restore on disc if you explain the situation. Then again they may just tell you to fuck off for downloading music that you didn't pay for. You'll prob have to come up with a generic explanation and beg them. Or if possible take the Windows key you have,find one of the Windows ALL in One disc that has all the OEM versions,Sony,Compaq,Emachines, on it and use that and your key for a restore.

Ive done this before for people and it tends to work ok now and then.

Ha, like I can trust those nosepickers over at SONY.  I tend to rely on people I can actually trust like you guys here.

As for those patches, they don't have the ones that match my system.  My system uses a Windows XP Service Pack 2 2002 edition.

[OldRover]

http://www.google.com/search?q=alternative+registry+editor

"attrib" is a commandline utility that can modify file and directory attributes, if you have the correct user level. As Administrator, you should be able to modify just about everything except a few protected system-level files and directories.

[Seldane]

I suggest getting a pirated, illegal version of Windows and installing that instead.

[Hobo Xiphas]

I suggest getting a pirated, illegal version of Windows and installing that instead.

Why bother with pirated Windows when you could use this instead?

[Keranu]

HURD is the greatest!

[Dark Fact]

Nodtveidt, is there an "attrib" for XP? Because the search results keep listing Windows 2000 and Windows Server 2003.

By the way, I'm NOT installing another O/S on my computer.  It'll overwrite all the pre-installed software on this computer and render it useless in the future. 

Or maybe I'll just do a complete system restore over the weekend.  This whole virus bullshit is making me sick and tired and I have university tests to study for in the coming weeks.

[Hobo Xiphas]

Or maybe I'll just do a complete system restore over the weekend.  This whole virus bullshit is making me sick and tired and I have university tests to study for in the coming weeks.

That is seriously the best option if you don't want to do a full reinstall.

And I wasn't serious about HURD at all, you'd have to be some sort of deviant to use that piece of crap.

[Seldane]

Why will it be useless? Just re-install all the software, or better yet - get better software. The stuff that comes bundled with these computer is usually crap stuff.

[Dark Fact]

Why will it be useless? Just re-install all the software, or better yet - get better software. The stuff that comes bundled with these computer is usually crap stuff.

Seldane, I can't because the software is all installed within the system.  There is no separate restore disk that contains this software.  If it's overwritten with a new O/S, it's gone forever.

[NecroPhile]

Have you tried a removal tool (i.e. FxGaobot.exe from Symantec) as previously posted?  These removal tools are usually effective and fool proof.  If the tool fails, try the manual removal instructions (http://www.symantec.com/security_response/writeup.jsp?docid=2003-112112-1102-99&tabid=3).  You could also try booting from a usb thumb drive (or cd) loaded with antivirus tools.  Disabling system restore before running the antivirus tool will allow the old restore points to be cleaned.  For alternatives to regedit.exe, try Nirsoft's RegScanner or DC Software's RegEditX.  Good luck. 

P.S. - Get a virus scanner to prevent future problems.  Grisoft's AVG Anti-Virus is free & pretty good.

[OldRover]

"attrib" is a part of Windows (it's been a part of the OS since the early PC-DOS days). I'm not sure if having system32 tampered with will affect it or not, as attrib.exe is a program that resides in system32. You could also try "regedt32" instead of "regedit", few people know that regedt32 exists and is a part of XP. Again though, it's also kept in system32.

[TR0N]

Damn sounds like your pc is screwed.

I was talking, to my father today he's having the same problem as well.

Still he's going the other way on the fix he's gonna buy a mac insted.

Pretty much he told me he's sick and tried of... windows period and i don't blame him at all.

[Dark Fact]

Nodtveidt, Necromancer, thanks for the help.   I managed to get into regedit32 with the help from the article you guys put up and I managed to get rid of all the shitty files that disabled access to my task manager.  In addition, that stupid winlog error message that pops up every time I start windows is gone.

However, the virus isn't completely gone yet.  My System32 file is still disabled and housecall still detects traces in Outlook and the System32.  The files it still detects that are infected are winlog and outlook.  Both EXE files.  However, the files don't appear in Command Prompt.  Is there another path in regedit32 that I can take that can eliminate these remaining strains?

[OldRover]

Do a little test...

Go to a command prompt (cmd) and type attrib \windows\system32 and hit Enter. On a normal system, you should see it give the path to the system32 directory and nothing else. If there are ANY things different (such as an R or an S to the left of the path name), then you might be able to correct that using attrib. Also, can you do this:

cd \windows\system32

without difficulty? No error messages or "Access denied" messages? If so, then it's an Explorer exploit and is easily corrected.

[Dark Fact]

Go to a command prompt (cmd) and type attrib \windows\system32 and hit Enter. On a normal system, you should see it give the path to the system32 directory and nothing else. If there are ANY things different (such as an R or an S to the left of the path name), then you might be able to correct that using attrib.

Got a "System cannot find the path specified" error.

Also, can you do this:

cd \windows\system32

without difficulty? No error messages or "Access denied" messages? If so, then it's an Explorer exploit and is easily corrected.

that worked fine but the winlog file isn't in there yet housecall still detects it in my system...strange.

[OldRover]

Hrm...weird. That looks like a bogus message to me. attrib uses a different response when it can't find something...it would look more like this:

File not found - \windows\system32

or it will tell you "Path not found: [pathname]" if you tried running it from another drive. That specific error you wrote is highly suspect.

Go to \windows\system32 and do:

dir /a:h/p

and see if it turns up. if not, then do:

dir /a:s/p

and see if it turns up as well. If it does on EITHER one, do this:

attrib +a -s -h -r winlog*.*

to make it "accessible". If this works, you can manually delete the file with "del".

If NONE of this works, there are other ways. Remote Desktop comes to mind, if you want to try such a route. Regardless, if there's a way to break the system, there's a way to mend it as well, and I've yet to find a piece of malware that I couldn't conquer.

[Dark Fact]

Great news guys, with the help of this little frames site for housecall, I was finally able to get those last couple of strains off of my computer. I thought that housecall removed their frames page in favour of their java scanner but it still exists and the little frames scanner did the job just fine.

However, even though my system is virus free now, the System32 folder is still hidden in my WINDOWS directory and I can only access it through command prompt.  Is there a way to fix this?

[rolins]

Great news guys, with the help of this little frames site for housecall, I was finally able to get those last couple of strains off of my computer. I thought that housecall removed their frames page in favour of their java scanner but it still exists and the little frames scanner did the job just fine.

That good news you got your PC running healthy again.

However, even though my system is virus free now, the System32 folder is still hidden in my WINDOWS directory and I can only access it through command prompt.  Is there a way to fix this?

Try this. Goto "My Computer" then

At the top, Tools --> Folder Options --> View

under "Hidden Files and Folders" select "Show hidden files and folders"

[Dark Fact]

Try this. Goto "My Computer" then

At the top, Tools --> Folder Options --> View

under "Hidden Files and Folders" select "Show hidden files and folders"

I tried that already.  It didn't work.

There is also some other strange problem.  It seems that every now and then the browser windows disappear and reappear in the blink of an eye with my HD flashing like something got loaded over the network but I don't know what.  Does it also have something to do with Gaobot?

[OldRover]

At the command prompt:

attrib -a -r -s -h \windows\system32

That will clear all attribute flags from that directory. If that doesn't work, try looking in \windows\system32 for autorun.* or desktop.* files. If they exist, delete them. Also, try looking in \windows for the same files. Autorun files scripted deviously can block access from Explorer, and desktop INIs can do similar evil things when scripted right. There are other methods that can be used but one of the above will likely fix the folder problem.

Realistically, there's rarely a need for a common PC user to go browsing through system32, even advanced users have little need for it. Glad you got the annoying virus removed though.

As for your other problem, no idea offhand. You might want to try running the latest copy of HijackThis.

[Dark Fact]

Well everyone, the trouble with my system is finally over.  Here's how it all went down:

-Yesterday evening, I spent a good 2 hours on my computer using homestead housecall to eliminate malware and backdoor intruders on my computer.  However, that didn't seem to stop the massive slowdowns.  On top of all that, I found that the memory from my C drive was getting mysteriously sucked away and I had to clear out my history folder after every use of the internet to retain whatever memory was left.

-This evening, I found out that I couldn't even access my MSN Live Messenger AND my e-mail account! I was getting really pissed as I was able to access my e-mail easily from the university's computer so it had to be something on my system but I didn't know fucking what! I then decided to check on my Norton security settings and to my shock, I found out that the GAOBOT worm that infected my system earlier didn't go without leaving some lasting damage to my system programs.  The fucking virus had ALL of Norton security completely disabled leaving room for malware, trojans, and backdoor worms to come crawling into my system.  I immediately tried to go on the internet to find a way to correct this problem but guess what? MY WEB BROWSER WOULDN'T WORK ANYMORE!!! That was the last fucking straw.  I didn't want to do it but I had no choice.  I had to use system restore to restore the system to what it was before all this shit went down.  But wait, it gets better.

-After system restore completed and windows XP booted up and I was getting my programs reinstalled, I kept getting pop-up messages from my system informing me that I had 55 system errors and every time I clicked OK, the system would keep shutting down and rebooting.  I had to put up with that in addition to rebooting the system every time each of my programs got installed.  Thus, I had to sit on my computer for 3 fucking hours installing programs, dealing with freeze ups, and rebooting my system until everything finally settled down.  I got my Norton Internet security up to date so I won't be dealing with anymore problems with that piece of shit virus, GAOBOT!

In closing, I want to say that my sister has no chance in HELL of ever using my computer or getting me to install anymore programs on my computer.  I want to thank everyone here for all their help in this endeavor and rest assured, it was most appreciated.

[OldRover]

It goes without saying that if Norton was doing its job in the first place, this wouldn't have happened. Truth be told that Norton is a piece of shit.

[Dark Fact]

Actually, to be honest, my free trial offer with Norton expired a long time ago and I didn't bother updating it as I had to pay to renew my subscription.  However, after I restored my system and it re-installed Norton, it gave me another 3 month free trial so now all my virus definitions and security are up to date.

[NecroPhile]

Again, let me suggest Grisoft's AVG Anti-Virus.  It's updated regularly and it's free forever - not just a three month free trial.  I won't say that it's the best in the world, but it's much better than getting another virus.  There are other free alternatives out there as well, and you have the next 90 days to find one that you like.  Or you can just keep your sister away from your computer = problem solved. 

[Dark Fact]

The funny thing is, my sister has a serious knack for putting viruses on my computer.  The first time she used it, she turned off the firewall so she can buy herself some shoes from some online store that required her to turn off her firewall before going through with the purchase.  Needless to say, I noticed some serious slowdowns on my computer and had to use Norton to deal with it. 

After my sister moved away, I never had any problems with viruses.  Hell, even after my free trial offer to Norton's Internet Security expired, I still never had any viruses or Trojan Horses or any of that other shit.  It was all when my sister had me install LIMEWIRE that upped the risk.  She even assured me that she uses the program on her laptop and never had problems and I believed her!

Again, let me suggest Grisoft's AVG Anti-Virus.  It's updated regularly and it's free forever - not just a three month free trial.  I won't say that it's the best in the world, but it's much better than getting another virus.  There are other free alternatives out there as well, and you have the next 90 days to find one that you like.

Got a link?

[M1Savage]

http://free.grisoft.com/doc/1
http://www.javacoolsoftware.com/spywareblaster.html
http://www.spywareinfo.com/~merijn/programs.php   (hijackthis)
http://www.lavasoftusa.com/products/ad-aware_se_personal.php

All are free and quite useful. Surf safe!

[Dark Fact]

Thanks! I'll look into those.

[NecroPhile]

Ah - you beat me to it m1savage! 

[TR0N]

http://www.lavasoftusa.com/products/ad-aware_se_personal.php
All are free and quite useful. Surf safe!

I've used them there good at weeding out spyware etc 

[OldRover]

AVG and Ad-Aware are both extremely useful pieces of software.

[Keranu]

Ad-Aware is good stuff. I also like AntiVir.

[akamichi]

Glad to hear you got your computer fixed up Dark Fact.  It's always a pain in the ass to undo what those stupid viruses screw up.  I'll just throw some ideas out there, maybe somebody will find them useful.

When weird stuff starts happening on my PC, I usually run AdAware, HijackThis, Spybot Search and Destroy, etc.  I usually don't have an antivirus program running, but I use ClamAV (free) on my laptop.

Of course prevention is the best defense.  Get a firewall either software like ZoneAlarm or hardware... pretty much every broadband router these days.  Even though XP has the built in firewall, a lot of the viruses are designed to disable it.  Probably the biggest help and biggest PITA (at least on XP) is not logging in as an administrator.  Don't do this unless you understand the consequences. Most likely your accounts already have admin rights so you don't notice a thing, but it's actually a security risk.  I'm just a plain ol' user (basic user rights) on my laptop and there's a lot of things you can't do unless you log off and log back on as an admin or use the "run as" command.  One big thing is that I can't burn CD/DVDs without being an admin.  Also, games usually want admin rights for whatever reason (bad design IMO).  Again, this is an option that hardly anybody does because it's such a pain to use your system.  The benefit is that if some crapware gets on your system, it can't install itself because it doesn't have rights. 

Oh and patch your system. MS puts out patches every month.

[OldRover]

I miss the customisable user rights system that Windows 2000 had. Windows XP really dumbified the whole process. You're either too limited or too wide open to do jack shit either way. I set my account as a normal account (not Limited), and I don't run antivirus...the only thing I've ever gotten was that PurityScan piggyback (likely from one of the Performics sites I visit often) but that's it...and it was ubereasy to dispose of. We have a broadband firewall with VERY specific rules set, and my XP install is tweaked anyways with tons of patches from MS as well as some homebrewed fixes to enhance security. System Restore is disabled, since it tends to cause more problems than it fixes. But most importantly, I don't visit seedy websites, allow ANY sites to install software that I don't know wtf it's installing, I don't open email attachments at ALL (ESPECIALLY from "people I know", these are always the first to kick your ass), and any unusual files I download from eMule or any other p2p app are run inside a VMware virtual machine so they can be tested in an airtight environment to eliminate "real" damage. Furthermore, I make regular backups of the registry manually, so any registry changes can be reverted extremely easily. After 22 years behind a keyboard, I've only been infected by a major virus once, and it affected thousands of people as well (Microsoft patched it up a couple of days later...sure took em long enough, and no antivirus stopped it).

[Dark Fact]

Really appreciate the onslaught of suggestions you guys are pitching. I don't suppose I could ask any of you guys in the future for programming help, could I?

[OldRover]

Depends on what kind of programming help.

[Dark Fact]

C, C++, Visual Basic, Java.  How much do you know of these?

[OldRover]

Hrm...

C: Very well, but focused in HuC.
C++: Mostly VC98, I tend to avoid gcc and dotnet varieties.
Visual Basic: VB6 was my bread and butter for a few years. I avoid the dotnet versions like the plague though.
Java: pfft. Enough to get by.

[Dark Fact]

Cool! I'll be sure to keep in touch when I have some problems with my code in the future!