Help !!!!! please aspparantely have a virus worm.........

[*tisha*-uk]

I was on my pc yesterday and after a few brief slowing down and semi freezes i got a box indicating i have to remove a virus.. I'm not sure from where the message was from..  mbam, security esssentials or just windows??...
this is the message i got:
-=Remove the W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm virus from your computer
This problem was caused by W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm, a known computer virus.
To prevent this problem from occurring again, install and run an up-to-date antivirus and antispyware program on your computer.=-
I had recently updated adobe and have seen in the forums from avast that there is a false adobe update...??
I have windows vista premium..32 bit.., Mike Murphy from ms advised me to use avast free edition together with mbam back in november 2009.. since then i have been quite content with both...
I have done scans with both but nothing comes up over an infection.. they both report clean...
I would like help with this please im not so technical'.. have taught myself everything on the pc...
I would like to continue using avast... I still have 4.8 on, I see through the forums there is a new edition 5... but seeing that this is apparantely an old virus/worm it should show some kind of trace?? or not ??
thanks in advance *tisha*

[Saty]

tisha,

have you tried scheduling a boot scan with avast 4.8? that might help. Hopefully a more experienced person will be around shortly to give more indepth advice.

I have vista, and made the jump from 4.8 free to 5.0 free recently, and am glad I did, i dont recommend doing this untill youve solved this worm problem though

Saty

[*tisha*-uk]

thanks saty,
not sure what a boot scan is... do you mean thorough??

[Pondus]

Boot time Avast Antivirus Scanning
http://www.digitalred.com/avast-boot-time.php



Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
after install click UPDATE and run quick scan, click on REMOVE SELECTED to quarantine anything found

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found come back and post the scan logs here

[*tisha*-uk]

Saty, I cannot scedule a scan in avast 4.8... not sure why maybe i didn't install correctly.. but it updates and does everything else OK...  I do a scan manually at a regular time once or twice a week.. I do twice a month mbam scan and twice a week with security essentials...
  
this was advised to me from Mike Murphy at microsoft when i had trouble with a month trial with bitdefender AV...

[Pondus]

W32.Gaobot Removal Tool
http://www.symantec.com/security_response/writeup.jsp?docid=2004-011316-4140-99

[*tisha*-uk]

Hi Pondus,

sorry for the delayed reply... took so long to do the boot scan more than 2 hours...
I had done a mbam scan yesterday the 11 april...as i have it installed already but it did not find anything.. but just to be sure i ran it again and still reported no malicious items found...
I installed the superantispy as you recomended and run a scan.. he found 47 infected entries but not the gaobot worm...
I have tried to get the removal tool from symantec but it keeps telling me that i am not the administrator which is abit obsurd .. I looked up on the net and it was from 2003 and i think that its not compatible with vista...
so i googled the tool and softpedia has one from spyware doctor.. but i'm not sure as i have a few anti spyware's installed and i dont know how the doctor will respond.. is there anyone who can give me directions???
thanks .. and its really great to get so efficient and fast responses..
really impressed.. great job..
*tisha*

[Pondus]

Follow this guide from Essexboy and post the log`s HERE then he will have a look when he enters the forum
http://forum.avast.com/index.php?topic=53253.0


if the log`s are big: down left corner > Additional Options > Attach

[*tisha*-uk]

Hi Pondos,
here is the log from s-antispy plus
mbam log...
I tried to do as you suggested downloading the otl...
but i don't know how to download to the desktop... when i click
run it says have to go to desktop and disappears...lol...
I'm not so technical its probably real simple...lol.. but am anxious to give it a try..
thankyou all for your quick & useful responses..
*tisha*

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/13/2010 at 00:14 AM

Application Version : 4.35.1002

Core Rules Database Version : 4796
Trace Rules Database Version: 2608

Scan type       : Quick Scan
Total Scan Time : 00:35:12

Memory items scanned      : 725
Memory threats detected   : 0
Registry items scanned    : 600
Registry threats detected : 13
File items scanned        : 32084
File threats detected     : 34

Adware.IWinGames
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}
   HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
   HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}
   HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32
   HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\InprocServer32#ThreadingModel
   HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\ProgID
   HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\Programmable
   HKCR\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}\VersionIndependentProgID
   HKCR\IEHlprObj.IEHlprObj.1
   HKCR\IEHlprObj.IEHlprObj.1\CLSID
   HKCR\IEHlprObj.IEHlprObj
   HKCR\IEHlprObj.IEHlprObj\CurVer
   C:\PROGRAM FILES\IWIN GAMES\IWINGAMESHOOKIE.DLL
   HKU\S-1-5-21-1889172688-3994323396-1824962613-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8CA5ED52-F3FB-4414-A105-2E3491156990}

Adware.Tracking Cookie
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@weborama[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@serving-sys[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@tradedoubler[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@yieldmanager[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@ads.pointroll[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@fl01.ct2.comclick[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@adtech[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@content.yieldmanager[7].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@doubleclick[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@amlocalhost.trymedia[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@ads.creative-serving[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@thephonehouse.solution.weborama[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@content.yieldmanager[3].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@bs.serving-sys[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@pointroll[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@apmebf[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@adserver.zylom[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@bluemango.solution.weborama[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@bluestreak[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@xm.xtendmedia[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@ads.boonty[3].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@beacons.hottraffic[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@collective-media[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@nl.sitestat[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@mediaplex[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@statse.webtrendslive[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@ad.doubleclick[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@advertising[3].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@atdmt[2].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@content.yieldmanager[1].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@ad.yieldmanager[9].txt
   C:\Users\tricia\AppData\Roaming\Microsoft\Windows\Cookies\tricia@2o7[3].txt
   C:\Windows\Temp\Cookies\tricia@statse.webtrendslive[2].txt

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3983

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

13/04/2010 00:35:54
mbam-log-2010-04-13 (00-35-54).txt

Scan type: Quick scan
Objects scanned: 108787
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Pondus]

you click download > save and then you browse to location / desktop (bureaublad)

[*tisha*-uk]

Hi Pondus..
Well i got it installed on the desktop..
I'm gonna try to send them now as the first attempt failed..
hope it works this time

I had done a system restore after the mbam & avast did not find the worm on april 11th..
yesterday i deleted my daughters limewire as precaution as it needed an update and wasn't functioning..
I wanna re-install it but wanna make sure the pc is clean first..
greets *tisha*

[*tisha*-uk]

Hi again forgot to mention that with my experience with XP Pro
the system restore don't get rid of virus ect.. they get hidden..
so I really do appreciate all your help...
*tisha*s

[*tisha*-uk]

Hi, is there anyone around??
been waiting to get respons...
does anyone know if I've done enough or if i still have to try yo find this worm!!!!
lol....
Tisha*s

[essexboy]

Hi  *tisha*-uk  there should be a second log just called OTL could you post that and I will start to clean you up  

[bong2x]

 :'( not good for limewire :'(
limewire is not bad but the ability of this software to get the music of what you want is the cause. but avast has resolve it, by using sandbox.

i also use limewire but i open it in sandbox to avoid some infection that come from the site that limewire download the music.

nevermind my post.!!!!

Best Regards!!!