Goabot.gen.d


kategriff
04-11-2004, 10:32 PM
Ok, this thing is really starting to bug me. I can't seem to find anything that can get rid of it. It sits in my c:\volume system information in the _restore part.

McAfee says that it cannot be quarantined or deleted or fixed. What the heck do I do now?
AND when I finally did find my system information (not that particular problem though) I have this thing in there that is called NT AUTHORITY; that thing kept shutting my computer down and somehow I got that stopped, but it is still in my computer.
Is it something that I really have to be concerned with?
Appreciate any help on these matters, I think that I am losing my hair and my mind. Oh wait a minute, my husband is losing his hair; I am just losing my mind....
thanks, Kath

Crockett
04-11-2004, 11:07 PM
Maybe McAfee says it cannot delete, but can't you manually delete the file?
How To Gain Access To The System Volume Information Folder (http://support.microsoft.com/default.aspx?scid=KB;en-us;q309531)

Temporarily disable System Restore, and clean out that directory.

In Windows XP Pro, you can Disable Simple Sharing in Folder Options, then right click on the System Volume Information folder and go to Sharing and Security and Add the Local Administrators group (temporarily) to the Access Control List and grant full control.

sixpac
04-12-2004, 10:04 AM
Depending on what version of W32.HLLW.Gaobot you have:

W32.HLLW.Gaobot.BV
W32.HLLW.Gaobot.BT
W32.HLLW.Gaobot.AO
W32.HLLW.Gaobot.AE
W32.HLLW.Gaobot.AA
Backdoor.Agobot.3.f
W32/Agobot.AA

There are more, but those are the most common.

The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Connects to a predefined IRC channel, using its own IRC client, and listens for the commands from a hacker.

Allows a hacker to remotely control a compromised computer, allowing him/her to perform any of the following actions:

Manage the installation of the worm
Dynamically update the installed worm
Download and execute files
Steal system information
Send the worm to other IRC users
Add new accounts

Generates a randomly calculated IP address and performs a Distributed Denial of Service (DDoS) attack against it.

Acts as a proxy server to direct attacks to another machine.

Ends the following processes, which are associated with antivirus and firewall software:

ZONEALARM.EXE
PADMIN.EXE
OUTPOST.EXE
NAVWNT.EXE
NAVW32.EXE
NAVNT.EXE
NAVLU32.EXE
NAVAPW32.EXE
N32SCANW.EXE
F-PROT.EXE
BLACKICE.EXE
BLACKD.EXE

The list is huge.

How to get rid of it:

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value

"Office Startup"="%System%\Exploer.exe"

On Windows 95/98/Me computers, navigate to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

In the right pane, delete the value

"Office Startup"="%System%\Exploer.exe"

Exit the Registry Editor.

Then:

Click Start, and then click Run. (The Run dialog box appears.) Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to each of the keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Note: The \RunServices key will not usually exist on Windows NT/2000/XP systems.

In the right pane, delete the value

"Config Loader2"="explores.exe"

Exit the Registry Editor.
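Editor's note: the removal steps above tell you to look for two specific values by hand. As an added example (this is not code from the post or from any vendor write-up), the script below audits an export of the Run/RunServices keys instead, so you are not limited to the two names quoted. It parses the text that `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` writes (the .reg format; reg.exe is assumed to be available on the box), flags the two image names the post calls out, and also flags any autorun whose executable name is within two edits of a legitimate Windows binary, which is how Exploer.exe and explores.exe imitate explorer.exe. The sample export, the list of legitimate names, and the extra svch0st.exe entry are all constructed for the example.

```python
"""Audit exported Run/RunServices keys for Gaobot-style persistence.

Added example, not from the forum post or a vendor write-up.  Parses a .reg
export and reports (1) values naming the images the post calls out and
(2) executables whose name is a near-miss of a legitimate system binary.
"""
import re

# Constructed sample of a `reg export` result.  The "Office Startup" and
# "Config Loader2" lines use the values named in the removal steps; the
# svch0st.exe line is made up to exercise the lookalike check; the rest
# are benign filler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Office Startup"="C:\\WINDOWS\\System32\\Exploer.exe"
"SoundMan"="SOUNDMAN.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"System Update"="\"C:\\WINDOWS\\System32\\svch0st.exe\" -s"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader2"="explores.exe"
'''

# Image names the post says the worm registers (compared case-insensitively).
KNOWN_BAD_IMAGES = {"exploer.exe", "explores.exe"}

# Legitimate binaries that malware commonly imitates (assumed list for the
# example; extend it for your own environment).
LEGIT_IMAGES = {"explorer.exe", "svchost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "ctfmon.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*?)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg escapes backslashes and double quotes; undo both.
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = data
    return keys


def image_name(data):
    """Lower-cased base name of the executable in a Run value (arguments dropped)."""
    data = data.strip()
    if data.startswith('"'):                 # quoted path, may contain spaces
        path = data[1:].split('"', 1)[0]
    else:
        parts = data.split()
        path = parts[0] if parts else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-or-two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_autoruns(reg_text):
    """Return [(key, value_name, image, reason)] for every suspicious entry."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        for name, data in values.items():
            img = image_name(data)
            if img in KNOWN_BAD_IMAGES:
                findings.append((key, name, img, "known Gaobot image name"))
                continue
            if img in LEGIT_IMAGES:
                continue
            for legit in sorted(LEGIT_IMAGES):
                if edit_distance(img, legit) <= 2:
                    findings.append((key, name, img, "lookalike of " + legit))
                    break
    return findings


if __name__ == "__main__":
    for key, name, img, why in audit_autoruns(SAMPLE_REG):
        print('%s\n  "%s" -> %s: %s' % (key, name, img, why))
```

Run it against a real export rather than the sample by reading the file and passing its contents to audit_autoruns(); anything it reports still needs a look by hand before you delete the value, since a distance-2 match will occasionally catch a legitimately named third-party program.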