16 Posts

December 6th, 2004 17:00

mydoom virus

I have just run the free virus scan from the McAfee website. It highlighted a virus known as exploit-mydoom. I downloaded a fix tool from Symantec, but when I ran the program, it could not detect any viruses. I also scanned my system from the Microsoft website, and again no viruses could be detected.
I also keep getting `hidden` files appearing within my file listings. These are typically DAT files, named as hpothb07, or system files that were previously not there. Has anyone got any ideas about what is happening?
 
Thanks

4.8K Posts

December 6th, 2004 17:00

According to this article, that particular exploit won't spread if the computer that it resides on isn't infected with particular variants of the MyDoom virus.
 
See this article, about enabling hidden files & folders, then scanning again in "Safe Mode".
Here's another article using DOS to delete the file(s).
 
Did the online virus scan remove the problem file(s)? Did it report the file name? If so, what was the full name, including the file's path? Have you tried running the online virus scan again (the one that reported it), to see if it's still there?
 
Mike.
 

16 Posts

December 6th, 2004 18:00

Running a scan from the Symantec security site, it has picked up a virus called W32.gobot.A. Is this connected to 'mydoom'? Does anyone know where I can get a removal tool for W32.gobot.A? The only one I could find was W32.Gaobot, which couldn't identify W32.gobot.A.

The File path is c:\Documents and settings\all users\documents\!ReadMe.exe.

Is it OK to delete the DAT files that keep appearing within my file listings??

860 Posts

December 7th, 2004 10:00

http://secunia.com/virus_information/8807/gobot-a/
W32.Gobot.A is a worm that spreads through IRC, open network shares, and file-sharing networks. The worm also propagates through any backdoors installed by the Mydoom family of worms.

Now we need to look into why your computer got hit by the worm gaobot.
Do you have win98/xp?
Do you have any file sharing programs like kazaa, imesh, limewire?
Do you have a firewall?
Let's see how the worm gets into the system:
http://www.hkcert.org/valert/vinfo/lsass_worm.html
Several new variants of W32.Gaobot worms exploit a known Microsoft Windows Local Security Authority Subsystem Service (LSASS) vulnerability, which is described in Microsoft Security Bulletin MS04-011, to propagate across the Internet (means the system does not have the latest Windows patches).
If one of the Windows holes is not patched with the patch mentioned here, http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx, it could cause the system to get infected with the worm.

 

The worm uses multiple vulnerabilities to spread, including:

 

To prevent this from happening again, you need to have the latest Windows updates, a firewall, and a good antivirus program.

 

If you suspect or know that your computer has been infected by the Polybot/Gaobot virus, your first step should be to run the Stinger cleanup tool found at:

http://vil.nai.com/vil/stinger/

You should then run the Gaobot cleanup tool available for download from Symantec at:

http://securityresponse.symantec.com/avcenter/FxGaobot.exe

Next, apply any and all critical patches and updates—links can be found at the bottom of this Microsoft web page:

http://windowsupdate.microsoft.com

After you have run the two cleanup tools and applied the latest Microsoft Windows critical updates, you should then go back and re-run the cleanup tools 1-2 more times to verify that your computer is no longer infected.

Post a HijackThis log if you still have the problem AFTER performing all the above steps.
