According to this article, that particular exploit won't spread if the computer that it resides on isn't infected with particular variants of the MyDoom virus.
See this article about enabling hidden files & folders, then scanning again in "Safe Mode".
Here's another article using DOS to delete the file(s).
Did the online virus scan remove the problem file(s)? Did it report the file name? If so, what was the full name, including the file's path? Have you tried running the online virus scan again (the one that reported it), to see if it's still there?
Midnight Star
4.8K Posts
0
December 6th, 2004 17:00
m.ewbank
16 Posts
0
December 6th, 2004 18:00
Running a scan from the Symantec security site, it has picked up a virus called W32.gobot.A. Is this connected to 'mydoom'? Does anyone know where I can get a removal tool for W32.gobot.A? The only one I could find was W32.Gaobot, which couldn't identify W32.gobot.A.
The file path is c:\Documents and settings\all users\documents\!ReadMe.exe.
Is it OK to delete the DAT files that keep appearing within my file listings?
jamez kann
860 Posts
0
December 7th, 2004 10:00
http://secunia.com/virus_information/8807/gobot-a/
W32.Gobot.A is a worm that spreads through IRC, open network shares, and file-sharing networks. The worm also propagates through any backdoors installed by the Mydoom family of worms.
Now we need to look into why your computer got hit by the worm Gaobot.
Do you have Win98/XP?
Do you have any file sharing programs like Kazaa, iMesh, LimeWire?
Do you have a firewall?
Let's see how the worm gets into the system:
http://www.hkcert.org/valert/vinfo/lsass_worm.html
Several new variants of W32.Gaobot worms exploit a known Microsoft Windows Local Security Authority Subsystem Service (LSASS) vulnerability, which is described in Microsoft Security Bulletin MS04-011, to propagate across the Internet. (This means the system does not have the latest Windows patches.)
If one of the Windows holes is not patched with the patch mentioned here, http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx, it could cause the system to get infected with the worm.
The worm uses multiple vulnerabilities to spread, including:
The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 machines using this exploit.
The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061), using UDP port 1434.
Sending itself to the backdoor ports that the Beagle and Mydoom families of worms open.
To prevent this from happening again, you need to have the latest Windows updates, a firewall, and a good antivirus program.
If you suspect or know that your computer has been infected by the Polybot/Gaobot virus, your first step should be to run the Stinger cleanup tool found at:
http://vil.nai.com/vil/stinger/
You should then run the Gaobot cleanup tool available for download from Symantec at:
http://securityresponse.symantec.com/avcenter/FxGaobot.exe
Next, apply any and all critical patches and updates—links can be found at the bottom of this Microsoft web page:
http://windowsupdate.microsoft.com
After you have run the two cleanup tools and applied the latest Microsoft Windows critical updates, you should then go back and re-run the cleanup tools 1-2 more times to verify that your computer is no longer infected.
Post a HijackThis log if you still have the problem AFTER performing all the above steps.