That's just it... I've looked on the web and it all points to Norton's help page, which I've read and done all it said, but still this Norton pop-up warning :smileysad:
We still don’t know where the infected file was...
Hi, I have the exact same virus/trojan on my pc. This is the first reference anywhere on the WEB that has a direct match for me.
Let me share my story with you. I started getting the same warning about a month ago. (Windows XP + service package 2 + all security patches + Norton Antivirus 2003 with fully updated virus definitions).... Following the instructions given by Norton's website, I did full system scans several times in different ways (normal mode, safe mode, on-line) and there is no virus in my computer. Then, I called the Norton service line and was willing to pay them to help me remove the virus. When I told the technician the situation, he told me there is nothing he can do (since there is no virus). He said that it is probably my computer's problem and I should contact Dell. I called Dell and purchased the software assistance package for 49.00. The Dell technician was very kind and waited for me to scan my computer and try different anti-spyware software with me. And there is nothing wrong with my computer.
Then I posted a question at Kaspersky's forum and got several responses. I tried their online scanning tool and found the trouble makers. I removed them and there was no warning for a while. But the story does not end there. Today, I found the warning messages are back. The old k2[1].txt is there. EXE file is now ac3275.exe. .....
Hi,
boppo
2 Intern
4.4K Posts
0
July 13th, 2005 17:00
100mph
1.2K Posts
0
July 13th, 2005 18:00
All the Best!
rayskedgel
3 Posts
0
July 13th, 2005 22:00
100mph
1.2K Posts
0
July 14th, 2005 01:00
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRBOT%2ESN&VSect=Sn
When done, clean all temp files and system restore.
Then scan online (use all):
http://www.fixyourwindows.com/windowsxpsolutions.htm#OnlineVirusScans
Let us know what's up.
If posting back, at least note a file name and where it’s located.
Good Luck!
rayskedgel
3 Posts
0
July 15th, 2005 21:00
Well, I did all those scans on the sites you gave me and still all came back clean.
All the reg looked fine, no added values.
But I was still getting the Norton pop-up.
Well, today I turned off System Restore and then turned off Norton Auto-Protect, rebooted the PC and then clicked System Restore back on and Norton Auto-Protect... no pop-up. So I restarted the computer and all seems OK now, no more Norton pop-ups. Does this mean that's all OK now, now that Norton isn't finding the worm? Just seems strange. Anyway, thank you for all your help :smileyhappy:
100mph
1.2K Posts
0
July 15th, 2005 23:00
Cleaning all caches (recycle, temp, sys/restore, etc.) is a part of any infection removal procedure.
Midnight Star
4.8K Posts
0
July 16th, 2005 01:00
Can you post back the full file names of infected files that Norton's found? Check also in quarantine. That might tell you if the file being found was in the system restore folder. If it was, and the same file name is in Norton's quarantine, then the system might've backed it off for you before Norton's had a chance to remove it.
=====
Mike.
ineedmorehelp
2 Posts
0
July 21st, 2005 16:00
I've also tried to get rid of this virus & followed all instructions (turn off system restore, re-boot in safe mode, run Symantec removal tool, run Norton system check) & it can't find a virus. But when I connect to the internet I get the following messages from Norton:
detected gaobot.sn
C:\ documents& settings\owner\local settings\temp internet files\content.IE5\GD8T6Z05\K2{1}.txt unable to repair file. Then another message - access to this file was denied
followed by
C:\docume~1\owner\locals~1\temp\ab62F1.exe
This file was automatically deleted
THEN
As above, 3 messages but with the Content bit changed to
Content.IE5zK1QVSPE3\k2{1}.txt
I've tried deleting all temp internet files & running other removal tools but nothing works. Help. Have i got this virus hiding somewhere?
ineedmorehelp
2 Posts
0
July 22nd, 2005 19:00
I sent the details of the messages I was getting to Norton for their evaluation and apparently Ab62F1.exe is a non repairable threat and it looks like Norton did not actually delete it. I've now deleted it manually by searching on C drive and the messages have stopped !!
I've also done a restore point just in case.
Message Edited by ineedmorehelp on 07-22-2005 03:36 PM
Peteneedshelp
1 Message
0
July 23rd, 2005 17:00
Gaobot-Randex Virus Episode July 2005
Norton Antivirus pop-ups began to notify us every time we logged onto the Internet that w32.Gaobot.sn and w32.Randex.gen were in the computer. As others here have testified, tried Symantec website virus removal instructions to no avail and tried manual location and removal of the infected files as identified on the Norton pop-ups and through Norton Virus Scan, e.g., c:\Documents and Settings\Local Settings\temporary Internet Files\Content.IE5\CWM30HYJ\k2[1].txt and c:\Docments-1\Account Holder\locals-1\temp\ab62f1.exe. Nevertheless, Gaobot and Randex pop-ups continued whenever we logged onto the Internet. Purchased and installed latest 2005 Symantec Internet Security software, which appeared to locate and remove Gaobot and Randex files (and other Adware files). However, even after installing Internet Security, every time I went onto the Internet in both my and my wife's account the Norton Gaobot and Randex pop-ups began again. Also began noticing pop-ups from a “Messenger Service” notifying me that there were threats in my computer and that I needed to go to various websites and download diagnostic or patching software (Symantec techies subsequently told me this was a trojan’s doing). A Norton pop-up began to continuously notify me that “cpds.exe” was attempting to enter the computer. Finally called Symantec tech support at 877-832-2811. After talking to three techies over the course of 18 hours (I was so frustrated at this point I was practically screaming at them - they were very patient) they were able to remove the virus, which turned out to be caused by a number of Trojan horses (including cpds). First, they ran a scan ($39.95) of my computer through the Internet, which found no viruses (however, the Norton Gaobot and Randex pop-ups continued). Then (second telephone call) they told me to download Microsoft Service Pack 2. I downloaded approximately 28 Microsoft updates (but not Service Pack 2).
The Gaobot and Randex pop-ups stopped in my account but continued to occur in Tatiana’s account. Symantec (third phone call) then told me to download and run (another $30) www.tomcoyote.org, which locates Trojans. I ran tomcoyote and then emailed the results in Notepad to the Symantec techie. He looked at the results and told me I had four “nasties.” We deleted the nasties after going into Safe Mode and made a lot of other changes to settings, which I can’t explain or remember. The big question which I forgot to ask the techie was why Norton virus scan and Internet Security software didn’t find the Trojans in the first place!!! (I'm still furious at Symantec as a corporation - they should have explained all of this on their Gaobot and Randex pages on their website). The techies told me that the reason I got these virus/Trojans in the first place was because I hadn’t been downloading the Microsoft security updates (see, there's a moral to this story). Anyway, this was probably the most frustrating episode I've ever had with a computer. If you're having these problems, just call Symantec and pay the $69.95.
dpdp
3 Posts
0
August 8th, 2005 16:00
Here is how I think I got it. First, I did not have all my patches. Obviously, that was dumb of me. On 6/18/2005, my dialer was changed to a new number: "08710905xxx". I later found that the 087 number is a UK toll number (I am in the USA so it did not work). People use it in phone scams. I changed the number a few times but it kept coming back. I ran Norton and it said I had downloaded a trojan. I am not sure what the name was. I booted in safe mode and deleted it. Problem solved? I thought so.
A week or two later, I logged onto the internet and Norton said I was downloading the same Gaobot and Randex files you noted. Norton never found them in a sweep. During the connection, it would start to download the file ab62f1.exe and the k2[1].txt file that had these two viruses in it. I submitted ab62f1 to Norton and nothing was found. Scans never showed anything. The k2 file also had the international.statscounter.info address.
So I looked at what files were in my Registry load (CURRENTVERSION/RUN) and what loaded. Three files were suspect: scrbmk.exe, languard.exe and cpds.exe. Languard was saved on my pc on 6/18, the date of the original infection. The other two all have current dates so they must change at startup.
Cleansweep and the Microsoft spyware beta do not show these as bad. Spybot showed languard as "theguardian". It is a keystroke logger. McAfee says it may detect this. Also look for "avirex.exe" in Google. It seems associated with scrbmk.exe and cpds.exe although it is not on my pc (it deletes itself and I may have deleted it on 6/18). Google scrbmk and cpds and you will find a lot of references to these.
So to delete these files, boot in safe mode and edit your registry "regedit" in RUN. Go to HKEY_LOCAL_MACHINE/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUN. Save a backup of the registry first (save RUN branch only). Right click and delete the three files. Exit registry. Now they will not load at startup. Now go to c:/windows and rename the files xxxx.exe.old or just delete them if you are confident. This should work.
Let me know if this method works or if I should do something else.
dp
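The Run-key check described in the post above, as an added example (not code from the thread or from Symantec): it parses a regedit export of the Run branch, the backup the post recommends saving, and flags entries whose program name matches the three files named in the thread. The sample export, its value names and the "review" heuristic are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# File names the post above reports as suspect.
WATCHLIST = {"scrbmk.exe", "languard.exe", "cpds.exe"}

# Constructed sample export of the Run branch; value names and the benign
# entries are made up for illustration.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /min"
"Language Guard"="C:\\WINDOWS\\languard.exe"
"cpds"="cpds.exe -start"
"Helper"="C:\\WINDOWS\\helper32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"UninstallString"="C:\\WINDOWS\\scrbmk.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def decode_reg(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16 with a BOM; older REGEDIT4 files are ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def unescape(s: str) -> str:
    """Undo the .reg string escaping (\\\\ and \\")."""
    return re.sub(r'\\(.)', r'\1', s)


def image_path(command: str) -> str:
    """Return the program part of a Run command line, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def audit_run_export(text: str):
    """Return (value name, program path, reason) for Run entries worth a look."""
    findings, in_run_key = [], False
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            # Only the Run key itself is audited; other exported keys are skipped.
            in_run_key = m.group(1).lower().endswith(r"\currentversion\run")
            continue
        m = VALUE_RE.match(line)
        if not (in_run_key and m):
            continue
        name = unescape(m.group(1))
        path = PureWindowsPath(image_path(unescape(m.group(2))))
        if path.name.lower() in WATCHLIST:
            reason = "watchlist"
        elif len(path.parts) == 1 or path.parent.name.lower() == "windows":
            reason = "review"  # heuristic: bare name, or file in the Windows root
        else:
            continue
        findings.append((name, str(path), reason))
    return findings


if __name__ == "__main__":
    for name, path, reason in audit_run_export(SAMPLE_EXPORT):
        print(f"{reason:9}  {name}: {path}")
```

For a real export, read the file as bytes and pass it through `decode_reg` first, since regedit on Windows XP writes UTF-16.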
umrhanyp
1 Message
0
August 16th, 2005 16:00
dpdp
3 Posts
0
August 17th, 2005 02:00
As noted last week, I had the same trojan on my pc. The three files scrbmk.exe, cpds.exe and languard.exe are in the c:\windows directory. Check if they are there. Also check the RUN portion of your registry (see my previous note). Delete the three files. Then they will not load at startup.
As noted before, Norton did not find any of these files for many weeks. I submitted scrbmk.exe to Norton and they said it was a download trojan. They made a virus definition. I ran it but I had already deleted the three files so it did not find them. But it found two temp files dc305.tmp and dc446.exe in the C:\RECYCLERS\XXXXXXXXXXXXX directory so I wonder if it is the recycle bin. They were infected with the trojan.downloader. I hope it was the same trojan I deleted. Anyway, I have run Norton with new definitions every day since and all is OK. I think I am rid of this. I hope it did not do anything to my files. By the way, the SEARCH option on the Norton website still does not come up with anything for the three files. But I think it can detect some. I am not sure if it can detect all three files or any other signatures associated with this trojan.
Let me know if you have these three files and if deleting them works. Trust me, I have lost sleep over this.
dpdp