Urgent Help required- You guys rule so please help! by vincerooney on 07-26-2004 at 01:23 AM


You guys on this forum have helped me out so much in the past so its to you i turn to in my time of need again..

just got broadband after your helpful advice in the 'uk broadband' thread a few weeks ago.

i was enjoying the luxuries of downloading everything i wanted on kazaa, i'm not thick and i know a bit about computers so i'm pretty sure i downloaded no 'exe' files like how some people get viruses.

but anyway i got a virus on friday night after my weekly norton search was finished. norton couldnt repair the file, virus definitions were uptodate too, so instead i deleted the virus. it was called 'explorer' or something.

saturday night the virus fun continues. this time i've got two. its those damn gaobot varieties. so anyway i try to repair but i can't so instead delete again as the only option after putting them in quarantine.

I then download AVG virus scanner to help in the future. My norton is out of date, but my definitions are uptodate up to last week (dont ask me how i did this...im not proud of how i got 'uptodate'!)

Anyway it scans computer. no viruses. but then i see it can't scan a few folders.

i track the location of one file and use norton to scan the individual file.

ITS GAOBOT! AGAIN!

So i realised AVG is pretty useless for picking up viruses (free edition it is). And that Norton can't repair anything anyway then it finds the virus instead of deleting them.

-------------

So basically i've had 3 gaobots probably off kazaa but i've deleted them all. but i read the norton website about the virus and it scared me to hell.

how it opens ports, allows hackers, slows stuff down...its a worm isnt it?

firstly i want to know how i'm getting them. is it dodgy kazaa? is overnet safer?

secondly how do i undo the damage of the worm? it hasnt taken up any room on my c drive. my computer and internet connection are pretty much the same speed even though i'm getting paranoid and keep saying to myself 'oh my god its getting slow...' its pretty much ok.

the norton website told me to change file names of the internet etc etc but i couldnt find the files to change anyway.

SO I NEED HELP! Am i ok after deleting the viruses or has it done damage??

i have kerio firewall- again free off the internet enabled.

i'd forever be in debt to you all if someone could help. i have medium IT skills. so i might need explaining careful. nortons website is useful if im bill bloody gates.


RE: Urgent Help required- You guys rule so please help! by matty on 07-26-2004 at 01:27 AM

Which files are all infected? If you look at your scan results in your Norton it should tell you.


RE: Urgent Help required- You guys rule so please help! by vincerooney on 07-26-2004 at 01:35 AM

it was documents\videons32.exe

norton told me it was infected with the w32.gaobot.azt virus

it then tells me it can't repair the file because access is denied. it then told me the same thing 170 times about the same file...


RE: Urgent Help required- You guys rule so please help! by vincerooney on 07-26-2004 at 01:37 AM

i deleted it....just searched for it again and the buggers back again so its again back in quarantine


RE: Urgent Help required- You guys rule so please help! by Garndell on 07-26-2004 at 01:40 AM

One tip most people offer nowadays is avoid Kazaa.

Sometimes the virus is in a file that the AntiVirus can't delete (like explorer.exe) as it is integral to Windows or is simply a file that only certain things can delete/edit.

Have you tried running the scan in Safe Mode?


RE: Urgent Help required- You guys rule so please help! by toddy on 07-26-2004 at 01:41 AM

quote:
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

   1. Disable System Restore (Windows Me/XP).
   2. Restart the computer in Safe mode or VGA mode.
   3. Restore the Hosts file.
   4. Reverse the changes made to the registry, and then restart the computer.
   5. Update the virus definitions.
   6. Run a full system scan and delete all the files detected as W32.Gaobot.AZT.
for full details


RE: Urgent Help required- You guys rule so please help! by vincerooney on 07-26-2004 at 01:44 AM

   3. Restore the Hosts file.
   4. Reverse the changes made to the registry, and then restart the computer.

i understand the registry bit. you delete the videons.exe part dont you? but whats the host file about. i dont understand what to do on that part.


RE: Urgent Help required- You guys rule so please help! by toddy on 07-26-2004 at 01:49 AM

if u go to the bottom of this link it gives you all the details

quote:
3. To restore the Windows Hosts file
Note: The location of the Hosts file may vary, and some computers may not have this file. For example, if the file exists in Windows 98, it will usually be in C:\Windows; and it is located in the C:\WINNT\system32\drivers\etc folder in Windows 2000. There may also be multiple copies of this file in different locations.
Follow the instructions for your operating system:

    * Windows 95/98/Me/NT/2000
         1. Click Start, point to Find or Search, and then click Files or Folders.
         2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
         3. In the "Named" or "Search for..." box, type:

            hosts

         4. Click Find Now or Search Now.
         5. For each one that you find, note its location. (This is displayed in the "In Folder" column.)
         6. Right-click each file, and then click "Open With."
         7. Deselect the "Always use this program to open this program" check box.
         8. Scroll through the list of programs and double-click Notepad.
         9. When the file opens, delete all the entries in the Hosts file, except for the following line:

            127.0.0.1     localhost

        10. Close Notepad and save your changes when prompted.

    * Windows XP
         1. Click Start, and then click Search.
         2. Click All files and folders.
         3. In the "All or part of the file name" box, type:

            hosts

         4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
         5. Click "More advanced options."
         6. Check "Search system folders."
         7. Check "Search subfolders."
         8. Click Search.
         9. Click Find Now or Search Now.
        10. For each one that you find, note its location. (This is displayed in the "In Folder" column.)
        11. Right-click each file, and then click "Open With."
        12. Deselect the "Always use this program to open this program" check box.
        13. Scroll through the list of programs and double-click Notepad.
        14. When the file opens, delete all the entries in the Hosts file except for the following line:

            127.0.0.1     localhost

        15. Close Notepad and save your changes when prompted.



quote:
4. To reverse the changes made to the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

   1. Click Start, and then click Run. (The Run dialog box appears.)
   2. Type regedit

      Then click OK. (The Registry Editor opens.)

   3. Navigate to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   4. In the right pane, delete the value:

      "Windows Video Drivers" = "videons32.exe"

   5. Do one of the following:
          * Windows NT/2000/XP. Skip to step 8.
          * Windows 95/98/Me. Proceed with step 6.

   6. Navigate to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

   7. In the right pane, delete the value:

      "Windows Video Driver" = "videons32.exe"

   8. Exit the Registry Editor.

   9. Restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document.


RE: Urgent Help required- You guys rule so please help! by vincerooney on 07-26-2004 at 02:16 AM

right first attempt at this failed miserably.

i got the pc into safe mode easily enough and then set about searching for hosts.

i found 5 files. one was 'my name@tophosts' so i ignored it. i then got four whole files all in system32 directory. i opened all four files in notepad as it says.

i got nothing except a microsoft guide to editing hosts, well at least it looked like one. and the other files mentioned nothing which i was looking for.

i searched each file for "127.0.0.1     localhost" since thats the thing im meant to leave in so it would be an indication of what file it was.

it didnt work on any. i cannot get the hosts file, even open the host file or find the bloody damn host file!

i need to know how to do it. so please any more suggestions.

im as scared right now as an english footballer about to take a penalty in euro 2004 :{


RE: Urgent Help required- You guys rule so please help! by toddy on 07-26-2004 at 02:29 AM

quote:
Originally posted by Matty.
If you are running Windows 2k or higher type this into your run command (Start > Run)

Windows 2000

    code:notepad.exe C:\WinNT\system32\drivers\etc\hosts


Windows XP/2003 Server

    code:notepad.exe C:\Windows\system32\drivers\etc\hosts



The only text that should be in the hosts file is the following.

    quote:Originally posted by Original Hosts File
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    127.0.0.1       localhost



If you have anything other than what is above, delete it and replace it.

Matty
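
Added example, not part of any post in this thread: a short Python check that applies the rule quoted above (only `127.0.0.1 localhost` should be active) to the text of a hosts file, showing that the `#` comment lines of the stock sample are inert. The tampered sample and its `.example` names are constructed for illustration, and `active_entries` and `audit_hosts` are hypothetical helper names.

```python
import ipaddress

# Rule from the quoted instructions: the only active entry is "127.0.0.1 localhost".
BASELINE = {("127.0.0.1", "localhost")}

def active_entries(hosts_text):
    """Yield (line_no, ip, hostname) for each mapping the resolver would use."""
    lines = hosts_text.lstrip("\ufeff").splitlines()  # tolerate a UTF-8 BOM
    for line_no, raw in enumerate(lines, start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment anywhere
        if not line:
            continue  # blank or comment-only lines are inert
        ip, *names = line.split()  # columns are separated by spaces or tabs
        for name in names:  # one line may map several names
            yield line_no, ip, name.lower()

def audit_hosts(hosts_text, baseline=BASELINE):
    """Return (line_no, ip, hostname, reason) for entries outside the baseline."""
    findings = []
    for line_no, ip, name in active_entries(hosts_text):
        try:
            normalized = str(ipaddress.ip_address(ip))
        except ValueError:
            findings.append((line_no, ip, name, "malformed address"))
            continue
        if (normalized, name) not in baseline:
            findings.append((line_no, ip, name, "not in baseline"))
    return findings

# Abridged copy of the stock sample file quoted in the thread.
CLEAN = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
"""

# Constructed entries (not taken from any real infection) appended to the clean file.
TAMPERED = CLEAN + (
    "127.0.0.1\tupdates.vendor.example www.vendor.example  # constructed\n"
    "192.0.2.300     portal.example\n"
)

if __name__ == "__main__":
    for text in (CLEAN, TAMPERED):
        print(audit_hosts(text))
```

An empty result for a file that contains only comments and the localhost line means step 3 needs no changes on that machine.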

RE: Urgent Help required- You guys rule so please help! by vincerooney on 07-26-2004 at 03:52 AM

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Hmmm thats exactly what i've got too. I do have the w32.gaobot.azt virus its in quarantine under the file name videoons32.exe i can see it right now but yet it hasnt altered the host file. any ideas why this is?

should i just continue onto the next stage of clearing this virus now?

toddy may i just say thank you so so much for your help tonight i really do appreciate it you've been great work.

unsure of what to do next though now


RE: Urgent Help required- You guys rule so please help! by vincerooney on 07-26-2004 at 04:01 AM

Also gone onto the next stage . ive gone through regedit and through to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

all i have in the right pane is 'default, AVG, Messenger 3, overnet, p2p networking and tkbellexe

i do not have "Windows Video Drivers" = "videons32.exe"

But yet i do have the virus its in quarantine. ive deleted it twice from quarantine but its returned. that means i need to get rid of it. but i cant.

any ideas at all people?


RE: Urgent Help required- You guys rule so please help! by toddy on 07-26-2004 at 04:25 AM

start > all programs > (norton systemworks) > norton antivirus > quarantine

try deleting it from there


RE: Urgent Help required- You guys rule so please help! by vincerooney on 07-26-2004 at 11:08 AM

Right its deleted. last time though it came back after i'd deleted it for more tricks...

but as of yet it hasnt done any of the things it says on the website like change registry etc i dont know whether this is a good or bad thing though...


RE: Urgent Help required- You guys rule so please help! by vincerooney on 07-26-2004 at 11:07 PM

BUMP!