w32.gaobot!inf virus in my hosts file... can't remove it!!

mcveigh

Diamond Member
Dec 20, 2000
6,457
6
81
I have a friend's computer here. She got the w32.gaobot virus; Norton keeps saying it's in her hosts file and can't clean it but denies access to it.

I manually delete it, reboot, and it pops up there again. Because it's the hosts file, I can't get online to download any updates or fixes. I did download the Symantec Gaobot fix tool onto a CD and ran it, but it's taking forever and it doesn't fix all versions of this SOB.

anybody else have some info on getting rid of this?
 

jbrock31

Junior Member
Apr 18, 2004
20
0
0
Try disabling system restore, deleting the file, and rebooting again. If it's gone, turn restore back on.
 

mcveigh

won't work.

so far I have manually updated the NAV defs and those found about 10 more of this virus in the c:\ and in system32.

internet still won't work though.
 

dahunan

Lifer
Jan 10, 2002
18,191
3
0
Try working in SafeMode

Also.. this looks helpful - it looks like it has set your hosts file to deny access to all websites that will help get rid of it - evil bastards :evil:
http://forum.gladiator-antivirus.com/index.php?showtopic=14059


If you are getting this error, you probably have the newest Gaobot(aka Agobot) virus that disables NAV and blocks your access to security sites (including Symantec).

W32.Gaobot.AFC, W32.Gaobot.AFJ and W32.Gaobot.AFW

1. These worms add entries to your HOSTS file which blocks access to certain websites.

First, Please do a search on your PC for a file named: hosts (you want the one with no extension)

It is located in the folder listed for your Operating System:

Windows 95/98/ME c:\windows directory

Windows NT4/2000/XP/2003 c:\winnt\system32\drivers\etc directory.

Please open it up - Windows will pop up a dialogue box. Put a dot in the choose program option down at the bottom, and you can select a program to open it with (use Open with Notepad or Wordpad), and look at the entries inside. If you did not place them there yourself, please delete them (just the bad entries - not the whole hosts file). Most *bad* entries begin with: O1 - Hosts: 127.0.0.* (where * can be any number) and then a name of a security site

The list will look something like this:

O1 - Hosts: 127.0.0.0 localhost --(leave this entry)

(Delete the rest that may look like the following)

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
(etc, many more sites listed.)
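Added example, not part of the thread or of any tool named in it: the manual hosts-file review described in the post above, done in Python. It flags names that are pointed at a loopback address and are not a local name. The function names, the `LOCAL_NAMES` allow-list and the sample text are assumptions made for illustration, and treating 0.0.0.0 the same as 127.0.0.* goes slightly beyond what the post describes.

```python
import ipaddress

# Assumption: the only names that should map to loopback on this machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_line(line):
    """Return (ip, [names]) for a hosts entry, or None for blank, comment or malformed lines."""
    body = line.split("#", 1)[0].strip()
    # Accept the "O1 - Hosts:" log prefix shown in the post as well as raw entries.
    if body.lower().startswith("o1 - hosts:"):
        body = body[len("O1 - Hosts:"):].strip()
    fields = body.split()
    if len(fields) < 2:
        return None
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None
    return ip, [f.lower() for f in fields[1:]]

def audit_hosts(text):
    """Return (kept_lines, suspicious); suspicious holds (line_no, ip, name) tuples."""
    kept, suspicious = [], []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            kept.append(line)          # comments and blank lines pass through
            continue
        ip, names = entry
        sinkhole = ip.is_loopback or ip.is_unspecified
        bad = [h for h in names if sinkhole and h not in LOCAL_NAMES]
        suspicious += [(n, str(ip), h) for h in bad]
        if not bad:
            kept.append(line)
        elif len(bad) < len(names):    # mixed line: keep only the local names
            kept.append(f"{ip}\t" + " ".join(h for h in names if h not in bad))
    return kept, suspicious

# Constructed sample modelled on the entries quoted in the post.
SAMPLE = """# sample hosts file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com localhost
10.0.0.5 fileserver
"""

if __name__ == "__main__":
    for n, ip, name in audit_hosts(SAMPLE)[1]:
        print(f"line {n}: {name} -> {ip}")
```

Review the flagged names before writing the kept lines back, since some administrators block domains through the hosts file on purpose.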
 

mcveigh

Originally posted by: paradigm9
i had a few at work..nasty little bastard

stinger got rid of it easily...takes usually two full scans to get rid of it completely

download here


I just got back to this pc.

left it running a full AV scan in safe mode and also a removal tool from Symantec.

norton found one more instance of it.

the network still won't work though. I will try running stinger (good link I forgot about that as I haven't used it in a while)

I may reinstall windows in the end though :(