
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 819

how do I get rid of w32.gobi on my windows 2003 server

I have w32.gobi on two of my servers; one is a Win2003 and the other is a Win2000 server. I looked at the Symantec web site but it wants you to go to a registry entry hkey_classes_root\software\classes\exefile\shell\open\command. This path does not appear in Windows 2003 Server. Also, on my Win2000 server I cannot run regedit or regedt32 with the .exe or .com extensions; I get a message saying that registry editing has been disabled by your administrator. I am logged in as the administrator. Also, my Symantec Anti-Virus on this server does not work. Is there some type of removal tool?
Asked by: mpearson99
1 Solution
 
mpearson99 (Author) commented:
I have read this document and, as I said before, the following path:
 HKEY_CLASSES_ROOT\Software\Classes\
is not on Windows 2003 Server. Also the path:
HKEY_CLASSES_ROOT\Software\Classes\exefile\
is not on Windows 2000 Server. Any more ideas?
 
naushadkhan commented:
Download MWAV and try cleaning your system with this utility.

 
warturtle commented:
Download Malwarebytes Anti-Malware on the Windows 2003 machine and do a full scan with that. It could take some time; send us the log after the scan is done. It can be downloaded from:

www.malwarebytes.org

Hope it helps.
 
mpearson99 (Author) commented:
OK, I will try it.
 
Mohamed Osama (Senior IT Consultant) commented:
This is a file infector virus; I do not believe Malwarebytes can handle this. It may be able to detect the backdoor that is dropped, but not disinfect the system.
Download Regtools.vbs
- Reboot into safe mode or safe mode with networking
- Run the script regtools.vbs, then restart again into safe mode
- Try the manual Symantec removal steps
- Run a full virus scan while in safe mode
Let us see if the problem persists.
 
mpearson99 (Author) commented:
You may be right. I ran Malwarebytes on the 2003 server but it did not detect w32.gobi. It did find a few items; here is the file. One of the files I was not sure if I should delete; I think it may affect my db.
mbam-log-2009-04-24--02-20-28-.txt
 
mpearson99 (Author) commented:
What does regtools.vbs do? When you say use the Symantec manual removal steps, are you talking about the w32.gobi removal from the registry? If so, will this regtool create the registry path that I do not see currently in Windows 2000/2003 Server?
 
warturtle commented:
Vundo can be quite difficult to remove because it can hook into existing processes to access the internet and propagate. I suggest backing up your important stuff first of all. Secondly, you can download this tool called Process Explorer and see the processes that are loading in the background when no other application on this server is loaded except for the startup processes. It's available from:

http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

Let us know if you see any strangely named files there. An online scan with the AVG/Ewido online scanner will also be beneficial; it's at: www.ewido.net/en/onlinescan/

Hope it helps.
 
Mohamed Osama (Senior IT Consultant) commented:
regtools.vbs should allow you to re-enable registry editing, which was restricted by the malware,
so you can further edit the registry by running regedit.exe or regedit.com as per the Symantec article.
You can also directly try the exe file association fix after running regtools.vbs.
Hopefully you should then be able to boot into safe mode and disinfect the machine.
It may also be a good idea to use a program like CCleaner to delete temp files, as it appears this virus uses %TEMP% folders to hide.
However, this virus is a polymorphic file infector with Trojan horse functionality that is not really well documented. It should give you a bit of a hard time fixing.
They operate similarly: a file infector program runs in memory infecting other executables. You should find this, disable/delete it and kill it in safe mode, then scan the machine fully using your AV.
- The Symantec manual steps should help
- Always scan in safe mode
- Back up your essential data files and be prepared to rebuild the machine as a last resort.
As for the Vundo detection, you should retry the Malwarebytes scan in safe mode and allow the program to fix it.
Finally, a very good online scan that can help here:
http://www.bitdefender.com/scan8/ie.html
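Added example (not part of this thread, and not the regtools.vbs script or the Symantec steps it refers to): a PowerShell script that audits and optionally restores the two registry settings the answers above keep coming back to. Two facts worth stating plainly, because they explain the "path does not exist" confusion in the question: HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes, so the .exe association key is HKEY_CLASSES_ROOT\exefile\shell\open\command (equivalently HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command), not HKEY_CLASSES_ROOT\Software\Classes\...; and the "registry editing has been disabled by your administrator" message is produced by a DisableRegistryTools value of 1 under the Policies\System key in HKCU or HKLM. The default data for the exefile open command is `"%1" %*`. The script assumes PowerShell 2.0 or later is installed (an optional download on Windows Server 2003, not available on Windows 2000) and that it is run from an elevated console rather than by double-clicking, since a broken .exe association may be exactly what it is repairing.

```powershell
# Added example: audit (and with -Fix, restore) DisableRegistryTools and the
# .exe file association. Not from the original thread; assumes PowerShell 2.0+
# on the server and an administrative console session.
param([switch]$Fix)

# Default data for HKCR\exefile\shell\open\command: run the file, pass arguments.
$expectedExeCommand = '"%1" %*'

# DisableRegistryTools (REG_DWORD 1) in either key blocks regedit/regedt32.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

# PowerShell does not map HKEY_CLASSES_ROOT as a drive by default; map it here.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$exeKey = 'HKCR:\exefile\shell\open\command'

$findings = @()

# 1. Registry-tools lockout policy.
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableRegistryTools
    if ($value -and $value -ne 0) {
        $findings += "$key : DisableRegistryTools = $value (registry tools blocked)"
        if ($Fix) {
            Set-ItemProperty -Path $key -Name DisableRegistryTools -Value 0 -Type DWord
            Write-Host "Reset DisableRegistryTools to 0 under $key"
        }
    }
}

# 2. .exe file association. A hijacked value typically points at a dropped
#    binary that runs first and then launches the real program.
if (Test-Path $exeKey) {
    $current = (Get-ItemProperty -Path $exeKey).'(default)'
    if ($current -ne $expectedExeCommand) {
        $findings += "$exeKey : default = [$current], expected [$expectedExeCommand]"
        if ($Fix) {
            Set-ItemProperty -Path $exeKey -Name '(default)' -Value $expectedExeCommand
            Write-Host "Restored exefile open command"
        }
    }
} else {
    $findings += "$exeKey is missing entirely"
    if ($Fix) {
        New-Item -Path $exeKey -Force | Out-Null
        Set-ItemProperty -Path $exeKey -Name '(default)' -Value $expectedExeCommand
        Write-Host "Recreated exefile open command"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No tampering found in the checked keys."
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
    if (-not $Fix) { Write-Host "Re-run with -Fix to restore the defaults." }
}
```

Run it once without `-Fix` and read the findings before changing anything; a hijacked exefile command is worth recording because the path it names is the dropped component you then want to locate and submit to your AV vendor. Restoring these two keys is not disinfection: with a file infector still resident, the values can simply be set again and infected executables remain infected, which is why the advice above to do this from safe mode and follow it with a full scan (or a rebuild) still stands.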