How to clean a virus file


test

Hi
I have a Gateway PC which runs Windows XP Professional. Currently I ran a
full scan of the Symantec AntiVirus program v8.1, which has detected a virus
called "backdoor.trojan" for a file called c:\windows\system32\gilsoh.exe.
It also mentions that clean failed and quarantine failed. And when I tried
to delete it, that also failed. So I am not sure what I should do to clean
this virus.

Is this file part of the Windows XP OS, or was it created by a virus program?
Is it OK to somehow delete this file? What should I do to clean this virus?
Please let me know ASAP.
Thanks.
 

Malke

test said:
Hi
I have a Gateway PC which runs Windows XP Professional. Currently I ran a
full scan of the Symantec AntiVirus program v8.1, which has detected a virus
called "backdoor.trojan" for a file called c:\windows\system32\gilsoh.exe.
It also mentions that clean failed and quarantine failed. And when I tried
to delete it, that also failed. So I am not sure what I should do to clean
this virus.

Is this file part of the Windows XP OS, or was it created by a virus program?
Is it OK to somehow delete this file? What should I do to clean this virus?
Please let me know ASAP.
Thanks.

That is not a Windows file. It is malware. Go through these general
malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://pcdid.com/Multi_AV.htm - download

You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may
be so infested that Windows will need to be clean-installed. Have all
your data backed up before you take the machine into a shop.


Malke
 

Waz Up

Even easier. Restart in SAFE MODE and nuke the file. Then run MSCONFIG and
uncheck the file startup link (if one is there). Then restart.

Sure enuff, most of these issues can be fixed with Safe Mode.

Hope it helps.
 

Malke

Waz said:
Even easier. Restart in SAFE MODE and nuke the file. Then run MSCONFIG and
uncheck the file startup link (if one is there). Then restart.

Sure enuff, most of these issues can be fixed with Safe Mode.

No, that is incorrect. That technique may have worked for you with a
very simple infestation but it will not be sufficient to remove most
malware and viruses. See my previous post.


Malke
 

Guest

test said:
Hi
I have a Gateway PC which runs Windows XP Professional. Currently I ran a
full scan of the Symantec AntiVirus program v8.1, which has detected a virus
called "backdoor.trojan" for a file called c:\windows\system32\gilsoh.exe.
It also mentions that clean failed and quarantine failed. And when I tried
to delete it, that also failed. So I am not sure what I should do to clean
this virus.

Is this file part of the Windows XP OS, or was it created by a virus program?
Is it OK to somehow delete this file? What should I do to clean this virus?
Please let me know ASAP.
Thanks.

Sophos Anti-Rootkit
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run = In the
right pane/window delete the gilsoh.exe running process

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices = In
the right pane/window delete the gilsoh.exe running service

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = In the
right pane/window delete the gilsoh.exe running process

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services = In the right
pane/window delete the gilsoh.exe running service.

You can use this tool to delete the file from the path mentioned in your
post:
AutoRuns for Windows v8.61:
http://www.microsoft.com/technet/sysinternals/SystemInformation/Autoruns.mspx

Scanning for them:
Scan for malware from here:
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm
Run a scan from here on-line:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine:
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/

Download HijackThis and send the report to one of the many
forums for analysis and troubleshooting:
http://www.merijn.org/index.php
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
HTH.
nass
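The post above names four registry autostart locations and suggests Autoruns for the same job. As an added example, not code from nass's post or from any of the linked tools, here is a read-only PowerShell check that walks those same four locations and reports any value whose command line references the file the scanner flagged, plus the file's size, timestamps and Authenticode status. It assumes PowerShell 2.0 or later on the affected machine; the file name is a parameter and defaults to the one reported in the thread. Nothing is deleted, so the output can be reviewed (or handed to a forum with a HijackThis log) before any removal is attempted.

```powershell
# Added example: inventory the autostart locations listed in the post for
# references to a given executable. Read-only; assumes PowerShell 2.0+.
param(
    # Assumption: the file name reported by the AV scan in the thread.
    [string]$Target = 'gilsoh.exe'
)

# The Run/RunServices keys named in the post. RunServices is not present
# on every XP install, so missing keys are skipped rather than treated as errors.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Find-RunEntries {
    param([string]$Name)
    $pattern = [regex]::Escape($Name)
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match $pattern) {
                New-Object PSObject -Property @{
                    Location  = $key
                    ValueName = $p.Name
                    Command   = "$($p.Value)"
                }
            }
        }
    }
}

function Find-ServiceEntries {
    param([string]$Name)
    # The fourth location from the post: every service's ImagePath.
    $pattern = [regex]::Escape($Name)
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and ("$img" -match $pattern)) {
            New-Object PSObject -Property @{
                Location  = $svc.PSPath
                ValueName = 'ImagePath'
                Command   = "$img"
            }
        }
    }
}

$hits = @(Find-RunEntries -Name $Target) + @(Find-ServiceEntries -Name $Target)
if ($hits.Count -eq 0) {
    Write-Output "No autostart entries in the checked locations reference $Target"
} else {
    $hits | Format-Table Location, ValueName, Command -AutoSize
}

# Basic facts about the file itself. An unsigned binary with an unfamiliar
# name in system32 supports the "not a Windows file" assessment above.
$path = Join-Path $env:windir "system32\$Target"
if (Test-Path $path) {
    Get-Item $path | Select-Object FullName, Length, CreationTime, LastWriteTime
    Get-AuthenticodeSignature -FilePath $path | Select-Object Status, SignerCertificate
} else {
    Write-Output "$path not found (it may be hidden from the logged-on user or already removed)"
}
```

Run it as `.\Find-Autostart.ps1 -Target gilsoh.exe` (file name is an assumption) from an administrative prompt. The four keys are only the ones the post lists; Autoruns inspects many more persistence points (Winlogon, drivers, scheduled tasks, browser helper objects), so a clean result from this script does not mean the machine has no persistence, and a file that hides from the file system is exactly the case the Sophos Anti-Rootkit link is for.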
 

Waz Up

Actually, you can download gilsoh.exe. (with the batch file to install).

I just did so, restarted in SAFE MODE and tried my fix and it worked fine!!!

Nuff said...
 

Waz Up

Also, worked with the following (albeit in a VMware 2K and XP machine):

GPCoder.h
W32/Zhelatin.gen!eml
Phish-BuyPhony
W32/Stration.gen.dldr
PWS-Banker.gen.ac


AND

MS07-039 Active Dir ..
MS07-038 MS Vista FW
MS07-031 MS SChannel
MS07-035 MS Win32 API
MS07-026 MIME Decodi..
MS07-029 MS DNS RPC
MS07-017 MS Win ANI
MS07-034 MS UNC Nav
MS07-033 IE 7 Spoofi..
 

Ken Blake, MVP

Waz Up said:
Even easier. Restart in SAFE MODE and nuke the file. Then run MSCONFIG and
uncheck the file startup link (if one is there). Then restart.

Sure enuff, most of these issues can be fixed with Safe Mode.


No, very few of these issues can be fixed by simply nuking them in
Safe Mode. If you were successful in doing this with some, consider
yourself lucky.
 

Waz Up

OK now to be clear. I AM NOT suggesting that Safe Mode fixes all like
issues. In this "Particular Case" yes it works fine (as well as some of the
others I posted). I think that the universe should always look at the easy
fix before installing and running all kinds of software to remove malware.

I do suggest that it "sometimes" may be just as easy to try Safe Mode, then
hit the panic button. In addition to fixing issues like drivers, Safe Mode
is there because it is a "SAFE MODE" method to "Try to Fix" issues before
spending all kinds of time and money using all kinds of tools.

I don't believe that "Luck" has anything to do with it. It's simply a matter
of trying the "Obvious" first.

Just a few thoughts, but of course after being a MS SE and Trainer for over
20 years, I may be way out to lunch.

Not...
 

Ken Blake, MVP

Waz Up said:
OK now to be clear. I AM NOT suggesting that Safe Mode fixes all like
issues. In this "Particular Case" yes it works fine (as well as some of the
others I posted).


OK, sorry, if that's all you meant, I missed it.

I think that the universe should always look at the easy
fix before installing and running all kinds of software to remove malware.


No argument from me.

I do suggest that it "sometimes" may be just as easy to try Safe Mode, then
hit the panic button. In addition to fixing issues like drivers, Safe Mode
is there because it is a "SAFE MODE" method to "Try to Fix" issues before
spending all kinds of time and money using all kinds of tools.

I don't believe that "Luck" has anything to do with it. It's simply a matter
of trying the "Obvious" first.

Just a few thoughts, but of course after being a MS SE and Trainer for over
20 years, I may be way out to lunch.


Your statements need to stand on their own merits here, not on the
number of years experience you have. Besides, you're a beginner
compared to me. I've worked in the computer field since 1962.


 
