Hijack Log and w32.Gaobot!inf virus in Security

Hijack Log and w32.Gaobot!inf virus in Security http://www.dslreports.com/forum/r10141165 en Thu, 03 Dec 2009 09:39:05 EDT Thu, 03 Dec 2009 09:39:05 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10160019 sonnysims : We are in the same boat here. Soundtasks.exe and Soundtctrls.exe running on machines.

If you scan them for viruses with Trend's Sysclean you get BKDR_SDBOT.M virus on the machine.

After we remove the registry entries and delete the .EXEs from windows\system32 it seems to cure them. They have to have the patches though or they get reinfected.

NONE of the anti-virus companies have anything about this. I've submitted soundtasks.exe and soundtctrls.exe to Trend yesterday. Nothing yet, even scanning with their latest 886 pattern.]]> http://www.dslreports.com/forum/remark,10160019 Wed, 05 May 2004 14:24:20 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10159892 anon : We have had all of our Windows 2000 PCs in our office infected with soundtasks.exe which appears to be very similar to the w32.sasser worm

The only things I could tell it was doing was 1) sending out a large amount of network traffic (trying to infect other computers) 2) modifying the c:\winnt\system32\drivers\etc\hosts file (adding a bunch of anti-virus web sites with loop-back IP to prevent reaching them) and 3) making multiple copies of itself to the root of c:\ drive with random characters as its name (with a .exe extension) all 142 kb in size.

I killed the process, removed the file (c:\winnt\system32\soundtasks.exe), and removed it from the registry (hkey_local_machine\software\microsoft\windows\currentversion\run\soundtasks) and all of the excessive network traffic seems to have stopped.

It spreads through the same vulnerability as the w32.sasser worm exploits (I've noticed that once we've patched our PCs with that fix they are not getting re-infected).]]> http://www.dslreports.com/forum/remark,10159892 Wed, 05 May 2004 14:08:28 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10157900 ccullins : You need to take the system off the network and go to your HKLM, software, microsoft, windows, currentversion, run look far an entry 10base-t and delete it, and do the same for runservices. This gets rid of the virus but I have a couple of machinces I have do this to but I have gotten it back once or twice. Still looking for the fix ]]> http://www.dslreports.com/forum/remark,10157900 Wed, 05 May 2004 09:26:49 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141879 John2g : I think your answer is in this post.

»Re: Comp is under serious attack - HijackThisLog
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,10141879 Mon, 03 May 2004 17:44:41 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141855 paddy_cass : In relation to the file Msrv32.exe, have scanned system and cannot find this file, have deleted and check regedit but no sign of this file.

However i have am still getting virus alert for W32gaobot!inf.

Hosts file is the one infected. ]]> http://www.dslreports.com/forum/remark,10141855 Mon, 03 May 2004 17:40:55 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141490 John2g : When you have got rid of the viruses, have HJT fix these.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = �uk.red.clientapps.yahoo.com/customize/.">uk.docs.yahoo.com/info/bt_side.html">u...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = �uk.red.clientapps.yahoo.com/customize/.">uk.search.yahoo.com/">uk.red.clientapp...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = �uk.red.clientapps.yahoo.com/customize/.">uk.search.yahoo.com/">uk.red.clientapp...
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,10141490 Mon, 03 May 2004 16:55:57 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141401 John2g : avserve2.exe is the sasser worm

sasser removal tools can be found here

»securityresponse.symantec.com/av···ool.html

Or in all in one removal tool from MS

»support.microsoft.com/?kbid=841720]]> http://www.dslreports.com/forum/remark,10141401 Mon, 03 May 2004 16:46:39 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141374 John2g : This will help you remove the phatbot worm

»www.nacs.uci.edu/security/phatbot.html
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,10141374 Mon, 03 May 2004 16:43:59 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141361 darkstar2778 : You're in good hands now paddy_cass

....hang tight as I would imagine John2g

is looking around to help you now.]]> http://www.dslreports.com/forum/remark,10141361 Mon, 03 May 2004 16:42:53 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141348 paddy_cass : Have no idea, MSRV.exe is a w32.Gaobot virus. When i get rid of the current virus by simply deleting the file its associated with it reappears again.

This is actually the very first hijack log i have ever run.]]> http://www.dslreports.com/forum/remark,10141348 Mon, 03 May 2004 16:41:51 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141320 paddy_cass : yeah, i have 4, does anyone know how to get rid of the virus]]> http://www.dslreports.com/forum/remark,10141320 Mon, 03 May 2004 16:39:00 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141318 darkstar2778 : Wait for an expert to come along and help you out (please don't do anything with Hijack This until an expert comments). This looks off to me:

O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe

I see some things you can fix but will let someone with more experience post. Do you know what this is:

O4 - HKLM\..\RunServices: [soundtasks] soundtasks.exe

EDIT: Please move Hijack This to it own permanent folder (i.e. C:\Hijack This\hijackthis.exe). This will allow it to make back-ups of any changes you make. This is important in the event you need to restore items you chose to fix with Hijack This.]]> http://www.dslreports.com/forum/remark,10141318 Mon, 03 May 2004 16:38:53 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141305 John2g :

said by paddy_cass :
Can i also add that the file svchost.exe is continuously running in the background. Not sure if this is a prob or not but when i attempt to close it it restarts the comnputer. An RPC violation.

You should have about 4 svchost.exes running.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,10141305 Mon, 03 May 2004 16:37:37 EDT Re: Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141202 paddy_cass : Can i also add that the file svchost.exe is continuously running in the background. Not sure if this is a prob or not but when i attempt to close it it restarts the comnputer. An RPC violation.]]> http://www.dslreports.com/forum/remark,10141202 Mon, 03 May 2004 16:27:31 EDT Hijack Log and w32.Gaobot!inf virus http://www.dslreports.com/forum/remark,10141165 paddy_cass : Need help, yesterday I had the sasser virus. managed to get rid of this after 6 hours. Scanned using Stinger.

Got up today put on the computer and viola i have the w32.Gaobot!inf virus. Can seem to get rid of this. Symantec programs seem to crash while they are scanning for it.

Have run the following hijack log, can u pls check and see if there is anything i should remove:

Logfile of HijackThis v1.97.7
Scan saved at 17:48:35, on 03/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\soundtasks.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Owner\Desktop\stinger.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···ide.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [soundtasks] soundtasks.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKLM\..\RunServices: [soundtasks] soundtasks.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Homepage (HKCU)
O9 - Extra button: BT (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - »us.chat1.yimg.com/us.yimg.com/i/···chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - »dev-www.fileplanet.com/fpdlmgr/c···0_41.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - »www.wildtangent.com/multiplayer/···inst.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - »launch.gamespyarcade.com/softwar···unch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···ient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···95717593
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - »download.yahoo.com/dl/installs/y···mapi.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - »www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1436D38F-83E0-4D33-AFA2-2BBA2B3FCBEF}: NameServer = 194.74.65.69 194.72.9.38

Also this from CWShredder:

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (1112 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be ») [] »
Registry value: WWW Prefix (should be ») [www] »
Registry value: Mosaic Prefix (should be ») [mosaic] »
Registry value: Home Prefix (should be ») [home] »
Found Win.ini file: C:\WINDOWS\win.ini (718 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (274 bytes, A)

Any help with the virus and these logs would be greatly appreciated. ]]> http://www.dslreports.com/forum/remark,10141165 Mon, 03 May 2004 16:23:32 EDT