Hijack Log and w32.Gaobot!inf virus

paddy_cass (join: 2004-05-03):
Need help. Yesterday I had the Sasser virus; managed to get rid of this after 6 hours. Scanned using Stinger.
Got up today, put on the computer and voila, I have the w32.Gaobot!inf virus. Can't seem to get rid of this. Symantec programs seem to crash while they are scanning for it.
Have run the following hijack log; can you please check and see if there is anything I should remove:
Logfile of HijackThis v1.97.7
Scan saved at 17:48:35, on 03/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\soundtasks.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Owner\Desktop\stinger.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···ide.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [soundtasks] soundtasks.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKLM\..\RunServices: [soundtasks] soundtasks.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Homepage (HKCU)
O9 - Extra button: BT (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - »us.chat1.yimg.com/us.yimg.com/i/···chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - »dev-www.fileplanet.com/fpdlmgr/c···0_41.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - »www.wildtangent.com/multiplayer/···inst.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - »launch.gamespyarcade.com/softwar···unch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···ient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···95717593
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - »download.yahoo.com/dl/installs/y···mapi.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - »www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1436D38F-83E0-4D33-AFA2-2BBA2B3FCBEF}: NameServer = 194.74.65.69 194.72.9.38
Also this from CWShredder:
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (1112 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be ») [] »
Registry value: WWW Prefix (should be ») [www] »
Registry value: Mosaic Prefix (should be ») [mosaic] »
Registry value: Home Prefix (should be ») [home] »
Found Win.ini file: C:\WINDOWS\win.ini (718 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (274 bytes, A)

Any help with the virus and these logs would be greatly appreciated.
paddy_cass (join: 2004-05-03):
Can I also add that the file svchost.exe is continuously running in the background. Not sure if this is a problem or not, but when I attempt to close it, it restarts the computer. An RPC violation.
John2g (Qui Tacet Consentit, Premium, join: 2001-08-10, England):
said by paddy_cass: Can I also add that the file svchost.exe is continuously running in the background. Not sure if this is a problem or not, but when I attempt to close it, it restarts the computer. An RPC violation.
You should have about 4 svchost.exes running.
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.
darkstar2778 (Premium, join: 2004-01-20, Florida), reply to paddy_cass:
Wait for an expert to come along and help you out (please don't do anything with Hijack This until an expert comments). This looks off to me:
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
I see some things you can fix but will let someone with more experience post. Do you know what this is:
O4 - HKLM\..\RunServices: [soundtasks] soundtasks.exe
EDIT: Please move Hijack This to its own permanent folder (i.e. C:\Hijack This\hijackthis.exe). This will allow it to make back-ups of any changes you make. This is important in the event you need to restore items you chose to fix with Hijack This.
paddy_cass (join: 2004-05-03), reply to John2g:
Yeah, I have 4. Does anyone know how to get rid of the virus?
paddy_cass (join: 2004-05-03), reply to darkstar2778:
Have no idea. MSRV.exe is a w32.Gaobot virus. When I get rid of the current virus by simply deleting the file it's associated with, it reappears again.
This is actually the very first hijack log I have ever run.
darkstar2778 (Premium, join: 2004-01-20, Florida), reply to paddy_cass:
You're in good hands now, paddy_cass... hang tight, as I would imagine John2g is looking around to help you now.
John2g (Qui Tacet Consentit, Premium, join: 2001-08-10, England), reply to paddy_cass:
This will help you remove the phatbot worm:
»www.nacs.uci.edu/security/phatbot.html
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.
John2g (Qui Tacet Consentit, Premium, join: 2001-08-10, England), reply to paddy_cass:
avserve2.exe is the Sasser worm.
Sasser removal tools can be found here:
»securityresponse.symantec.com/av···ool.html
Or in the all-in-one removal tool from MS:
»support.microsoft.com/?kbid=841720
John2g (Qui Tacet Consentit, Premium, join: 2001-08-10, England), reply to paddy_cass:
When you have got rid of the viruses, have HJT fix these.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/customize/.">uk.docs.yahoo.com/info/bt_side.html">u...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/customize/.">uk.search.yahoo.com/">uk.red.clientapp...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »uk.red.clientapps.yahoo.com/customize/.">uk.search.yahoo.com/">uk.red.clientapp...
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.
paddy_cass (join: 2004-05-03):
In relation to the file Msrv32.exe, I have scanned the system and cannot find this file; have deleted and checked regedit, but no sign of this file.
However, I am still getting a virus alert for W32.Gaobot!inf.
Hosts file is the one infected.
John2g (Qui Tacet Consentit, Premium, join: 2001-08-10, England):
I think your answer is in this post.
»Re: Comp is under serious attack - HijackThisLog
-- Better to remain silent and be thought a fool, than to speak and remove all doubt.
ccullins (join: 2004-05-05, Saint Petersburg, FL), reply to paddy_cass:
You need to take the system off the network and go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run, look for an entry 10base-t and delete it, and do the same for RunServices. This gets rid of the virus, but I have a couple of machines I have done this to and I have gotten it back once or twice. Still looking for the fix.
BusterDuke (@nuvox.ne):
We have had all of our Windows 2000 PCs in our office infected with soundtasks.exe, which appears to be very similar to the w32.sasser worm.
The only things I could tell it was doing were: 1) sending out a large amount of network traffic (trying to infect other computers), 2) modifying the c:\winnt\system32\drivers\etc\hosts file (adding a bunch of anti-virus web sites with the loop-back IP to prevent reaching them), and 3) making multiple copies of itself in the root of the c:\ drive with random characters as its name (with a .exe extension), all 142 KB in size.
I killed the process, removed the file (c:\winnt\system32\soundtasks.exe), and removed it from the registry (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\soundtasks), and all of the excessive network traffic seems to have stopped.
It spreads through the same vulnerability as the w32.sasser worm exploits (I've noticed that once we've patched our PCs with that fix they are not getting re-infected).
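A quick check for the hosts-file tampering BusterDuke describes (anti-virus and update sites pinned to the loop-back address so the machine can no longer reach them). This is an added example, not code posted in the thread; the sample hosts content is constructed, the hostnames are illustrative, and check_hosts_file assumes the Windows XP hosts path quoted in the CWShredder output above.

```python
import ipaddress

# Constructed sample in the style of the tampered hosts file described in the
# thread: the worm appends AV/update sites mapped to loopback so the machine
# can no longer reach them. Hostnames are illustrative only.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       securityresponse.symantec.com
127.0.0.1       v4.windowsupdate.microsoft.com
127.0.0.1       update.example-av.test   # constructed name
::1             localhost
"""

# Names that legitimately map to loopback in a stock hosts file.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()  # one address, one or more names
        entries.extend((ip, name.lower()) for name in names)
    return entries

def suspicious_loopback_entries(text):
    """Hostnames other than localhost pinned to a loopback address: the tampering
    the worm performs. A hit is a lead to investigate, not proof of infection."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; skip it
        if addr.is_loopback and name not in LEGIT_LOOPBACK:
            hits.append(name)
    return hits

def check_hosts_file(path=r"C:\WINDOWS\system32\drivers\etc\hosts"):
    """Run the check against a hosts file on disk (default: the XP path from the thread)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_loopback_entries(fh.read())

if __name__ == "__main__":
    for name in suspicious_loopback_entries(SAMPLE_HOSTS):
        print("pinned to loopback:", name)
```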
sonnysims (join: 2003-03-29, Spring, TX):
We are in the same boat here. Soundtasks.exe and Soundtctrls.exe running on machines.
If you scan them for viruses with Trend's Sysclean, you get the BKDR_SDBOT.M virus on the machine.
After we remove the registry entries and delete the .EXEs from windows\system32, it seems to cure them. They have to have the patches though, or they get reinfected.
NONE of the anti-virus companies have anything about this. I submitted soundtasks.exe and soundtctrls.exe to Trend yesterday. Nothing yet, even scanning with their latest 886 pattern.