paddy_cass

join:2004-05-03

Hijack Log and w32.Gaobot!inf virus

Need help. Yesterday I had the Sasser virus; I managed to get rid of it after 6 hours, scanning with Stinger.

Got up today, put on the computer and voilà, I have the w32.Gaobot!inf virus. Can't seem to get rid of this. Symantec programs seem to crash while they are scanning for it.

I have run the following HijackThis log; can you please check and see if there is anything I should remove:

Logfile of HijackThis v1.97.7
Scan saved at 17:48:35, on 03/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\soundtasks.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\BTopenworld NetHelp\bin\mpbtn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Owner\Desktop\stinger.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···ide.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »search.yahoo.com/search?p=%s
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [soundtasks] soundtasks.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKLM\..\RunServices: [soundtasks] soundtasks.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Homepage (HKCU)
O9 - Extra button: BT (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - »us.chat1.yimg.com/us.yimg.com/i/···chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - »dev-www.fileplanet.com/fpdlmgr/c···0_41.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - »www.wildtangent.com/multiplayer/···inst.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - »launch.gamespyarcade.com/softwar···unch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···ient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···95717593
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - »download.yahoo.com/dl/installs/y···mapi.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - »www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1436D38F-83E0-4D33-AFA2-2BBA2B3FCBEF}: NameServer = 194.74.65.69 194.72.9.38

Also this from CWShredder:

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (1112 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (718 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (274 bytes, A)

Any help with the virus and these logs would be greatly appreciated.
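An added example, not part of the original post and not a HijackThis feature: a small Python triage pass over the O3/O4 lines of the log above. It applies the signals the thread later points at: a Run value that is a bare file name (resolved through the search path rather than an explicit directory), an entry under the legacy RunServices key (HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices), an executable dropped straight into the Windows directory, the same program registered under both Run and RunServices, and a toolbar whose DLL is missing. The regexes assume the HijackThis 1.97 line format shown in the log; the sample is a constructed subset of that log.

```python
"""Triage the autostart (O4) and toolbar (O3) lines of a HijackThis log.

Added example for this thread; not HijackThis code and not any poster's tooling.
Each rule is a heuristic lifted from what the thread flags. A hit means "go and
look at that file", not "delete the entry".
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O3/O4 lines from the log posted above.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [soundtasks] soundtasks.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
O4 - HKLM\..\RunServices: [soundtasks] soundtasks.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
"""

# "O4 - HKLM\..\Run: [name] command" -> hive, key (Run/RunServices/RunOnce), name, command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O3 - Toolbar: title - {GUID} - path"
O3_RE = re.compile(r"^O3 - Toolbar: .* - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# An executable sitting directly in C:\WINDOWS or C:\WINNT, not in a subdirectory.
WINDIR_ROOT_RE = re.compile(r"[a-z]:\\(windows|winnt)\\[^\\]+", re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(log_text: str) -> dict:
    """Map each suspicious program (by file name) or O3 line to its sorted list of reasons."""
    findings = defaultdict(set)
    keys_by_base = defaultdict(set)  # file name -> Run keys it appears under
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1]
            keys_by_base[base].add(m.group("key"))
            if "\\" not in exe:
                findings[base].add("bare file name, resolved via the search path")
            if m.group("key") == "RunServices":
                findings[base].add("registered under the legacy RunServices key")
            if WINDIR_ROOT_RE.fullmatch(exe):
                findings[base].add("executable sits directly in the Windows directory")
            continue
        m = O3_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            findings[line].add("toolbar registered but its DLL is missing")
    for base, keys in keys_by_base.items():
        if {"Run", "RunServices"} <= keys:
            findings[base].add("same program under both Run and RunServices")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_LOG).items():
        print(target)
        for reason in reasons:
            print("   -", reason)
```

On this sample the three names the thread settles on (Msrv32.exe, avserve2.exe, soundtasks.exe) and the orphaned O3 toolbar come out flagged, while the Symantec, HP and Steam entries do not. The bare-name rule also flags the [PCTVOICE] pctspk.exe entry, which nobody in the thread questions, which is the reason the output is a review list rather than a delete list.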
paddy_cass

join:2004-05-03

Re: Hijack Log and w32.Gaobot!inf virus

Can I also add that the file svchost.exe is continuously running in the background. Not sure if this is a problem or not, but when I attempt to close it, it restarts the computer. An RPC violation.

John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

Re: Hijack Log and w32.Gaobot!inf virus

said by paddy_cass:
Can I also add that the file svchost.exe is continuously running in the background. Not sure if this is a problem or not, but when I attempt to close it, it restarts the computer. An RPC violation.

You should have about 4 svchost.exes running.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.
paddy_cass

join:2004-05-03

Re: Hijack Log and w32.Gaobot!inf virus

Yeah, I have 4. Does anyone know how to get rid of the virus?

darkstar2778
Premium
join:2004-01-20
Florida

Re: Hijack Log and w32.Gaobot!inf virus

You're in good hands now paddy_cass... hang tight, as I would imagine John2g is looking around to help you now.

darkstar2778
Premium
join:2004-01-20
Florida
Wait for an expert to come along and help you out (please don't do anything with Hijack This until an expert comments). This looks off to me:

O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe

I see some things you can fix but will let someone with more experience post. Do you know what this is:

O4 - HKLM\..\RunServices: [soundtasks] soundtasks.exe

EDIT: Please move HijackThis to its own permanent folder (i.e. C:\Hijack This\hijackthis.exe). This will allow it to make back-ups of any changes you make. This is important in the event you need to restore items you chose to fix with HijackThis.
paddy_cass

join:2004-05-03

Re: Hijack Log and w32.Gaobot!inf virus

Have no idea. MSRV.exe is a w32.Gaobot virus. When I get rid of the current virus by simply deleting the file it's associated with, it reappears again.

This is actually the very first hijack log i have ever run.

John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

This will help you remove the phatbot worm

»www.nacs.uci.edu/security/phatbot.html
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.

John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England


avserve2.exe is the Sasser worm.

Sasser removal tools can be found here:

»securityresponse.symantec.com/av···ool.html

Or in all in one removal tool from MS

»support.microsoft.com/?kbid=841720

John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

When you have got rid of the viruses, have HJT fix these.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »uk.red.clientapps.yahoo.com/cust···ide.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »uk.red.clientapps.yahoo.com/cust···hoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »uk.red.clientapps.yahoo.com/cust···hoo.com/
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Msrv32] Msrv32.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\RunServices: [Msrv32] Msrv32.exe
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.
paddy_cass

join:2004-05-03

Re: Hijack Log and w32.Gaobot!inf virus

In relation to the file Msrv32.exe: I have scanned the system and cannot find this file; I have deleted and checked regedit, but there is no sign of this file.

However, I am still getting a virus alert for W32.Gaobot!inf.

The hosts file is the one infected.

John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

Re: Hijack Log and w32.Gaobot!inf virus

I think your answer is in this post.

»Re: Comp is under serious attack - HijackThisLog
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.
ccullins

join:2004-05-05
Saint Petersburg, FL

You need to take the system off the network and go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run, look for an entry "10base-t" and delete it, and do the same for RunServices. This gets rid of the virus, but I have a couple of machines I have done this to and I have gotten it back once or twice. Still looking for the fix.

BusterDuke

@nuvox.ne

Re: Hijack Log and w32.Gaobot!inf virus

We have had all of our Windows 2000 PCs in our office infected with soundtasks.exe, which appears to be very similar to the w32.sasser worm.

The only things I could tell it was doing was 1) sending out a large amount of network traffic (trying to infect other computers) 2) modifying the c:\winnt\system32\drivers\etc\hosts file (adding a bunch of anti-virus web sites with loop-back IP to prevent reaching them) and 3) making multiple copies of itself to the root of c:\ drive with random characters as its name (with a .exe extension) all 142 kb in size.

I killed the process, removed the file (c:\winnt\system32\soundtasks.exe), and removed it from the registry (hkey_local_machine\software\microsoft\windows\currentversion\run\soundtasks) and all of the excessive network traffic seems to have stopped.

It spreads through the same vulnerability as the w32.sasser worm exploits (I've noticed that once we've patched our PCs with that fix they are not getting re-infected).
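An added example, not part of the post above and not any vendor's removal tool: two Python checks for the two host-side symptoms the poster describes, a hosts file that points anti-virus and update sites at the loopback address, and same-sized copies of the worm dropped into the root of the system drive under random names. The hosts content, the domain names in it and the dummy executables are all constructed here so the script runs offline; the 142 KB figure is the one from the post, used only as the size of the stand-in payload.

```python
"""Hosts-file hijack check and same-size dropper clustering.

Added example for this thread; not from any poster or vendor tool. Both
functions take ordinary inputs (file text, a directory path) so they can be
pointed at a real machine after the constructed demo below.
"""
import os
import tempfile

# Addresses a hijacked hosts file uses to black-hole a name.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample, shaped like the modifications the post describes
# (assumed domain list; not the worm's real list).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  www.symantec.com
127.0.0.1  securityresponse.symantec.com
127.0.0.1  liveupdate.symantecliveupdate.com
127.0.0.1  www.trendmicro.com
127.0.0.1  windowsupdate.microsoft.com
"""


def hosts_hijacks(text: str) -> list:
    """Return (hostname, ip) pairs that map anything other than localhost to a loopback/null address."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                hits.append((name, ip))
    return hits


def same_size_executables(directory: str, min_copies: int = 2) -> dict:
    """Group .exe files directly in `directory` by byte size; keep sizes with >= min_copies files.

    The post reports the worm copying itself into the drive root under random
    names, all the same size, so a cluster of identically sized executables
    there is the tell. Subdirectories are deliberately not walked.
    """
    by_size = {}
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.lower().endswith(".exe"):
            by_size.setdefault(entry.stat().st_size, []).append(entry.name)
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_copies}


def demo_directory() -> str:
    """Create a throwaway directory that mimics an infected drive root (constructed data)."""
    d = tempfile.mkdtemp()
    payload = b"\x00" * (142 * 1024)          # stand-in for the 142 KB worm body
    for name in ("kqzxw.exe", "plmrt.exe", "zzqaa.exe"):   # invented random names
        with open(os.path.join(d, name), "wb") as f:
            f.write(payload)
    with open(os.path.join(d, "setup.exe"), "wb") as f:   # unrelated file, different size
        f.write(b"MZ" + b"\x00" * 1000)
    return d


if __name__ == "__main__":
    for name, ip in hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts hijack: {name} -> {ip}")
    for size, names in same_size_executables(demo_directory()).items():
        print(f"{len(names)} executables of {size} bytes: {', '.join(names)}")
```

On a real box, feed hosts_hijacks the text of C:\WINNT\system32\drivers\etc\hosts (C:\WINDOWS\... on XP) and point same_size_executables at the drive root. Every name that comes back from the hosts check is a site the machine can no longer reach for updates or removal tools, which is why the poster's "patch first, then the reinfection stops" observation matters: the hijacked hosts file has to be repaired before any online update will work.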
sonnysims

join:2003-03-29
Spring, TX

Re: Hijack Log and w32.Gaobot!inf virus

We are in the same boat here. Soundtasks.exe and Soundtctrls.exe running on machines.

If you scan them for viruses with Trend's Sysclean you get BKDR_SDBOT.M virus on the machine.

After we remove the registry entries and delete the .EXEs from windows\system32 it seems to cure them. They have to have the patches though or they get reinfected.

NONE of the anti-virus companies have anything about this. I've submitted soundtasks.exe and soundtctrls.exe to Trend yesterday. Nothing yet, even scanning with their latest 886 pattern.
© 1999-2009 dslreports.com.