Help, I can’t get rid of this. Have tried everything. Infected file comes up C:/DOCUMENTS AND SETTINGS/HOMEUSER/…/CA9SWE and not able to scan (have disabled system restore and checked delete file at reboot).
Hi, welcome to the forums.
Please help us to help you. In order to help fully we need more information…
- What OS are you using? is it up to date?
- What email program are you using - if applicable?
- avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
- What was the virus name, what was the filename, where was it found, example (C:\windows\system32\infected-filename.xxx)?
- What actions have you taken to try and resolve the problem?
Also see this thread for further information and advice User’s FAQ.
This virus takes advantage of several exploits that were patched by MS ages ago; you need to update your system, or it will be back again.
A search of these forums for win32:Gaobot will no doubt return many hits as this topic has been previously discussed a number of times. As will a Google search.
General Advice & Tools for virus/trojan/malware removal
If you need more help, come back here with more info…
I am a learner so please be gentle with me :-[. I don’t know what an OS program is? I am using Windows XP Professional and my emails are Outlook Express and Hotmail. I have updated my Windows but haven’t downloaded Service Pack 2 yet because it said it would take 10 and a half hours. I have avast Home Edition 4, VPS number 0441-1. Virus name = WIN 32: Gaobot - 744 [wrm]. File name = C/System Volume Information?_restore{7F133ADB-DEE1-48EC-. My computer starts freezing up. I run the virus scan, get the infected siren, delete infected files, and at the end of the scan it comes up with C:/DOCUMENT AND SETTINGS?HOMEUSER/…/CA7795WE in the information box and says it is unable to scan. After this my computer runs like a bought one for a week or so and then it does this all over again. I tried getting rid of it with Norton AntiVirus first and it came up with some files that were infected. I got rid of them, and after having just spent $100 on the disc that didn’t work Norton wanted another $131 just to talk about it. Avast got me going but only for a while.
Run a boot-time scan and see if that solves the problem, and click on the link in my signature and follow the steps on that page.
Read this information, http://www.symantec.com/avcenter/venc/data/w32.gaobot.afw.html; the information is relevant to the win32.gaobot family.
It states which vulnerabilities it takes advantage of and which MS security updates patch it. Even though you think you are up to date with your Operating System (OS), something hasn’t been patched. That’s why it keeps coming back: “After this my computer runs like a bought one for a week or so and then it does this all over again.” I suggest that you reapply the patches again.
You need to switch off system restore, to get rid of items in the ‘C/System Volume Information?_restore{7F133ADB-DEE1-48EC’ folder as this is protected by Windows. Having done that, reboot and scan again. If all is clear then you can enable system restore again.
Win XP - How to disable System Restore
Don’t worry about your experience level, take it one step at a time (the whole process may seem daunting); print off the instructions and information we have given you so it is easier to follow step by step.
Yes, it’s me again :-[. I am following your instructions Eddy. I can’t seem to open my hosts file. It says it needs to know what program created it in order to open it? When I do open it, how do I know what unknown files are in order to delete them? (All files are unknown to me!!) I got the programs you said including HijackThis and when I ran HijackThis about 70 files were on it and it said that if you’re not sure which files not to delete then don’t delete any without checking with a computer expert. (What the!!) I am totally new to computers and I am going to go and have a lie down as I have a headache trying to work it all out. (I’ll probably have a cry as well.) Regards Efuniture
You can open the hosts file with any text editor. And post the HijackThis log here. Let us have a look.
Hi Eddy, this is the HijackThis stuff that came up. Can you please tell me what a text editor is and how do I use it?
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hotbar\bin\4.5.1.0\HbSrv.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.5.1.0\HbHostIE.dll
O4 - HKLM..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM..\Run: [Virtual Directory Driver] hpwinn32.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.5.1.0\HbInst.exe /Upgrade
O4 - HKLM..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM..\RunServices: [Virtual Directory Driver] hpwinn32.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [Microsoft Update] msconfg.exe
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1091673055998
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38203.053900463
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Hi efuniture,
Your system seems to have quite a lot of malware on it. You could try going to Eddy’s website, follow the instructions/steps there, then re-post your HijackThis log here. Could you include the top of the HijackThis log if you re-post please (what version of HijackThis and IE is in it).
–lee
Thanks Lee16, here it is:
Logfile of HijackThis v1.97.7
Scan saved at 4:32:13 PM, on 10/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\homeuser\My Documents\HijackThis.exe
C:\Documents and Settings\homeuser\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM..\Run: [Virtual Directory Driver] hpwinn32.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM..\RunServices: [Virtual Directory Driver] hpwinn32.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [Microsoft Update] msconfg.exe
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1091673055998
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38203.053900463
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{836CAD47-CAEB-4F01-A2EC-6F4AF91FADF0}: NameServer = 203.194.56.150 203.194.27.57
- You have used an old version of HijackThis; next time please use the latest version since it can detect a lot more.
- Your Windows is not up to date.
- Your IE is not up to date.
- I don’t see you using a firewall; unless you have a router/firewall I suggest you get one.
THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = about:blank
o4 - hklm..\run: [microsoft update] msconfg.exe
o4 - hklm..\runservices: [microsoft update] msconfg.exe
o4 - hkcu..\run: [microsoft update] msconfg.exe
o4 - global startup: digimax viewer 1.0.lnk = ?
o4 - global startup: microsoft works calendar reminders.lnk = ?
o9 - extra button: research (hklm)
o16 - dpf: {00b71cfb-6864-4346-a978-c0a14556272c} (checkers class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
o16 - dpf: {19e28afc-eae3-4ce5-ac83-2407b42f57c9} (mssecurityadvisor class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/mssecadv.cab?1091673055998
o16 - dpf: {4c39376e-fa9d-4349-bacc-d305c1750ef3} (epuimagecontrol class) - http://tools.ebayimg.com/eps/wl/activex/epuwalcontrol_v1-0-3-12.cab
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab31267.cab
o16 - dpf: {9f1c11aa-197b-4942-ba54-47a8489bb47f} - http://v4.windowsupdate.microsoft.com/cab/x86/unicode/iuctl.cab?38203.053900463
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
o16 - dpf: {d27cdb6e-ae6d-11cf-96b8-444553540000} (shockwave flash object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
Nothing found.
THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :
o4 - hkcu..\run: [msmsgs] “c:\program files\messenger\msmsgs.exe” /background
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe
Sorry, I thought I had the HijackThis update. So I downloaded it and below are the results. I got rid of the ones on the other list but I don’t know how to remove the ones you told me to in startup. I’m not sure how to go about it. I tried to install a firewall following your advice from earlier (ZoneAlarm) but no matter what I do it stops me from going onto the net, coming up with all these alerts, blocks and stuff. I picked my programs to allow it to access the net with and it keeps blocking it and interfering with my avast as well. I tried to get help from an in-law who has a degree in these things but???. Anyway, if you have advice great!! and on the new list below too! I also tried the ten hour update for my Windows (Service Pack 2). It would seem to be downloading OK and then it would come up error in downloading, so I would start again and the same thing. Anyway it’s put all these questions in my section where you add and remove programs. What are all these questions? I can’t post them so I will give you an example = Windows XP Hotfix (SP2 [see Q329048 for more information]) ?? I am going for a valium and a lie down now. Thanks
Logfile of HijackThis v1.98.2
Scan saved at 4:49:36 PM, on 10/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\homeuser\My Documents\HijackThis.exe
C:\Documents and Settings\homeuser\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [Virtual Directory Driver] hpwinn32.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\RunServices: [Virtual Directory Driver] hpwinn32.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip..{836CAD47-CAEB-4F01-A2EC-6F4AF91FADF0}: NameServer = 203.194.56.150 203.194.27.57
-
The “questions”, as you call them, in the add/remove section are Microsoft Updates.
-
After installing the updates they leave a lot behind which can be removed. I have a little script for that which can be found HERE
-
You’re not the only one who has troubles installing an update (e.g. SP2) online. You can download the entire service pack and install it locally: SP2 Network Installation English (start browsing there for other languages).
-
I am still finding things in your log:
THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :
o4 - hklm..\run: [virtual directory driver] hpwinn32.exe
o4 - hklm..\runservices: [virtual directory driver] hpwinn32.exe
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :
o4 - hkcu..\run: [msmsgs] “c:\program files\messenger\msmsgs.exe” /background
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe
-
For the things in the startup you can do several things.
1] Most applications have a setting “load when Windows starts”; disable it there.
2] Use HijackThis to take care of it.
3] Use StartUp.cpl to take care of it.
The choice is yours. -
About ZA. Read the manual on how to configure it correctly to your needs.
Think I answered all your questions. If not let me (us) know.
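The two “harmful items” lists in this thread were picked out of the O4 (startup) section of the HijackThis logs by eye. As an added example, not part of this thread and not code from HijackThis or the avast forums, here is a small Python script that parses the O4 entries of two logs, flags entries whose command is a bare filename (no directory, so Windows has to go looking for it) or an unresolved shortcut target, and diffs the two logs so you can see what the first fix round removed and what is still there. The sample logs are the O4 lines from the two logs posted above; the flagging rule is my own heuristic and only points at entries worth a closer look, it is not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the O4 lines from the two HijackThis logs posted in
# this thread (first log before the fix round, second log after it).
LOG_BEFORE = r"""
O4 - HKLM..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM..\Run: [Virtual Directory Driver] hpwinn32.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM..\RunServices: [Virtual Directory Driver] hpwinn32.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [Microsoft Update] msconfg.exe
O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

LOG_AFTER = r"""
O4 - HKLM..\Run: [Virtual Directory Driver] hpwinn32.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\RunServices: [Virtual Directory Driver] hpwinn32.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Registry-based O4 lines. The backslash after the hive is optional because the
# forum copy of the log prints "HKLM..\Run" where HijackThis writes "HKLM\..\Run".
REG_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\?\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Shortcut-based O4 lines from the all-users Startup folder.
STARTUP_O4 = re.compile(r"^O4 - Global Startup: (.+?) = (.*)$")


@dataclass(frozen=True)
class StartupEntry:
    location: str   # e.g. "HKLM\Run", "HKCU\RunServices", "Global Startup"
    name: str       # registry value name or .lnk file name
    command: str    # command line or shortcut target as HijackThis printed it


def parse_o4(log_text: str) -> List[StartupEntry]:
    """Extract every O4 startup entry from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_O4.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append(StartupEntry(f"{hive}\\{key}", name, command))
            continue
        m = STARTUP_O4.match(line)
        if m:
            entries.append(StartupEntry("Global Startup", m.group(1), m.group(2)))
    return entries


def executable_of(command: str) -> str:
    """Return the program part of a command line, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_suspicious(entry: StartupEntry) -> Tuple[bool, str]:
    """Heuristic (my assumption, not a HijackThis rule): flag entries that a
    reviewer would want to look at before deciding whether to fix them."""
    exe = executable_of(entry.command)
    if exe == "?":
        return True, "shortcut target could not be resolved"
    if "\\" not in exe and ":" not in exe:
        return True, "bare filename, no directory given"
    return False, ""


def triage(log_text: str) -> List[Tuple[StartupEntry, str]]:
    """All flagged O4 entries in a log, each with the reason it was flagged."""
    return [(e, why) for e in parse_o4(log_text)
            for hit, why in [is_suspicious(e)] if hit]


def diff_logs(before: str, after: str) -> Tuple[List[StartupEntry], List[StartupEntry]]:
    """Entries gone since the earlier log, and flagged entries still present in the later one."""
    old, new = set(parse_o4(before)), parse_o4(after)
    removed = sorted(old - set(new), key=lambda e: (e.location, e.name))
    still_flagged = [e for e, _ in triage(after)]
    return removed, still_flagged


if __name__ == "__main__":
    removed, remaining = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Removed since the previous log:")
    for e in removed:
        print(f"  {e.location}: [{e.name}] {e.command}")
    print("Still needs attention:")
    for e in remaining:
        print(f"  {e.location}: [{e.name}] {e.command}")
```

Run on the two logs, the diff shows the three msconfg.exe entries and the unresolved Digimax shortcut gone, and the two hpwinn32.exe entries (HKLM Run and RunServices) still present, which is exactly the second list in this thread. The same script works on any pair of logs from the same machine; keeping the earlier log is what makes the comparison possible, so save each one before fixing anything.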
;D ;D ;D ;D
EDDY - You’re THE MAN!!