w.32/gaobot.bat worm

[Gäst idgadmin]

Hej alla kunniga!

Körde Panda ativirustest igår och fick då ett meddelande om att min dator hade denna mask, programmet tog nog bort den? Kan någon säga om det finns något borttagningsprogram att hämta hem.Symantec verkar inte ha det?

 

[Zipp.]

 

Ladda ner HijackThis och scanna dator med det och skicka hit loggen sen så ska vi ta en titt på den.

 

http://koti.mbnet.fi/pattaya1/HijackThis.exe

 

[Gäst idgadmin]

 

Hej Zipp!

Skickar loggen här:

Logfile of HijackThis v1.98.2

Scan saved at 11:07:10, on 2004-10-18

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Sygate\SPF\smc.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\rmctrl.exe

C:\Program\HP\HP Software Update\HPWuSchd.exe

C:\Program\HP\hpcoretech\hpcmpmgr.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\Program\Eset\nod32kui.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Eset\nod32krn.exe

C:\Program\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\snmp.exe

C:\Program\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aftonbladet.se/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Carola och Kjell-Åkes webbläsare

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [smcService] C:\Program\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [HP Software Update] "C:\Program\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [ccApp] C:\Program\Delade filer\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~2\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [nod32kui] "C:\Program\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab'>http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program\HP\hpcoretech\comp\hpuiprot.dll

 

 

 

[Zipp.]

Sätt HijackThis.exe i en egen mapp

 

 

Scanna med Hijack bocka i följande rader stäng Web-läsaren och alla andra öppna fönster och klicka FIX checked

 

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

 

 

Sen har du 2 antivirusprogram i gång

 

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Eset\nod32krn.exe

 

Använd bara en och stäg av andra.

 

Var ska wormen finnas enligt Panda?

 

 

[Gäst idgadmin]

Hej Zipp!

Enligt Panda ska wormen finnas iSettings\All Users\Dokument\MSMSGS.exe

Här följer ett nytt försök till scanning:

Logfile of HijackThis v1.98.2

Scan saved at 12:57:10, on 2004-10-18

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Sygate\SPF\smc.exe

C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\rmctrl.exe

C:\Program\HP\HP Software Update\HPWuSchd.exe

C:\Program\HP\hpcoretech\hpcmpmgr.exe

C:\Program\Delade filer\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\Program\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\snmp.exe

C:\Program\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\Program\Messenger\msmsgs.exe

C:\Program Files\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aftonbladet.se/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Carola och Kjell-Åkes webbläsare

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [smcService] C:\Program\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [HP Software Update] "C:\Program\HP\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [ccApp] C:\Program\Delade filer\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program\Delade filer\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~2\AdvTools\ADVCHK.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab'>http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program\HP\hpcoretech\comp\hpuiprot.dll

 

Hälsningar

Kjelle

 

 

[Zipp.]

>Enligt Panda ska wormen finnas iSettings\All Users\Dokument\MSMSGS.exe <

 

 

Ok sök filen och scanna den här

 

 

http://virusscan.jotti.dhs.org/

 

 

Meddela sen vad scannern sa om filen.

 

[[@]]

Namn: Agobot.FO

Alias: Backdoor.Agobot.fo, W32.HLLW.Gaobot, Gaobot, Win32/Gaobot, Phatbot, Phat

Detektion: 2004-03-09_05

Storlek: 115738

 

 

Detta speciella verktyg för alla kända versioner av bakdörren Agobot från mars 2004. Verktyget kan laddas ner från

 

ftp://ftp.f-secure.com/anti-virus/tools/f-agobot.exe

 

 

 

[Gäst idgadmin]

 

Hej Zipp!

Enligt scanningen var filen helt OK!

 

[Zipp.]

 

Är du säker att du scannade den här filen

 

iSettings\All Users\Dokument\MSMSGS.exe <

 

 

och inte den här

 

C:\Program\Messenger\msmsgs.exe

 

 

Du kan också pröva toolen som [@] nämde.

 

[Gäst idgadmin]

 

Hej Zipp

Ja helt säker har dessutom gjort om det idag. Jag försöker med nästa tips

Hälsningar

Kjelle

 

[Gäst idgadmin]

Hej @

Tack för tipset men masken verkar vara borta. Tack även till Zipp för din hjälp. Jag avslutar nu detta problem.

Hälsningar

Kjelle