2 viruses (+HJT log)

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

sagybp

Thread Starter
Joined
Sep 3, 2004
Messages
59
Hi.

Yesterday I went to fix a friend's comp. I cleaned his computer with Adaware and also deleted all the unwanted apps he had (and he had a lot of spyware there).

I installed NAV2004 and it found 2 viruses:
1. w32.gaobot - the NAV finds the virus in c:\winnt\system32\winhlpp32.exe and the message keeps popping up, although I can't find this file.


2. w32.spybot.worm - the NAV finds the virus in c:\winnt\system32\TFTP#### where #### represents different numbers each time. Here too, I can't find the file that NAV is pointing to.


Also, 10-30 minutes after restarting the computer the CPU suddenly starts working at 100% and does not stop until restarting again. When this thing happens I find in the processes list w2kup2date.exe (which is a virus, I guess). But even when I deleted this file from c:\winnt\system32 and the key from CurrentVersion\Run in the registry, the file keeps showing up again. I can't seem to figure out why this happens.

Anyway, can you guys help? Here is the HJT log. Thanks.

Logfile of HijackThis v1.98.2
Scan saved at 13:53:51, on 05/09/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\win2kup2date.exe
C:\Program Files\Outlook Express\msimn.exe
D:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Adminuistrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINNT\Downloaded Program Files\googlenav.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindowsRegKey update] win2kup2date.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] win2kup2date.exe
O4 - HKCU\..\Run: [WindowsRegKey update] win2kup2date.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsimilar.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/iw/big/1.1.62-big/GoogleNav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0586074A-9902-47A4-A5A1-5BA0E15DB5F4}: NameServer = 192.114.47.4 192.114.47.52
O17 - HKLM\System\CS1\Services\Tcpip\..\{0586074A-9902-47A4-A5A1-5BA0E15DB5F4}: NameServer = 192.114.47.4 192.114.47.52
 
Joined
Aug 25, 2004
Messages
893
Hello...

Research on the w2kup2date.exe shows that it might be an unknown or a variant of a virus that is currently not detected. It seems to be an IRC Trojan, but no one has identified it.

For the w32.spybot.worm....

If you can get to the internet, here are the removal instructions:

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

Also, for the w32.gaobot

There is a removal tool at the Symantec site for some of the W32.gaobot's and/or removal instructions... go here:

http://search.symantec.com/custom/us/query.html

Type in the full name of the W32.gaobot.?? and follow the directions.

When you are done, don't forget to update your operating system!
 
Joined
Feb 23, 2003
Messages
16,274
Let's begin by rescanning once again, then insert a check next to each of these, then close all browser windows and click "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com


O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


O4 - HKLM\..\Run: [WindowsRegKey update] win2kup2date.exe

O4 - HKLM\..\RunServices: [WindowsRegKey update] win2kup2date.exe

O4 - HKCU\..\Run: [WindowsRegKey update] win2kup2date.exe



Then reboot the system into safe mode as per http://dotcomsecurity.org/forums/index.php?showtopic=55

Set the system to show hidden files and folders as per http://dotcomsecurity.org/forums/index.php?showtopic=57


Open Windows Explorer, then find and delete:
C:\WINNT\System32\win2kup2date.exe
c:\winnt\system32\winhlpp32.exe


Delete all temp files as per http://dotcomsecurity.org/forums/index.php?showtopic=63

Reboot, then do an alternate scan here: http://housecall.trendmicro.com/housecall/start_corp.asp
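As an added example (not code from the thread, from HijackThis or from Symantec), the script below applies the three checks the post above relies on to a constructed excerpt of the posted log: R0/R1 search and start pages that route through a second embedded URL, O3 toolbars with no file on disk, and one executable registered under several autostart keys. The rule names and the `triage` / `o4_basename` helpers are my own; the last check is what explains why deleting only the CurrentVersion\Run value did not keep win2kup2date.exe from coming back.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted in this thread (not the full log).
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WindowsRegKey update] win2kup2date.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] win2kup2date.exe
O4 - HKCU\..\Run: [WindowsRegKey update] win2kup2date.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^\S+: \[[^\]]*\] (?P<target>.*)$")

def o4_basename(target):
    """Executable basename from an O4 target such as '"C:/dir/qttask.exe" -atboottime'."""
    t = target.strip()
    exe = t[1:].split('"', 1)[0] if t.startswith('"') else t.split(" ", 1)[0]
    return re.split(r"[\\/]", exe)[-1].lower()

def triage(log_text):
    """Apply three HJT-log heuristics; returns {rule_name: [offending log lines]}."""
    hits, o4_by_exe = defaultdict(list), defaultdict(list)
    for line in (l.strip() for l in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and " = " in body:
            # A second URL embedded after '*' routes the search/start page through
            # a redirector instead of pointing straight at the site.
            if body.split(" = ", 1)[1].count("http://") > 1:
                hits["R: redirected search/start page"].append(line)
        elif sec == "O3" and body.endswith("(no file)"):
            hits["O3: toolbar CLSID with no file on disk"].append(line)
        elif sec == "O4":
            o4 = O4_RE.match(body)
            if o4:
                o4_by_exe[o4_basename(o4.group("target"))].append(line)
    for lines in o4_by_exe.values():
        # One executable under several autostart keys (HKLM Run, RunServices, HKCU Run)
        # is why deleting a single Run value did not stop it from coming back.
        if len(lines) > 1:
            hits["O4: executable in multiple autostart keys"].extend(lines)
    return dict(hits)
```

Calling `triage(HJT_LOG)` returns the Yahoo redirector entry, the orphaned toolbar and all three win2kup2date.exe entries, while the Norton and mobsync entries pass.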
 

sagybp

Thread Starter
Joined
Sep 3, 2004
Messages
59
I tried everything you suggested and nothing worked, so I formatted the hard drive.
I installed Win2K again and then NAV2004 with the latest virus definitions, and then I connected to the internet. The first thing I did was to go to Microsoft's site and update Windows. I started to install SP4 and in the middle the w32.spybot.worm message popped up (c:\winnt\system32\TFTP####) again and the installation of SP4 stopped.
I did a full scan with NAV and TrendMicroHC and I found nothing. But still this message keeps popping up. How is this possible? It's a new, formatted hard drive...
 
Joined
Feb 23, 2003
Messages
16,274
You got me how that could happen if you went directly to Windows Update...
 