
2 viruses (+HJT log)

Discussion in 'Virus & Other Malware Removal' started by sagybp, Sep 5, 2004.

Thread Status:
Not open for further replies.
  1. sagybp

    sagybp Thread Starter

    Joined:
    Sep 3, 2004
    Messages:
    59
    Hi.

    Yesterday I went to fix a friend's comp. I cleaned his computer with adaware and also deleted all the unwanted apps he had (and he had a lot of spyware there).

    I installed NAV2004 and it found 2 viruses:
    1. w32.gaobot - NAV finds the virus in c:\winnt\system32\winhlpp32.exe and the message keeps popping up, although I can't find this file.

    2. w32.spybot.worm - NAV finds the virus in c:\winnt\system32\TFTP#### where #### represents different numbers each time. Here too I can't find the file that NAV is pointing to.

    Also, 10-30 minutes after restarting the computer the CPU suddenly starts working at 100% and does not stop until restarting again. When this happens I find w2kup2date.exe (which is a virus, I guess) in the processes list. But even when I deleted this file from c:\winnt\system32 and the key from CurrentVersion\Run in the registry, the file keeps showing up again. I can't seem to figure out why this happens.

    anyway, can you guys help? here is the HJT log. Thanks.

    Logfile of HijackThis v1.98.2
    Scan saved at 13:53:51, on 05/09/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINNT\System32\win2kup2date.exe
    C:\Program Files\Outlook Express\msimn.exe
    D:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\Documents and Settings\Adminuistrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINNT\Downloaded Program Files\googlenav.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WindowsRegKey update] win2kup2date.exe
    O4 - HKLM\..\RunServices: [WindowsRegKey update] win2kup2date.exe
    O4 - HKCU\..\Run: [WindowsRegKey update] win2kup2date.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/iw/big/1.1.62-big/GoogleNav.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0586074A-9902-47A4-A5A1-5BA0E15DB5F4}: NameServer = 192.114.47.4 192.114.47.52
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0586074A-9902-47A4-A5A1-5BA0E15DB5F4}: NameServer = 192.114.47.4 192.114.47.52
     
  2. pinntech

    pinntech

    Joined:
    Aug 25, 2004
    Messages:
    893
    Hello...

    Research on the w2kup2date.exe shows that it might be an unknown or a variant of a virus that is currently not detected. It seems to be an IRC Trojan, but no one has identified it.

    For the w32.spybot.worm....

    If you can get to the internet, here are the removal instructions:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

    Also, for the w32.gaobot:

    There is a removal tool at the Symantec site for some of the W32.gaobot variants, and/or removal instructions... go here:

    http://search.symantec.com/custom/us/query.html

    Type in the full name of the W32.gaobot.?? and follow the directions.

    When you are done, don't forget to update your operating system!
     
  3. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Let's begin by rescanning once again, then insert a check next to each of these, then close all browser windows and click "fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O4 - HKLM\..\Run: [WindowsRegKey update] win2kup2date.exe

    O4 - HKLM\..\RunServices: [WindowsRegKey update] win2kup2date.exe

    O4 - HKCU\..\Run: [WindowsRegKey update] win2kup2date.exe

    Then reboot the system into safe mode: http://dotcomsecurity.org/forums/index.php?showtopic=55

    Set the system to show hidden files and folders as per http://dotcomsecurity.org/forums/index.php?showtopic=57

    Open Windows Explorer, find then delete:
    C:\WINNT\System32\win2kup2date.exe
    c:\winnt\system32\winhlpp32.exe

    Delete all temp files as per http://dotcomsecurity.org/forums/index.php?showtopic=63

    Reboot then do an alternate scan here: http://housecall.trendmicro.com/housecall/start_corp.asp
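As an added example (not from the thread, and not HijackThis code), the checks that sagybp's log and mobo's fix list above rely on, written as a small parser over the O3/O4 lines: it flags one autostart name planted in three Run locations, a command given as a bare filename, and the orphaned toolbar, and produces the list of lines to tick. Function names and the sample are assumptions of mine; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict
# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindowsRegKey update] win2kup2date.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] win2kup2date.exe
O4 - HKCU\..\Run: [WindowsRegKey update] win2kup2date.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
""".strip()

# O4 registry autostart "O4 - HKLM\..\Run: [Name] command"; O3 toolbar "O3 - Toolbar: Name - {CLSID} - path"
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")

def executable_of(cmd):
    """Program part of a Run-key command, arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""

def triage(log_text):
    """Flag the patterns in the log above: one autostart name planted in several Run
    locations, a command given as a bare filename (found via the search path, not a
    fixed location), and a toolbar whose DLL is "(no file)"."""
    by_name, bare, orphaned = defaultdict(set), set(), []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            by_name[m["name"]].add(m["hive"] + "\\" + m["key"])
            exe = executable_of(m["cmd"])
            if "\\" not in exe:
                bare.add(exe)
            continue
        m = O3_RE.match(line)
        if m and m["path"] == "(no file)":
            orphaned.append(line)
    return {"multi_location": {n: sorted(k) for n, k in by_name.items() if len(k) > 1},
            "bare_filename": sorted(bare), "orphaned": orphaned}

def fix_list(log_text):
    """Log lines a helper would ask the poster to tick before 'Fix checked'."""
    t = triage(log_text)
    picked = [l for l in log_text.splitlines() if (m := O4_RE.match(l)) and
              (m["name"] in t["multi_location"] or executable_of(m["cmd"]) in t["bare_filename"])]
    return picked + t["orphaned"]
```

A bare filename such as mobsync.exe can be legitimate, so that heuristic is a prompt for a manual look, not a verdict.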
     
  4. sagybp

    sagybp Thread Starter

    Joined:
    Sep 3, 2004
    Messages:
    59
    I tried everything you suggested and nothing worked, so I formatted the hard drive.
    I installed Win2K again and then NAV2004 with the latest virus definitions, and then I connected to the internet. The first thing I did was to go to Microsoft's site and update Windows. I started to install SP4 and in the middle the w32.spybot.worm message popped up (c:\winnt\system32\TFTP####) again and the installation of SP4 stopped.
    I did a full scan with NAV and TrendMicroHC and found nothing. But still this message keeps popping up. How is this possible? It's a new, formatted hard drive...
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    You got me how that could happen if you went directly to Windows Update.
     

Short URL to this thread: https://techguy.org/270379
