[ShiftyCapone]

Ok, I now have the W32/Gaobot.worm.gen.d virus on my computer doing the very same thing as the last virus I had yesterday (refer to http://forums.techguy.org/t213849/s.html for further details). That was the W32/Polybot.gen!irc virus. But this virus (Gaobot one) is in the same exact location as the previous one: C:\Documents and Settings\All Users\Documents\ folder. The program for this virus is called hallowelt.exe. I don't understand where this is come from, I never open/download anything I don't recognize. I also have McAfee VirusScan (the autoscan keeps recognizing the virus, deleting it and popping right back up saying the same thing)...... Please help me out if you can........

 

[ShiftyCapone]

::bump::

Can sum1 please help me out?

Here's my HJT logfile just in case...

Logfile of HijackThis v1.97.7
Scan saved at 7:11:24 PM, on 3/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Dave\Desktop\Spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.52.190.43:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;ams-server*
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe"
O4 - Global Startup: Dell Control Utility.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Help (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {46EB676D-8C0B-4C15-8E61-5770B172DE2F} (ThemeCreator Control) - http://www.peanutsoftware.com/tw/TW-ThemeCreator3.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

[Nok1]

http://securityresponse.symantec.com/avcenter/venc/data/w32.g
aobot.sa.html - New variant, let this be a lesson to download all of your windows updates when this is all over

Instructions are in the above link, if anything is unclear, come back and post your question in this thread.

EDIT:Try running this virus-scan and see if locates/removes the file.

http://housecall.trendmicro.com/housecall/start_corp.asp

 

[ShiftyCapone]

When I click on that link it brings up symantec's "file not found" page.......

 

[Nok1]

http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.sa.html

I accidently put a line feed at the end

 

[ShiftyCapone]

Right off the bat it said, "HouseCall has found and cleaned a malware.BKDR_IRCFLOOD.X" But it said something similar to that when I scanned with HouseCall for the previous virus I couldn't get rid of the other day....

 

[Nok1]

Complete the scan, then we'll get to securing your computer

 

[ShiftyCapone]

Sounds great, appreciate the help so far..... I'll let post again when the scan has finished.

 

[ShiftyCapone]

Other than that first thing, nothing was found..... So what's next?

 

[Nok1]

Did you follow removal instructions from the norton site (you have to scroll down until it says Removal)?

 

[ShiftyCapone]

Ok, I followed all the instructions.... I didn't find any of the files in my registry, nor did I find anything when I did the virus scan. I also checked my host files, and they were all clean. This is the same thing that happened with the previous virus. It just sorta went away after I did all that work with no proof that my computer was infected........ Any ideas???

 

[Nok1]

Did you find the file hallowelt.exe? that is the actual trojan. If it is there then

-Restart your computer in safemode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
-Go to where the file hallowelt.exe is located and deleted. It may be hidden, so you will need to enable view hidden/system files (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
-Restart and post a new log

EDIT: File should be in the C:\Windows\System32 directory of present.

 

[ShiftyCapone]

I did that. I started my computer in safe mode, ran regedit and found nothing in my registry. I then proceeded to do a virus scan which found nothing as well. I know I should have found the hallowelt.exe program, as should I have found the soundman.exe file last time around for the last virus. So, I dunno what's goin' on.... I'm sure in the next day or so I'll get another virus similar to these two and the same thing will happen.....

 

[ShiftyCapone]

Ok, this is really weird.... My autoprotect thing just popped up again saying:

A Virus Has Been Detected and Cleaned!

The file C:\Documents and Settings\All Users\Documents\hallowelt.exe was infected by the W32/Gaobot.worm.gen.d virus and has been deleted to complete the Clean process.

That is word for word what it said. I then proceed to click "Continue what I was doing". It asks me if I'd like all my files to be scanned. I click yes and do a full scan of all my files. And nothing is found, yet the same message keeps popping up saying the virus has been detected and cleaned.........

What is going on here?????

 

[Nok1]

The file is still there, and cant be deleted because its running.

see my instructions in post #12

Your directory is
C:\Documents and Settings\All Users\Documents\
and file name is hallowelt.exe

Make sure that you have enabled view hidden/system files (link in post#12) so that the file can be viewed if hidden.

 

[ShiftyCapone]

I did all that. The only thing I did that may have been wrong was to start my computer in "safe mode with networking". I only did that so I could go to the symantec website to see which registry files to delete and the rest of the removal process. But I don't understand how my autodetect virusscan can detect the virus, but the full out virus scan cannot find it. And if it does still exist on my computer (which obviously it does) then why aren't any of the registry files here and how come it didn't mess with my host files?

P.S. I PMed you..... Check that....