New Trojans Found
#1 irish_eyes (Member, 141 posts)
Pieter was helping me with ridding my system of W32/Gael/worm. We thought we had the problem solved, but today my newly updated McAfee hit on it again. I ran a full system scan and it turned up 6 hits. I saved the logfile and it is here; I ran it immediately after running the update to my McAfee:

9/5/2006 11:46:41 PM Deleted c:\Documents and Settings\All Users\Documents\setup.exe\setup.exe Proxy-Horst.gen(Trojan)
9/5/2006 11:48:48 PM Deleted c:\Documents and Settings\Kate\Local Settings\Temp\setup.exe\setup.exe Proxy-Horst.gen(Trojan)
9/5/2006 11:48:52 PM Deleted c:\Documents and Settings\Kate\Local Settings\Temp\tmp1.tmp BackDoor-CMQ.dldr(Trojan
9/6/2006 12:04:04 AM Deleted c:\RECYCLER\S-1-5-21-1887795725-2014835873-67682326-1005\Dc23.exe BackDoor-CMQ.dldr(Trojan
9/6/2006 12:04:06 AM Deleted :\RECYCLER\S-1-5-21-1887795725-2014835873-6768232611005\Dc24.exe\Dc24.exe\0001e4f0.EXE BackDoor-CMQ.dldr(Trojan
9/6/2006 12:19:43 AM Deleted c:\WINDOWS\system32\spool\drivers\setup.exe\setup.exe Proxy-Horst.gen(Trojan


9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Scan Summary
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Processes scanned : 35
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Processes detected : 0
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Processes cleaned : 0
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Boot sectors scanned : 3
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Boot sectors detected: 0
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Boot sectors cleaned : 0
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Files scanned : 61311
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Files with detections: 6
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate File detections : 6
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Files cleaned : 0
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Files moved : 0
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Files deleted : 6
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Files not scanned : 24
9/6/2006 12:20:13 AM Scan Summary HEWLETT-Z3203O4\Kate Run time : 0:38:21
9/6/2006 12:20:13 AM Scan Complete HEWLETT-Z3203O4\Kate Scan All Fixed Disks


I then ran another HJT and here is the file for that:


Logfile of HijackThis v1.99.1
Scan saved at 1:21:14 AM, on 9/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kate\My Documents\Kate's Documents Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://ecourt.marico...des/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay11...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123987291062
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123987283280
O16 - DPF: {8731163E-77B9-4F91-9122-F112521C28AF} (MMSPlayerX Class) - http://otp.mycricket...r/mmsPlayer.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by113fd.bay11...ex/HMAtchmt.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Hewlett-Packard - C:\Program Files\HP\e-DiagTools\edtsrv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Please help - this is driving me crazy!!

Edited by irish_eyes, 06 September 2006 - 02:34 AM.

#2 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Hey irish_eyes,

Sorry to see you back so soon. :whistling:
Any idea where they came from?

Can you do a Find Files search for files called autorun.inf?

I'd like to know where they are exactly and which date they were created.
One of my friends and fellow malware fighters told me to look for those, since they might be responsible for the return.

Regards,

#3 irish_eyes (Topic Starter, Member, 141 posts)
Hi Pieter:

I'm sorry to be back so soon! The only autorun I found in the search was assigned to the folder Program files>Hewlett Packard. I don't think that is the right one though since I opened the file and it relates to the installation of my "all-in-one" printer/scanner.

I can say that all these popped up after my daughter was on my computer for several hours. Although she is 26, I guess I still can't trust her to stay off when I tell her to! One other question, that may help with the continuing problems: she and my son go to "My Space" all the time, and I never had any problems before they started using my computer. I've had the same system for 6 years and never a problem till then. Is there any way to block this site from access? I have put it on my blocked list, but they are still able to access it without any trouble.

Thanks for looking into this. It is just driving me crazy. Every time I use the computer, this Gael/worm hit pops up on the McAfee, but when I run a scan it turns up nothing.

Kate

#4 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Hi irish_eyes,

Please find this file on your computer:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

Right-click the file and choose Open with .... Notepad

Add this line:

127.0.0.1 myspace.com


Then save the file including the change.

More information about the hosts file can be found here:
http://www.mvps.org/...p2002/hosts.htm

Can you describe this in some more detail please?

Every time I use the computer, this Gael/worm hit pops up on the McAfee

I'd like to know what happens exactly and when.
A relevant part of the McAfee log might also be helpful.

Regards,
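The HOSTS edit Metallica describes above, written out as a small script so the entry can be added without duplicating it on a second run. This is an added example, not code from the thread or from Geeks to Go; it assumes the standard HOSTS line format (`<ip> <hostname> [alias ...]`, `#` comments) and uses the file path given in the post. The sample HOSTS content is constructed. One caveat the post does not spell out: HOSTS matching is exact, with no wildcards, so an entry for myspace.com does not cover www.myspace.com; `block_site` therefore adds both names.

```python
"""Add a 127.0.0.1 block entry to a Windows HOSTS file (added example, not from the thread)."""
from typing import List, Optional, Tuple

HOSTS_PATH = r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"   # path from the post

# Constructed sample of a stock HOSTS file.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for every active line; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def lookup(text: str, hostname: str) -> Optional[str]:
    """IP the HOSTS file maps hostname to, or None if the name is not listed.

    Matching is exact: an entry for myspace.com says nothing about www.myspace.com.
    """
    hostname = hostname.lower()
    for ip, names in parse_hosts(text):
        if hostname in names:
            return ip
    return None


def add_block_entry(text: str, hostname: str, ip: str = "127.0.0.1") -> str:
    """Append '<ip> <hostname>' unless the host is already mapped (idempotent)."""
    if lookup(text, hostname) is not None:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{ip} {hostname}\n"


def block_site(text: str, domain: str) -> str:
    """Block the bare domain and its www. alias, since HOSTS has no wildcard support."""
    for name in (domain, "www." + domain):
        text = add_block_entry(text, name)
    return text


if __name__ == "__main__":
    # To apply this for real: read HOSTS_PATH, run its content through block_site,
    # and write it back from an account allowed to write under system32.
    print(block_site(SAMPLE_HOSTS, "myspace.com"))
```

Running it on the sample prints the original file followed by `127.0.0.1 myspace.com` and `127.0.0.1 www.myspace.com`; running `block_site` a second time on its own output changes nothing.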

#5 irish_eyes (Topic Starter, Member, 141 posts)
Quite simply, every time I boot up, or shortly thereafter (within the first hour), I get the McAfee warning window that says it has detected the worm. I don't know if this is what you wanted, but here are some of the applicable parts of the log. I don't want to put them all here as it would probably take up several pages (:whistling:):

9/5/2006 1:36:37 AM Statistics:
9/5/2006 1:36:37 AM Files scanned: 14390
9/5/2006 1:36:37 AM Files detected: 1
9/5/2006 1:36:37 AM Files cleaned: 1
9/5/2006 1:36:37 AM Files deleted: 0
9/5/2006 1:36:37 AM Files moved: 0
9/5/2006 8:06:33 PM Engine version = 4.4.00
9/5/2006 8:06:33 PM DAT version = 4838
9/5/2006 8:06:33 PM Number of virus signatures in EXTRA.DAT = None
9/5/2006 8:06:33 PM Names of viruses that EXTRA.DAT can detect = None
9/5/2006 11:20:30 PM Engine version = 4.4.00
9/5/2006 11:20:30 PM DAT version = 4845
9/5/2006 11:20:30 PM Number of virus signatures in EXTRA.DAT = None
9/5/2006 11:20:30 PM Names of viruses that EXTRA.DAT can detect = None


9/7/2006 8:42:57 AM Statistics:
9/7/2006 8:42:57 AM Files scanned: 7119
9/7/2006 8:42:57 AM Files detected: 1
9/7/2006 8:42:57 AM Files cleaned: 1
9/7/2006 8:42:57 AM Files deleted: 0
9/7/2006 8:42:57 AM Files moved: 0
9/7/2006 4:58:13 PM Engine version = 4.4.00
9/7/2006 4:58:13 PM DAT version = 4845
9/7/2006 4:58:13 PM Number of virus signatures in EXTRA.DAT = None
9/7/2006 4:58:13 PM Names of viruses that EXTRA.DAT can detect = None
9/8/2006 3:30:50 AM Not scanned (scan timed out) HEWLETT-Z3203O4\Kate jview.exe C:\WINDOWS\java\Packages\IP39R75V.ZIP\IUIBASEEVENTLISTENER.CLASS (Virus)
9/8/2006 3:49:57 PM Engine version = 4.4.00
9/8/2006 3:49:57 PM DAT version = 4845
9/8/2006 3:49:57 PM Number of virus signatures in EXTRA.DAT = None
9/8/2006 3:49:57 PM Names of viruses that EXTRA.DAT can detect = None
9/8/2006 9:00:09 PM Cleaned HEWLETT-Z3203O4\Guest System:Remote C:\Documents and Settings\All Users\Documents\setup.exe W32/Gael.worm.a (Virus) 130.13.110.205 (VDSL-130-13-110-205)
9/8/2006 10:53:02 PM Engine version = 4.4.00
9/8/2006 10:53:02 PM DAT version = 4848
9/8/2006 10:53:02 PM Number of virus signatures in EXTRA.DAT = None
9/8/2006 10:53:02 PM Names of viruses that EXTRA.DAT can detect = None
9/9/2006 12:25:27 AM Engine version = 4.4.00
9/9/2006 12:25:27 AM DAT version = 4848
9/9/2006 12:25:27 AM Number of virus signatures in EXTRA.DAT = None
9/9/2006 12:25:27 AM Names of viruses that EXTRA.DAT can detect = None
9/9/2006 12:37:39 AM Not scanned (scan timed out) HEWLETT-Z3203O4\Kate stopsignav.exe C:\I386\DRIVER.CAB\CN1000.HLP (Virus)

9/13/2006 5:22:10 AM Statistics:
9/13/2006 5:22:10 AM Files scanned: 33945
9/13/2006 5:22:10 AM Files detected: 1
9/13/2006 5:22:10 AM Files cleaned: 0
9/13/2006 5:22:10 AM Files deleted: 1
9/13/2006 5:22:10 AM Files moved: 0
9/13/2006 5:23:53 AM Engine version = 4.4.00
9/13/2006 5:23:53 AM DAT version = 4848
9/13/2006 5:23:53 AM Number of virus signatures in EXTRA.DAT = None
9/13/2006 5:23:53 AM Names of viruses that EXTRA.DAT can detect = None

9/13/2006 7:08:44 PM Statistics:
9/13/2006 7:08:44 PM Files scanned: 1293
9/13/2006 7:08:44 PM Files detected: 1
9/13/2006 7:08:44 PM Files cleaned: 1
9/13/2006 7:08:44 PM Files deleted: 0
9/13/2006 7:08:44 PM Files moved: 0
9/13/2006 8:54:47 PM Engine version = 4.4.00
9/13/2006 8:54:48 PM DAT version = 4848
9/13/2006 8:54:48 PM Number of virus signatures in EXTRA.DAT = None
9/13/2006 8:54:48 PM Names of viruses that EXTRA.DAT can detect = None
9/14/2006 8:08:26 AM Cleaned HEWLETT-Z3203O4\Guest System:Remote C:\Documents and Settings\All Users\Documents\setup.exe W32/Gael.worm.a (Virus) 130.13.110.205 (VDSL-130-13-110-205)
9/14/2006 4:32:42 PM Statistics:
9/14/2006 4:32:42 PM Files scanned: 2214
9/14/2006 4:32:42 PM Files detected: 1
9/14/2006 4:32:42 PM Files cleaned: 1
9/14/2006 4:32:42 PM Files deleted: 0
9/14/2006 4:32:42 PM Files moved: 0
9/14/2006 4:34:08 PM Engine version = 4.4.00
9/14/2006 4:34:08 PM DAT version = 4848
9/14/2006 4:34:08 PM Number of virus signatures in EXTRA.DAT = None
9/14/2006 4:34:08 PM Names of viruses that EXTRA.DAT can detect = None
9/14/2006 4:38:59 PM Not scanned (scan timed out) HEWLETT-Z3203O4\Kate explorer.exe C:\WINDOWS\java\Packages\IP39R75V.ZIP\SYSTEMVERSIONMANAGER.CLASS (Virus)


Hope this helps and thanks for the info on blocking the site. I hesitate to say that is where the problems came from, but it is an odd coincidence that I have had this system for 6 years with absolutely no virus hits on McAfee and no problems, then when the kids moved back home and started going on that site - nothing but problems. You know what I mean?!

Edited by irish_eyes, 15 September 2006 - 05:52 AM.

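The log excerpt above is the kind of thing Metallica asked for, and it is worth reading mechanically rather than by eye. Below is an added example (not code from the thread or from McAfee) that parses lines in the shape of the quoted on-access entries and pulls out what matters for the question "where does it come from?": the `Cleaned` lines carry a user (`HEWLETT-Z3203O4\Guest`), a writing process (`System:Remote`), the file path, the detection name, and a trailing remote IP and host name. The field order is assumed from the quoted lines; the sample log is constructed from four of them. The `Not scanned (scan timed out)` lines are kept separately, since they name no malware and are not detections.

```python
"""Parse McAfee-style on-access log lines and flag detections written from a remote host.

Added example, not from the thread. The field order is taken from the lines quoted above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: four lines in the shape of the entries quoted in the post.
SAMPLE_LOG = r"""9/8/2006 3:30:50 AM Not scanned (scan timed out) HEWLETT-Z3203O4\Kate jview.exe C:\WINDOWS\java\Packages\IP39R75V.ZIP\IUIBASEEVENTLISTENER.CLASS (Virus)
9/8/2006 9:00:09 PM Cleaned HEWLETT-Z3203O4\Guest System:Remote C:\Documents and Settings\All Users\Documents\setup.exe W32/Gael.worm.a (Virus) 130.13.110.205 (VDSL-130-13-110-205)
9/8/2006 10:53:02 PM DAT version = 4848
9/14/2006 8:08:26 AM Cleaned HEWLETT-Z3203O4\Guest System:Remote C:\Documents and Settings\All Users\Documents\setup.exe W32/Gael.worm.a (Virus) 130.13.110.205 (VDSL-130-13-110-205)
"""

TS = r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"

# <ts> <action> <user> <process> <path with spaces> <name> (<kind>) [<ip> (<host>)]
DETECTION = re.compile(
    TS + r" (?P<action>Cleaned|Deleted|Moved) (?P<user>\S+) (?P<process>\S+) "
    r"(?P<path>.+?) (?P<name>\S+) \((?P<kind>Virus|Trojan)\)"
    r"(?: (?P<ip>\d+\.\d+\.\d+\.\d+) \((?P<host>[^)]*)\))?$"
)
# <ts> Not scanned (scan timed out) <user> <process> <path> (<kind>)  -- no malware name
TIMEOUT = re.compile(
    TS + r" Not scanned \(scan timed out\) (?P<user>\S+) (?P<process>\S+) "
    r"(?P<path>.+?) \((?P<kind>Virus|Trojan)\)$"
)


@dataclass
class Event:
    timestamp: str
    action: str
    user: str
    process: str
    path: str
    name: Optional[str]          # None for a timed-out scan
    kind: str
    remote_ip: Optional[str]
    remote_host: Optional[str]

    @property
    def remote(self) -> bool:
        """True when the file was written to this machine by another host."""
        return self.process == "System:Remote"


def parse_log(text: str) -> List[Event]:
    """Return one Event per detection or timeout line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = DETECTION.match(line)
        if m:
            d = m.groupdict()
            events.append(Event(d["ts"], d["action"], d["user"], d["process"], d["path"],
                                d["name"], d["kind"], d["ip"], d["host"]))
            continue
        m = TIMEOUT.match(line)
        if m:
            d = m.groupdict()
            events.append(Event(d["ts"], "Not scanned", d["user"], d["process"], d["path"],
                                None, d["kind"], None, None))
    return events


def remote_writers(events: List[Event]) -> Counter:
    """How often each (remote IP, target path) pair delivered a detected file."""
    return Counter((e.remote_ip, e.path) for e in events if e.remote and e.name)


def summarize(events: List[Event]) -> Dict[str, object]:
    """Counts a helper would want at a glance."""
    detections = [e for e in events if e.name]
    return {
        "detections": len(detections),
        "remote": sum(1 for e in detections if e.remote),
        "timed_out": sum(1 for e in events if e.name is None),
        "by_name": dict(Counter(e.name for e in detections)),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    for (ip, path), n in remote_writers(evs).items():
        print(f"{n}x {path} written from {ip}")
```

On the sample this reports two detections, both of W32/Gael.worm.a, both written to `C:\Documents and Settings\All Users\Documents\setup.exe` from 130.13.110.205 under the Guest account, plus one timed-out scan. That pattern (on-access scanner catches the file as it arrives, on-demand scans later find nothing) fits Metallica's reading that the worm is coming in over the network rather than from something resident on the disk, and explains why the full scans keep coming back clean.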

#6 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
OK this is what I'd like you to do.

Copy the part in bold below into notepad and save it as Setup.exe

This file was put here to block the Gael Worm

Set the filetype to all files and save it to the folder C:\Documents and Settings\All Users\Documents\
Should you get a prompt that a file with that name already exists, replace it with yours.
Then find the file you just created and saved. Rightclick it and choose Properties.
Put a checkmark in the "Read Only" box.

Hopefully this will prevent the worm from getting re-created all the time.

It looks as if it comes in through the internet.
Your system is fully updated, right?

Regards,
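The placeholder-file step above, done in code so it can be checked afterwards. This is an added example, not the thread's own instructions or a McAfee tool: it writes the marker text from the post to a file, clears the write bit (on Windows that is the Read-only attribute the post asks for), and offers a check that the blocker is still there, read-only, and unmodified. `demo()` runs the whole sequence in a scratch directory against a stand-in for the re-created file, which is a constructed setup; the real target path is the one the post names. The caveat is the one in Metallica's own "hopefully": the Read-only attribute stops a dropper that simply opens the path for writing, but anything running with full rights can clear the attribute first, so it is a speed bump to watch, not a fix.

```python
"""Place and verify a read-only blocker file (added example, not from the thread)."""
import os
import stat

# Path and marker text as given in the post.
TARGET = r"C:\Documents and Settings\All Users\Documents\setup.exe"
BLOCKER_TEXT = "This file was put here to block the Gael Worm\n"


def place_blocker(path: str, text: str = BLOCKER_TEXT) -> None:
    """Write the marker text to `path`, replacing any existing file, then make it read-only."""
    if os.path.exists(path):
        # A previous copy (ours or the dropped one) may already be read-only;
        # restore the write bit so it can be overwritten.
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, stat.S_IREAD)        # on Windows this sets the Read-only attribute


def blocker_intact(path: str, text: str = BLOCKER_TEXT) -> bool:
    """True only if the file exists, has no write bit, and still holds the marker text.

    A False after it was True means something replaced or unlocked the file,
    which is exactly the event worth reporting back in a thread like this one.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if st.st_mode & stat.S_IWRITE:
        return False
    with open(path) as fh:
        return fh.read() == text


def demo() -> dict:
    """Run the procedure in a scratch directory and return the check results."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "setup.exe")
        with open(target, "w") as fh:            # constructed stand-in for the dropped file
            fh.write("not the marker text")
        before = blocker_intact(target)           # writable, wrong content -> False
        place_blocker(target)
        after = blocker_intact(target)            # read-only, marker text -> True
        place_blocker(target)                     # re-running must cope with the read-only file
        again = blocker_intact(target)
        # Give the write bit back so the scratch directory can be removed on Windows.
        os.chmod(target, stat.S_IREAD | stat.S_IWRITE)
        return {"before": before, "after": after, "again": again}


if __name__ == "__main__":
    print(demo())
    # For the real thing: place_blocker(TARGET), then re-check with blocker_intact(TARGET)
    # after each reboot to see whether anything has tampered with it.
```

`demo()` returns `{'before': False, 'after': True, 'again': True}`: the stand-in fails the check, the blocker passes, and a second placement still passes because the function unlocks the file before rewriting it.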

#7 irish_eyes (Topic Starter, Member, 141 posts)
OK! It's done, and yes my system is fully updated and current. Every time I boot up I run the update for McAfee and just downloaded the Windows update yesterday, so it should be fine.

Let's hope it works this time!

Kate

#8 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Sure do. :whistling:

Let me know either way. I'll keep this thread open for a while.