Windows problem issue: Possible virus

Lagmonster
Master Control Program
Posts: 7719
Joined: 2002-07-04 09:53am
Location: Ottawa, Canada

Post by Lagmonster »

I've exhausted my own limits of expertise here, and wanted to try you guys for help:

One of our computers has started sending emails without a clue, prompting, or a trace. I've disconnected the mail server but something's still trying to send something somewhere (Yahoo, actually, a service I don't use).

Add to that, for some reason that I cannot determine, Symantec, McAfee, and Microsoft's website have all been blocked on the machine, though there is no security reason for this (nor was it blocked before, nor do I have trouble accessing them from other machines).

A Norton scan reveals nothing; the fix tools for Sasser, Netsky, and a few other current threats reveal nothing; Spybot S&D reveals nothing; a cursory examination of my system processes turns up nothing suspicious (I compare the entries with an online dictionary of terms used to help people figure out what all those words mean and which are threats).

I *know* something is wrong, and I suspect foul play, but I don't have a damn clue what this could be. Anyone recognize the symptoms?
Note: I'm semi-retired from the board, so if you need something, please be patient.
User avatar
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

You probably got hit by some semi-custom trojan, virus or worm that is now using your box to send spam or act as a relay. Check your HOSTS file to see if those websites have been redirected to some nonexistent IP address. If you have a good hardware firewall, block that machine from doing anything malicious until you can resolve the problem.

Worst-case scenario, wipe the machine.

Post by Lagmonster »

Good call;

The Hosts file had a section added at the end which specifically lists a wide number of virus-scan related websites such as McAfee and Norton and a pile of others and directs them to 127.0.0.1.

Just because I want to be sure, I should delete these false entries, yes? Any good idea what I should be looking for that a virus scanner won't pick up, or should I just kick in the reformatting?
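Added example, not from the original thread: a Python script that does by program what phongn suggests and Lagmonster then finds by hand. It parses a Windows HOSTS file, flags every real-world hostname mapped to loopback, 0.0.0.0 or a link-local address (nothing can be served from there, so the mapping is a block, whatever vendor list the malware used), and returns a copy with those lines stripped. The HOSTS content embedded below is constructed to mirror the appended block described above and is not the poster's actual file; the set of names allowed on loopback is an assumption of the example.

```python
"""Find and strip HOSTS-file entries that sinkhole real domains.
Added example: not from the original thread. SAMPLE_HOSTS is constructed to
mirror the appended block described above, not the poster's actual file."""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.microsoft.com   # trailing comments are ignored, as on Windows
0.0.0.0   download.microsoft.com
"""

# Assumption of the example: the only names that belong on loopback.
LEGITIMATE_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each mapping line, comments stripped."""
    for no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield no, fields[0], [n.lower() for n in fields[1:]]


def is_sinkhole(ip):
    """True for loopback, 0.0.0.0 and link-local targets: nothing useful
    can be served from there, so mapping a public name to one blocks it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local


def find_hijacked(text):
    """Return [(line_no, ip, name)] for every sinkholed name that is not a
    legitimate loopback name. Any public domain pointed at loopback is
    suspicious; no vendor list is needed to catch the block described above."""
    return [(no, ip, name)
            for no, ip, names in parse_hosts(text) if is_sinkhole(ip)
            for name in names if name not in LEGITIMATE_LOOPBACK]


def clean_hosts(text):
    """Return the file with hijacked mappings removed. A line that mixes
    localhost with a hijacked name keeps only the legitimate names."""
    bad = {no for no, _, _ in find_hijacked(text)}
    out = []
    for no, raw in enumerate(text.splitlines(), start=1):
        if no not in bad:
            out.append(raw)
            continue
        fields = raw.split("#", 1)[0].split()
        keep = [n for n in fields[1:] if n.lower() in LEGITIMATE_LOOPBACK]
        if keep:
            out.append(f"{fields[0]}\t{' '.join(keep)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, ip, name in find_hijacked(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip}")
    # On the affected machine this would be written back to
    # %SystemRoot%\system32\drivers\etc\hosts after taking a copy of the original.
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Keep the original file as evidence before writing the cleaned copy back: the exact list of sinkholed vendor domains is one of the few artefacts that narrows down which family added them.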

Post by phongn »

Nuke those false entries. Grab HijackThis! and post the logs -- it might turn up something on your machine not immediately visible with Task Manager. Check msconfig as well and look for anything suspicious.
Einhander Sn0m4n
Insane Railgunner
Posts: 18630
Joined: 2002-10-01 05:51am
Location: Louisiana... or Dagobah. You know, where Yoda lives.

Post by Einhander Sn0m4n »

phongn wrote:Nuke those false entries. Grab HijackThis! and post the logs -- it might turn up something on your machine not immediately visible with Task Manager. Check msconfig as well and look for anything suspicious.
And just in case Spywareinfo is 127.0.0.1ed out, here's the direct link to the EXE.

HB, Lagmonster :)

Post by Lagmonster »

'HB', Ein? I don't think I know that one... :?

Although I'm working out of a small-office business centre in Ottawa, the machine is owned by the company, so I'm stuck with IE until someone gets their head out of their ass.

Logfile of HijackThis v1.97.7
Scan saved at 4:29:28 PM, on 07/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINNT\system32\SxgTkBar.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Stauf\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Stauf\LOCALS~1\Temp\342x43.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... /swdir.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdat ... t/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/273ac865f3653c8bd9 ... xIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupda ... t/opuc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C ... 5362268519
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-9600-000000000000} - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh ... wflash.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = centretown.ccs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = centretown.ccs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = centretown.ccs.com
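Added example, not from the thread and not part of HijackThis: a Python triage pass over the O4, O16 and O17 lines of a HijackThis log. The sample lines are copied from the log posted above (two URLs are truncated with " ... " on the page and are left that way). The heuristics are the editor's own assumptions, not a vendor rule set: an autostart that runs from a Temp directory, a generic value name such as "Services" whose target lies outside the Windows directory, an ActiveX control fetched from a bare IP address, and a DNS suffix override that is reported for confirmation rather than flagged, since on a company machine one is expected. The script only reports; it removes nothing.

```python
"""Triage pass over HijackThis-style O4 / O16 / O17 lines.
Added example: not part of the original thread and not HijackThis code.
SAMPLE_LOG lines are copied from the log posted above; the heuristics are
the editor's own assumptions about what deserves a second look."""
import ipaddress
import re
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Stauf\LOCALS~1\Temp\342x43.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/273ac865f3653c8bd9 ... xIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = centretown.ccs.com
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} (?:\((?P<desc>[^)]*)\) )?- (?P<url>\S+)')
O17_RE = re.compile(r'^O17 - (?P<key>\S+): (?P<setting>\w+) = (?P<value>.*)$')

# Assumed heuristics (editor's own, not from the thread or any vendor list).
TEMP_DIR_RE = re.compile(r'\\(temp|tmp)\\', re.I)
GENERIC_NAMES = {"services", "service", "system", "windows", "microsoft", "update"}
SYSTEM_DIRS = ("c:\\winnt\\", "c:\\windows\\")


def split_command(cmd):
    """Return the executable path from a Run value, honouring quoting."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_o4(name, cmd):
    """Return [(severity, reason)] for one autostart entry."""
    exe = split_command(cmd)
    out = []
    if TEMP_DIR_RE.search(exe):
        out.append(("high", "autostart runs from a Temp directory"))
    if name.strip().lower() in GENERIC_NAMES and not exe.lower().startswith(SYSTEM_DIRS):
        out.append(("high", f"generic value name {name!r} points outside the Windows directory"))
    if "\\" not in exe:
        out.append(("info", "bare filename resolved at boot; confirm which copy on disk it is"))
    return out


def triage(log_text):
    """Return [(severity, line, reason)] over every recognised line.
    'high' entries are worth pulling for inspection; 'info' ones only
    need confirming against what the machine is supposed to look like."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            findings.extend((sev, line, why) for sev, why in triage_o4(m["name"], m["cmd"]))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlsplit(m["url"]).hostname or ""
            try:
                ipaddress.ip_address(host)
            except ValueError:
                continue  # a hostname, not a bare IP literal
            findings.append(("high", line, f"ActiveX control downloaded from bare IP {host}"))
            continue
        m = O17_RE.match(line)
        if m:
            findings.append(("info", line,
                             f"{m['setting']} = {m['value']}; confirm against the expected network settings"))
    return findings


if __name__ == "__main__":
    for sev, line, why in sorted(triage(SAMPLE_LOG), key=lambda f: f[0] != "high"):
        print(f"[{sev:4}] {why}\n        {line}")
```

On the posted log the only "high" hits are the Run entry launching an executable out of the user's Temp directory under the value name "Services" and the ActiveX control pulled from a raw IP; the Norton, QuickTime and Adobe entries pass, and the O17 suffix is listed only so the owner can confirm it is the company's domain.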

Post by Einhander Sn0m4n »

KILL THESE!! wrote:R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Services] C:\DOCUME~1\Stauf\LOCALS~1\Temp\342x43.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/273ac865f3653c8bd9 ... xIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = centretown.ccs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = centretown.ccs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = centretown.ccs.com
Lagmonster wrote:'HB', Ein? I don't think I know that one... :?

Although I'm working out of a small-office business centre in Ottawa, the machine is owned by the company, so I'm stuck with IE until someone gets their head out of their ass.

<snip>
Tell them that the spyware IE allows translates directly to lost productivity, as do the viruses Outbreak Excess attracts...
McC
Rabid Monkey
Posts: 2775
Joined: 2004-01-11 02:47pm
Location: Southeastern MA, USA

Post by McC »

Sounds like Gaobot. The media labs here at NU got hit by Gaobot just recently and we had a fun time (not) trying to get it removed. The removal process is fairly easy: clean the hosts file, update your virus defs, run a scan. Also, check the registry keys listed under the Gaobot AFJ entry on Symantec's site and remove those as well. Then you should be fine.
-Ryan McClure-
Scaper - Browncoat - Warsie (semi-movie purist) - Colonial - TNG/DS9-era Trekker - Hero || BOTM - Maniac || Antireligious naturalist

Post by Einhander Sn0m4n »

www.grisoft.com AVG in case it's Gaobot/Agobot/whateverbot. And McC, learn how to link info instead of forcing everyone to google for it! :evil:

Post by McC »

Terribly sorry. Didn't realize going to www.symantec.com was so difficult, nor did I realize simply typing in Gaobot was hard either. I will be sure to not underestimate the inability of an individual next time.

Here is the precise link to the virus that infected our systems. It's relatively easy to remove once you know how to remove it. It's just obnoxious until then.

Post by Einhander Sn0m4n »

McC wrote:Terribly sorry. Didn't realize going to www.symantec.com was so difficult, nor did I realize simply typing in Gaobot was hard either. I will be sure to not underestimate the inability of an individual next time.

Here is the precise link to the virus that infected our systems. It's relatively easy to remove once you know how to remove it. It's just obnoxious until then.
It's about common courtesy, not difficulty. Some virii have dozens of variants, and I don't appreciate your veiled flame either. :roll:

Post by McC »

I realize that. Had I not been simultaneously speaking with a coworker while writing the post, I would've included it.

Apologies for the flame, but your tone irked me ("learn how to") and that's what I was reacting to. Like I said, under more leisurely circumstances I would've included it as a matter of course.

Post by phongn »

Both of you, knock it off. Ein, you completely overreacted and for the last time, it's spelled viruses, not virii.
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

phongn wrote:and for the last time, it's spelled viruses, not virii.
I thought the jury was still out on that one?
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF

Post by phongn »

Crayz9000 wrote:I thought the jury was still out on that one?
No, the term is "viruses."
Bugsby
Jedi Master
Posts: 1050
Joined: 2004-04-10 03:38am

Post by Bugsby »

The plural of a noun ending in "-us" is only "-i" if the pronunciation sounds a bit like "-oos", like in octopus. The "us" at the end of virus is pronounced differently, and therefore it uses the basic "-es" plural form. This is from Latin, where masculine nouns ended in "-us" that was pronounced like "-oos", and the plural was "-i".

AND NOW YOU KNOW!
The wisdom of PA:
-Normal Person + Anonymity + Audience = Total Fuckwad
Durandal
Bile-Driven Hate Machine
Posts: 17927
Joined: 2002-07-03 06:26pm
Location: Silicon Valley, CA
Contact:

Post by Durandal »

Crayz9000 wrote:
phongn wrote:and for the last time, it's spelled viruses, not virii.
I thought the jury was still out on that one?
No. Merriam-Webster seems pretty sure about it; it doesn't exist. It's a 1337 term dreamed up by 15 year-olds. The biological and medical science communities have had a perfectly acceptable plural form of the word "virus" for a very long time, now. That plural form is "viruses."
Damien Sorresso

"Ever see what them computa bitchez do to numbas? It ain't natural. Numbas ain't supposed to be code, they supposed to quantify shit."
- The Onion

Post by Crayz9000 »

Durandal wrote:No. Merriam-Webster seems pretty sure about it; it doesn't exist. It's a 1337 term dreamed up by 15 year-olds. The biological and medical science communities have had a perfectly acceptable plural form of the word "virus" for a very long time, now. That plural form is "viruses."
Well, as referenced above, the only way that virus would have a "-oos" sound at the end is if it were pronounced as if it were Latin (But is virus masculine?). In that case, virii probably would be correct, but we're speaking English, not Latin...