Author Topic: agobot / gaobot  (Read 9694 times)


thomasv

  • Guest
agobot / gaobot
« on: November 13, 2003, 04:56:14 PM »
HELP!
Who can help me with the worm called "gaobot / agobot"? It is updating itself to agobot.3.i, 3.gen or 3.z.
Avast, Norton and McAfee couldn't find that worm; Kaspersky found it, but isn't able to delete it because of I/O errors.
It is working through a file "svchost.exe" which can't be found. This file is compressed with "exe.stealth" and "ASPack".
Please write me as soon as possible, I would be grateful for every kind of hint (formatting C: also had no effect).
Thank you
Thomas

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re:agobot / gaobot
« Reply #1 on: November 13, 2003, 05:17:35 PM »
So we meet again!;)

Okay, we'll do it another way. Download HijackThis from here: http://www.lurkhere.com/~nicefiles/
Unzip it and start the exe file. Press Scan, save the log, and after that the Windows editor will pop up; copy/paste the result here.

But as I said: it will come back again and again if you do not patch your system! Read the links I gave in the above thread carefully.
Regards, Ralf

thomasv

  • Guest
Re:agobot / gaobot
« Reply #2 on: November 13, 2003, 05:28:00 PM »
Thanks a lot for the quick response.
Here is the copy from HijackThis:

Logfile of HijackThis v1.97.5
Scan saved at 17:25:41, on 13.11.2003
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
C:\Programme\Java\j2re1.4.2_01\bin\jusched.exe
C:\Programme\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Outlook Express\msimn.exe
C:\Dokumente und Einstellungen\thomas\Lokale Einstellungen\Temp\Temporäres Verzeichnis 1 für hijackthis1975[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chello.at/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVPCC] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\Programme\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned35.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4303/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B485B56F-D714-49C0-BA6F-DA0AC440EBF6}: NameServer = 195.34.133.10,195.34.133.11

Hope you can help me.
Thanks again in advance,
Thomas

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re:agobot / gaobot
« Reply #3 on: November 13, 2003, 05:34:33 PM »
Hm, you aren't infected right now. Which AV still finds the Agobot, and where? Have you installed everything from www.windowsupdate.com?
Regards, Ralf

thomasv

  • Guest
Re:agobot / gaobot
« Reply #4 on: November 13, 2003, 05:44:29 PM »
Yes, I got a CD with the last security patch. I can't install it from microsoft.com; you may know the reason. :-)
Thomas

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re:agobot / gaobot
« Reply #5 on: November 13, 2003, 06:29:06 PM »
Somebody else should help you with that! :)
Regards, Ralf

whocares

  • Guest
Re:agobot / gaobot
« Reply #6 on: November 14, 2003, 10:33:52 PM »
Yes, I got a CD with the last security patch. I can't install it from microsoft.com; you may know the reason. :-)
Thomas

Uhm, why not?
Illegal copy, or svchost gets attacked / PC rebooting?
If it keeps returning after formatting, you should apply ALL the relevant RPC/DCOM/IIS/WebDAV patches FIRST before going online
(or install/activate a firewall while offline and block
UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, 593).

P.S.: Where exactly (full path and filename) does KAV detect it?
What happens if you start the PC in Safe Mode (F8 at boot) and then run Kaspersky or delete it manually?

What do the RAV & Trend online scanners say?
Also read here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.AO

Or if you use file sharing, read up on the file-sharing Agobot variants on Trend's AV site.


« Last Edit: November 14, 2003, 10:50:25 PM by whocares »

The Baron

  • Guest
Re:agobot / gaobot
« Reply #7 on: November 28, 2003, 01:47:37 AM »
I am also having difficulty with a gaobot variant, specifically W32.HLLW.Gaobot.ao.

Avast anti-virus doesn't detect this. I did an online virus scan with Symantec and it did pick it up. It told me to end the process 'scvhost.exe' (note the different spelling, not svchost.exe) using the Task Manager.

However, Task Manager won't let me end the process. Symantec also recommends removing certain parts of the registry, but my regeditor won't stay open for more than a few seconds (probably due to the worm). The worm is also keeping my firewall from working.

A long look around various anti-virus sites doesn't give much help or they don't have any info on this variant. One virus chat forum I came across recommended nothing less than a full disk reformat and reinstall! Surely this can't be the case - I hope not.

I think this is pretty similar to the problem first mentioned on this thread. Any help or advice would be appreciated.
« Last Edit: November 28, 2003, 01:48:10 AM by The Baron »
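The log posted in Reply #2 and the look-alike process name noted in Reply #7 (scvhost.exe, one transposition away from svchost.exe) are exactly what a HijackThis log is read for. What follows is an added example, not a tool from this thread, from HijackThis, or from any AV vendor: a small Python triage script that reads the "Running processes:" section and the O4 autorun lines of such a log and flags (a) a process whose name is within one edit of a Windows system image name and (b) a genuine system image name running from a directory other than the one it belongs in. The expected-directory table, the one-edit rule, and the sample log (an excerpt of the log above plus three constructed lines that mimic the scvhost.exe case) are assumptions made for the example.

```python
"""Triage a HijackThis log for system-process look-alikes and odd autoruns.

Added example, not code from the thread. Assumptions: a legitimate Windows
system image runs from its expected directory, and a process name one edit
(insertion, deletion, substitution or adjacent transposition) away from a
system image name is a look-alike.
"""
import ntpath
import re

# Image name -> directory it legitimately runs from on XP (compared lower-cased).
# Assumed table for the example; extend it for your own platform.
SYSTEM_IMAGES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# O4 line: "O4 - HKLM\..\Run: [Name] <command line>"
O4_RE = re.compile(r"^O4 - [^:]*: \[[^\]]*\] (.*)$")
# First executable path in a command line, quoted or not.
EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)


def osa_distance(a, b):
    """Optimal string alignment distance (Levenshtein + adjacent transposition)."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # scvhost <-> svchost
    return d[len(a)][len(b)]


def check_image(path, source):
    """Return findings for one executable path; an empty list means nothing odd."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    findings = []
    if name in SYSTEM_IMAGES:
        if directory != SYSTEM_IMAGES[name]:
            findings.append(f"{source}: {path} -> {name} outside {SYSTEM_IMAGES[name]}")
    else:
        for legit in SYSTEM_IMAGES:
            if osa_distance(name, legit) == 1:
                findings.append(f"{source}: {path} -> look-alike of {legit}")
                break
    # Persistence from a Temp directory is suspicious; only checked for autoruns,
    # because the scanner itself (HijackThis) is often run from Temp.
    if source == "O4" and "\\temp\\" in directory + "\\":
        findings.append(f"{source}: {path} -> autorun from a Temp directory")
    return findings


def triage(log_text):
    """Walk the running-process list and O4 entries of a HijackThis log."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:           # blank line ends the process section
                in_processes = False
                continue
            findings += check_image(line, "process")
            continue
        m = O4_RE.match(line)
        if m:
            e = EXE_RE.match(m.group(1))
            if e:
                findings += check_image(e.group(1), "O4")
    return findings


# Excerpt of the log posted above. The scvhost.exe process line, the
# C:\WINDOWS\svchost.exe line and the [constructed] O4 entry are constructed.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.5
Platform: Windows XP  (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\scvhost.exe
C:\WINDOWS\svchost.exe

O4 - HKLM\..\Run: [avast!] C:\Programme\Alwil Software\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [constructed] C:\WINDOWS\System32\scvhost.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports three lines: the scvhost.exe process and its autorun entry as look-alikes of svchost.exe, and the copy of svchost.exe in C:\WINDOWS as a system image outside its expected directory. The one-edit rule is deliberately narrow; a two-edit threshold starts matching legitimate short names against each other, so widen it only together with a larger allow-list.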

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re:agobot / gaobot
« Reply #8 on: November 28, 2003, 08:21:58 AM »
You can post a HijackThis log too, or delete the scvhost in Windows Safe Mode and delete the references to scvhost.exe in the registry manually.
Regards, Ralf

The Baron

  • Guest
Re:agobot / gaobot
« Reply #9 on: November 28, 2003, 11:59:39 AM »
I used http://housecall.trendmicro.com and it cleared the problem right up. I am now gaobot.ao free!

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:agobot / gaobot
« Reply #10 on: November 28, 2003, 12:12:29 PM »
Nice to hear that!;)
Regards, Ralf

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • Posts: 5093
Re:agobot / gaobot
« Reply #11 on: November 28, 2003, 07:11:55 PM »
Yes, the new scan engine from Trend really does the trick  :D
"People who are really serious about software should make their own hardware." - Alan Kay