Author Topic: Bart not detecting qhosts.apd in Hosts file  (Read 12412 times)


Offline peterk

Bart not detecting qhosts.apd in Hosts file
« on: September 16, 2004, 09:36:00 PM »
Can anyone shed some light on this problem - I have been trying to rid a small network of the qhosts.apd trojan using Norton Corporate, Stinger and the Bart boot CD. Bart doesn't detect any viruses, but subsequent scans by Stinger show up an infected Windows Hosts file, and Stinger claims to have repaired it. But when I reboot, the Hosts file is infected once more.
I think it is one of two things: a) Stinger is mis-detecting something which Bart doesn't detect, or b) the virus is re-created at boot time by some process which none of my anti-virus tools is picking up.
I'm a bit fed up chasing this virus round in circles and would be glad if someone could tell me if Bart does detect this trojan, and can I take it for certain that if Bart doesn't detect it, it's not a threat?

Offline whocares

Re:Bart not detecting qhosts.apd in Hosts file
« Reply #1 on: September 16, 2004, 10:13:46 PM »
Hi,

qhosts.apd:
http://vil.nai.com/vil/content/v_124880.htm
->
There has been an increase in the detection of this file reported to AVERT recently. This is caused by new variants of W32/Gaobot.worms that exploit an MS04-011 vulnerability (LSASS vulnerability CAN-2003-0533).

--> if you've got this GAOBOT in a network, you've probably got to disconnect all machines from network, CLEAN them & most important: PATCH them !!! (Windowsupdate !!!) -> Otherwise, all cleaning is futile
And change all the passwords..


****  please post a hijackthis-Log for analysis -> http://klaffke.de ******
And maybe the contents of a potentially infected host-file (before cleaning, of course..)



did you try editing/cleaning the host-files manually and write-protecting them ? (not sure if this could work, though..)


This INFO here: VGREP1
& here: VGREP2
is
a) probably a month old,
b) contradictory,
but there it seems as if Avast/Bart would NOT detect the specific Host-file modification which qhosts.apd stands for..

The avast definitions are up to date, I trust..?
 ;)
« Last Edit: September 16, 2004, 10:17:01 PM by whocares »

Offline peterk

Re:Bart not detecting qhosts.apd in Hosts file
« Reply #2 on: September 16, 2004, 10:47:29 PM »
Thanks for the suggestions.

HijackThis log goes like this -

Logfile of HijackThis v1.98.2
Scan saved at 21:19:42, on 16/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Acer\Notebook Manager\almxptray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\ACT\SideACT.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\moriordan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [asdx] xwinrpc32.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\RunServices: [asdx] xwinrpc32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ChkMail] È<Œ
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095348342765
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wccc.local
O17 - HKLM\Software\..\Telephony: DomainName = wccc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{63BB0A6A-E5FF-4DD5-BB84-278F330CB34A}: NameServer = 192.111.39.1,192.111.39.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wccc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wccc.local

and the hosts file looks like this -

127.0.0.1   www.symantec.com
127.0.0.1   securityresponse.symantec.com
127.0.0.1   symantec.com
127.0.0.1   www.sophos.com
127.0.0.1   sophos.com
127.0.0.1   www.mcafee.com
127.0.0.1   mcafee.com
127.0.0.1   liveupdate.symantecliveupdate.com
127.0.0.1   www.viruslist.com
127.0.0.1   viruslist.com
127.0.0.1   viruslist.com
127.0.0.1   f-secure.com
127.0.0.1   www.f-secure.com
127.0.0.1   kaspersky.com
127.0.0.1   www.avp.com
127.0.0.1   www.kaspersky.com
127.0.0.1   avp.com
127.0.0.1   www.networkassociates.com
127.0.0.1   networkassociates.com
127.0.0.1   www.ca.com
127.0.0.1   ca.com
127.0.0.1   mast.mcafee.com
127.0.0.1   my-etrust.com
127.0.0.1   www.my-etrust.com
127.0.0.1   download.mcafee.com
127.0.0.1   dispatch.mcafee.com
127.0.0.1   secure.nai.com
127.0.0.1   nai.com
127.0.0.1   www.nai.com
127.0.0.1   update.symantec.com
127.0.0.1   updates.symantec.com
127.0.0.1   us.mcafee.com
127.0.0.1   liveupdate.symantec.com
127.0.0.1   customer.symantec.com
127.0.0.1   rads.mcafee.com
127.0.0.1   trendmicro.com
127.0.0.1   www.trendmicro.com

so it does look very like Gaobot. The only real issue I now have is what antivirus will remove the variant I've got?

All definitions are fully up to date, but NAV Corporate is not picking it up at all. Stinger doesn't seem to be effective and Bart doesn't see it.

I'm presently trying Kaspersky and the scan has picked up Gaobot so after re-boot I'll scan again and post the results.

Any further comments on logs much appreciated! :))
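As an added example (not code from the thread or from any of the tools named in it), here is a small Python audit of hosts-file text for the pattern visible in the file posted above: security-vendor hostnames redirected to loopback, which silently blocks AV updates and is exactly the modification the boot CD was not flagging. The vendor list is an assumption built from the domains in that file, and the sample input is constructed.

```python
# Added example, not from the thread: audit hosts-file text for the
# qhosts-style pattern (security-vendor hostnames redirected to loopback or
# anywhere else) and return the other lines so a cleaned file can be written
# back. On Windows the file is %SystemRoot%\System32\drivers\etc\hosts.

# Assumption: vendor list built from the domains in the posted hosts file.
SECURITY_VENDOR_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
}


def registrable_domain(host):
    """Crude last-two-labels reduction: www.symantec.com -> symantec.com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_hosts(text):
    """Return (suspicious, clean_lines): suspicious is a list of
    (line_number, ip, hostname) for every vendor hostname found, whatever IP
    it points at; clean_lines is every other line, unchanged and in order."""
    suspicious, clean_lines = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # comments are ignored
        if len(fields) < 2:                     # blank, comment or malformed
            clean_lines.append(raw)
            continue
        ip, hostnames = fields[0], fields[1:]
        hits = [h for h in hostnames
                if registrable_domain(h) in SECURITY_VENDOR_DOMAINS]
        if hits:
            suspicious.extend((number, ip, h) for h in hits)
        else:
            clean_lines.append(raw)
    return suspicious, clean_lines


# Constructed sample modelled on the posted file (not the real file).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   www.symantec.com
127.0.0.1   liveupdate.symantecliveupdate.com
127.0.0.1   www.viruslist.com viruslist.com
198.51.100.7  download.mcafee.com
192.0.2.10  intranet.example.local
"""
```

Run it on a copy of the file taken before and after the reboot the poster describes: if the flagged lines come back, a startup entry is rewriting the file and the hosts file is a symptom rather than the infection itself.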



Offline whocares

Re:Bart not detecting qhosts.apd in Hosts file
« Reply #3 on: September 16, 2004, 11:54:48 PM »
a big hello to Ireland ... ;)

Here's an analysis of the log:
http://hijackthis.de/logfiles/51ac3c87f67562d9d4984a70c589c5d2.html
(CAUTION: false positives quite possible..!!)

But these two are definitely fishy:
O4 - HKLM\..\Run: [asdx] xwinrpc32.exe
O4 - HKLM\..\RunServices: [asdx] xwinrpc32.exe

--> fix the entries in SafeMode, then MOVE the respective file into a password-protected archive, and please submit it to
virus (at) avast.com

*

All other stuff which is flagged yellow in above analysis, and which you don't know: scan with KAV and report here..

Do you know the domains/IPs in the O17 entries..?

***

P.S.: Might be this variant:
TrendMicro-Info&Removal


again: Windows updates and a password change are imperative!!! ;)

Offline peterk

Re:Bart not detecting qhosts.apd in Hosts file
« Reply #4 on: September 20, 2004, 08:18:32 PM »
Hello from the green and misty Isle  :D

Thanks for all the help with my problem. You certainly know your viruses!

The Sysclean tool from Trend is a brilliant piece of kit. It detected the Agobot.vo variant which was giving me the real trouble and cleaned it very nicely. Sysclean combined with subsequent scans by Stinger (which picked up the SdBot worm not detected by Trend), referral to the HijackThis analysis which identified rogue start-ups and running processes (xwinrpc.exe was the problem here), and subsequent full WinXP updates have ensured a return to normality on the network.

I am submitting xwinrpc32.exe to virus@avast.com and hope it will help other users.

Once again many thanks for the help.