GANGSTA.exe
WOCL4
August 21st, 2007, 05:28 PM
Found this in my system32. Is controlling other files. If I remove file, hardly any program works. Is installing also winupdate files on all my drives. Can't find any info online, any suggestions?
Bert
QuestionX
August 22nd, 2007, 12:28 AM
Go through your registry and clean all gangsta, gangsta.exe out... maybe that will help... just a thought...
WOCL4
August 22nd, 2007, 01:51 AM
Can I add that the program blocks access to any antivirus sites, e.g. Kaspersky, Symantec and so on. Task Manager and regedit are being disabled by the program. Switching off the PC is impossible, well, except by pulling the plug.
WOCL4
August 22nd, 2007, 02:07 AM
Oops, just found a large list of blocked sites in the HOSTS file. I need help, any takers?
HiTech_boy
August 22nd, 2007, 02:48 AM
Do you use NOD32 ?
Send a copy of the file to VirusTotal (http://www.virustotal.com) to check if it is a real threat.
Send a copy of the file to ESET (http://www.eset.com/threat-center/up/submit.htm).
WOCL4
August 22nd, 2007, 03:08 AM
The hosts file blocks access to the VirusTotal website. I have the main file submitted to ESET. Traced down an outbound connection to www.zonart.net.
HiTech_boy
August 22nd, 2007, 03:15 AM
If you know this potential threat has edited the hosts file so that VirusTotal's website is blocked, I guess you can edit the hosts file so that VirusTotal is not returned to the localhost.
If you use NOD32 :
{QUOTE-> Open Control Center and click on Update -> Update now to ensure your NOD32 is up to date.
Make sure your settings are the same as listed in this tutorial (http://www.wilderssecurity.com/showthread.php?p=450664#post450664).
Boot Windows in Safe Mode (http://support.microsoft.com/kb/315222) , Open Start -> Programs -> ESET -> NOD32
Make sure it uses "Control Center profile" and push Scan&Clean of all your hard drives. NOD32 will take care of all threats found. <-QUOTE}
Then contact the ESET Technical Support Dept. to help you deal with this unknown threat, or post in a forum providing malware cleaning services. Wilders forums do not provide such.
For ESET Support, fill in this form here (http://www.eset.eu/support/form). When typing in the info, add a link to this thread. Good luck!
WOCL4
August 22nd, 2007, 03:24 AM
One question: I tried to manually remove the gangsta.exe file and noticed that none of my programs were working any longer. Will that happen if I follow this procedure?
Thanks,
Bert
HiTech_boy
August 22nd, 2007, 03:30 AM
The file appears not to be legitimate. If it is not detected by ESET NOD32, then you will scan for everything else but not for it. So just do it.
WOCL4
August 22nd, 2007, 03:57 AM
I can get into safe mode and that is where it stops. Cannot start up any programs.
Niels
August 22nd, 2007, 04:29 AM
Can you open folders? If so, go to Start, My Computer, Windows, system32, drivers, etc, hosts. Right-click on it, choose to open it with WordPad (MFC application) and delete the entries or any other IP address than 127.0.0.1; save your hosts file afterwards. If that doesn't work, select the hosts file and cut and paste it to a different location.
HiTech_boy
August 22nd, 2007, 04:34 AM
{QUOTE-> I can get into safe mode and that is where it stops. Cannot start up any programs <-QUOTE}
Do a scan in Normal mode then.
Since the system looks corrupted, you might need to repair Windows after the whole story finishes = no malware:
http://www.wilderssecurity.com/showpost.php?p=1025999&postcount=19
WOCL4
August 22nd, 2007, 04:47 AM
Normal mode scan only finds gangsta.exe in memory and in the system32 directory. Nothing else present. I do have a clean Acronis True Image backup, but I can't restore the image. Seems to be locked too.
WOCL4
August 22nd, 2007, 05:22 AM
I will just wait until ESET comes up with a solution.
Update:
There are 2 keys in software\classes\exefile\shell\open\command.
The latest update (today's) of Adware found them.
Furthermore: if you reboot (as far as that is possible) these keys are placed back in the registry.
What to do next????
Blackspear
August 22nd, 2007, 06:38 AM
Please see the second solution HERE (http://www.wilderssecurity.com/showthread.php?t=178177)
Let us know how you go...
Cheers ;D
WOCL4
August 22nd, 2007, 07:46 AM
I cannot download Autoruns, access refused. I have the rest of the programs installed as standard. Will run them a bit later on and post reports to the local center.
WOCL4
August 22nd, 2007, 08:33 AM
Within 15 minutes I was contacted by ESET UK. The first solution they offered was to remove the hosts file, but that doesn't work.
Keep you updated.
HiTech_boy
August 22nd, 2007, 08:55 AM
{QUOTE-> Normal mode scan only finds gangsta.exe in memory and system32 directory. Nothing else present. <-QUOTE}
... which means NOD32 detects the threat, so it is not necessary to submit it.
Open My Computer and navigate to
C:\Windows\system32\drivers\etc\
copy the file to the Desktop
Open the Desktop and double-click the hosts file; choose to open it with Notepad.
Then edit it so that you leave it as in the screenshot here:
[screenshot attachment not preserved]
Then close it and choose to save the changes.
Copy the hosts file from the Desktop to C:\Windows\system32\drivers\etc\. Windows may report that such a file already exists; choose to accept it being overwritten.
Keep in touch with ESET support :thumb:
WOCL4
August 22nd, 2007, 09:02 AM
This is not the hosts file in drivers\etc. This hosts file is located in the Windows main directory. As you can see, it is mainly antivirus sites that are blocked. The hosts file will be overwritten again by gangsta.exe.
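A defender's triage of a hosts file like the one posted above, as an added example that is not code from this thread or from ESET: it parses hosts entries and flags security-vendor names sinkholed into loopback or 0.0.0.0, and any host mapped to a loopback address other than 127.0.0.1 (the 127.0.2.5 pattern Bert found). The vendor keyword list and the sample hosts content are constructed for illustration.

```python
import ipaddress
import re

# Assumption: a short illustrative list of security-vendor name fragments.
SECURITY_VENDOR_HINTS = (
    "virustotal", "symantec", "mcafee", "kaspersky", "sophos", "f-secure",
    "eset", "trendmicro", "avast", "grisoft", "clamav", "microsoft",
    "windowsupdate", "cert.org", "nai.com", "sarc.com", "pandasoftware",
)
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")

def triage_hosts(text):
    """Return (line_no, ip, hostname, reason) tuples for suspicious entries:
    a vendor name sinkholed into 127.0.0.0/8 or 0.0.0.0, or any host mapped
    to a loopback address other than 127.0.0.1 (the 127.0.2.5 pattern)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = HOSTS_LINE.match(line.split("#", 1)[0])  # strip comments
        if not m:
            continue                                  # blank/comment line
        ip, host = m.group(1), m.group(2).lower()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, host, "unparseable address"))
            continue
        sinkholed = addr.is_loopback or addr.is_unspecified
        if sinkholed and any(h in host for h in SECURITY_VENDOR_HINTS):
            findings.append((n, ip, host, "security vendor sinkholed"))
        elif addr.is_loopback and ip != "127.0.0.1" and host != "localhost":
            findings.append((n, ip, host, "non-standard loopback mapping"))
    return findings

# Constructed sample modelled on the entries posted in this thread.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.2.5 www.virustotal.com
127.0.2.5 liveupdate.symantec.com   # AV update server
127.0.2.5 update.microsoft.com
127.0.2.5 login.myspace.com
0.0.0.0   ads.example.invalid
"""

if __name__ == "__main__":
    for n, ip, host, reason in triage_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {ip:<10} {host:<28} {reason}")
```

Point it at the copy of the hosts file you pulled from the infected machine (Windows keeps it in system32\drivers\etc, but, as this thread shows, a second one can be dropped elsewhere).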
Blackspear
August 22nd, 2007, 10:35 AM
Follow through with the Support Office in the UK and they will lead you to a solution.
Let us know how you go...
Cheers ;D
WOCL4
August 22nd, 2007, 10:58 AM
COOL!!!!!!!
I phoned Jonathan Deane and we went through the whole process and currently the problems seem to be gone.
I am a happy bunny. If everything in life was solved as fast as ESET does it, this world would be a better place. Or I am too phylisophical (never use this word, so I can't spell it, but you know what I mean) right now.
Thanks,
Bert.
sparx
August 22nd, 2007, 11:31 AM
What process did he go through exactly? In case this problem crops up again...
Jdeane
August 22nd, 2007, 11:50 AM
Ahh, now that would be telling :)
As he could not boot into safe mode without it hanging, we tried safe mode with networking; it would still not allow some internet connections, i.e. LogMeIn for remote admin, but anyway we got the OS up...
Once in safe mode we used regedit to remove all gangsta.exe mentions and renamed the file in c:\windows.
Deleted all user temp files etc., including internet files.
With fingers crossed we rebooted into normal mode and internet connections all worked again, including remote admin; quick setup of NOD32 to auto clean/delete etc.
The original file is detected in NOD32 as 'probably unknown NewHeur_PE virus'.
I've uploaded the sample as normal and ran it through VirusTotal as well, which received mixed results from the rest of the scanners.
Jon
WOCL4
August 22nd, 2007, 12:10 PM
Does it (virus) have a name?
Bert's gangsta.exe virus sounds nice.;D
QuestionX
August 22nd, 2007, 03:13 PM
WOCL4.. hi; do you know where you got gangsta.exe from?.. maybe a game on the internet?.. thanks. :)
WOCL4
August 22nd, 2007, 05:03 PM
Pirate Bay
WOCL4
August 22nd, 2007, 05:08 PM
The file has been deleted from Pirate Bay.
WOCL4
August 25th, 2007, 09:18 AM
Hi,
I am posting an update, because the registry entries keep on reappearing. There is no trace of the gangsta.exe file. Outpost reports no outbound connection by gangsta.exe. Every time I delete the registry entries, they keep on reappearing. Any suggestions?
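The exefile\shell\open\command keys Bert mentions, and the reason deleting gangsta.exe broke every program, both come down to what that key's (Default) value says. The checker below is an added example, not code from this thread or from ESET: it classifies that value as the Windows default, hijacked (another executable inserted ahead of "%1"), or broken, and on Windows can read the live key. The hijack path in the sample is hypothetical; the thread never shows the real string.

```python
import re
import sys

# Stock Windows (Default) value of HKCR\exefile\shell\open\command.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

def inspect_exefile_command(value):
    """Classify the (Default) value as "default", "hijacked" or "broken".
    Returns (status, handler). A hijacked value inserts another executable
    ahead of "%1", so every .exe launch passes through it; deleting that
    executable then breaks every program, which is what this thread saw."""
    v = value.strip()
    if v == DEFAULT_EXEFILE_COMMAND:
        return "default", None
    m = re.match(r'^(?:"([^"]+)"|(\S+))', v)   # first token, quoted or bare
    handler = (m.group(1) or m.group(2)) if m else None
    if handler and '"%1"' in v:
        return "hijacked", handler
    return "broken", handler

def read_live_value():
    """Read the real key on Windows; returns None on other platforms."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    key = r"exefile\shell\open\command"
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key) as k:
        return winreg.QueryValueEx(k, "")[0]

# Constructed samples; the hijack path is hypothetical, not the malware's.
SAMPLES = {
    "clean":    '"%1" %*',
    "hijacked": r'"C:\WINDOWS\gangsta.exe" "%1" %*',
    "broken":   "",
}

if __name__ == "__main__":
    for name, val in SAMPLES.items():
        print(f"{name:<9} -> {inspect_exefile_command(val)}")
    live = read_live_value()
    if live is not None:
        print("this machine ->", inspect_exefile_command(live))
```

If the value is hijacked, restore it to "%1" %* before removing the named executable; removing the file first leaves every .exe pointing at a handler that no longer exists, which is the symptom Bert hit.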