GANGSTA.exe

Discussion in 'NOD32 version 2 Forum' started by WOCL4, Aug 21, 2007.

Thread Status:
Not open for further replies.
  1. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    Found this in my system32. It is controlling other files. If I remove the file, hardly any program works. It is also installing winupdate files on all my drives. Can't find any info online, any suggestions?

    Bert
     
  2. QuestionX

    QuestionX Registered Member

    Joined:
    Aug 16, 2007
    Posts:
    28
    Go through your registry and clean all gangsta, gangsta.exe out... maybe that will help... just a thought...
     
  3. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    Can I add that the program blocks access to any antivirus sites, e.g. Kaspersky, Symantec and so on. Task Manager and regedit are being disabled by the program. Switching off the PC is impossible, well, except by pulling the plug.
     
  4. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    Oops, just found a large list of blocked sites in the HOSTS file. I need help, any takers?
     
  5. ASpace

    ASpace Guest

  6. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    The hosts file blocks access to the VirusTotal website. I have the main file submitted to ESET. Traced an outbound connection to www.zonart.net.
     
  7. ASpace

    ASpace Guest

    If you know this potential threat has edited the hosts file so that VirusTotal's web-site is blocked, I guess you can edit the hosts file so that VirusTotal is not returned to the localhost.

    If you use NOD32:
    Then contact the ESET Technical Support Dept. to help you deal with this unknown threat, or post in a forum providing malware cleaning services. Wilders forums do not provide such.

    ESET Support: fill in this form here. When typing in the info, add a link to this thread. Good luck!
     
  8. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    One question: I tried to manually remove the gangsta.exe file and noticed that none of my programs were working any longer. Will that happen if I follow this procedure?

    Thanks,

    Bert
     
  9. ASpace

    ASpace Guest

    The file appears to be not legitimate. If it is not detected by ESET NOD32, then you will scan for everything else but not for it. So just do it.
     
  10. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    I can get into safe mode and that is where it stops. Cannot start up any programs.
     
  11. Niels

    Niels Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    466
    Location:
    Belgium
    Can you open folders? If so, go Start, My Computer, Windows, system32, drivers, etc, hosts. Right-click on it, choose to open it with the WordPad MFC application, and delete the entries with any IP address other than 127.0.0.1; save your hosts file afterwards. If that doesn't work, select the hosts file and cut and paste it to a different location.
     
  12. ASpace

    ASpace Guest

  13. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    Normal mode scan only finds gangsta.exe in memory and in the system32 directory. Nothing else present. I do have a clean Acronis True Image backup, but I can't restore the image. Seems to be locked too.
     
  14. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    I will just wait until ESET comes up with a solution.

    Update:

    There are 2 keys in software\classes\exefile\shell\open\command.

    Latest update (today's): Adware found them.

    Furthermore: if you reboot (as far as that is possible) these keys are placed back in the registry.

    What to do next o_O?
     
    Last edited: Aug 22, 2007
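    The post above describes the classic .exe file-association hijack: the handler under exefile\shell\open\command is rewritten so an interposed launcher runs before every program, which explains both why deleting the launcher broke every program earlier in the thread and why the keys come back on reboot. The script below is an added example (not code from the thread or from ESET) that audits such a handler value: hijacked_launcher() compares a command string against the stock Windows default "%1" %*, and read_live_commands() reads the real values on Windows from both hives that HKCR merges. The sample value used when not on Windows is constructed for illustration.

```python
r"""Audit the .exe file-association handler for an interposed launcher.

Added example, not code from the thread or from ESET. On a stock Windows
install the default value of exefile\shell\open\command is "%1" %*, so an
.exe runs as itself. If malware rewrites it to
"C:\WINDOWS\gangsta.exe" "%1" %*, the launcher runs first and then starts
the real program: deleting the launcher then breaks every program, and a
surviving copy of the launcher can rewrite the key on the next boot.
"""
import re
import sys

EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# A token is either a double-quoted string (which may contain spaces) or a
# run of non-whitespace, so "C:\Program Files\x.exe" stays one token.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def normalise(command):
    """Collapse whitespace so '"%1"   %*' and '"%1" %*' compare equal."""
    return " ".join(_TOKEN.findall(command))


def hijacked_launcher(command, expected=EXPECTED_EXEFILE_COMMAND):
    """Return None when the handler is clean, else the suspect launcher.

    If the value is the expected tail preceded by exactly one extra token,
    that token (unquoted) is the interposed program. Any other shape is
    returned whole so the operator can inspect it.
    """
    tokens = _TOKEN.findall(command)
    if " ".join(tokens) == normalise(expected):
        return None
    if len(tokens) >= 2 and " ".join(tokens[1:]) == normalise(expected):
        return tokens[0].strip('"')
    return " ".join(tokens)


def read_live_commands():
    r"""Windows only: return {hive: value} for the keys that HKCR merges.

    HKCR\exefile is a merged view of HKLM\Software\Classes and, taking
    priority, HKCU\Software\Classes; that is why a cleanup can find two
    copies of the key. Both are read here. Returns {} off Windows.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, importable on Windows only
    found = {}
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    subkey = r"Software\Classes\exefile\shell\open\command"
    for name, hive in hives.items():
        try:
            with winreg.OpenKey(hive, subkey) as key:
                found[name], _ = winreg.QueryValueEx(key, "")  # default value
        except OSError:
            pass  # key absent in this hive, which is normal for HKCU
    return found


if __name__ == "__main__":
    # Constructed sample value, used when there is no live registry to read.
    live = read_live_commands() or {"sample": '"C:\\WINDOWS\\gangsta.exe" "%1" %*'}
    for hive, value in live.items():
        suspect = hijacked_launcher(value)
        print(f"{hive}: {'clean' if suspect is None else 'HIJACKED by ' + suspect}")
```

    Because the hijacked handler is what actually starts every .exe, the order of cleanup matters: restore the handler value (or rename the launcher so the path no longer resolves) before deleting the launcher file, otherwise no program, including the registry editor, can be started to finish the job.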
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Please see the second solution HERE

    Let us know how you go...

    Cheers :D
     
  16. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    I cannot download Autoruns, access refused. I have the rest of the programs installed as standard. Will run them a bit later on and post reports to the local center.
     
  17. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    Within 15 minutes I was contacted by ESET UK. The first solution they offered was to remove the hosts file, but that doesn't work.

    Keep you updated.
     
  18. ASpace

    ASpace Guest

    ... which means NOD32 detects the threat, no need to submit it.

    Open My Computer and navigate to
    C:\Windows\system32\drivers\etc\

    Copy the file to the Desktop.

    Open the Desktop and double click the hosts file, choose to open it with Notepad.

    Then edit it so that you leave it as in the screenshot here:
    host_file_ed.PNG

    Then close it and choose to save the changes.

    Copy the hosts file from the Desktop to C:\Windows\system32\drivers\etc\. Windows may report that such a file already exists; choose to accept it being overwritten.

    Keep in touch with ESET support :thumb:
     
  19. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    This is not the hosts file in drivers\etc. This hosts file is located in the Windows main directory. As you can see, it is mainly antivirus sites that are blocked. The hosts file will be overwritten again by gangsta.exe.

    Code:
    127.0.2.5 sarc.com
    127.0.2.5 www.sarc.com
    127.0.2.5 www.sophos.com
    127.0.2.5 sophos.com
    127.0.2.5 www.mcafee.com
    127.0.2.5 mcafee.com
    127.0.2.5 liveupdate.symantecliveupdate.com
    127.0.2.5 www.viruslist.com
    127.0.2.5 viruslist.com
    127.0.2.5 f-secure.com
    127.0.2.5 www.f-secure.com
    127.0.2.5 f-prot.com
    127.0.2.5 www.f-prot.com
    127.0.2.5 kaspersky.com
    127.0.2.5 kaspersky-labs.com
    127.0.2.5 www.avp.com
    127.0.2.5 avp.com
    127.0.2.5 www.kaspersky.com
    127.0.2.5 www.networkassociates.com
    127.0.2.5 networkassociates.com
    127.0.2.5 www.ca.com
    127.0.2.5 ca.com
    127.0.2.5 mast.mcafee.com
    127.0.2.5 my-etrust.com
    127.0.2.5 www.my-etrust.com
    127.0.2.5 download.mcafee.com
    127.0.2.5 dispatch.mcafee.com
    127.0.2.5 secure.nai.com
    127.0.2.5 nai.com
    127.0.2.5 www.nai.com
    127.0.2.5 vil.nai.com
    127.0.2.5 update.symantec.com
    127.0.2.5 updates.symantec.com
    127.0.2.5 us.mcafee.com
    127.0.2.5 liveupdate.symantec.com
    127.0.2.5 customer.symantec.com
    127.0.2.5 rads.mcafee.com
    127.0.2.5 trendmicro.com
    127.0.2.5 www.trendmicro.com
    127.0.2.5 housecall.trendmicro.com
    127.0.2.5 pandasoftware.com
    127.0.2.5 www.pandasoftware.com
    127.0.2.5 www.trendmicro.com
    127.0.2.5 free.grisoft.com
    127.0.2.5 www.grisoft.com
    127.0.2.5 grisoft.com
    127.0.2.5 clamav.net
    127.0.2.5 www.clamav.net
    127.0.2.5 free-av.com
    127.0.2.5 www.free-av.com
    127.0.2.5 www.avast.com
    127.0.2.5 avast.com
    127.0.2.5 cert.org
    127.0.2.5 www.cert.org
    127.0.2.5 www.microsoft.com
    127.0.2.5 microsoft.com
    127.0.2.5 www.virustotal.com
    127.0.2.5 virustotal.com
    127.0.2.5 update.microsoft.com
    127.0.2.5 windowsupdate.microsoft.com
    127.0.2.5 www.myspace.com
    127.0.2.5 myspace.com
    127.0.2.5 profile.myspace.com
    127.0.2.5 login.myspace.com
     
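    Two details of the hosts dump above are worth checking for in an automated way: the entries point at 127.0.2.5, which is loopback (all of 127.0.0.0/8 is) but not 127.0.0.1, so a cleanup that only looks for 127.0.0.1 misses them; and the file Windows actually reads need not be the one in drivers\etc. The script below is an added example, not code from the thread, that parses a hosts file and flags every hostname other than localhost that is mapped to a loopback or unspecified address, marking which ones belong to a watch-list of security-vendor domains. The sample hosts content and the watch-list are constructed from the entries quoted in the thread.

```python
"""Audit a Windows hosts file for entries that sinkhole security vendors.

Added example, not code from the thread. Malware-edited hosts files often
redirect vendor domains to an address inside 127.0.0.0/8 other than
127.0.0.1, or to 0.0.0.0, so the check below uses ipaddress rather than a
string comparison against 127.0.0.1.
"""
import ipaddress

# Watch-list of registrable domains taken from the thread's hosts dump;
# any subdomain counts (liveupdate.symantec.com -> symantec.com).
VENDOR_DOMAINS = {
    "symantec.com", "sophos.com", "mcafee.com", "kaspersky.com",
    "f-secure.com", "trendmicro.com", "clamav.net", "avast.com",
    "virustotal.com", "microsoft.com", "cert.org", "grisoft.com",
    "nai.com", "ca.com", "pandasoftware.com", "viruslist.com",
}

# Constructed sample hosts file: the stock header, the legitimate loopback
# lines, one real LAN mapping, and a few lines of the kind quoted above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.lan   # legitimate LAN entry
127.0.2.5 www.sophos.com
127.0.2.5 liveupdate.symantec.com
127.0.2.5 www.virustotal.com   # inline comment after the entry
0.0.0.0 windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, ignoring comments and blanks.

    One line may map several hostnames to the same address; each pair is
    yielded separately. A line whose first field is not an IP address is
    skipped rather than raising, because tampered files are often malformed.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower()


def registrable(host):
    """Crude registrable-domain extraction: 'a.b.example.com' -> 'example.com'."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_sinkholed(text):
    """Return [(ip, host, is_vendor)] for every non-localhost name that is
    pointed at a loopback or unspecified (0.0.0.0 / ::) address."""
    hits = []
    for ip, host in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain"):
            continue
        if ip.is_loopback or ip.is_unspecified:
            hits.append((str(ip), host, registrable(host) in VENDOR_DOMAINS))
    return hits


if __name__ == "__main__":
    for ip, host, vendor in find_sinkholed(SAMPLE_HOSTS):
        print(f"{'VENDOR' if vendor else '      '} {ip:<12} {host}")
```

    Which file Windows actually consults is set by the registry value HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath (default %SystemRoot%\System32\drivers\etc), so when editing drivers\etc\hosts has no effect, as in this thread, that value is the first thing to read; the same parser can then be run over whatever file it points to. A hosts file that is rewritten again after cleaning means the process doing the rewriting is still running, and the file is a symptom rather than the infection.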
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Follow through with the Support Office in the UK and they will lead you to a solution.

    Let us know how you go...

    Cheers :D
     
  21. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    COOL!!!!!!!

    I phoned Jonathan Deane and we went through the whole process and currently the problems seem to be gone.

    I am a happy bunny. If everything in life was solved as fast as ESET does it, this world would be a better place. Or I am too phylisophical (never use this word, so I can't spell it, but you know what I mean) right now.

    Thanks,

    Bert.
     
  22. sparx

    sparx Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    60
    What process did he go through exactly? In case this problem crops up again...
     
  23. Jdeane

    Jdeane Eset Staff

    Joined:
    Jul 18, 2007
    Posts:
    82
    Location:
    UK
    Ahh, now that would be telling :)

    As he could not boot into safe mode without it hanging, we tried safe mode with networking; it would still not allow some internet connections, i.e. LogMeIn for remote admin, but anyway we got the OS up...

    Once in safe mode we used regedit to remove all gangsta.exe mentions, renamed the file in c:\windows

    Deleted all user temp files etc., inc. internet files

    With fingers crossed we rebooted into normal mode and internet connections all worked again, including remote admin; quick setup of NOD32 to auto clean/delete etc.

    Original file detected in NOD32 as 'probably unknown NewHeur_PE virus'

    I've uploaded the sample as normal and ran it through VirusTotal as well, which received mixed results from the rest of the scanners.

    Jon
     
  24. WOCL4

    WOCL4 Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    16
    Does it (virus) have a name?

    Bert's gangsta.exe virus sounds nice. :D
     
  25. QuestionX

    QuestionX Registered Member

    Joined:
    Aug 16, 2007
    Posts:
    28
    WOCL4, hi; do you know where you got gangsta.exe from? Maybe a game on the internet? Thanks. :)
     