
Trojan.gaslide.b Along With Other Problems...


13 replies to this topic

#1 Ashok_Chandra

Ashok_Chandra

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:06:56 AM

Posted 06 February 2008 - 01:57 PM

Hello,

I'd like to bring to your attention a new problem which I have been facing for the past couple of days. Whenever I'm running a malware scan on my system, I'm finding a trojan called "Trojan.Gaslide.B". I'm not sure how the trojan caught me. But it is something which is showing up every time I run a scan on my PC.

The next set of problems is that whenever I'm running a "Search and Destroy" using Spybot, the following problems always appear.

Microsoft.WindowsSecurityCenter.RegistryTools
Microsoft.Windows.ActiveDesktop
Microsoft.Windows.Explorer
Microsoft.Windows.System
SpySheriff

I request anyone's help to fix these issues once and for all, as they are repeatedly infecting my PC.

Thanks a lot,
Ashok


 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:26 PM

Posted 07 February 2008 - 03:14 PM

Hello, my first recommendation is to run your AV scans from Safe Mode. As you did not mention which operating system you are using, look here.
How to start Windows in Safe Mode

After that, run these online scans:
ESET Online Scanner

Panda ActiveScan

Please let us know how it goes.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Ashok_Chandra


Posted 13 February 2008 - 06:46 AM

My Operating System is Windows XP.

I have run a scan using Panda ActiveScan and it detected no viruses. However, I had problems with the ESET online scanner. By the way, I couldn't run the scanners in "Safe Mode", hence I had to do it in normal mode.

Despite the above, I could still see the infections in my PC.

#4 boopme


Posted 13 February 2008 - 11:42 AM

Following these should remove it.

Now download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
DO NOT run yet.

Now reboot into Safe Mode:
Safe Mode Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or the Opera browser click on that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply. Click Close to exit the program.

Please ask any needed questions, post logs and let us know how your PC is running now.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,099 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:26 PM

Posted 13 February 2008 - 01:41 PM

Microsoft.WindowsSecurityCenter.RegistryTools
Microsoft.Windows.ActiveDesktop
Microsoft.Windows.Explorer
Microsoft.Windows.System
SpySheriff

This does not provide enough information.

When inquiring about Spybot scans, you should always post a complete log of the actual detections received.

For example, the first item could be part of:
Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1343024091-813497703-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools

Spybot - Search & Destroy is detecting Windows Security Center associated with Microsoft Security Center Registry changes. This is neither a false positive nor a bug. It is just information.
Spybot-S&D only wants to bring to your attention that "someone" disabled one or more notifications in the Windows Security Center, e.g. the notifications that your virus protection is not active or not up-to-date. If you changed the settings yourself you can safely tell Spybot-S&D to exclude those detections from further scans.

forums.spybot.info
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 Ashok_Chandra


Posted 14 February 2008 - 08:49 AM

Thank you for the help. The scan log generated by running SUPER is as follows

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/14/2008 at 06:15 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:08:19

Memory items scanned : 201
Memory threats detected : 0
Registry items scanned : 4375
Registry threats detected : 0
File items scanned : 30232
File threats detected : 0

It has not detected any infections. I hope I'm clear.
When enquiring about spybot queries, I will include the registry entries as well. I'll try to post them in my next post.

Thanks a lot

#7 quietman7


Posted 14 February 2008 - 09:56 AM

Also let us know if you're still getting detections of Trojan.Gaslide.B. If so, what specific file is associated with that threat and where is it located (full path) on your system.

#8 JDM2

JDM2

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Local time:08:26 PM

Posted 14 February 2008 - 10:22 AM

Your SuperAntiSpyware virus definitions are four months old. I would update those. That's pretty important.

#9 Ashok_Chandra


Posted 24 February 2008 - 11:43 AM

Sorry for the late reply. I was away for some time.

Yes, I am still getting detections of Trojan.Gaslide.B. Following is the full path and the associated file as shown in the detection

Threat Name - Trojan.Gaslide.B
Type - Modified Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-858812337-1687452334-2804402542-145104\Software\Microsoft\Windows\CurrentVersion\Policies\System, NoDispBackgroundPage

#10 quietman7


Posted 24 February 2008 - 12:10 PM

What program is providing that detection alert and what action does it take?

#11 Ashok_Chandra


Posted 24 February 2008 - 12:24 PM

Spyware Doctor is detecting this alert and it says it deleted/removed the trojan, but obviously it appears when rescanning after a few hours.

Further, when I did run a spybot search and destroy tool, the following malware and threats were detected.

SpySheriff: [SBI $9302253C] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-858812337-1687452334-2804402542-145104\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn

Microsoft.Windows.ActiveDesktop: [SBI $B6472C30] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-858812337-1687452334-2804402542-145104\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoAddingComponents

Microsoft.Windows.ActiveDesktop: [SBI $99FAD8A8] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-858812337-1687452334-2804402542-145104\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper

Microsoft.Windows.Explorer: [SBI $1931FF4D] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-858812337-1687452334-2804402542-145104\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges

Microsoft.Windows.System: [SBI $7F8E43F4] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-858812337-1687452334-2804402542-145104\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage

Microsoft.Windows.System: [SBI $CEA39E97] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-858812337-1687452334-2804402542-145104\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispSettingsPage

Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-858812337-1687452334-2804402542-145104\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools

Hope this answers your query.
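The Spybot entries in the post above share a two-line format: a header with the detection name and SBI id, then the registry path, which can get wrapped when pasted. As an added example (not part of the thread and not Spybot's own code), this parser rejoins wrapped paths and groups the flagged value names by policy key, compared case-insensitively; the SID in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the two-line format of the Spybot log above.
# The SID is made up; the second entry's path is wrapped across two lines.
SAMPLE_LOG = r"""
SpySheriff: [SBI $9302253C] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn

Microsoft.Windows.ActiveDesktop: [SBI $99FAD8A8] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001
\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper

Microsoft.Windows.System: [SBI $7F8E43F4] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage

Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools
"""

HEADER = re.compile(r"^(?P<name>[^:\[]+): \[SBI \$(?P<sbi>[0-9A-Fa-f]{8})\] "
                    r"(?P<kind>.+?) \((?P<what>[^,]+), (?P<action>[^)]+)\)$")

def parse_spybot_log(text):
    """Return one dict per detection, rejoining registry paths split across lines."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), path="")
            entries.append(current)
        elif current is not None and line.startswith(("HKEY_", "\\")):
            current["path"] += line  # first path line or a wrapped continuation
    parsed = []
    for e in entries:
        parts = e["path"].split("\\")
        if len(parts) < 4:           # header without a usable hive\SID\key\value path
            continue
        e["sid"], e["value"] = parts[1], parts[-1]
        e["key"] = "\\".join(parts[2:-1]).lower()  # registry key names are case-insensitive
        parsed.append(e)
    return parsed

def group_by_key(entries):
    """Map each key (relative to the user hive, lower-cased) to its flagged value names."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["key"]].append(e["value"])
    return dict(groups)
```

Grouping this way shows that `DisableRegistryTools` and the `NoDisp*` values sit in the same per-user `Policies\System` key, which is also the key named in the Spyware Doctor detection earlier in the thread.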

#12 quietman7


Posted 24 February 2008 - 01:59 PM

The Spybot alert is informational to let you know there were registry changes but it has not done anything about them. Since the first relates to SpySheriff, let's do this.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
  • Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.

As for Spyware Doctor's detection, I'm suspicious of that so check with PC Tools Spyware Doctor - Online Support.

#13 Ashok_Chandra


Posted 04 March 2008 - 01:59 PM

Please find the results of the scan. It has not detected any malware, I suppose.

Malwarebytes' Anti-Malware 1.05
Database version: 451

Scan type: Quick Scan
Objects scanned: 40422
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 quietman7


Posted 04 March 2008 - 02:37 PM

That's a good sign. It means no files/registry entries associated with SpySheriff were found on your system.

If Spyware Doctor is still alerting you to Trojan.Gaslide.B, again I ask what specific file is it flagging that is associated with that threat and where is it located (full path) on your system.



