HELP!! I'm losing my mind

Archived from groups: microsoft.public.win2000.security

We seem to have contracted a version of the Gaobot in our company. Some PCs
(interestingly enough, all Windows 2000) keep getting hit with a
systemdll.exe file by an unknown source. I've deleted the file from all the
found locations, did a search through the registry and deleted all instances.
Everything is fine for a while, but then it appears again. I tried using
the Gaobot repair tool, but it comes up empty. What the file appears to do
is use or create network shares; its favorites so far have been WINNT and
SYSTEM32, but it also uses print shares by creating a copy of an existing
printer on the PC and creating a share for it. I've also seen where it
creates a share on a user's My Documents folder, the C drive, and
SYSTEM32\SPOOL\DRIVERS. Here are the share names:
C = C$ (default share set up by Windows)
WINNT = ADMIN$ (default share set up by Windows)
SYSTEM32\SPOOL\DRIVERS = print$
My Document = My Document
It will also create a randomly named service that shows up under Manage (i.e.
aerwse) that will either be set up as Manual run or Disabled, which I've
searched through the registry for and deleted.
It looks like the process is being run by user (pc name\Administrators or NT
AUTHORITY\SYSTEM). I just found out that when these PCs were set up there
was no Admin password set (yeah, it's blank, pretty stupid), so I'm changing
those to a more secure password, but I can't do anything with the NT
AUTHORITY\SYSTEM user account that I know of. If you need any more info I'll
be happy to supply it and as always thanks in advance for any help.
  1. Reply from Steven L Umbach (Steve):

    This is from SARC http://www.sarc.com/ and it sounds a lot like what you may have.
    The link also includes removal instructions.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.azt.html

    Your computers could be becoming infected and reinfected from either the internet or
    infected computers on your network. Make sure your firewall is correctly configured
    and you can do a basic scan at http://scan.sygatetech.com/ . Be sure that you are
    using the latest virus definitions as of today from your vendor's website. Tools such
    as TCPView from Sysinternals can help in determining what computer or computers are
    infecting other computers on the network.

    You should isolate infected computers by disconnecting them from the network, then
    repairing them, and patching them with the latest critical updates from Windows
    Updates. Being current on critical updates may have prevented your problem in the
    first place. Note that installing critical updates does not help an already infected
    computer and ideally a repaired computer would have the drive reformatted and a fresh
    install/image of the operating system but that is your call. It would also be best to
    not put repaired computers back on the network until all infected computers have been
    removed, though again that is your call and a properly patched computer may not get
    reinfected. A temporary solution to help protect computers on the network that do not
    offer shares [domain controllers do] to other computers is to use tcp/ip filtering on
    the network adapter to enable IP filtering for TCP permit only and add no ports to
    the list. Be sure to disable tcp/ip filtering when done as it will interfere with
    remote access to a computer for things like remote Computer Man.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q309798 -- tcp/ip filtering

    I guess you learned your lesson on not using any or weak passwords and the trouble
    that it can cause. It would be wise to enforce complex passwords on the network in
    Domain Security policy and also have an account lockout policy with a threshold of no
    less than ten bad attempts. This can go a long way to protecting your network. ---
    Steve

    http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx -- Microsoft
    security recommendations for small businesses.

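The symptoms Gary lists (shares that Windows did not create, a randomly named Manual/Disabled service) and the lockout policy Steve recommends can be checked from one script. This is an added example, not code from the thread or from Microsoft; it assumes a modern Windows host with PowerShell 3.0 or later (Windows 2000 has no PowerShell), is run from an elevated prompt, and treats IPC$ as a default share by assumption since the thread names only C$, ADMIN$ and print$.

```powershell
# Added example, not from the thread: audit one Windows host for the symptoms
# Gary describes (unexpected shares, an odd service) and report the local
# lockout policy Steve recommends tightening. Run from an elevated PowerShell.

# Shares Windows creates itself; everything else is reported. IPC$ is added
# here as an assumption, the other three come from the thread.
$DefaultShares = @('C$', 'ADMIN$', 'print$', 'IPC$')

function Get-UnexpectedShares {
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $DefaultShares -notcontains $_.Name } |
        Select-Object Name, Path, Description
}

function Get-SuspiciousServices {
    # Flag services whose binary is outside the Windows and Program Files trees,
    # plus anything running systemdll.exe wherever it sits (the worm dropped it
    # into SYSTEM32). StartMode is kept: the thread's service was Manual/Disabled.
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*")
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        # PathName may be quoted ("C:\Program Files\x.exe" -arg) or bare
        $path = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
                else { ($_.PathName -split ' ')[0] }
        $inTrusted = $false
        foreach ($t in $trusted) { if ($path -like $t) { $inTrusted = $true } }
        (-not $inTrusted) -or ($path -like '*\systemdll.exe')
    } | Select-Object Name, StartMode, State, StartName, PathName
}

function Get-LocalLockoutPolicy {
    # 'net accounts' prints the local policy; a threshold of 'Never' means a
    # blank or weak Administrator password can be guessed indefinitely.
    $out = net accounts
    $get = { param($label)
        $m = $out | Select-String "$label\s+(\S+)" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' } }
    [pscustomobject]@{
        LockoutThreshold      = & $get 'Lockout threshold:'
        MinimumPasswordLength = & $get 'Minimum password length:'
    }
}

Write-Host '== Shares that are not Windows defaults =='
Get-UnexpectedShares | Format-Table -AutoSize
Write-Host '== Services outside trusted paths or running systemdll.exe =='
Get-SuspiciousServices | Format-Table -AutoSize
Write-Host '== Local account policy =='
Get-LocalLockoutPolicy | Format-List
```

On a domain-joined machine the effective lockout policy comes from Domain Security Policy, so compare the reported values against what is set there rather than trusting the local numbers alone.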
  2. Reply from Gary:

    Thanks Steve,
    I've tried all those instructions last week, but the systemdll.exe file
    keeps coming back. I'm hoping that increasing the user security as well
    as applying the Windows Updates will help. I've often pushed the idea of
    using nothing but secure passwords, but apparently nobody listened.
    We have a few specialized PCs that run specific programs which may also be
    causing problems, so I'll definitely give TCPView a shot.
    Thanks again for all your suggestions!

  3. Reply from Steve:

    Hi Gary.

    A search on Google shows that systemdll.exe is found in a number of very recent
    viruses/worms and parasites [shown as a keyboard logger on one site]. I would also
    suggest running AdAware with the latest definitions and trying a second virus removal
    program. There are free ones online such as at SARC as shown below.

    http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

    TCPView is free at SysInternals and they also provide other useful free tools such as
    Process Explorer and Autoruns [shows startup programs in many places]. It might help
    to also try and do repairs in safe mode. -- Steve

    http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
