gsb32.exe


Stratman

My son's PC intermittently slows to a crawl, and I have identified the
culprit as the file 'gsb32.exe'. Is this a variant of gdi32.exe? This file
arrived together with a file called 'qtfont.for' a few days ago. If I move
them to another directory they are immediately recreated back in the
Windows System directory, and I get the 'Access Denied' warning if I try to
delete them. Any help gratefully received.
DD
 
| My son's PC intermittently slows to a crawl, and I have identified the
| culprit as the file 'gsb32.exe'. Is this a variant of gdi32.exe? This file
| arrived together with a file called 'qtfont.for' a few days ago. If I move
| them to another directory they are immediately recreated back in the
| Windows System directory, and I get the 'Access Denied' warning if I try to
| delete them. Any help gratefully received.
| DD
|

What do you mean "arrived"? Where did it come from?
Do you have up-to-date anti-virus software running?
Do you have a hardware or software firewall active?
Have you scanned for spyware with SpyBot Search & Destroy?

SB
 
My son's PC intermittently slows to a crawl, and I have identified the
culprit as the file 'gsb32.exe'. Is this a variant of gdi32.exe? This file
arrived together with a file called 'qtfont.for' a few days ago. If I move
them to another directory they are immediately recreated back in the
Windows System directory, and I get the 'Access Denied' warning if I try to
delete them. Any help gratefully received.

I found this too. Kaspersky
(http://www.kaspersky.com/remoteviruschk.html) identifies it as
"gsb32.exe Infected: Backdoor.G_Spot.20". On my machine it kept
throwing out a message: "caused an error in <unknown>.". ZoneAlarm
traps its attempts to connect out. We also found the infection in
WMPlayer.exe. I don't have a qtfont.for file.

Current versions of AVG and F-Prot don't identify the files and the
various anti-virus websites don't have details except for other
incarnations of Backdoor.G_Spot.20.

I was able to delete gsb32.exe but it kept being replaced. There is a
registry key at:
MyComputer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
that needs removing.

In the end I had to boot to DOS using a Startup floppy and rename the
directory containing wmplayer.exe.

I wonder if wmplayer has a security vulnerability or whether it just
happens to be targeted by the trojan. I don't think I'll bother to
reinstall it for now.

Hope this helps!

Stephen
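
The post above ties the file's reappearance to a value under the Run registry key. As an added example that is not part of the original thread, this read-only PowerShell audit lists Run values and flags any whose command line references a file name reported here; the per-user key and the helper name `Get-RunEntry` are assumptions.

```powershell
# Added example (not from the thread): read-only audit of the Run autostart keys.
# File names come from the posts above; Get-RunEntry is a hypothetical helper name.
$suspectNames = @('gsb32.exe', 'qtfont.for')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # key named in the post
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # assumption: per-user key is checked as well
)

function Get-RunEntry {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($valueName in $regKey.GetValueNames()) {
            # Keep %VAR% references unexpanded so the stored command line is shown as written.
            $options = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
            $command = [string]$regKey.GetValue($valueName, '', $options)
            # Case-insensitive substring match against the reported file names.
            $matched = @($suspectNames | Where-Object { $command -like "*$_*" })
            [pscustomobject]@{
                Key     = $key
                Name    = $valueName
                Command = $command
                Suspect = ($matched.Count -gt 0)
                Matched = ($matched -join ', ')
            }
        }
    }
}

$entries = @(Get-RunEntry -Path $runKeys)
$entries | Sort-Object Suspect -Descending |
    Format-Table Name, Suspect, Matched, Command -AutoSize -Wrap

$hits = @($entries | Where-Object Suspect)
if ($hits.Count -gt 0) {
    Write-Warning ("{0} Run value(s) reference a file name from this thread." -f $hits.Count)
}
```

The script changes nothing; it only reports which Run values to inspect before removing the one that relaunches the file.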
 
There is a Windows Media Player vulnerability.

See Microsoft Knowledge Base Article KB828026.

Stephen
 
[...] Kaspersky
(http://www.kaspersky.com/remoteviruschk.html) identifies it as
"gsb32.exe Infected: Backdoor.G_Spot.20".
[...]
In the end I had to boot to DOS using a Startup floppy and rename the
directory containing wmplayer.exe.

I wonder if wmplayer has a security vulnerability or whether it just
happens to be targeted by the trojan. I don't think I'll bother to
reinstall it for now.

The vulnerability is not in wmplayer. It's in IE. A web page script
tricked IE into over-writing wmplayer.exe with a downloader.
Then that downloader was used to install other malware onto your
system. Use Google to get these archived messages:

From: (e-mail address removed)
Newsgroups: alt.comp.virus
Subject: Re: What is this virus? Help
Message-ID: <[email protected]>

From: "Jibba Jabba" <[email protected]>
Newsgroups: alt.comp.virus
Subject: Re: What is this virus? Help
Message-ID: <[email protected]>

From: Spamless <[email protected]>
Subject: Re: Another operation on trojaned machines (vano-soft.biz, UZC12.biz)
Message-ID: <[email protected]>
Newsgroups: news.admin.net-abuse.email

Moral, don't use IE.
 